FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA--But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

By Ronald G. London

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify TCPA rules for prior express consent to autodial, prerecorded-call and text cell phones. We noted that in one ruling, the FCC in some respects revived a position staked out in 1992, in originally implementing the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief they have prior express consent to do so. Now another case extends the Osorio analysis to potentially up the ante again.


Updated Location Privacy Protection Act Introduced

On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.

Google "Street View" case may be headed for SCOTUS Review

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014.

An Advertising Perspective on the Kerry-McCain and Stearns-Matheson Privacy Bills

By Paul Glist

Last week, Sens. John Kerry and John McCain and Reps. Cliff Stearns and Jim Matheson offered new privacy bills. The Kerry-McCain Senate bill and the Stearns-Matheson House bill each seeks to apply a common set of fair information practices on virtually all businesses, online and offline, that collect information about consumers or consumer behavior. For the moment, both bills are directed to commercial and non-profit organizations (such as many online businesses) that are currently not under privacy regulation.


Reps. Stearns and Matheson Introduce Consumer Privacy Protection Act

One day after Senators Kerry and McCain introduced their Commercial Privacy Bill of Rights Act of 2011, Representatives Cliff Stearns and Jim Matheson introduced a new bill, the Consumer Privacy Protection Act of 2011, that, unlike Kerry-McCain (or California’s proposed Do Not Track Me Online Act), focuses on personally identifiable information (PII), without addressing behaviorally targeted advertising. Nonetheless, it does propose new legal obligations for commercial and non-profit entities that collect, sell, use, or disclose PII of more than 5,000 consumers during any consecutive twelve-month period.

Some of the bill’s requirements, for many covered entities, may sound like old hat. For example, they would have to establish clear and readily available privacy policies governing their collection, sale, and disclosure of PII, and follow other requirements that have become conventional in bills oriented towards the Federal Trade Commission's Fair Information Practice Principles (FIPP) (for more on the principles, see the FTC principles, here). But the bill's requirements do invite participation in self-regulatory safe harbor programs. Covered entities create a presumption of compliance if they create and maintain a self-regulatory program that is approved by the FTC. Once approved, programs would have five-year terms. The regulatory program would have to contain a process for resolving disputes with consumers. The bill does not propose to supersede the many sector-specific laws, such as those providing privacy rights in the communications, health, and financial industries. The bill would be enforced by the FTC, and provides for no private right of action.

Identity Theft Enforcement and Restitution Act of 2007 Introduced

Posted By Joe Addiego

The Identity Theft Enforcement and Restitution Act of 2007 recently was introduced to the Senate Committee on the Judiciary by Senator Patrick Leahy, the Chair of that Committee. The purpose of the bill is “to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft.”

The bill is aimed at “malicious spyware, hacking and keyloggers,” as well as “cyber-extortion,” and it offers a number of remedies that may be pursued by both the government and individuals in response to occurrences of identity theft. For example, if passed into law, any use of spyware or keylogging that causes damages to 10 or more computers would be punishable as a felony. The government also would be able to pursue more incidents of such cybercrime, as the bill would allow prosecution where the victim and alleged cyber-criminal are residents of the same state (the current version of the law would require the theft to occur over interstate or international borders). Further, victims of identity theft would have the right to seek “criminal restitution” from the perpetrator for the time and expense related to the victim’s efforts to restore their credit that was damaged as a result of identity theft. The bill has not yet been scheduled for debate or vote.

The concept behind the bill, particularly allowing victims to seek restitution, has merit, but if it ultimately is passed into law, the real questions will be how many victims will attempt to take advantage of that provision, and whether, practically speaking, they will be able to track down and actually recover monies from the identity thieves.

Montana and Washington have passed laws refusing to comply with the federal government's Real ID Act

Posted by Bruce E. H. Johnson

The Real ID Act has been described by Crosscut columnist Skip Berger as creating "what is in essence America's first national identity card using driver's licenses that could be embedded with computer chips and biometric information, such as fingerprints. It has been proposed that such cards be required of every citizen who wants to drive, access government buildings, apply for federal benefits, or fly on commercial aircraft. Management of the vast databases would fall to each state's department of motor vehicles."


Pending Privacy and Data Security Legislation in the 110th Congress

Posted by Anne Shelby

Could this be the year that Congress enacts comprehensive data security and breach notification legislation? As the seemingly endless stream of news stories announcing the latest breaches continues, Members of Congress consistently voice their support for uniform national laws. Washington insiders and observers have expressed divergent predictions: some are optimistic while acknowledging the challenges of such legislation, while others are less so, often pointing to the fact that similar circumstances surrounded the proposed CAN-SPAM Act, which took four years to become law.


U.S. SAFE WEB Act of 2006

Posted by Charlene Brownlee

Congress approved S. 1608, the “Undertaking Spam, Spyware, And Fraud Enforcement with Enforcers beyond Borders Act of 2006,” (the US SAFE WEB Act of 2006) on December 9, 2006. The US Safe Web Act amends the Federal Trade Commission Act (FTCA) and improves the Federal Trade Commission (FTC)’s ability to protect consumers from international fraud by: (1) improving the FTC’s ability to gather information and coordinate investigation efforts with foreign counterparts; and (2) enhancing the FTC’s ability to obtain monetary consumer redress in cases involving spam, spyware, and Internet fraud and deception.


Senator Specter Fails to Cut Off Funding for Warrantless Surveillance

Posted by Randy Gainer

Senator Arlen Specter attempted to attach an amendment to the Senate version of the Supplemental Appropriations bill that was passed by the Senate on May 4, 2006. The amendment would have prevented government agencies from using any funds "appropriated by this or any other Act" to carry out the NSA program acknowledged by President Bush on December 17, 2005, or to carry out any related programs unless the administration briefed the House and Senate Intelligence Committees about the programs. The proposed amendment, SA 3679, was rejected by the Senate.


Proposed Amendments to DATA Act Approved by Energy and Commerce Committee

Posted by Teena Lee

On March 23, 2006, the House Energy and Commerce Committee announced that it reached a bipartisan agreement on the Data Accountability and Trust Act (DATA), H.R. 4127. The amendments appear to address a couple of the concerns raised by various consumer advocacy groups to the original bill.

As reported here previously, objectors complained the Act left the target of a security breach too much discretion to determine whether notification should be made and failed to allow parties other than the FTC enforcement powers. The "manager's amendment" appears to try to address those concerns and changes the threshold for consumer notification from a "significant risk of identity theft" to a "reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct" and provides enforcement powers to state attorneys general, in addition to the FTC.


House Data Breach Bill, H.R. 3997, Is Unbalanced and Flawed

Posted by Randy Gainer

Many businesses favor a federal data breach law. Businesses need to respond to the perception among consumers that, if consumers provide sensitive private data to businesses, the data are at risk of being misused for fraud and identity theft. That perception has apparently contributed to a decrease in the number of consumers who are willing to provide their information, for example, to on-line businesses.

There are currently more than 20 state laws that require consumers to be notified when sensitive data are disclosed. They include several different standards for when such notices must be sent. This generally requires businesses with consumers from multiple states to apply the most restrictive standard, which is to notify consumers when there is any unauthorized disclosure. Many business officials would like to see a uniform national standard regarding the circumstances in which they must notify consumers. Because notifying consumers is expensive, may trigger class action lawsuits against a business, and causes harm to businesses' reputations and goodwill, many businesses favor a notification standard that requires that consumers be notified only when consumers are likely to be exposed to fraud or identity theft as a result of a data breach.


While Congress Mulls Over the DATA Act, Customers' Personal Information Remains at Risk

Posted by Teena Lee

On October 25, 2005, Representative Cliff Stearns (R-Fla.) introduced Bill H.R. 4127 in the House of Representatives, the Data Accountability and Trust Act (DATA). Purportedly in response to the ChoicePoint and LexisNexis breaches and failures of security, the Act, in brief, charges the FTC to promulgate regulations requiring persons engaged in interstate commerce that own or possess data containing personal information in electronic form to establish and implement information security policies and procedures concerning the treatment and protection of personal information. Notably, the bill would preempt state information security laws. On November 3, 2005, the DATA Act was approved on a vote of 13-8 by the Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection, and has been forwarded to the full Energy and Commerce Committee, where it presently sits.


Get Ready for Federal Spyware Legislation

Posted by Brian Bennett

Several federal spyware proposals would pre-empt state spyware legislation. Proponents of the federal proposals argue that the public is clamoring for the federal government to address the problems of spyware. Critics of federal spyware proposals point to the federal Can-Spam Act, which, by pre-empting stricter state laws, arguably may have increased the volume of spam. Critics warn that the same thing could happen with federal spyware legislation.

Data Breach Bill Up For Committee Vote Next Week

Posted by Kraig Baker

The Personal Data Security and Privacy Act, the bill originally sponsored in the wake of the high profile data breaches this summer and shelved while the Judiciary Committee was considering the confirmation of Chief Justice Roberts, has again moved to the forefront. Senators on the Judiciary Committee have agreed on a revised bill that harmonizes a number of the provisions in the original proposals. Chairman Specter and Senator Leahy have suggested that a Committee Vote could take place as early as next week.

Congress Considers Security Breach and Data Security Bills

Last week, the Senate's Commerce, Science and Transportation Committee unanimously approved an identity theft bill, entitled the "Identity Theft Protection Act of 2005" (S. 1408), designed to "set[] national standards to safeguard individual personal information, to notify consumers of data breaches, to require businesses to improve their safeguards for sensitive consumer information, to give consumers the right to freeze their credit reports to thwart identity theft, and to limit the solicitation of social security numbers by commercial entities." If enacted, the bill would authorize the Federal Trade Commission to specify "physical and technological safeguards" that business and other entities that collect personal information would be required to put in place.


Congressional Action on Privacy and Security

Last week the U.S. Congress concluded its summer session amid a flurry of activity in connection with privacy and security matters, including a Senate vote to extend the USA Patriot Act and committee action on several identity theft bills. The congressional response to the widely-reported security breaches over the past several months follows action in a number of state legislatures, most notably California.

More specifics on what Congress is doing in our next posts...