FTC Continues Its Pursuit of "Robocalling" Platforms

With its latest settlement, the Federal Trade Commission shows that its prior targeting of prerecorded voice dialing platforms, as opposed to those who use them to place “robocalls,” was no one-off initiative, and that it has teeth.  On April 17 the FTC announced it settled a two-year long action against Joseph Turpel, a marketer who the FTC alleged assisted telemarketing firms in conducting illegal prerecorded sales calls, concealing Caller ID information, and contacting numbers on the National Do Not Call Registry.  As part of the settlement Turpel is banned not just from continuing operations that violate the FTC’s rules, as is typical, but from all telemarketing and prerecorded sales messaging.

In 2011, the FTC filed a complaint against Turpel, alleging he sold “robocalling” services to telemarketing firms through Sonkei Communications, Inc., and provided clients “the means to hide their identity by transmitting inaccurate caller names, such as ‘SERVICE MESSAGE’ or ‘SERVICE ANNOUNCEMENT’, on caller ID displays.”  In addition to helping its clients hide their identities, the FTC alleged “Turpel knew, or consciously avoided knowing, that clients used his services while calling numbers on the National Do Not Call Registry … and making illegal prerecorded telemarketing solicitations.”

As part of its settlement, the FTC fined Turpel $395,000 and banned him from directly engaging in or assisting others in telemarketing and prerecorded marketing for life.  The monetary payment is suspended based on Turpel’s inability to pay.

The settlement marks the latest effort by the FTC to target prerecorded messaging platforms and not their clients who may misuse them.  In February 2012 the FTC filed complaints against Brian Ebersole, Voice Marketing, Inc., and B2B Voice Broadcasting, Inc.,  alleging they sold prerecorded call services and “provided clients with access to computers, telecommunications services, and automated dialers” to make over one million calls a day.  The FTC also more recently settled an action against Skyy Consulting, Inc., in May 2013, which allegedly “assisted and facilitated its clients in placing outbound pre-recorded telemarketing calls to consumers without their written consent.”

FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA--But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

By Ronald G. London

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify TCPA rules for prior express consent to autodial, prerecorded-call and text cell phones. We noted that in one ruling, the FCC in some respects revived a position staked out in 1992, in originally implementing the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief they have prior express consent to do so. Now another case extends the Osorio analysis to potentially up the ante again.

Acquisitions Don't Nullify Prior Privacy Promises--FTC's Letter to Facebook & WhatsApp Gives Caution to All to Honor Privacy Protections in Mergers

Social networking site Facebook announced in February its plans to acquire WhatsApp—a “rapidly growing cross-platform mobile messaging company”—for the princely sum of $19 billion. While Facebook and WhatsApp are looking forward to a bright future together, the Federal Trade Commission is keeping a watchful eye on both companies regarding the privacy protections that WhatsApp promised its users in the past.
 
On April 10, 2014, the Director of the FTC’s Bureau of Consumer Protection Jessica Rich wrote executives at Facebook and WhatsApp and made clear that both companies must continue to honor WhatsApp’s prior policies and statements against collecting and sharing user data with advertisers—policies that, as Director Rich notes, exceed Facebook’s current privacy protections for its users. 

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming….

New Advisory on Joint FTC/DOJ Statement Encouraging Private Sharing of Cybersecurity Information

Be sure to check out our new advisory examining the joint policy statement that the Federal Trade Commission and Department of Justice issued to facilitate companies’ sharing of cybersecurity information.  The policy statement seeks to reduce uncertainty under antitrust laws for companies wishing to share strategies for preventing and combating cyber-attacks, by stating the agencies’ analytical framework for such information sharing under their longstanding Antitrust Guidelines for Collaborations Among Competitors.  As explained in the advisory, the new policy statement should be helpful as far as it goes, but companies should still proceed cautiously so as not to stray into the area of prohibited concerted activity, and should keep in mind that the new statement does not reduce potential liability under electronic privacy laws for the disclosure of communications or personal information related to cyber threats.  You can read the advisory here.

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

EU High Court Overturns Telecom Data Retention Requirements

The Court of Justice of the European Union, the highest court in the EU, declared the EU’s 2006 Data Retention Directive invalid in a judgment issued on April 8, 2014. The directive, which has been implemented via national legislation by most EU member states, requires telecommunications and Internet providers to collect and retain traffic and location data regarding users’ calls and Internet activity for up to two years in order to assist law enforcement in the prevention of “serious crime” (such as organized crime and terrorism). The Court of Justice, however, determined that the directive interferes with European citizens’ fundamental rights to privacy.

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

Social Networking for Jerks: FTC Goes After Site for Scraping Facebook Content

In the 1979 Carl Reiner film The Jerk, a new phonebook is delivered and Steve Martin, playing the title character, rejoices that “I'm somebody now! Millions of people look at this book every day! This is the kind of spontaneous publicity - your name in print - that makes people. I'm in print! Things are going to start happening to me now.”
 
As we all know, a quarter-century later, things have changed. Getting one’s name publicized takes only a few seconds—if not to millions of people, at least to whomever we’re connected on social media. But, according to the Federal Trade Commission, jerks still abound.

Updated Location Privacy Protection Act Introduced

On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.

Google "Street View" case may be headed for SCOTUS Review

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014.

Caution: Your Company's Biggest Privacy Threat is...the FTC

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.

Eleventh Circuit Adopts Seventh Circuit Jurisprudence Imposing Strict TCPA Liability on Autodialed and Prerecorded Calls and Texts

By Ronald G. London

The United States Court of Appeals for the Eleventh Circuit issued a decision in Osorio v. State Farm Bank aligning that court with the Seventh Circuit on how Telephone Consumer Protection Act (TCPA) restrictions on automated and/or prerecorded calls and texts to cell phones can effectively impose strict liability, even if a calling party believed it had consent for the calls. 

As reported in Spring 2012, the Seventh Circuit case of Soppet v. Enhanced Recovery held that, where a company gets prior express consent to prerecorded-call and/or to auto-dial or auto-text a cell phone, as the TCPA requires, the caller can still be liable if, at the time the call is made, the cell number has been reassigned to a new subscriber who did not consent.  This ups the ante considerably for companies that use automated dialing systems to reach customers, as does the new Eleventh Circuit Osorio decision, which holds, relying on Soppet, that “the consent must come from the current subscriber.”  Osorio is as concerning as Soppet given that TCPA limits on calls to cells encompass autodialed live-agent calls, prerecorded calls, and texts via autodialer, all without regard to the content of a call – i.e., whether it is marketing, or only for customer-care, debt-collection, or other informational purposes.

New Advisory on FCC TCPA Declaratory Rulings

Be sure to check out our recent advisory discussing two new Federal Communications Commission (FCC) declaratory rulings that involve communicating with cell phones via autodialed calls and texts, and by prerecorded call.  The rulings respectively allow the consent necessary for such calls to come from intermediaries for text-based social networks, and for package-delivery services to rely on assurances by the package sender that addressees consent to autodialed/prerecorded calls/texts with delivery information.  Along the way, the FCC makes several broad and business-friendly statements that should help clarify current uncertainty surrounding the TCPA, and hopefully serve as a defense for some in what has become a booming TCPA class action practice.  You can access the advisory here.

Thank You Commissioner O'Rielly - FCC Acknowledgment of TCPA Confusion is Long Overdue

But One Vote is Not Enough for Action, Nor Does Action Assure a Favorable Outcome

FCC Commissioner Michael O’Rielly recently blogged that “It is Time to Provide Clarity” on issues swirling around application of the Telephone Consumer Protection Act (TCPA).  To this we say, “Hear, Hear!”

No Harm, Still Foul? Florida Court Approves Data-Breach Class Action Settlement

Data-breach class action suits may have just gained significant traction. On Feb. 28, 2014, the U.S. District Court for the Southern District of Florida approved a first of its kind class action data breach settlement that will pay plaintiffs regardless of whether they were damaged by the breach.

California Bill Would Create Cyber Security Commission

By Christin McMeley and Jane Whang

In recognition of the increasing threat that cyber-attacks pose to the state's infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a "Cyber Security Commission."

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor's Office and Legislature on the status and progress of cyber security efforts.

California AG Weighs in on Cybersecurity

By Paul Glist and Leslie Moylan

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain English version of cybersecurity protections directed toward small and medium size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium size businesses and overlap to a large extent with NIST’s perspective on threats and with cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to prod organizations to analyze risks, determine needs, and outline plans to protect, detect, respond and recover.

New Cellphone Promises Array of Built-in Privacy Features

By Angela Galloway

Consumers will soon have access to a smartphone that automatically encrypts calls and texts, and provides anonymous web browsing, according to reports about the "Blackphone."

Forbes reports that the phone, set for a spring release, caters to phone users who want built-in privacy protections -- and to avoid the hassle of manually changing privacy settings and adding protective features. For $629, purchasers will get three years of encrypted phone calls and messaging services plus 5 GB of encrypted storage, Forbes reports. The phone also will include anti-tracking and anti-Wi-Fi sniffing services. According to Forbes, the phone was developed by Spanish startup GeeksPhone and Washington D.C.-based Silent Circle.

Newsweek reports that the phone will lack an email app, at least at launch. The company is working with another firm to develop a secure email service. The Guardian reports that the phone will run a version of Android that closes certain security holes and provides greater data control than third-party apps.

FTC: No Need to Approve iVeriFly's Proposed Alternative COPPA Consent Method - Proposal is Merely a Variation on Methods COPPA Rule Already Recognizes

By Ronald G. London

Under the provisions of the Children’s Online Privacy Protection Act (COPPA) Rule that invite proposals for new mechanisms for obtaining the verifiable parental consent required to collect, use and disclose personal information from children under 13, the Federal Trade Commission (FTC) has announced that it concluded its proceeding on iVeriFly’s proposal by declining to issue an approval, as the FTC found the method to be simply a variation on those already recognized under the Rule, rendering further FTC action unnecessary.

The verifiable parental consent mechanism iVeriFly proposed uses verification by Social Security number (SSN) as an initial step in confirming the parent’s identity.  But SSN verification is already approved under the COPPA Rule.  Similarly, another step in iVeriFly’s proposed mechanism relies on knowledge-based authentication, which the FTC recently approved (as we discussed here) after iVeriFly’s application was already on file.  In addition, under iVeriFly’s mechanism, once a parent’s COPPA account is created, iVeriFly uses verification codes to confirm the parent’s identity for future contacts, an approach akin to using passwords or PIN numbers for previously authenticated parents, as described in the FTC’s updated frequently asked questions (FAQs), which we discussed here and here.

It is unclear if companies like iVeriFly, who have “variations” on approved COPPA consent methods, seek explicit approval out of concern over enforcement and/or uncertainty about how the FTC will interpret the rules, or whether by doing so, even if arguably already covered, they wish to obtain an FTC letter like iVeriFly did that confirms their approach is already approved (also note that at least part of iVeriFly’s application encompassed a method that at the time of filing was not approved, but was encompassed by another party’s already-on-file application that the FTC granted before it got to iVeriFly’s proposal).  But in any event, iVeriFly has a green light to proceed, even with the FTC’s non-action on its application.

New Advisory Posted on NIST Cybersecurity Framework 1.0 and Growing Federal Concern Over Data Security and Cyber Crime

By Bob Scott

Check out our recent advisory analyzing the National Institute of Standards and Technology’s newly finished Cybersecurity Framework, which is intended to reduce cyber risks to critical infrastructure – including to banks, communications companies, utilities, and healthcare providers.  The Framework adds to the growing prominence of data security issues:  increased incidents of electronic data theft; extensive media coverage; rising class-action litigation.  The Federal Trade Commission has assumed enforcement authority for data security and breach incidents under Section 5 of the FTC Act, while Congress and state legislatures consider legislative options.  The Framework remains voluntary for the companies it addresses, but offers insight into evolving government expectations for data security, privacy and civil liberties.  Access the advisory here.

FTC's 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

By Adam H. Greene, Rebecca L. Williams, and Sarah S. Fallows

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

FCC Seeks Comment on Petitions Seeking Clarity for Opt-Out Notices on Fax Ads Sent with the Recipient Consent

By Ronald G. London

The FCC issued a Public Notice seeking comments on nine petitions that request clarification of the agency’s rule governing opt-out notices on fax advertisements – and in particular, those where the sender previously obtained the recipient’s consent.  The petitions seek to resolve uncertainty that has arisen from tension between the Telephone Consumer Protection Act’s (TCPA) Junk Fax Prevention Act provisions that require “unsolicited” fax ads to include such opt-out notices, and the recent Eighth Circuit decision in Nack v. Walburg that held, relying on an FCC amicus brief, that such opt-out notices also are required for fax ads sent with express consent.  The stakes are high for resolving this technical compliance point, given that TCPA class action activity has exploded in recent years, with settlements and judgments reaching the tens or hundreds of thousands of dollars, and even into the millions.

Oregon Restricts Employers' Access to Private Social Media Accounts

By Christie S. Totten, Chrys A. Martin, Angela Galloway, and Peter G. Finch

Oregon recently joined numerous states in prohibiting employers from seeking access to employees’ or prospective employees’ private social-media accounts, personal email, and other online content. Employers may not:
  1. Require or request that an employee or applicant allow the employer access to the individual’s personal social media account (e.g. cannot ask for the password);
  2. Compel an employee or applicant to add the employer to the individual’s social media contact list (e.g. cannot require the employee to “friend” the employer on Facebook); or
  3. Compel an employee or applicant to allow the employer to view the personal account.

California Public Utilities Commission Denies Request to Develop Privacy Standards for Wireless Carriers and Mobile Applications

By Jane J. Whang 

After a year in which the California Legislature passed a spate of privacy laws, wireless providers and third party mobile application providers do not need to add privacy regulations from the California Public Utilities Commission (“CPUC”) to their growing list of privacy compliance requirements.  At its January 16, 2014 meeting, the CPUC voted 3-2 to deny a petition filed in November 2012 by consumer advocates requesting the CPUC to open a rulemaking to, among other things, review the privacy practices of telephone corporations and, in particular, to develop privacy standards for wireless carriers and third parties (such as mobile applications) that gain access to wireless consumers’ personal information.  (See P.12-11-006). Click here to read the decision.

Oh Canada! Google Settles Health-Related Behavioral Advertising Claims

By Adam H. Greene

The Office of the Privacy Commissioner of Canada (OPC) announced on January 15, 2014, that it reached a settlement with Google over the use of health information in behavioral advertising. The case involved a complaint that an individual visited sites about sleep apnea devices and that the individual’s browser retained cookies that led to advertisements targeting sleep apnea devices at unrelated websites. OPC cited the practice as violating Google’s own policy that, when tailored ads are shown, the company will not associate a cookie or other identifiers with sensitive categories, such as race, religion, sexual orientation or health. OPC recommended that Google develop a more formalized and rigorous system for reviewing advertisements for policy compliance. Of note, OPC coordinated its investigation with the U.S. FTC, and also expressed concerns that other advertising networks are violating Canadian privacy law.

"A" for Effort? Senator Markey Announces Latest Privacy Legislation Aimed at Protecting Student Data

By Leslie Gallagher Moylan

On January 14, 2014, Senator Edward Markey (D-Mass) announced that he plans to introduce legislation in the coming weeks to ensure that safeguards are in place for student data shared with third parties.  Citing concerns raised by recent changes to the Family Educational Rights and Privacy Act (FERPA) that have allowed for the increased sharing and use of student data in the private sector, Markey stated that the legislation will include the following components:

The Anonymization/De-identification Debate Moves to the FCC

Agency Seeks Comments on Petition That Could Severely Restrict Service Provider Ability to Use “Anonymized” Customer Information

As explained in our recent PrivSec blog post, on Dec. 11, 2013, a coalition of privacy advocates led by Public Knowledge filed a Petition for Declaratory Ruling with the FCC that, if granted, would significantly expand the scope of Customer Proprietary Network Information (CPNI) data that would be subject to heightened protections under the Commission’s rules. Those rules limit the use and sharing of confidential customer-specific information by telecommunications carriers and other providers of telephone service, including cable operators and VoIP providers, absent the customer’s opt-in consent. Public Knowledge’s petition asks the Commission to rule that phone call data that has been “anonymized” or “de-identified” by removing personal identifiers, but which remains “individually identifiable,” is nonetheless CPNI that may not be shared with other companies or entities absent the customer’s consent. The FCC swiftly issued a Public Notice asking for comments on the Petition by Jan. 17, 2014, with reply comments to be filed by Feb. 3, 2014.

Google Street View Class Action Survives: Ninth Circuit Holds Wi-Fi is Not "Radio" Under Wiretap Act

By Bob Scott and John Seiver

In the latest development in the Google Street View case, the Ninth Circuit once again upheld the lower court’s decision that Google’s collection of unencrypted Wi-Fi does not fit within an exception to the Wiretap Act that allows the interception and use of “radio transmissions” that are “readily accessible to the public,” although it narrowed the reasoning of its earlier opinion.

After initially upholding the district court order denying Google’s motion to dismiss the case because of the Wiretap Act exception, the court asked for briefing on Google’s petition for panel and en banc rehearing.  Technically, the panel granted part of Google’s motion for rehearing and modified its opinion, but it did not change its decision that unencrypted Wi-Fi transmissions are protected from interception by the Wiretap Act.  Google now could ask the U.S. Supreme Court to review the case, pursue further litigation in the district court, or settle.

Denied Again: Alleged Violation of Statute is Enough for Hulu Privacy Case to Proceed

By Christin McMeley

On December 20, 2013, the U.S. District Court for the Northern District of California issued an order in In re: Hulu Privacy Litigation that solely addressed the issue of whether the Video Privacy Protection Act (the “VPPA”) requires plaintiffs to show actual injury that is separate from a statutory violation to recover actual or liquidated damages.  This is the second setback for Hulu.  The court denied Hulu’s Motion to Dismiss more than a year ago, holding that online streaming video content is covered by the VPPA, despite the statute’s emphasis on prerecorded video cassette tapes and “similar audio visual materials.”  The court also found that any user of Hulu’s streaming service was a protected “consumer” under the statute, whether or not the user paid for the service.

If at First You Don't Succeed ... FTC Approves Second Candidate's New COPPA Verifiable Consent Method

By Ronald G. London

The Federal Trade Commission announced that it has approved a new method for companies to obtain parents’ verifiable consent for online collection and use of children’s personal information under the Children’s Online Privacy Protection Act (COPPA) Rule.  The FTC’s letter issued to Imperium LLC approves knowledge-based authentication – which relies on a series of “challenge” questions requiring information not commonly available or typically found in a person’s wallet – as a method for verifying that the person providing consent is in fact a parent.  The approval comes just over a month after the FTC rejected AssertID’s request for approval of “social-graph verification” as a method for securing verifiable COPPA consent.

New Advisory on Canadian Anti-Spam Law That Covers Commercial Emails and Texts to Canada, Computer Program and Software Downloads, and More

Be sure to spend some time with our recent advisory on Canada’s Anti-Spam Law (CASL), now that compliance dates for rules governing commercial electronic messages (CEMs), software downloads, and related conduct have been set to start taking effect July 1, 2014.  By comparison to U.S. CAN-SPAM law, CASL is broader and does not deal solely with email “spam,” but also reaches CEMs sent to instant message and social network accounts, and by short message service (SMS) texts to cell phones, too.  CASL also regulates the installation of computer programs, as well as the alteration of transmission data, and other computer-related conduct.

When the new law is fully in force, it will apply to all CEMs sent from or accessed by computer systems located in Canada, and thus governs CEMs sent from other countries, including the United States.   The next 6 to 12 months provided for compliance ramp-up are thus critical for all businesses in Canada—as well as for those in the U.S. who have a Canadian presence or who transmit CEMs or computer software downloads to be received or downloaded by Canadian residents.   Access the advisory here.

The Twelve Days of Surveillance

By Lance Koonce

It seems like a new revelation about mass surveillance by the U.S. government and our allies occurs on an almost daily basis, each one more astounding than the last.  Don’t be surprised if those jingling bells you hear on your roof next week are not St. Nick, but instead someone installing a covert listening device on your fiberoptic phone line.

So, just in time for holidays, here’s a musical summary of some of the most stunning surveillance disclosures, with citations to background material on each.  Break out the eggnog and join us as we count down the Twelve Days of Surveillance.

Continue Reading...

Are You a Target?

By Daniel P. Reing

As has been widely reported, the popular retail giant Target announced yesterday that it suffered a data breach impacting approximately 40 million credit and debit card accounts used in Target stores across the country between November 27th and December 15th. It appears that the breach involved the theft of “track data” from the magnetic stripe on the back of credit and debit cards used in Target stores. Thieves use this stolen information to create counterfeit cards.

Continue Reading...

FCC Asked To Rule That Anonymized Phone Call Data May Not Be Shared Absent Customer Consent Under CPNI Rules; Comments Due January 17, 2014

By Bob Scott

A coalition of privacy advocates filed a petition for declaratory ruling with the FCC on December 11, 2013 seeking a significant tightening of the Commission’s existing rules that limit the sharing of Customer Proprietary Network Information (CPNI) by telecommunications carriers and other phone service providers. The coalition, led by Public Knowledge, has asked the Commission to rule that phone call data that has been “anonymized” or “de-identified” by removing personal identifiers is nevertheless “identifying information” under the CPNI rules which may not be shared with other companies or entities absent the customer’s consent.  The FCC has set a deadline of January 17, 2014 for comments on the petition.

Continue Reading...

PCI DSS 3.0: Business as Usual?

By Randy Gainer, Attorney, CISSP, and Christin McMeley, CIPP-US 

In the past, critics of the Payment Card Industry (PCI) Data Security Standard (DSS) have alleged that the DSS requirements either (1) provide little more than a minimal baseline for security with a “check-the-box” compliance approach; or (2) are written vaguely so that the Council can retroactively allege non-compliance and impose fees on merchants who claim to have been PCI DSS “compliant” at the time of the breach (see our recent Genesco post). On November 7, 2013, the PCI Security Standards Council (SSC) released version 3.0, which may address these criticisms by:
  • Focusing on “security, not compliance;”
  • Making PCI DSS a “business as usual practice;”
  • Providing “added flexibility on ways to meet the requirements;” and
  • Clarifying “the level of validation the assessor is expected to perform.”
Continue Reading...

Comments Due January 10, 2014 on Issues Raised in FTC's Internet of Things Workshop

By K.C. Halm

Following its highly publicized workshop exploring consumer privacy and security issues arising from the emerging market of the Internet of Things, the Federal Trade Commission (FTC) is now calling for filed comments on issues raised during the workshop.

At issue is the application of privacy and data security principles and norms in the emerging market sector of connected devices.  As explained in our recent post, workshop participants raised a broad range of questions about the application of many existing privacy principles to entities and systems in the world of connected devices. 

Recognizing the many legitimate and difficult questions raised by this sector, the agency seeks comment on a range of issues, including but not limited to:

  • What are the unique privacy and security concerns and solutions associated with the Internet of Things? 
  • What existing security technologies and practices could businesses and consumers use to enhance privacy and security in the Internet of Things?
  • What is the role of the Fair Information Practice Principles in the Internet of Things?
  • What steps can companies take (before putting a product or service on the market) to prevent connected devices from becoming targets of, or vectors for, malware or adware?
  • How can companies provide effective notice and choice?  If there are circumstances where effective notice and choice aren’t possible, what solutions are available to protect consumers?
  • What new challenges does constant, passive data-collection pose?
  • What effect does the Internet of Things have on data de-identification or anonymization?
  • How can privacy and security risks be weighed against potential societal benefits (such as improved health-care decision-making or energy efficiency) for consumers and businesses?
  • How can companies update device software for security purposes or patch security vulnerabilities in connected devices, particularly if they do not have an ongoing relationship with the consumer?  Do companies have adequate incentives to provide updates or patches over products’ lifecycles?
  • How should the FTC encourage innovation in this area while protecting consumers’ privacy and the security of their data?
  • Are new use-restrictions necessary to protect consumers’ privacy?

The deadline for filing comments is Jan. 10, 2014.  Comments filed prior to the workshop will be taken into consideration.  The agency’s staff will also accept research and surveys in addition to other comments.  Comments will be used to develop the FTC Staff recommendation, which is likely to be issued during the first quarter of 2014.

Please contact us for assistance with preparing or filing these comments with the FTC.
A House Divided: Federal Judges Take Conflicting Positions on Wiretap Act Claims Against Google in California's Northern District

When is the “course of business” considered “ordinary?”

By Bob Scott

Last week, the U.S. District Court for the Northern District of California dismissed a class action claim that Google’s modifications to its customer privacy policies and subsequent sharing of customer data across Google products violate the Wiretap Act and other laws.  The decision by Magistrate Judge Grewal in Google, Inc. Privacy Policy Litigation underscores the gap between his broad application of an exception to the Wiretap Act’s prohibitions and the far narrower view of that same exception taken by Judge Koh of the same court in allowing the Google, Inc. Gmail Litigation to proceed, which we discussed here and here.

Both cases challenge, among other things, Google’s practice of sharing data collected from its customers with advertising partners.  In both cases, Google asked the court to dismiss claims that this sharing violates the Wiretap Act, on the basis of the Act’s exception that allows a provider of electronic communications services to intercept customer data “in the ordinary course of business.”  Yet the cases reach opposite decisions on the applicability of that exception to very similar claims.

Continue Reading...

7th Circuit Issues Troubling TCPA Non-Preemption Ruling

By:  Ronald G. London

The U.S. Court of Appeals for the Seventh Circuit held in Patriotic Veterans v. Indiana that the state’s automatic dialing-announcing device (ADAD) statute is not preempted by provisions that govern prerecorded calls and automated telephone dialing systems (ATDS or autodialer) in the federal Telephone Consumer Protection Act (TCPA), even with respect to interstate calls.  The appellate court’s decision is significant to the extent it runs counter to a position staked by the Federal Communications Commission (FCC) that its TCPA rules “almost certainly” would be both the “floor” and “ceiling” for regulating interstate calls governed by the TCPA.

Patriotic Veterans, which utilizes automated prerecorded calls to disseminate political messages, challenged on preemption and First Amendment grounds Indiana’s ADAD law, which generally prohibits automated prerecorded calls with only very limited exceptions for where there is prior consent by the called party and for, e.g., school districts calling students/parents, or employers sending messages to employees.  Patriotic Veterans argued that the state’s law was preempted as to calls made into Indiana from outside the state, by the federal TCPA regime.  Under the TCPA, autodialed and/or prerecorded calls are prohibited to cell phones, hospitals, emergency lines and similar numbers in the absence of prior express consent, and such calls are likewise prohibited to residential lines, unless there is consent or the FCC grants exceptions.  The FCC’s TCPA rules allow prerecorded calls to residential lines if they are not for commercial purposes and/or do not include advertising, or if they are for an emergency or charitable purpose. 

Continue Reading...

It's Not Just the NSA: Your Keyboard Knows Who You Are, Too

By Lance Koonce

In 1891, Arthur Conan Doyle wrote a Sherlock Holmes short story entitled “A Case of Identity”.  In it, Holmes solves a mystery in part by determining that several different letters were all typed on the same typewriter:

"It is a curious thing," remarked Holmes, "that a typewriter has really quite as much individuality as a man's handwriting. Unless they are quite new no two of them write exactly alike. Some letters get more worn than others, and some wear only on one side. Now, you remark in this note of yours, Mr. Windibank, that in every case there is some little slurring over the e, and a slight defect in the tail of the r. There are fourteen other characteristics, but those are the more obvious."
Continue Reading...

New Advisory on Inquiry Into Privacy and Security for the "Internet of Things"

Be sure to check out our advisory discussing the Federal Trade Commission (FTC) workshop on privacy and security issues arising from the emerging market of connected devices, also known as the “Internet of Things.”  The advisory notes how the FTC expects entities operating in this space to apply “privacy by design” principles and build security into their devices, but also explores sentiments that new privacy and security principles must be developed for the Internet of Things.  While there may be something of a consensus that regulation in this space would be premature, it is clear the FTC will continue to watch this sector closely and police entities that fail to employ reasonable practices necessary to protect against inadvertent disclosure of personally identifiable information, with recommendations and best practices to issue via an FTC report to be published next year.  You can read the advisory here.
Federal Lawmakers Revive Do Not Track Kids Legislation

By Christin S. McMeley, Paul Glist, and Leslie Gallagher Moylan

A bipartisan, bicameral effort is again underway to extend current law and impose new restraints on the online tracking of children and teens under the age of 16. As promised, on Thursday, Nov.14, 2013, Senator Edward Markey (D-Mass) and Rep. Joe Barton (R-Texas) introduced their respective versions (S. 1700 and H.R. 3481) of the “Do Not Track Kids Act of 2013.” Specifically, the Do Not Track Kids Act would:

  • Extend many of the privacy protections already afforded to children ages 12 and under in the Children's Online Privacy Protection Act (COPPA) to teens through age 15;
  • Formally include online and mobile applications (the FTC already did this through enforcement actions and then by rule in its recent COPPA amendments);
  • Expand the definition of “personal information” to include device identifiers;
  • Extend COPPA protections to geolocation information;
  • Prohibit targeted marketing to children and minors without verifiable parental consent for children or the consent of a “minor” (13-15 year old);
  • Require the operators of a website, online service, or online or mobile application “directed to minors” to adopt and comply with a “Digital Marketing Bill of Rights for Teens” that is consistent with the Fair Information Practices Principles; and
  • Attempt to arm parents and their children with an “eraser button” to eliminate publicly available personal information online.

Using momentum gained from the ineffective attempts to establish broader, voluntary Do Not Track standards and mechanisms, California’s recent “Do Not Track” and “Eraser” laws, and increased interest by lawmakers in online tracking and privacy issues generally, Senator Markey and Congressman Barton have focused their efforts “to protect children and teens”—which may be the only way to advance the broader Do Not Track concept in a stymied Congress.

Continue Reading...

First-Shot Misfire for Application Seeking Streamlined FTC Approval of New COPPA Parental Consent Mechanism

By:  Ronnie London

The Federal Trade Commission (FTC) voted thumbs down in its first ruling under the new streamlined process adopted in its Children’s Online Privacy Protection Act (COPPA) Rule review for additional methods of securing verifiable parental consent for online collection and use of children’s personal information.  In its letter ruling, the FTC determined the proposed method of “social-graph verification” suggested by AssertID, Inc., did not meet the criteria for approval.

Continue Reading...

SCOTUS Denies Cert in Challenge to Facebook's "Beacon" Class Action Settlement

Chief Justice hints that cy pres as a class action settlement procedure should be reviewed

By John D. Seiver and Christin S. McMeley

The U.S. Supreme Court has declined to review a case challenging the fairness of a cy pres settlement of a class action against Facebook related to Facebook’s “Beacon” program that was launched in late 2007. Although the Court declined review, Chief Justice Roberts, in a 4-page statement accompanying the denial, acknowledged that cy pres remedies “are a growing feature of class action settlements” and indicated that the Court might review the fairness and adequacy of such awards “in a suitable case.”

Continue Reading...

Data Protection Regulation Proposal Approved by the European Parliament

By Robert Stankey

The European Parliament has finalized its version of the proposed Data Protection Regulation, which would substantially change personal data protection rules in the 31-country European Economic Area.  The Parliament’s LIBE committee voted October 21 on a final package of amendments to the draft regulation proposed by the European Commission in January 2012.  After formal approval by the full Parliament, negotiations will begin with national governments (through the Council of the European Union) on a final version of the legislation.

Key features of the amendments are:

  • Higher penalties – Violations could be punished through the imposition of fines of up to the greater of €100 million ($137 million) or 5% of annual worldwide revenue (compared with €1 million or 2% proposed by the Commission).
  • Breach notification – Regulators and, in certain circumstances, affected individuals still must be notified of data breaches, but the 24-hour notification deadline that had been proposed by the Commission has been eliminated.
  • Consent – Affirmative action (such as through a writing or an online acceptance) is required to show consent.  Implied consent through use of a service is not sufficient. 
  • Right of erasure – Existing rights to request the deletion of personal data have been strengthened as a replacement for the Commission’s controversial and ill-defined proposal for a “right to be forgotten”.
  • Disclosure to foreign governments – New provisions would make it a violation to disclose information that is processed in the EU to a foreign government without the approval of a data protection authority.
  • Standardized information disclosures – Standard information disclosures have been specified, including an icon-based compliance scorecard.
  • Pseudonymous data – A new category of personal data that cannot be attributed to a specific individual will be subject to a different set of privacy rules.
  • Profiling – Use of personal data for analytic or predictive purposes would require an individual’s consent and provide a mechanism to object to profiling.
  • Extraterritorial application – Parliament has somewhat strengthened provisions that would make data protection rules applicable to all non-European companies that offer goods or services to Europeans or that monitor Europeans.  Data processing within Europe would no longer be required for EU privacy rules to apply.
  • Home regulator – Data controllers would be subject to enforcement by the regulator where they have their main establishment in Europe. 

The text approved by European Parliament can be found here and here.  The Parliament also finalized its changes to the Commission’s proposal for a directive protecting personal data held by European governments and public bodies.

NIST Releases Preliminary Cybersecurity Framework: Comments Next and Final Due In February 2014

By Robert G. Scott, Jr. and Daniel P. Reing

On October 22, 2013, the National Institute of Standards and Technology (NIST) released its “Preliminary Cybersecurity Framework,” with comments due 45 days after publication in the Federal Register. NIST expects the window for comments to open expeditiously so that it may comply with the deadlines established in President Obama’s Executive Order 13636 (the “EO”). Under the EO, NIST must evaluate comments, revise the Preliminary Framework, and issue a final version by February 12, 2014 (see our earlier posts found here and here). The Administration seeks to encourage private sector adoption of the Framework through potential incentives, and given the increasing volume of and risk from hacking and data loss, private entities should be reviewing their cybersecurity and data protection practices as a matter of ongoing operations.

Continue Reading...

Update: Google Not Going Down Without a Fight

By John D. Seiver and Christin McMeley

Google is seeking further review in two cases we wrote about last week on alleged Wiretap Act violations.  In the Gmail case, where Google was charged with improperly reviewing subscribers’ emails, Google asked Judge Koh to certify her decision for interlocutory appeal to the Ninth Circuit.  But even if Judge Koh grants Google’s motion, the Ninth Circuit still has to agree to take the appeal.  And given the Ninth Circuit’s decision in Google’s Street View case, where Google was found to have improperly “intercepted” unencrypted Wi-Fi signals, it is not clear that Google will succeed in gaining interlocutory review, except that….

Google may feel encouraged because the Ninth Circuit on Wednesday ordered the plaintiffs to respond to Google’s petition for panel and en banc rehearing in the Street View case, a precondition to any grant of rehearing. We will update on plaintiffs’ filing and the court’s action on Google’s petition.

While federal courts in California seem more inclined to let plaintiffs move forward with Wiretap Act claims, a U.S. District Court Judge in Delaware dismissed claims that Google violated computer users’ rights by placing “cookies” into users’ Web browsers to facilitate the placement of advertising, and disregarding Apple’s Safari browser’s default blocker.  The court held that a URL is merely “a location identifier” and therefore the cookies do not intercept “contents” as required for a Wiretap Act violation, nor does it “demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act.  The court also dismissed claims that the placement of such cookies violated the Stored Communications Act, stating that “[d]espite the temptation, the court declines to try to fit a square peg (modern technology) into the proverbial round hole (the intent of Congress as reflected in the statutory language of the SCA).”  Even though the court found that, “while plaintiffs have offered some evidence that the online personal information at issue has some modicum of identifiable value to an individual plaintiff, plaintiffs have not sufficiently alleged that the ability to monetize their PII has been diminished or lost by virtue of Google's previous collection of it,” it went on to resolve and dismiss the substantive issues because when plaintiffs allege statutory violations with the possibility of collecting statutory damages, “the absence of any actual injury, may in some circumstances create standing.”

It is reasonable to expect that unless and until there are definitive appellate or SCOTUS rulings on standing or that the “round hole” of ECPA cannot easily accommodate the “square peg” of modern technology, we will continue to see the class action privacy bar testing the waters.

More Online Trouble for Service Providers?

By John D. Seiver

Google is facing increased scrutiny of its data collection and use practices, which may be a warning to all Internet and online service providers.  Last week, Judge Koh in San Jose held Google accountable for an alleged violation of the wiretap laws for Google’s “undisclosed” review of subscribers’ emails and other data to deliver targeted ads and create user profiles.  Among other things, the fact that Google warned its Gmail users that it “may” review their emails was apparently not the same as saying it “will” review them.

In the Street View case I blogged on the week before, the Ninth Circuit found that Google violated the same wiretap laws when, as part of compiling Street View data, it accessed unencrypted Wi-Fi transmissions, despite exceptions in the wiretap laws permitting access to unencrypted radio signals.  Google filed for panel and en banc rehearing.

New Advisory Discusses How Strong Operational Privacy Controls Can Help Protect Businesses

Don’t miss our new advisory discussing changing legal perceptions of required privacy protection and the steps that companies can take to incorporate operational controls that protect consumer information and which can help avoid or defend enforcement actions, comply with looming legislative and regulatory developments, and sustain consumer confidence.  The advisory provides a broad overview of current regulatory expectations and insight into what may be on the horizon by highlighting the recent increase in federal and state enforcement actions for alleged failures to secure consumers’ personal information.  As you will see, now is the time to fully internalize privacy imperatives.  You can read the advisory here.

9th Circuit Joffe v. Google "Street View" Decision Raises Questions About Wiretap Act's "Radio Transmissions" Exception

By John Seiver

Last week, the Ninth Circuit held that the Wiretap Act prohibits the kind of “interception” and collection of transmissions from unencrypted Wi-Fi networks that Google reportedly followed in compiling Street View data. Technically, the court affirmed a district judge’s order denying Google’s motion to dismiss, but the importance of the ruling was in extending Wiretap Act protections to unencrypted Wi-Fi traffic. 
Continue Reading...

Latest FTC Enforcement Action Reflects Agency's Intent to Focus on Emerging Market Involving the "Internet of Things"

By K.C. Halm

In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.

The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.

But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates.

Continue Reading...

40 Days and 40 Nights on Mount TCPA: Make Sure You Come Down with Proper Consent for Autodialed, Prerecorded and Text Telemarketing

October 16, 2013 Deadline Looms – Does Increasingly Active Plaintiffs’ Bar Await?

Companies that place prerecorded telemarketing calls, or that telemarket to cell phones via text-message or automatic telephone dialing systems, should be well on their way toward compliance with new FCC rules that take effect October 16, 2013.  As explained in our advisories, in 2012 the FCC revised its telemarketing rules in an effort to reconcile them with parallel FTC rules on “robocalls,” which require telemarketers who use a prerecorded message to first have prior written, signed consent from call recipients – an FTC requirement that applies equally to residential and mobile phone lines.  The FCC provided a year for companies to come into compliance with its rule changes, which would have been straightforward had the FCC simply followed through on its stated intent to mirror what the FTC had done.  However, in addition to following the FTC’s approach, the FCC also exceeded what the FTC did in several key ways, making the one-year lead-time, and October 16 deadline, all the more important.
Continue Reading...

CA Legislation Will Require Commercial Websites to Disclose "Do Not Track" Practices

By Paul Glist and Christin S. McMeley

Last week, the California State Senate and Assembly passed AB 370, a bill to amend the California Online Privacy Protection Act (CalOPPA) that would require operators of commercial websites or “online services” to disclose how the site responds to “do not track” signals sent by web browsers, which in turn will trigger enforceability by federal and state authorities. The amendment is expected to be signed by Governor Jerry Brown. Currently, there is no agreed upon definition of tracking, sharing, or permitted uses when a DNT preference is expressed. Nor is there agreement on the propriety of devices or user agents (rather than informed consumers) setting DNT signals by default.

Continue Reading...

COPPA Update: FTC Provides Further Guidance with FAQ Additions

By:  Ronald G. London

The Federal Trade Commission has added to its recently revised “Frequently Asked Questions” (FAQs) to assist covered entities in complying with the first major update of regulations implementing the Children’s Online Privacy Protection Act (COPPA Rule).  The question-and-answer pairs are more clearly organized by topic and provide additional guidance, largely for ad networks.  Specifically:

  • One new FAQ provides greater latitude for ad networks that find out after the new rules’ effective date that they have been collecting personal information from a child-directed website, by allowing continued use of converted data and persistent identifiers under certain circumstances.
  • The new FAQs also limit the circumstances somewhat where ad networks are deemed to have “actual knowledge” of the child-directed nature of sites from which they collect personal information.  For example, one FAQ clarifies that knowledge gained by an ad network’s employees will less likely be attributed to the ad network if the ad network prominently discloses on its site or service the methods by which the ad network can be directly contacted with COPPA information.
  • A related FAQ allows ad networks to rely on first-party affirmative representations of their non-child-directed status, including through signaling from the embedding webpage, so long as the ad network does not separately discover additional indicia of a website’s child-directed nature.  If such additional indicia are “inconclusive,” the ad network may still ordinarily continue to rely on the site’s or service’s specific affirmative representations.
  • Another new FAQ further establishes that, without more, the receipt of a list of websites (or services) claimed to be child-directed from parents’ organizations, advocacy groups, or similar entities is not enough to be deemed “actual knowledge” with respect to those websites or services.

This post discusses these additions to the FAQs – for further points of guidance provided in the COPPA FAQs, see our prior post, here.

Continue Reading...

NIST Releases Draft Cybersecurity Framework

By Robert G. Scott, Jr.

The National Institute of Standards and Technology (NIST) has released the first draft of the Cybersecurity Framework required by President Obama’s Executive Order 13636 and Presidential Policy Directive 21, as detailed in our earlier posts (found here, here and here). The draft outlines the tentative format of the final Framework, which would include four major sections:

  • A guide for senior executives and others on how to use the Framework to evaluate and manage their organizations’ cyber risk preparedness;
  • A user’s guide for more detailed implementation of the Framework;
  • The “core structure” of the Framework; and
  • A compendium of references such as existing cybersecurity standards, guidelines and practices.
Continue Reading...

Federal Data Breach Legislation Introduced, But Will It Go Anywhere?
By:  Christin S. McMeley

Last week Senator Pat Toomey (R-PA), along with one Independent and six other Republican Senators, introduced the “Data Security and Breach Notification Act of 2013.”  The bill would provide businesses and consumers with a single set of rules for notifications in the event certain electronic records are compromised, preempting state data breach notification requirements and several federal laws that contain security requirements.

Continue Reading...

Deadline for Compliance with Updated COPPA Rules Draws Near

By:  Ronald G. London and Robert G. Scott, Jr.

The July 1, 2013, deadline for complying with the Federal Trade Commission’s (FTC) updated regulations implementing its Children’s Online Privacy Protection Act (COPPA Rule) is around the corner, as discussed in our post here on the FTC’s denial of additional time and its revised “Frequently Asked Questions” to guide compliance efforts.  Our earlier advisory provides details on, e.g., the expansion of data collection activities covered by COPPA, including through persistent identifiers, new types of personal information whose collection will trigger the rule, clarification of how to obtain parental consent, refinements on what the Commission will deem to be a “child-directed” site covered by COPPA, and more.  The FTC’s COPPA Rule amendments are the first update to capture technological developments and evolving popular online practices – primarily social networking, smartphone Internet access, and the ability to use geolocation information – that arose after the law was enacted.

Federal Cybersecurity Initiatives Demand Vigilance of Communication and Energy Infrastructure Owners and Operators

By:  Robert G. Scott, Jr.

Cybersecurity initiatives are moving rapidly within the federal government and require owners and operators of critical infrastructure – including in particular Communication and Energy Systems, and those who supply and service them – to remain vigilant in managing cybersecurity risks.  The National Institute of Standards and Technology (NIST) is moving quickly to develop the Cybersecurity Framework required by President Obama’s Executive Order 13636 (EO-13636) and Presidential Policy Directive 21 (PPD-21), as detailed in our earlier posts here and here.  At the same time, Congress continues to develop cybersecurity legislation to address concerns over the current state of cybersecurity and cyber-threat information-sharing in various sectors of the economy.  Chief among these sectors are energy and communications, which are deemed “uniquely critical” in PPD-21 given their role in supporting all other critical infrastructure.

FCC Clarifies Companies' Liability for Third-Party Marketer TCPA Violations

By:  Ronald G. London

The Federal Communications Commission (FCC) has issued a long-awaited declaratory ruling on when a company is liable under the Telephone Consumer Protection Act (TCPA), and the FCC’s telemarketing and autodialing rules, for violations committed by a third party that the company authorizes to sell its goods or services but does not directly ask or otherwise engage to telemarket.  The FCC held that the company may be vicariously liable under federal common-law principles of agency for TCPA violations that the third party commits.

FTC Denies Requests to Extend Effective Date for COPPA Rule Revisions

Industry Must Comply by July 1, 2013, Can Look to Expanded FAQs for Guidance on Updated Rules for Information Collection and Disclosure, Parental Notice, and Requirements for Mobile Apps

By:  Ronald G. London

The FTC has voted to retain the July 1, 2013 effective date for the revisions to its Children’s Online Privacy Protection Act (COPPA Rule), shortly after issuing revised “Frequently Asked Questions” (FAQs) to aid compliance efforts.  The FAQs are a key interpretive resource, because there are few enforcement orders – and no real court precedents – that apply COPPA.

This post highlights some key clarifications and a few areas of uncertainty that remain in the FAQs, as a companion to our earlier advisory on the COPPA Rule revisions.  Among other points, we explore guidance provided by the FTC staff in the FAQs regarding:

  • How websites and online services subject to COPPA can handle newly added categories of personal information.
  • The relationship between websites and online services subject to COPPA and third parties that collect personal information through such sites or services.
  • The applicability of COPPA to mobile apps and some of the steps app developers/operators must take toward compliance.
  • Additional detail on providing parental notice as streamlined by the COPPA Rule revisions.
  • Steps required before children’s personal information may be disclosed to third parties.

NIST Hosts First of Four Planned Cybersecurity Framework Workshops

By Dan Reing

On April 3, 2013, the National Institute of Standards and Technology (“NIST”) hosted the first of four planned Cybersecurity Framework Workshops at the Department of Commerce, consisting of five panel discussions among a variety of private and public stakeholders affected by the Executive Order on “Improving Critical Infrastructure Cybersecurity” (“EO”) issued February 13, 2013.  As we previously discussed, the EO set in motion a process to develop and implement a national, voluntary Cybersecurity Standards Framework aimed at protecting the nation’s critical infrastructure and the provision of essential services to the American people.  The EO tasked NIST with drafting the Cybersecurity Framework, and on February 24, 2013, it issued a Request For Information (“RFI”) seeking public comment on issues the Cybersecurity Framework should address.  The RFI comment period closes on April 8, 2013.

Bills on Use of Mobile-Device-Location Data Reintroduced

By Brad Guyton

As an update to our entry on this issue posted during the last Congress: on March 21, 2013, lawmakers in the House and Senate reintroduced companion bills intended to curb government use of mobile users’ geolocation data.  The reintroduced Geolocation Privacy and Surveillance Act is nearly identical to legislation introduced almost two years ago, as described in our prior post.  However, unlike two years ago, the bills are not accompanied by companion legislation requiring users’ permission for industry to share geolocation data, as was the case previously with the Location Privacy Protection Act of 2011.

The newly reintroduced Geolocation Privacy and Surveillance Act, sponsored again in the Senate by Sen. Ron Wyden (D-Or.) and in the House by Rep. Jason Chaffetz (R-Utah), would require the government and law enforcement agencies to obtain a warrant before accessing a person’s geolocation data, i.e., GPS information logged through Wi-Fi networks and cellular towers.  The legislation is modeled after existing wiretapping and electronic surveillance laws and would add to Title 18 of the U.S. Code a new chapter 120 entitled “Protection of Geolocation Information.”

Several exceptions would apply, including those for emergency responders, parents of minors, and intelligence investigations under the Patriot Act.  In addition, the bill specifies that the Foreign Intelligence Surveillance Act and this legislation, if adopted, would be the only means by which geolocation information could be lawfully obtained by the government.  The bills are expected to be referred to the Judiciary Committees in both chambers, neither of which acted on versions introduced in the previous Congress.

California District Court Finds National Security Letter Statute Unconstitutional

By Brad Guyton and John Seiver

Last week, in In re National Security Letter, the United States District Court for the Northern District of California found unconstitutional two sections of the federal law allowing the FBI to issue “National Security Letters” (“NSLs”) to secretly demand subscriber records from ISPs, telecom carriers and other electronic service providers when investigating international terrorism or conducting clandestine intelligence activities.  An as-yet-unnamed telecommunications provider challenged the federal law and United States District Judge Susan Illston ordered the federal government to cease issuing NSLs and stop enforcing NSL gag orders, but stayed the order pending an expected appeal by the government to the Ninth Circuit.

Is the FTC Opening a New Front in the War on Commercial Texting?

By:  Ronald G. London

The Federal Trade Commission (FTC) recently announced it concurrently filed eight complaints in courts around the United States against “senders of spam text messages” who allegedly engaged in deceptive acts or practices by promoting supposedly free gift cards.  The complaints constitute what the FTC called a “crackdown” on affiliate marketers who allegedly “bombard consumers with hundreds of millions of unwanted spam text[s],” in order to steer them to allegedly deceptive websites promoting the cards.
 
While the conduct alleged by the FTC details the kind of gambit that often draws the agency’s wrath, the cases are also notable because they allege that merely sending unsolicited commercial texts can be an “unfair practice” under the Federal Trade Commission Act.  As texting is already heavily regulated by the Federal Communications Commission (FCC) under the Telephone Consumer Protection Act (TCPA), which also allows private causes of action, including class actions, the FTC’s apparent position seems to up the ante for senders of commercial texts.

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

By Robert G. Scott, Jr.

On February 12, 2012, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure.  The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.

The FTC and California's Attorney General Recommend Detailed New Privacy Practices and Disclosures for Entities Operating in the Mobile Environment

Be sure to spend some time with our recent advisory analyzing two important privacy developments affecting the mobile ecosystem. Our advisory focuses on the Federal Trade Commission Staff Report and the California Attorney General’s recent release of detailed recommendations and best practices for providers of mobile platforms, apps, ad networks, and their trade associations. Building on a series of recent actions emphasizing specific privacy concerns in the mobile space, the FTC’s Staff Report outlines recommendations to improve privacy disclosures and control at different levels of the mobile ecosystem. The California AG’s report addresses not just privacy disclosures, but recommends “best practices” for platforms, app developers, and ad networks that explicitly go beyond existing law. You can access the advisory here.

Advisory Analyzing New COPPA Rule Changes

Be sure to check out our recent advisory examining the extensive changes the Federal Trade Commission (FTC) made to its regulations implementing the Children’s Online Privacy Protection Act (COPPA Rule).  The revisions update the Rule to cover technological developments and popular online practices such as social networking, smartphone Internet access, and the use of geolocation information.  The advisory details how the FTC refined its definitions of “operator,” “personal information,” and “websites or online service directed to children,” and updated its requirements for providing notice and getting consent from parents, among many other changes the FTC described as seeking to “broaden and clarify” the Rule.  The advisory, which also explores practical considerations arising from the updated regulations, can be accessed here.

President Obama Signs Video Privacy Protection Act Amendment

By Brad Guyton

On January 10, 2013, President Obama signed H.R. 6671, the Video Privacy Protection Act Amendments Act of 2012, which amends the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, to streamline the process for consumers to share data regarding their video viewing activities.  In practice, this means video providers such as Netflix will be able to implement features that allow subscribers to share their video viewing history using social media services like Facebook.

FTC Again Challenges Kids' Mobile App Data Collection and Disclosure Practices

By Bob Scott
 
The Federal Trade Commission (“FTC”) released on December 10, 2012, its second staff report on disclosures for mobile apps targeted at children, building on its prior report issued 10 months earlier.  The reports appear designed to support the FTC’s upcoming proposed changes in Children’s Online Privacy Protection Act (“COPPA”) rules (which we analyzed here and here).  Where the first report emphasized mobile app compliance with notice and consent provisions in the FTC’s COPPA Rule, the latest report went beyond examination of disclosures and tested whether apps collected and shared data with third parties, or included interactive features like in-app advertising, purchasing, and/or links to social media.  It also focused in particular on the use of device identifiers and concerns raised by their collection and/or use, while in doing so appearing to overlook uses of device IDs that pose no privacy risk and/or that are otherwise pro-consumer.

FTC Settlement Embodies First Agency Action Against Browser History Sniffing

By Bob Scott

The Federal Trade Commission (FTC) announced a proposed settlement of allegations that online advertising company Epic Marketplace, Inc. and its affiliate Epic Media Group (Epic) engaged in deceptive practices by failing to accurately describe their online advertising data practices. Specifically, the FTC alleged that Epic failed to disclose that it ran a software script which determined whether consumers had visited web sites outside of Epic’s affiliated advertiser network, and falsely represented that it only collected browser information from web sites within Epic’s network. The settlement is the FTC’s first action against browser history sniffing, and demonstrates the Commission’s continued expansion of jurisdiction through enforcement actions. The proposed settlement must be approved by a majority of the Commissioners before it becomes effective.

According to the FTC, Epic said in its privacy policy that it would collect information about consumers’ visits to sites only within Epic’s advertising network. Yet in practice, the cookies received from these sites would run a script to determine whether consumers had visited sites outside Epic’s network. Epic tracked the results and sent targeted ads based on consumers’ browsing history. Consumers had no way to know that Epic’s software actively searched the browser’s history.

FCC Issues Declaratory Ruling Allowing Text-Message Opt-Out Confirmations

But Ruling Rests on Narrower Rationale Than Advanced by Petitioner, and Comes With Conditions

By Ronnie London

Yesterday, the Federal Communications Commission issued a declaratory ruling clarifying that sending a follow-up text-message confirming a consumer’s opt-out from receiving future texts does not itself violate the Telephone Consumer Protection Act (TCPA) or FCC rules.  When a consumer texts “stop” etc. to opt out of further text messages, entities that receive the opt-out often send a final text confirming receipt and effectuation of the opt-out.  The ruling was requested – and sorely needed – in the face of several putative class actions, including some against such notable names as Twitter and American Express, brought on grounds that the confirmatory texts, coming after the consumer has already opted out, lacked the prior express consent necessary under the TCPA and FCC implementing rules for text-messaging.

Advisory on Potential Traps for the Unwary in New FCC Prerecorded Telemarketing Rules Updated with Announcement of Compliance Deadlines

By Ronald G. London

Be sure to check out the update to our advisory that outlined the amended FCC automated/prerecorded telemarketing rules.  The update flags the October 16, 2012 Federal Register notice announcing that the revisions were approved by the Office of Management and Budget, thus setting effective dates for the new rules as follows:

  • The requirement for prior written signed consent for prerecorded telemarketing (and elimination of established business relationships permitting some such calls), and for auto-dialed live-agent (and prerecorded) telemarketing calls to cell phones and telemarketing text-messages takes effect October 16, 2013.
  • The requirement that prerecorded telemarketing calls must enable automated opt-outs will take effect January 14, 2013.
  • The revisions to the FCC’s abandoned call rules take effect November 15, 2012.

As explained in our prior blog post highlighting the original advisory, the new FCC rules raise the bar for the type of consent needed for auto-dialed live-agent and other telemarketing to cell phones, and extend the automated opt-out mechanism required for prerecorded telemarketing to “abandoned” live-agent telemarketing calls.  Details of the rule changes appear in the advisory update, following the discussion of the effective dates for the various new rules.

DWT Attorneys Offer Privacy Insights at RAMP Advanced Commercial & Mobile Retail Summit

By Ronald G. London

On October 2, 2012, DWT privacy practitioners Ken Payson and Ronnie London joined one of the firm’s leading payments attorneys, Andrew Lorentz, at the RAMP Advanced Commercial & Mobile Retail Summit, to make a presentation on Mobile Marketing Regulatory Compliance:  Lurking Dangers and Cautionary Tales.  The session provided an overview of the mobile marketing legal ecosystem, offered insights on the requirements for compliance with laws and regulations affecting mobile communications, and gleaned lessons learned from litigation and enforcement actions.  You can access the slides for the presentation here.

Mobile Device Privacy Act Introduced

By Bob Scott and Ronnie London

On September 12, 2012, Congressman Markey (D-Mass.) introduced the Mobile Device Privacy Act, H.R. 6377, which requires the FTC to regulate all mobile applications and devices, as well as mobile phone manufacturers and sellers, and mobile app developers.  Representative Markey introduced this bill despite ongoing mobile privacy stakeholder negotiations conducted by NTIA, the process favored by the Administration and adopted by the FTC itself in its Final Report on consumer privacy.  The bill’s exclusion of all non-mobile technology likewise rejects the stated intention of the Administration and the FTC for technology-neutral privacy protection.   Moreover, the bill is not limited to practices affecting “personal” information: all information potentially collected via mobile phones or mobile apps, no matter how benign or technical, is treated as if it is personal data.

Hulu Privacy Litigation Marks First Application of Video Privacy Protection Act to Solely Streamed Video

By Bradley W. Guyton

Internet video streaming site Hulu.com is subject to the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, according to a recent decision by the U.S. District Court for the Northern District of California, marking the first time a court has subjected a provider of exclusively online streaming video services to the VPPA.  This is notable insofar as the VPPA prohibits “video tape service providers” from knowingly disclosing the personally identifiable information (“PII”) of any consumer of the provider except to that consumer, or in limited circumstances, including incident to the provider’s ordinary course of business (as well as disclosure with consumers’ consent, and/or pursuant to a warrant or court order).  The VPPA also requires destruction of PII once it is no longer necessary for the purposes for which it was collected, and allows those harmed by any act in violation of the VPPA to bring a civil action, which is how the Hulu Privacy Litigation arose.  The decision could have a wide-ranging impact on Internet video providers who may have viewed themselves as potentially not subject to the VPPA.

Google Settles Further Privacy Claims with FTC for $22.5 Million Penalty

By K.C. Halm and Bob Scott

On August 9, 2012, the Federal Trade Commission (FTC) announced a settlement with Google over the search engine’s alleged misrepresentations in its online privacy disclosures concerning the use of “cookies” and targeted ads directed to users of Apple, Inc.’s Safari Internet browser.  Under the terms of the settlement, although Google denied liability, it agreed to pay a $22.5 million civil penalty, and to disable all DoubleClick advertising cookies placed through Safari browsers, except opt-out cookies.  The enforcement action is also significant as the FTC’s first effort to punish a company for allegedly violating an industry self-regulatory code, further setting the stage for FTC enforcement of industry-specific codes that the Administration seeks to develop through multi-stakeholder workshops.

FTC's Revisions to Proposed COPPA Definitions Published in Federal Register

DWT Pre-Publication Advisory Explains Import of Proposal

Now that it has appeared in the Federal Register, be sure to check out our advisory discussing the Federal Trade Commission’s (FTC) Supplemental Notice of Proposed Rulemaking in its Children’s Online Privacy Protection Act (COPPA) rule update proceeding.  The Supplemental Notice, part of the FTC’s effort to have the COPPA rule reflect technological developments and more recent online practices like social networking, smartphones, and location-based information, proposes to augment, clarify, and both expand and restrict rule changes proposed in the FTC’s September 2011 rulemaking notice (which we discussed in a prior post at the time it was released). 

The Supplemental Notice changes would affect the inclusion of persistent identifiers as “personal information,” data collected by plug-ins, software downloads, or advertising networks, and websites that may not be directed to children but are likely to attract children under 13.  Read about these and the other implications of the proposed further changes to the rule’s definitions of “personal information,” website and online service “operators,” and websites and services “directed toward children,” here.

Fourth Circuit Decision Deepens Split of Authority on Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"

Joins Recent 9th Circuit Decision Narrowly Construing the Law

By Ronnie London

The U.S. Court of Appeals for the 4th Circuit has issued a ruling in WEC Carolina Energy Solutions v. Miller, holding that the federal Computer Fraud and Abuse Act (“CFAA”) prohibition on exceeding “authorized access” to a computer covers only the scope of access allowed and exceeded, not subsequent use of any information obtained by way of such access.  In doing so, the 4th Circuit echoed the recent 9th Circuit en banc decision in U.S. v. Nosal adopting a similarly narrow construction of the statute, as described in our post here.  As noted, the Nosal decision departed from broader interpretations of “exceeds authorized access” adopted by the 5th, 7th, and 11th Circuits, and the 4th Circuit’s WEC decision now makes that split even more attractive for possible Supreme Court review.

NTIA to Hold First Privacy Multistakeholder Meeting, With Eye Toward Creating Industry Code of Conduct for Mobile

By Bob Scott

The National Telecommunications and Information Administration (NTIA) today announced a multistakeholder meeting designed to create an industry code of conduct to provide transparency for mobile applications and other interactive mobile services.  The meeting will be held July 12, 2012 in the national capital area.

This is the first of several stakeholder workshops proposed by the Administration and endorsed by the FTC in its “Final Report” on consumer privacy discussed in detail in our March 27, 2012 advisory.  The Administration proposed these industry-specific codes of conduct be developed through these proceedings, and that the resulting codes would be enforceable by the Federal Trade Commission.  Privacy in the context of mobile apps received the greatest volume of comments in NTIA’s request for input on the privacy workshops proposed by the Administration.

This workshop, and the code of conduct it is intended to produce, is likely to affect the interests and operations of the entire mobile ecosystem:  mobile carriers, mobile app developers, interactive service providers, and mobile app platform providers.  NTIA asks that those who intend either to attend the meeting in person or to view the webcast inform NTIA before June 22, 2012 at this link.  NTIA will use the information it receives to determine space requirements for the meeting, and to arrange webcast technology.  NTIA's announcement comes just weeks after the Federal Communications Commission (FCC) issued a public notice seeking updated comments on the privacy and security of information stored on mobile service communications devices, as we highlighted when the notice issued.

Case to Watch: Chiesa v. 24x7digital on Children's Online Privacy

By Ronnie London

New Jersey’s Attorney General Jeffrey Chiesa and the state’s Division of Consumer Affairs have filed suit in federal court against smart-phone app-provider 24x7digital LLC, to enjoin its alleged violation of the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s (FTC) COPPA Rule.  In the complaint, the state alleges 24x7 violates the statute and rules – which allow enforcement by the FTC and state regulators – by offering educational apps targeted to children that collect their personally identifiable information (PII), which is transmitted also to a third-party data analyst, without notice to or consent from players’ parents.  The case is significant because, while the FTC has brought a number of enforcement actions, the statute does not directly allow private causes of action – only enforcement by the FTC and state regulators.  There has thus been no real case-law guidance on how COPPA and the COPPA Rule apply, outside that developed in FTC-originated proceedings.

Dispatches from The Click-Wrap Comprehension Gulf

By Peter T. Luce

The latest viral privacy meme circulating on Facebook highlights the substantial confusion over online privacy rights.  Although its original author is unknown, versions of the following purported “Privacy Notice” first appeared on users’ Facebook status updates shortly after Facebook’s highly anticipated initial public offering:

"Facebook is now a publicly traded entity. Anyone can infringe on your right to privacy once you post on this site.  It is recommended that you and other members post a similar notice to this or you may copy and paste this one. Protect yourself, this is now a publicly traded site. 

PRIVACY NOTICE: Warning - any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the United States Federal Government and any worldwide government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other "picture" art posted on my profile. You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein. The foregoing prohibitions also apply to your employee, agent, student or any personnel under your direction or control. The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law. UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE"

The notice has since been shared and re-posted tens of thousands of times on Facebook and elsewhere on the Web.  The premise for the notice has been debunked as false.  Of course, Facebook users who want to better understand online privacy should look at Facebook’s Data Use Policy and Terms and Conditions.

In addition, Facebook permits users to comment on proposed changes to Facebook’s policies, and if more than 7,000 comments are submitted for any proposed change, users are permitted to vote on alternatives to the new policy.  However, the results of the vote are binding only if more than 30% of all active Facebook registered users vote for one of the alternatives (or 270 million of Facebook’s more than 900 million active users) during the notice period (between three and seven days depending on the type of change).  Even with the power of the Internet, rallying millions of users in such a short period of time would be difficult, especially if the users believe they can protect their rights just by posting a notice on their Facebook pages.  Users concerned about their privacy rights should navigate to Facebook’s privacy controls.

The takeaway: Social media and technology companies should adopt clear privacy policies and make continued efforts to educate consumers about their online privacy expectations.

UK websites launch cookie compliance measures and rely on implied consent

By Bob Stankey

New pop-up windows about online cookies are now greeting visitors to popular UK-based websites.  The changes are part of the steps being taken to comply with the new European rules that require consent to the setting of cookies.

New Advisory on FCC Inquiry Into Mobile Privacy and Security Issues

By Ronnie London

Be sure to check out our most recent advisory by K.C. Halm noting the issuance of an FCC public notice that seeks updated comments on mobile service providers’ privacy and data security practices, focusing on how they affect customer-specific information stored on mobile handsets, smartphones, tablets and other wireless devices.  The inquiry follows revelations that certain wireless providers use diagnostics firm Carrier IQ’s software to capture network and end-user information for network diagnostic purposes, which has been the subject of litigation, as well as Congressional and regulatory inquiries.

The FCC’s notice poses numerous questions, including the degree of notice and choice afforded consumers, how data storage practices serve carriers’ and their customers’ needs, whether and to what extent current practices create data security risks or vulnerabilities, and how relevant provisions of the Communications Act and FCC rules apply in this context.  You can read more here.

Appeals Court Decision Ratchets Up Risk Factor for Those Delivering Autodialed and Prerecorded Calls

By Ronnie London

Recently, the United States Court of Appeals for the Seventh Circuit issued a decision in Soppet v. Enhanced Recovery Company that could effectively impose strict liability for violations of the Telephone Consumer Protection Act (TCPA) restriction against unconsented automated and/or prerecorded calls to cell phones, even if the calling entity legitimately believed it had valid prior express consent to the calls.

FBI Reportedly Seeking Expansion of CALEA to New Communications and Technology Platforms

By Bob Scott & K.C. Halm

On the heels of the House’s recent approval of the Cyber Intelligence Sharing and Protection Act (CISPA), CNET News reports that the FBI has drafted amendments to the Communications Assistance for Law Enforcement Act (CALEA) that would significantly expand the scope of the statute.  The FBI and other law enforcement officials have long been concerned about the increasing volume of communications occurring on technology platforms that are beyond the reach of CALEA, and outside of law enforcement’s existing surveillance capabilities.  The FBI reportedly terms this phenomenon the “Going Dark” problem.  Solving it as the FBI proposes, however, could require significant operational changes by service providers that utilize such technologies.

House Passes Cyber Intelligence Sharing Bill With Substantial Industry Support, But Veto Threat Looms

By Jay Ireland

On April 26, 2012 the House passed the Cyber Intelligence Sharing and Protection Act (“CISPA”) on a 248 – 168 vote.  CISPA is supported by many communications and technology companies (e.g., Verizon, AT&T, Facebook, and Microsoft) as a critical step in protecting the nation’s infrastructure and national security from cyber attacks, by permitting the sharing of cyber threat information between private companies and the federal government.  Critics (e.g., the ACLU, Center for Democracy and Technology, and others) strenuously oppose CISPA based on concerns it compromises individual privacy by allowing personal information to be shared with the government without adequate protections, oversight, or legal recourse.  The White House opposes the legislation and has threatened to veto it in its current form.

Plans to Publicize Foreign-Sponsored Hackers and Counter-Measures

By Randy Gainer

A recent story in the Washington Post describes former FBI assistant director Shawn Henry’s plan to “name names” of governments that sponsor hackers to break into U.S. networks.  He also suggests that the private firm he recently joined, CrowdStrike, may take countermeasures against hackers.  Such “hack-back” strategies have been debated in the security community for several years.  That Mr. Henry is talking openly about going on the offensive against hackers may mean that hacker battles are about to get more interesting.

FCC: Google's Collection of Unencrypted Data Does Not Violate Communications Act

By David M. Silverman

In a Notice of Apparent Liability (NAL) released Monday by the Federal Communications Commission (FCC) against Google, the FCC found that Google’s collection of unencrypted data obtained from Wi-Fi networks in its Street View project did not violate the Communications Act provision that prohibits the unauthorized interception and either use or publication of radio communications. However, the FCC has proposed a $25,000 forfeiture penalty for Google’s initial failure to cooperate with the agency’s investigation of this matter.

En Banc 9th Circuit Decision Narrowly Construes Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"

By Ronald G. London

In a 9-2 reversal of an earlier appellate decision by a 3-judge panel, the U.S. Court of Appeals for the 9th Circuit issued an en banc ruling in U.S. v. Nosal, holding that the prohibition in the federal Computer Fraud and Abuse Act (“CFAA”) on exceeding authorized access to a computer covers only the scope of access allowed, not the subsequent use of any information obtained.  In doing so, the court rejected the broader reading the government advocated, which the en banc majority held “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.”  The court’s decision, authored by Judge Kozinski, explains that this narrow construction is preferable because it prevents CFAA liability for, for example, employees using their work computers in violation of their employers’ acceptable use policies, and/or web-surfers using a website in ways that may violate its terms of use/service, which the court noted few ever read, and even fewer understand in enough detail to avoid unwitting liability.

DWT Attorneys Offer Privacy Insights at RAMP Advanced Commercial & Mobile Retail Summit

By Ronald G. London

On April 4, 2012, DWT privacy practitioners Randy Gainer and Ronnie London joined two of the firm’s leading payments attorneys, James Mann and Andrew Lorentz, at the RAMP Advanced Commercial & Mobile Retail Summit, to make a presentation on Anticipating, Understanding and Preparing for New Rules for a New Mobile World.  The session provided an overview of the mobile payments legal ecosystem, and offered insights on the requirements for financial privacy, compliance with data security and PCI rules, and regulations affecting mobile communications.  You can access the slides for the presentation here.

New DWT Advisory Offers Insights into FTC's Long-Awaited Final Privacy Report

On our Advisories page we recently posted a detailed analysis by Robert G. Scott, Jr. and Paul Glist of the Federal Trade Commission’s March 26, 2012, final report on “Protecting Consumer Privacy in an Era of Rapid Change” (Final Report). The Final Report effectively adopts the preliminary FTC staff report from December 2010 (Staff Report), with important changes that recast the Staff Report’s general framework for privacy protection as privacy by design, simplified consumer choice, and transparency.

New Advisory Highlights Potential Traps for the Unwary in Updated FCC Prerecorded Telemarketing Rules

By Ronald G. London

Be sure to spend some time with our new advisory in which we expand on our previous entry outlining the basics of the revised FCC automated/prerecorded telemarketing rules.  The advisory explains how, even though the FCC’s primary purpose was to mirror FTC prerecorded telemarketing rules adopted several years back (which were the subject of our advisory issued at that time, here), some additional new requirements resulted from the FCC’s update of its rules.

Oregon Supreme Court Decision Shows How Rapid Response to Data Breach Can Pay Off in Ensuing Litigation

By Ronald G. London

Check out our new advisory, in which Doug Ross and Greg Chaimov explain how taking prompt and effective action to protect patients after a data breach paid big dividends in the Oregon Supreme Court, which affirmed dismissal of a class action against Providence Health & Services-Oregon.  The case is significant in that it shows a prompt and substantial response to such data theft can play a vital role in prevailing in ensuing litigation, especially given that, when the data theft occurred, Oregon had no law governing how a custodian of records like Providence should respond.  That Providence responded quickly to contact its patients and arrange for credit protection was a key factor in the outcome.  Read more here.

FCC Updates Automated/Prerecorded Telemarketing Rules to Mirror FTC Requirements for Prior Written, Signed Consent, Automated Opt-Outs, and Related Regulations

FCC Also Remedies Confusion in Its Rulemaking Proposal by Ensuring New Rules Do Not Affect Non-Telemarketing Prerecorded Calls and Text Messages, Such as for Debt Collection, Airline and School Notifications, Fraud Alerts, Surveys Calls, and Wireless Usage Data

By Ronald G. London

The Federal Communications Commission released a Report and Order that revises its rules governing automated/prerecorded telemarketing to modify the consent and opt-out requirements for such calls.  The rule change eliminates the “established business relationship” exception that previously allowed autodialed/prerecorded telemarketing to residential lines.  Meanwhile, the FCC was careful to ensure the new rules cover only automated/prerecorded “telemarketing” calls and text messages, i.e., those that seek to sell or advertise goods or services, while leaving intact preexisting regulations for non-sales prerecorded calls, such as customer-care, surveys, calls by or on behalf of tax-exempt, non-profit entities, etc.

Massachusetts Data Protection Law: Third-Party Provision Effective March 1

By Bruce E. H. Johnson

Effective March 1, 2012, any company, wherever located, that is holding the “personal information” of Massachusetts residents must amend its existing vendor contracts to require compliance with Massachusetts data security regulations. 201 CMR 17.03 (f)(2).

Europe Plans Significant Expansion in Data Protection Rights

European Commission Releases Formal Proposal on Data Protection Reform

By Robert Stankey and Adam Shoemaker

On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.

Supreme Court Resolves Circuit Split By Allowing Suits Against Telemarketing Violations Into Federal Court Under "Federal Question" Jurisdiction

By Ronald G. London

The U.S. Supreme Court has issued a decision in Mims v. Arrow Financial Services, LLC, resolving a split among federal appeals courts, by holding that claims under the Telephone Consumer Protection Act (TCPA), which provides consumers private rights of action for telemarketing violations, can be brought under “federal question” jurisdiction in federal courts rather than only in state courts.

FTC Consent Decree Targets Allegedly Deceptive Toolbar

By David Silverman

The FTC has reached a settlement with UPromise, Inc., a membership rewards service aimed at helping members save for college, to resolve charges that the company allegedly used a web-browser toolbar to collect consumers’ personal information without adequately disclosing the extent of the information collected. Under the settlement, UPromise must destroy all data it collected through the “Personalized Offers” feature of its “TurboSaver” toolbar, must clearly disclose its data-collection practices and obtain consent to the collection of personal information from toolbar users before the feature is installed or re-enabled, and must establish a comprehensive information security program, subject to biennial independent security assessments, for the next 20 years.

FTC Enforcement Action Reinforces That Consumers Need Not Utter Any "Magic Words" in Requesting to Be Placed on Telemarketers' Internal Do-Not-Call Lists

Also Reinforces That Telemarketing Sales Rule’s Caller ID Flexibility Only Goes So Far

The Federal Trade Commission (FTC) has announced a $500,000 settlement of a telemarketing enforcement action that it brought based on allegations that the telemarketer interfered with the right of consumers to be placed on companies’ internal do-not-call lists, and that it altered outgoing caller ID to inaccurately display the identity of the calling party. The enforcement action is a reminder that telemarketing customer service reps must be trained to be particularly sensitive to understanding – and effectuating – consumer requests to be added to a company’s do-not-call list, even if consumers do not phrase the request in those specific terms.

Facebook Settles FTC Allegations of Privacy Violations

By Bob Scott

The Federal Trade Commission (FTC) and Facebook announced a settlement of allegations that Facebook did not comply with its own written and advertised policies as to how it protected and used personal information at Facebook users’ pages. Facebook did not admit any wrongdoing, but agreed to a set of detailed privacy practices that incorporate privacy by design, as well as elements of pending federal legislation.

The FTC’s investigation stemmed from Facebook’s November 2009 modification of its privacy policy, which allowed certain user profile information to be seen by the public. Facebook also allowed some third party applications and advertisers to access personal user information. In simple terms, the FTC’s draft complaint alleged that Facebook’s privacy practices did not match its stated policies, so that Facebook users were not accurately and meaningfully informed about the extent to which personal information would be shared by Facebook with third parties. The FTC characterized the detailed allegations as deceptive and unfair acts and practices prohibited by Section 5 of the Federal Trade Commission Act.

Announcing the settlement with the FTC, Facebook founder Mark Zuckerberg posted a blog entry in which he acknowledged that “a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done” to protect users’ information.

The terms of settlement include Facebook’s commitments to:

  • accurately represent “the extent to which it maintains the privacy or security of covered information”;
  • clearly and prominently disclose any changes, and to obtain affirmative express consent, prior to sharing nonpublic Facebook user information with any third party in a manner that materially exceeds the restrictions the user has chosen through privacy settings;
  • adopt “procedures reasonably designed to ensure that covered information cannot be accessed by any third party” no more than 30 days after the user has deleted the information or terminated the account;
  • establish and implement a comprehensive privacy program, reasonably designed to address privacy risks and to protect covered information, with controls and procedures that are appropriate to Facebook’s size, complexity, activities, and the sensitivity of the information it collects:
    • The detailed requirements for this program incorporate elements of the FTC’s Privacy Report released December 2010, which we summarized here.
    • The required privacy program also incorporates elements contained in the Personal Data Privacy and Security Act introduced earlier this year by Senator Leahy (D-Vt.). The most far-reaching of these may be the requirement that Facebook take reasonable steps to select and retain “service providers” (a term the settlement does not define) that are capable of appropriately protecting the privacy of covered information, and that it contractually require those service providers to implement and maintain appropriate privacy protections as well;
  • maintain detailed records of compliance with these terms, and to submit to independent privacy audits every two years for twenty years to demonstrate compliance.

The settlement tracks the FTC’s recent Google Buzz settlement. However, unlike the Google settlement, the sheer magnitude of Facebook’s online presence, and the depth of its relationships with “service providers” who must also satisfy the settlement’s baseline, give the terms of Facebook’s settlement significant weight as de facto industry standards for FTC compliance.

Update: FTC Extends Comment Deadline for Children's Online Privacy Protection Act (COPPA) Rulemaking

As an update to our advisory FTC Proposes First Modifications to Children's Online Privacy Protection Act (COPPA) Rules Since Original Adoption in 2000, we note the Federal Trade Commission (FTC) has announced it is extending the comment-filing deadline, until December 23, 2011. The prior deadline had been November 28, 2011. The rule update proceeding seeks to examine whether and what changes may be necessary to reflect the evolution of technology and online practices, primarily, the popularity of social networking and use of smartphones to access the Internet and provide location information.

FTC Enters into Consent Decree with Skid-e-Kids for COPPA Violations

By David M. Silverman

The operator of the Skid-e-Kids website, a self-described “Facebook and MySpace for kids,” has learned that it is not enough merely to have a privacy policy that requires parental consent prior to obtaining personal information online from children under the age of 13. Such website operators must actually abide by that policy as well. The Federal Trade Commission (FTC) reinforced that lesson via an enforcement action and settlement with the company this week.

EPIC Files FTC Complaint against Verizon Wireless

By Bob Scott and Rob Morgan

The Electronic Privacy Information Center (“EPIC”) filed a complaint on October 28, 2011 with the Federal Trade Commission (“FTC”) urging the FTC to investigate whether Verizon Wireless has engaged in “unfair and deceptive trade practices” by changing some of its data collection and disclosure practices. The public interest group alleges that Verizon Wireless’s prior customer agreements said that the company would not collect or disclose to third parties (such as advertisers) location information and other data without first obtaining users’ affirmative consent, and claims that Verizon Wireless’s recent announcement that it will track and share this kind of data in anonymized form violated this promise to customers.

FCC Expands Upward Adjusted Forfeiture Regime from Faxes to Prerecorded Calls

Building on last summer’s orders in two separate cases (discussed here and here) announcing it will make “upward adjustments” to fines against repeat violators of the “junk fax” law and rules, the Federal Communications Commission has now issued a notice of apparent liability (NAL) expanding that approach to prerecorded call violations, which are regulated under the same law and rules. In proposing to fine Travel Club Marketing Inc. and related entities nearly $3 million, the FCC makes clear its intolerance for repeat offenders, particularly when they attempt to mislead the agency and consumers.

New DWT PaymentLawAdvisor Post on MasterCard and Visa Targeted Advertising Initiatives

Regular visitors to this site might want to also bookmark and/or regularly visit our newly launched PaymentLawAdvisor, which provides commentary and resources on the payment industry, and frequently addresses privacy and security issues as they relate to retail payments.

Presently, you can view PaymentLawAdvisor’s recent post about plans by Visa and MasterCard to push into the targeted ads and offers business.  After a recent Wall Street Journal article (subscription required) discussed those plans and how they aspire to link vast amounts of payment card transaction data with other cardholder personal data (such as Internet browsing habits, social network websites, credit bureaus, insurance claims, and even DNA databanks), the companies faced scrutiny from Senate Commerce Committee Chairman Jay Rockefeller (D-W. Va.), who sent them letters requesting more information about the privacy implications of their plans.  As PaymentLawAdvisor explains, such marketing tactics require careful structuring in order to comply with consumer privacy protections under the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”).

First Circuit Case Becomes One of First Successful Attempts to Assert Data Breach Class Action Liability

By Erin Nedenia Reid

In a departure from the recent trend of courts refusing to allow data breach claimants to seek mitigation damages, the First Circuit recently held in Anderson v. Hannaford Bros. Co. that credit and debit card payment processors may be held liable for mitigation damages in the wake of targeted card-number theft by a criminal enterprise.  In Hannaford, the appeals court reversed a decision below that dismissed negligence and implied contract claims arising out of a 2007 breach of grocer Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit and debit card numbers.  The First Circuit’s decision suggests credit and debit card payment processors may be at a higher risk than previously thought of facing viable class action claims in the wake of data breaches.

Congressmen ask FTC to Investigate Internet Use of "Supercookies"

By David M. Silverman

Two Congressmen have written a letter to the Federal Trade Commission (FTC) asking the FTC to investigate certain websites’ use of “supercookies” to track the activities of website visitors after they have left the website, and without their knowledge. The letter, written by Congressmen Joe Barton (R-TX) and Ed Markey (D-MA), is based on an August Wall Street Journal article discussing the practice. The cookies have become a key issue because of concerns that they may be placed without the knowledge of computer users and are practically invisible to them. So-called “supercookies” differ from traditional HTTP cookies that track user data in that they are small data files stored outside the browser’s cookie jar, within Adobe Flash (as “local shared objects”) and elsewhere, so they remain on users’ computers even after browsing history, cookies and cache are cleared, and they can be set or read even when browsing in “private browsing” mode.
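The persistence the letter is concerned with comes from a tracker keeping copies of its identifier in storage that the browser’s “clear cookies” action does not touch, and re-creating (“respawning”) the ordinary HTTP cookie from any surviving copy on the visitor’s next page load. The following is an added example, not code from the article, the letter or any site named in them; the three storage backends are plain in-memory objects standing in for the browser cookie jar, Flash local shared objects and HTML5 local storage (constructed stand-ins, not real browser APIs), and the identifiers are made up.

```javascript
// Added example: models identifier "respawning", the mechanism behind the
// "supercookie" reports. The backends below are in-memory stand-ins for
// real browser storage (constructed for this example, not browser APIs).

const ID_KEY = 'trk_id'; // name the tracker uses in every backend (assumed)

// One visitor's browser, with every place the tracker writes its identifier.
function makeBrowser() {
  return {
    cookies: {},      // ordinary HTTP cookies: removed by "clear cookies"
    flashLSO: {},     // Flash local shared objects: not touched by that action
    localStorage: {}, // HTML5 storage: also not touched by "clear cookies"
  };
}

// Tracker-side logic, run on every page load: if ANY backend still holds the
// identifier, copy it back into all of them; otherwise mint a fresh one.
// Returns the identifier in use and whether it was recovered from a leftover.
function respawn(browser, newId) {
  const stores = [browser.cookies, browser.flashLSO, browser.localStorage];
  let id = null;
  for (const s of stores) {
    if (s[ID_KEY]) { id = s[ID_KEY]; break; }
  }
  const respawned = id !== null;
  if (!respawned) id = newId;
  for (const s of stores) s[ID_KEY] = id; // re-seed every backend
  return { id, respawned };
}

// What the browser's "clear cookies" control actually does: cookie jar only.
function clearCookies(browser) {
  browser.cookies = {};
}

// What a user would have to do to genuinely shed the identifier.
function clearEverything(browser) {
  browser.cookies = {};
  browser.flashLSO = {};
  browser.localStorage = {};
}

// Audit helper: names of backends still carrying an identifier.
function survivingStores(browser) {
  return Object.entries(browser)
    .filter(([, store]) => Boolean(store[ID_KEY]))
    .map(([name]) => name);
}

// Walk through one visitor's experience and return the observable results.
function demo() {
  const b = makeBrowser();
  const first = respawn(b, 'id-0001');   // first visit: fresh identifier
  clearCookies(b);                       // user clears cookies...
  const leftovers = survivingStores(b);  // ...but two backends still hold it
  const second = respawn(b, 'id-0002');  // next visit: old id comes back
  clearEverything(b);                    // wipe every backend
  const third = respawn(b, 'id-0003');   // only now does the tracker lose it
  return { first, leftovers, second, third };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the walk-through, clearing only the cookie jar leaves the identifier in the other two backends, so the next call to respawn() silently restores the original id; only clearEverything() forces a fresh one. survivingStores() is the kind of check a privacy review would run after a simulated clear, and is the reason the letter treats these identifiers as “practically invisible” to users.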

FTC Settlement Ups Ante on Need for Prior Express Consent to Lawfully Text-Message

Texting Absent Consent Now Subject Not Only to FCC Fines and Private Damage Claims, But FTC Enforcement As Well?

By Ronald G. London

The Federal Trade Commission (FTC) has settled an enforcement action with the sender of “loan mod” text messages and emails that, while unremarkable in alleging the contents were deceptive, is notable for treating the mere sending of unsolicited text messages as sufficient to trigger FTC authority to punish unfair and deceptive acts, practices, and methods of competition. The FTC action against the texts also is significant because text-message violations generally fall within the bailiwick of the Federal Communications Commission (FCC)—not the FTC—and laws and rules governing automated/prerecorded calls to cell phones. Under those rules, regardless of a text message’s content, prior express consent is required before sending. The FTC’s current action suggests it is reserving the right to pile on as well, if those rules are not followed.

European Data Protection Group Rejects Industry Proposal for Compliance with New Cookie Requirements

By Robert (Bob) Stankey and Adam Shoemaker

On Sept. 14, 2011, the European Union’s Article 29 Data Protection Working Party warned that an industry-sponsored online behavioral advertising (OBA) framework will not satisfy the requirements of new EU data privacy laws. The OBA framework, which was discussed in a Sept. 21, 2011 webinar by DWT attorneys Bob Stankey and Adam Shoemaker, is designed to provide website users with notice that behavioral advertising is being used, and to give them the opportunity to opt in or out of the cookies that these programs deploy. In its current form, the OBA system is manifested through a distinctive icon at the corner of web-based advertisements. Clicking on this icon permits the user to learn more about the advertising system and provides an opportunity to reject cookies.

FTC Children's Online Privacy Protection Act (COPPA) Rule Update Underway

The recent Federal Trade Commission (FTC) proposal to update its Children's Online Privacy Protection Rule (COPPA Rule) has hit the Federal Register.  As discussed in our advisory issued when the rule came out, which can be found here, this is the first time in the decade-plus history of the Rule that the FTC has proposed amendments.  The FTC seeks to update the rule to account for changes in technology and online practices, primarily, the popularity of social networking and use of smartphones to access the Internet and provide location information.

Insofar as COPPA is designed to provide notice to parents and secure their verifiable consent prior to online collection and use of personal information from children under the age of 13, the changes could require significant operational changes for websites covered by the Rule.  Perhaps more importantly, COPPA is seen by some as a model for more general, farther-reaching regulation of uses of personal information, as we describe here.  Consequently, changes to the COPPA Rule to address many of the same technologies and practices that are at the center of privacy debates generally may resonate therein.  The FTC's proceeding is thus one that bears close attention.

Appeals Court Widens Split of Authority on Federal Court Jurisdiction Over Telemarketing Litigation While Raising Financial Stakes for Defendants

The U.S. Court of Appeals for the Sixth Circuit recently issued a decision in Charvat v. NMP, LLC that addressed significant issues pertaining to federal court jurisdiction and statutory damages for telemarketing litigation arising under the Telephone Consumer Protection Act (TCPA). The decision is significant because it widens the split in the federal appeals courts on whether claims under the TCPA, which provides consumers private rights of action, can be brought under “federal question” jurisdiction in federal courts rather than only in state courts. It also is significant because, insofar as the TCPA provides for statutory damages of $500 per violation, trebled for “willful” violations, the Court allows that amount to be multiplied in some circumstances if several violations occur on a single call.

France Implements New Cookie Consent Requirements, Data Breach Disclosure and Notification Rules

By Robert (Bob) Stankey and Adam Shoemaker

On August 24, 2011, in accordance with the EU’s recent revisions to the 2002 e-Privacy Directive, France implemented a law introducing new consent requirements for electronic cookies as well as disclosure and notification rules related to data breaches. The French ordinance complies with the revised e‑Privacy Directive by requiring user consent before websites can track visitors with cookies. However, it permits this consent to be obtained from the setting of parameters or other communication system preferences under the user’s control, which means that browser settings may be sufficient prior consent.

FTC Announces First-Ever COPPA Enforcement Action Against Mobile Apps

By David Silverman

The Federal Trade Commission (“FTC”) announced that it has obtained a consent decree requiring payment of a $50,000 penalty for violations of the Children’s Online Privacy Protection Act (“COPPA”) and FTC rules implementing it, marking its first ever COPPA enforcement proceeding involving mobile phone applications (“apps”). The new app enforcement action follows in the wake of another FTC action brought this past spring involving “virtual worlds” that resulted in the largest COPPA civil settlement to date. The enforcement actions show an FTC branching out from traditional websites that may collect children’s personal information (“PI”) to newer media, even while it is in the midst of a proceeding weighing whether and how it should update the COPPA rules to address new platforms and online apps through which children’s PI can be collected.

Congressional Subcommittees Hold Consumer Data Privacy Hearing Featuring Testimony by FCC, FTC and NTIA

By Jim Smith

On July 14, 2011, two Subcommittees of the House Energy and Commerce Committee – the Commerce, Manufacturing and Trade Subcommittee chaired by Rep. Mary Bono Mack (R-CA) and the Communications and Technology Subcommittee chaired by Rep. Greg Walden (R-OR) – held a joint hearing that the subcommittees said will “kick off a series on privacy issues to examine how information is collected, protected, and utilized in an increasingly interconnected online ecosystem.” The hearing featured testimony by FCC Chairman Julius Genachowski, Federal Trade Commission (FTC) Commissioner Edith Ramirez, and Assistant Secretary of Commerce Larry Strickling, the Administrator of the National Telecommunications and Information Administration (NTIA). The hearing indicated significant interest in prospective online privacy legislation, with unusually strong participation by subcommittee Members including the Chairman of the full Committee, Fred Upton (R-MI), and ranking Democrat Henry Waxman (D-CA). Several Members noted their heightened consumer privacy concerns in the wake of the past week’s revelations of voicemail and e-mail hacking in Great Britain, and near unanimous interest in strengthening online protection for the privacy of children.

Internet Privacy Class Actions

In today’s cyberworld, operating in online and social media can put companies in a special class. Unfortunately, that class could mean a class action lawsuit. Websites and social media provide search engines, website operators, and advertisers powerful ways to obtain and monetize data about users. Jimmy Nguyen explores how this power has triggered public and governmental concern about consumers’ online privacy, even leading to a Wall Street Journal investigative report in August 2010 and a wave of class action lawsuits. To read more, click here.

Six Tips for Compliance with Europe's New Cookie Rules

By Robert F. Stankey and Adam Shoemaker

While the European Union’s deadline for implementing new cookie rules has passed, substantial uncertainty remains about what organizations should do to make their online activities compliant. In this advisory we offer six practical tips for dealing with the uncertainty.

New Court Decision Upends U.C.C. Rule Typically Applied, Holds Bank Liable for Unrecovered Funds from a Phishing Attack

By Micah Ratner

A U.S. District Court in the Eastern District of Michigan has issued its decision in Experi-Metal, Inc. v. Comerica Bank, holding that a bank—instead of the bank’s customer—was liable for $560,000 in unrecovered funds from a phishing attack. The case is noteworthy because a customer is typically liable for unauthorized transfers under Uniform Commercial Code (“U.C.C.”) Article 4A. Under U.C.C. Section 4A-202, the customer is responsible for unauthorized transfers if (1) the bank and customer agree that the bank will authenticate transfers through a security procedure, (2) the security procedure is commercially reasonable, and (3) the bank accepted the transfer in good faith and in compliance with that procedure.

FTC Urges "Privacy By Design" for Mobile Device and Social Media Data Collection As Well

By Brian Nixon

On June 28, 2011, the American Bar Association’s science and technology law section held a teleconference to discuss the topic “Law of E-Tracking: Is Your Phone Too Smart, Your Media Too Social, and Your Advertising Misbehaving?” The teleconference addressed, among other things, effective best practices for companies that collect, use and share information about consumers when they use location based services (“LBS”) on mobile devices and/or social media sites.

FCC Adopts Rules Implementing Truth in Caller ID Act

Check out our just-posted advisory offering an overview of the FCC Report and Order adopting rules implementing the Truth in Caller ID Act.  The Act, and now the FCC’s rules implementing it, target “spoofing,” i.e., manipulating the phone number displayed by caller ID devices so that call recipients see a number other than that from which a call originated.  In particular, the statute and regulations prohibit spoofing accompanied by an intent to defraud, cause harm, or wrongfully obtain anything of value, and allow the FCC to impose substantial penalties for violations.

As the FCC’s R&O explains, malicious spoofing practices range from those involved in attempts to gain unauthorized access to voicemail accounts, to identity theft, to stalking, and even to false emergency calls to law enforcement for the purpose of eliciting responses from SWAT teams.  Our discussion of how the Act and rules seek to combat such malfeasance, and how they avoid ensnaring legitimate practices, can be found here.

Two Bills Introduced on Use of Mobile-Device-Location Data

By Rob Morgan

Two new bills propose to place limits on government and industry use of mobile users’ location data. The bills would require users’ permission for industry to share geolocation data. They would also require probable-cause warrants for law enforcement agencies to use mobile-device-location data to track individuals.

FCC Does Not Hesitate in Flexing New Junk Fax Enhanced Forfeiture Muscles

Also Reinforces That Faxes Need Not Be Ads, But Only a "Prelude" to Marketing, to Violate Junk Fax Rules

Less than two weeks after we reported on the Federal Communications Commission’s announcement that it would henceforth make “upward adjustments” to its fines against repeat violators of the statute and rules governing unsolicited fax advertisements, the FCC has issued another enhanced forfeiture, this time adding $150,000 to more than double the fine that would have applied otherwise. The nearly $300,000 proposed fine underscores how serious the FCC is about establishing an effective deterrent to repeated violations. The proposed fine is also a reminder that even faxes offering things for free (in this case, listings in a directory) can fall within the “junk fax” ban if they are part of an “overall advertising campaign” to sell goods or services.

Three Federal Courts Rule that the Intended Target, Rather Than the Actual Recipient, Can Govern Whether "Robocall" Liability Lies for Calls to Wrong Numbers

By Ryan Gist and Ronnie London

In separate cases in different jurisdictions, one federal appeals court and two district courts recently held that, just because companies using autodialers reach someone other than their intended target, they do not lose the protection of exceptions in the law that depend on the relationship between the company and the person it is attempting to call. Since impermissible automated calls can lead to statutory damages of up to $1,500 per call (as well as fines by federal agencies), the decisions are good news for companies that rely on autodialed and prerecorded calls but may not always be in a position to know when current or former customers’ phone numbers are reassigned, and/or if they have moved from a previous address. It is also particularly good news for those who may need to place such automated calls to cell phones, where the federal prohibition is tightest and the exceptions to it are narrowest.

The recent cases arise under the Telephone Consumer Protection Act (TCPA) and Federal Communications Commission (FCC) rules implementing it, which together prohibit automated and prerecorded calls, with certain exceptions. With respect to cell phones, the TCPA and rules prohibit automated/prerecorded calls unless there is prior express consent from the called party (or the call is for emergency purposes). As to residential (land) lines, they impose the same prohibition, but the statute also specifically allows the FCC to create categorical exemptions for some calls.


Recap of A Summary of Privacy Issues for Broadcasters and Other Media Companies

Recently, the editors of this blog and of DWT's Broadcast Law Blog held a joint webinar for the Texas Association of Broadcasters that explored the landscape of privacy issues that media companies may face.  Subjects ranged from those that arise in the context of news-gathering, news-reporting and advertising, to those implicating “robo-calling,” telemarketing and “spam,” to online issues involving collection of personal information about children and/or for targeted ads and app use, and data security.

There is a summary of the presentation on the Broadcast Law Blog, and the slides from the session, which provide a good outline of many of the basic legal concepts that arise in connection with privacy issues, are available here.

FCC Ups the Ante on "Junk-Fax" Fines for Repeat Offenders

A proposed $315,000 fine against The Street Map Company for unsolicited fax advertisements suggests the Federal Communications Commission is losing its patience – to the tune of tens of thousands of dollars in extra fines – with companies that repeatedly send “junk faxes” even after the agency has cited them, and gone so far as to propose fines, for such conduct.  And, the FCC’s notice of apparent liability (“NAL”) goes on to say, it plans to increasingly impose such “upward adjustments” in junk fax fines in similar cases in the future.


FCC Announces Public Forum on Location Based Services for Mobile Devices

On June 28, 2011, the FCC's Wireless Telecommunications Bureau, in conjunction with staff from the FTC, will hold a "public education forum" to discuss, among other things, industry best practices and the benefits/risks of "Location Based Services" for smartphones and other mobile devices.  The forum is expected to include members from industry and technology companies as well as consumer groups and academia.  In connection with the forum, the FCC is accepting comments about LBSs.  Together, the forum and comments are expected to help inform a forthcoming FCC staff report on LBS.

The LBS forum is one of the many events in Washington concerning mobile privacy, an issue that has become quite the hot topic in the wake of concerns regarding LBS use by Apple and Google.  As we discussed earlier here, the Senate Judiciary Committee's new Subcommittee on Privacy, Technology and the Law already held a hearing about Apple and Google's policies on location-based information.  These two companies, in addition to Facebook and other organizations, are again expected to appear on the Hill tomorrow to discuss mobile privacy and protections, this time before the Senate's Consumer Protection, Product Safety and Insurance Subcommittee.  Indeed, federal legislation has already been introduced that would regulate "geolocation" data of teenagers and children, as well as general commercial practices for the collection, use and sharing of personal information (which we discussed in detail here).

Parsing the FTC's Comments in the FCC's Telemarketing Inquiry into "On Behalf of" Calls

Has the FTC Missed the Point, or is it Subtly Seeking to Expand Liability?

The Federal Trade Commission recently announced that it filed comments in a Federal Communications Commission declaratory ruling proceeding aimed at determining the scope of TCPA liability for companies when third-party vendors make unlawful telemarketing calls.  The FTC urges the FCC to rule that when a company that provides goods or services allows a third party to offer them, calls placed by that third party qualify as calls made on behalf of, and initiated by, the company that provides the goods or services, even though that company did not place the call.  But the FTC's comments are unclear as to how far it seeks to have the FCC go in this regard, and that lack of clarity serves to obscure whether the FTC has avoided the core question, or is really seeking to impose substantially broader telemarketing liability.


Operators of Online "Virtual Worlds" Agree to Largest Civil Settlement of COPPA Complaint to Date

By Micah Ratner

While over on the Hill the question was whether the Children’s Online Privacy Protection Act (“COPPA”) could be a springboard to “bigger and better” regulatory things, the Federal Trade Commission made news by enforcing the existing statute to elicit the largest civil settlement under the FTC COPPA Rule to date. On May 11, 2011, Playdom, Inc., an operator of over 20 “virtual online worlds,” agreed to pay $3 million to settle FTC claims that it violated COPPA by collecting and disclosing personal information from hundreds of thousands of children under 13 without prior parental consent.

Playdom’s websites were geared toward general audiences but also attracted children, and one of the online worlds called “Pony Stars” was specifically directed at children. The complaint also alleged that Playdom’s privacy policy violated the FTC Act (related to unfair or deceptive acts or practices) by misrepresenting that it would prevent children from posting personal information on its sites. The FTC noted that by summer’s end 2010, Playdom had terminated most of the online worlds at issue, though some continued in operation for several months by non-U.S. based providers, before shutting down as well.


DWT Advisory: New Do-Not-Track Bills Target Online Behavioral Marketing and Mobile Apps

By Paul Glist

Two new “do-not-track” privacy bills would impose new restraints on online tracking, behavioral marketing, and the use of mobile application and geolocation data. Rep. Markey introduced his discussion draft with his co-chairman of the House privacy caucus, Rep. Barton. Their “Do Not Track Kids Online” bill would build on the current Child Online Privacy Protection Act (COPPA), which requires parental consent for collecting and using personal information online from children under 13.

Using the political hook of protecting children, the bill proposes to convert COPPA into a framework extending to online and mobile apps, and to tracking and marketing to all those under 18—in the process imposing age verification requirements and other processes that may redefine the apps and mobile experience for all users. Sen. Rockefeller’s version, the “Do Not Track Online Act of 2011,” would simply grant the Federal Trade Commission (FTC) the power to define and adopt the comprehensive do-not-track regime the FTC recommended in December 2010 (which we discussed in detail earlier).


Senators Grill Apple and Google over Location Tracking and Privacy

By Rob Morgan

During the maiden hearing of the Senate Judiciary Committee’s new Subcommittee on Privacy, Technology, and the Law chaired by Senator Franken, committee members pressed Google and Apple on how the companies use, collect, and share their customers’ location data, the notices they provide consumers, and the privacy standards they apply to third party applications. Online and mobile privacy issues have become Hill mainstays, but Franken scheduled his first hearing – Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy – in the wake of revelations that Apple’s iOS4 operating system for its iPhones and iPads collected and stored users’ location information even when they tried to turn off location services.

Among other things, the hearing helped underscore the extent to which the Hill has long been awaiting a specific proposal for reform of the Electronic Communications Privacy Act (“ECPA”), which would be expected to address concerns such as those involving location data. In fact, Senator Leahy, Chairman of the Judiciary Committee, indicated at the hearing that he would “soon” introduce an ECPA update to address some of these issues.


Does Dismissal of Flash Cookie Case Against Specific Media Signal Smoother Sailing for Targeted Advertising?

By Rob Morgan

Online advertisers may collectively be breathing a cautious sigh of relief following last week's dismissal by the U.S. District Court in the Central District of California of the class action in Genevive La Court, et al. v. Specific Media, Inc.  Plaintiffs had alleged Specific Media improperly used local shared objects ("LSOs," also known as "Flash cookies") to bypass web users' security settings to gather browsing information to support targeted ads.  The Court held that Plaintiffs failed to demonstrate specific harm needed to support standing to bring such a suit, but gave them leave to amend the complaint and try again.  Although Plaintiffs have said they intend to re-file, the Court pointed out other problems with the claims that could be difficult to overcome, even in a new filing.


FTC Enforcement Action Reminds That Sweepstakes Entries Are Not Express Permission or EBR for Telemarketing Calls

By David Silverman

The FTC entered a stipulated judgment and order with Electric Mobility Corporation, a company that sells power wheelchairs and electric scooters, to settle charges that it violated the Telemarketing Sales Rule’s (“TSR”) “do not call” restrictions by placing marketing calls to consumers who submitted sweepstakes entries that included their phone numbers. The FTC’s complaint, the settlement, and the monetary penalty paid under it, reinforce prior guidance that mere provision of a phone number on such entries or similar forms is not, under the TSR, “consent” to sales calls to households on the National Do-Not-Call Registry, nor does it create an “established business relationship” (or “EBR”) that allows such telemarketing.


Watch this Space - How Will Supreme Court Pharmaceutical Detailing Case Resonate in Privacy Debate?

This morning the Supreme Court heard oral argument in Sorrell v. IMS Health Inc. The case explores whether a Vermont law violates the First Amendment in prohibiting use of physicians’ prescribing histories by entities wishing to leverage the data for marketing. The case thus focuses principally on free speech jurisprudence, insofar as the Court has under review a decision that the state’s statute unconstitutionally restricts commercial speech. But at the same time, the issues arise against a privacy backdrop that implicates, among other things, use made of data reflecting individuals’ conduct for purposes of targeting marketing messages to them.


An Advertising Perspective on the Kerry-McCain and Stearns-Matheson Privacy Bills

By Paul Glist

Last week, Sens. John Kerry and John McCain and Reps. Cliff Stearns and Jim Matheson offered new privacy bills. The Kerry-McCain Senate bill and the Stearns-Matheson House bill each seek to apply a common set of fair information practices to virtually all businesses, online and offline, that collect information about consumers or consumer behavior. For the moment, both bills are directed to commercial and non-profit organizations (such as many online businesses) that are currently not under privacy regulation.


Commerce Releases Privacy Report; Recommends Industry Self-Regulation and Creation of Privacy Policy Office

By Paul Glist

On December 16, 2010, the Commerce Department released its own Privacy Report, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, suggesting a “revitalized” privacy framework that can protect consumer privacy, dynamic businesses and innovation, and promote better global data flow.  Like the Federal Trade Commission’s counterpart Privacy Report of December 1, 2010, this “green paper” is a first step inviting comment, but it adopts a markedly more balanced approach.  It invites more reliance on cooperative industry self-regulation, while proposing the creation of a Privacy Policy Office within the Commerce Department which could coordinate the Administration’s privacy policies here and represent the US abroad.


FTC Releases Privacy Report; Outlines New Framework for Privacy Protections and Do Not Track

By Paul Glist

The Federal Trade Commission has released its long awaited Privacy Report. The Report proposes a "normative framework" for new privacy protections that would cover the use of personal and profiling information across all industries, on and offline, and recommends a "do not track" law to limit online behavioral advertising.  (Copy of the FTC's Report is available here.)  The Report is something of a hybrid. It is positioned as a preliminary staff report for comment, but voted on by the FTC Commissioners (over cautionary statements by the Republicans). It is partly a companion and complement to Bobby Rush’s privacy bill; partly a call for rulemaking comments (by January 31, 2011); partly a call for better industry self-regulation; and partly a warning of more aggressive enforcement activity to come under existing law.

Premises. The Report renews an FTC refrain that the current framework for privacy enforcement needs updating. Consumers don’t read or understand privacy notices, so they cannot give informed consent. They have little or no idea that data profiles are assembled by parties with whom they have no direct relationship, and feel nervous that profiles are being used to deliver targeted advertising. Whether or not the profiles are “personally-identifiable” or de-identified, the “fear of being monitored” is harm in itself that should be addressed, and industry is not moving quickly enough. (These premises are questioned in the Republican concurring statements.)

Scope. Like the Rush bill, the Report proposes a framework for privacy that extends far beyond online advertising to all businesses that handle consumer data—online, offline, bricks and mortar—with to-be-defined exceptions for those that handle only small amounts.

Notice. Like the Rush bill, it encourages clear notices, ideally given to the consumer in a less-burdensome, standardized format at a time when it is meaningful and subject to easy comparison with other firms’ privacy notices.

Choice. Also like the Rush bill, it seeks a graduated level of consumer choice depending on use. “Commonly-accepted” uses, such as order fulfillment, service improvement, fraud detection, legal and law enforcement compliance, first-party advertising on the same platform, and possibly advertising by obvious affiliates, would be permitted without choice. Almost everything else is put in play: first-party advertising sent through different media, third-party advertising networks, data collection by an ISP, collection of “sensitive information,” and collection of any information about “sensitive users” like impulsive teens would all be subjected to a heightened level of choice. The Report punts on whether that should be opt-in or opt-out. The Report questions how far companies should be permitted to give “take it or leave it” offers, conditioning services on the use of consumer data. But at least it recommends a sliding scale, in which the level of protection afforded should be proportionate to the data and risks involved at each business.

Access. Any company that maintains data profiles—including third party data brokers—would be expected to provide some level of notice and access if the stored personal profile may be used for the denial of a benefit. Those with data profiles used for other purposes might respond to inquiries with a description of the kinds of information stored and an opportunity to opt-out. The Report reveals concern over the use of de-identified data, wondering how data can be effectively anonymized and how long it can remain anonymized as technology advances.

Privacy by Design, Security, and Data Minimization. The Report exhorts all businesses to adopt “privacy by design,” going beyond security, privacy officers and training to designing privacy into every product, service, and application with the same concern given to costs. The Report includes typical recommendations for collecting and retaining only the data needed for legitimate business uses, and asks how it should define what is “needed” and what is a “legitimate business use.”

Do Not Track. The FTC’s headline issue is recommending a “do not track” requirement. The current idea is to require modified browsers to send an HTTP header asking sites not to track for behavioral advertising. The Report does recite many of the “enormous benefits” of behavioral advertising and other technology advances such as free Internet content, online search, lower prices, global communication, and cloud computing. It also asks a few token questions about the impact that “opt-out” from behavioral advertising might have on Internet commerce and on the consumer experience online. But it asks far more about the mechanics of implementing “do not track.” The Report does not grapple with how much protection “do not track” would provide if it cannot control overseas servers, or does not reach email, web applications, mobile, or “offline” data.

Technological neutrality. As with the Rush and Boucher bills, the Report does not achieve technological neutrality. It carries forward a reflexive hostility to collecting data at the cable modem, while positioning advertiser supported companies at the edge to offer behavioral advertising with adequate notice and informed consent.

Next Steps. Because this Report is serving multiple purposes, it will be part of the privacy debate in many forums. It will be a feature at the December 2 hearing before Bobby Rush’s House Consumer Affairs Subcommittee; over the coming weeks before the January 31 deadline for comment on the Report and the FTC’s scores of specific questions; and before other agencies (such as the FCC or Commerce) which are also pursuing the privacy agenda.

City Of Ontario v. Quon: United States Supreme Court Rejects Police Officer's Lawsuit Claiming That City's Review Of His Personal Text Messages Was An Illegal Search

By Kelli Sager, Jeffrey Fisher, Rochelle Wilcox, and John (Rory) Eastburg

The United States Supreme Court has ruled unanimously that a California city’s audit of a police officer’s text messages was reasonable, and rejected a lawsuit claiming that the review violated the Fourth Amendment.  At the same time, the Court declined to issue “[a] broad holding concerning employees’ privacy expectations vis-à-vis employer-provided technological equipment,” on the ground that such a ruling “might have implications for future cases that cannot be predicted.”  Read more at www.dwt.com/LearningCenter, or click here.


FTC Enters Settlement With Purveyor Of Keylogger Software

By Ronnie London & Elizabeth Soja

On June 2, 2010, the FTC announced a settlement with a company that was selling and distributing spyware and providing customers with instructions for remotely installing that spyware on the computers of unsuspecting third parties.  The court’s final order requires CyberSpy Software, LLC and its owner to ensure that any download of “RemoteSpy” keylogger software now provides notice to the computer’s owner that the spyware has been downloaded onto the device.  The computer’s owner must also consent before the software can be installed.  Along those same lines, the order bans all advertising that says RemoteSpy can be installed surreptitiously on a computer without the owner’s knowledge.  The final order follows a preliminary order entered back in November 2008.

The FTC’s complaint against CyberSpy and its owner, filed in federal court in Florida in November 2008, alleged that the defendants provided “customers with instructions on how to disguise the software as an innocuous file, such as 'photos' or 'music' attached to an email, in order to send the software to another computer."  When the recipient clicked on the attachment, the software downloaded onto the device without the owner's knowledge.  Once the software was installed, it sent information regarding all activity from the computer to CyberSpy's servers via the Internet.  RemoteSpy customers could then “access this information by going to remotespy.com and typing in a password that they selected when signing up for Defendants' service,” according to the complaint.

The FTC alleged that these practices violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce.

ISP Host to Spam, Viruses, and Spyware Shuttered by FTC Enforcement Action

By Ronnie London & Micah Ratner

The FTC announced on May 19, 2010, that on April 8, a Northern District of California judge issued a permanent injunction shutting down an ISP—Pricewert LLC—that primarily hosted spam, botnets, trojan horses, viruses, child pornography, and spyware.  ICANN and other industry standards bodies have shut down ISPs that host illegal content, but the FTC’s enforcement action against Pricewert LLC marked the first instance where a federal district court permanently shut down a “rogue” ISP.

The FTC’s June 2009 complaint alleged that Pricewert “recruits, knowingly hosts, and actively participates in the distribution of illegal, malicious, and harmful electronic content” and “actively colludes with its criminal clientele in several areas, including the maintenance and deployment of botnets.”  The FTC’s evidence included transcripts of instant messages that showed senior Pricewert employees colluding with bot-herders to create and configure a botnet.  Pricewert also allegedly marketed its services in chat rooms for spammers, ignored take-down requests from the online security community, and shifted IP addresses for its criminal clients to evade detection.  The same month, the federal court issued a TRO and then a preliminary injunction against Pricewert based on the FTC’s allegations of unfair and deceptive practices under Section 5 of the FTC Act.

Also on April 8, the district court appointed a permanent receiver and determined the amount of disgorgement of profits.  The FTC reports that the ISP’s servers and assets were seized and will be liquidated.  The court cut an award of ill-gotten profits from $2.16 million to $1.08 million because the FTC was unable to submit sufficient evidence to show the percentage of Pricewert’s legitimate versus illegal activity.


Update on CAN-SPAM Complaint Mills' Tenuous Legal Posture

In our entry CAN-SPAM Complaint Mills - Time For A New Business Model?, pointing to our advisory on the Ninth Circuit’s decision in Gordon v. Virtumundo, Inc., we noted the court’s holding that private suits to enforce the CAN-SPAM Act are limited to bona fide Internet access service providers who genuinely suffer “adverse effects” attributable to email that violates the law, its recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.”

Yesterday, the Ninth Circuit built on that foundation, issuing its decision in Asis Internet Services v. Azoogle.com, Inc., which affirmed dismissal of a similar plaintiff’s CAN-SPAM claims, and an award of costs against it. Citing Gordon v. Virtumundo for the proposition that Asis did not meet the requirement of being adversely affected by the unsolicited emails it received, the court held “the mere cost of carrying SPAM emails over Plaintiff’s facilities does not constitute a harm as required by the statute.” It also held that while Plaintiff spent money on email filtering, the cost of email filtering did not increase due to the emails at issue, reinforcing that “such ordinary filtering costs do not constitute a harm.” The case thus maintains the high bar to CAN-SPAM complaints set in Gordon.

Maine Privacy Law Remains On The Books, But AG Won't Enforce It

By Robert J. Driscoll

We recently blogged (here) about a new Maine law that would restrict the collection and use of personal information from minors for marketing purposes.  Shortly thereafter, a coalition of educational and industry groups filed a lawsuit in the U.S. District Court in Maine, challenging the law on the basis that it violates the First Amendment and the Commerce Clause of the Constitution.  On September 9, 2009, the court entered a stipulated order of dismissal.  While determining that the plaintiffs had established a likelihood of success on their claims, the judge noted that the Attorney General, acknowledging the substantial legal issues raised by the new law, had committed not to enforce it.  The judge also pointedly stated in the order that “third parties are on notice that a private cause of action [under the new law] could suffer from the same constitutional infirmities,” in an apparent attempt to discourage private individuals from filing a private cause of action to enforce the law.  The legislature is expected to revisit the new law and to consider amendments that would address these infirmities in the upcoming session.

New Maine Privacy Law Restricts Marketing to Minors

By Robert J. Driscoll

The state of Maine recently passed a new law restricting the collection and use of health-related information and personal information of minors.  We have published an advisory containing some of the details.  The new law, which takes effect in September, is substantially more limiting than COPPA and will significantly impact the ability of marketers to communicate with Maine residents under age 18.  Read more at www.dwt.com/LearningCenter, or click here.

CAN-SPAM Complaint Mills - Time For A New Business Model?

Be sure to check out our advisory on Gordon v. Virtumundo, Inc.  There, you’ll find our review of the recent 9th Circuit decision clarifying that private suits to enforce the federal CAN-SPAM Act – apart from the FTC, state attorneys general, and other state/federal agencies statutorily authorized to bring claims – are limited to bona fide Internet access service providers who genuinely suffer “adverse effects” attributable to email that violates the law.  We also discuss the 9th Circuit’s recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.”  Read more at www.dwt.com/LearningCenter, or click here.

"Red Flag". . . or White Flag?

The latest in the ongoing saga/delay with regard to the effective date for those subject to the Federal Trade Commission’s version of the Identity Theft Red Flag Rules is that the FTC has announced that the deadline by which affected businesses must comply has been extended – yet again – to November 1, 2009.  This is the third extension of the compliance deadline, for which the “mandatory compliance” date was originally November 1, 2008.  It was later extended – first to May 1, 2009, then to August 1, 2009, and now to November 1, 2009 – after confusion arose as to whom the rules apply to and how to comply with them.  This raises the question, which the FTC itself has acknowledged, of whether Congress wrote the rules too broadly.

When the FTC announced the first extension, it stated it was stepping up outreach efforts to explain the rules to the various entities to which they apply.  With the second extension, the FTC released a “How-To Guide for Business” to assist those faced with complying.  Meanwhile, the FTC created a dedicated Red Flags Rule website, but rejected a request by the American Medical Association for clarification that the rules do not apply to doctors, which begat consternation over whether the rules could apply to lawyers as well.  With the ABA seemingly poised to take the FTC to litigation over the matter with the twice-extended compliance deadline nearly at hand, and confusion otherwise lingering generally, the FTC extended the compliance date again.

This time, the FTC stated it was extending the effective date yet again to “assist small businesses and other entities,” so that it could “redouble its efforts to educate them about … and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”  In particular, “redoubled” efforts are intended to assist small and low-risk entities who may face compliance concerns.  However, if it is truly “low risk” businesses on which the FTC is focused at this point, with three extensions (now totaling one year) needed to deal with any uncertainty among such “low-risk” businesses, does that validate previously-voiced concerns from the business community that the rules are too broad?  This may well be an area Congress should consider revisiting, and sooner, rather than later.

A $6 Million Reminder That FCC Still Has Work To Do On Telemarketing And Federal Preemption

Last week came news that DISH Network LLC signed an Assurance of Voluntary Compliance (“AVC”) with the Attorneys General of 46 states, in which it agreed to pay nearly $6 million – plus, potentially, additional restitution – and to modify its sales practices to settle claims that it failed to follow telemarketing do-not-call laws and engaged in unfair trade practices.  The agreement, which DISH executed with regulators from every state but California, Illinois, North Carolina, and Ohio, notes that among the alleged violations were failure “to comply with federal, state and/or local laws regarding telemarketing,” but denies any wrongdoing.  The AVC also called for DISH to comply with such state laws going forward.

The extent to which Attorneys General leveraged their states’ telemarketing laws in the settlement, and to require future compliance, is a troubling reminder that for more than half a decade the Federal Communications Commission (“FCC”) has sat on petitions, declaratory ruling requests, and other calls for it to follow through on its promise to preempt the application of state laws to interstate telemarketing if they differ from federal standards.  Specifically, when it joined the Federal Trade Commission to update federal telemarketing rules in 2003, including the creation of a National Do-Not-Call Registry, the FCC established certain limitations on the application of state law thereafter.  It said its rules implementing the Telephone Consumer Protection Act (“TCPA”), which underlie the Registry, would serve as a “floor” with respect to all interstate and intrastate telemarketing calls.  That is, federal rules would govern all interstate calls, and with respect to intrastate calls, state rules that were less restrictive than their federal counterparts were preempted.  And, while the TCPA allows states to impose more restrictive rules on intrastate calls, the FCC said its rules would “almost certainly” preempt the application of such laws to interstate calls.  It also said that, rather than establishing blanket preemption (as with less-restrictive state laws), it would address preemption of such laws on a case-by-case basis.

In the ensuing years, in the related context of unsolicited fax ads, the TCPA’s preemption provision, which applies equally to the law’s telemarketing and fax provisions, was interpreted in accord with the FCC’s position.  At the same time, multiple petitions were filed, targeting sundry state laws, asking that the FCC preempt various state telemarketing prohibitions or requirements.  In other cases, trade associations asked the FCC to impose 50-state preemption with respect to certain state laws and rules.  Some of these petitions have languished since 2004, or even 2003, and while the FCC has sought comment, all these matters remain pending.

The AVC that DISH has entered with all but four states requires it to comply with state telemarketing rules that likely were preempted by federal law.  This is a significant reminder that the FCC needs to bring closure to this issue.  Indeed, it is likely that many of the calls at issue in the DISH enforcement action were interstate in nature and should not have been subject to state laws that differ from the TCPA rules.  The point is not that, if preemption were clarified by the FCC, the issues surrounding DISH’s marketing practices would have disappeared.  Nonetheless, the settlement serves as a hefty reminder that telemarketers making interstate calls still face state laws that differ from – and as the FCC has said, are “almost certainly” preempted by – federal regulations intended to unify the rules in this area and to eliminate the patchwork of state requirements and prohibitions.  Perhaps, now that a new FCC installed by a new administration is poised to be at full strength, there is an opportunity to complete this last piece of long-unfinished business.

Advertising Industry Publishes Self-Regulatory Principles for Online Behavioral Data Collection

By Robert J. Driscoll, Paul Glist and Jennifer Small

On July 2, 2009, a group of advertising industry associations published the Self-Regulatory Principles for Online Behavioral Advertising (PDF)—a set of guidelines concerning the collection and use of online behavioral data by advertisers, service providers, publishers and ad networks.

The principles, drafted by the American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB) and the Council of Better Business Bureaus (BBB), focus on the areas that the Federal Trade Commission (FTC) has identified as desirable for industry self-regulation.  The principles set forth recommended practices for providing consumers with greater control over online behavioral advertising.

These proposed self-regulatory principles arise against a backdrop of growing political and consumer awareness of privacy issues.  FTC Chairman Jon Leibowitz has twice warned the industry that it is facing the “last clear chance” to avoid specific governmental regulation.  The FTC has stepped up enforcement action in the area, recently proposing an order against Sears that treats formal notices of Web tracking buried in fine print as “unfair” or “deceptive” under current law.

This advisory provides a brief overview of the new principles.  Businesses involved in online behavioral advertising should be aware of them and consider taking steps toward their implementation.

Of particular note is an enhancement of consumer notice and education about the collection and use of predictive profiling information, with new, easier-to-use tools for consumers to “opt out” of such collection and use by online ad networks.   In addition, the principles propose more significant restrictions on service providers—specifically, Internet service providers and providers of desktop application software such as browsers and tool bars—who would be permitted to engage in the collection and use of data for online behavioral advertising purposes only on an “opt in” basis.

The principles do not address display advertising or contextual advertising; rather, they focus on advertising targeted to the user based upon data regarding that user’s activities across various Web sites, a practice that has attracted considerable political attention.

The proposed requirements are summarized briefly below.

  • Transparency.  Online behavioral advertising will be accompanied by enhanced notice to consumers.  Among other things, the principles contemplate that a uniform link or icon indicating that behavioral data is being collected will be displayed in or around behavioral ads.  In addition, ad networks and other entities that collect and use data from others’ Web sites would be required to include notices of their online behavioral advertising practices on their Web sites, along with a mechanism for consumers to opt out of the collection and use of behavioral data.  Service providers would also be required to provide online notices of their behavioral advertising practices, and Web sites at which behavioral data is collected would be required to display links to the ad networks’ notices.
  • Consumer control.  The principles require entities involved in online behavioral advertising to provide users with a means of controlling the collection and use of data relating to them. Ad networks could satisfy this obligation by providing a means for consumers to opt out of such data collection and use.  Service providers, on the other hand, would be prohibited from collecting or using data for online behavioral advertising purposes without securing affirmative consumer consent, i.e., by deploying an opt-in mechanism.
  • Data security.  Data will be reasonably secured and discarded when no longer necessary to fulfill a legitimate business or law enforcement purpose.  This principle extends to offer reasonable assurances that the anonymization process will prevent the re-identification of anonymized profiles.
  • Material changes.  Consent is required for any retroactive material change in the use of collected data.
  • Sensitive data.  Children known to be under 13 are provided additional protections, as is health and financial data.  The principles note that what is “sensitive” information may change over time.
  • Accountability.  Enforcement of the principles will be handled principally by nongovernmental bodies, perhaps analogous to the Children’s Advertising Review Unit of the Better Business Bureau with respect to children’s advertising issues.  Enforcement mechanisms may include internal and third-party monitoring and self-reporting systems, and possible reports to the applicable government agencies in the event of an uncorrected violation.
  • Education.  Participants are encouraged to educate individuals and businesses about online behavioral advertising.  It has been reported that industry groups expect to conduct a large educational campaign—on the order of 500,000,000 impressions—over the next 18 months.

Currently key House members are drafting new legislation on online privacy.  We expect that even if such legislation is pursued, it may still provide room for effective self-regulatory programs to operate.   In the meantime, the BBB will spearhead implementation of the Self-Regulatory Principles for Online Behavioral Advertising, with an implementation program expected to be launched by early 2010.

Has The 9th Circuit Raised The Bar For Text-Message Affiliate Marketing?

Did text-message advertising get more difficult after last week’s decision by the U.S. Court of Appeals for the Ninth Circuit in Satterfield v. Simon & Schuster, Inc.? Perhaps so, but not principally for reasons cited by many accounts and commentators reporting on the case.

Satterfield, the recipient of a text message advertising a Stephen King novel sent by its publisher as part of an outsourced promo campaign, sued Simon & Schuster (and outsourcer ipsh!) under the Telephone Consumer Protection Act (“TCPA”), which prohibits (among other things) “calls” to numbers assigned to cellular and similar services sent by an automatic telephone dialing system (or “ATDS”). Simon & Schuster defended on grounds the ad was not delivered by an ATDS as defined by statute, and that text messages are not “calls” as the TCPA requires. It also claimed the text fell under the law’s consent exception insofar as Satterfield received it after registering at Nextones.com (to allow her minor son to receive a free ringtone), where she agreed to terms and conditions (“T&Cs”) that included accepting on the registered cell phone promotions from the website’s affiliates and brands. Initially, Satterfield was turned aside on summary judgment when the trial court held the text was not sent by an ATDS and that Satterfield consented to its receipt (and thus did not reach arguments that text messages are not “calls” under the TCPA).

Last week, the Ninth Circuit reversed. It found, given dueling expert testimony, a material fact question that needed to be tried, as to whether the equipment that sent the text was an ATDS. It also held, based on Federal Communications Commission (“FCC”) pronouncements, and on the law’s legislative history and intent, that text messages are “calls” under the TCPA. This part of the decision became the headline in much reporting and commentary on the case, not to mention speculation about what it means to marketers. But classifying text messages to phone numbers as ATDS transmissions is hardly news – the FCC said they were over five years ago, and reiterated as much in adopting rules under the CAN-SPAM Act (which govern mobile service commercial messages to email addresses, which differ from text messages to phone numbers), so that question was never in serious doubt. Rather, the more intriguing aspect of the Ninth Circuit’s decision (in my view), which received less attention, comes in its last few pages.

There, the court rejected claims that the text message was allowed based on consent Satterfield gave at the Nextones website to receiving promotions from its affiliates and brands. Rather than viewing who could be an “affiliate” of Nextones in more colloquial terms – which is the tone for which many online T&Cs and privacy policies strive in order to make them more consumer-friendly – the Ninth Circuit construed “affiliate” as having “independent legal significance” so as to require a corporate relationship between the entities “by shareholdings or other means of control.” Since Nextones and Simon & Schuster are not commonly controlled, the court reasoned, the publisher could not be an “affiliate” of Nextones from whom Satterfield consented to receive texted ads. The court took a similarly narrow view of “brands,” holding they are “commonly defined” as “goods identified as being … of a single firm,” so since the text message advertised a product of Simon & Schuster, not Nextones, consent did not exist on this basis, either.

The decision thus raises the question of how a company’s website (and other peripheral materials) must identify third parties who may market to the company’s consumers, in order for consent, such as that contemplated by the TCPA, to encompass those third parties. If describing them as “affiliates” will not suffice – and, one would think, the prospect exists of courts like the Ninth Circuit imposing legally specific definitions on, or otherwise finding equally insufficient, other commonly used colloquialisms such as “partners,” “clients” or “co-marketers” – how are companies to describe such third-party marketers in a way that is both understandable and succinct, while still being meaningful to consumers? That, I believe, is among the principal challenges facing marketers in the wake of the Ninth Circuit’s Satterfield decision.

We're Baaaaaaack.

Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:

(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?

Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.

So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:

Rather than a long list of bloggers, you will be getting regular updates from just five of us – and henceforth there will be no more posts in this annoying third-person, royal we, voice. We may have some guest bloggers on occasion, but for the most part you can level any criticisms at the following:

Bruce Johnson, our Burgermeister-Meisterburger, who will be blogging on the topic of Personal Communications (blogging, employee/employer relations, etc.)

Randy Gainer, who will be captivating you with stories about the Government Surveillance (ECPA/CFAA, CALEA, REAL ID/travel issues, etc.)

Charlene Brownlee, who is by far the most stylish among us (and who will be blogging on the subject of Data Breaches and identity-theft laws)

Ronald London, who will endeavor to keep an eye on Congress and will be blogging about telemarketing, junk fax, CAN-SPAM, behavioral/advanced advertising, and CPNI (which we’ll call Marketing and Consumer Privacy)

Lance Koonce, who will try not to mangle any stories about Online Threats such as hacking, phishing, pharming, pretexting, malware/spyware, and offline versions such as dumpster diving and the theft/loss of data-containing devices.

We do not purport to be a source for all news that touches on privacy and security – the field has exploded and aggregating such information would be a full-time career. Rather, we hope to tease out interesting aspects of specific issues within our areas of coverage. We hope you’ll take a look, and keep coming back if what you see intrigues you.

Thanks,

The PrivSecBlog Team


And by the way:

The Lakers.
Ratings. And possibly bad karma.