Be sure to check out our new advisory examining the joint policy statement that the Federal Trade Commission and Department of Justice issued to facilitate companies’ sharing of cybersecurity information. The policy statement seeks to reduce uncertainty under antitrust laws for companies wishing to share strategies for preventing and combating cyber-attacks, by stating the agencies’ analytical framework for such information sharing under their longstanding Antitrust Guidelines for Collaborations Among Competitors. As explained in the advisory, the new policy statement should be helpful as far as it goes, but companies should still proceed cautiously so as not to stray into the area of prohibited concerted activity, and should keep in mind that the new statement does not reduce potential liability under electronic privacy laws for the disclosure of communications or personal information related to cyber threats. You can read the advisory here.
Eleventh Circuit Adopts Seventh Circuit Jurisprudence Imposing Strict TCPA Liability on Autodialed and Prerecorded Calls and Texts
The United States Court of Appeals for the Eleventh Circuit issued a decision in Osorio v. State Farm Bank aligning that court with the Seventh Circuit on how Telephone Consumer Protection Act (TCPA) restrictions on automated and/or prerecorded calls and texts to cell phones can effectively impose strict liability, even if a calling party believed it had consent for the calls.
As reported in Spring 2012, the Seventh Circuit case of Soppet v. Enhanced Recovery held that, where a company gets prior express consent to prerecorded-call and/or to auto-dial or auto-text a cell phone, as the TCPA requires, the caller can still be liable, if at the time the call is made the cell number has been reassigned to a new subscriber who did not consent. This ups the ante considerably for companies who use automated dialing systems to reach customers, as does the new Eleventh Circuit Osorio decision, which holds, relying on Soppet, that “the consent must come from the current subscriber.” Osorio is as concerning as Soppet given that TCPA limits on calls to cells encompass autodialed live-agent calls, prerecorded calls, and texts via autodialer, all without regard to the content of a call – i.e., whether it is marketing, or only for customer-care, debt-collection, or other informational purposes.Continue Reading...
Be sure to check out our recent advisory discussing two new Federal Communications Commission (FCC) declaratory rulings that involve communicating with cell phones via autodialed calls and texts, and by prerecorded call. The rulings respectively allow the consent necessary for such calls to come from intermediaries for text-based social networks, and for package-delivery services to rely on assurances by package sender that addressees consent to autodialed/prerecorded calls/texts with delivery information. Along the way, the FCC makes several broad and business-friendly statements that should help clarify current uncertainty surrounding the TCPA, and hopefully serve as a defense for some in what has become a booming TCPA class action practice. You can access the advisory here.
But One Vote is Not Enough for Action, Nor Does Action Assure a Favorable Outcome
FCC Commissioner Michael O’Rielly recently blogged that “It is Time to Provide Clarity” on issues swirling around application of the Telephone Consumer Protection Act (TCPA). To this we say, “Hear, Hear!”Continue Reading...
Consumers will soon have access to a smartphone that automatically encrypts calls and texts, and provides anonymous web browsing, according to reports about the "Blackphone."
Forbes reports that the phone, set for a spring release, caters to phone users who want built-in privacy protections -- and to avoid the hassle of manually changing privacy settings and adding protective features. For $629, purchasers will get three years of encrypted phone calls and messaging services plus 5 GB of encrypted storage, Forbes Reports. The phone also will include anti-tracking and anti-WIFI sniffing services. According to Forbes, the phone was developed by Spanish startup GeeksPhone and Washington D.C.-based Silent Circle.
Newsweek reports that the phone will lack an email app, at least at launch. The company is working with another firm to develop a secure email service. The Guardian reports that the phone will run a version of Android that certain security holes and provides greater data control than third-party apps.
FTC: No Need to Approve iVeriFly's Proposed Alternative COPPA Consent Method - Proposal is Merely a Variation on Methods COPPA Rule Already Recognizes
Under the provisions of the Children’s Online Privacy Protection Act (COPPA) Rule that invite proposals for new mechanisms for obtaining the verifiable parental consent required to collect, use and disclose personal information from children under 13, the Federal Trade Commission (FTC) has announced that it concluded its proceeding on iVeriFly’s proposal by declining to issue an approval, as the FTC found the method to be simply a variation on those already recognized under the Rule, rendering further FTC action unnecessary.
The verifiable parental consent mechanism iVeriFly proposed uses verification by Social Security number (SSN) as an initial step in confirming the parent’s identity. But SSN verification is already approved under the COPPA Rule. Similarly, another step in iVeriFly’s proposed mechanism relies on knowledge-based authentication, which the FTC recently approved (as we discussed here) after iVeriFly’s application was already on file. In addition, under iVeriFly’s mechanism, once a parent’s COPPA account is created, iVeriFly uses verification codes to confirm the parent’s identity for future contacts, an approach akin to using passwords or PIN numbers for previously authenticated parents, as described in the FTC’s updated frequently asked questions (FAQs), which we discussed here and here.
It is unclear if companies like iVeriFly, who have “variations” on approved COPPA consent methods, seek explicit approval out of concern over enforcement and/or uncertainty about how the FTC will interpret the rules, or whether by doing so, even if arguably already covered, they wish to obtain an FTC letter like iVeriFly did that confirms their approach is already approved (also note that, at least part of iVeriFly’s application encompassed a method that at the time of filing was not approved, but was encompassed by another party’s already-on-file application that the FTC granted before it got to iVeriFly’s proposal). But in any event, iVeriFly has a green light to proceed, even with the FTC’s non-action on its application.
FCC Seeks Comment on Petitions Seeking Clarity for Opt-Out Notices on Fax Ads Sent with the Recipient Consent
The FCC issued a Public Notice seeking comments on nine petitions that request clarification of the agency’s rule governing opt-out notices on fax advertisement – and in particular, those where sender previously obtained the recipient’s consent. The petitions seek to resolve uncertainty that has arisen from tension between the Telephone Consumer Protection Act’s (TCPA) Junk Fax Prevention Act provisions that require “unsolicited” fax ads to include such opt-out notices, and the recent Eighth Circuit decision in Nack v. Walburg that held, relying on an FCC amicus brief, such opt-out notices also are required for fax ads sent with express consent. The stakes are high for resolving this technical compliance point, given that TCPA class action activity has exploded in recent years, with settlements and judgments reaching the tens or hundreds of thousands of dollars, and even into the millions.Continue Reading...
California Public Utilities Commission Denies Request to Develop Privacy Standards for Wireless Carriers and Mobile Applications
After a year in which the California Legislature passed a spate of privacy laws, wireless providers and third party mobile application providers do not need to add privacy regulations from the California Public Utilities Commission (“CPUC”) to their growing list of privacy compliance requirements. At its January 16, 2014 meeting, the CPUC voted 3-2 to deny a petition filed in November 2012 by consumer advocates requesting the CPUC to open a rulemaking to, among other things, review the privacy practices of telephone corporations and, in particular, to develop privacy standards for wireless carriers and third parties (such as mobile applications) that gain access to wireless consumers’ personal information. (See P.12-11-006). Click here to read the decision.Continue Reading...
The Office of the Privacy Commissioner of Canada (OPC) announced on January 15, 2014, that it reached a settlement with Google over the use of health information in behavioral advertising. The case involving a complaint that an individual visited sites about sleep apnea devices and its browser retained cookies that led to advertisements targeting sleep apnea devices at unrelated websites. OPC cited the practice as violating Google’s own policy that, when tailored ads are shown, the company will not associate a cookie or other identifiers with sensitive categories, such as race, religion, sexual orientation or health. OPC recommended that Google develop a more formalized and rigorous system for reviewing advertisements for policy compliance. Of note, OPC coordinated its investigation with the U.S. FTC, and also expressed concerns that other advertising networks are violating Canadian privacy law.
Agency Seeks Comments on Petition That Could Severely Restrict Service Provider Ability to Use “Anonymized” Customer Information
On December 20, 2013, the U.S. District Court for the Northern District of California issued an order in In re: Hulu Privacy Litigation that solely addressed the issue of whether the Video Privacy Protection Act (the “VPPA”) requires plaintiffs to show actual injury that is separate from a statutory violation to recover actual or liquidated damages. This is the second setback for Hulu. The court denied Hulu’s Motion to Dismiss more than a year ago, holding that online streaming video content is covered by the VPPA, despite the statute’s emphasis on prerecorded video cassette tapes and “similar audio visual materials.” The Court also found that any user of Hulu’s streaming service was a protected “consumer” under the statute, whether or not the user paid for the service.Continue Reading...
If at First You Don't Succeed ... FTC Approves Second Candidate's New COPPA Verifiable Consent Method
The Federal Trade Commission announced that it has approved a new method for companies to obtain parents’ verifiable consent for online collection and use of children’s personal information under the Children’s Online Privacy Protection Act (COPPA) Rule. The FTC’s letter issued to Imperium LLC approves knowledge-based authentication – which relies on a series of “challenge” questions requiring information not commonly available or typically found in a person’s wallet – as a method for verifying that the person providing consent is in fact a parent. The approval comes just over a month after the FTC rejected AssertID’s request for approval of “social-graph verification” as a method for securing verifiable COPPA consent.Continue Reading...
New Advisory on Canadian Anti-Spam Law That Covers Commercial Emails and Texts to Canada, Computer Program and Software Downloads, and More
Be sure to spend some time with our recent advisory on Canada’s Anti-Spam Law (CASL), now that compliance dates for rules governing commercial electronic messages (CEMs), software downloads, and related conduct have been set to start taking effect July 1, 2014. By comparison to U.S. CAN-SPAM law, CASL is broader and does not deal solely with email “spam,” but also reaches CEMs sent to instant message and social network accounts, and by short message service (SMS) texts to cell phones, too. CASL also regulates the installation of computer programs, as well as the and alteration of transmission data, and other computer-related conduct.
When the new law is fully in force, it will apply to all CEMs sent from or accessed by computer systems located in Canada, and thus governs CEMs sent from the other countries, including the United States. The next 6 to 12 months provided for compliance ramp-up are thus critical for all businesses in Canada—as well as for those in the U.S. who have a Canadian presence or who transmit CEMs or computer software downloads to be received or downloaded by Canadian residents. Access the advisory here.
FCC Asked To Rule That Anonymized Phone Call Data May Not Be Shared Absent Customer Consent Under CPNI Rules; Comments Due January 17, 2014
By Bob Scott
A coalition of privacy advocates filed a petition for declaratory ruling with the FCC on December 11, 2013 seeking a significant tightening of the Commission’s existing rules that limit the sharing of Customer Proprietary Network Information (CPNI) by telecommunications carriers and other phone service providers. The coalition, led by Public Knowledge, has asked the Commission to rule that phone call data that has been “anonymized” or “de-identified” by removing personal identifiers is nevertheless “identifying information” under the CPNI rules which may not be shared with other companies or entities absent the customer’s consent. The FCC has set a deadline of January 17, 2014 for comments on the petition.Continue Reading...
By K.C. Halm
Following its highly publicized workshop exploring consumer privacy and security issues arising from the emerging market of the Internet of Things, the Federal Trade Commission (FTC) is now calling for filed comments on issues raised during the workshop.
At issue is the application of privacy and data security principles and norms in the emerging market sector of connected devices. As explained in our recent post, workshop participants raised a broad range of questions about the application of many existing privacy principles to entities and systems in the world of connected devices.
Recognizing the many legitimate and difficult questions raised by this sector, the agency seeks comment on a range of issues, including but not limited to:
- What are the unique privacy and security concerns and solutions associated with the Internet of Things?
- What existing security technologies and practices could businesses and consumers use to enhance privacy and security in the Internet of Things?
- What is the role of the Fair Information Practice Principles in the Internet of Things?
- What steps can companies take (before putting a product or service on the market) to prevent connected devices from becoming targets of, or vectors for, malware or adware?
- How can companies provide effective notice and choice? If there are circumstances where effective notice and choice aren’t possible, what solutions are available to protect consumers?
- What new challenges does constant, passive data-collection pose?
- What effect does the Internet of Things have on data de-identification or anonymization?
- How can privacy and security risks be weighed against potential societal benefits (such as improved health-care decision-making or energy efficiency) for consumers and businesses?
- How can companies update device software for security purposes or patch security vulnerabilities in connected devices, particularly if they do not have an ongoing relationship with the consumer? Do companies have adequate incentives to provide updates or patches over products’ lifecycles?
- How should the FTC encourage innovation in this area while protecting consumers’ privacy and the security of their data?
- Are new use-restrictions necessary to protect consumers’ privacy?
The deadline for filing comments is Jan. 10, 2014. Comments filed prior to the workshop will be taken into consideration. The agency’s staff will also accept research and surveys in addition to other comments. Comments will be used to develop the FTC Staff recommendation, which is likely to be issued during the first quarter of 2014.
Please contact us for assistance with preparing or filing these comments with the FTC.
A House Divided: Federal Judges Take Conflicting Positions on Wiretap Act Claims Against Google in California's Northern District
When is the “course of business” considered “ordinary?”
By Bob Scott
Both cases challenge, among other things, Google’s practice of sharing data collected from its customers with advertising partners. In both cases, Google asked the court to dismiss claims that this sharing violates the Wiretap Act, on the basis of the Act’s exception that allows a provider of electronic communications services to intercept customer data “in the ordinary course of business.” Yet the cases reach opposite decisions on the applicability of that exception to very similar claims.Continue Reading...
By: Ronald G. London
The U.S. Court of Appeals for the Seventh Circuit held in Patriotic Veterans v. Indiana that the state’s automatic dialing-announcing device (ADAD) statute is not preempted by provisions that govern prerecorded calls and automated telephone dialing systems (ATDS or autodialer) in the federal Telephone Consumer Protection Act (TCPA), even with respect to interstate calls. The appellate court’s decision is significant to the extent it runs counter to a position staked by the Federal Communications Commission (FCC) that its TCPA rules “almost certainly” would be both the “floor” and “ceiling” for regulating interstate calls governed by the TCPA.
Patriotic Veterans, which utilizes automated prerecorded calls to disseminate political messages, challenged on preemption and First Amendment grounds Indiana’s ADAD law, which generally prohibits automated prerecorded calls with only very limited exceptions for where there is prior consent by the called party and for, e.g., school districts calling students/parents, or employers sending messages to employees. Patriotic Veterans argued that the state’s law was preempted as to calls made into Indiana from outside the state, by the federal TCPA regime. Under the TCPA, autodialed and/or prerecorded calls are prohibited to cell phones, hospitals, emergency lines and similar numbers in the absence of prior express consent, and such calls are likewise prohibited to residential lines, unless there is consent or the FCC grants exceptions. The FCC’s TCPA rules allow prerecorded calls to residential lines if they are not for commercial purposes and/or do not include advertising, or if they are for an emergency or charitable purpose.Continue Reading...
First-Shot Misfire for Application Seeking Streamlined FTC Approval of New COPPA Parental Consent Mechanism
By: Ronnie London
The Federal Trade Commission (FTC) voted thumbs down in its first ruling under the new streamlined process adopted in its Children’s Online Privacy Protection Act (COPPA) Rule review for additional methods of securing verifiable parental consent for online collection and use of children’s personal information. In its letter ruling, the FTC determined the proposed method of “social-graph verification” suggested by AssertID, Inc., did not meet the criteria for approval.Continue Reading...
Chief Justice hints that cy pres as a class action settlement procedure should be reviewed
The U.S. Supreme Court has declined to review a case challenging the fairness of a cy pres settlement of a class action against Facebook related to Facebook’s “Beacon” program that was launched in late 2007. Although the Court declined review, Chief Justice Roberts, in a 4-page statement accompanying the denial, acknowledged that cy pres remedies “are a growing feature of class action settlements” and indicated that the Court might review the fairness and adequacy of such awards “in a suitable case.”Continue Reading...
Google is facing increased scrutiny of its data collection and use practices, which may be a warning to all Internet and online service providers. Last week, Judge Koh in San Jose held Google accountable for an alleged violation of the wiretap laws for Google’s “undisclosed” review of subscribers’ emails and other data to deliver targeted ads and create user profiles. Among other things, the fact that Google warned its Gmail users that it “may” review their emails was apparently not the same as saying it “will” review them.
In the Street View case I blogged on the week before, the Ninth Circuit found that Google violated the same wiretap laws when, as part of compiling Street View data, it accessed unencrypted Wi-Fi transmissions, despite exceptions in the wiretap laws permitting access to unencrypted radio signals. Google filed for panel and en banc rehearing.
Don’t miss our new advisory discussing changing legal perceptions of required privacy protection and the steps that companies can take to incorporate operational controls that protect consumer information and which can help avoid or defend enforcement actions, comply with looming legislative and regulatory developments, and sustain consumer confidence. The advisory provides a broad overview of current regulatory expectations and insight into what may be on the horizon by highlighting the recent increase in federal and state enforcement actions for alleged failures to secure consumers’ personal information. As you will see, now is the time to fully internalize privacy imperatives. You can read the advisory here.
Latest FTC Enforcement Action Reflects Agency's Intent to Focus on Emerging Market Involving the "Internet of Things"
By K.C. Halm
In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.
The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.
But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates.Continue Reading...
40 Days and 40 Nights on Mount TCPA: Make Sure You Come Down with Proper Consent for Autodialed, Prerecorded and Text Telemarketing
October 16, 2013 Deadline Looms – Does Increasingly Active Plaintiffs’ Bar Await?
By Paul Glist and Christin S. McMeley
Last week, the California State Senate and Assembly passed AB 370, a bill to amend the California Online Privacy Protection Act (CalOPPA) that would require operators of commercial websites or “online services” to disclose how the site responds to “do not track” signals sent by web browsers, which in turn will trigger enforceability by federal and state authorities. The amendment is expected to be signed by Governor Jerry Brown. Currently, there is no agreed upon definition of tracking, sharing, or permitted uses when a DNT preference is expressed. Nor is there agreement on the propriety of devices or user agents (rather than informed consumers) setting DNT signals by default.
By: Ronald G. London
The Federal Trade Commission has added to its recently revised “Frequently Asked Questions” (FAQs) to assist covered entities in complying with the first major update of regulations implementing the Children’s Online Privacy Prevention Act (COPPA Rule). The question-and-answer pairs are more clearly organized by topic and provide additional guidance, largely for ad networks. Specifically:
- One new FAQ provides greater latitude for ad networks that find out after the new rules’ effective date that they have been collecting personal information from a child-directed website, by allowing continued use of converted data and persistent identifiers under certain circumstances.
- The new FAQs also limit the circumstances somewhat where ad networks are deemed to have “actual knowledge” of the child-directed nature of sites from which they collect personal information. For example, one FAQ clarifies that knowledge gained by an ad network’s employees will less likely be attributed to the ad network if the ad network prominently discloses on its site or service the methods by which the ad network can be directly contacted with COPPA information.
- A related FAQ allows ad networks to rely on first-party affirmative representations of their non-child-directed status, including through signaling from the embedding webpage, so long as the ad network does not separately discover additional indicia of a website’s child-directed nature. If such additional indicia are “inconclusive,” the ad network may still ordinarily continue to rely on the site’s or service’s specific affirmative representations.
- Another new FAQ further establishes that, without more, the receipt of a list of websites (or services) claimed to be child-directed from parents’ organizations, advocacy groups, or similar entities is not enough to be deemed “actual knowledge” with respect to those websites or services.
This post discusses these additions to the FAQs – for further points of guidance provided in the COPPA FAQs, see our prior post, here.Continue Reading...
The July 1, 2013, deadline for complying with the Federal Trade Commission’s (FTC) updated regulations implementing its Children’s Online Privacy Protection Act (COPPA Rule) is around the corner, as discussed in our post here on the FTC’s denial of additional time and its revised “Frequently Asked Questions” to guide compliance efforts. Our earlier advisory provides details on, e.g., the expansion of data collection activities covered by COPPA, including through persistent identifiers, new types of personal information whose collection will trigger the rule, clarification of how to obtain parental consent, refinements on what the Commission will deem to be a “child-directed” site covered by COPPA, and more. The FTC’s COPPA Rule amendments are the first update to capture technological developments and evolving popular online practices – primarily social networking, smartphone Internet access, and the ability to use geolocation information – that arose after the law was enacted.
By: Ronald G. London
The Federal Communications Commission (FCC) has issued a long-awaited declaratory ruling governing when a company is liable under the Telephone Consumer Protection Act (TCPA), and FCC telemarketing and autodialing rules, for violations committed by a third party that the company authorizes to sell its goods or services but does not directly ask or otherwise engage to telemarket, by holding that the company may be vicariously liable under federal common law principles of agency for TCPA violations that the third party commits.Continue Reading...
Industry Must Comply by July 1, 2013, Can Look to Expanded FAQs for Guidance on Updated Rules for Information Collection and Disclosure, Parental Notice, and Requirements for Mobile Apps
By: Ronald G. London
The FTC has voted to retain the July 1, 2013 effective date for the revisions to its Children’s Online Privacy Protection Act (COPPA Rule), shortly after issuing revised “Frequently Asked Questions” (FAQs) to aid compliance efforts. The FAQs are a key interpretive resource, because there are few enforcement orders – and no real court precedents – that apply COPPA.
This post highlights some key clarifications and a few areas of uncertainty that remain in the FAQs, as a companion to our earlier advisory on the COPPA Rule revisions. Among other points, we explore guidance provided by the FTC staff in the FAQs regarding:
- How websites and online services subject to COPPA can handle newly added categories of personal information.
- The relationship between websites and online services subject to COPPA and third parties that collect personal information through such sites or services.
- The applicability of COPPA to mobile apps and some of the steps app developers/operators must take toward compliance.
- Additional detail on providing parental notice as streamlined by the COPPA Rule revisions.
- Steps required before children’s personal information may be disclosed to third parties.
By: Ronald G. London
The Federal Trade Commission (FTC) recently announced it concurrently filed eight complaints in courts around the United States against “senders of spam text messages” who allegedly engaged in deceptive acts or practices by promoting supposedly free gift cards. The complaints constitute what the FTC called a “crackdown” on affiliate marketers who allegedly “bombard consumers with hundreds of millions of unwanted spam text[s],” in order to steer them to allegedly deceptive websites promoting the cards.
While the conduct alleged by the FTC details the kind of gambit that often draws the agency’s wrath, the cases are also notable because they allege that merely sending unsolicited commercial texts can be an “unfair practice” under the Federal Trade Commission Act. As texting is already heavily regulated by the Federal Communications Commission (FCC) under the Telephone Consumer Protection Act (TCPA), which also allows private causes of action, including class actions, the FTC’s apparent position seems to up the ante for senders of commercial texts.
The FTC and California's Attorney General Recommend Detailed New Privacy Practices and Disclosures for Entities Operating in the Mobile Environment
Be sure to spend some time with our recent advisory analyzing two important privacy developments affecting the mobile ecosystem. Our advisory focuses on the Federal Trade Commission Staff Report and the California Attorney General’s recent release of detailed recommendations and best practices for providers of mobile platforms, apps, ad networks, and their trade associations. Building on a series of recent actions emphasizing specific privacy concerns in the mobile space, the FTC’s Staff Report outlines recommendations to improve privacy disclosures and control at different levels of the mobile ecosystem. The California AG’s report addresses not just privacy disclosures, but recommends “best practices” for platforms, app developers, and ad networks that explicitly go beyond existing law. You can access the advisory here.
Be sure to check out our recent advisory examining the extensive changes the Federal Trade Commission (FTC) made to its regulations implementing the Children’s Online Privacy Protection Act (COPPA Rule). The revisions update the Rule to cover technological developments and popular online practices such as social networking, smartphone Internet access, and the use of geolocation information. The advisory details how the FTC refined its definitions of “operator,” “personal information,” and “websites or online service directed to children,” and updated its requirements for providing notice and getting consent from parents, among many other changes the FTC described as seeking to “broaden and clarify” the Rule. The advisory, which also explores practical considerations arising from the updated regulations, can be accessed here.
By Brad Guyton
On January 10, 2013, President Obama signed H.R. 6671, the Video Privacy Protection Act Amendments Act of 2012, which amends the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, to streamline the process for consumers to share data regarding their video viewing activities. In practice, this means video providers such as Netflix will be able to implement features that allow subscribers to share their video viewing history using social media services like Facebook.Continue Reading...
By Bob Scott
The Federal Trade Commission (“FTC”) released on December 10, 2012, its second staff report on disclosures for mobile apps targeted at children, building on its prior report issued 10 months earlier. The reports appear designed to support the FTC’s upcoming proposed changes in Children’s Online Privacy Protection Act (“COPPA”) rules (which we analyzed here and here). Where the first report emphasized mobile app compliance with notice and consent provisions in the FTC’s COPPA Rule, the latest report went beyond examination of disclosures and tested whether apps collected and shared data with third parties, or included interactive features like in-app advertising, purchasing, and/or links to social media. It also focused in particular on the use of device identifiers and concerns raised by their collection and/or use, while in doing so appearing to overlook uses of device IDs that pose no privacy risk and/or that are otherwise pro-consumer.
By Bob Scott
The Federal Trade Commission (FTC) announced a proposed settlement of allegations that online advertising company Epic Marketplace, Inc. and its affiliate Epic Media Group (Epic) engaged in deceptive practices by failing to accurately describe their online advertising data practices. Specifically, the FTC alleged that Epic failed to disclose that it ran software script which determined whether consumers had visited web sites outside of Epic’s affiliated advertiser network, and falsely represented that it only collected browser information from web sites within Epic’s network. The settlement is the FTC’s first action against browser history sniffing, and demonstrates the Commission’s continued expansion of jurisdiction through enforcement actions. The proposed settlement must be approved by a majority of the Commissioners before it becomes effective.
But Ruling Rests on Narrower Rationale Than Advanced by Petitioner, and Comes With Conditions
Yesterday, the Federal Communications Commission issued a declaratory ruling clarifying that sending a follow-up text-message confirming a consumer’s opt-out from receiving future texts does not itself violate the Telephone Consumer Protection Act (TCPA) or FCC rules. When a consumer texts “stop” etc. to opt out of further text messages, entities that receive the opt-out often send a final text confirming receipt and effectuation of the opt-out. The ruling was requested – and sorely needed – in the face of several putative class actions, including some against such notable names as Twitter and American Express, brought on grounds that the confirmatory texts, coming after the consumer has already opted out, lacked the prior express consent necessary under the TCPA and FCC implementing rules for text-messaging.
Advisory on Potential Traps for the Unwary in New FCC Prerecorded Telemarketing Rules Updated with Announcement of Compliance Deadlines
Be sure to check out the update to our advisory that outlined the amended FCC automated/prerecorded telemarketing rules. The update flags the October 16, 2012 Federal Register notice announcing that the revisions were approved by the Office of Management and Budget, thus setting effective dates for the new rules as follows:
- The requirement for prior written signed consent for prerecorded telemarketing (and elimination of established business relationships permitting some such calls), and for auto-dialed live-agent (and prerecorded) telemarketing calls to cell phones and telemarketing text-messages takes effect October 16, 2013.
- The requirement that prerecorded telemarketing calls must enable automated opt-outs will take effect January 14, 2013.
- The revisions to the FCC’s abandoned call rules take effect November 15, 2012.
As explained in our prior blog post highlighting the original advisory, the new FCC rules raise the bar for the type of consent needed for auto-dialed live-agent and other telemarketing to cell phones, and extend the automated opt-out mechanism required for prerecorded telemarketing to “abandoned” live-agent telemarketing calls. Details of the rule changes appear in the advisory update, following the discussion of the effective dates for the various new rules.
On October 2, 2012, DWT privacy practitioners Ken Payson and Ronnie London joined one of the firm’s leading payments attorneys, Andrew Lorentz, at the RAMP Advanced Commercial & Mobile Retail Summit, to make a presentation on Mobile Marketing Regulatory Compliance: Lurking Dangers and Cautionary Tales. The session provided an overview of the mobile marketing legal ecosystem, offered insights on the requirements for compliance with laws and regulations affecting mobile communications, and gleaned lessons learned from litigation and enforcement actions. You can access the slides for the presentation here.
By Bob Scott and Ronnie London
On September 12, 2012, Congressman Markey (D-Mass.) introduced the Mobile Device Privacy Act, H.R. 6377, which requires the FTC to regulate all mobile applications and devices, as well as mobile phone manufacturers and sellers, and mobile app developers. Representative Markey introduced this bill despite ongoing mobile privacy stakeholder negotiations conducted by NTIA, the process favored by the Administration and adopted by the FTC itself in its Final Report on consumer privacy. The bill’s exclusion of all non-mobile technology likewise rejects the stated intention of the Administration and the FTC for technology-neutral privacy protection. Moreover, the bill is not limited to practices affecting “personal” information: all information potentially collected via mobile phones or mobile apps, no matter how benign or technical, is treated as if it is personal data.
Hulu Privacy Litigation Marks First Application of Video Privacy Protection Act to Solely Streamed Video
Internet video streaming site Hulu.com is subject to the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, according to a recent decision by the U.S. District Court for the Northern District of California, marking the first time a court has subjected a provider of exclusively online streaming video services to the VPPA. This is notable insofar as the VPPA prohibits “video tape service providers” from knowingly disclosing the personally identifiable information (“PII”) of any consumer of the provider except to that consumer, or in limited circumstances, including incident to the provider’s ordinary course of business (as well as disclosure with consumers’ consent, and/or pursuant to a warrant or court order). The VPPA, also requires destruction of PII once no longer necessary for the purposes for which it was collected, and affords those harmed by any act in violation of the VPPA to bring a civil action, which is how the Hulu Privacy Litigation arose. The decision could have a wide-ranging impact on Internet video providers who may have viewed themselves as potentially not subject to the VPPA.Continue Reading...
On August 9, 2012, the Federal Trade Commission (FTC) announced a settlement with Google over the search engine’s alleged misrepresentations in its online privacy disclosures concerning the use of “cookies” and targeted ads directed to users of Apple, Inc.’s Safari Internet browser. Under the terms of the settlement, although Google denied liability, it agreed to pay a $22.5 million civil penalty, and to disable all DoubleClick advertising cookies placed through Safari browsers, except opt-out cookies. The enforcement action is also significant as the FTC’s first effort to punish a company for allegedly violating an industry self-regulatory code, further setting the stage for FTC enforcement of industry-specific codes that the Administration seeks to develop through multi-stakeholder workshops.Continue Reading...
DWT Pre-Publication Advisory Explains Import of Proposal
Now that it has appeared in the Federal Register, be sure to check out our advisory discussing the Federal Trade Commission’s (FTC) Supplemental Notice of Proposed Rulemaking in its Children’s Online Privacy Protection Act (COPPA) rule update proceeding. The Supplemental Notice, part of the FTC’s effort to have the COPPA rule reflect technological developments and more recent online practices like social networking, smartphones, and location-based information, proposes to augment, clarify, and both expand and restrict rule changes proposed in the FTC’s September 2011 rulemaking notice (which we discussed in a prior post at the time it was released).
The Supplemental Notice changes would affect the inclusion of persistent identifiers as “personal information,” data collected by plug-ins, software downloads, or advertising networks, and websites that may not be directed to children but are likely attract children under 13. Read about these and the other implications of the proposed further changes to the rule’s definitions of “personal information,” website and online service “operators,” and websites and services “directed toward children,” here.
NTIA to Hold First Privacy Multistakeholder Meeting, With Eye Toward Creating Industry Code of Conduct for Mobile
By Bob Scott
The National Telecommunications Information Administration (NTIA) today announced a multistakeholder meeting designed to create an industry code of conduct to provide transparency for mobile applications and other interactive mobile services. The meeting will be held July 12, 2012 in the national capital area.
This is the first of several stakeholder workshops proposed by the Administration and endorsed by the FTC in its “Final Report” on consumer privacy discussed in detail in our March 27, 2012 advisory. The Administration proposed these industry-specific codes of conduct be developed through these proceedings, and that the resulting codes would be enforceable by the Federal Trade Commission. Privacy in the context of mobile apps received the greatest volume of comments in NTIA’s request for input on the privacy workshops proposed by the Administration.
This workshop, and the code of conduct it is intended to produce, is likely to affect the interests and operations of the entire mobile ecosystem: mobile carriers, mobile app developers, interactive service providers, and mobile app platform providers. NTIA asks that those who intend either to attend the meeting in person or to view the webcast inform NTIA before June 22, 2012 at this link. NTIA will use the information it received to determine space requirements for the meeting, and to arrange webcast technology. NTIA's announcement comes just weeks after the Federal Communications Commission (FCC) issued a public notice seeking updated comments on the privacy and security of information stored on mobile service communications devices, as we highlighted when the notice issued.
By Ronnie London
New Jersey’s Attorney General Jeffrey Chisea and the state’s Division of Consumer affairs have filed suit in federal court against smart-phone app-provider 24x7digital LLC, to enjoin its alleged violation of the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s (FTC) COPPA Rule. In the complaint, the state alleges 24x7 violates the statute and rules – which allow enforcement by the FTC and state regulators – by offering educational apps targeted to children that collect their personally identifiable information (PII), which is transmitted also to a third-party data-analyst, without notice to or consent from players’ parents. The case is significant because, while the FTC has brought a number of enforcement actions, the statute does not directly allow private causes of action – only enforcement by the FTC and state regulators. There has thus been no real case-law guidance on how the COPPA and the COPPA Rule apply, outside that developed in FTC-originated proceedings.
By Peter T. Luce
The latest viral privacy meme circulating on Facebook highlights the substantial confusion over online privacy rights. Although its original author is unknown, versions of the following purported “Privacy Notice” first appeared on users’ Facebook status updates shortly after Facebook’s highly anticipated initial public offering:
"Facebook is now a publicly traded entity. Anyone can infringe on your right to privacy once you post on this site. It is recommended that you and other members post a similar notice to this or you may copy and paste this one. Protect yourself, this is now a publicly traded site.
PRIVACY NOTICE: Warning - any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the United States Federal Government and any worldwide government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other "picture" art posted on my profile. You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein. The foregoing prohibitions also apply to your employee, agent, student or any personnel under your direction or control. The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law. UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE"
The notice has since been shared and re-posted tens of thousands of times on Facebook and elsewhere on the Web. The premise for the notice has been debunked as false. Of course, Facebook users who want to better understand online privacy should look at Facebook’s Data Use Policy and Terms and Conditions.
In addition, Facebook permits users to comment on proposed changes to Facebook’s policies, and if more than 7,000 comments are submitted for any proposed change, users are permitted to vote on alternatives to the new policy. However, the results of the vote are binding only if more than 30% of all active Facebook registered users vote for one of the alternatives (or 270 million of Facebook’s more than 900 million active users) during the notice period (between three and seven days depending on the type of change). Even with the power of the Internet, rallying millions of users in such a short period of time would be difficult, especially if the users believe they can protect their rights just by posting a notice on their Facebook pages. Users concerned about their privacy rights should navigate to Facebook’s privacy controls.
The takeaway: Social media and technology companies should adopt clear privacy policies and make continued efforts to educate consumers about their online privacy expectations.
Be sure to check out our most recent advisory by K.C. Halm noting the issuance of an FCC public notice that seeks updated comments on mobile service providers’ privacy and data security practices, focusing on how they affect customer-specific information stored on mobile handsets, smartphones, tablets and other wireless devices. The inquiry follows revelations that certain wireless providers use diagnostics firm Carrier IQ’s software to capture network and end-user information for network diagnostic purposes, which has been the subject of litigation, as well as Congressional and regulatory inquiries.
The FCC’s notice poses numerous questions, including the degree of notice and choice afforded consumers, how data storage practices serve carriers’ and their customers’ needs, whether and to what extent current practices create data security risks or vulnerabilities, and how relevant provisions of the Communications Act and FCC rules apply in this context. You can read more here.
Appeals Court Decision Ratchets Up Risk Factor for Those Delivering Autodialed and Prerecorded Calls
Recently, the United States Court of Appeals for the Seventh Circuit issued a decision in Soppet v. Enhanced Recovery Company that could effectively impose strict liability for violations of the Telephone Consumer Protection Act (TCPA) restriction against unconsented automated and/or prerecorded calls to cell phones, even if the calling entity legitimately believed it had valid prior express consent to the calls.Continue Reading...
On April 4, 2012, DWT privacy practitioners Randy Gainer and Ronnie London joined two of the firm’s leading payments attorneys, James Mann and Andrew Lorentz, at the RAMP Advanced Commercial & Mobile Retail Summit, to make a presentation on Anticipating, Understanding and Preparing for New Rules for a New Mobile World. The session provided an overview of the mobile payments legal ecosystem, and offered insights on the requirements for financial privacy, compliance with data security and PCI rules, and regulations affecting mobile communications. You can access the slides for the presentation here.
On our Advisories page we recently posted a detailed analysis by Robert G. Scott, Jr. and Paul Glist of the Federal Trade Commission’s March 26, 2012, final report on “Protecting Consumer Privacy in an Era of Rapid Change” (Final Report). The Final Report effectively adopts the preliminary FTC staff report from December 2010 (Staff Report), with important changes that recast the Staff Report’s general framework for privacy protection as privacy by design, simplified consumer choice, and transparency.Continue Reading...
New Advisory Highlights Potential Traps for the Unwary in Updated FCC Prerecorded Telemarketing Rules
Be sure to spend some time with our new advisory in which we expand on our previous entry outlining the basics of the revised FCC automated/prerecorded telemarketing rules. The advisory explains how, even though the FCC’s primary purpose was to mirror FTC prerecorded telemarketing rules adopted several years back (which were the subject of our advisory issued at that time, here), some additional new requirements resulted from the FCC’s update of its rules.Continue Reading...
FCC Updates Automated/Prerecorded Telemarketing Rules to Mirror FTC Requirements for Prior Written, Signed Consent, Automated Opt-Outs, and Related Regulations
FCC Also Remedies Confusion in Its Rulemaking Proposal by Ensuring New Rules Do Not Affect Non-Telemarketing Prerecorded Calls and Text Messages, Such as for Debt Collection, Airline and School Notifications, Fraud Alerts, Surveys Calls, and Wireless Usage Data
The Federal Communications Commission released a Report and Order that revises its rules governing automated/prerecorded telemarketing to modify the consent and opt-out requirements for such calls. The rule change eliminates the “established business relationship” exception that previously allowed autodialed/prerecorded telemarketing to residential lines. Meanwhile, the FCC was careful to ensure the new rules cover only automated/prerecorded “telemarketing” calls and text messages, i.e., those that seek to sell or advertise goods or services, while leaving intact preexisting regulations for non-sales prerecorded calls, such as customer-care, surveys, calls by or on behalf of tax-exempt, non-profit entities, etc.
Supreme Court Resolves Circuit Split By Allowing Suits Against Telemarketing Violations Into Federal Court Under "Federal Question" Jurisdiction
The U.S. Supreme Court has issued a decision in Mims v. Arrow Financial Services, LLC, resolving a split among federal appeals courts, by holding that claims under the Telephone Protection Act (TCPA), which provides consumers private rights of action for telemarketing violations, can be brought under “federal question” jurisdiction in federal courts rather than only in state courts.Continue Reading...
The FTC has reached a settlement with UPromise, Inc., a membership reward service aimed at helping save for college, to resolve charges that company allegedly used a web-browser toolbar to collect consumers’ personal information, without adequately disclosing the extent of personal information collected. Under the settlement, UPromise must destroy all data it collected under the “Personalized Offers” feature of its “TubroSaver” toolbar, clearly disclose its data collection practices and obtain consent to collection of personal information from those using the toolbar before it is installed or re-enabled, and must further establish a comprehensive information security programing, requiring biennial independent security assessments, for the next 20 years.Continue Reading...
FTC Enforcement Action Reinforces That Consumers Need Not Utter Any "Magic Words" in Requesting to Be Placed on Telemarketers' Internal Do-Not-Call Lists
Also Reinforces That Telemarketing Sales Rule’s Caller ID Flexibility Only Goes So Far
The Federal Trade Commission (FTC) has announced a $500,000 settlement of a telemarketing enforcement action that it brought based on allegations that the telemarketer interfered with the right of consumers to be placed on companies’ internal do-not-call lists, and that it altered outgoing caller ID to inaccurately display the identity of the calling party. The enforcement action is a reminder that telemarketing customer service reps must be trained to be particularly sensitive to understanding – and effectuating – consumer requests to be added to a company’s do-not-call list, even they don’t request it in such specific terms.Continue Reading...
By Bob Scott
The Federal Trade Commission (FTC) and Facebook announced a settlement of allegations that Facebook did not comply with its own written and advertised policies as to how it protected and used personal information at Facebook users’ pages. Facebook did not admit any wrongdoing, but agreed to a set of detailed privacy practices that incorporate privacy by design, as well as elements of pending federal legislation.
Announcing the settlement with the FTC, Facebook founder Mark Zuckerberg posted a blog entry in which he acknowledged that “a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done” to protect user’s information.
The terms of settlement include Facebook’s commitments to:
- accurately represent “the extent to which it maintains the privacy or security of covered information”;
- clearly and prominently disclose any changes, and to obtain affirmative express consent, prior to sharing nonpublic Facebook user information with any third party in a manner that materially exceeds the restrictions the user has chosen through privacy settings;
- adopt “procedures reasonably designed to ensure that covered information cannot be accessed by any third party” no more than 30 days after the user has deleted the information or terminated the account;
- establish and implement a comprehensive privacy program, reasonably designed to address privacy risks and to protect covered information, with controls and procedures that are appropriate to Facebook’s size, complexity, activities, and the sensitivity of the information it collects:
- The detailed requirements for this program incorporate elements of the FTC’s Privacy Report released December 2010, which we summarized here.
- The required privacy program also incorporates elements contained in the Personal Data Privacy and Security Act introduced earlier this year by Senator Leahy (D. Vermont). The most far-reaching of these may be the requirement that Facebook develop and use reasonable steps to use service providers (undefined) that are capable of appropriately protecting the privacy of covered information, and contractually requiring service providers to implement and maintain appropriate privacy protections as well;
- maintain detailed records of compliance with these terms, and to submit to independent privacy audits every two years for twenty years to demonstrate compliance.
The settlement tracks the FTC’s recent Google Buzz settlement. However, unlike the Google settlement, the sheer magnitude of Facebook’s online presence, and the depth of its relationships with “service providers” who must also satisfy the settlement’s base line, gives the terms of Facebook’s settlement significant weight as de facto industry standards for FTC compliance.
Update: FTC Extends Comment Deadline for Children's Online Privacy Protection Act (COPPA) Rulemaking
As an update to our advisory FTC Proposes First Modifications to Children's Online Privacy Protection Act (COPPA) Rules Since Original Adoption in 2000, we note the Federal Trade Commission (FTC) has announced it is extending the comment-filing deadline, until December 23, 2011. The prior deadline had been November 28, 2011. The rule update proceeding seeks to examine whether and what changes may be necessary to reflect the evolution of technology and online practices, primarily, the popularity of social networking and use of smartphones to access the Internet and provide location information.
By Bob Scott and Rob Morgan
The Electronic Privacy Information Center (“EPIC”) filed a complaint on October 28, 2011 with the Federal Trade Commission (“FTC”) urging the FTC to investigate whether Verizon Wireless has engaged in “unfair and deceptive trade practices” by changing some of its data collection and disclosure practices. The public interest group alleges that Verizon Wireless’s prior customer agreements said that the company would not collect or disclose to third parties (such as advertisers) location information and other data without first obtaining users’ affirmative consent, and claims that Verizon Wireless’s recent announcement that it will track and share this kind of data in anonymized form violated this promise to customers.Continue Reading...
Building on last summer’s orders in two separate cases (discussed here and here) announcing it will make “upward adjustments” to fines against repeat violators of the “junk fax” law and rules, the Federal Communications Commission has now issued a notice of apparent liability (NAL) expanding that approach to prerecorded call violations, which are regulated under the same law and rules. In proposing to fine Travel Club Marketing Inc. and related entities nearly $3 million, the FCC makes clear its intolerance for repeat offenders, particularly when they attempt to mislead the agency and consumers.Continue Reading...
Regular visitors to this site might want to also bookmark and/or regularly visit our newly launched PaymentLawAdvisor, which provides commentary and resources on the payment industry, and frequently addresses privacy and security issues as they relate to retail payments.
Presently, you can view PaymentLawAdvisor’s recent post about plans by Visa and MasterCard to push into the targeted ads and offers business. After a recent Wall Street Journal article (subscription required) discussed those plans and how they aspire to link vast amounts of payment card transaction data with other cardholder personal data (such as Internet browsing habits, social network websites, credit bureaus, insurance claims, and even DNA databanks), the companies faced scrutiny from Senate Commerce Committee Chairman Jay Rockefeller (D-W. Va.), who sent them letters requesting more information about the privacy implications of their plans. As PaymentLawAdvisor explains, such marketing tactics require careful structuring in order to comply with consumer privacy protections under the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”).
By David M. Silverman
Two Congressmen have written a letter to the Federal Trade Commission (FTC) asking the FTC to investigate certain websites’ use of “supercookies” to track the activities of website visitors after they have left the website and without their knowledge. The letter, written by Congressmen Joe Barton (R-TX) and Ed Markey (D-MA), is based on an August Wall Street Journal article discussing their use. The cookies have become a key issue based on concerns they may be placed without knowledge of computer users and are practically invisible to them. Such so-called “supercookies” differ from traditional HTTP cookies that track user data in that they are small files hidden within Adobe Flash and elsewhere that remain on users’ computers even when browsing history and cache are cleared, and can be picked up even when browsing in “private browsing” mode.
Texting Absent Consent Now Subject Not Only to FCC Fines and Private Damage Claims, But FTC Enforcement As Well?
The Federal Trade Commission (FTC) has settled an enforcement action with the sender of “loan mod” text messages and emails that, while unremarkable in alleging the contents were deceptive, is notable for treating the mere sending of unsolicited text messages as sufficient to trigger FTC authority to punish unfair and deceptive acts, practices, and methods of competition. The FTC action against the texts also is significant because text-message violations generally fall within the bailiwick of the Federal Communications Commission (FCC)—not the FTC—and laws and rules governing automated/prerecorded calls to cell phones. Under those rules, regardless of a text message’s content, prior express consent is required before sending. The FTC’s current action suggests it is reserving the right to pile on as well, if those rules are not followed.Continue Reading...
European Data Protection Group Rejects Industry Proposal for Compliance with New Cookie Requirements
By Robert (Bob) Stankey and Adam Shoemaker
On Sept. 14, 2011, the European Union’s Article 29 Data Protection Working Party warned that an industry-sponsored online behavioral advertising (OBA) framework will not satisfy the requirements of new EU data privacy laws. The OBA framework, which was discussed in a Sept. 21, 2011 webinar by DWT attorneys Bob Stankey and Adam Shoemaker, is designed to provide website users with notice that behavioral advertising is being used, and to give them the opportunity to opt in or out of the cookies that these programs deploy. In its current form, the OBA system is manifested through a distinctive icon at the corner of web-based advertisements. Clicking on this icon permits the user to learn more about the advertising system and provides an opportunity to reject cookies.
The recent Federal Trade Commission (FTC) proposal to update its Children's Online Privacy Protection Rule (COPPA Rule) has hit the Federal Register. As discussed in our advisory issued when the rule came out, which can be found here, this is the first time in the decade-plus history of the Rule that the FTC has proposed amendments. The FTC seeks to update the rule to account for changes in technology and online practices, primarily, the popularity of social networking and use of smartphones to access the Internet and provide location information.
Insofar as COPPA is designed to provide notice to parents and secure their verifiable consent prior to online collection and use of personal information from children under the age of 13, the changes could require significant operational changes for websites covered by the Rule. Perhaps more importantly, COPPA is seen by some as a model for more general, farther-reaching regulation of uses of personal information, as we describe here. Consequently, changes to the COPPA Rule to address many of the same technologies and practices that are at the center of privacy debates generally may resonate therein. The FTC's proceeding is thus one that bears close attention.
Appeals Court Widens Split of Authority on Federal Court Jurisdiction Over Telemarketing Litigation While Raising Financial Stakes for Defendants
The U.S. Court of Appeals for the Sixth Circuit recently issued a decision in Charvat v. NMP, LLC that addressed significant issues pertaining to federal court jurisdiction and statutory damages for telemarketing litigation arising under the Telephone Protection Act (TCPA). The decision is significant because it widens the split in the federal appeals courts on whether claims under the TCPA, which provides consumers private rights of action, can be brought under “federal question” jurisdiction in federal courts rather than only in state courts.It also is significant because, insofar as the TCPA provides for statutory damages of $500 per violation, trebled for “willful” violations, the Court allows that amount to be multiplied in some circumstances if several violations occur on a single call.Continue Reading...
On August 24, 2011, in accordance with the EU’s recent revisions to the 2002 e-Privacy Directive, France implemented a law introducing new consent requirements for electronic cookies as well as disclosure and notification rules related to data breaches. The French ordinance complies with the revised e‑Privacy Directive by requiring user consent before websites can track visitors with cookies. However, it permits this consent to be obtained from the setting of parameters or other communication system preferences under the user’s control, which means that browser settings may be sufficient prior consent.Continue Reading...
The Federal Trade Commission (“FTC”) announced that it has obtained a consent decree requiring payment of a $50,000 penalty for violations of the Children’s Online Privacy Protection Act (“COPPA”) and FTC rules implementing it, marking its first ever COPPA enforcement proceeding involving mobile phone applications (“apps”). The new app enforcement action follows in the wake of another FTC action brought this past spring involving “virtual worlds” that resulted in the largest COPPA civil settlement to date.The enforcement actions show an FTC branching out from traditional websites that may collect children’s personal information (“PI”), to newer media, even while it is in the midst of a proceeding weighing whether and how it should update the COPPA rules to address new platforms and online apps through which children’s PI can be collected.Continue Reading...
Congressional Subcommittees Hold Consumer Data Privacy Hearing Featuring Testimony by FCC, FTC and NTIA
By Jim Smith
On July 14, 2011, two Subcommittees of the House Energy and Commerce Committee – the Commerce, Manufacturing and Trade Subcommittee chaired by Rep. Mary Bono Mack (R-CA) and the Communications and Technology Subcommittee chaired by Rep. Greg Walden (R-OR) – held a joint hearing that the subcommittees said will “kick off a series on privacy issues to examine how information is collected, protected, and utilized in an increasingly interconnected online ecosystem.”The hearing featured testimony by FCC Chairman Julius Genachowski, Federal Trade Commission (FTC) Commissioner Edith Ramirez, and Assistant Secretary of Commerce Larry Strickling, the Administrator of the National Telecommunications and information Administration (NTIA). The hearing indicated significant interest in prospective online privacy legislation, with unusually strong participation by subcommittee Members including the Chairman of the full Committee, Fred Upton (R-MI), and ranking Democrat Henry Waxman (CA). Several Members noted their heightened consumer privacy concerns in the wake of the past week’s revelations of voicemail and e-mail hacking in Great Britain, and near unanimous interest in strengthening online protection for the privacy of children.Continue Reading...
While the European Union’s deadline for implementing new cookie rules has passed, substantial uncertainty remains about what organizations should do to make their online activities compliant. In this advisory we offer six practical tips for dealing with the uncertainty.Continue Reading...
By Brian Nixon
On June 28, 2011, the American Bar Association’s science and technology law section held a teleconference to discuss the topic “Law of E-Tracking: Is Your Phone Too Smart, Your Media Too Social, and Your Advertising Misbehaving?” The teleconference addressed, among other things, effective best practices for companies that collect, use and share information about consumers when they use location based services (“LBS”) on mobile devices and/or social media sites.Continue Reading...
Also Reinforces That Faxes Need Not Be Ads, But Only a "Prelude" to Marketing, to Violate Junk Fax Rules
Less than two weeks after we reported on the Federal Communications Commission’s announcement that it would henceforth make “upward adjustments” to its fines against repeat violators of the statute and rules governing unsolicited fax advertisements, the FCC has issued another enhanced forfeiture, this time adding $150,000 to more than double the fine that would have applied otherwise. The nearly $300,000 proposed fine underscores how serious the FCC is about establishing an effective deterrent to repeated violations. The proposed fine is also a reminder that even faxes offering things for free (in this case, listings in a directory) can fall within the “junk fax” ban if they are part of an “overall advertising campaign” to sell goods or services.Continue Reading...
Three Federal Courts Rule that the Intended Target, Rather Than the Actual Recipient, Can Govern Whether "Robocall" Liability Lies for Calls to Wrong Numbers
By Ryan Gist and Ronnie London. In separate cases in different jurisdictions, one federal appeals court and two district courts recently held that, just because companies using autodialers reach someone other than their intended target, they do not lose the protection of exceptions in the law that depend on the relationship between the company and the person it is attempting to call. Since impermissible automated calls can lead to statutory damages of up to $1500 per call (as well as fines by federal agencies), the decisions are good news for companies that rely on autodialed and prerecorded calls but may not always be in a position to know when current or former customers’ phone numbers are reassigned, and/or if they have moved from a previous address. It is also particularly good news for those who may need to place such automated calls to cell phones, where the federal prohibition is tightest and the exceptions to it are narrowest.
The recent cases arise under the Telephone Consumer Protection Act (TCPA) and Federal Communications Commission (FCC) rules implementing it, which together prohibit automated and prerecorded calls, with certain exceptions. With respect to cell phones, the TCPA and rules prohibit automated/prerecorded calls unless there is prior express consent from the called party (or the call is for emergency purposes). As to residential (land) lines, they impose the same prohibition, but the statute also specifically allows the FCC to create categorical exemptions for some calls.Continue Reading...
Recently, the editors of this blog and of DWT's Broadcast Law Blog held a joint webinar for the Texas Association of Broadcasters that explored the landscape of of privacy issues that media companies may face. Subjects ranged from those that arise in the context of news-gathering and -reporting and advertising, to those implicating “robo-calling,” telemarketing and “spam,” to online issues involving collection of personal information about children and/or for targeted ads and app use, and data securitization.
There is a summary of the presentation on the Broadcast law Blog, and the slides from the session, providing a good outline of many of the basic legal concepts that arise in connection with privacy issues, are available here.
A proposed $315,000 fine against The Street Map Company for unsolicited fax advertisements suggests the Federal Communications Commission is losing its patience – to the tune of tens of thousands of dollars in extra fines – with companies that repeatedly send “junk faxes” even after the agency has cited them, and gone so far as to propose fines, for such conduct. And, the FCC’s notice of apparent liability (“NAL”) goes on to say, it plans to increasingly impose such “upward adjustments” in junk fax fines in similar cases in the future.Continue Reading...
On June 28, 2011, the FCC's Wireless Telecommunications Bureau, in conjunction with staff from the FTC, will hold a "public education forum" to discuss, among other things, industry best practices and the benefits/risks of "Location Based Services" for smartphones and other mobile devices. The forum is expected to include members from industry and technology companies as well as consumer groups and academia. In connection with the forum, the FCC is accepting comments about LBSs. Together, the forum and comments are expected to help inform a forthcoming FCC staff report on LBS.
The LBS forum is one of the many events in Washington concerning mobile privacy, an issue that has become quite the hot topic in the wake of concerns regarding LBS use by Apple and Google. As we discussed earlier here, the Senate Judiciary Committee's new Subcommittee on Privacy, Technology and the Law already held a hearing about Apple and Google's policies on location-based information. These two companies, in addition to Facebook and other organizations, are again expected to appear on the Hill tomorrow to discuss mobile privacy and protections, this time before the Senate's Consumer Protection, Product Safety and Insurance Subcommittee. Indeed, federal legislation has already been introduced that would regulate "geolocation" data of teenagers and children, as well as general commercial practices for the collection, use and sharing of personal information (which we discussed in detail here).
Has the FTC Missed the Point, or is it Subtly Seeking to Expand Liability?
The Federal Trade Commission recently announced that it filed comments in a Federal Communications Commission declaratory ruling proceeding aimed at determining the scope of TCPA liability for companies when third-party vendors make unlawful telemarketing calls. The FTC urges the FCC to rule that when a company that provides goods or services allows a third-party to offer them, calls placed by that third party qualify as calls made on behalf of, and initiated by, the company that provides the goods or services, even though that company did not place the call. But the FTC's comments are unclear how far it seeks to have the FCC go in this regard, and that lack of clarity serves to obscure whether the FTC has avoided the core question, or is really seeking to impose substantially broader telemarketing liability.Continue Reading...
By Micah Ratner
While over on the Hill the question was whether the Children’s Online Privacy Protection Act (“COPPA”) could be a springboard to “bigger and better” regulatory things, the Federal Trade Commission made news by enforcing the existing statute to elicit the largest civil settlement under the FTC COPPA Rule to date. On May 11, 2011, Playdom, Inc., an operator of over 20 online “virtual online worlds, agreed to pay $3 million to settle FTC claims that it violated COPPA by collecting and disclosing personal information from hundreds of thousands of children under 13 without prior parental consent.
By Paul Glist
Two new “do-not-track” privacy bills would impose new restraints on online tracking, behavioral marketing, and the use of mobile application and geolocation data. Rep. Markey introduced his discussion draft with his co-chairman of the House privacy caucus, Rep. Barton. Their “Do Not Track Kids Online” bill would build on the current Child Online Privacy Protection Act (COPPA), which requires parental consent for collecting and using personal information online from children under 13.
Using the political hook of protecting children, the bill proposes to convert COPPA into a framework extending to online and mobile apps, and to tracking and marketing to all those under 18—in the process imposing age verification requirements and other processes that may redefine the apps and mobile experience for all users. Sen. Rockefeller’s version, the “Do Not Track Online Act of 2011,” would simply grant the Federal Trade Commission (FTC) the power to define and adopt the comprehensive do-not-track regime the FTC recommended in December 2010 (which we discussed in detail earlier).
By Rob Morgan
During the maiden hearing of the Senate Judiciary Committee’s new Subcommittee on Privacy, Technology, and the Law chaired by Senator Franken, committee members pressed Google and Apple on how the companies use, collect, and share their customers’ location data, the notices they provide consumers, and the privacy standards they apply to third party applications. Online and mobile privacy issues have become Hill mainstays, but Franken scheduled his first hearing –Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy – in the wake of revelations that Apple’s iOS4 operating system for its iPhones and iPads collected and stored users’ location information even when they tried to turn off location services.
Among other things, the hearing helped underscore the extent to which the Hill has been long awaiting a specific proposal on reforms of the Electronic Communications Privacy Act (“ECPA”), which would be expected to address concerns such as those underlying these involving location data. In fact, Senator Leahy, Chairman of the Judiciary committee, indicated at the hearing that he would “soon” introduce an ECPA update to address some of these issues.Continue Reading...
Does Dismissal of Flash Cookie Case Against Specific Media Signal Smoother Sailing for Targeted Advertising?
By Rob Morgan
Online advertisers may collectively be breathing a cautious sigh of relief following last week's dismissal by the U.S. District Court in the Central District of California of the class action in Genevive La Court, et al. v. Specific Media, Inc. Plaintiffs had alleged Specific Media improperly used local shared objects ("LSOs," also known as "Flash cookies") to bypass web users' security settings to gather browsing information to support targeted ads. The Court held that Plaintiffs failed to demonstrate specific harm needed to support standing to bring such a suit, but gave them leave to amend the complaint and try again. Although Plaintiffs have said they intend to re-file, the Court pointed out other problems with the claims that could be difficult to overcome, even in a new filing.Continue Reading...
FTC Enforcement Action Reminds That Sweepstakes Entries Are Not Express Permission or EBR for Telemarketing Calls
By David Silverman
The FTC entered a stipulated judgment and order with a company that sells power wheelchairs and electric scooters, to settle charges that Electric Mobility Corporation violated the Telemarketing Sales Rule’s “(“TSR”) “do not call” restrictions by placing marketing calls to consumers who submitted sweepstakes entries that included their phone numbers. The FTC’s complaint, the settlement, and the monetary penalty paid under it, reinforce prior guidance that mere provision of a phone number on such entries or similar forms is not, under the TSR, “consent” to sales calls to households on the National Do-Not-Call Registry, nor does it create an “established business relationship (or “EBR”) that allows such telemarketing.Continue Reading...
This morning the Supreme Court heard oral argument in Sorrell v. IMS Health Inc. The case explores whether a Vermont law violates the First Amendment in prohibiting use of physicians’ prescribing histories by entities wishing to leverage the data for marketing. The case thus focuses principally on free speech jurisprudence, insofar as the Court has under review a decision that the state’s statute unconstitutionally restricts commercial speech. But at the same time, the issues arise against a privacy backdrop that implicates, among other things, use made of data reflecting individuals’ conduct for purposes of targeting marketing messages to them.Continue Reading...
By Paul Glist
Last week, Sens. John Kerry and John McCain and Reps. Cliff Stearns and Jim Matheson offered new privacy bills. The Kerry-McCain Senate bill and the Stearns-Matheson House bill each seeks to apply a common set of fair information practices on virtually all businesses, online and offline, that collect information about consumers or consumer behavior. For the moment, both bills are directed to commercial and non-profit organizations (such as many online businesses) that are currently not under privacy regulation.Continue Reading...
By Paul Glist
By Paul Glist
The Federal Trade Commission has released its long awaited Privacy Report. The Report proposes a "normative framework" for new privacy protections that would cover the use of personal and profiling information across all industries, on and offline, and recommends a "do not track" law to limit online behavioral advertising. (Copy of the FTC's Report is available here.) The Report is something of a hybrid. It is positioned as a preliminary staff report for comment, but voted on by the FTC Commissioners (over cautionary statements by the Republicans). It is partly a companion and complement to Bobby Rush’s privacy bill; partly a call for rulemaking comments (by January 31, 2011); partly a call for better industry self-regulation; and partly a warning of more aggressive enforcement activity to come under existing law.
Premises. The Report renews an FTC refrain that the current framework for privacy enforcement needs updating. Consumers don’t read or understand privacy notices, so cannot give informed consent. They have little or no idea that data profiles are assembled by parties with whom they have no direct relationship, and feel nervous that profiles are being used to deliver targeted advertising. Whether or not the profiles are “personally-identifiable” or de-identified, the “fear of being monitored” is harm in itself that should be addressed, and industry is not moving quickly enough. (These premises are questioned in the Republican concurring statements.)
Scope. Like the Rush bill, the Report proposes a framework for privacy that extends far beyond online advertising to all businesses that handle consumer data—online, offline, bricks and mortar—with to-be-defined exceptions for those that handle only small amounts.
Notice. Like the Rush bill, it encourages clear notices, ideally given to the consumer in a less-burdensome, standardized format at a time when it is meaningful and subject to easy comparison with other firms’ privacy notices.
Choice. Also like the Rush bill, it seeks a graduated level of consumer choice depending on use. “Commonly-accepted” uses, such as order fulfillment, service improvement, fraud detection, legal and law enforcement compliance, first-party advertising on the same platform, and possibly advertising by obvious affiliates, would be permitted without choice. Almost everything else is put in play: first-party advertising sent through different media, third-party advertising networks, data collection by an ISP, collection of “sensitive information,” and collection of any information about “sensitive users” like impulsive teens would all be subjected to a heightened level of choice. The Report punts on whether that should be opt-in or opt-out. The Report questions how far companies should be permitted to give “take it or leave it” offers, conditioning services on the use of consumer data. But at least it recommends a sliding scale, in which the level of protection afforded should be proportionate to the data and risks involved at each business.
Access. Any company that maintains data profiles—including third party data brokers—would be expected to provide some level of notice and access if the stored personal profile may be used for the denial of a benefit. Those with data profiles used for other purposes might respond to inquiries with a description of the kinds of information stored and an opportunity to opt-out. The Report reveals concern over the use of de-identified data, wondering how data can be effectively anonymized and how long it can remain anonymized as technology advances.
Privacy by Design, Security, and Data Minimization. The Report exhorts all businesses to adopt “privacy by design,” going beyond security, privacy officers and training to designed privacy into every product, service, and application with the same concern given to costs. The Report includes typical recommendations for collecting and retaining only the data needed for legitimate business uses, and asks how it should define what is “needed” and what is a “legitimate business use.”
Do Not Track. The FTC’s headline issue is recommending a “do not track” requirement. The current idea is to require modified browsers to send an HTTP header asking sites not to track for behavioral advertising. The Report does recite many of the “enormous benefits” of behavioral advertising and other technology advances such as free Internet content, online search, lower prices, global communication, and cloud computing. It also asks a few token questions about the impact that “opt-out” from behavioral advertising might have on Internet commerce and on the consumer experience online. But it asks far more about the mechanics of implementing “do not track.” The Report does not grapple with how much protection “do not track” would provide if it cannot control overseas servers, or does not reach email, web applications, mobile, or “offline” data.
Technological neutrality. As with the Rush and Boucher bills, the Report does not achieve technological neutrality. It carries forward a reflexive hostility to collecting data at the cable modem, while positioning advertiser supported companies at the edge to offer behavioral advertising with adequate notice and informed consent.
Next Steps. Because this Report is serving multiple purposes, it will be part of the privacy debate in many forums. It will be a feature at the December 2 hearing before Bobby Rush’s House Consumer Affairs Subcommittee; over the coming weeks before the January 31 deadline for comment on the Report and the FTC’s scores of specific questions; and before other agencies (such as the FCC or Commerce) which are also pursuing the privacy agenda.
By Ronnie London & Elizabeth Soja
On June 2, 2010, the FTC announced a settlement with a company that was selling and distributing spyware and providing customers with instructions for remotely installing that spyware on the computers of unsuspecting third parties. The court’s final order requires CyberSpy Software, LLC and its owner to ensure that any download of “RemoteSpy” keylogger software now provides notice to the computer’s owner that the spyware has been downloaded onto the device. The computer’s owner must also consent before the software can be installed. Along those same lines, the order bans all advertising that says RemoteSpy can be installed surreptitiously on a computer without the owner’s knowledge. The final order follows a preliminary order entered back in November 2008.
The FTC’s complaint against CyberSpy and its owner, filed in federal court in Florida in November 2008, alleged that the defendants provided “customers with instructions on how to disguise the software as an innocuous file, such as 'photos' or 'music' attached to an email, in order to send the software to another computer." When the recipient clicked on the attachment, the software downloaded onto the device without the owner's knowledge. Once the software was installed, it sent information regarding all activity from the computer to CyberSpy's servers via the Internet. RemoteSpy customers could then “access this information by going to remotespy.com and typing in a password that they selected when signing up for Defendants' service,” according to the complaint.
The FTC alleged that these practices violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce.
By Ronnie London & Micah Ratner
The FTC announced on May 19, 2010, that on April 8, a Northern District of California judge issued a permanent injunction shutting down an ISP—Pricewert LLC—that primarily hosted spam, botnets, trojan horses, viruses, child pornography, and spyware. ICANN and other industry standards bodies have shut down ISPs that host illegal content, but the FTC’s enforcement action against Pricewert LLP marked the first instance where a federal district court permanently shut down a “rogue” ISP.
The FTC’s June 2009 complaint alleged that Pricewert “recruits, knowingly hosts, and actively participates in the distribution of illegal, malicious, and harmful electronic content” and “actively colludes with its criminal clientele in several areas, including the maintenance and deployment of botnets.” The FTC’s evidence included transcripts of instance messages that showed senior Pricewert employees colluding with bot-herders to create and configure a botnet. Pricewert also allegedly marketed its services on chat rooms for spammers, ignored take-down requests from the online security community, and shifted IP addresses for its criminal clients to evade detection. The same month, the federal court issued a TRO and then a preliminary injunction against Pricewert based on the FTC’s allegations of unfair and deceptive practices under Section 5 of the FTC Act.
Also on April 8, the district court appointed a permanent receiver and determined the amount of disgorgement of profits. The FTC reports that the ISP’s servers and assets were seized and will be liquidated. The court cut an award of ill-gotten profits from $2.16 million to $1.08 million because the FTC was unable to submit sufficient evidence to show the percentage of Pricewert’s legitimate versus illegal activity.
In our entry CAN-SPAM Complaint Mills - Time For A New Business Model? pointing to our advisory on the Ninth Circuit’s decision in Gordon v. Virtumondo, Inc., we noted the court’s holding that private suits to enforce the CAN-SPAM Act are limited to bona fide Internet access service providers who genuinely suffer “adverse affects” attributable to email that violates the law, its recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.”
Yesterday, the Ninth Circuit built on that foundation, issuing its decision in Asis Internet Services v. Azoogle.com, Inc., which affirmed dismissal of a similar plaintiff’s CAN-SPAM claims, and an award of costs against it. Citing Gordon v. Virtumondo for the proposition that Asis did not meet the requirement of being adversely affected by the unsolicited emails it received, the court held “the mere cost of carrying SPAM emails over Plaintiff’s facilities does not constitute a harm as required by the statute.” It also held that while Plaintiff also spent money on email filtering, the cost of email filtering did not increase due to the emails at issue, reinforcing that “such ordinary filtering costs do not constitute a harm.” The case thus maintains the high bar to CAN-SPAM complaints set in Gordon.
By Robert J. Driscoll
We recently blogged (here) about a new Maine law that would restrict the collection and use of personal information from minors for marketing purposes. Shortly thereafter, a coalition of educational and industry groups filed a lawsuit in the U.S. District Court in Maine, challenging the law on the basis that it violates the First Amendment and the Commerce Clause of the Constitution. On September 9, 2009, the court entered a stipulated order of dismissal. While determining that the plaintiffs had established a likelihood of success on their claims, the judge noted that the Attorney General, acknowledging the substantial legal issues raised by the new law, had committed not to enforce it. The judge also pointedly stated in the order that “third parties are on notice that a private cause of action [under the new law] could suffer from the same constitutional infirmities,” in an apparent attempt to discourage private individuals from filing a private cause of action to enforce the law. The legislature is expected to revisit the new law and to consider amendments that would address these infirmities in the upcoming session.
By Robert J. Driscoll
The state of Maine recently passed a new law restricting the collection and use of health-related information and personal information of minors. We have published an advisory containing some of the details. The new law, which takes effect in September, is substantially more limiting than COPPA and will significantly impact the ability of marketers to communicate with Maine residents under age 18. Read more at www.dwt.com/LearningCenter, or click here.
Be sure to check out our advisory on Gordon v. Virtumundo, Inc. There, you’ll find our review of the recent 9th Circuit decision clarifying that private suits to enforce the federal CAN-SPAM Act – apart from the FTC, state attorneys general, and other state/federal agencies statutorily authorized to bring claims – are limited to bona fide Internet access service providers, who genuinely suffer “adverse affects” attributable to email that violates the law. We also discuss the 9th Circuit’s recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.” Read more at www.dwt.com/LearningCenter, or click here.
The latest in the ongoing saga/delay with regard to the effective date for those subject to the Federal Trade Commission’s version of the Identity Theft Red Flag Rules is that the FTC has announced that the deadline by which affected businesses must comply has been extended – yet again – to November 1, 2009. This is the third extension of the compliance deadline, for which the “mandatory compliance” date was originally November 1, 2008. It was later extended – first to May 1, 2009, then to August 1, 2009, and now to November 1, 2009 – after confusion arose as to whom the rules applies and how to comply with them. This raises the question, which the FTC itself has acknowledged, of whether Congress wrote the rules too broadly.
When the FTC announced the first extension, it stated it was stepping up outreach efforts to explain the rules to the various entities to which they apply. With the second extension, the FTC released a “How-To Guide for Business” to assist those faced with complying. Meanwhile, the FTC created a dedicated Red Flags Rule website, but rejected a request by the American Medical Association for clarification that the rules do not apply to doctors, which begat consternation over whether the rules could apply to lawyers as well. With the ABA seemingly poised to take the FTC to litigation over the matter with the twice-extended compliance deadline nearly at hand, and confusion otherwise lingering generally, the FTC extended the compliance date again.
This time, the FTC stated it was extending the effective date yet again to “assist small businesses and other entities,” so that it could “redouble its efforts to educate them about … and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.” In particular, “redoubled” efforts are intended to assist small and low-risk entities who may face compliance concerns. However, if it is truly “low risk” businesses on which the FTC is focused at this point, with three extensions (now totaling one year) needed to deal with any uncertainty among such “low-risk” businesses, does that validate previously-voiced concerns from the business community that the rules are too broad? This may well be an area Congress should consider revisiting, and sooner, rather than later.
Last week came news that DISH Network LLC signed an Assurance of Voluntary Compliance (“AVC”) with the Attorneys General of 46 states, in which it agreed to pay nearly $6 million – plus, potentially, additional restitution – and to modify its sales practices to settle claims that it failed to follow telemarketing do-not-call laws and engaged in unfair trade practices. The agreement, which DISH executed with regulators from every state but California, Illinois, North Carolina, and Ohio, notes that among the alleged violations were failure “to comply with federal, state and/or local laws regarding telemarketing,” but denies any wrongdoing. The AVC also called for DISH to comply with such state laws going forward.
The extent to which Attorneys General leveraged their states’ telemarketing laws in the settlement, and to require future compliance, is a troubling reminder that it has been more than half a decade that the Federal Communications Commission (“FCC”) has sat on petitions, declaratory ruling requests, and other calls for it to follow through on its promise to preempt the application of state laws to interstate telemarketing if they differ from federal standards. Specifically, when it joined the Federal Trade Commission to update federal telemarketing rules in 2003, including creating of a National Do-Not-Call Registry, the FCC established certain limitations on application of state law thereafter. It said its rules implementing the Telephone Consumer Protection Act (“TCPA”), which underlie the Registry, would serve as a “floor” with respect to all interstate and intrastate telemarketing calls. That is, federal rules would govern all interstate calls, and with respect to intrastate calls, state rules that were less restrictive than their federal counterparts were preempted. And, while the TCPA allows states to impose more restrictive rules to intrastate calls, the FCC said its rules would “almost certainly” preempt the application of such laws to interstate calls. It also said that, rather than establishing blanket preemption (as with less-restrictive state laws), it would address preemption of such laws on a case-by-case basis.
In the ensuing years, in the related context of unsolicited fax ads, the TCPA’s preemption provision, which applies equally to the law’s telemarketing and fax provisions, was interpreted in accord with the FCC’s position. At the same time, multiple petitions were filed, targeting sundry state laws, asking that the FCC preempt various state telemarketing prohibitions or requirements. In other cases, trade associations asked the FCC to impose 50-state preemption with respect to certain state laws and rules. Some of these petitions have languished since 2004, or even 2003, and while the FCC has sought comment, all these matters remain pending.
The AVC that DISH has entered with all but 4 states requires it to comply with state telemarketing rules that likely were preempted by federal law. This is a significant reminder that the FCC needs to bring closure to this issue. Indeed, it is likely that many of the calls at issue in the DISH enforcement action were interstate in nature and should not have been subject to state laws that differ from the TCPA rules. The point is not that if preemption were clarified by the FCC, the issues surrounding DISH’s marketing practices would have disappeared. Nonetheless, the settlement serves as a hefty reminder that telemarketers making interstate calls still face state laws that differ from – and as the FCC has said, are “almost certainly” preempted by – federal regulations intended to unify the rules in this area and to eliminate the patchwork of state requirements and prohibitions. Perhaps, now that a new FCC installed by a new administration is poised to be at full strength, there is an opportunity to complete this last piece of long-unfinished business.
By Robert J. Driscoll, Paul Glist and Jennifer Small
On July 2, 2009, a group of advertising industry associations published the Self-Regulatory Principles for Online Behavioral Advertising (PDF)—a set of guidelines concerning the collection and use of online behavioral data by advertisers, service providers, publishers and ad networks.
The principles, drafted by the American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB) and the Council of Better Business Bureaus (BBB), focus on the areas that the Federal Trade Commission (FTC) has identified as desirable for industry self-regulation. The principles set forth recommended practices for providing consumers with greater control over online behavioral advertising.
These proposed self-regulatory principles arise against a backdrop of growing political and consumer awareness of privacy issues. FTC Chairman Jon Leibowitz has twice warned the industry that it is facing the “last clear chance” to avoid specific governmental regulation. The FTC has stepped up enforcement action in the area, recently proposing an order against Sears that treats formal notices of Web tracking buried in fine print as “unfair” or “deceptive” under current law.
This advisory provides a brief overview of the new principles. Businesses involved in online behavioral advertising should be aware of them and consider taking steps toward their implementation.
Of particular note is an enhancement of consumer notice and education about the collection and use of predictive profiling information, with new, easier-to-use tools for consumers to “opt out” of such collection and use by online ad networks. In addition, the principles propose more significant restrictions on service providers—specifically, Internet service providers and providers of desktop application software such as browsers and tool bars—who would be permitted to engage in the collection and use of data for online behavioral advertising purposes only on an “opt in” basis.
The principles do not address display advertising or contextual advertising; rather, they focus on advertising targeted to the user based upon data regarding that user’s activities across various Web sites, a practice that has attracted considerable political attention.
The proposed requirements are summarized briefly below.
- Transparency. Online behavioral advertising will be accompanied by enhanced notice to consumers. Among other things, the principles contemplate that a uniform link or icon indicating that behavioral data is being collected will be displayed in or around behavioral ads. In addition, ad networks and other entities that collect and use data from others’ Web sites would be required to include notices of their online behavioral advertising practices on their Web sites, along with a mechanism for consumers to opt out of the collection and use of behavioral data. Service providers would also be required to provide online notices of their behavioral advertising practices, and Web sites at which behavioral data is collected would be required to display links to the ad networks’ notices.
- Consumer control. The principles require entities involved in online behavioral advertising to provide users with a means of controlling the collection and use of data relating to them. Ad networks could satisfy this obligation by providing a means for consumers to opt out of such data collection and use. Service providers, on the other hand, would be prohibited from collecting or using data for online behavioral advertising purposes without securing affirmative consumer consent, i.e., by deploying an opt-in mechanism.
- Data security. Data will be reasonably secured and discarded when no longer necessary to fulfill a legitimate business or law enforcement purpose. This principle extends to offer reasonable assurances that the anonymization process will prevent the re-identification of anonymized profiles.
- Material changes. Consent is required for any retroactive material change in the use of collected data.
- Sensitive data. Children known to be under 13 are provided additional protections, as is health and financial data. The principles note that what is “sensitive” information may change over time.
- Accountability. Enforcement of the principles will be handled principally by nongovernmental bodies, perhaps analogous to the Children’s Advertising Review Unit of the Better Business Bureau with respect to children’s advertising issues. Enforcement mechanisms may include internal and third-party monitoring and self-reporting systems, and possible reports to the applicable government agencies in the event of an uncorrected violation.
- Education. Participants are encouraged to educate individuals and businesses about online behavioral advertising. It has been reported that industry groups expect to conduct a large educational campaign—on the order of 500,000,000 impressions—over the next 18 months.
Currently key House members are drafting new legislation on online privacy. We expect that even if such legislation is pursued, it may still provide room for effective self-regulatory programs to operate. In the meantime, the BBB will spearhead implementation of the Self-Regulatory Principles for Online Behavioral Advertising, with an implementation program expected to be launched by early 2010.
Did text-message advertising get more difficult after last week’s decision by the U.S. Court of Appeals for the Ninth Circuit in Satterfield v. Simon & Schuster, Inc.? Perhaps so, but not principally for reasons cited by many accounts and commentators reporting on the case.
Satterfield, the recipient of a text-message advertising a Stephen King novel sent by its publisher as part of an outsourced promo campaign, sued Simon & Schuster (and outsourcer ipsh!) under the Telephone Consumer Protection Act (“TCPA”), which prohibits (among other things) “calls” to numbers assigned to cellular and similar services sent by automatic telephone dialing system (or “ATDS”). Simon & Schuster defended on grounds the ad was not delivered by an ATDS as defined by statute, and that text messages are not “calls” as the TCPA requires. It also claimed the text fell under the law’s consent exception insofar as Satterfield received it after registering at Nextones.com (to allow her minor son to receive a free ringtone), where she agreed to terms and conditions (“T&Cs”) that included accepting on the registered cell phone promotions from the website’s affiliates and brands. Initially, Satterfield was turned aside on summary judgment when the trial court held the text was not sent by an ATDS and that Satterfield consented to its receipt (and thus did not reach arguments that text messages are not “calls” under the TCPA).
Last week, the Ninth Circuit reversed. It found, given dueling expert testimony, a material fact question that needed to be tried, as to whether the equipment that sent the text was an ATDS. It also held, based on Federal Communications Commission (“FCC”) pronouncements, and on the law’s legislative history and intent, that text messages are “calls” under the TCPA. This part of the decision became the headline in much reporting and commentary on the case, not to mention speculation about what it means to marketers. But classifying text messages to phone numbers as ATDS transmissions is hardly news – the FCC said they were over five years ago, and reiterated as much in adopting rules under the CAN-SPAM Act (which govern mobile service commercial messages to email addresses, which differ from text messages to phone numbers), so that question was never in serious doubt. Rather, the more intriguing aspect of the Ninth Circuit’s decision (in my view), which received less attention, comes in its last few pages.
There, the court rejected claims that the text-message was allowed based on consent Satterfield gave at the Nextones’ website to receiving promotions from its affiliates and brands. Rather than viewing who could be an “affiliate” of Nextones in more colloquial terms – which is the tone for which many online T&Cs and privacy policies strive to make them more consumer-friendly – the Ninth Circuit construed “affiliate” as having “independent legal significance” so as to require a corporate relationship between the entities “by shareholdings or other means of control.” Since Nextones and Simon & Schuster are not commonly controlled, the court reasoned, the publisher could not be an “affiliate” of Nextones from whom Satterfield consented to receive texted ads. The court took a similarly narrow view of “brands,” holding they are “commonly defined” as “goods identified as being … of a single firm,” so since the text message advertised a product of Simon & Schuster, not Nextones, consent did not exist on this basis, either.
The decision thus begs the question how a company’s website (and other peripheral materials) must identify third-parties who may market to the company’s consumers, in order for consent, such as that contemplated by the TCPA, to encompass third parties. If describing them as “affiliates” will not suffice – and, one would think, the prospect exists of courts like the Ninth Circuit imposing legally-specific definitions on, or finding equally insufficient otherwise, other commonly used colloquialisms such as “partners,” “clients” or “co-marketers” – how are companies to describe such third-party marketers in a way that is both understandable and succinct, while still being meaningful to consumers? That, I believe, is among the principal challenges facing marketers in the wake of the Ninth Circuit’s Satterfield decision.
Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:
(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?
Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.
So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:
Rather than a long list of bloggers, you will be getting regular updates from just five of us – and henceforth there will be no more posts in this annoying third-person, royal we, voice. We may have some guest bloggers on occasion, but for the most part you can level any criticisms at the following:
Bruce Johnson, our Burgermeister-Meisterburger, who will be blogging on the topic of Personal Communications (blogging, employee/employer relations, etc.)
Randy Gainer, who will be captivating you with stories about the Government Surveillance (ECPA/CFAA, CALEA, REAL ID/travel issues, etc.)
Charlene Brownlee, who is by far the most stylish among us (and who will be blogging on the subject of Data Breaches and identity-theft laws)
Ronald London, who will endeavor to keep an eye on Congress and will be blogging about telemarketing, junk fax, CAN-SPAM, behavioral/advanced advertising, and CPNI (which we’ll call Marketing and Consumer Privacy)
Lance Koonce, who will try not to mangle any stories about Online Threats such as hacking, phishing, pharming, pretexting, malware/spyware, and offline versions such as dumpster diving and the theft/loss of data-containing devices.
We do not purport to be a source for all news that touches on privacy and security – the field has exploded and aggregating such information would be a full-time career. Rather, we hope to tease out interesting aspects of specific issues within our areas of coverage. We hope you’ll take a look, and keep coming back if what you see intrigues you.
The PrivSecBlog Team
And by the way:
Ratings. And possibly bad karma.