Privacy & Security Law Blog

Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Marketing and Consumer Privacy

Subscribe to Marketing and Consumer Privacy RSS Feed

PCI Council: SSL Will No Longer Be Sufficient for E-Commerce

Posted in Data Protection, Deals and Technology, Marketing and Consumer Privacy

In the latest edition of the PCI Council’s Assessor Newsletter, the Council previewed a proposed change related to the use of Secure Socket Layer (SSL) protocol for encrypting communications between your website’s e-commerce shopping cart and your customers’ computers.

In talking about this proposed revision, which should be expected in version 3.1 of the PCI DSS and PA-DSS (version 3.0 is currently in effect), the newsletter said the following:

“In order to address a few minor updates and clarifications and one impacting change, there will be a revision for PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and updates to the standards are needed to address this issue.”

(emphasis added)

The newsletter goes on to state that the Council is currently working with industry stakeholders to determine the impact of this proposed change.  A date for the release of the new version has not yet been set but, in a bulletin published on February 13, the PCI Council said that the change, when made, will become effective immediately but will be ... Continue Reading

New Jersey Amends “Do Not Call” Law, Eases Prohibition on Telemarketing to Cell Phones

Posted in Marketing and Consumer Privacy

In a somewhat significant departure from prior law, New Jersey Governor Chris Christie signed into law a bill to immediately amend the state’s telemarketing sales call rules to expand the ability of companies to make telemarketing calls to consumers’ mobile devices. Prior to the enactment of S. 1382, New Jersey’s “do not call” law for telemarketing mobile devices (N.J. Stat. § 56:8-130) prohibited “telemarketing sales calls” to consumers on their mobile devices, unless the call was made by a commercial mobile services company to its users, and even then only if the call was directly related to the company’s mobile services and the users do not incur charges.  The definition of “telemarketing sales call” was broad and did not have any exceptions for specific types of sales calls (though it did expressly exclude calls made for the sole purpose of collecting on accounts or following up on contractual obligations).

Under the statute’s revised language, only “unsolicited telemarketing sales calls” to consumers’ mobile phones in the state are prohibited. While seemingly not a drastic change on its face, the statute defines “unsolicited telemarketing sales calls” as those made other than in response to the consumer’s express written consent, or ... Continue Reading

Advisory Alert: FTC Staff Report on Internet of Things

Posted in Marketing and Consumer Privacy, Technology

The Federal Trade Commission released its much anticipated staff report on January 27 regarding consumer privacy and data security concerns arising from the emerging market for connected devices known as the Internet of Things (“IoT”). Titled “The Internet of Things: Privacy and Security in a Connected World,” the FTC’s report (the “Report”) builds on the FTC’s November 2013 IoT Workshop and focuses on issues arising from the estimated 25 billion consumer-facing IoT devices expected to be connected by the end of this year. The Report presents the FTC staff’s recommendations and best practices for enhancing privacy and security in the consumer IoT space, but does not resolve some of the most significant issues presented by this emerging sector, including how to reconcile the growing tension between Fair Information Practice Principles or “FIPPs”— such as notice, choice and data minimization – with technology that often lacks screens for notice and contains sensors designed to collect multiple streams of data at all times.

Continue reading here.... Continue Reading

When Try, Try Again Does Not Succeed: FTC Denies AgeCheq, Inc.’s Second Parental Consent Application Under COPPA

Posted in Marketing and Consumer Privacy

The Federal Trade Commission announced that is has denied AgeCheq, Inc.’s second proposed verifiable parental consent method under the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule.  After trying but failing last year to gain FTC approval for a third-party common consent administrator mechanism, AgeCheq offered a new proposal, which would have allowed parents to access and submit an online “sign and send” form to a third party intermediary’s online verification portal. But the FTC once again turned AgeCheq away.

Under COPPA and the FTC’s COPPA Rule, websites and online services that collect personal information online from children under 13 must obtain verifiable parental consent for the collection, use and/or disclosure of the information.  The Rule allows limited collection of personal information from the child in the first instance in order to allow consent to be obtained, including the child’s name or online contact information, and/or the parent’s name or online contact information.  The Rule also specifies several means of obtaining parental consent, and allows parties to submit and seek FTC approval of additional means for obtaining consent not presently permitted by the Rule.

AgeCheq submitted its proposed “Device-Sign Parental Consent Form” (DSPCF) method to the FTC in October 2014. ... Continue Reading

FTC Director Rich: Greater Transparency Needed in Post-Mad Men Era of Online Advertising

Posted in Marketing and Consumer Privacy

The world of the popular television show Mad Men may be glamorous, but according to the Director of the Federal Trade Commission’s Bureau of Consumer Protection, Jessica Rich, it depicts more fiction than fact about modern advertising practices which has moved online and depends on vast amount of customer data.  While speaking at the AdExchanger Industry Preview 2015 on January 21st, Ms. Rich cautioned that online advertisers must be more open and transparent with consumers on how they use, collect, and share consumers’ information in this new marketing paradigm, and warned advertisers that failing to sufficiently disclose or attempting to deceive customers about their data collection and use practices could lead to FTC enforcement actions and a loss of consumer trust.

In noting the vast benefits that targeted advertising holds for consumers, Director Rich stated that consumer privacy has grown from being just an issue of matter of legal compliance “to a C-suite issue – part of a [company’s] broader bottom line strategy as consumer awareness and demand for privacy continues to grow.”  Indeed, Ms. Rich stated that “providing transparency and choices about privacy is increasingly a selling point for businesses” as more consumers are becoming aware of and concerned ... Continue Reading

State AGs Looking to Crack Down on Telemarketers Press FCC and FTC

Posted in Communications/Media, Marketing and Consumer Privacy

A majority of the nation’s state and territorial Attorneys General have collectively urged the Federal Communications Commission and Federal Trade Commission to revisit rules and policies in ways that would help law enforcement crack down on telemarketing practices.

Recently, the FCC issued a public notice seeking comment on a request by the National Association of Attorneys General and 39 undersigned state law enforcement executives (referred to collectively here as “NAAG”).  The petition seeks a formal FCC opinion on the legal ability of telephone providers to implement call-blocking technology to combat unwanted telemarketing. In their request, NAAG noted that while call-blocking technology such as “NoMoRobo,” “Call Control,” and “Telemarketing Guard” currently exist on the market, telecom companies are reluctant to employ such devices to stop unwanted telemarketing from reaching consumers due to perceived legal barriers. According to telecom industry representatives, “phone companies have a legal obligation to complete phone calls” and the current legal framework “does not allow [them] to decide for the consumer which calls should be allowed to go through and which should be blocked.”

The FCC’s notice asks for public comment on three major issues raised by NAAG and the Attorneys General:

  • The legal and/or regulatory prohibitions, if
... Continue Reading

Advisory Alert: Refill Reminders and the TCPA

Posted in Healthcare, Marketing and Consumer Privacy

The Telephone Consumer Protection Act (“TCPA”) presents another challenge as health care providers continue to engage patients and seek to meet Meaningful Use reminder objectives. Over the past year, there have been several class action suits alleging pharmacies’ prescription refill reminders violated TCPA. One federal trial court recently opined that if the plaintiff provided his cell phone number only for verification purposes, that provision of the cell number cannot be equated to consent to receive automated refill reminders on his cell phone.

Click here to continue reading.... Continue Reading

Is Your Website Ready for California’s “Minor Eraser” Law?

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Starting on Jan. 1, 2015, California’s new “Minor Eraser” law goes into effect and allows minors in California to remove content or information that they have posted as a registered user on a website, online service, online application or mobile application (collectively, an “online service”).

Does this new law apply to your website? 

This new law will apply to online services in two instances – if your online service is directed to minors or if the operator has actual knowledge that a minor is using the online service.  This law defines “minor” as any person under 18 years old who resides in California.

The statute defines “directed to minors” as an online service, or any part thereof, that is “created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults” (emphasis added); however, an online service is not “directed to minors” solely because it refers or links to another online service that is directed to minors, see Cal. Bus. & Prof. Code §22580(e).  It is important to note that a portion of an online service can be directed to minors if it ... Continue Reading

AgeCheq, Inc. Looking for Second Bite at the Parental Consent Apple

Posted in Marketing and Consumer Privacy

FTC Denies Company’s First Proposed COPPA Parental Consent Method, Seeks Public Comment on Second Proposal

The Federal Trade Commission announced that it has denied AgeCheq, Inc.’s proposed verifiable parental consent method application, which relied on existing verifiable consent methods but also utilized a third-party common consent administrator to allow for consent across multiple devices (see our discussion here). Under the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule, interested parties can propose and request FTC approval for additional methods for obtaining verified parental consent not presently permitted by the Rule.  In its letter to AgeCheq, the FTC explained that its denial of AgeCheq’s application was because AgeCheq’s proposed method is already recognized by the Commission “as a valid means of obtaining verifiable parental consent in the Rule, and AgeCheq is free to pursue the development of a common consent mechanism without Commission approval.”

Meanwhile, the FTC announced that it is seeking public comment on a second proposed verifiable parental consent method from AgeCheq.  According to AgeCheq’s latest application, its newest proposed method would augment the traditional paper “sign and send” parental notification method for the mobile space, allowing parents to access and submit an online “sign and ... Continue Reading

Advisory Alert: California’s “Online Eraser” Law for Minors to Take Effect Jan. 1, 2015

Posted in Marketing and Consumer Privacy

On Jan. 1, 2015, California’s “Online Eraser” law will take effect, requiring websites and other online service operators to delete on demand any content posted by minors.  The law also prohibits such operators from sharing minors’ personal information with third parties for the purpose of marketing particular products or services to them.  The new law, however, is ambiguous and possibly unconstitutional.

To read the full article, click here.... Continue Reading

FCC Reaffirms Fax Ads Sent With Recipients’ Prior Permission Require Opt-Out Notice

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

But Grants Retroactive Waivers to Petitioners Who Sent Permission-Based Faxes Without Opt-Out Notices

The Federal Communications Commission has issued an Order sustaining its rule that even ads faxed with the permission of the recipient must include a notice with instructions for how to opt out of future faxes. The Order responds to a passel of petitions that argued the Telephone Consumer Protection Act’s (TCPA) “junk fax” provision and attendant opt-out requirement apply only to “unsolicited” fax advertisements, and thus do not cover faxes “solicited” by those who consent to receive the faxed ads.

However, while staunchly defending its statutory authority to adopt an opt-out notice rule for permission-based faxes, and that it was a logical outgrowth of its rulemaking notice, the FCC recognized that its order adopting the rule may have been confusing on this point. It accordingly granted retroactive waivers to petitioners with temporary relief from any past obligation to have opt-out notices on permission-based faxes. The waivers give petitioners who received them a six-month window to come into compliance with the opt-out requirement, and the FCC invited similarly situated parties to seek similar waivers, strongly suggesting that such requests must be on file within the next six months.... Continue Reading

California Attorney General Releases Breach Report with Key Findings and Recommendations for Retailers, Financial Institutions and Health Care Sectors

Posted in Data Protection, Marketing and Consumer Privacy

California Attorney General Kamala D. Harris has released a “California Data Breach Report,” which presents a series of findings and recommendations based on a review of breaches reported to the Attorney General’s office in 2012 and 2013.  It should come as no surprise that breaches are on the rise, but the Attorney General’s analysis of the reported breaches outlines the root causes of these breaches on an industry basis and recommends best practices to address the sources of those breaches.  For instance, the vast majority of retail breaches were the result of computer intrusions (malware and hacking), leading to recommendations such as the implementation of chip-and-pin technology, end-to-end encryption and tokenization of payment card data.  Similarly, in the healthcare industry, where 70% of the reported breaches were the result of physical loss or theft of hardware or portable media containing unencrypted data, the Attorney General recommends health care providers and institutions use strong encryption to protect covered information on laptops and other portable devices.

Key Findings

  • 28% year-over-year increase in breaches reported to the California Attorney General.
  • Excluding Target and LivingSocial breaches: a 35% year-over-year increase in the number of records breached.
  • Including Target and LivingSocial breaches:
... Continue Reading

Improving Data Breach Security, from the Customer’s Wallet on Up: In Wake of Massive Breaches, It May be Time to Consider Enhancing Customer Security with Chip-Embedded Payment Cards

Posted in Data Protection, Marketing and Consumer Privacy

In early September, Home Depot announced that it had suffered a severe security incident, which resulted in a massive data breach that exposed the payment card information of Home Depot customers across the United States and Canada. The home improvement retailer later confirmed that the breach was the result of malware designed by hackers to evade the company’s security measures, and which subsequently compromised the integrity of its sales register systems. Once compromised, hackers were able to “scrape” customer payment information from the registers’ memory and transmit customer payment card data overseas.

All told, the breach exposed the payment card information of 56 million customers, making it one of the largest known retail data breaches to date. Home Depot’s announcement and the resulting disclosure of the number of customers affected adds the home improvement giant the ever-expanding list of major retailers that have found themselves victimized by cyber criminals.

As this blog noted earlier this summer, credit card and debit card fraud caused $11.27 billion in losses in 2012. Secured PoS devices are critically important for stemming the tide of payment card fraud, as they are the point where customer payment card information is commonly gathered. Accordingly, businesses that use ... Continue Reading

“Th-th-th-that’s All, Folks!” Federal Judge Dismisses Class Action against Cartoon Network, Finds Anonymous User IDs Don’t Qualify as Personal Information under VPPA

Posted in Communications/Media, Data Protection, Marketing and Consumer Privacy

On October 8, Georgia Federal District Judge Thomas Thrash, Jr., dismissed a putative class action against The Cartoon Network, Inc., where the plaintiff alleged that the animation company violated the Video Privacy Protection Act (“VPPA”) by sharing its mobile app users’ data with third parties without consent. Specifically, the plaintiff in Ellis v. The Cartoon Network claimed that the Cartoon Network shared the viewing histories and Android mobile device IDs (“Android IDs”) of individuals who used the company’s mobile Cartoon Network App (“CN App”) with Bango, a United Kingdom-based data analytics firm. Once Bango had this information, it was able to reverse engineer users’ true identities by using data collected from other unrelated sources. At the heart of his claim, the plaintiff alleged that the Android IDs by themselves that the Cartoon Network transmitted to Bango constituted Personally Identifiable Information (“PII”) under the VPPA, and that the Cartoon Network violated the statute by sharing it with Bango without users’ consent.

What is PII under the VPPA?

While Judge Thrash agreed that the plaintiff was a “consumer” under the VPPA as he was subscriber of the Cartoon Network’s services, the judge took issue with the plaintiff’s assertion that an Android ... Continue Reading

Second Circuit Adopts FCC’s Narrow Construction of “Implied” Express Consent for Autodialed Calls to Cell Phones

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

This updates our report last summer on a Federal Communications Commission (FCC) letter brief filed at the invitation of the U.S. Court of Appeals for the Second Circuit in Nigro v. Mercantile Adjustment Bureau, which observed the FCC taking a noticeably less generous view of its then-recent declaratory rulings on whether consumer provision of a cell number is deemed consent to autodial it under the Telephone Consumer Protection Act (TCPA). We noted at that time that, “It would be a shame if, in the FCC’s view, calls in the course of ‘normal, expected and desired business communications’ are permissible only if no one objects after-the-fact.” The Second Circuit has now issued an opinion adopting the view in the FCC’s letter brief, holding that because Nigro did not provide his phone number directly to the creditor in the context of the debt incurred (in respect to which Mercantile called), the TCPA prohibited the calls.

To recap, when Nigro contacted his recently deceased mother-in-law’s electric utility to stop service, he gave them a cell number, which Mercantile later called using an automatic dialing system to collect a remaining balance on the mother-in-law’s account. Nigro sued on grounds the calls violated the ... Continue Reading

Eleventh Circuit Reverses Refusal to Honor FCC’s TCPA Debt Collection Declaratory Ruling, Fosters Uniformity on TCPA’s Autodialing Exception

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The U.S. Court of Appeals for the Eleventh Circuit has brought a bit of legal balance back to automated debt collection calls, and reminded lower courts that when it comes to claims under the Telephone Consumer Protection Act (TCPA), they must honor the validity of FCC rulings.

The Eleventh Circuit’s decision implicates a 2008 declaratory ruling by the FCC regarding automated debt collection calls under the TCPA.  The TCPA and FCC rules implementing it prohibit autodialed and/or prerecorded calls to cell phones, unless there is prior express consent from the call recipient.  The FCC’s Debt Collection Declaratory Ruling from early 2008 held that prior express consent exists where a consumer gives a company his/her cell phone number as part of a transaction, and the company later autodials/prerecorded-calls or texts the consumer in connection with a debt arising from that transaction.

In Mais v. Gulf Coast Collection Bureau, Mais alleged that defendants placed autodialed and/or prerecorded calls to his cellphone without consent, in violation of the TCPA.  The calls followed from Mais’ emergency room treatment, during which his wife completed hospital admission documents and provided her husband’s cellphone number and other information.  Defendants maintained before the U.S. District Court for ... Continue Reading

Google Street View Plaintiffs on the Hunt for “a Needle in a Haystack” to Demonstrate Standing, but District Court Grants Plaintiffs Greater Role in Examination of Google’s Data

Posted in Communications/Media, Data Protection, Marketing and Consumer Privacy

Back in April, Google filed a Petition for Certiorari with the U.S. Supreme Court in the Street View case, seeking review of the Ninth Circuit’s decision holding that unencrypted Wi-Fi signals are protected from interception by the federal Wiretap Act. Over the summer, the U.S. Supreme Court denied Google’s petition, thus allowing the plaintiffs to move forward with their putative class action.

With their foot in the door, plaintiffs now have to demonstrate standing, and are looking to Google’s collection of Street View data to do it. However, plaintiffs want access to Google’s data on their terms as well. Most recently, plaintiffs argued before U.S. District Judge Charles Breyer of the Northern District of California that the recommended jurisdictional discovery plan to control the search for evidence supporting plaintiffs’ standing was inadequate in several respects.

In August federal Magistrate Judge Maria-Elena James recommended that a Special Master be appointed to cull through Google’s Street data to hunt for evidence of plaintiffs’ communications. Judge James also recommended that Google’s Jurisdictional Discovery Proposal be used to help select the special master, develop protocols and rules for depositing information, and all related matters. Plaintiffs accepted the suggestion of a Special Master ... Continue Reading

Ninth Circuit Confirms Consultants and Other Middlemen May Be Vicariously Liable Under the TCPA

Posted in Communications/Media, Deals and Technology, Marketing and Consumer Privacy

The U.S. Court of Appeals for the Ninth Circuit issued a decision in Gomez v. Campbell-Ewald Company holding that the defendant marketing consultant could be liable under the Telephone Consumer Protection Act (TCPA) for unsolicited text messages that it arranged for a separate third-party to send on behalf of a client, the U.S. Navy.  The court’s holding clarifies that companies can be vicariously liable for TCPA violations if a called-party plaintiff establishes an agency relationship under federal common law between the defendant and a third-party caller, even if the content of the call was not on the defendant’s behalf and the defendant did not physically place the call.  The decision extends last year’s Federal Communications Commission (FCC) Dish Network declaratory ruling on violations of the TCPA and FCC rule provisions governing telemarketing and autodialing by third parties that a company authorizes to sell its goods/services, but does not directly ask or otherwise engage to telemarket.

The TCPA and regulations implementing it govern telemarketing and do-not-call issues, as well as automated calls to cell phones and prerecorded calls to residential lines and cells.  Under the TCPA, those who receive calls in violation of the statute or rules enjoy a private cause ... Continue Reading

FTC Seeks Public Comment on AgeCheq, Inc.’s Proposed Parental Consent Method under COPPA

Posted in Marketing and Consumer Privacy

The Federal Trade Commission announced Monday that it seeks public comment on a new verifiable parental consent method application proposed by AgeCheq, Inc., to enable apps, websites and advertisers to obtain parental consent to collect children’s personal information. Per COPPA’s final Rule, interested parties can propose and request FTC approval for additional methods for obtaining verified parental consent not presently permitted by the Rule. AgeCheq’s proposed consent method would allow parents to register themselves and their child’s devices with a third-party common consent administrator, which then would verify the parent’s identity via other methods permitted by the Rule and link that verification to their child’s devices. The FTC will accept public comments on AgeCheq’s proposal until Sept. 30, 2014.... Continue Reading

In Flight Catalog: Senator Rockefeller Opens Inquiry Into Consumer Data Practices by Airlines

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

Last week, Senator Jay Rockefeller (D-W.Va.) sent a letter to the top ten revenue generating passenger airlines in the United States, opening an inquiry into their practices related to charging additional fees for optional services and the collection of consumer data. With respect to consumer data, Sen. Rockefeller’s letter calls for greater transparency from airlines about how they collect, use, and disclose the personal information of consumers, citing concerns by consumer advocates that “airline policies can contain substantial caveats” and that “it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping, and sharing about them.” To assist the Senate Committee on Commerce, Science, & Transportation (“Committee”) in evaluating these concerns, Sen. Rockefeller has asked the airlines to provide the following information:

Do you retain personal information that your company obtains from consumers when they shop for airfares or from other sources? If yes:

a.  State the period of time your company retains such information and what specific data points you retain;

b.  State any specific sources for personal information or other such information your company obtains directly from consumers;

c.  Describe the privacy and security protections your company provides for personal ... Continue Reading

Consumer Privacy Legislation? All Sides Weigh In But Remain Far Apart in the Big Debate Over Big Data

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Recent comments filed by various stakeholders in response to the U.S. Commerce Department’s National Telecommunications and Information Administration’s (NTIA) Request for Public Comment (RFC) on “Big Data and Consumer Privacy in the Internet Economy,” evidence a wide rift between consumer groups and most business interests regarding the need for additional consumer privacy law in the era of Big Data. NTIA issued its RFC back in June, in response to a recommendation in the May 1 White House report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “Big Data Report”), which addressed how big data is transforming the lives of Americans.

In the Big Data Report, the White House recommended (among other things) that:

[t]he Department of Commerce should promptly seek public comment on how the Consumer Privacy Bill of Rights (“CPBR”) could support the innovations of big data while at the same time responding to its risks, and how a responsible use framework . . . could be embraced within the framework established by the [CPRB”]. Following the comment process, the Department of Commerce should work on draft legislative text for consideration by stakeholders and submission by the President to Congress.

The Consumer Privacy Bill of Rights and Big ... Continue Reading

FTC Undertakes Periodic Rule Review of Telemarketing Sales Rule

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The Federal Trade Commission (FTC) has published in the Federal Register a Request for Comments on all aspects of its Telemarketing Sales Rule (TSR) as part of a routine review of the effectiveness, costs and benefits of its rules. Though the Request for Comments targets several TSR issues in particular (discussed below), it views the review as assessing generally whether the Rule is serving a “useful purpose,” and whether it can be improved to reflect changes in the marketplace since it was previously amended in 2003, 2008 and 2010. Comments are due October 14, 2014.

The Request for Comments does not itself propose specific changes to the TSR but rather invites input on several specific topics, as well as on any issues relevant to the TSR that commenters wish to address. Notably, the advent of the National Do-Not-Call Registry culminating in 2003 started as precisely this kind of “routine” review of the TSR. Here, the FTC specifically seeks comment on issues surrounding:

• Whether there is a need to expand the TSR’s recordkeeping requirements;

• The use of pre-acquired account information, i.e., that which a customer has previously provided to a seller or telemarketer to subsequently charge his or her ... Continue Reading

FTC Updates COPPA FAQs Again – Revisions to Part H Gives App Developers and Parents Welcomed Clarification on Parental Consent

Posted in Marketing and Consumer Privacy

Continuing our Blog’s updates on the Federal Trade Commission’s Frequently Asked Questions (FAQs) to the updated Children’s Online Privacy Protection Act (COPPA) Rule, we highlight that the FTC revised three portions of “Part H” this week, which concern how entities seeking to comply with COPPA may obtain verifiable parental consent.

COPPA requires that entities give notice to parents and obtain verifiable parental consent before collecting personal information from children under 13 years of age.  The FTC implements COPPA’s directives via its COPPA Rule, and has been issuing updates to the COPPA Rule FAQs intermittently over the past two years.  In April, the FTC made updates to Part M of the COPPA FAQs to clarify in what circumstances schools can consent to the disclosure of children’s personal information to third-party websites on behalf of their parents, when that information is used for the educational benefit of the students.

With its recent changes to sections of Part H of the FAQs, the FTC seeks to expand how websites and mobile apps can obtain verifiable parental consent.  Importantly, the FAQs tentatively ratify the use of data from parents’ credit and debit cards and third parties such as app stores, while adding ... Continue Reading

FCC Letter Brief to Second Circuit Narrowly Construes Recent TCPA Guidance

Posted in Marketing and Consumer Privacy

We reported last spring on two FCC declaratory rulings, GroupMe and Cargo Airline, that included some broad, business-friendly interpretations of rules implementing the Telephone Consumer Protection Act (TCPA), under which plaintiff class actions are thriving.  The rulings also reinvigorated an FCC statement from when it first adopted TCPA rules in 1992, that a consumer’s provision of a cell phone number in a transaction with a company may be deemed prior express consent to be called at that number.  But in a letter brief filed in Nigro v. Mercantile Adjustment Bureau (at the invitation of the U.S. Court of Appeals for the Second Circuit) the FCC seems to lean back the other way by narrowly construing its recent rulings and 1992 guidance.

 In Nigro, the plaintiff-appellant contacted his then recently deceased mother-in-law’s electric company to request discontinuance of her service, and at that time gave the company his cell number.  Mercantile Adjustment called Nigro’s cell phone using an automatic dialing system in connection with a balance due on the account that the electric company hired it to collect.  Nigro’s suit alleged that the collection efforts violated the TCPA’s ban on autodialed and/or prerecorded calls to cell phones made without ... Continue Reading