Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Policy and Regulatory Positioning

FCC Reaffirms Fax Ads Sent With Recipients’ Prior Permission Require Opt-Out Notice

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning
But Grants Retroactive Waivers to Petitioners Who Sent Permission-Based Faxes Without Opt-Out Notices

The Federal Communications Commission has issued an Order sustaining its rule that even ads faxed with the permission of the recipient must include a notice with instructions for how to opt out of future faxes. The Order responds to a passel of petitions that argued the Telephone Consumer Protection Act’s (TCPA) “junk fax” provision and attendant opt-out requirement apply only to “unsolicited” fax advertisements, and thus do not cover faxes “solicited” by those who consent to receive the faxed ads.

However, while staunchly defending its statutory authority to adopt an opt-out notice rule for permission-based faxes, and that it was a logical outgrowth of its rulemaking notice, the FCC recognized that its order adopting the rule may have been confusing on this point. It accordingly granted retroactive waivers to petitioners with temporary relief from any past obligation to have opt-out notices on permission-based faxes. The waivers give petitioners who received them a six-month window to come into compliance with the opt-out requirement, and the FCC invited similarly situated parties to seek similar waivers, strongly suggesting that such requests must be on file within the next six months. ...

Second Circuit Adopts FCC’s Narrow Construction of “Implied” Express Consent for Autodialed Calls to Cell Phones

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

This updates our report last summer on a Federal Communications Commission (FCC) letter brief filed at the invitation of the U.S. Court of Appeals for the Second Circuit in Nigro v. Mercantile Adjustment Bureau, which observed the FCC taking a noticeably less generous view of its then-recent declaratory rulings on whether consumer provision of a cell number is deemed consent to autodial it under the Telephone Consumer Protection Act (TCPA). We noted at that time that, “It would be a shame if, in the FCC’s view, calls in the course of ‘normal, expected and desired business communications’ are permissible only if no one objects after-the-fact.” The Second Circuit has now issued an opinion adopting the view in the FCC’s letter brief, holding that because Nigro did not provide his phone number directly to the creditor in the context of the debt incurred (in respect to which Mercantile called), the TCPA prohibited the calls.

To recap, when Nigro contacted his recently deceased mother-in-law’s electric utility to stop service, he gave them a cell number, which Mercantile later called using an automatic dialing system to collect a remaining balance on the mother-in-law’s account. Nigro sued on grounds the calls violated the ...

Chip-and-PIN is Coming…To the US Government

Posted in Data Protection, Policy and Regulatory Positioning

Last Friday, in the wake of numerous data breaches, President Obama signed a new Executive Order that will change how federal agencies use payment cards and allow access to certain government portals. Those changes include the adoption of chip-and-PIN (also known as EMV) payment terminals and cards, and the implementation of multi-factor authentication on digital applications where consumers can access personal information.

The Executive Order requires the executive departments and agencies to deploy chip-and-PIN payment processing terminals at government offices “as soon as possible.” Legacy payment processing terminals do not have to be replaced immediately but all new terminals purchased after Jan. 1, 2015 must include the necessary hardware to support the enhanced security features. The Department of Treasury also has until the same deadline to develop a plan on how the agencies can install the associated software components to support these security features.

More importantly, by Jan. 1, 2015, all Direct Express prepaid debit cards used to pay government benefits will include the embedded chip. The Office of Management and Budget is also charged with developing plans to replace the cards issued by other federal agencies with payment cards that include the enhanced security features. In a speech to the ...

Eleventh Circuit Reverses Refusal to Honor FCC’s TCPA Debt Collection Declaratory Ruling, Fosters Uniformity on TCPA’s Autodialing Exception

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The U.S. Court of Appeals for the Eleventh Circuit has brought a bit of legal balance back to automated debt collection calls, and reminded lower courts that when it comes to claims under the Telephone Consumer Protection Act (TCPA), they must honor the validity of FCC rulings.

The Eleventh Circuit’s decision implicates a 2008 declaratory ruling by the FCC regarding automated debt collection calls under the TCPA. The TCPA and FCC rules implementing it prohibit autodialed and/or prerecorded calls to cell phones, unless there is prior express consent from the call recipient. The FCC’s Debt Collection Declaratory Ruling from early 2008 held that prior express consent exists where a consumer gives a company his/her cell phone number as part of a transaction, and the company later autodials/prerecorded-calls or texts the consumer in connection with a debt arising from that transaction.

In Mais v. Gulf Coast Collection Bureau, Mais alleged that defendants placed autodialed and/or prerecorded calls to his cellphone without consent, in violation of the TCPA. The calls followed from Mais’ emergency room treatment, during which his wife completed hospital admission documents and provided her husband’s cellphone number and other information. Defendants maintained before the U.S. District Court for ...

In Flight Catalog: Senator Rockefeller Opens Inquiry Into Consumer Data Practices by Airlines

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

Last week, Senator Jay Rockefeller (D-W.Va.) sent a letter to the top ten revenue generating passenger airlines in the United States, opening an inquiry into their practices related to charging additional fees for optional services and the collection of consumer data. With respect to consumer data, Sen. Rockefeller’s letter calls for greater transparency from airlines about how they collect, use, and disclose the personal information of consumers, citing concerns by consumer advocates that “airline policies can contain substantial caveats” and that “it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping, and sharing about them.” To assist the Senate Committee on Commerce, Science, & Transportation (“Committee”) in evaluating these concerns, Sen. Rockefeller has asked the airlines to provide the following information:

Do you retain personal information that your company obtains from consumers when they shop for airfares or from other sources? If yes:

a.  State the period of time your company retains such information and what specific data points you retain;

b.  State any specific sources for personal information or other such information your company obtains directly from consumers;

c.  Describe the privacy and security protections your company provides for personal ...

Consumer Privacy Legislation? All Sides Weigh In But Remain Far Apart in the Big Debate Over Big Data

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Recent comments filed by various stakeholders in response to the U.S. Commerce Department’s National Telecommunications and Information Administration’s (NTIA) Request for Public Comment (RFC) on “Big Data and Consumer Privacy in the Internet Economy,” evidence a wide rift between consumer groups and most business interests regarding the need for additional consumer privacy law in the era of Big Data. NTIA issued its RFC back in June, in response to a recommendation in the May 1 White House report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “Big Data Report”), which addressed how big data is transforming the lives of Americans.

In the Big Data Report, the White House recommended (among other things) that:

[t]he Department of Commerce should promptly seek public comment on how the Consumer Privacy Bill of Rights (“CPBR”) could support the innovations of big data while at the same time responding to its risks, and how a responsible use framework . . . could be embraced within the framework established by the [CPBR]. Following the comment process, the Department of Commerce should work on draft legislative text for consideration by stakeholders and submission by the President to Congress.

The Consumer Privacy Bill of Rights and Big ...

FTC Undertakes Periodic Rule Review of Telemarketing Sales Rule

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The Federal Trade Commission (FTC) has published in the Federal Register a Request for Comments on all aspects of its Telemarketing Sales Rule (TSR) as part of a routine review of the effectiveness, costs and benefits of its rules. Though the Request for Comments targets several TSR issues in particular (discussed below), it views the review as assessing generally whether the Rule is serving a “useful purpose,” and whether it can be improved to reflect changes in the marketplace since it was previously amended in 2003, 2008 and 2010. Comments are due October 14, 2014.

The Request for Comments does not itself propose specific changes to the TSR but rather invites input on several specific topics, as well as on any issues relevant to the TSR that commenters wish to address. Notably, the advent of the National Do-Not-Call Registry culminating in 2003 started as precisely this kind of “routine” review of the TSR. Here, the FTC specifically seeks comment on issues surrounding:

• Whether there is a need to expand the TSR’s recordkeeping requirements;

• The use of pre-acquired account information, i.e., that which a customer has previously provided to a seller or telemarketer to subsequently charge his or her ...

Pass or Fail? Sens. Markey and Hatch Introduce “Protecting Student Privacy Act” Seeking to Amend FERPA, Increase Protection of Student PII Shared with Private Companies

Posted in Data Protection, Policy and Regulatory Positioning

On July 30, 2014, Sen. Edward J. Markey, D-Mass., made good on his earlier promise to beef up the Family Educational Rights and Privacy Act of 1974 (FERPA) to provide heightened protections for student educational records shared with private companies.

Together with Sen. Orrin Hatch, R-Utah, Markey introduced the “Protecting Student Privacy Act” (S.2690), which would amend FERPA and require schools and school districts to implement various data security protections to safeguard the personally identifiable information (PII) contained in students’ education records, and ties receipt of federal education funding to compliance with the Act’s heightened security standards.

Among the bill’s provisions, the Protecting Student Privacy Act:

  • Requires schools and school districts to protect students’ personally identifiable information (PII) contained in education records maintained by the institution;
  • Prohibits schools and school districts from using, releasing, or providing access to student PII in education records for advertising or marketing services or products;
  • Provides parents with a right to access their children’s PII and challenge, correct, or delete any inaccurate data in the education records held by private companies;
  • Mandates that outside parties such as private companies with whom students’ PII is shared have comprehensive information security policies and procedures in place to ...

“Getting to Know You, Getting to Know All About You…” FTC Data Brokers Report Calls for More Industry Transparency, Regulation in How Data Brokers Use Consumers’ Personal Information

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

“You may not know them, but data brokers know you,” Federal Trade Commission (FTC) Chairwoman Edith Ramirez said when she announced the release of the Commission’s newest report on the data broker industry. And in the FTC’s opinion, Congress and the data brokerage industry need to take concerted action to bring transparency to the industry, protect consumers’ personally identifiable information (PII), and prevent abuse and discrimination. But will the FTC’s recommendations have any real effect? In light of recent statements about “actual” vs. “potential” harm and the expanding scope of the Agency’s Section 5 enforcement authority, the answer is a definite “maybe.”

Summary
On May 27, 2014, the FTC released “Data Brokers: A Call for Transparency and Accountability,” a report that marks the conclusion of the FTC’s two-year study into data broker industry practices. Coming on the heels of the White House’s own Big Data Report, the FTC’s Data Brokers Report highlights that “[i]n today’s economy, Big Data is big business” with numerous positive effects for both companies and consumers. And data brokers specifically play an important role in driving our economy through increased targeted marketing, identity verification and fraud detection.

But the Data Brokers Report also rang ...

FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA–But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

Posted in Communications/Media, Marketing and Consumer Privacy, Policy and Regulatory Positioning

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify TCPA rules for prior express consent to autodial, prerecorded-call and text cell phones. We noted that in one ruling, the FCC in some respects revived a position staked out in 1992, in originally implementing the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief they have prior express consent to do so. Now another case extends the Osorio analysis to potentially up the ante again. ...

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming…

Has Congress really given the FTC Authority?
As we all know by now, the court rejected Wyndham’s arguments that the FTC’s Section 5 authority does not permit the Commission to create data-security standards for the private sector and enforce them under the “unfairness” prong of Section 5. However, Judge Salas’ opinion lacks both an appreciation of the history of the FTC’s unfairness authority and any real analysis of whether this was an issue of ...

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

Not the Final Word
As noted in our April 9, 2014 post, it is important to keep in mind what this decision is not. It was not reached by a federal appeals court panel, but by a single federal district court judge, and it only denied a motion to dismiss the FTC’s complaint. The scope of the FTC’s authority under Section 5 may well be challenged in other district courts, and it is at least possible that Wyndham might ask the district court here to certify an interlocutory appeal to the Third Circuit on the scope of the FTC’s power (and in any event, the holding ...

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

With the April 7, 2014 decision of Judge Esther Salas of the District Court of New Jersey in FTC v. Wyndham Worldwide Corp., that elephant has left its hiding place, and has exploded the mousehole in the process. Most notably, Judge Salas held that the FTC’s authority under the “unfairness” prong of Section 5 of the statute, includes the power to prosecute stand-alone cases where a company is alleged generally to have “fail[ed] to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”

In reaching its decision, the Court provided little additional guidance for companies as to what “reasonable” data security means, and—by rejecting defendant’s “fair notice” argument—would not require the FTC to promulgate rules and regulations in advance of enforcement actions, preferring ...

Updated Location Privacy Protection Act Introduced

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning, Surveillance

On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.

Under the proposed legislation, companies collecting geolocation data from more than 1,000 devices in ...

Google “Street View” case may be headed for SCOTUS Review

Posted in Communications/Media, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014. ...

Caution: Your Company’s Biggest Privacy Threat is…the FTC

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.

California Bill Would Create Cyber Security Commission

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

In recognition of the increasing threat that cyber-attacks pose to the state’s infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a “Cyber Security Commission.”

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor’s Office and Legislature on the status and progress of cyber security efforts.

The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice. Among other things, AB 2200 requires the Cyber Security ...

California AG Weighs in on Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain English version of cybersecurity protections directed toward small and medium size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium size businesses and overlap to a large extent NIST’s perspective on threats and cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to ...

Latest FTC Enforcement Action Reflects Agency’s Intent to Focus on Emerging Market Involving the “Internet of Things”

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By K.C. Halm

In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.

The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.

But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates. ...

Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

Posted in Financial Services, Global, Policy and Regulatory Positioning

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here. ...

NIST Issues Draft RFI for Cybersecurity Framework

Posted in Policy and Regulatory Positioning

By Robert G. Scott, Jr.

Following up on the President’s February 12, 2013 Executive Order on Cybersecurity and the related Presidential Policy Directive, discussed in our last blog entry, the National Institute of Standards and Technology (NIST) has issued a draft Request For Information (RFI) to kick off the public input process as mandated by the Executive Order. The RFI seeks information on current cybersecurity risk management practices of private organizations–including standards, guidelines, and best practices–in the various sectors, including communications, information technology, health, financial services, energy, water, and others that implicate critical infrastructure. ...

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

By Robert G. Scott, Jr.

On February 12, 2012, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure. The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats. ...

Internet Privacy Class Actions

Posted in Cyber and National Security, Global, Litigation, Policy and Regulatory Positioning

In today’s cyberworld, operating in online and social media can put companies in a special class. Unfortunately, that class could mean a class action lawsuit. Websites and social media provide search engines, website operators, and advertisers powerful ways to obtain and monetize data about users. Jimmy Nguyen explores how this power has triggered public and governmental concern about consumers’ online privacy, even leading to a Wall Street Journal investigative report in August 2010 and a wave of class action lawsuits. To read more, click here. ...

An Advertising Perspective on the Kerry-McCain and Stearns-Matheson Privacy Bills

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Paul Glist

Last week, Sens. John Kerry and John McCain and Reps. Cliff Stearns and Jim Matheson offered new privacy bills. The Kerry-McCain Senate bill and the Stearns-Matheson House bill each seeks to apply a common set of fair information practices on virtually all businesses, online and offline, that collect information about consumers or consumer behavior. For the moment, both bills are directed to commercial and non-profit organizations (such as many online businesses) that are currently not under privacy regulation. ...