January 25, 2012

Warrantless GPS Tracking is Unconstitutional Government Trespass

In a 9-0 opinion released on Monday, the Supreme Court found that the installation of a Global-Positioning-System (GPS) device on a suspected drug dealer's car without a current search warrant violated the Fourth Amendment's prohibition on unreasonable searches. All nine justices agreed on the fundamental Fourth Amendment proposition but differed in their reasoning, leaving uncertain the scope of digital privacy.

The high court heard the case after the D.C. Circuit overturned the conviction of Antoine Jones, a nightclub owner convicted for conspiracy to distribute cocaine. His conviction was primarily based on the 2000 pages of data transmitted from the GPS device agents had secretly planted on Jones's car for 28 days.

The majority opinion, written by Justice Scalia and joined by Chief Justice Roberts and Justices Kennedy, Thomas, and Sotomayor, emphasized the fact that the Government had physically occupied private property for the purpose of obtaining information. Applying traditional notions of trespass to the Fourth Amendment analysis, the high court stated, "[w]e have no doubt that such a physical intrusion would have been considered a 'search' within the meaning of the Fourth Amendment when it was adopted." While the majority made clear that the trespass test was not the exclusive test, it declined to address to what degree the reasonable expectation of privacy test applies in digital privacy cases not involving a trespass.

A concurrence authored by Justice Alito and joined by Justices Ginsburg, Breyer, and Kagan criticized the majority’s reliance on the trespass-based rule, or what Justice Alito described as “18th century tort law.” Justice Alito would have analyzed the question presented by asking whether Jones’s reasonable expectations of privacy were violated by long-term GPS monitoring. He noted the panoply of new devices using GPS technology, such as smart phones and other location-based services offered as social tools. In an environment of dramatic technological change, Justice Alito acknowledged that the best solution to privacy concerns may be legislative. In the absence of such guidance, Justice Alito’s concurrence suggests the exclusive application of the reasonable expectation test to all digital privacy cases.

An additional concurring opinion by Justice Sotomayor feared the majority decision would provide little guidance in cases of electronic or other novel modes of surveillance that do not depend on a physical invasion of property. Her concern touched less on the mode of surveillance than on the content of sensitive data collected. Accordingly, Sotomayor suggested a paradigm shift in the way that privacy issues are considered. In her view, the premise that the individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties is ill-suited to the digital age and should be reformed.

At a minimum, this case demonstrates the Supreme Court’s recognition of the need to preserve privacy in an increasingly digital age. Given the majority's limited holding, however, many questions about digital privacy remain unanswered.

January 13, 2012

Massachusetts Court Holds that Zip Codes are PII

On January 6, 2012, the U.S. District Court for the District of Massachusetts, in Tyler v. Michaels Stores, Inc., held that zip code information is personally identifiable information (“PII”) under a state consumer protection statute. In Tyler, the plaintiff provided her zip code to a cashier at a Michaels arts and crafts store while making a purchase with her credit card. According to the plaintiff, Michaels then combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials. The plaintiff argued that the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”
 
In its order, the Court dismissed the case because the plaintiff was unable to show a cognizable injury. Nevertheless, the Court held that zip codes are PII, reasoning that this reading is consistent with the language of a Massachusetts criminal identity theft statute that defines PII as any “number” used “alone or in conjunction with any other information” to assume the identity of an individual. Moreover, despite Michaels’ argument that the state statute applies only to credit card information recorded on paper, the Court stated that the statute applies to all credit card transactions, whether processed manually, electronically, or by other methods.
 
Businesses that collect customer information at the sales register should continue to closely follow this issue as this case, as well as the recent California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc., may foretell lawsuits in other states with consumer protection statutes that are similar to those in Massachusetts and California.

January 10, 2012

FTC Scrutiny of Web Browser Toolbar Signals Continued Online Privacy Enforcement in 2012

A recent FTC settlement underscores that, in 2012, the FTC will continue to hold companies accountable for providing full disclosures about the extent to which their online services collect and transmit personal information. On January 5, 2012, the FTC announced a settlement with Upromise, Inc., a membership service that helps consumers save money for college, over charges that the company misled users about the extent to which it collected and shared their personal information through a “Personalized Offers” feature on a web browser toolbar, and then failed to properly secure the user information that it collected.
 
Upromise provides a service that allows users to contribute to a college savings account by collecting rebates that are acquired when users purchase goods and services from Upromise partner merchants. Upromise provided users with a web browser toolbar that highlighted Upromise’s partner merchants appearing in a user’s search results, thereby enabling users to more easily identify merchants that provide the college-savings rebates.
 
According to the FTC, when users enabled the “Personalized Offers” feature, the toolbar collected and transmitted the names of the websites visited by users, as well as information that users entered into those websites, including search terms, user names and passwords, and financial information. The Commission also alleged that users who downloaded the toolbar were told by Upromise that any personal information collected would be removed before it was transmitted, and that Upromise had security features in place to protect the personal information. The FTC claimed that Upromise’s alleged actions were unfair and deceptive and violated the FTC Act.
 
The FTC settlement bars Upromise from using its web browser toolbar to collect users’ personal information without clearly and conspicuously disclosing the extent of its data collection practices before users download the toolbar. Upromise also must destroy any personal information previously collected through the “Personalized Offers” feature, obtain consumers’ consent before installing or re-enabling its toolbar products, and notify users how to uninstall the toolbars currently residing on their computers. The settlement further bars Upromise from making material misrepresentations about the extent to which it protects the privacy and security of consumers’ personal information, and requires the company to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years.
 

December 28, 2011

FTC Warns ICANN About Domain Name Expansion

The FTC recently sent a detailed 15-page letter to the Internet Corporation for Assigned Names and Numbers (ICANN) expressing concern that the organization's plan to expand the domain name system could leave consumers open to online fraud and undermine law enforcers' ability to track online scammers.  The House Energy and Commerce Committee has also expressed concern about ICANN's expansion plan.

ICANN has overseen the allocation of Internet domain names since 1998.  The organization intends to expand the set of generic top-level domain names (gTLDs), such as ".com", ".net", and ".org", to include many new domain names, such as the name of a company or a business category (e.g., ".restaurant").  According to the FTC letter, gTLD expansion could create a "dramatically increased opportunity for consumer fraud." In particular, the letter outlines a concern that "the proliferation of existing scams, such as phishing, is likely to become a serious challenge given the infinite opportunities that scam artists will now have at their fingertips.  Fraudsters will be able to register misspellings of businesses, including financial institutions, in each of the new gTLDs, create copycat websites, and obtain sensitive consumer data with relative ease before shutting down the site and launching a new one."  The FTC letter urges ICANN to take additional steps before rolling out new domain names, and suggests that a pilot program be implemented by ICANN before proceeding with a full expansion.
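The fraud pattern the FTC describes, misspellings of a brand registered across many gTLDs, is one a security team can watch for mechanically. The script below is an added example written for this post, not code from the FTC, ICANN, or any registrar: it generates common single-edit misspellings of a brand (omitted, doubled, swapped, fat-fingered and look-alike-digit characters), crosses them with a list of TLDs to build a watch list, and classifies an observed hostname against it. The brand name "examplebank", the owned domains, the TLD list, the keyboard-neighbor table and the sample hostnames are all constructed inputs; the parser also assumes a single-label TLD (it does not handle suffixes such as ".co.uk").

```python
import itertools

# Constructed inputs for this example (assumptions, not taken from the FTC letter).
BRAND = "examplebank"
OWNED_DOMAINS = {"examplebank.com", "examplebank.net"}
WATCHED_TLDS = ["com", "net", "org", "bank", "restaurant", "shop"]

# Adjacent keys on a US QWERTY layout (assumption; only lower-case letters).
KEYBOARD_NEIGHBORS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Digits that read like letters in many fonts (assumption).
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "s": "5"}


def typo_variants(name):
    """Return the set of single-edit misspellings of `name` a phisher might register."""
    name = name.lower()
    out = set()
    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        out.add(head + tail)                       # character omitted
        out.add(head + ch + ch + tail)             # character doubled
        if tail:                                   # swapped with the next character
            out.add(head + tail[0] + ch + tail[1:])
        for k in KEYBOARD_NEIGHBORS.get(ch, ""):   # fat-finger substitution
            out.add(head + k + tail)
        if ch in HOMOGLYPHS:                       # look-alike digit substitution
            out.add(head + HOMOGLYPHS[ch] + tail)
    out.discard(name)                              # the brand itself is not a typo
    return out


def build_watchlist(brand, tlds):
    """Cross the misspellings (plus the exact brand) with every TLD of interest."""
    labels = typo_variants(brand) | {brand.lower()}
    return {f"{label}.{tld}" for label, tld in itertools.product(labels, tlds)}


WATCHLIST = build_watchlist(BRAND, WATCHED_TLDS)


def split_registrable(hostname):
    """Return (second-level label, tld) for a hostname; assumes a single-label TLD."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2 or not all(parts):
        return None, None
    return parts[-2], parts[-1]


def classify(hostname, brand=BRAND, owned=OWNED_DOMAINS, watchlist=WATCHLIST):
    """Classify a hostname as legitimate, lookalike, unrelated or invalid."""
    label, tld = split_registrable(hostname)
    if label is None:
        return "invalid"
    domain = f"{label}.{tld}"
    if domain in owned:
        return "legitimate"
    if domain in watchlist:
        return "lookalike"
    if label == brand.lower():      # exact brand under a TLD we are not even watching
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in proxy or DNS logs.
    for host in ["www.examplebank.com", "login.examplebank.restaurant",
                 "exampelbank.com", "examp1ebank.bank", "otherbank.com"]:
        print(f"{host:32} {classify(host)}")
```

Subdomains are ignored on purpose: "login.examplebank.restaurant" is judged on the registrable domain, which is where the registration the FTC worries about actually happens. A production watch list would also fold in registrar zone-file feeds and certificate-transparency logs, but the classification step stays the same.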

The FTC received support from the 400-member Association of National Advertisers, which hoped that the letter would help "convince ICANN that it must stop [the] initiative and build true consensus with the many constituencies that depend upon a responsibly managed Internet domain naming process."

The House Energy and Commerce Committee has also expressed opposition to ICANN's expansion plan.  The House Subcommittee on Communications and Technology held a recent hearing to examine the issue, and the full Committee followed up with a bipartisan letter describing domain name expansion as a "worthy goal", while expressing concern "that there is significant uncertainty in this process for business, non-profit organizations, and consumers."  The letter urges ICANN to delay its plan, which is set to go live on January 12, 2012.

December 20, 2011

Most Claims Dismissed Against Heartland Payment Systems in Data Breach Litigation

Recently, a federal district court judge dismissed the majority of claims brought by financial institutions against Heartland Payment Systems ("HPS") as a result of its 2009 data breach.  The plaintiffs alleged that hackers obtained payment card numbers and expiration dates for approximately 130 million accounts as a result of the breach.  The plaintiffs were financial institutions that did not participate in the Visa or MasterCard settlements. 

U.S. District Judge Lee Rosenthal dismissed all claims except for the plaintiffs' claim under the Florida Deceptive and Unfair Trade Practices Act.  HPS argued that the Act only applied to consumers, but Judge Rosenthal disagreed, noting that the Act was amended in 2001 to state “person” instead of “consumer."


December 5, 2011

EU Data Protection Reforms Outlined

The EU Commissioner responsible for data protection recently outlined the emerging contours of EU data protection reform legislation expected to be issued early next year.  In a November 28 speech to the American Chamber of Commerce, Viviane Reding, Vice President of the European Commission and EU Justice Commissioner, spoke of her determination to deliver "a strong, consistent and future-proof framework for data protection, with consistent rules across all Member States and across all Union policies."

Commissioner Reding began her speech by outlining the challenges currently facing businesses operating under the EU's 1995 data protection legislation.  First, EU data protection laws are fragmented between 27 EU member states, leading to varying legal interpretations and enforcement regimes.  Reding estimated that this fragmentation costs businesses €2.3 billion a year.  Second, fragmentation is inconsistent with the EU's goal to unify its 27 member states in a single market by "making it difficult to sell or shop cross-border." Third, according to EU survey data, existing data protection rules do not have the confidence of consumers, thus inhibiting the adoption of new technologies such as cloud computing.

According to Commissioner Reding, the need for data protection has grown exponentially since 1995 "when the full potential of the Internet had not yet been realized.  In 1993 the Internet carried only 1% of all telecommunicated information.  By 2007, the figure was more than 97%."

Commissioner Reding went on to detail some specific regulatory reforms impacting businesses including: increased coordination between member state data protection authorities (DPAs); eliminating the requirement to notify data processing to DPAs; a single point of contact for companies dealing with multiple EU DPAs; and mutual recognition by DPAs of binding corporate rules approved by another DPA.  The Commissioner also outlined the individual data protection safeguards in the reform proposal, such as timely notification of data protection breaches to consumers.

Reding included in her remarks her position on the role of industry self-regulation.  According to the Commissioner, self-regulation "has an important, complementary role to play in this reform.  But let me be clear: self-regulation is not a fig-leaf for non-compliance; self-regulation only works if there is strong, legally binding regulation in the first place."

 

Failure to Plead Loss Causation in Class Action Suit Against Amazon Leads to Dismissal

Judge Robert S. Lasnik of the U.S. District Court for the Western District of Washington last week granted Amazon’s motion to dismiss in the class action suit Del Vecchio et al v. Amazon.com, Inc. Plaintiffs may now file an amended complaint within 30 days.

Plaintiffs alleged that Amazon, the online retailer, placed browser cookies on their computers against their wishes by “exploiting” a shortcoming in the cookie filtering function of Microsoft’s Internet Explorer browser, and that Defendant intentionally published a “gibberish” website policy to deceive Plaintiffs’ browsers into accepting Defendant’s cookies despite their filter settings.

Plaintiffs also alleged that Amazon retooled Flash cookies so that they would behave as traditional browser cookies in order to be accepted by Plaintiffs’ browsers, and that the online retailer used the personal information thus gathered and shared it with third parties, despite the terms of its Privacy Notice.

Plaintiffs claimed to have been injured by Amazon’s misappropriation of their personal information, in which they have economic and property interests, and by damage to and consumption of their computer assets, leading to economic harms including “devaluation of personal information, [and] loss of the economic value of the information as an asset” and diminution of the performance and value of their computer resources.

However, Judge Lasnik granted Amazon’s motion to dismiss because Plaintiffs failed to plead plausible losses.

Diminished Performance of Plaintiffs’ Computers

Plaintiffs alleged that, by transferring cookies to their computers, Amazon diminished the computers’ performance and caused an interruption in service, but Judge Lasnik considered these merely “naked assertions.”

Monetary Value of Personal Information

The Computer Fraud and Abuse Act (“CFAA”) punishes unauthorized access to a protected computer. Its fraud provision does not reach cases where “the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period,” and its civil remedy requires a qualifying harm, such as a loss of at least $5,000 in a one-year period. Therefore, whether Plaintiffs’ loss met the $5,000 threshold was one of the questions presented to the court.

According to Judge Lasnik’s order, the facts of the case do not allow the Court “to reasonably infer that those losses plausibly occurred in this case, let alone that they totaled $5,000.” Plaintiffs argued, for example, that by acquiring their personal information Amazon deprived them “of the opportunity to exchange their valuable information,” but such deprivation is “entirely speculative” according to Judge Lasnik.  However, Judge Lasnik did not entirely reject the idea that personal data may have value, adding: “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”

The issue of proving the value of personal data is quite interesting.  How could one measure the value of one’s personal information? Is the personal information of a gold or platinum card member more valuable than that of a basic member?  Should sites like Klout, which uses algorithms to grade one’s reputation across several social media sites, be introduced as evidence? It will be interesting to read Plaintiffs’ amended complaint in the coming weeks.

December 1, 2011

Comparing CAN-SPAM to Canada's new Anti-Spam Law

Those who operate or have customers in the U.S. market are already familiar with the requirements of the 2003 CAN-SPAM Act. If your operations or customers extend into Canada, however, there are new Canadian anti-spam rules you need to know. Why? Because these new rules will affect how you engage in online communications in Canada, starting in early 2012.

The SlideShare presentation linked below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL applies not only to e-mail, but also to IM, text messages and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. This means that a message sent from outside Canada can still be covered.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

• More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

• More steps will be needed under CASL to be permitted to communicate online.

• Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability:

www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law

October 14, 2011

California Amends Song-Beverly Act

California recently amended its Song-Beverly Act (“Act”) to include a specific exception to its prohibition on collecting personal information during a credit card transaction. This exception allows collection of personal information (such as a zip code) by businesses in certain pay-at-the-pump scenarios.   The law was filed with the Secretary of State on October 9, 2011, and went into effect immediately. The amendment was enacted as a result of the California Supreme Court’s decision in Pineda v. Williams-Sonoma in February of this year. Our coverage of this decision can be found here.

Litigation continues in California in the aftermath of the Pineda decision. In August, the Superior Court of California, County of San Francisco, held in Gonor v. Craigslist that the Act’s prohibition on collecting and recording personal information does not apply to online transactions, concurring with an earlier federal court decision from 2009 (see Saulic v. Symantec Corp.).

Litigation has also been filed in other states that have laws similar to the Act. In Massachusetts, suit was filed against Michaels Stores in May. The plaintiff alleged that she made a purchase at a Michaels store with her credit card and provided her zip code during the sales transaction. She asserted that Michaels then combined her zip code with other information to obtain her home address and sent her marketing materials. The plaintiff argues that this practice violates Mass. Gen. Laws ch. 93 § 105.

Similarly, in New Jersey, suits have been filed in state and federal court regarding the collection of zip codes at the point of sale. Plaintiffs argue that this practice violates N.J.S.A. 56:11-17. In September, a state court judge allowed a suit to move forward against Harmon Stores.  However, a federal judge came to the opposite conclusion about a week later and dismissed a class action based on this law.   For businesses that collect zip codes or other personal information during credit card transactions, this issue will continue to be one to watch.

October 5, 2011

9th Circuit Rules ECPA Applies to Foreign Citizens

On Monday, the Ninth Circuit announced its decision in Suzlon Energy Ltd. v. Microsoft Corp., -- F.3d -- (9th Cir. 2011), holding that the plain language of the Electronic Communications Privacy Act ("ECPA") applies to any person, including foreigners.

In Suzlon Energy, the plaintiff sought production of emails stored by Microsoft in the United States for use against an Indian citizen in a civil action in Australia. Initially the district court granted Suzlon Energy's request, and in response Microsoft filed an objection. The district court ultimately agreed with Microsoft and held that ECPA prohibited Microsoft's disclosure of the emails.

The Ninth Circuit affirmed the district court's decision, stating "[t]he Court finds that the plain language of the ECPA extends its protections to non-citizens. The Court is therefore obligated to enforce the statute as written."  The Ninth Circuit also examined the legislative history of ECPA, and found it did not "clearly refute" the plain language of the statute.  The Court cautioned however that ECPA's protections only applied to information stored in the United States.

A full copy of the decision is located here.  It will be interesting to see what impact, if any, this decision has on the growing movement to modernize ECPA.

September 29, 2011

Borders’s Sale of Personal Information Approved by Bankruptcy Court

The Wall Street Journal reported this week that Judge Martin Glenn of the U.S. Bankruptcy Court in Manhattan approved on September 26th the $13.9 million sale of Borders’ intellectual property to Barnes & Noble. The intellectual property assets include personal information (PI) that Borders collected from 48 million customers. This PI includes customers’ email addresses, as well as records of the books and videos they have purchased.

The privacy rights of Borders’ customers were debated during the process. At a September 22 hearing, Judge Glenn had hesitated to approve the sale over concerns about customer privacy. The two sides, working with the Consumer Privacy Ombudsman (CPO) appointed by the court overseeing the Borders bankruptcy, agreed to email Borders’ customers within a day of the sale's closing to ask whether they wish to opt out of Barnes & Noble’s email list. Records about specific titles bought in the past at Borders won't be included in the sale.

The CPO had contacted the Federal Trade Commission (FTC) requesting a written description of its concerns regarding the possible sale, during the bankruptcy proceedings, of the PI collected by Borders.

Bureau of Consumer Protection Director David Vladeck answered in a letter to the CPO on September 14, which was submitted to the court.

Borders and Its Privacy Policies

The sale of PI during bankruptcy is governed by section 363(b) of the Bankruptcy Code, 11 U.S.C. § 363(b), which provides that:

(b) (1) The trustee, after notice and a hearing, may use, sell, or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless —

(A) such sale or such lease is consistent with such policy; or

(B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease —

(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and

(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

Borders’ 2006 and 2007 privacy policies had promised customers that the retailer would only disclose a customer’s email address or other PI to third parties if the customer “expressly consents to such disclosure.” The 2008 privacy policy, however, stated that:

“Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders’ practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.”

However, Mr. Vladeck wrote that the FTC “views this provision as applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy” and that “[e]ven if the provision were to apply in the event of a sale or divestiture of assets through bankruptcy, Borders represented that it would “seek appropriate protection” for such information.”

Privacy Policies and Unfair Practice

Mr. Vladeck wrote that the FTC was concerned that any sale or transfer of the PI of Borders’ customers “would contravene Borders’ express promise not to disclose such information and could constitute a deceptive or unfair practice.”

Mr. Vladeck’s letter noted that the FTC has brought cases in the past alleging that the failure to adhere to a privacy policy is a deceptive practice under the FTC Act. In one of these cases, FTC v. Toysmart, an online retailer had filed for bankruptcy and then tried to sell its customers’ PI. The FTC alleged that the sharing of PI in connection with an offer for sale violated section 5 of the FTC Act, as the retailer had represented in its privacy policy that such information would never be shared with third parties.

Mr. Vladeck wrote that the “Toysmart settlement is an appropriate model to apply” in the Borders case. The FTC entered into a settlement with Toysmart allowing the transfer of customer information under certain limited circumstances:

1) the buyer had to agree not to sell customer information as a standalone asset, but instead to sell it as part of a larger group of assets, including trademarks and online content;

2) the buyer had to be an entity that concentrated its business in the family commerce market, involving the areas of education, toys, learning, home and/or instruction;

3) the buyer had to agree to treat the personal information in accordance with the terms of Toysmart’s privacy policy; and

4) the buyer had to agree to seek affirmative consent before making any changes to the policy that affected information gathered under the Toysmart policy.

Mr. Vladeck concluded his letter by offering these guidelines:

- Borders agrees not to sell the customer information as a standalone asset;

- The buyer is engaged in substantially the same lines of business as Borders;

- The buyer expressly agrees to be bound by and adhere to the terms of Borders’ privacy policy; and

- The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders’ policy.

It seems that Mr. Vladeck’s letter had a significant impact on the ruling.  Curiously, only a small percentage of customers understand the value their PI may have for a company, even though PI may be sold as an asset.

September 27, 2011

Federal Trade Commission is Seeking the Public’s Comments on COPPA Rule

The Federal Trade Commission (FTC) is seeking comments from the general public on proposed amendments to the Children’s Online Privacy Protection Rule (COPPA Rule or the Rule).

The Children’s Online Privacy Protection Act (COPPA) was passed in 1998. It required the FTC to issue regulations regarding the collection of children’s personal information by operators of websites or online services directed to children under 13, and to enforce these regulations. The COPPA Rule was issued in November 1999, and became effective on April 21, 2000.

The COPPA Rule required the FTC, no later than April 21, 2005, to review the Rule and report the results of that review to Congress. The FTC sought public comments on the Rule in 2005, and also sought additional comments on the COPPA Rule’s sliding scale approach to obtaining parental consent, which takes into account how the collected children’s information will be used. The FTC announced in April 2006 its decision to retain the COPPA Rule without changes.

In March 2010, the FTC asked the public to comment on whether changes to technology warrant changes to the COPPA Rule. The FTC also held a public roundtable during the comment period to discuss COPPA’s definitions of “Internet,” “website,” and “online service” as they apply to new devices and technologies.

After reviewing these public comments, the FTC is now proposing to amend the COPPA Rule. It proposes to modify some of the Rule’s definitions, and to update the requirements for parental consent, confidentiality and security, and safe harbor provisions. The FTC also proposes to add a new provision addressing data retention and deletion.

Parental Consent (16 CFR 312.5):

(p. 59 and following)

The FTC proposes to eliminate the “email plus” method for parental consent. This method allows operators to obtain verifiable parental consent through an email from the parent, but the email must be coupled with an additional step, such as obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone.

The FTC found that electronic scans and video conferencing technologies are functionally equivalent to the written and oral methods of parental consent originally recognized by the FTC in 1999. Therefore, the FTC proposes to recognize these two methods as ways to obtain verifiable parental consent.  The FTC also proposes to allow operators to collect a form of government-issued identification (e.g., a driver’s license number or a truncated social security number) from the parent as a way to verify the parent’s identity, provided that the identification is deleted “promptly” once verification is complete (p. 63).

Confidentiality, Security, and Integrity of Personal Information Collected From Children (16 CFR 312.8):

(p. 76 and following)

The Commission proposes to amend § 312.8 to strengthen the provision for maintaining the confidentiality, security, and integrity of personal information. The FTC thus proposes adding a requirement that “operators take reasonable measures to ensure that any service provider or third party to whom they release children’s personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information.” COPPA already requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, but does not spell out the data security obligations of third parties.

The Commission proposes that amended § 312.8 read:

“The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. The operator must take reasonable measures to ensure that any service provider or any third party to whom it releases children’s personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information.”

Safe Harbors (current 16 CFR 312.10, proposed 16 CFR 312.11):

(p. 80 and following)

COPPA established a “safe harbor” for participants in FTC-approved COPPA self-regulatory programs: compliance with such a program serves as a “safe harbor” against an FTC enforcement action. Examples of such programs include the Children’s Advertising Review Unit of the Council of Better Business Bureaus and TRUSTe.

The FTC proposes to amend paragraph (b)(2) of the safe harbor provisions of the Rule to read:

“An effective, mandatory mechanism for the independent assessment of subject operators’ compliance with the self regulatory program guidelines. At a minimum, this mechanism must include a comprehensive review by the safe harbor program, to be conducted not less than annually, of each subject operator’s information policies, practices, and representations. The assessment mechanism required under this paragraph can be provided by an independent enforcement program, such as a seal program.”

Data Retention and Deletion Requirements (proposed 16 CFR 312.10):

(p. 78 and following)

The FTC proposes to add new data retention and deletion provisions. Operators would be permitted to retain children’s personal information only for as long as is reasonably necessary to fulfill the purpose for which the information was collected. Operators would also have to delete the information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

The new data retention and deletion provision (§ 312.10) would read:

“An operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”

Written comments must be received on or before November 28, 2011.

August 28, 2011

Article 29 Working Party Publishes Letter Criticizing the Proposed Online Behavioral Advertising Self-Regulatory Framework.

Earlier this week, the Article 29 Working Party published a letter it sent to the Interactive Advertising Bureau Europe (IAB Europe) and the European Advertising Standards Alliance (EASA) regarding their proposed self-regulatory framework for online behavioral advertising (OBA) to satisfy the EU’s ePrivacy Directive.   The letter referred to a meeting between the Working Party and the OBA industry scheduled for sometime in September and was sent in advance of the meeting to inform the OBA industry of the Working Party’s main concerns with the proposed framework.


August 24, 2011

Class action filed against comScore over alleged privacy violations.

A putative class action was filed yesterday (8/23/11) against comScore, Inc., an internet research and analytics company. The plaintiffs allege that comScore violated federal law and the Illinois mini-FTC Act by collecting personal information from consumers’ computers without the consumers’ knowledge or consent. The complaint was filed in the federal district court for the Northern District of Illinois, Dunstan et al. v. comScore, Inc. (No. 1:11-cv-05807).

The complaint alleges that comScore induced consumers to download its surveillance software by bundling it with free third-party software products such as screensavers, games, and CD burning software, but failed to clearly disclose the extent to which the surveillance software would monitor a consumer’s internet activity or that the software would be able to change the consumer’s privacy and security settings. The complaint also alleges that comScore intentionally made the surveillance software difficult to disable or uninstall, because it was not removed when the freeware with which it was bundled was removed.

The claims asserted include violations of the federal Stored Communications Act (18 U.S.C. § 2701 et seq.), the Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.), the Computer Fraud and Abuse Act (18 U.S.C. § 1030 et seq.), the Illinois Consumer Fraud and Deceptive Practices Act (815 ILCS 505/1 et seq.), and common law unjust enrichment. The plaintiffs are seeking actual, statutory and punitive damages, an injunction to stop comScore’s allegedly illegal practices, disgorgement of profits, and attorneys’ fees.

August 19, 2011

Ninth Circuit: DPPA Does Not Forbid Buying Driver’s Data in Bulk

The Ninth Circuit found, in Howard v. Criminal Information Services, Inc., that the Driver’s Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721–2725, does not prohibit buying state driver databases in bulk for future use of the information they contain.

Two groups of plaintiffs had filed putative class actions in Oregon and Washington, seeking damages on the ground that their personal information had been obtained by the defendants, among them a newspaper company and a company performing background checks, in violation of the DPPA.

The DPPA provides that personal information from state driver license databases can be obtained, disclosed, or used only for certain specified purposes, such as verifying the accuracy of personal information submitted by the individual, or to use in connection with matters of motor vehicle or driver safety and theft.  

The plaintiffs did not complain that the ultimate use of their information was for purposes not permitted by the DPPA. Rather, they argued that the DPPA forbids bulk purchasing of drivers’ personal information for future use, because future use is not itself a permitted purpose under the DPPA. The defendants had not requested drivers’ records individually, but instead had bought the entire database from the state for the purpose of “stockpiling” it. Their ultimate use of the information, however, was for purposes permitted under the DPPA.

The Ninth Circuit concluded that the plaintiffs had failed to state a claim, because stockpiling information for a permitted use is not a violation of the DPPA: the statute is concerned with the use to which the information is put, not the way it is acquired:

“The DPPA does not contain a temporal requirement for when the information obtained must be used for the permitted purpose. Nor is there a requirement that once the information is obtained for a permitted purpose that it actually be used at all. The DPPA only requires that Defendants obtained the information for a permitted purpose.”

August 17, 2011

U.K. Equality and Human Rights Commission Publishes “Protecting Information Privacy” Report

The United Kingdom Equality and Human Rights Commission (EHRC) published this week a report, “Protecting information privacy,” written by Charles Raab and Benjamin Goold, of the University of Edinburgh and the University of British Columbia respectively. The report represents the views of the two authors and does not necessarily represent the views of the Commission.

The report claims that current U.K. privacy laws and regulation do not adequately protect human rights, and that fundamental reform is needed, especially as data security breaches happen regularly (see p. 9-10 for examples). Such breaches are bound to happen more frequently, as demand for personal information increases, and new technology facilitates its collection. Indeed, “personal information privacy is under particular threat in today’s ‘information economy’ and ‘information-age government’” (p.10).

The public sector has increased its use of personal information, and the state plays an expanded role. The U.K. legal framework has “a weak, fractured and piecemeal approach to [privacy] regulation” (p.12), and it is more and more difficult for individuals to understand how their personal information is used, and what they should do when it is misused.

The 1984 Data Protection Act (DPA) was the U.K.’s first statutory information privacy protection law. In addition, Article 8 of the European Convention on Human Rights (ECHR) protects an individual’s ‘right to respect for his private and family life, his home and his correspondence.’ The ECHR is incorporated into U.K. law by the Human Rights Act (HRA) of 1998 (for an overview of current laws, see p. 25 and following).

According to the report, U.K. legislation has not kept pace with technological change, and the state has failed to adequately protect the right to privacy. The report states that “[n]ew strategies must continually be developed to cope with the increasingly novel ways in which privacy, including information privacy, is at risk” (p.75).

The report makes four main recommendations:

(1) The government should develop a clear set of ‘privacy principles’ to be used as a basis for future legislation, and as a guide to regulators and government agencies concerned with information privacy and data collection.

(2) Existing privacy legislation should be reformed to be consistent with the ‘privacy principles’ in order to enhance the existing provisions of the HRA.

(3) There should be greater regulatory coherence, that is, the U.K. needs to rationalize and consolidate its current approach to the regulation of surveillance and data collection.

(4) Technological, organizational, and other ways to protect privacy should be improved, and the government should encourage the development and use of technological and non-legal solutions to the problem of information privacy protection.

August 15, 2011

Settlement in FTC First Case Involving Mobile Applications

The Federal Trade Commission announced today that W3 Innovations, LLC, a developer of mobile applications, will pay $50,000 to settle charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule (the Rule). The case, United States of America v. W3 Innovations, LLC, is the first FTC case involving mobile applications.

The Rule applies to any operator of a commercial website or online service directed to children that collects, uses and/or discloses children’s personal information. A website operator must obtain “verifiable parental consent prior to collecting, using, and/or disclosing personal information from children.”

The Complaint alleged that the defendant had offered some forty apps for download from Apple’s App Store, which allowed users to play games and share information online. These apps, which the defendant listed in the Games-Kids section of the App Store and which resembled games played by elementary school girls and boys, were directed to children.

The Complaint also alleged that the defendant had collected over 30,000 email addresses, and had collected, maintained, and/or disclosed personal information from about 600 users, but had failed to provide direct notice to parents of this practice and had failed to maintain or link to an online notice of its data collection practices. The defendant had not obtained verifiable consent from parents prior to collecting, using, or disclosing children’s personal information.

The Consent Order (the Order) ordered that Defendant must, within 5 days from the date of entry of the Order, delete all personal information collected and maintained in violation of the Rule, and also pay a $50,000 penalty.


August 12, 2011

Spain Enforces “Right to Be Forgotten”

Spain’s Data Protection Agency has ordered Google to delete personal information regarding approximately 90 individuals from Google’s search engine indexes. These individuals filed formal complaints with the Data Protection Agency alleging that certain personal information, such as decades old arrest records and the current address of a domestic violence victim, should not be accessible through the Internet. In ordering Google to delete information, the Data Protection Agency indicated that every individual has the “right to be forgotten” and have certain information deleted from the Internet.

The Agency and Google are now engaged in a lawsuit regarding whether Google can be required to remove certain information from its search indexes. Privacy experts have expressed concern that requiring search engines to delete certain personal information could restrict access to public information. Regardless of the outcome, however, the European Union is expected to draft legislation later this year that could include a “right to be forgotten” provision and allow individuals to have certain information deleted from the search indexes or websites.

August 11, 2011

Connecticut Enacts Law Restricting Access to Credit Reports

In late July 2011, Connecticut passed a law restricting employers’ access to employees’ or prospective employees’ credit reports. Public Act No. 11-223 prohibits employers from requiring an employee or prospective employee to consent to a credit report request as a condition of employment, unless one of the following conditions is met:

  • The employer is a financial institution;
  • A credit report is required by law;
  • The employer reasonably believes that the employee has engaged in specific activity that constitutes a violation of the law related to the employee’s employment; or
  • A credit report is substantially related to an employee’s current or potential job or the employer has a bona fide purpose for requesting or using information in the credit report that is substantially job-related.

The new statute defines “substantially related to an employee’s current or potential job” to include a number of situations in which an employee or prospective employee would have managerial or fiduciary responsibilities, or would have access to personal information, confidential business information, or other sensitive data. Connecticut’s statute becomes effective October 1, 2011. This law is similar to employer credit report restrictions recently enacted in other states, such as Illinois and Oregon.

August 3, 2011

Upcoming Privacy Panels at the ABA Annual Meeting in Toronto

Attending the ABA Annual Meeting in Toronto and interested in privacy?  Then don't miss these two important panels on the afternoon of Saturday August 6th:

New Restrictions on U.S. Internet Sales: Data Passes, Negative Options, Automatic Renewals and Recurring Charges (if you don’t know what they are, you should attend), on Saturday, August 6, from 2:00 pm – 3:30 pm, in the Metro Toronto Convention Centre, South Bldg, Room 716A, 700 Level. The panel will address hot topics in data sharing practices involving personal information. Speakers include Damier Xandrine, Senior Counsel, Wells Fargo; Holly Towle, partner at K&L Gates LLP; and Alysa Hutnik, partner at Kelley Drye & Warren LLP.

"Can the Law Keep Up with Technology? Can Self Regulation Help?" - on Saturday, August 6th, from 3:45 - 5:15 p.m., in Room 713B, 700 Level, in the South Building of the Metro Toronto Convention Centre. Saira Nayak will moderate a discussion around the meaning of privacy self regulation, with FTC Commissioner Julie Brill, Privacy Commissioner Jennifer Stoddart of Canada, Stuart Ingis of Venable LLP, and Dr. Paolo Balboni of the European Privacy Association.

A complete listing of the ABA Annual Meeting programs is available at: http://www2.americanbar.org/annual/pdfs/2011TorontoProgramFinal.pdf

Massachusetts AG Announces $7,500 Settlement with Bank for Data Breach

The Massachusetts Attorney General recently announced a $7,500 settlement with Belmont Savings Bank following a data breach in which an unencrypted backup computer tape was lost after an employee failed to follow the bank's policies and procedures. The tape contained the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents.

The tape was lost in May 2011, when an employee left it on a desk rather than storing it in a vault for the night. Surveillance footage showed that the tape was then thrown away by the cleaning crew. The tape was most likely incinerated by the bank's waste disposal company, and the bank has indicated that it has no evidence that the Massachusetts residents' personal information was acquired or used by an unauthorized person.

In addition to the $7,500 penalty, the settlement requires Belmont Savings Bank to mitigate the risk of future data breaches by:

  • Ensuring the proper transfer and inventory of backup computer tapes containing personal information;
  • Storing backup computer tapes containing personal information in a secure location; and
  • Effectively training its employees on the bank's policies and procedures for maintaining the security of personal information.

This is the second announcement this year by the Massachusetts Attorney General’s office of a settlement resulting from a data breach.

August 2, 2011

FTC Withdraws FCRA Commentary

Recently, the FTC withdrew its Statement of General Policy or Interpretations under the Fair Credit Reporting Act ("FCRA"), including the FTC's Commentary on the FCRA (the "Commentary"), the day before the authority to enforce and administer the FCRA transferred to the new Consumer Financial Protection Bureau (“CFPB”).

The FTC also released a staff report entitled "Forty Years of Experience with the Fair Credit Reporting Act."  This report provides background on the FTC's role in enforcing the FCRA, and includes a section-by-section summary of the agency’s interpretations of the FCRA. 

In announcing the withdrawal of the Commentary and release of the staff report, the FTC stated that the Commentary "has become partially obsolete since it was issued 21 years ago."  The new staff report deletes several interpretations in the Commentary that have since been repealed, modified or otherwise amended, and adds updated interpretations to reflect changes in the law since the Commentary was released in 1990.  The FTC stated that, given the Commentary's staleness, it "does not believe it is appropriate to transfer the Commentary."


July 23, 2011

Cameron Kerry: The Department of Commerce Will Not Wait for Privacy Legislation

The Center for Technology Innovation at Brookings hosted a discussion on July 21 featuring Jon Leibowitz, Chairman of the Federal Trade Commission, and Cameron F. Kerry, General Counsel of the U.S. Department of Commerce. Both shared their views on the Department of Commerce’s and the FTC’s strategies to protect consumer privacy.

Chairman Leibowitz reported that, in response to questions posed by the FTC staff report on privacy published in December 2010, the FTC received more than 450 comments from interested parties, which are being analyzed now. The FTC expects to issue a final report later this year.

Chairman Leibowitz also highlighted the elements he considers essential “to a fair process and an outcome that ensures both the protection of consumer privacy, as well as business innovation.” These are clear and enforceable standards, and a transparent process involving all stakeholders.

Mr. Kerry reminded the audience that the Obama administration announced last March its support of legislation to create a consumer privacy bill of rights, a baseline data privacy protection. He added that the Department of Commerce believes that:

“a baseline protection should be flexible, should be enforceable at law, and serve as the basis for the development of enforceable codes of conduct. These codes of conduct should specify how the principles in the bill of rights would apply in specific business context.” …

“We need a process that allows industry to be responsive to changing consumer expectations and enables stake holders to identify privacy risks early in the development of new products and new services. We need a process that is nimble enough to respond quickly to consumer data privacy issues as they emerge and that can address them without the need for legislation or regulation because legislation and regulation simply do not move at Internet speed.”

Mr. Kerry then described the role the Department of Commerce will play in this process.

“As I said in the Green Paper that we issued last December, more than self-regulation is needed. At this point, it’s clear that an effective and a representative process usually -- not always but usually -- takes a nudge from the government. That’s why we see a need for the government to take the initiative in convening stakeholder discussions….

The Department of Commerce will enlist stakeholder participation by issuing public notices that describe the issues in play and announcing times, dates, and places for public meetings, and will provide opportunities for remote participation by live streaming and options for viewers around the world to post reactions and comments. We intend to run an open process but independent -- industry stakeholders and independent third parties will hold the pen in drafting the codes.”

The FTC will play an important role, as the Department of Commerce believes that:

“…effective enforcement will benefit from legislation that grants the FTC a clear authority in the commercial data privacy arena. Granting the FTC explicit authority in enforcing the principles of the bill of rights -- privacy bill of rights -- will strengthen its role in consumer data privacy policy and give it the enforcement tools that are needed in this field. And if companies know that the FTC can enforce baseline legislation, that is an incentive to define codes of conduct and to move forward with the process as this world advances into new areas.”

Mr. Kerry then added that:

“At the Department of Commerce, we don’t intend to wait for legislation. We are going to begin to identify pressing privacy issues that can benefit from a multi-stakeholder process and we’ll continue discussions with the FTC about baseline protections, about how to approve codes of conduct and about how to implement the multi-stakeholder process. And then we will begin to convene groups to energize this process in a conversation that today is long overdue.”

More information, including the uncorrected transcript of the event, here. All quotes are from this uncorrected transcript.


July 20, 2011

Joint Hearing on “Internet Privacy: The Views of the FTC, the FCC, and NTIA”

The Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a joint hearing on Thursday, July 14, 2011 on “Internet Privacy: The Views of the FTC, the FCC, and NTIA.”

In her opening statement, Subcommittee Chairman Mary Bono Mack (R-CA) noted that:

“… as consumers, we willingly dole out this personally identifiable information online – literally bit by bit. This information is then compiled and collated by computers to produce personal profiles used in online behavioral marketing and advertising. This data mining helps to pay the freight for all of the information that we get for free on the Internet. … First and foremost, greater transparency is needed to empower consumers. While it’s still unclear to me whether government regulations are really needed, providing consumers with more transparency is the first step in better protecting Americans.”

In his opening statement, Representative Henry Waxman (D-CA) noted that self-regulation may not be the best way to protect consumers’ online privacy. He cited a recent report by Stanford researcher Jonathan Mayer, “Tracking the Trackers,” which found that eight members of the self-regulatory group Network Advertising Initiative (NAI) had left tracking cookies in place even after promising users who chose to opt out that they would stop tracking them.

What could be the role of the Federal Communications Commission?

Chairman Greg Walden (R-Ore) noted that:

“[t]oday’s regime is neither competitively nor technologically neutral. [While] Section 222 of the Communications Act gives the Federal Communications Commission broad authority to implement privacy protections for consumers of wireline and wireless telephone services…[and] specifically calls out location-based services for regulation, [it]…applies that regulation only to carriers and not providers of devices, operating systems, or applications. Other parts of the Communications Act give the Commission authority over cable operators and satellite television providers under a “prior consent” framework. In stark contrast, there are few if any communications privacy regulations governing web-based companies, even those that can access a user’s search queries, emails, voice and video online conversations, web browser, and even operating systems…. Why should a wireless provider that transmits data to and from a smartphone be subject to federal oversight, but not an operating system provider that has access to the exact same data?”

Chairman Julius Genachowski of the Federal Communications Commission (FCC) testified that one of the FCC’s National Broadband Plan findings was that “[p]rivacy concerns are a barrier to broadband adoption.”  He added that “[i]t is clear we need to strike a balance – ensuring that personal information and consumer choice is protected, and at the same time ensuring a climate that encourages new investment and new innovations that will create jobs and improve our quality of life.”

The FCC has, “[t]hrough … rulemakings and enforcement … addressed difficult issues such as when opt-in and opt-out notifications are appropriate, minimum notice standards, data sharing rules, reasonable data security measures, and notification to law enforcement and consumers in the event of data breaches.”

What could be the role of the Federal Trade Commission?

Commissioner Edith Ramirez of the Federal Trade Commission (FTC) stated in her prepared testimony that “the Commission continues to encourage Congress to enact data security legislation that would (1) impose data security standards on companies, and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach,” referring to the FTC’s prepared statement for its testimony on data security before the Subcommittee on Commerce, Manufacturing, and Trade on June 15, 2011.

Also, the FTC “enforces the FTC Act and several other laws that require companies to maintain reasonable safeguards for the consumer data they maintain” and “enforces the FCRA, which… prescribes that companies only sell sensitive consumer report information for “permissible purposes,” and not for general marketing purposes.” The FTC is also “active in ensuring that companies engaged in social networking adhere to any promises to keep consumers’ information private,” citing a March 2011 consent order resolving allegations that Twitter deceived its customers by failing to honor their choices after offering  the opportunity to designate certain “tweets” as private.

The FTC “has sought to protect consumers from deceptive practices in the behavioral advertising area”, for instance, when it settled with Chitika Ad Network over a deceptive opt-out mechanism. The FTC also “sought to ensure that data brokers respect consumers’ choices,” for instance when it announced a final order against data broker US Search, that maintained an online service, allowing users to search for information about others.

What could be the role of the National Telecommunications and Information Administration?

Lawrence Strickling, Assistant Secretary for Communications and Information and Administrator of the National Telecommunications and Information Administration (NTIA), which acts as principal advisor to the President on communications and information policy, testified that the NTIA “has been working over the last two years with Secretary Locke’s Internet Policy Task Force and colleagues throughout the Executive Branch to conduct a broad assessment of how well our current consumer data privacy policy framework serves consumers, businesses, and other participants in the Internet economy.” The NTIA “supports legislation that would create baseline consumer data privacy protections through a consumer privacy bill of rights.”

The NTIA “has recommended legislation with three main characteristics. First, it should establish baseline consumer data privacy protections that would apply in commercial contexts. … Second, we have recommended that legislation provides appropriate incentives for stakeholders in the private sector to develop and adopt enforceable codes of conduct through a multi-stakeholder process…. Third, the Administration supports legislation that strengthens the FTC’s consumer data privacy enforcement authority.”

More, including the hearing webcast, here.

July 18, 2011

EU Commission Publishes Public Consultation on Personal Data Breach Notifications

The European Union (EU) Commission published on July 14, 2011 a public consultation, “ePrivacy Directive: circumstances, procedures and formats for personal data breach notifications.”

The European Union Commission is seeking the opinion of telecom operators, Internet service providers, Member States, national data protection authorities, consumer organizations and other interested parties on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way all across the EU.

Directive 2009/136/EC revised Directive 2002/22/EC, the “Universal Service Directive,” and Directive 2002/58/EC, the “ePrivacy Directive.” Both of these directives are part of the Telecom Package, the five directives comprising the regulatory framework for electronic communications networks and services in the EU. Member States had to transpose Directive 2009/136/EC into national law by 25 May 2011. The 2009 Directive introduced into the EU legal framework an obligation for electronic communications providers to report personal data breaches, without undue delay, to the relevant national authority, and to notify the affected individuals when the breach is likely to adversely affect their personal data or privacy. A personal data breach is a security incident in which personal data is compromised (unauthorized access, alteration, or destruction).

The Commission is hoping to gather practical contributions about how the new rules have been implemented, and what issues may have been encountered. This information would then help the Commission find out whether additional technical measures are needed to ensure that all Member States’ personal data breach notification measures are harmonized, and if so, what form they should take.

From the press release:

“The consultation is seeking input on the following specific issues:

Circumstances: how organizations comply, or intend to comply, with the new obligation under the telecoms rules; the types of breaches that would trigger the requirement to notify the subscriber or individual and examples of protection measures that can render data unintelligible

Procedures: the notification deadline, the means of notification and the procedure for an individual case

Formats: the contents of the notification to the national authority and to the individual, existing standard formats and the feasibility of a standard EU format.

In addition, the Commission wants to learn more about cross-border breaches and compliance with other EU obligations relating to security breaches.”

Contributions to the consultation are accepted until September 9, 2011.

July 13, 2011

Draft Regulations Issued for Canada’s Anti-Spam Legislation

The Canadian Radio-television and Telecommunications Commission (“CRTC”) and Industry Canada both recently published draft regulations, referred to as the Electronic Commerce Protection Regulations, under the authority of the anti-spam legislation enacted last year. The legislation, which is now being referred to as “Canada’s Anti-Spam Legislation” (“CASL” or “the Act”), is available here. In addition to amending several existing laws, CASL specifically establishes rules for sending commercial electronic messages (“CEMs”) to recipients in Canada and prohibits sending CEMs to electronic addresses without the recipient’s prior express or implied consent.
 
CASL has a wide scope, especially when compared to CAN-SPAM in the United States. CASL covers all “commercial electronic messages” sent to an “electronic address,” not only email communications. “Electronic message” is defined to mean a message sent over any means of telecommunications, including text, sound, voice or image, and “electronic address” is defined to cover email, instant messaging, text messages, and messages to “any similar account,” which could include social media websites such as Facebook and Twitter.
 
The CRTC’s regulations: (1) prescribe the form and required information to be included in a CEM; (2) specify that a clear and prominent link to the required information can be used where it is not practicable to include all information in the CEM (e.g., character-limited CEMs); and (3) prescribe the information required in a request for express consent to send CEMs. The CRTC notice announcing the regulations is available here. Comments can be submitted to the CRTC through August 29, 2011.
 
Industry Canada’s regulations: (1) define the meaning of personal relationship and family relationship under the Act; (2) prescribe the requirements allowing an individual to withdraw consent which was given to a third party; and (3) provide definitions related to implied consent based upon an “existing non-business relationship.” Industry Canada’s proposed regulations are available here. Comments can be submitted to Industry Canada through September 7, 2011.

July 7, 2011

House Committee Addresses U.S. Information Security

On July 7, 2011, the House Committee on Oversight and Government Reform held a hearing entitled “Cyber Security: Assessing the Immediate Threat to the United States”—the first in a series of hearings designed to examine threats to the U.S. digital infrastructure. Witnesses included Department of Homeland Security Acting Deputy Under Secretary Greg Schaffer, Associate Deputy Attorney General James Baker, Deputy Assistant Secretary of Defense for Cyber Policy Robert Butler, and National Institute of Standards and Technology Senior Internet Policy Advisor Ari Schwartz.

The hearing addressed the ability of the U.S. digital infrastructure to withstand cyber attacks, such as attacks against federal agency databases; discussed the Obama administration’s plan to increase digital defenses; and debated how to coordinate government efforts to improve digital infrastructure with private industry efforts. Lawmakers have acknowledged that, given that 85 percent of the nation’s critical infrastructure is owned by the private sector, public-private partnerships are critical to improving information security. Some entities, however, such as the U.S. Chamber of Commerce, have expressed concern that plans to create baseline security practices are disguised attempts to impose sweeping new security regulations on private networks.

More information regarding the Oversight Committee’s hearing can be found here.

June 24, 2011

Supreme Court Strikes Down Vermont Prescription Privacy Law

In Sorrell v. IMS Health, the U.S. Supreme Court struck down yesterday (by a vote of 6-3) Vermont’s 2007 Prescription Confidentiality Law, which had made it illegal for pharmacies and similar entities to sell prescriber-identifying information without the prescriber’s consent. The court had heard oral arguments in April.

Subject to certain exceptions, such as health care research, this information could not be sold or disclosed by pharmacies for marketing purposes. The law, Vt. Stat. Ann., Tit. 18, §4631 (Supp. 2010), states that:

“A health insurer, a self-insured employer, an electronic transmission intermediary, a pharmacy, or other similar entity shall not sell, license, or exchange for value regulated records containing prescriber-identifiable information, nor permit the use of regulated records containing prescriber-identifiable information for marketing or promoting a prescription drug, unless the prescriber consents . . . . Pharmaceutical manufacturers and pharmaceutical marketers shall not use prescriber-identifiable information for marketing or promoting a prescription drug unless the prescriber consents . . . .”

Pharmacies receive prescriber-identifying information when processing prescriptions, and many of them then sell this information to data-mining companies, which use it to produce marketing reports. These reports are leased to pharmaceutical manufacturers, whose sales representatives (“detailers”) use them to target their marketing to individual physicians.

The case involved two consolidated suits, one brought by Vermont data-miners, the other by an association of pharmaceutical manufacturers, all contending that the Vermont law violated their First Amendment rights, because speech in aid of pharmaceutical marketing is protected by the First Amendment. The United States District Court for the District of Vermont had denied them relief, but the Second Circuit reversed, holding that the Vermont law violated the First Amendment by burdening the speech of pharmaceutical marketers and data-mining companies without an adequate justification.

The state of Vermont had argued that the law is merely a commercial regulation, and thus heightened judicial scrutiny is unwarranted. But the Supreme Court was not convinced, noting that the law “imposes more than an incidental burden on protected expression. Both on its face and in its practical operation, Vermont’s law imposes a burden based on the content of speech and the identity of the speaker.” Since Vermont’s law enacts content- and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information, this statute…

disfavors marketing, that is, speech with a particular content. More than that, the statute disfavors specific speakers, namely pharmaceutical manufacturers. As a result of these content- and speaker-based rules, detailers cannot obtain prescriber-identifying information, even though the information may be purchased or acquired by other speakers with diverse purposes and viewpoints.”

The state of Vermont had also argued that physicians have a “reasonable expectation” that their prescriber-identifying information “will not be used for purposes other than . . . filling and processing” prescriptions. The Supreme Court was not convinced by this argument either, because the Vermont law does not coherently serve that interest. The Vermont law allows pharmacies to share prescriber-identifying information with anyone, so long as the recipient does not use it for marketing. Researchers, journalists, even the State itself, may use the information, and this “does not in itself advance confidentiality interests,” remarked the Supreme Court, noting that…

“[p]erhaps the State could have addressed physician confidentiality through “a more coherent policy.” For instance, the State might have advanced its asserted privacy interest by allowing the information’s sale or disclosure in only a few narrow and well-justified circumstances. A statute of that type would present quite a different case than the one presented here. But the State did not enact a statute with that purpose or design. Instead, Vermont made prescriber-identifying information available to an almost limitless audience. The explicit structure of the statute allows the information to be studied and used by all but a narrow class of disfavored speakers….

Vermont has given its doctors a contrived choice: Either consent, which will allow your prescriber-identifying information to be disseminated and used without constraint; or, withhold consent, which will allow your information to be used by those speakers whose message the State supports. [The Vermont law] may offer a limited degree of privacy, but only on terms favorable to the speech the State prefers.”

Justice Breyer wrote a dissenting opinion, joined by Justices Ginsburg and Kagan. In his view, the Vermont statute adversely affects speech in only one way: it prevents pharmaceutical and data-mining companies from accessing data that could help pharmaceutical companies create better sales messages. Justice Breyer wrote: “In my view, this effect on expression is inextricably related to a lawful governmental effort to regulate a commercial enterprise.”

June 22, 2011

Toward a Mandatory Requirement for EU Business Organizations to Notify of Data Security Breaches

Viviane Reding, Vice-President of the European Commission, spoke on Monday at the Data Protection and Privacy Conference of the British Bankers' Association in London.

Ms. Reding acknowledged that the current EU legal framework protecting personal data may no longer be appropriate to a world which has changed much since 1995 (when Directive 95/46/EC, the Data Protection Directive, was first published), as individuals “leave digital traces with every move [they] make.” The European Union now “needs a more comprehensive and more coherent approach in its policy for the fundamental right to personal data protection.”

Businesses must also play their part. The way they collect, process, store, and use personal data must be more transparent than it is right now. Ms. Reding alluded to the recent Sony PlayStation Network data breach, which affected some 70 million users worldwide, whose personal information (name, address, email address, and date of birth) was compromised. According to Ms. Reding, “this incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers' trust in the online economy.”

Companies must better protect personal data against security breaches and identity theft. Ms. Reding stated that “they should immediately notify breaches of data security and confidentiality” and that she intends to introduce a mandatory requirement for business organizations to notify data security breaches.

As of today, Directive 2009/136/EC, which introduced mandatory data breach notification into the EU legal framework, imposes that requirement only on providers of publicly available electronic communications services. Other business organizations do not have to report breaches.

This is likely to change soon, as Ms. Reding wants to introduce this requirement for all sectors, including banking and financial services. She expressed hope that “[i]t would … create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data.”

Changes are ahead, as new EU data protection legislation proposals should be finalized in the upcoming months.

June 20, 2011

Two Federal Geolocation Privacy Bills Introduced Last Week

Two federal bills introduced last week aim to protect the privacy of mobile phone users’ geolocation information. One bill would regulate private entities, and the other would regulate law enforcement and federal agencies.

Senator Al Franken (D-MN), chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, introduced S. 1223, the “Location Privacy Protection Act of 2011,” last week. The bill is co-sponsored by Senator Richard Blumenthal (D-CT) and would regulate only companies. While the text of the legislation is not yet available, a press release states that the bill would:

“close current loopholes in federal law to require any company that may obtain a customer’s location information from his or her smartphone or other mobile device to (1) get that customer’s express consent before collecting his or her location data; and (2) get that customer’s express consent before sharing his or her location data with third parties.”

Indeed, the Stored Communications Act provision of the Electronic Communications Privacy Act (18 U.S.C. § 2702) can be interpreted as allowing electronic communication service providers, including smartphone and app companies, to share their customers’ location information with third parties without first obtaining the customers’ consent.

The other federal geolocation privacy bill, the “Geolocation Privacy and Surveillance Act,” was introduced last week by Senator Ron Wyden (D-Ore.) and U.S. Representative Jason Chaffetz (R-Utah). It would regulate the government’s use of geolocation information. Its section 4 would make it illegal for the government to obtain geolocation information by making fraudulent statements to a telecommunications carrier, or by accessing the carrier’s customer account records without permission.

 

Copyright American Bar Association.