May 9, 2012

Federal Trade Commission Announces Privacy Settlement with Myspace

The FTC has reined another tech giant, albeit a waning one, into a settlement agreement over alleged privacy violations. On May 8, the FTC announced a consent decree with Myspace LLC that forbids it from misrepresenting its privacy policies and requires it to institute a comprehensive privacy program and submit to biennial compliance audits for twenty years. This is the third settlement that the FTC has reached with a major tech company in the social networking arena; the agency reached similarly structured settlement agreements with Google and Facebook last year.

The FTC's Allegations

The FTC's allegations stem from a gap between Myspace's privacy policy and its practices from January 2009 until June 2010. In its policy, Myspace promised that it would not share a user's personally identifiable information (defined as name, email, mailing address, phone number or credit number) without notice and user consent; that its means for delivering customized ads and sharing browsing data with advertisers; and that it complied with the U.S.-E.U. Safe Harbor framework for data protection.

However, when Myspace displayed ads from certain unaffiliated third parties to logged-in users, Myspace provided the advertiser or its affiliate with the viewer's "Friend ID," which is a persistent unique numerical identifier assigned to each Myspace user. This left third parties a few clicks away from accessing a host of other information about the user. For most users, the Friend ID could be used to get the users' full name and any other information designated as public in the users' settings. The public information could then be combined with additional information harvested by the advertiser's tracking cookie and by any other means.

According to the FTC, the representations that Myspace made in its privacy policies were thus false and misleading statements and constituted deceptive acts or practices in violation of Section 5 of the FTC Act. The agency also alleged that Myspace misrepresented its compliance with the U.S.-E.U. Safe Harbor framework: to transfer personal data lawfully from the E.U. to the U.S., companies must self-certify that they meet certain privacy principles about the collection and use of user data, including Notice and Choice. Notably, Myspace did not make the offending statements about Safe Harbor compliance until December 2010, after the time period of its other alleged deceptive practices.

Settlement Terms

The order forbids Myspace from misrepresenting its privacy practices, including collection, disclosure and third-party sharing, of all "covered information." This includes a user's name, address, e-mail address or chat screen name, phone number, photos and videos, IP address, device ID or other permanent identifier, contact list or physical location. Like the Google and Facebook settlements, the order requires Myspace to establish and maintain a comprehensive privacy program and submit to biennial assessments of its privacy programs by an independent auditor for 20 years. Myspace must also retain a plethora of related documents for five years, including all "widely disseminated statements" about Myspace's privacy practices, complaints or communications with law enforcement about the order, or any documents that call into question Myspace's compliance.

The 20-year timeframe, which has been the standard in FTC's previous privacy consent decrees, has raised some snickers among commentators about Myspace's longevity, given the site's declining market share. Founded in 2003, the site was acquired by News Corp. for $580 million in 2005 and for a while dwarfed Facebook's number of users. However, it was sold to Specific Media for $35 million last year and its number of unique users is less than half of its 2008 peak.

The agreement will be subject to public comment until June 8, after which the Commission will decide whether to make the proposed consent order final.

May 4, 2012

House Passes CISPA

Last week, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA would authorize Internet service providers and other companies to share customer communications and other personal information with governmental agencies. The intent of the bill is to enhance information sharing for data security purposes; however, many organizations, such as the Center for Democracy and Technology and the ACLU, strongly oppose the bill, and President Obama has threatened to veto it.

Critics of CISPA state that the bill is overbroad and does not contain appropriate privacy, confidentiality or civil liberties safeguards. According to the White House's statement, "the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information." For example, CISPA could allow companies to give email communications to the government with no judicial oversight if the emails contained cyber threat information. Supporters argue that this information sharing is necessary in order to prevent cyber attacks. Initially, Internet companies appeared to support the bill, although this week Mozilla announced its opposition to the bill and Microsoft has expressed concern over the bill's impact on personal privacy.

In addition to privacy concerns, an interesting article on Slate had another take on CISPA: that it will effectively overwhelm the government with more data than it can handle, noting that "analyzing the world's data to identify potential cyberthreats has gone from difficult to impossible. The volume of digital information has become far too large."

CISPA now moves to the Senate for consideration, where it will compete with at least two other cyber security bills.

April 25, 2012

UK Investigates Privacy Implications of Email-Hacking by Journalists

The UK communications regulator Ofcom this week announced that it is investigating alleged email-hacking by journalists at Sky News, a satellite news channel controlled by Rupert Murdoch. The investigation raises interesting issues regarding the role of online privacy in news reporting, in particular whether privacy should trump the public interest in media-led investigations into criminal activity.

Ofcom announced its investigation after a Sky News representative admitted to hacking the email accounts of John Darwin, who faked his own death in order to claim life insurance, and later reappeared living abroad.  In addition to email-hacking, Sky News also admitted to posting a hacked voicemail message from Mr. Darwin's wife on its website.  These hacking admissions were made at the wide-ranging Leveson Inquiry into press ethics and culture, which was prompted by last year's UK press phone-hacking scandal.

Under UK law, email hacking is a violation of the Computer Misuse Act 1990, and may trigger criminal sanctions.  In addition, Ofcom's broadcasting code - Rule 8.1 - provides that: "Any infringement of privacy in programs, or in connection with obtaining material included in programs, must be warranted."  The potential sanctions for breach of Ofcom's code range from a warning, to a fine, to revoking a broadcasting license in the most serious circumstances. 

For its part, Sky News argues that its actions were "editorially justified" since there are rare instances when it is defensible for a journalist to commit an offense in the public interest, in this case the detection of insurance fraud.

An Ofcom spokesperson stated that the agency "is investigating the fairness and privacy issues raised by Sky News' statement that it had accessed without prior authorization private email accounts during the course of its news investigations." 

The regulator also announced that it will "make the outcome [of its investigation] known in due course." 


April 20, 2012

The Federal Trade Commission Publishes its Final Privacy Report (Part II)

This is the second part of a post about the recently published FTC Privacy Report.

Simplified Consumer Choice (Consent)

Some practices do not require choice

Under the Final Framework, companies would not have to provide consumers with a choice if they collect and use data for ‘commonly accepted practices’ (p. 36). Instead of rigidly defining what would be considered a commonly accepted practice, the FTC focuses on the interaction between a business and the consumer (p. 38). Is the practice “consistent with the context of the transaction or the consumer’s existing relationship with the business, or is [it] required or specifically authorized by law?” (p. 39).

One may remember that the Telephone Consumer Protection Act has a similar “existing business relation” exception to consent.

However, the six practices originally identified in the preliminary staff report as those that companies may engage in without offering consumer choice (fulfillment, fraud prevention, internal operations, legal compliance, public purpose, and most first-party marketing) remain useful as guidance as to whether a particular practice would indeed be considered commonly accepted.

First-party marketing occurs when a company collects customer data and uses it for its own marketing purposes, as opposed to third-party marketing, where collected data is sold to third parties for their own marketing purposes. Entities having a first-party relationship with a consumer would not be exempt from providing consumers with choices if they also collect consumer data in a way not consistent with the first-party relationship, such as tracking the consumer across sites (pp. 40-41).

The FTC’s final principle on choice is that companies do not need to provide choice before collecting consumer data for practices either consistent with their relationship with the customer or if required by law (p.48).

Companies should give a choice if the practice is inconsistent with the interaction with the consumer 

Such choice should be given “at a time and in a context in which the consumer is making a decision about his or her data” (p. 48).

The FTC still advocates the implementation of a universal, one-stop mechanism for online behavioral tracking (Do Not Track) (p. 52).

A Do Not Track system should include five key principles (p. 53):

1. It should cover all parties tracking consumers.

2. It should be easy to find, understand and use.

3. The choices offered should be persistent and should not be overridden.

4. It should be comprehensive, effective and enforceable.

5. It should allow the consumer to opt out of receiving targeted advertisements, and also allow consumers to opt out of collection of behavioral data for all purposes other than those consistent with the context of the interaction.

Express consent would, however, be required at the time and in the context in which the consumer is making his or her decision if the company is using data in a materially different manner than the one stated when collecting the data, and if it collects sensitive data, such as social security numbers, information about children, or financial and health data.

Large platform providers (ISPs, operating systems, browsers…)

Such entities have access to a very large spectrum of unencrypted consumer data, which would allow them to build very detailed consumer profiles. Indeed, an ISP has access to all of its customers' online activity when they use that particular connection, raising privacy concerns. The FTC will host a workshop in the second half of 2012 to discuss privacy issues raised by data collection by large platforms.

Transparency

There are several ways companies could increase the transparency of their data practices.

Privacy Notice

Privacy notices should be:

- Clearer

- Shorter

- More Standardized

However, prescribing a rigid privacy statement format to be used in all sectors is “not appropriate” according to the FTC. Some elements should be standardized, such as format and terminology, in order for consumers to be able to easily compare privacy practices (p. 62).

Access

Companies should provide reasonable access to the consumer data they maintain, and this access should be proportionate to the sensitivity of the data and the nature of its use (p. 64).

For entities maintaining data solely for marketing purposes, the FTC agrees that the costs of providing consumers a right to access and correct data would likely outweigh the benefits. However, such entities should provide consumers with the lists of data categories they keep, and inform them of their right to state that they do not want their data to be used for marketing purposes (p. 65). They should also provide more individualized access to data where possible; the FTC cites as an example Yahoo’s Ad Interest Manager, which allows users to opt out of certain advertising categories.

The FTC also noted that companies compiling consumer data to then sell it to other companies, who then use the data in order to make a decision about a particular person’s ability to be offered a job, an insurance rate, or credit, are subject to the FCRA. Consumers then have a right to access and correct their information under the FCRA, 15 U.S.C. §§ 1681g-1681h, even if the company compiling the data is not sure of the use that will be made of the data, but “has reason to believe” it will be used for making such decisions (p. 67).

Entities maintaining data for other, non-marketing purposes that fall outside the scope of the FCRA, such as fraud risk management companies or social networking sites, should use a sliding-scale approach. A consumer's access to his data would depend on the use being made of it and on its sensitivity (p. 67).

The FTC supports legislation, such as the Data Accountability and Trust Act, which would give consumers a right to access their data held by data brokers. It also supports the creation by the data broker industry of a centralized web site where data brokers would inform consumers about their data collection practices, and disclose the companies buying this data (p. 69).

The FTC also supports the idea of an “eraser button,” which would allow people to delete the content they have posted online, a right somewhat similar to the right to be forgotten stated by the recent EU Commission Proposal for a new privacy framework (p. 70).

Consumer Education

Consumers should be better educated about commercial data privacy practices, and this should be done by all stakeholders.

April 19, 2012

The European Commission launches a public consultation on the ‘Internet of Things’

The European Commission has launched a public consultation on the ‘Internet of Things’ (IoT) and is inviting comments until July 12, 2012. Members of the public are invited to respond to an online questionnaire.

Privacy

The public is invited to submit comments on the privacy implications of the IoT, as smart objects collect data which may also reveal information about an individual, his habits, location, or interests, whether his identity is known or unknown, and that identity might be indirectly revealed by combining data from different sources. One of the questions is:

“Traditional data protection principles include fair and lawful data processing; data collection for specified, explicit, and legitimate purposes; accurate and kept up-to-date data; data retention for no longer than necessary. Do you believe that additional principles and requirements are necessary for IoT applications?”

Safety and Security

The questions are also about the safety and security issues which may be raised by IoT. Indeed, IoT objects are able to act on behalf of people and therefore need protection against false requests for information and against unauthenticated commands by using user authentication to ensure the authenticity of both the device and the data.

The public is invited to state whether they agree that “[d]ata life cycle management in the IoT infrastructure includes data creation, processing, sharing, storing, archiving, and deletion of data… [and that] [g]uidelines should be developed to ensure secure and trusted data life cycle management.”

Security of Critical IoT Supported Infrastructures

Comments may also address the security of critical IoT supported infrastructures, as there is a risk of abuse and attacks of such systems. The public may answer whether they agree that “[p]olicy makers should provide guidance on security-by-design and applicable security technologies.”

Ethical Issues

The questionnaire also addresses ethical questions. One of the questions is whether “IoT applications could change our sense and definition of personal identity.” Another question asks whether “IoT applications could interfere with individuals’ autonomy when decisions are taken by autonomous systems.”

Open Object Identifiers and Interoperability

The IoT is able to identify each connected object by its identifier, and the questionnaire states that, while there are currently some 5 billion mobile phone subscribers, there may be 50 billion connected non-phone devices in 10 years, a rather stunning figure.

Should openly accessible identifier solutions allowing for the interoperability of smart devices be authorized? The public is invited to state whether IoT identifier policy should promote business models for open interoperable platforms.

Other topics of the questionnaire include governance issues and standards for meeting policy objectives.

April 18, 2012

The Federal Trade Commission Publishes its Final Privacy Report (Part I)

The Federal Trade Commission (FTC) issued its much-awaited final privacy report, “Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policymakers” (the Report).

The Report provides companies with self-regulation guidelines, and it calls for businesses collecting consumer data to implement best practices to protect this data. According to the Report, “the framework is meant to encourage best practices and is not intended to conflict with requirements of existing laws and regulations” (p. 16).

The FTC believes that self-regulation has not yet gone far enough, with the exception of Do Not Track (p. 11). Yet the Report also recommends that Congress pass baseline and technologically neutral privacy legislation, as well as data security legislation. Privacy legislation would give businesses clear guidance, and would also serve as a deterrent by providing remedies to aggrieved parties. The FTC also recommends the passage of legislation targeted at data brokers, which would allow consumers to have access to their personal data held by data brokers.

Scope of the Privacy Framework

The framework would apply to all commercial entities collecting or using consumer data that can be reasonably linked to a specific consumer, computer, or other device.

It would not apply, however, to entities collecting only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share that data with third parties; the sharing condition prevents an entity outside the scope of the Framework from selling its collected data to a data broker.

As noted by the Report, HR 5777, the Best Practices Act, contained a similar exclusion, for entities collecting information for fewer than 10,000 individuals during any 12-month period, if the data is not sensitive.

The framework would, however, apply to both online and offline data. That way, data collected by data brokers would be included in its scope. Also, as noted by the FTC, consumer data collection is ‘ubiquitous,’ whether it occurs online or offline, and the privacy concerns these practices raise are similar (p. 17).

The framework would apply to data that is reasonably linkable to a specific consumer, computer, or device (p. 18).

Under the final framework, data would not be considered “reasonably linkable to a particular consumer or device” if a company implements three significant protections for that data (p. 21):

- Taking reasonable measures to ensure that the data is de-identified

- Publicly committing to maintain and use the data in a de-identified fashion

- If making the de-identified data available to third parties, prohibiting by contract those third parties from attempting to re-identify the data

Interestingly, the issue of what is personal data is also debated right now in the European Union (EU). Recital 24 of the recent EU Commission data protection proposal hints that IP addresses or cookies do not necessarily need to be considered personal data, as they need to be combined with unique identifiers and other information to allow identification. In a recently published opinion on the proposal, the Article 29 Working Party stated that personal data needs to be more extensively defined, as being all data related to an identifiable individual, and that IP addresses should thus be considered related to identifiable individuals, especially if processing IP addresses or cookies is done to identify users of the computer.

Privacy by Design

The baseline is that “[c]ompanies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services” (p. 22).

Such privacy protections include four substantive principles:

- Data security

- Reasonable collection limits

- Sound retention practices

- Data accuracy

Data Security

The Report notes that the FTC has been enforcing data security obligations under Section 5 of the FTC Act, the FCRA and the GLBA (p. 24) and also notes that several companies have already implemented data security protection measures, such as secure payment card data, browser privacy, or SSL encryption (p.25).

Reasonable Collection Limit

The FTC believes that companies should limit data collection “to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law” (p. 27).

Sound Data Retention

Companies should not retain data if it is no longer necessary for the legitimate purpose for which it was collected. The FTC does not, however, set a data retention timetable. Instead, it states that the data retention period can be flexible, and may vary according to the type of data collected and its intended use (p. 29).

Data Accuracy

What companies would have to do in order to ensure the accuracy of the data collected depends on the data’s intended use and whether it is sensitive data or not.

Part II to be posted later this week.

April 17, 2012

FCC Fines Google in Street View Case for Lack of Cooperation in Inquiry, But No Enforcement Action Sought

One remembers the stir that Google’s Street View project created during 2010 in the United States, Canada, and the European Union, when it was discovered that the California company had collected WiFi network data as its Street View cars roamed the streets of the world, taking pictures of the environment in order to create a comprehensive map. It turned out that this data included “payload” data, that is, the content of emails, text messages, or even passwords.

Google had first denied payload data collection, then admitted it, but stated that such data was fragmented, and then finally acknowledged in October 2010 that sometimes entire emails had been captured. Following that statement, the Federal Communications Commission (FCC) started an inquiry to determine whether such conduct violated section 705(a) of the Communications Act of 1934, which prohibits the interception of interstate radio communications, except if authorized by the Wiretap Act.

Google had argued that, under the Wiretap Act, which prohibits the intentional interception of electronic communications, it is not unlawful to intercept electronic communications made through a system readily accessible to the general public, and that such a definition encompassed unencrypted WiFi communications networks.

On April 13, 2012, the FCC filed a Notice of Apparent Liability for Forfeiture (NAL) finding that Google “apparently willfully and repeatedly violated [the FCC] orders to produce… information and documents” that the FCC had requested. Such conduct would carry a $25,000 penalty. However, the FCC decided not to take any enforcement action under Section 705(a), as “[t]here is not clear precedent for applying [it] to… Wi-Fi communications.”

April 16, 2012

Illegal Now For Maryland Employers to Ask for Employees' Electronic Account Passwords

The State of Maryland could become the first State to pass a law prohibiting employers from requesting that employees disclose passwords allowing access to a personal electronic account. That would cover email accounts, but also social networking accounts. The bill now awaits the Governor’s signature.

Employers will be prohibited from taking, or threatening to take, disciplinary action if an employee refuses to disclose her passwords. Employers will also be prohibited from refusing to hire an applicant because of his refusal to disclose his passwords.

In 2010, Robert Collins, a Maryland corrections officer was asked to provide the Maryland Division of Corrections (DOC) his Facebook login information during a recertification interview. The American Civil Liberties Union of Maryland sent a letter in January 2011 to DOC Secretary Gary Maynard. Secretary Maynard answered in February 2011 and ordered the practice be suspended for 45 days to allow further study of the issue. The DOC then revised its policy: candidates would have to sign a form stating that they understand that providing their passwords is voluntary.

A similar bill is still being discussed in Illinois. Is a federal law around the corner? Senator Richard Blumenthal (D-Conn.) plans to introduce a bill which would prevent employers from asking applicants to provide their social media passwords as part of the hiring process.


March 26, 2012

Class Action Lawsuit Filed Against Eighteen Companies For Allegedly Distributing Privacy-Invading Mobile Applications

Last week, a class action lawsuit was filed against eighteen technology and social networking companies in Texas federal district court for allegedly distributing privacy-invading mobile applications ("apps"). Opperman et al. v. Path, Inc. et al., Case No. 1:12-cv-00219-SS (W.D. Tex. March 12, 2012). The companies sued were Path, Twitter, Apple, Facebook, Beluga, Yelp!, Burbn, Instagram, Foursquare Labs, Gowalla, Foodspotting, Hipster, LinkedIn, Rovio Mobile Oy, ZeptoLab, Chillingo, Electronic Arts, and Kik Interactive. The 152-page class action complaint begins with an adage from Robert Fulghum's book, All I Really Need to Know I Learned in Kindergarten: "Don't take things that aren't yours." The platitudes continue. The plaintiffs allege that the defendants, through these apps, "surreptitiously harvest, upload and illegally steal the owner's address book data without the owner's knowledge or consent." Due to the ubiquity of wireless networks, the end result is that the defendants have "quite literally, turned the address book owners' wireless mobile device into mobile radio beacons broadcasting and publicly exposing the unsuspecting device owner's address book data to the world." The plaintiffs are thirteen Austin-area residents and primarily iPhone users. They have collectively installed all of the defendants' apps that are allegedly conducting illegal reconnaissance on the information contained in their address books, including contact names, phone numbers, physical and email addresses, job titles, and birthdays. The allegedly illicit apps include the usual suspects such as Facebook, Twitter, and Foursquare, in addition to popular games such as Angry Birds and Cut the Rope.

The plaintiffs and the putative class members accordingly seek injunctive, equitable, statutory, and monetary relief for, inter alia, invasion of privacy and violations of numerous provisions of state and federal law, including the Electronic Communications Privacy Act (18 U.S.C. §§ 2701, et seq.), the Computer Fraud and Abuse Act (18 U.S.C. § 1030(g)), along with violations of the Racketeer Influenced & Corrupt Organizations Act (including 18 U.S.C. § 1343 (wire fraud), §§ 1961-64 (civil liability for racketeering activities and conspiracies), and § 2314 (transportation of stolen property)). The putative class includes all owners of iOS- or Android-based wireless mobile devices who acquired any application that "without the owner's prior effective consent accessed, copied, uploaded, transferred, broadcast and/or otherwise used any portion of the owner's address book data . . . that the owner had transferred onto the owner's wireless mobile device."

A copy of the complaint can be found here.

New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012. The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and the information to be included in a request for consent. The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase. Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them. This implicitly recognizes that:

  • businesses operating online are not all created equal: they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are not all created equal: an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses). When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for. This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM. As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways. CASL has a broader application, clear reach outside Canada, a higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to CASL’s entry into force to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.

March 14, 2012

Commerce Department Launches Multistakeholder Process for Consumer Privacy Codes of Conduct

In response to the White House's February 23, 2012 release of Consumer Data Privacy in a Networked World:  A Framework for Protecting and Promoting Innovation in a Global Digital Economy ("Framework"), the Commerce Department's National Telecommunications and Information Administration ("NTIA") has issued a request for public comments on the consumer data privacy issues to be addressed through voluntary, yet legally enforceable, codes of conduct that implement the Consumer Privacy Bill of Rights outlined in the Framework.  NTIA is seeking comments from all interested stakeholders, including consumer groups, industry, academia, law enforcement agencies, and international partners.  Comments are due on March 26, 2012.

Interested parties may submit comments on any consumer privacy-related topic, though NTIA's request indicates that the Framework's transparency principles in privacy notices for mobile applications ("apps"), particularly apps that feature location-based services, are among the agency's highest priorities.  Other highlighted areas for comment include cloud computing, online services directed toward teens and children, trusted identity systems, and the use of technologies, such as browser-based cookies, to collect personal data.

NTIA also seeks comment on how the multistakeholder process can be structured to ensure openness, transparency, and consensus-building among a diverse group of interested parties.  These comments represent the initial step of a process aimed at developing voluntary codes of conduct that will be enforced by the Federal Trade Commission.

March 2, 2012

Oregon Supreme Court Holds Insufficient Injury to Allow Negligence Claim in Data Breach Suit

On February 24, in Paul v. Providence Health System-Oregon, the Oregon Supreme Court held that, absent any allegation that stolen personal information was used or viewed by a third party, plaintiffs had not suffered an injury that would support a negligence claim or an action under Oregon's Unlawful Trade Practices Act.

The breach at issue occurred in 2005, when an employee left disks and tapes containing medical records for 365,000 patients in the employee's car and those disks and tapes were stolen.  Some of the records went back 20 years, and contained Social Security numbers and medical information.   In 2006, the defendant settled with the Oregon Attorney General and agreed to pay credit monitoring costs to affected patients for two years and over $95,000 to the Attorney General.  In 2007, the trial court granted the defendant's motion to dismiss, taking into account that several plaintiffs had been at least partially compensated via the attorney general settlement, and holding that the plaintiffs' claimed damages were premised on the risk of future injury rather than actual present harm.

Plaintiffs argued that they had suffered financial loss in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies about the theft, as well as possible future costs related to identity theft.  They also argued that they had suffered damages from the emotional distress caused by the theft of the records.  The Supreme Court, however, found not only that there was no evidence that the plaintiffs had suffered any financial loss as a result of the breach, but also that there was no evidence that the records had ever been accessed or viewed.  The Court also noted that its decision to dismiss the claims was in line with many other decisions by courts in other jurisdictions, such as Pisciotta v. Old Nat. Bancorp from the Seventh Circuit and Ruiz v. Gap from the Ninth Circuit.

March 1, 2012

FTC to Host Workshop on Advertising Disclosures Online and in Mobile Media May 30

Yesterday the Federal Trade Commission announced that it will host a day-long workshop, open to the public, on May 30 to explore whether new guidance is needed for advertising disclosures made both online and in mobile media.  The workshop will address the Dot Com Disclosures and how potential revisions could illustrate clear and conspicuous disclosures in the online and mobile advertising environment.  Last year the FTC began seeking input on how to revise the Dot Com Disclosures to account for changes in technology since the guidance was originally issued.

Topics to be addressed include:

- How can effective disclosures be made in social media and on mobile devices, especially when space is limited for disclosures? 

- When can disclosures provided separately from an initial advertisement be considered adequate?

- What are available options when consumers use devices that do not allow downloading or printing terms of an agreement?

- How can short, effective and accessible privacy disclosures be made on mobile devices?

The FTC also seeks suggestions of topics of discussion and original research.  Requests and recommendations can be sent to dotcomdisclosuresworkshop@ftc.gov.  Additional information is available here.

February 23, 2012

White House Announces Privacy Policy Framework

The Executive Office of the President today released a 52-page framework document setting out the Obama Administration's policies "for protecting privacy and promoting innovation in the global digital economy."  The policy framework includes four principal elements: A Consumer Privacy Bill of Rights, a multistakeholder process to agree how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of international partners. 

The Administration acknowledges that existing United States privacy law and policy "effectively address some privacy issues" but adds that "additional protections are necessary to preserve consumer trust" in the online environment.  The framework therefore calls for consumer data privacy legislation, under which the FTC and State Attorneys General would have authority to enforce the Consumer Privacy Bill of Rights.

The baseline protections - described as "privacy principles recognized throughout the world" - established in the Consumer Privacy Bill of Rights are:

Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how it is used.

Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which they provide the data.

Security: Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure that they adhere to the Consumer Privacy Bill of Rights.

Going forward, the Administration encourages privacy stakeholders, including the private sector, to implement the Consumer Privacy Bill of Rights through the auspices of the Commerce Department; it also commits to work with Congress to "write these flexible, general principles into law."

February 17, 2012

The FTC Publishes a Staff Report on Mobile Apps for Children and Privacy

The Federal Trade Commission (FTC) just released a Staff Report (the Report) titled ‘Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing.’

Mobile applications (apps) are increasingly popular among children and teenagers, even very young children. Indeed, the Report found that 11% of the apps sold by Apple have toddlers as their intended audience (Report p. 6). Apps geared to children are often either free or inexpensive, which makes them easy to purchase, even on a pocket-money budget (Report pp. 7-8).

As such, according to the Report, these apps appear to be intended for children’s use, and some may even be “directed to children” within the meaning of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s implementing Rule (the Rule), which defines a “[w]ebsite or online service directed to children” at 16 C.F.R. § 312.2. Under COPPA and the Rule, operators of online services directed to children under 13 years of age must provide notice and obtain parental consent before collecting children’s personal information; this includes apps. Yet the FTC staff was unable, in most instances, to determine whether an app collected any data and, if it did, the type of data collected, the purpose for collecting it, and who collected or obtained access to it (Report p. 10).

‘The mobile app market place is growing at a tremendous speed, and many consumer protections, including privacy and privacy disclosures, have not kept pace with this development’ (Report p.3)

Downloading an app on a smartphone may have an impact on children’s privacy, as apps are able to gather personal information such as the user’s geolocation, phone number or contact list, without her parents’ knowledge. While app stores and operating systems provide rating systems and controls that allow parents to restrict access to mobile content and features, and even to limit data collection, they do not provide information about which data is collected and whether it is shared (Report p. 15).

The Report concludes by recommending that app stores, app developers, and third parties providing services within apps increase their efforts to provide parents with “clear, concise and timely information” about apps downloaded by children. Parents would then be able to know, before downloading an app, what data will be collected, how it will be used, and who will obtain access to this data (Report p. 17). This should be done by using “simple and short disclosures or icons that are easy to find and understand on the small screen of a mobile device.” (Report p. 3)

Recall that United States of America v. W3 Innovations, LLC, settled in August 2011, was the first FTC case involving mobile applications.

February 15, 2012

Employers, Employees, and Social Media Passwords

An Illinois bill, H.B.3782, would amend the Illinois “Right to Privacy in the Workplace Act”, by providing that:

“it shall be unlawful for any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile.”

A similar bill, S.B. 971, proposed last year in Maryland, would have prohibited employers from requiring a prospective employee, or an employee, to disclose user names or passwords for Internet sites. The Maryland bill did not become law.

It remains to be seen whether the same fate awaits H.B. 3782, but one can regret that the Illinois legislature refers only to a ‘prospective employee,’ especially considering a recent Illinois case. In Maremont v. Susan Fredman Design Group, Ltd., et al. (N.D. Ill.; Dec. 7, 2011), Plaintiff, an employee of a design company, had stored the passwords to her personal Twitter and Facebook accounts on her employer’s server, using a computer owned by the employer, but had not given this information to anyone. Defendant, the employer, allegedly accessed these two personal social media accounts while Plaintiff was on medical leave, in order to post information promoting the design company. Plaintiff argued that this violated the Stored Communications Act (SCA), which forbids unauthorized access to a wire or electronic communication while it is in electronic storage, 18 U.S.C. § 2701(a). The Court held that Plaintiff had not yet proven actual damages, a prerequisite to recovering statutory damages under the SCA, because discovery was not yet complete, and that it was thus premature for the Court to address the issue. It will be interesting to follow further developments in this case.

Hat tip to Venkat Balasubramani for posting the Maremont case online.

February 13, 2012

EPIC is Suing the FTC to Compel Enforcement of Google Buzz Consent Order

The Electronic Privacy Information Center (EPIC) is suing the Federal Trade Commission (FTC) in order to compel the federal agency to enforce the October 2011 Google Buzz consent order, In the Matter of Google, Inc., FTC File No. 102 3136, which was issued following a complaint filed by EPIC with the FTC in February 2010.

Pursuant to this consent order, Google may not misrepresent the extent to which it maintains and protects the privacy and confidentiality of the information it collects, including the purposes for which the information is collected, and the extent to which consumers may exercise control over the collection, use, or disclosure of this information. Also, Google must obtain the express affirmative consent of Google users before making any new or additional sharing of information to third parties, which must be identified, and the purpose(s) for sharing the information must be disclosed to Google users. The consent order also requires Google to establish and implement a comprehensive privacy program.

In January, Google announced changes to its privacy policy that will take effect on March 1, 2012. Google will then begin combining user data collected across all of its different services, such as Gmail and YouTube, whenever the user is logged into her Google account. Ms. Alma Whitten, Google’s Director of Privacy, Product and Engineering, stated that Google can thus provide “a simpler, more intuitive Google experience.” A Google user will have one single Google profile. There is, however, no opt-out available. The new privacy policy states that:

“We may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services. If other users already have your email, or other information that identifies you, we may show them your publicly visible Google Profile information, such as your name and photo.”

According to EPIC’s complaint, these changes are “in clear violation of [Google’s] prior commitments to the Federal Trade Commission.” EPIC argues that Google violated the Consent Order “by misrepresenting the extent to which it maintains and protects the privacy and confidentiality of [users’] information, by misrepresenting the extent to which it complies with the U.S.-EU Safe Harbor Framework… [and] by failing to obtain affirmative consent from users prior to sharing their information with third parties.”

Indeed, the European Union (EU) is also concerned about these changes. The Article 29 Working Party sent a letter to Google on February 2 to inform the California company that it will “check the possible consequences for the protection of the personal data of [E.U. Member States’] citizens” of these changes. Google answered the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s Data Protection Authority, which is coordinating the enquiry into Google’s privacy changes, that the changes were made to ensure that Google’s privacy policy is “simpler and more understandable” and “to create a better user experience.”

Meanwhile, EPIC argues that the FTC has a non-discretionary obligation to enforce a final order, but has not yet taken any action with respect to the upcoming changes to Google’s privacy policy.

February 8, 2012

Congress: Slowly, Inexorably Moving to Cyber Security Legislation

Congress, the bastion of gridlock and acrimony that shut down the FAA, hasn't passed a budget since the middle of the Bush Administration, and almost caused a default on the debt, looks increasingly poised to consider legislation to dramatically overhaul and systematize how the United States responds to a cyber attack, with lasting repercussions for private and public sector operations.

Both the House and Senate are working on bipartisan legislative vehicles that are poised to see significant floor time in the next few weeks.  Bicameral consideration could even be followed by a substantive conference committee and enactment by the President before Election Day.  For the Schoolhouse Rock fans (www.schoolhouserock.tv/Bill.html), a major piece of legislation moving through the regular order, just as those Saturday morning segments told you it would, would be a major accomplishment in present-day Washington.

So what are the bills? Where do they stand? And what's in them?

Continue reading "Congress: Slowly, Inexorably Moving to Cyber Security Legislation" »

January 30, 2012

Markey Releases Bill to Address Issue of Smart Phone Monitoring Software.

Congressman Markey (D-Mass.), co-chair of the Bi-Partisan Congressional Privacy Caucus, released a discussion draft of a bill today aimed at addressing the privacy concerns brought to light recently regarding the use of monitoring software on mobile phones. The proposed bill, named the Mobile Device Privacy Act, would require several companies involved with mobile phones to disclose the use of phone monitoring software and obtain the user’s express consent to transmission of data from the phone. 
 
The bill would require disclosures regarding use of phone monitoring software prior to the sale of a phone by the company selling the phone, and after the sale by the wireless carrier, manufacturer, and/or providers of mobile phone apps if monitoring software is later installed on the phone. The required disclosures would identify the following: the types of information the monitoring software is capable of collecting and transmitting, any person to whom the data will be transmitted, how the data will be used, and whether such data will be shared. The bill would also require the Federal Trade Commission to promulgate regulations imposing reasonable information security obligations upon recipients of data from monitoring software.
 
Violations of the proposed bill could be enforced by the Federal Trade Commission (as an unfair or deceptive act or practice), the Federal Communications Commission (as a violation of the Communications Act of 1934) and state attorneys general. There is also a private right of action with the ability to seek the greater of $1,000 per violation or actual damages, with treble damages for willful violations. 
 
Markey’s bill comes in the wake of the recent controversy over the use of Carrier IQ monitoring software by several wireless carriers and phone manufacturers. The controversy was brought to light last fall by a researcher who discovered and reported that Carrier IQ software secretly collects vast amounts of data about the use of a mobile phone. It resulted in Markey requesting an FTC investigation, Senator Franken (D-Minn.) requesting information from Carrier IQ, and numerous putative class action lawsuits. In a statement released in response to Senator Franken’s request, Carrier IQ stated that its software is used only by wireless carriers to diagnose network problems and provide customer care.

January 25, 2012

Warrantless GPS Tracking is Unconstitutional Government Trespass

In a 9-0 opinion released on Monday, the Supreme Court found that the installation of a Global Positioning System (GPS) device on a suspected drug dealer's car without a valid search warrant violated the Fourth Amendment's prohibition on unreasonable searches. All nine justices agreed on the fundamental Fourth Amendment proposition but differed in their reasoning, leaving the scope of digital privacy uncertain.

The high court heard the case after the D.C. Circuit overturned the conviction of Antoine Jones, a nightclub owner convicted of conspiracy to distribute cocaine. His conviction was based primarily on the 2,000 pages of data transmitted from the GPS device that agents had secretly planted on Jones's car and monitored for 28 days.

The majority opinion, written by Justice Scalia and joined by Chief Justice Roberts and Justices Kennedy, Thomas, and Sotomayor, emphasized the fact that the Government had physically occupied private property for the purpose of obtaining information. Applying traditional notions of trespass to the Fourth Amendment analysis, the high court stated, "[w]e have no doubt that such a physical intrusion would have been considered a `search' within the meaning of the Fourth Amendment when it was adopted." While the majority made clear that the trespass test was not the exclusive test, it declined to address to what degree the reasonable expectation of privacy test applied in digital privacy cases not involving a trespass.

A concurrence authored by Justice Alito and joined by Justices Ginsburg, Breyer, and Kagan criticized the majority’s reliance on the trespass-based rule, or what Justice Alito described as “18th century tort law.” Justice Alito would have analyzed the question presented by asking whether Jones’s reasonable expectations of privacy were violated by long-term GPS monitoring. He noted the panoply of new devices using GPS technology, such as smartphones and the location-based services offered as social tools. In an environment of dramatic technological change, Justice Alito acknowledged that the best solution to privacy concerns may be legislative. In the absence of such guidance, Justice Alito’s concurrence suggests applying the reasonable expectation test exclusively to all digital privacy cases.

In an additional concurring opinion, Justice Sotomayor expressed concern that the majority decision would provide little guidance in cases of electronic or other novel modes of surveillance that do not depend on a physical invasion of property. Her concern touched less on the mode of surveillance than on the sensitivity of the data collected. Accordingly, Sotomayor suggested a paradigm shift in the way that privacy issues are considered: in her view, the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties is ill-suited to the digital age and should be reconsidered.

At a minimum, this case demonstrates the Supreme Court’s recognition of the need to preserve privacy in an increasingly digital age. Given the majority's limited holding, however, many questions about digital privacy remain unanswered.

January 13, 2012

Massachusetts Court Holds that Zip Codes are PII

On January 6, 2012, the U.S. District Court for the District of Massachusetts, in Tyler v. Michaels Stores, Inc., held that zip code information is personally identifiable information (“PII”) under a state consumer protection statute.  In Tyler, the plaintiff provided her zip code to a cashier at a Michaels arts and crafts store while making a purchase with her credit card. According to the plaintiff, Michaels then combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials. The plaintiff argued that the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”
 
In its order, the Court dismissed the case because the plaintiff was unable to show a cognizable injury. Nevertheless, the Court held that zip codes are PII, reasoning that this reading is consistent with a Massachusetts criminal identity theft statute that defines PII as any “number” used “alone or in conjunction with any other information” to assume the identity of an individual. Moreover, despite Michaels’ argument that the state statute applies only to credit card information recorded on paper, the Court stated that the statute applies to all credit card transactions, whether processed manually, electronically, or by other methods.
 
Businesses that collect customer information at the sales register should continue to closely follow this issue as this case, as well as the recent California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc., may foretell lawsuits in other states with consumer protection statutes that are similar to those in Massachusetts and California.

January 10, 2012

FTC Scrutiny of Web Browser Toolbar Signals Continued Online Privacy Enforcement in 2012

A recent FTC settlement underscores that, in 2012, the FTC will continue to hold companies accountable for providing full disclosures about the extent to which their online services collect and transmit personal information. On January 5, 2012, the FTC announced a settlement with Upromise, Inc., a membership service that helps consumers save money for college, over charges that the company misled users about the extent to which it collected and shared their personal information through a “Personalized Offers” feature on a web browser toolbar, and then failed to properly secure the user information that it collected.
 
Upromise provides a service that allows users to contribute to a college savings account by collecting rebates that are acquired when users purchase goods and services from Upromise partner merchants. Upromise provided users with a web browser toolbar that highlighted Upromise’s partner merchants appearing in a user’s search results, thereby enabling users to more easily identify merchants that provide the college-savings rebates.
 
According to the FTC, when users enabled the “Personalized Offers” feature, the toolbar collected and transmitted the names of the websites visited by users, as well as information that users entered into those websites, including search terms, user names and passwords, and financial information. The Commission also alleged that users who downloaded the toolbar were told by Upromise that any personal information collected would be removed before it was transmitted, and that Upromise had security features in place to protect the personal information. The FTC claimed that Upromise’s alleged actions were unfair and deceptive and violated the FTC Act.
 
The FTC settlement bars Upromise from using its web browser toolbar to collect users’ personal information without clearly and conspicuously disclosing the extent of its data collection practices before users download the toolbar. Upromise also must destroy any personal information previously collected through the “Personalized Offers” feature, obtain consumers’ consent before installing or re-enabling its toolbar products, and notify users how to uninstall the toolbars currently residing on their computers. The settlement further bars Upromise from making material misrepresentations about the extent to which it protects the privacy and security of consumers’ personal information, and requires the company to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years.

December 28, 2011

FTC Warns ICANN About Domain Name Expansion

The FTC recently sent a detailed 15-page letter to the Internet Corporation for Assigned Names and Numbers (ICANN) expressing concern that the organization's plan to expand the domain name system could leave consumers open to online fraud and undermine law enforcement's ability to track online scammers.

ICANN has overseen the allocation of Internet domain names since 1998.  The organization intends to expand the generic top-level domains (gTLDs), currently limited to names such as ".com", ".net", and ".org", to include many new ones, such as the name of a company or a business category (e.g., ".restaurant").  According to the FTC letter, gTLD expansion could create a "dramatically increased opportunity for consumer fraud." In particular, the letter outlines a concern that "the proliferation of existing scams, such as phishing, is likely to become a serious challenge given the infinite opportunities that scam artists will now have at their fingertips.  Fraudsters will be able to register misspellings of businesses, including financial institutions, in each of the new gTLDs, create copycat websites, and obtain sensitive consumer data with relative ease before shutting down the site and launching a new one."  The FTC letter urges ICANN to take additional steps before rolling out new domain names, and suggests that ICANN implement a pilot program before proceeding with a full expansion.
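The pattern the letter describes, a brand's misspellings registered under many TLDs, is exactly what brand-protection monitoring looks for in new-registration feeds. The following is an added example, not code from the original post, the FTC letter or ICANN. The brand name, the TLDs the owner is assumed to hold and the "new registrations" are constructed for illustration, and the code treats the rightmost label as the TLD (which fits the single-label gTLDs under discussion) rather than consulting the Public Suffix List.

```python
"""Flag new domain registrations that squat on a protected brand.

Added example (not from the original post). All data below is constructed.
Detection combines an exact-brand check on TLDs the owner does not hold,
folding of common look-alike characters, and a Damerau-Levenshtein
distance bound for one-keystroke typos.
"""

# Look-alike sequences folded onto the letters they imitate. Multi-character
# entries come first so "rn" is folded before the single-character rules.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def normalize(label: str) -> str:
    """Lower-case a label and fold look-alike characters (examp1e -> example)."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def split_domain(fqdn: str):
    """Return (registrable label, tld). Assumption: a single-label TLD."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def generate_typos(brand: str) -> set:
    """Candidate squats worth pre-registering or watching for: single
    omissions, adjacent transpositions and doubled letters."""
    out = set()
    for i in range(len(brand)):
        out.add(brand[:i] + brand[i + 1:])                  # omission
        out.add(brand[:i] + brand[i] * 2 + brand[i + 1:])   # doubled letter
        if i + 1 < len(brand):
            out.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])  # swap
    out.discard(brand)
    return out


def classify(fqdn: str, brands: dict, max_dist: int = 1):
    """brands maps a protected label to the set of TLDs the owner controls.
    Returns a finding dict, or None when the domain looks unrelated or is
    the owner's own registration. Short brands produce many false positives
    at distance 1; tune max_dist per brand length in practice."""
    label, tld = split_domain(fqdn)
    folded = normalize(label)
    best = None
    for brand, owned_tlds in brands.items():
        if label == brand and tld in owned_tlds:
            return None
        if label == brand:
            kind, dist = "exact-brand-unowned-tld", 0
        elif folded == normalize(brand):
            kind, dist = "homoglyph", 0
        else:
            dist = min(damerau_levenshtein(label, brand),
                       damerau_levenshtein(folded, brand))
            if dist > max_dist:
                continue
            kind = "typo"
        finding = {"domain": fqdn, "brand": brand, "tld": tld, "kind": kind, "distance": dist}
        if best is None or dist < best["distance"]:
            best = finding
    return best


def scan(newly_registered, brands, max_dist: int = 1):
    """Run classify over a feed of new registrations (e.g. a zone-file diff)."""
    return [f for f in (classify(d, brands, max_dist) for d in newly_registered) if f]


# Constructed data: a hypothetical bank and one day of "new registrations".
BRANDS = {"examplebank": {"com", "net"}}
NEW_REGISTRATIONS = [
    "examplebank.com",         # the owner's own domain: no finding
    "examplebank.restaurant",  # exact brand on a new gTLD the owner does not hold
    "exmaplebank.bank",        # adjacent-letter transposition
    "examp1ebank.shop",        # digit 1 standing in for the letter l
    "examplebanks.shop",       # one inserted character
    "flowers.restaurant",      # unrelated registration
]

if __name__ == "__main__":
    for f in scan(NEW_REGISTRATIONS, BRANDS):
        print(f"{f['domain']:26} {f['kind']:24} brand={f['brand']} distance={f['distance']}")
    print(sorted(generate_typos("bank")))
```

Run against a real feed, `generate_typos` gives the defensive pre-registration list for each new gTLD, while `scan` is the detection side; the exact-brand hit on an unheld TLD is the case the letter singles out, since it needs no misspelling at all.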

The FTC received support from the 400-member Association of National Advertisers, which hoped that the letter would help "convince ICANN that it must stop [the] initiative and build true consensus with the many constituencies that depend upon a responsibly managed Internet domain naming process."

The House Energy and Commerce Committee has also expressed opposition to ICANN's expansion plan.  The House Subcommittee on Communications and Technology held a recent hearing to examine the issue, and the full Committee followed up with a bipartisan letter describing domain name expansion as a "worthy goal", while expressing concern "that there is significant uncertainty in this process for business, non-profit organizations, and consumers."  The letter urges ICANN to delay its plan, which is set to go live on January 12, 2012.

December 20, 2011

Most Claims Dismissed Against Heartland Payment Systems in Data Breach Litigation

Recently, a federal district court judge dismissed the majority of claims brought by financial institutions against Heartland Payment Systems ("HPS") as a result of its 2009 data breach.  The plaintiffs alleged that hackers obtained payment card numbers and expiration dates for approximately 130 million accounts as a result of the breach.  The plaintiffs were financial institutions that did not participate in the Visa or MasterCard settlements. 

U.S. District Judge Lee Rosenthal dismissed all claims except for the plaintiffs' claim under the Florida Deceptive and Unfair Trade Practices Act.  HPS argued that the Act only applied to consumers, but Judge Rosenthal disagreed, noting that the Act was amended in 2001 to state “person” instead of “consumer."

Continue reading "Most Claims Dismissed Against Heartland Payment Systems in Data Breach Litigation" »

December 5, 2011

EU Data Protection Reforms Outlined

The EU Commissioner responsible for data protection recently outlined the emerging contours of EU data protection reform legislation expected to be proposed early next year.  In a November 28 speech to the American Chamber of Commerce, Viviane Reding, Vice President of the European Commission and EU Justice Commissioner, spoke of her determination to deliver "a strong, consistent and future-proof framework for data protection, with consistent rules across all Member States and across all Union policies."

Commissioner Reding began her speech by outlining the challenges currently facing businesses operating under the EU's 1995 data protection legislation.  First, EU data protection laws are fragmented across 27 member states, leading to varying legal interpretations and enforcement regimes.  Reding estimated that this fragmentation costs businesses €2.3 billion a year.  Second, fragmentation is inconsistent with the EU's goal of unifying its 27 member states in a single market, because it makes it "difficult to sell or shop cross-border."  Third, according to EU survey data, existing data protection rules do not command the confidence of consumers, which inhibits the adoption of new technologies such as cloud computing.

According to Commissioner Reding, the need for data protection has grown exponentially since 1995 "when the full potential of the Internet had not yet been realized.  In 1993 the Internet carried only 1% of all telecommunicated information.  By 2007, the figure was more than 97%."

Commissioner Reding went on to detail some specific regulatory reforms impacting businesses including: increased coordination between member state data protection authorities (DPAs); eliminating the requirement to notify data processing to DPAs; a single point of contact for companies dealing with multiple EU DPAs; and mutual recognition by DPAs of binding corporate rules approved by another DPA.  The Commissioner also outlined the individual data protection safeguards in the reform proposal, such as timely notification of data protection breaches to consumers.

Reding included in her remarks her position on the role of industry self-regulation.  According to the Commissioner, self-regulation "has an important, complementary role to play in this reform.  But let me be clear: self-regulation is not a fig-leaf for non-compliance; self-regulation only works if there is strong, legally binding regulation in the first place."

 

Failure to Plead Loss Causation in Class Action Suit Against Amazon Leads to Dismissal

Judge Robert S. Lasnik of the U.S. District Court for the Western District of Washington last week granted Amazon’s motion to dismiss in the class action suit Del Vecchio et al v. Amazon.com, Inc. Plaintiffs may now file an amended complaint within 30 days.

Plaintiffs alleged that Amazon, the well-known online retailer, placed browser cookies on their computers against their wishes by “exploiting” a shortcoming in the cookie filtering function of Microsoft’s Internet Explorer browser, and that Defendant intentionally published a “gibberish” website policy to deceive Plaintiffs’ browsers into accepting Defendant’s cookies despite their filter settings.

Plaintiffs also alleged that Amazon retooled Flash cookies so that they would behave as traditional browser cookies in order to be accepted by Plaintiffs’ browsers, and that the online retailer used the personal information thus gathered and also shared it with third parties, contrary to the terms of its Privacy Notice.
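The filter-evasion pattern alleged in the two paragraphs above is a classic fail-open bug: a filter that looks only for known-bad input lets unrecognised input through. The following is an added example written for this post; it is not Amazon’s or Microsoft’s code and the complaint is not quoted in it. The post does not name the mechanism, so the example assumes the P3P compact-policy (CP) header that Internet Explorer consulted before accepting third-party cookies; the token vocabulary is a subset of the real P3P 1.0 tokens, while the “unsatisfactory policy” rule and the sample headers are simplified stand-ins constructed for illustration, not IE’s actual rule table.

```python
"""Fail-open vs. fail-closed evaluation of a P3P compact-policy (CP) header.

Added example for this post (not code from Amazon, Microsoft or the court record).
Assumptions: the browser filter reads the CP="..." part of a P3P header; the
"unsatisfactory" rule below is a simplified stand-in for IE's real rule table.
"""
import re
from typing import List, Optional, Tuple

# Subset of the real P3P 1.0 compact-policy vocabulary, grouped as in the spec.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES_REMEDIES = {"DSP", "COR", "MON", "LAW"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
KNOWN_TOKENS = ACCESS | DISPUTES_REMEDIES | PURPOSE | RECIPIENT | RETENTION | CATEGORY | {"NID", "TST"}

# Simplified rule (assumption): a policy is "unsatisfactory" if it admits to
# collecting identifying data AND sharing it with third parties without giving
# the user an opt-in ("i") or opt-out ("o") choice on the recipient token.
IDENTIFYING = {"PHY", "ONL", "FIN", "GOV"}
THIRD_PARTY = {"DEL", "SAM", "UNR", "PUB", "OTR"}

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')

# Constructed sample headers (not taken from any real site).
GOOD_CP = 'P3P: CP="NOI DSP COR NID CURa ADMa DEVa OUR IND COM NAV"'
CHOICE_CP = 'P3P: CP="ALL DSP CURa PHY ONL OTRo IND"'          # sharing, but with opt-out
BAD_CP = 'P3P: CP="ALL DSP CURa ADMa TAIa PHY ONL FIN UNR OTR IND DEM"'
GIBBERISH_CP = 'P3P: CP="THIS IS NOT A REAL POLICY"'           # no recognised tokens
NO_CP = 'P3P: policyref="/w3c/p3p.xml"'                        # header without a CP


def parse_cp(header: Optional[str]) -> List[str]:
    """Return the whitespace-separated tokens inside CP="...", or [] if absent."""
    if not header:
        return []
    match = _CP_RE.search(header)
    return match.group(1).split() if match else []


def split_token(token: str) -> Tuple[str, str]:
    """Split 'OTRo' into ('OTR', 'o'); purpose/recipient tokens may carry a/i/o."""
    if len(token) == 4 and token[-1] in "aio":
        return token[:3], token[-1]
    return token, ""


def is_unsatisfactory(tokens: List[str]) -> bool:
    """Apply the simplified unsatisfactory-policy rule to a token list."""
    parts = [split_token(t) for t in tokens]
    collects_identifying = any(base in IDENTIFYING for base, _ in parts)
    shares_without_choice = any(base in THIRD_PARTY and suffix not in ("i", "o")
                                for base, suffix in parts)
    return collects_identifying and shares_without_choice


def fail_open_allows(header: Optional[str]) -> bool:
    """Filter that only looks for known-bad tokens: unknown tokens are silently ignored,
    so a header full of gibberish counts as a satisfactory policy."""
    tokens = parse_cp(header)
    if not tokens:
        return False  # no compact policy at all: cookie blocked
    return not is_unsatisfactory(tokens)


def fail_closed_allows(header: Optional[str]) -> bool:
    """Hardened variant: a policy containing any unrecognised token is not trusted."""
    tokens = parse_cp(header)
    if not tokens:
        return False
    if any(split_token(t)[0] not in KNOWN_TOKENS for t in tokens):
        return False  # unrecognised token: refuse to treat it as a real policy
    return not is_unsatisfactory(tokens)


if __name__ == "__main__":
    for name, hdr in [("good", GOOD_CP), ("choice", CHOICE_CP), ("bad", BAD_CP),
                      ("gibberish", GIBBERISH_CP), ("no CP", NO_CP)]:
        print(f"{name:10s} fail-open={fail_open_allows(hdr)!s:5s} "
              f"fail-closed={fail_closed_allows(hdr)}")
```

The instructive row is the gibberish header: the fail-open filter accepts it because none of its tokens match a known-bad pattern, while the fail-closed filter rejects it because none of its tokens match a known-good one either. The same design choice recurs in any allow/deny logic that consumes untrusted declarations.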

Plaintiffs claimed to have been injured by Amazon’s misappropriation of their personal information, in which they asserted economic and property interests, and by damage to and consumption of their computer resources, leading to economic harms including “devaluation of personal information, [and] loss of the economic value of the information as an asset” and diminution of the performance and value of their computers.

However, Judge Lasnik granted Amazon’s motion to dismiss because Plaintiffs failed to plead plausible losses.

Diminished Performance of Plaintiff’s Computer

Plaintiffs alleged that Amazon’s transfer of cookies to their computers diminished the computers’ performance and constituted an interruption in service, but Judge Lasnik considered these to be merely “naked assertions.”

Monetary Value of Personal Information

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, punishes unauthorized access to a protected computer.  Its fraud provision carves out cases where “the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period,” and the civil remedy in § 1030(g) is available only where the conduct caused, among other alternatives, loss to one or more persons aggregating at least $5,000 in value during any one-year period.  Whether Plaintiffs had plausibly pleaded a loss of at least $5,000 was therefore one of the questions before the court.

According to Judge Lasnik’s order, the facts alleged do not allow the Court “to reasonably infer that those losses plausibly occurred in this case, let alone that they totaled $5,000.”  Plaintiffs argued, for example, that Amazon’s acquisition of their personal information deprived them “of the opportunity to exchange their valuable information,” but such deprivation is “entirely speculative” according to Judge Lasnik.  Judge Lasnik did not, however, reject entirely the idea that personal data may have value, adding: “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”

The issue of proving the value of personal data is quite interesting.  How could one measure the value of one’s personal information?  Is the personal information of a gold or platinum card member more valuable than that of a basic member?  Should sites like Klout, which uses algorithms to grade one’s reputation across several social media sites, be introduced as evidence?  It will be interesting to read Plaintiffs’ amended complaint in the coming weeks.

December 1, 2011

Comparing CAN-SPAM to Canada's new Anti-Spam Law

Those who operate or have customers in the U.S. market are already familiar with the requirements of the 2003 CAN-SPAM Act. If your operations or customers extend into Canada, however, there are new Canadian anti-spam rules you need to know, because they will affect how you engage in online communications in Canada starting in early 2012.

The SlideShare presentation linked below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL applies not only to e-mail, but also to IM, text messages and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. A message sent from outside Canada to a recipient who reads it in Canada is therefore covered.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

• More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

• More steps will be needed under CASL to be permitted to communicate online.

• Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability:

www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law

October 14, 2011

California Amends Song-Beverly Act

California recently amended its Song-Beverly Act (“Act”) to add a specific exception to its prohibition on collecting personal information during a credit card transaction. The exception allows businesses to collect personal information (such as a zip code) in certain pay-at-the-pump scenarios.   The law was filed with the Secretary of State on October 9, 2011, and took effect immediately. The amendment was enacted in response to the California Supreme Court’s decision in Pineda v. Williams-Sonoma in February of this year. Our coverage of this decision can be found here.

Litigation continues in California in the aftermath of the Pineda decision. In August, the Superior Court of California, County of San Francisco, held that the prohibition on collecting and recording personal information under the Act did not apply to online transactions in Gonor v. Craigslist, concurring with an earlier federal court decision from 2009 (See Saulic v. Symantec Corp.)

Litigation has also been filed in other states that have laws similar to the Act. In Massachusetts, suit was filed against Michaels Stores in May. The plaintiff alleged that she made a purchase at a Michaels store with her credit card and provided her zip code during the sales transaction. She asserted that Michaels then combined her zip code with other information to obtain her home address and sent her marketing materials. Plaintiff argues that this practice violates Mass. Gen. Laws ch. 93, § 105.

Similarly, in New Jersey, suits have been filed in state and federal court over the collection of zip codes at the point of sale. Plaintiffs argue that this practice violates N.J.S.A. 56:11-17. In September, a state court judge allowed a suit to move forward against Harmon Stores.  However, a federal judge reached the opposite conclusion about a week later and dismissed a class action based on the same law.   For businesses that collect zip codes or other personal information during credit card transactions, this issue will continue to be one to watch.

October 5, 2011

9th Circuit Rules ECPA Applies to Foreign Citizens

On Monday, the Ninth Circuit announced its decision in Suzlon Energy Ltd. v. Microsoft Corp., -- F.3d -- (9th Cir. 2011), holding that the plain language of the Electronic Communications Privacy Act ("ECPA") applies to any person, including foreigners.

In Suzlon Energy, Suzlon Energy sought production of emails from Microsoft stored in the United States for use against an Indian citizen in a civil action in Australia. Initially the district court granted Suzlon Energy's request, and in response, Microsoft filed an objection. The district court ultimately agreed with Microsoft and held that ECPA prohibited Microsoft's disclosure of the emails.

The Ninth Circuit affirmed the district court's decision, stating "[t]he Court finds that the plain language of the ECPA extends its protections to non-citizens. The Court is therefore obligated to enforce the statute as written."  The Ninth Circuit also examined the legislative history of ECPA and found that it did not "clearly refute" the plain language of the statute.  The Court cautioned, however, that ECPA's protections apply only to information stored in the United States.

A full copy of the decision is located here.  It will be interesting to see what impact, if any, this decision has on the growing movement to modernize ECPA.

September 29, 2011

Borders’s Sale of Personal Information Approved by Bankruptcy Court

The Wall Street Journal reported this week that Judge Martin Glenn of the U.S. Bankruptcy Court in Manhattan approved on September 26 the $13.9 million sale of Borders’ intellectual property to Barnes & Noble. The intellectual property assets include personal information (PI) that Borders collected from 48 million customers. This PI includes customers’ email addresses as well as records of the books and videos they purchased.

The privacy rights of Borders’ customers were debated during the process. At a September 22 hearing, Judge Glenn had hesitated to approve the sale over concerns about customers’ privacy. The two sides, working with the Consumer Privacy Ombudsman (CPO) appointed by the court overseeing the Borders bankruptcy, agreed to email Borders’ customers within a day of the sale’s closing to ask whether they wish to opt out of Barnes & Noble’s email list. Records of the specific titles customers bought at Borders in the past will not be included in the sale.

The CPO had contacted the Federal Trade Commission (FTC) to request a written description of its concerns regarding the possible sale, during the bankruptcy proceedings, of the PI collected by Borders.

Bureau of Consumer Protection Director David Vladeck answered in a letter to the CPO on September 14, which was submitted to the court.

Borders and Its Privacy Policies

The sale of PI during bankruptcy is governed by section 363(b) of the Bankruptcy Code, 11 U.S.C. § 363(b), which provides that:

(b) (1) The trustee, after notice and a hearing, may use, sell, or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless —

(A) such sale or such lease is consistent with such policy; or

(B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease —

(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and

(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

Borders’ 2006 and 2007 privacy policies had promised customers that the retailer would disclose a customer’s email address or other PI to third parties only if the customer “expressly consents to such disclosure.” The 2008 privacy policy, however, stated that:

“Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders’ practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.”

However, Mr. Vladeck wrote that the FTC “views this provision as applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy,” and that “[e]ven if the provision were to apply in the event of a sale or divestiture of assets through bankruptcy, Borders represented that it would ‘seek appropriate protection’ for such information.”

Privacy Policies and Unfair Practice

Mr. Vladeck wrote that the FTC was concerned that any sale or transfer of the PI of Borders’ customers “would contravene Borders’ express promise not to disclose such information and could constitute a deceptive or unfair practice.”

Mr. Vladeck’s letter noted that the FTC has brought cases in the past alleging that the failure to adhere to a privacy policy is a deceptive practice under the FTC Act. In one of these cases, FTC v. Toysmart, an online retailer had filed for bankruptcy and then tried to sell its customers’ PI. The FTC alleged that the sharing of PI in connection with an offer for sale violated section 5 of the FTC Act, because the retailer had represented in its privacy policy that such information would never be shared with third parties.

Mr. Vladeck wrote that the “Toysmart settlement is an appropriate model to apply” in the Borders case. The FTC entered into a settlement with Toysmart allowing the transfer of customer information under certain limited circumstances:

1) the buyer had to agree not to sell customer information as a standalone asset, but instead to sell it as part of a larger group of assets, including trademarks and online content;

2) the buyer had to be an entity that concentrated its business in the family commerce market, involving the areas of education, toys, learning, home and/or instruction;

3) the buyer had to agree to treat the personal information in accordance with the terms of Toysmart’s privacy policy; and

4) the buyer had to agree to seek affirmative consent before making any changes to the policy that affected information gathered under the Toysmart policy.

Mr. Vladeck concluded his letter by offering these guidelines:

- Borders agrees not to sell the customer information as a standalone asset;

- The buyer is engaged in substantially the same lines of business as Borders;

- The buyer expressly agrees to be bound by and adhere to the terms of Borders’ privacy policy; and

- The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders’ policy.

It seems that Mr. Vladeck’s letter had a significant impact on the ruling.  Curiously, few customers appear to understand the value their PI may have for a company, even though PI can be sold as an asset.

Copyright American Bar Association.