The Secure Times

On February 25, 2010, the FTC announced two separate settlements.  One is a Stipulated Final Judgment and Order to settle a complaint, without trial, filed in the U.S. District Court, Northern District of Georgia.  This settlement is with ControlScan, a company that provides privacy and data security certification to online retailers and other Web sites.  Based on the same facts, Richard Stanton, the founder and former chief executive officer of ControlScan also agreed to settle charges pursued by the FTC at the Federal Trade Commission.  The FTC charged that ControlScan misled consumers about how often ControlScan monitored the sites and the steps it took to verify the privacy and security practices of the sites that had ControlScan certificates. The settlements bars future misrepresentations. Mr. Stanton's settlement requires him to give up $102,000 in "ill-gotten gains". The Stipulated Final Judgment and Order specifies that the complaint which it settles states a claim upon which relief may be granted against ControlScan under Sections 5(a)(1) and 13(b) of the FTC Act.  A judgment against ControlScan of $750,000 is suspended, based on ControlScan’s inability to pay, but if the court finds that ControlScan misrepresented its financial condition, the entire amount will be payable immediately, less any amounts paid by Stanton.

More information can be found at http://www.ftc.gov/opa/2010/02/controlscan.shtm.

Yesterday, February 25, 2010, the Federal Trade Commission filed notice of appeal to the DC Circuit Court of Appeals to attempt to reverse Judge Walton’s ruling late last year that the FTC cannot require practicing lawyers to comply with the Red Flags Rule.  In August 2009, the American Bar Association challenged the applicability of the Red Flags Rule to lawyers, arguing that it would impose a serious burden on law firms.  At that time, the ABA sought an injunction and declaratory judgment finding that lawyers were not covered. The FTC replied that lawyers should be covered because billing practices, such as charging clients on a monthly basis rather than upfront, made them “creditors” under the plain language of the Red Flags Rule. Judge Walton ruled from the bench in late October and issued his Order and Memorandum Opinion in December.  

Continue reading "FTC Appeals Judge Walton's Decision on Red Flags Rule" »

On February 24, 2010, the Federal Trade Commission (“FTC”) released the “Consumer Sentinel Network Data Book” (“Report”).  This Report includes a listing of the top consumer complaints reported in 2009 to the FTC. 

The top ten complaints for 2009 are:

The Federal Trade Commission (“FTC”) is preparing for the third and final roundtable discussion on privacy.  The first roundtable was held in December 2009 in Washington, DC, to explore privacy implications of developing technology and business practices that collect and use of consumer data.  This event was followed by a second roundtable in Berkley, CA in January 2010.  The discussion in Berkley focused on benefits and risks created by technology and the privacy implications of social networking, cloud computing, and mobile marketing. 

The third roundtable will be held on March 17, 2010 in Washington, DC.  At this event, panelists will discuss the collection and use of “sensitive” information.  In preparation for this roundtable, the FTC has requested comments on the following issues:

• How can we best achieve accountability for best practices or standards for commercial handling of consumer data?  Can consumer access to and correction of their data be made cost effective?  Are there specific accountability or enforcement regimes that are particularly effective? 
• What potential benefits and concerns are raised by emerging business models built around the collection and use of consumer health information?  What, if any, legal protections do consumers expect apply to their personal health information when they conduct online searches, respond to surveys or quizzes, seek medical advice online, participate in chat groups or health networks, or otherwise?
• Should “sensitive” information be treated or handled differently than other consumer information?  How do we determine what information is “sensitive”?  What standards should apply to the collection and uses of such information?  Should information about children and teenagers be subject to different standards and, if so, what should they be? 

For those who cannot join the discussion in person, a live webcast of this conference will be available at the FTC's website. 

On February 24, 2010, the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection and Subcommittee on Communications, Technology, and the Internet will hold a joint hearing on the collection and use of location information for commercial purposes.  This joint hearing is the third on privacy held by these two subcommittees this Congress.  A joint hearing was held in June 2009 to learn about online behavioral advertising practices and to consider whether federal privacy legislation is necessary to address concerns associated with these practices.  A second hearing was held in November 2009 on the online and offline collection and commercial use of consumer information.

The scheduled witnesses for Wednesday’s hearing are:

Lorrie Cranor

Associate Professor

Computer Science and Engineering & Public Policy

Carnegie Mellon University

 

Mike Altschul

Senior Vice President and General Counsel

CTIA – The Wireless Association

 

John B. Morris, Jr.

General Counsel

Center for Democracy and Technology

 

Anne Collier

Connect Safely

 

Jerry King

Chief Operating Officer
uLocate Communications, Inc.

 

Tony Bernard
VP/GM
Useful Networks

These hearings are being held in preparation for introducing privacy legislation.  Rep. Boucher (D-VA), the Chairman of the Subcommittee on Communications, Technology, and the Internet, has stated that he intends to introduce a bill to regulate online collection and use of consumer information.  Privacy legislation is expected soon.

An industry group is launching its response to the FTC's challenge for better self-regulation of behavioral advertising.  In a variety of fora, the FTC has made it clear that it wants to see stronger and more clear disclosures regarding targeted on-line advertising.  The challenge of just how to provide useful information to consumers, who may or may not understand the technologies at issue, has proved problematic to say the least.

The Future of Privacy Forum's answer, reported today in the New York Times, is a new "Power I" symbol that will alert consumers that further information is available regarding the source of the content they are seeing.  The hopes is that this will give consumers the power to understand and shape how their information is used online. 

The open question is whether the Power I will be enough for an FTC that seems uncomfortable with notice and consent (a/k/a contractual) solutions, and seems inclined to regulate in this area of rapidly evolving technologies.  And of course it also remains to be seen whether consumers will view this "Power I" as empowering information, or as a "Power Eye" invading their privacy. 

The full story is over at The New York Times, in the article by Stephanie Clifford, "A Little ‘i’ to Teach About Online Privacy."   

Maine's Democratic state Senator Elizabeth Schneider is expected to introduce a revised bill aimed at protecting the online privacy of minors by the end of the month, Maine Public Broadcasting's A.J. Higgins reports.

The federal Children's Online Privacy Protection Act (COPPA) already protects the privacy of children under 13, but Schneider has expressed concern that COPPA does not do enough to protect all minors from marketing, particularly prescription-drug and health care product marketing on the web.

The new bill in the works will replace controversial legislation previously introduced by Schneider, signed into law and scheduled to enter into force in September 2009. The first bill, which proposed severe restrictions on marketing to anyone under the age of 18, was subject to a barrage of criticism and several legal challenges. Maine attorney general Janet Mills even declared that she would not enforce the law due to constitutional free speech concerns. (My colleague, Deborah Birnbach, and I covered those developments in a November article in Goodwin Procter's Privacy & Data Security Advisory newsletter.)

As a result, Schneider has agreed to draft a more narrowly focused measure, with the specific goal of addressing medical information. It will be interesting to see how the new bill balances the protection of privacy with the free-speech concerns brought up by Mills and other critics. A public hearing on the new bill could be scheduled as early as next month, when the state legislature reconvenes.

• Cecelia Prewett as the Director of the Office of Public Affairs.  Ms. Prewett has a background in communications both in the public and private sector, working for the American Association for Justice, AARP, the State of Illinois, and on Capitol Hill as a communications director to several Members of Congress
• Jessica Rich as Deputy Director in the Bureau of Consumer Protection ("BCP").  Ms. Rich was most recently the Acting Associate Director of the Division of Privacy and Identity Protection in the BCP.  She was formerly an Assistant Director in the same division and the Division of Financial Practices, legal advisor to the Director of the BCP, and staff attorney in one of the FTC's consumer fraud divisions.
• Charles Harwood as Deputy Director in the Bureau of Consumer Protection.  Mr. Harwood previously was the Director of the FTC's Northwest Regional Office in Seattle for 20 years.  Prior to joining the FTC, Mr. Harwood served as a counsel to the U.S. Senate's Committee on Commerce, Science, and Transportation, and the U.S. Department of the Interior's Indian Arts and Crafts Board.
• Norm Armstrong, Jr. as Deputy Director in the Bureau of Competition.  Mr. Armstrong has served as Acting Deputy Direct in the Bureau of Competition, Deputy Assistant Director of the Mergers IV Division, Counsel to the Director, and Liaison to the Department of Defense.
• Joel Winston as Associate Director of the Division of Financial Practices.  Mr. Winston has previously held several positions within the FTC including Associate Director of two divisions, Assistant Director of a division, and Assistant Deputy Director of the BCP.
• Maneesha Mithal as Associate Director of the Division of Privacy and Identity Protection.  Ms. Mithal has previously served as Assistant Director of the same division and Assistant Deputy Director of the BCP.
• Mark Eichorn as Assistant Director of the Division of Privacy and Identity Protection.  Mr. Eichorn has served as an Attorney Advisor to the Chairman and in the Division of Advertising Practices.

• Subcommittee members and witnesses discussed many facets of personal information use for marketing purposes, such as how consumer data is collected, the types of data that businesses collect, consumers' ability to access his or her personal information held by marketers, and consumer education concerning privacy matters.
• Participants discussed elements that could be addressed in future legislation included increasing transparency and choice, consumer education, and providing consumers with a clear statement of their rights--such as the ability to "opt in" and/or "opt out" of having personal data collected.  Witnesses, such as Chris Hoofnagle with the University of California, Berkley - School of Law, encouraged consumer education measures, noting that most consumers are unaware of their obligation to object to data collection practices with which they do not agree, and that many consumers assume that personal information collected by companies is secure--which may not always be the case. 
• Many of the witnesses advocated privacy protection through a self-regulatory scheme, but Subcommittee members countered that self-regulation is ineffective at stopping "bad actors" and comprehensive legislation is necessary to protect consumers from unscrupulous businesses.
• Finally, almost all of the witnesses stressed that legislation should be tailored to meet the needs of different types of businesses and industries, as well as creating different standards to regulate the offline versus online collection and use of personal information. 

• Board of Governors of the Federal Reserve System;
• Commodity Futures Trading Commission;
• Federal Deposit Insurance Corporation;
• Federal Trade Commission;
• National Credit Union Administration;
• Office of the Comptroller of the Currency;
• Office of Thrift Supervision; and
• Securities and Exchange Commission

• Benefits and risks of collecting, using, and retaining consumer data;
• Consumer expectations and disclosures;
• Online behavioral advertising;
• Information brokers; and
• Exploring existing regulatory frameworks

• The FTC should pursue enforcement actions against all businesses involved in unfair privacy practices, not just spyware companies.
• The FTC should use its subpoena power to acquire information about company privacy practices.    
• The Commission should encourage Congress to pass general consumer privacy legislation that would allow the FTC to draft its own set of consumer privacy rules to clarify basic privacy expectations and strengthen privacy protection. 
• The FTC should establish benchmarks and metrics for evaluating company privacy policies, and the Commission should more actively promote the development of privacy-enhancing technology. 

• that the FTC is exceeding its congressionally granted powers under the 2003 law by interpreting its Red Flags Rule to apply to accountants;
• that the FTC has acted arbitrarily, capriciously, and contrary to law by failing to articulate a rational connection between the profession of public accounting and identity theft;
• that the FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an extension of credit; and
• that the FTC failed to identify any legally supportable basis for applying the rule to accountants.

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.  A brief analysis of the changes is available here, and the department's website is expected to post the final version of the regulations this week.

Judge Reggie Walton of the U.S. District Court for the District of Columbia ruled today that the FTC cannot force practicing lawyers to comply with Red Flags Rule.

The FTC's scheduled enforcement date for the Red Flags Rule is November 1. The American Bar Association challenged the Rule's applicability to lawyers arguing that it would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers were not covered. The FTC replied that lawyers should be covered because billing practices, such as charging clients on a monthly basis rather than upfront, made them “creditors” under the plain language of the Rule.  

Judge Walton rejected the FTC’s definition of a creditor stating that under the FTC's interpretation, a plumber who charges a customer after working on a toilet for two days also would be considered a "creditor."  

It is not clear at this point whether the FTC will appeal the decision.

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The financial services agencies' announcement of the final model privacy notice is anticipated in the near future although a draft of the final rule has been circulated.  More information about the model notice is available here.

The Direct Marketing Association (DMA) announced additions to its Guidelines for Ethical Business Practices that address online behavioral advertising (OBA) and mobile marketing.   

The new OBA guidelines are designed to follow the previously-released seven Self-Regulatory Principles adopted by DMA; the Association of National Advertisers; the American Association of Advertising Agencies; the Interactive Advertising Bureau; and the Council of Better Business Bureaus.   

Among the new OBA rules is a requirement that when information is collected from or used on a website for online behavioral advertising purposes, visitors should be provided with notice (easy to find, read, and understand) about the third party’s policies for online behavioral advertising.  The rules also describe methods that third parties should use to provide notice about OBA. 

The mobile marketing sections are described as an expansion of DMA’s existing guidelines for wireless communications and require, among other things, prior express consent for mobile marketing.  

A press release announcing and linking to the guidelines is available at: http://www.the-dma.org/cgi/disppressrelease?article=1357

The FTC announced a settlement with Inconix Brand Group under which Iconix will pay a $250,000 civil penalty to settle FTC allegations that the company violated the Children's Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents’ permission. 

Iconix owns, licenses, and markets (offline and on its websites) apparel brands including Mudd, Candie’s, Bongo, and OP. The FTC alleged that Iconix required consumers on certain of its websites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number – as well as date of birth – in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other website features. On one website, MyMuddWorld.com, Iconix also allegedly enabled girls to publicly share personal stories and photos online. The FTC alleged that in connection with certain of these sites, since 2006, Iconix knowingly collected and stored personal information from approximately 1,000 children without first notifying their parents or obtaining parental consent in violation of COPPA.

Information about the settlement can be found on the FTC’s website, at: http://www.ftc.gov/opa/2009/10/iconix.shtm.