
November 30, 2009

FTC Senior Staff Appointments

The FTC has announced the appointments of several senior staff at the Commission:
  • Cecelia Prewett as the Director of the Office of Public Affairs.  Ms. Prewett has a background in communications in both the public and private sectors, working for the American Association for Justice, AARP, the State of Illinois, and on Capitol Hill as a communications director to several Members of Congress.
  • Jessica Rich as Deputy Director in the Bureau of Consumer Protection ("BCP").  Ms. Rich was most recently the Acting Associate Director of the Division of Privacy and Identity Protection in the BCP.  She was formerly an Assistant Director in the same division and the Division of Financial Practices, legal advisor to the Director of the BCP, and staff attorney in one of the FTC's consumer fraud divisions.
  • Charles Harwood as Deputy Director in the Bureau of Consumer Protection.  Mr. Harwood previously was the Director of the FTC's Northwest Regional Office in Seattle for 20 years.  Prior to joining the FTC, Mr. Harwood served as a counsel to the U.S. Senate's Committee on Commerce, Science, and Transportation, and the U.S. Department of the Interior's Indian Arts and Crafts Board.
  • Norm Armstrong, Jr. as Deputy Director in the Bureau of Competition.  Mr. Armstrong has served as Acting Deputy Director in the Bureau of Competition, Deputy Assistant Director of the Mergers IV Division, Counsel to the Director, and Liaison to the Department of Defense.
  • Joel Winston as Associate Director of the Division of Financial Practices.  Mr. Winston has previously held several positions within the FTC including Associate Director of two divisions, Assistant Director of a division, and Assistant Deputy Director of the BCP.
  • Maneesha Mithal as Associate Director of the Division of Privacy and Identity Protection.  Ms. Mithal has previously served as Assistant Director of the same division and Assistant Deputy Director of the BCP.
  • Mark Eichorn as Assistant Director of the Division of Privacy and Identity Protection.  Mr. Eichorn has served as an Attorney Advisor to the Chairman and in the Division of Advertising Practices.

November 24, 2009

Consumer Advocates and Pharmacists' Group Request FTC and HHS Investigation of Possible Violation of Health Privacy Rules

The National Community Pharmacists Association (NCPA) and seven consumer advocacy groups have requested that the FTC and the Department of Health and Human Services investigate activities by CVS Caremark that may violate HIPAA.  In a letter filed with the FTC and HHS, the organizations alleged that CVS Caremark used health information in violation of health privacy and antitrust laws.  CVS Caremark was created from the 2007 merger of the pharmacy CVS and the pharmacy benefits manager Caremark Corp.  The letter alleges, among other things, that CVS Caremark uses the information it obtains from non-CVS pharmacies through its pharmacy benefits management program to market the CVS mail-order pharmacy and CVS in-store pharmacy programs to those consumers--an inappropriate use of protected health information.
 
CVS Caremark recently settled an action with the FTC regarding its data security practices.
 
Additional coverage of the story is available here.

November 23, 2009

House Subcommittees Hold Hearing to Address Potential Privacy Legislation

On November 19, 2009, the House Subcommittee on Commerce, Trade, and Consumer Protection and the House Subcommittee on Communications, Technology, and the Internet conducted a hearing entitled "Exploring the Offline and Online Collection and Use of Consumer Information."  The hearing focused primarily on the collection, dissemination, and use of personal information from both online and offline sources, as well as exploring privacy issues that should be addressed by future legislation.  Highlights of the hearing included:
  • Subcommittee members and witnesses discussed many facets of personal information use for marketing purposes, such as how consumer data is collected, the types of data that businesses collect, consumers' ability to access their personal information held by marketers, and consumer education concerning privacy matters.
  • Participants discussed elements that could be addressed in future legislation, including increasing transparency and choice, consumer education, and providing consumers with a clear statement of their rights--such as the ability to "opt in" and/or "opt out" of having personal data collected.  Witnesses, such as Chris Hoofnagle with the University of California, Berkeley - School of Law, encouraged consumer education measures, noting that most consumers are unaware of their obligation to object to data collection practices with which they do not agree, and that many consumers assume that personal information collected by companies is secure--which may not always be the case.
  • Many of the witnesses advocated privacy protection through a self-regulatory scheme, but Subcommittee members countered that self-regulation is ineffective at stopping "bad actors" and comprehensive legislation is necessary to protect consumers from unscrupulous businesses.
  • Finally, almost all of the witnesses stressed that legislation should be tailored to meet the needs of different types of businesses and industries, and should create different standards to regulate the offline versus online collection and use of personal information.
In a separate interview, Chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, Bobby Rush (D-IL), indicated that a draft privacy bill would not be circulated before the end of the year. 

November 18, 2009

House Committee Holds Hearing on Collection and Use of Consumer Information

On Thursday, November 19, 2009 at 10 a.m., the House Subcommittee on Commerce, Trade, and Consumer Protection and the House Subcommittee on Communications, Technology, and the Internet will hold a hearing, "Exploring the Offline and Online Collection and Use of Consumer Information," to examine the collection and commercial use of consumer data in both online and offline environments.  The hearing is scheduled to take place in room 2123 of the Rayburn House Office Building and will also be broadcast live through a video Webcast available on the Committee on Energy and Commerce's website and shown live on C-SPAN.
 
Witnesses for tomorrow's hearing include George Pappachen from Kantar/WPP; Jennifer Barrett from Acxiom; Chris Hoofnagle from the University of California, Berkeley--School of Law; Zoe Strickland from Wal-Mart Stores Inc.; Michelle Bougie from LearningResources.com and EducationalInsights.com; and Pam Dixon from World Privacy Forum.  More information on the hearing can be found here.

November 17, 2009

Federal Agencies Release Model Privacy Notice Form

Eight federal regulatory agencies announced the release of a final model privacy notice form.  The model privacy form is designed to help consumers understand how their information is collected and shared by financial institutions.  The model privacy form complies with the requirements for a financial institution to notify consumers of the institution's information sharing practices and provide consumers with an opportunity to opt out of certain practices pursuant to the Gramm-Leach-Bliley (GLB) Act.
 
The model privacy form uses plain language in a user-friendly format.  The agencies have developed a Model Privacy Form - Opt Out and a Model Privacy Form - No Opt Out.
 
The model privacy form was developed by:
  • Board of Governors of the Federal Reserve System;
  • Commodity Futures Trading Commission;
  • Federal Deposit Insurance Corporation;
  • Federal Trade Commission;
  • National Credit Union Administration;
  • Office of the Comptroller of the Currency;
  • Office of Thrift Supervision; and
  • Securities and Exchange Commission.
A copy of the GLB Model Privacy Form Rule is available here.

FTC Announces Agenda for First Privacy Roundtable

The FTC has announced the agenda for the first of three privacy roundtables the Commission will host to discuss the privacy challenges posed by current technology and business practices that collect and use consumer data.

On December 7, 2009, at the FTC Conference Center in Washington, DC, panelists will discuss:
  • Benefits and risks of collecting, using, and retaining consumer data;
  • Consumer expectations and disclosures;
  • Online behavioral advertising;
  • Information brokers; and
  • Exploring existing regulatory frameworks.
The roundtable will also be available via live webcast.

The FTC has also announced that the second roundtable will be held at the University of California, Berkeley, School of Law on January 28, 2010.

General information about the series of roundtables is available here.

Brill and Ramirez to be Nominated For FTC Commissioners

President Obama has selected Julie Brill and Edith Ramirez to serve on the Federal Trade Commission.  Brill is currently the Senior Deputy Attorney General and Chief of Consumer Protection and Antitrust for the North Carolina Department of Justice, a position she has held since February 2009.  Prior to working with the North Carolina DOJ, Brill was an Assistant Attorney General for the State of Vermont.  Ramirez is currently a Partner with the law firm Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles and focuses her practice on issues including copyright and trademark infringement, antitrust, and unfair competition.  Ramirez has represented companies including Mattel, American Broadcasting Companies, and The Walt Disney Company.
 
If confirmed by the Senate, Brill and Ramirez will fill the two vacant spots on the Commission created when Deborah Majoras left the FTC in March 2008 and Pamela Jones Harbour's term ended this September.  Brill and Ramirez would each serve a seven-year term.
 
Additional information about Brill and Ramirez is available here.

November 12, 2009

EU Council Approves Law Regulating Cookies

The Council of the European Union approved a Directive that would require online entities to obtain web users' consent before using Internet cookies.  The Directive is technology neutral and focuses on the storage/access to information on web users' equipment.  It would require subscriber/user consent in response to being provided clear and comprehensive information before using cookies, except when storage/access to a user's device is "strictly necessary" to provide the service requested by the user.  The Directive would amend the existing EU telecom law that permits the use of cookies upon notice to web users and the opportunity to opt out, and would go into effect within the next 18 months.
 
The Directive could have a significant impact on the online advertising industry, which commonly uses cookies for ad serving, and may also impact the use of cookies for web analytics.  Various consent mechanisms, including the option of obtaining consent via the settings on a user's web browser, may satisfy the requirements.
 
An article about the Directive is available here.  Commenters have raised serious concerns about the application of these provisions of the Directive.
 
A full copy of the Directive is available here.

CDT Submits Comments for FTC Consumer Privacy Roundtable

The Center for Democracy and Technology (CDT) has submitted comments for the Federal Trade Commission's (FTC) public roundtable discussions exploring the privacy challenges created by current and emerging technology, and business practices that involve the collection and use of consumer data.  The first in this series of FTC roundtable discussions will take place on December 7, 2009.  The CDT has urged the FTC to use these roundtable discussions to create a full set of fair information practice principles (FIPs) for a stronger privacy protection framework.  The CDT also made specific recommendations to improve privacy protection in the 21st century.
  • The FTC should pursue enforcement actions against all businesses involved in unfair privacy practices, not just spyware companies.
  • The FTC should use its subpoena power to acquire information about company privacy practices.    
  • The Commission should encourage Congress to pass general consumer privacy legislation that would allow the FTC to draft its own set of consumer privacy rules to clarify basic privacy expectations and strengthen privacy protection. 
  • The FTC should establish benchmarks and metrics for evaluating company privacy policies, and the Commission should more actively promote the development of privacy-enhancing technology. 
The CDT's full comments can be found here.

November 11, 2009

AICPA Challenges Application of FTC's Red Flags Rule to CPAs

The American Institute of Certified Public Accountants ("AICPA") challenged application of the Federal Trade Commission's Red Flags Rule to accountants.  In its lawsuit, filed in U.S. District Court for the District of Columbia, the AICPA alleges:
  • that the FTC is exceeding its congressionally granted powers under the 2003 law by interpreting its Red Flags Rule to apply to accountants;
  • that the FTC has acted arbitrarily, capriciously, and contrary to law by failing to articulate a rational connection between the profession of public accounting and identity theft;
  • that the FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an extension of credit; and
  • that the FTC failed to identify any legally supportable basis for applying the rule to accountants.
The AICPA's challenge follows the recent ruling by the U.S. District Court for the District of Columbia that the Red Flags Rule is not applicable to lawyers.

Coverage of the lawsuit is available here.

November 6, 2009

Senate Judiciary Committee Approves Data Privacy Bills

Yesterday the Senate Judiciary Committee passed two bills that would require businesses and government agencies to adopt data security measures and provide notices of breaches.
Those bills include:
  • The Personal Data Privacy and Security Act of 2009 (S. 1490), which would increase criminal penalties for identity theft involving electronic personal data and would make it a crime to intentionally or willfully conceal a security breach involving personal data.  It also would impose requirements on commercial data brokers, require entities that maintain personal data to notify individuals and law enforcement in the event of a breach, and require development of rules protecting privacy and security when the government uses information from commercial data brokers.
  • The Data Breach Notification Act (S. 139), which would impose customer notification requirements on agencies or business entities that suffer a security breach involving personal information.
Information about the bills can be accessed on the Committee’s webpage at: http://judiciary.senate.gov/

An article about this development is available at: http://www.computerworld.com/s/article/9140408/Federal_data_protection_law_inches_forward

November 3, 2009

Massachusetts Regulator Revises Information Security Requirements

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.  A brief analysis of the changes is available here, and the department's website is expected to post the final version of the regulations this week.