By Ani Gevorkian
Last week, the U.S. District Court for the Southern District of California issued an opinion regarding the definition of an “Automatic Telephone Dialing System” (“ATDS”) under the Telephone Consumer Protection Act (“TCPA”). The opinion follows a small but growing number of cases holding that courts have their own ability to interpret the statutory definition of ATDS and need not follow the Federal Communications Commission’s interpretation of that term.
The case, Marks v. Crunch San Diego, involved a class action suit against gym-operator Crunch San Diego (“Crunch”) for its use of a third-party web-based platform to send promotional text messages to current and prospective member mobile phones. The plaintiff claimed he had received three unwanted text messages from Crunch over the course of about a month, in violation of the TCPA. The motion for summary judgment turned on the issue of whether the platform Crunch used could be classified as an ATDS. The court held that it could not.
By Randall Friedland
California Attorney General Kamala D. Harris yesterday released the second annual California Data Breach Report. The report provided statistics and analysis related to data breaches that were reported to the Attorney General’s office in 2013. The report also outlined suggested best practices and provided recommendations on ways to improve data security.
The report documented a clear upward trend in both the number of data breaches and those affected by such breaches. For instance, in 2013, there were 167 data breaches reported in California, which is an increase of over 28 percent from the 131 data breaches reported in 2012. Additionally, the records containing personal information of over 18.5 million California residents were compromised in 2013—a 600 percent increase from the previous year. Even if the two largest data breaches involving retailers were excluded from this calculation, California still experienced a 35 percent increase in the number of records affected by data breaches.
Yesterday, the Federal Trade Commission (FTC) filed a complaint against AT&T alleging that the company misled consumers by limiting its “unlimited” data plan for mobile customers.
The FTC’s two-count complaint, which was filed in the U.S. District Court for the Northern District of California, alleges that AT&T violated Section 5 of the FTC Act, which prohibits “unfair or deceptive” trade practices, by imposing significant data speed restrictions on unlimited data plan customers and failing to disclose this practice to customers.
Following the Guardian’s recent exposé on Whisper’s consumer-privacy practices, alleging that the social-media app that supposedly allows people “to anonymously share [their] thoughts with the world . . . in a community built around trust and honesty,” in fact tracks the geolocation of users who opted out of such data collection, Chairman of the Senate Commerce Committee John D. Rockefeller IV (D-WV) has made an inquiry into the company’s practices and policies. Specifically, Rockefeller has requested from Whisper a staff briefing on the following issues:
- Whether and how Whisper has tracked the location of users who opted out of geolocation services, and if it has, how Whisper has used that data.
- The extent to which Whisper retains user data and where user data is processed and maintained.
- Whisper’s data sharing with third parties, including when and how those practices have changed over time.
- Whisper’s practices of notifying users about the company’s privacy and data-security policies pertaining to user data, and any changes to those policies.
For its part, Whisper has published numerous separate responses, through various channels and company representatives, attempting to address with the public the Guardian’s accusations. These include two statements from the company’s co-founder and CEO Michael Heyward, entitled “What Whisper Is All About” and “Setting The Record Straight,” and the first full statement from Whisper’s editor-in-chief Neetzan Zimmerman. Initially, Zimmerman also had taken to Twitter to respond in a piecemeal fashion to the allegations. In the wake of Rockefeller’s request for more information about the company’s privacy practices, however, as mentioned in his most recent response, Heyward has placed members of Whisper’s editorial team on administrative leave pending the results of an internal review.
By Caleb Skeath
Last Friday, the FCC announced that it intends to fine two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — a total of $10 million for failing to protect certain customer data. According to the FCC, the two carriers, which provide discount phone services to low-income individuals, posted customer “proprietary information” on unprotected Internet servers that were accessible by the public. The fine, approved by a 3-2 vote, represents the largest privacy action in FCC history, eclipsing a $7.4 million fine handed down to Verizon in early September for failing to provide customers with required notices about Verizon’s use of Customer Proprietary Network Information (“CPNI”).
Covington has been selected to host a panel and privacy-by-design bootcamp at the 2015 South by Southwest (“SXSW”) Interactive Festival, which will take place next March 13-17. The panel will be led by Covington associates Libbie Canter and Meena Harris, both members of the firm’s Privacy and Data-Security practice group. With more than 4,500 entries received in 2013, SXSW has noted that the selection process is “extremely competitive.” Our team is thrilled to have made the cut. Stay tuned for more details and coverage of SXSW 2015 on the blog.
As readers of the InsidePrivacy blog know, we often save some fun reading on privacy issues for the weekend, given the crush of business during the week. The past couple of weeks have been a challenging time for the Internet, though, and our thoughts have turned to the darker side of anonymity and privacy. The scourge of the so-called #GamerGate movement has resulted in stunning threats of violence against women in the gaming community, causing Brianna Wu and Zoe Quinn to leave their homes after a barrage of threats, and media critic Anita Sarkeesian being forced to cancel a public presentation because of a death threat. Civility online is under siege, and cyberthreats against women seem to be escalating. Can anything be done?
Fortunately, Maryland law professor Danielle Citron’s new book, Hate Crimes in Cyberspace, has arrived at just the right moment. Danielle’s work provides a thorough exposition of the problem and clear-minded thinking about potential solutions. It’s the perfect weekend reading for those, like this writer, who feel a need to find solutions and restore hope in the potential of online discourse. If you haven’t picked up Danielle’s book yet, there are excellent reviews of it here and here. It is insightful and thoughtful, and a wonderful contribution to our thinking on these essential issues.
On October 21, 2014, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) voted to put forward Giovanni Buttarelli of Italy as its top candidate for the post of European Data Protection Supervisor (EDPS). Mr. Buttarelli spent the last five years as Assistant Supervisor to the current EDPS, Mr. Peter Hustinx.
Referred to as the “privacy watchdog”, the EDPS’ main objective is ensuring that the European institutions, bodies, agencies and offices respect the privacy of citizen data. With the European Union’s rules on personal data protection currently under review, this institution is expected to play an increasingly prominent role in European policy.
The European Parliament and the EU Council of Ministers appoint the EDPS and the Assistant Supervisor “by common accord” for a five-year term, on the basis of a candidate list proposed by the European Commission. Following interviews of five candidates on October 20th, Mr. Buttarelli received 34 votes in the LIBE Committee, making him the top candidate for the job, and leaving behind other high-level EU privacy experts (the Committee’s shortlist of preferences can be accessed here). The Pole Wojciech Wiewiorowski, head of the Polish Data Protection Authority, was nominated for the position of Assistant Supervisor. The Committee’s nominations will be voted on by the Parliament’s plenary session, and subsequently by the EU Council.
By Philippe Bradley-Schmieg
The European Parliament voted yesterday (October 22, 2014) to approve the President of the European Commission’s selections for his team of European Commissioners.
Jean-Claude Juncker’s picks received strong endorsement from MEPs, with 423 in favour, 209 against, and 67 abstentions. Even so, he was forced to amend his proposal ahead of the vote after a few of his first picks failed to win over hostile MEPs during Parliamentary confirmation hearings.
The new Commissioners will take office on Monday, November 3rd, although questions remain over the division of authority within the new Commission with respect to privacy and data protection.
As recently previewed on this blog, Jean-Claude Juncker has set up a complex structure of overlapping portfolios, in the hope that this will, he says, lead the Commission to “work together as a strong team, cooperating across portfolios to produce integrated, well-grounded and well-explained initiatives that lead to clear results.”
By Ani Gevorkian
On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million. The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually. The rule will be effective as soon as it is published in the Federal Register.
Under the Gramm-Leach-Bliley Act (GLBA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information. An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.
Under the new rule, a financial institution may meet GLBA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements. For instance, the institution may not share data in ways that trigger customers’ opt-out rights. It must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.