Header graphic for print

Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Another Court Finds That an Automated SMS Platform is Not an ATDS

Posted in Litigation, United States

By Ani Gevorkian

Last week, the U.S. District Court for the Southern District of California issued an opinion regarding the definition of  an “Automatic Telephone Dialing System” (“ATDS”) under the Telephone Consumer Protection Act (“TCPA”).  The opinion follows a small but growing number of cases holding that courts have their own ability to interpret the statutory definition of ATDS and need not follow the Federal Communication Commission’s interpretation of that term.

The case, Marks v. Crunch San Diego, involved a class action suit against gym-operator Crunch San Diego (“Crunch”) for its use of a third-party web-based platform to send promotional text messages to current and prospective member mobile phones.  The plaintiff claimed he had received three unwanted text messages from Crunch over the course of about a month, in violation of the TCPA.  The motion for summary judgment turned on the issue of whether the platform Crunch used could be classified as an ATDS.  The court held that it could not.

Continue Reading

California Attorney General’s Second Annual Data Breach Report Finds Dramatic Increase in Number of Data Breaches

Posted in State Legislatures, United States

By Randall Friedland

California Attorney General Kamala D. Harris yesterday released the second annual California Data Breach Report.   The report provided statistics and analysis related to data breaches that were reported to the Attorney General’s office in 2013.  The report also outlined suggested best practices and provided recommendations on ways to improve data security.


The report documented a clear upward trend in both the number of data breaches and those affected by such breaches.  For instance, in 2013, there were 167 data breaches reported in California, which is an increase of over 28 percent from the 131 data breaches reported in 2012.  Additionally, the records containing personal information of over 18.5 million California residents were compromised in 2013—a 600 percent increase from the previous year.  Even if the two largest data breaches involving retailers were excluded from this calculation, California still experienced a 35 percent increase in the number of records affected by data breaches.  Continue Reading

FTC Says AT&T Fails to Deliver on ‘Unlimited’ Data Promises

Posted in Federal Trade Commission

Yesterday, the Federal Trade Commission (FTC) filed a complaint against AT&T alleging that the company misled consumers by limiting its “unlimited” data plan for mobile customers.

The FTC’s two-count complaint, which was filed in the U.S. District Court for the Northern District of California, alleges that AT&T violated Section 5 of the FTC Act, which prohibits “unfair or deceptive” trade practices, by imposing significant data speed restrictions on unlimited data plan customers and failing to disclose this practice to customers.

Continue Reading

Whisper’s Privacy Problem: Sen. Rockefeller Pushes for Probe While Editorial Team Is Suspended Pending Review

Posted in Congress, United States

Following the Guardian’s recent exposé on Whisper’s consumer-privacy practices, alleging that the social-media app that supposedly allows people “to anonymously share [their] thoughts with the world . . . in a community built around trust and honesty,” in fact tracks the geolocation of users who opted out of such data collection, Chairman of the Senate Commerce Committee John D. Rockefeller IV (D-WV) has made an inquiry into the company’s practices and policies.  Specifically, Rockefeller has requested from Whisper a staff briefing on the following issues:

  1. Whether and how Whisper has tracked the location of users who opted out of geolocation services, and if it has, how Whisper has used that data.
  2. The extent to which Whisper retains user data and where user data is processed and maintained.
  3. Whisper’s data sharing with third parties, including when and how those practices have changed over time.
  4. Whisper’s practices of notifying users about the company’s privacy and data-security policies pertaining to user data, and any changes to those policies.

Rockefeller’s inquiry appears to be a direct result of the Guardian’s reporting, which is cited throughout the Senator’s letter to Whisper and mentioned as a “recent media account[ ]” that has “raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy.”  As we’ve previously reported, Rockefeller has been a long-time and ardent advocate for stronger consumer-privacy protections.  Most recently, before focusing on Whisper specifically, Rockefeller has been active on the hot topics of data breach and big data as it relates to the practices of data brokers.

For its part, Whisper has published numerous separate responses, through various channels and company representatives, attempting to address with the public the Guardian’s accusations.  These include two statements from the company’s co-founder and CEO Michael Heyward, entitled “What Whisper Is All About” and “Setting The Record Straight,” and the first full statement from Whisper’s editor-in-chief Neetzan Zimmerman.  Initially, Zimmerman also had taken to Twitter to respond in a piecemeal fashion to the allegations.  In the wake of Rockefeller’s request for more information about the company’s privacy practices, however, as mentioned in his most recent response, Heyward has placed members of Whisper’s editorial team on administrative leave pending the results of an internal review.

FCC Expands Application of Customer Privacy Provisions with $10 Million Fine Against Carriers

Posted in Federal Communications Commission

By Caleb Skeath

Last Friday, the FCC announced that it intends to fine two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — a total of $10 million for failing to protect certain customer data.  According to the FCC, the two carriers, which provide discount phone services to low-income individuals, posted customer “proprietary information” on unprotected Internet servers that were accessible by the public.  The fine, approved by a 3-2 vote, represents the largest privacy action in FCC history, eclipsing a $7.4 million fine handed down to Verizon in early September for failing to provide customers with required notices about Verizon’s use of Customer Proprietary Network Information (“CPNI”).

Continue Reading

Covington Selected to Lead Panel at #SXSW 2015

Posted in Privacy Policies

Covington has been selected to host a panel and privacy-by-design bootcamp at the 2015 South by Southwest (“SXSW”) Interactive Festival, which will take place next March 13-17.  The panel will be led by Covington associates Libbie Canter and Meena Harris, both members of the firm’s Privacy and Data-Security practice group.  With more than 4,500 entries received in 2013, SXSW has noted that the selection process is “extremely competitive.”  Our team is thrilled to have made the cut.  Stay tuned for more details and coverage of SXSW 2015 on the blog.

Privacy Weekend: Provocative Articles We’re Reading Now

Posted in Privacy Weekend

As readers of the InsidePrivacy blog know, we often save some fun reading on privacy issues for the weekend, given the crush of business during the week.  The past couple of weeks have been a challenging time for the Internet, though, and our thoughts have turned to the darker side of anonymity and privacy.  The scourge of the so-called #GamerGate movement has resulted in stunning threats of violence against women in the gaming community, causing Brianna Wu and Zoe Quinn to leave their homes after a barrage of threats, and media critic Anita Sarkeesian being forced to cancel a public presentation because of a death threat.  Civility online is under siege, and cyberthreats against women seem to be escalating.  Can anything be done?

Fortunately, Maryland law professor Danielle Citron’s new book, Hate Crimes in Cyberspace, has arrived at just the right moment.  Danielle’s work provides a thorough exposition of the problem and clear-minded thinking about potential solutions.  It’s the perfect weekend reading for those, like this writer, who feel a need to find solutions and restore hope in the potential of online discourse.  If you haven’t picked up Danielle’s book yet, there are excellent reviews of it here and here.  It is insightful and thoughtful, and a wonderful contribution to our thinking on these essential issues. Continue Reading

European Parliament Nominates New European Data Protection Supervisor

Posted in Uncategorized

On October 21, 2014, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) voted the Italian Giovanni Buttarelli as top candidate for the post of European Data Protection Supervisor (EDPS).  Mr. Buttarelli spent the last five years as Assistant Supervisor to the current  EDPS, Mr. Peter Hustinx. 

Referred to as the “privacy watchdog”, the EDPS’ main objective is ensuring that the European institutions, bodies, agencies and offices respect the privacy of citizen data.  With the European Union’s rules on personal data protection currently under review, this institution is expected to play an increasingly prominent role in European policy.

The European Parliament and the EU Council of Ministers appoint the EDPS and the Assistant Supervisor “by common accord” for a five-year term, on the basis of a candidate list proposed by the European Commission.  Following interviews of five candidates on October 20th, Mr. Buttarelli received 34 votes in the LIBE Committee, making him the top candidate for the job, and leaving behind other high-level EU privacy experts (the Committee’s shortlist of preferences can be accessed here).  The Pole Wojciech Wiewiorowski, head of the Polish Data Protection Authority, was nominated for the position of  Assistant Supervisor.  The Committee’s nominations will be voted on by the Parliament’s plenary session, and subsequently by the EU Council.

EU Confirms New Heads of the European Commission – But Who Will Drive Data Protection Reforms?

Posted in European Union, International

 By Philippe Bradley-Schmieg 

The European Parliament voted yesterday (October 22, 2014) to approve the President of the European Commission’s selections for his team of European Commissioners.

Jean-Claude Juncker’s picks received strong endorsement from MEPs, with 423 in favour, 209 against, and 67 abstentions.  Even so, he was forced to amend his proposal ahead of the vote after a few of his first picks failed to win over hostile MEPs during Parliamentary confirmation hearings.

The new Commissioners will take office on Monday, November 3rd, although questions remain over the division of authority within the new Commission with respect to privacy and data protection.

As recently previewed on this blog, Jean-Claude Juncker has set up a complex structure of overlapping portfolios, in the hope that this will, he says, lead the Commission to “work together as a strong team, cooperating across portfolios to produce integrated, well-grounded and well-explained initiatives that lead to clear results.” Continue Reading

CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions

Posted in Financial Institutions, Financial Privacy, Privacy Policies

By Ani Gevorkian

On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million dollars.  The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually.  The rule will be effective as soon as it is published in the Federal Register. 

Under the Gramm-Leach-Bliley Act (GBLA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information.  An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.

Under the new rule, a financial institution may meet GBLA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements.  For instance, the institution may not share data in ways that trigger customers’ opt-out rights.  They must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice. Continue Reading