FTC Approves New COPPA Safe-Harbor Program

The Federal Trade Commission on Feb. 24 announced it had approved a new safe-harbor program for online services that are subject to the Children’s Online Privacy Protection Act (COPPA), a federal law that regulates the online collection of personal information from children under 13. Under COPPA and the FTC’s implementing rule, online services that comply with FTC-approved, industry-developed safe-harbor programs generally are considered by the FTC to be compliant with COPPA. Approval requires an FTC determination that the proposed safe-harbor program will provide at least as much protection as the FTC rule and will be able to encourage and monitor compliance effectively.

The newly approved safe-harbor program, run by Aristotle International, Inc., is the fifth such program approved by the FTC.  The program sets out requirements for the format and content of participants’ privacy policies, parental notices, and procedures for obtaining verifiable parental consent. Among other provisions, COPPA requires websites and other online services that are directed at children or that have actual knowledge that a user is a child to notify a parent and obtain the parent’s verifiable consent before collecting, using, or disclosing personal information from a child.

Court Won't Undo Dismissal of In re Facebook Privacy Litigation

Last week, Judge Ware of the Northern District of California denied a motion to amend his November 2011 dismissal, with prejudice, in In re Facebook Privacy Litigation, a case in which plaintiffs had argued that Facebook improperly transmitted users’ personal information, including User ID numbers or usernames, to third-party advertisers.

In his most recent Order, Judge Ware reaffirmed his prior holding that plaintiffs had not stated a claim under the Stored Communications Act (“SCA”) based on an exception to the statute that allows a service provider to divulge the contents of a communication to, or with the lawful consent of, “an addressee or intended recipient” of the communication.

No Federal Court Jurisdiction to Review FTC Enforcement of Google Buzz Consent Decree, Judge Rules

An action brought by the Electronic Privacy Information Center (“EPIC”) asking that the FTC be compelled to enforce its Google Buzz consent order (previously described, here) was dismissed by Judge Amy Berman Jackson of the United States District Court for the District of Columbia, who held that “enforcement decisions are committed to agency discretion and are not subject to judicial review.”

EPIC contended that Google’s announced changes to its user privacy policies for all of its services, scheduled to take effect on March 1, 2012, would violate various portions of the consent order Google reached with the FTC regarding its former social networking service Google Buzz by “altering the use of personal information” obtained by users and “consolidat[ing] user data from across [Google’s] services and creat[ing] a single merged profile for each user.”

Q&A Regarding Proposed Reforms to European Data Protection Framework

As we have previously posted, on January 25, 2012, the European Commission proposed comprehensive measures to reform the European data protection framework.  Among other things, the proposal would impose restrictions on the processing of personal data relating to children; create a breach notification requirement in the EU; require organizations employing 250 or more persons to designate a data protection officer; and increase the sanctions for data protection violations to up to two percent of an organization’s worldwide revenue.  The proposal also would expand the scope of the European data protection framework to non-EU companies that either process data pertaining to individuals residing in the EU to whom they offer goods or services or whose activities serve to monitor the behavior of such individuals.

Earlier this month, Covington lawyers hosted a webinar to discuss significant proposed reforms to the European data protection framework that have been put forward by the European Commission.  We received a number of excellent questions from those participating in the webinar.  Please click below to read the answers that Covington lawyers provided to these questions.

EU Court Rules that Forcing Social Networks to Monitor the Internet Infringes Right to Privacy

In a judgment laid down on 16 February 2012 in the Case 360/10 Sabam v. Netlog, the Court of Justice of the European Union (CJEU) ruled that EU national courts cannot issue injunctions forcing social networks to monitor their sites for illegal file-sharing because such injunctions would not strike a fair balance between the rights of intellectual property holders, on the one hand, and the rights of social network users to privacy and freedom to receive or impart information, on the other.

The ruling was a response to a request for a preliminary ruling by a Belgian court in a case involving music royalties collecting society, SABAM, and a social networking platform, Netlog.  SABAM had claimed that Netlog’s platform was being used to make music and audiovisual copyright works available to the public without SABAM’s consent and without Netlog paying it any fees.  SABAM sought an injunction under European copyright laws that would have required Netlog to introduce a filtering system to monitor illegal file-sharing by its users. 

The Belgian court referred the case to the CJEU, asking the Court to rule on whether the fundamental rights to privacy and freedom of expression, which are enshrined in the EU Charter of Fundamental Rights, would prevent national courts from issuing such injunctions.

The CJEU held that a system which would filter most of the information stored on a social network’s servers, in order to identify and block on those servers electronic files containing copyright works, would not only result in a serious infringement of the freedom to conduct business, but would also infringe the social network users’ right to privacy, because such a system would involve the identification, systematic analysis and processing of personal data connected with the user profiles.  The injunction could also potentially undermine the freedom of information, since the filtering system might not adequately distinguish between unlawful content and lawful content, possibly resulting in the blocking of lawful communications.

White House Releases "Consumer Privacy Bill of Rights"

The White House released a report today containing its “Consumer Privacy Bill of Rights,” referring to the new privacy framework as a “comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.”  The report is entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” and it outlines a plan for implementing the Consumer Privacy Bill of Rights that calls for the cooperation of industry, Congress, and international stakeholders.

The Consumer Privacy Bill of Rights identifies seven fundamental principles that apply to personal data, which is defined as “any data, including aggregations of data, that is linkable to a specific individual.”  Those principles are individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability.

The report asks companies to work with federal agencies such as the Department of Commerce and the Federal Trade Commission to develop enforceable codes of conduct that adhere to the new Bill of Rights.  If companies voluntarily agree to abide by such codes, the report suggested, violations of the codes could be construed as deceptive or unfair trade practices under Section 5 of the FTC Act.  Congress is called on to enact comprehensive privacy legislation that embodies the proposed principles.  The report also sets forth a plan for promoting interoperability, which includes developing a streamlined approach to regulating companies that transfer personal data across borders.

The report is the product of a comprehensive review of national privacy policy in an Internet economy.  The Commerce Department’s Internet Policy Task Force began the review in 2010.

Court Dismisses Claims Against Pharmacy for Selling Customers' Medical Information

Judge Mary McLaughlin of the Eastern District of Pennsylvania recently dismissed a class action complaint brought against CVS Pharmacy and CVS Caremark for selling information provided by prescription drug purchasers.  Notably, in its decision in Steinberg v. CVS Caremark Corp., the court found that information on a customer’s prescription drug and medical history “carries with it no compensable value at the individual level.”  

The plaintiffs, on behalf of a class of Pennsylvania prescription drug purchasers, brought claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law and for unjust enrichment and invasion of privacy.  The UTPCPL claim was based on defendants’ representations that they did not share customer information in violation of federal or state law.  Plaintiffs alleged that the defendants’ sale of information violated HIPAA, even though they conceded that the information the defendants sold was “de-identified.”  The information consisted of medical history, prescription drugs dispensed, dates of prescriptions, diagnoses, and physician names, but not of patient names, birth dates, or Social Security numbers. 

Plaintiffs argued, however, that the information shared could be “re-identified,” or associated with a specific person in violation of HIPAA.  The court found plaintiffs’ generalized warning of re-identification insufficient to show a HIPAA violation without demonstrating how the threat applied in the circumstances of the case: “The Court was referred to the name of an article in an academic journal discussing risks associated with re-identification of data, but counsel did not explain how or whether the theory applied to this case.” 

In the end, the court dismissed all three claims, determining that “the defendants neither sold information entitled to legal protection nor made any misrepresentations on which the plaintiffs justifiably relied . . . .”  Moreover, “the information the defendants sold to third parties does not carry a compensable value to the plaintiffs or constitute an invasion of privacy.”  The court also dismissed the claims with prejudice, finding that the plaintiffs had not presented a viable alternate theory of recovery.

Mobile Platforms Agree to Require Apps to Display Privacy Policies

Yesterday California Attorney General Kamala D. Harris announced an agreement she forged among Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion to ensure that mobile device apps that collect personal information contain privacy policies.  The agreement is designed to ensure that mobile apps comply with the California Online Privacy Protection Act, which requires operators of commercial websites and online services, including mobile apps, that collect personally identifiable information about Californians to conspicuously post a privacy policy. 

Attorney General Harris first convened the parties to the agreement in August 2011, believing that working with these companies, whose platforms comprise the majority of the mobile apps market, would be the most direct way to ensure that mobile apps include privacy disclosures.  The new agreement commits the companies to:

  • Provide consumers with the opportunity to review an app's privacy policy before purchasing and downloading an app.
  • Educate developers about their obligations to respect consumer privacy and to disclose to consumers what private information they collect, how they use the information, and with whom they share it.
  • Implement a means for users to report apps that do not comply with applicable terms of service and/or laws, as well as a process for responding to these reports of non-compliance.
  • Continue to work with the California Attorney General to develop best practices for mobile privacy and to reconvene within six months to evaluate privacy in the mobile space.

Minnesota AG Files First HIPAA Enforcement Action Against Business Associate

Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law.  Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, this marks the first time that an enforcement action has been brought against a HIPAA business associate.   

Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions.  For one of the Minnesota hospitals, Accretive also performed “care coordination” services.  Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.

Senate Holds Hearing on Newly Introduced 'Cybersecurity Act of 2012'

By David Fagan and Kristen Eichensehr

Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills introduced in this and prior Congresses and resulted from a lengthy consultation process -- shepherded by Senate Majority Leader Reid and Minority Leader McConnell -- with private sector stakeholders, the Executive Branch, and other interested parties. Upon introducing the bill earlier this week, Majority Leader Reid and Committee Chairman Lieberman said that they intended not to hold any committee mark-up and instead would bring the bill directly to the floor for a full vote in March.

As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.

Report Finds Advertising Companies Comply With Self-Regulatory Standards

The Network Advertising Initiative ("NAI"), a coalition of more than 80 online advertising companies committed to self-regulation, released a report this week finding that there is a high degree of compliance with the NAI's Self-Regulatory Code of Conduct, which governs the use of consumer data for purposes of online behavioral advertising.   In particular, the report concludes that NAI's member companies are complying with the Code's restrictions on using sensitive data for purposes of online behavioral advertising and prohibitions on the use of data for secondary purposes, including to make insurance or employment decisions.  In addition, member companies are not specifically targeting children under the age of 13.  

FTC Report Calls For More Notice Involving Mobile Apps Directed To Kids, Warns Enforcement Could Come Over Next Six Months

The FTC staff released a report today calling for participants in the mobile app ecosystem -- including app developers, app stores, and third parties who collect data through mobile apps -- to provide better privacy notices to parents about mobile apps directed to children, and warning that over the next six months, staff will be conducting additional reviews "to determine whether there are COPPA violations and whether enforcement is appropriate."

The report is based on the staff's survey of apps offered in the Android Market and the Apple App store. Staff focused on "the types of apps offered to children; the age range of the intended audience; the disclosures provided to users about the apps’ data collection and sharing practices; the availability of interactive features, such as connecting with social media; and the app store ratings and parental controls offered for these systems."

Notably, the report stated that the FTC expects the whole app ecosystem to "play an active role in providing key information to parents who download apps." Specifically, the report outlined the following:  

  • App developers should provide parents information about (1) what information an app collects, (2) how the information will be used, and (3) with whom the information will be shared, using short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with social media, or allows targeted advertising to occur through the app.
  • Third parties that collect information through apps should disclose their privacy practices, whether through a link on the app promotion page or another easily accessible method.
  • App stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. The FTC stated, for example, that app stores could provide a designated space for developers to disclose this information and standardized icons to signal specific features, such as connections with social media services. In addition, the FTC emphasized that app stores should be enforcing developer agreements that require developers to disclose the information their apps collect.

The report expressed a preference for disclosures that are provided prior to the parent's purchase of the app, noting that "[i]nformation provided to parents after downloading an app is, in staff’s view, less useful in the parent’s decision-making since, by then, the child may already be using the app and the parent already could have been charged a fee."

In addition, the report focused on disclosures involving in-app purchases, interactive features, and targeted advertising.  The report states that the FTC is considering whether additional protections are needed with respect to in-app purchase capabilities in apps for children.  It emphasized that "confusing and hard-to-find disclosures do not give parents the control that they need in this area." Staff believe that the presence of social features within an app is highly relevant to parents selecting apps for their children, and that such functionality should be disclosed prior to download.  And the report states that "parents need clear, easy-to-read, and consistent disclosures regarding the advertising that their children may view on apps, especially when that advertising is personalized based on the child’s in-app activities.”

As we have blogged about here and here, the FTC currently is reviewing its rules implementing the Children’s Online Privacy Protection Act, which governs the online collection, use, and disclosure of personal information from children under the age of 13.  

New PCI Council Chairman Establishes Mobile Payments as Top Priority for 2012

Newly appointed chairman of the PCI Security Standards Council, Michael Mitchell, recently reiterated the importance of data security for mobile payments technology and the Council’s priority in studying and advising the industry on such technology.  Chairman Mitchell pointed out the sharp increase in mobile payments but also a lag in the security technology protecting such payments.  “The adoption of mobile is running rampant, and when it comes to using personal mobile devices, people have not thought about all of the security.”

In June 2011, the Council, through a Mobile Working Group, released guidance analyzing mobile payment applications and validating such applications within the Payment Application Data Security Standard (PA-DSS).  The working group will next turn its attention to releasing best practice guidance for mobile payments.  As we recently covered in a previous post, the FTC also recently announced it would host a workshop on April 26, 2012, to discuss mobile payments.      

FCC Adopts New Telemarketing Restrictions

Today, the Federal Communications Commission adopted new rules that strengthen its restrictions on autodialed or prerecorded telemarketing calls.  The FCC billed the new rules as an effort to maintain consistency with the Federal Trade Commission’s telemarketing sales rule, which also governs telemarketing calls, and to give consumers control over the calls that they receive.

Under the new rules, companies will need to obtain prior express written consent from consumers before making prerecorded or autodialed telemarketing calls to consumers.  The FCC’s rule changes also eliminate the “established business relationship” exemption in its existing rule, which allows these calls to residential “landline” phones without consent.  The new restrictions will require written consent even for companies that have done business with the call recipient in the past. 

One area of dispute over the new rules related to whether the “written” consent requirement could be satisfied electronically and what steps were necessary to make the consent effective.  Consistent with the FTC’s approach, the FCC concluded that “written” consent can be provided electronically, such as through a website form.  However it is provided, though, the FCC requires “clear and conspicuous disclosure” about what the consumer is consenting to and an “unambiguous” agreement to receive calls at a phone number designated in the consent document.  Like the FTC, the FCC also warned that consents would not be effective if the consent is a condition of purchasing goods or services.

An additional change to maintain consistency with the FTC’s rule is a requirement that telemarketing calls that use a prerecorded voice include an interactive “opt-out” mechanism, which would allow the call recipient to opt out of future calls by pressing a button.  Finally, the FCC imposed new restrictions on so-called “call abandonment,” which occurs when there is no live telemarketer available to take an autodialed call.

Although the FCC’s rule changes have a broad impact on the telemarketing business, they do not impact non-telemarketing calls, even if they are made using an autodialer or include a prerecorded voice.  As a result, prior written consent is not required for autodialed calls that do not advertise a product or service, including calls by nonprofits or for political purposes.  Also, the new restrictions do not apply to informational calls that may be commercial in nature, such as calls from an airline informing passengers that their flights have been delayed or calls from a bank informing a customer of fraudulent charges to her account, and exclude certain health care-related calls that are regulated under HIPAA, which already imposes a written consent requirement.

The new FCC rules will not be effective until they are approved by the Office of Management and Budget.  Once that happens, companies will have a year to obtain prior written consent to covered telemarketing calls and to stop covered calls to consumers with whom they have established business relationships.  The other rule changes have shorter timetables:  the interactive opt-out requirement will go into effect after 90 days, and the abandonment restrictions after 30 days.

FTC Raises Fair Credit Reporting Act Concerns with Background Screening Application Marketers

On February 7, 2012, the Federal Trade Commission sent letters to six marketers of mobile applications that provide background screening services.  The applications, including “Police Records,” “Criminal Pages,” and “Locate Anyone,” provide criminal record histories that, if used for employment or other Fair Credit Reporting Act (FCRA)-related purposes, may subject the marketers to treatment as a “consumer reporting agency” for purposes of the FCRA.

A consumer reporting agency is a company that assembles or evaluates information relating to consumers for the purpose of furnishing “consumer reports” to third-parties.  Consumer reports include information that relates to an individual’s character, reputation or personal characteristics and are used or expected to be used for employment, housing, credit, or other similar purposes.  It follows that if a company provides criminal background information to employers about prospective or current employees, the company is a consumer reporting agency because the information pertains to the employees’ character, reputation, or personal characteristics.  The definitions in the FCRA are broad and may encompass many companies that are unaware their services fall within the scope of the statute.

The FTC’s letters do not take a position with respect to the marketers’ applications but encourage the marketers to review their applications and policies and procedures in light of the FCRA.

Korean Regulators to Investigate Google's Privacy Policy Changes

The Korea Herald reports that the Korea Communications Commission (KCC) has opened an investigation into Google’s rollout of its new privacy policy in that country.  The investigation reportedly will focus on whether the company has received sufficient consent to the changes to Google's existing policy and whether Google is collecting more data than is required to provide its services.

Google’s new privacy policy also faces scrutiny from regulators in the EU, where Google recently rejected a request by the Article 29 Working Party to “pause” the rollout of the policy, and in the U.S., where members of the House have sought additional information from the company on the meaning of the changes for consumers.  

ABA Urges U.S. Courts to Respect Foreign Data Protection Laws

Last week, the American Bar Association adopted a rule calling on U.S. courts to “consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign . . . with regard to data sought in discovery in civil litigation.”  In an extensive report accompanying the new rule, the ABA detailed the tensions that exist between the liberal discovery standards under the Federal Rules of Civil Procedure and the strict data protection regimes in many foreign countries. 
