March 2013

As we previously blogged, in a case concerning retail chain Michaels Stores, the Supreme Judicial Court of Massachusetts (SJC) recently issued a broad ruling regarding the circumstances in which consumers may sue for collection of zip code information during credit card transactions under Massachusetts law.  Two separate putative class

Continue Reading Bed Bath & Beyond Sued Over Zip Code Data

Following the German Government’s adoption of a cybersecurity strategy back in February 2011, and only a couple of weeks after the publication of the European Commission’s CyberSecurity Strategy and proposal for a Directive on Network and Information Security (see InsidePrivacy EU Adopts CyberSecurity Strategy and Proposes Network and Information Security Directive, February 7, 2013), Germany has put forward its own proposal for a cybersecurity law.

On 5 March 2013, the German Interior Minister, Hans-Peter Friedrich, presented a draft IT Security Act, which would impose certain minimum IT security standards on operators of critical infrastructure as well as telecommunications and information society service providers.  The measure would introduce mandatory reporting obligations.

Continue Reading German Government Proposes Cybersecurity Law

On 20 March 2013, the UK Information Commissioner’s Office (ICO) announced that it had issued a fine of £90,000 against DM Design, a Glasgow-based kitchen and bedroom fitting company, for breaching the Privacy and Electronic Communications Regulations (PECR) by making thousands of unwanted direct marketing calls.  This fine, made two years after the ICO was first granted the power to issue fines of up to £500,000 for serious breaches of the PECR, apparently marks the start of a new enforcement campaign against companies breaching the PECR.  The ICO stated in its announcement that the fine against DM Design will not be “an isolated penalty,” and confirmed that twelve other companies also are now under investigation for direct marketing breaches, and that two of these will apparently receive “significant penalties” over the coming weeks.
Continue Reading ICO Issues Fine of £90,000 for Breach of PECR

The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament (EP) – the EP’s lead committee for the European Commission’s legislative proposal for a General Data Protection Regulation to replace the current EU Data Protection Directive – was supposed to vote at the end of April on the proposed amendments

Continue Reading European Parliament’s Lead Committee for the Proposed EU General Data Protection Regulation Postpones Vote

In a recent decision, the Supreme Judicial Court of Massachusetts (“SJC”) broadly interpreted a statute that governs the personal information that may be collected by a merchant during a credit card transaction.  The decision, Tyler v. Michaels Stores, Inc., SJC-1145 (Mass. March 11, 2013), was issued in response to three questions that had been certified to the SJC by a federal district judge in Boston, in connection with a lawsuit alleging violation of Mass. Gen. Laws, ch. 93, §105(a), the Massachusetts analogue to California’s Song-Beverly Act. 

Section 105(a) provides that “[n]o business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”  “Personal identification information,” in turn, “shall include, but shall not be limited to, a credit card holder’s address or telephone number.”  Violations of Section 105(a) are treated as “unfair and deceptive trade practices” under Mass. Gen. Laws. ch. 93A, §§ 2, 9, which provides “injured” persons a private right of action against any entity that commits an unfair or deceptive trade practice.

The plaintiff in Tyler alleged that Michaels Stores violated §105(a) by requesting her ZIP code during a credit card transaction at one Michaels Stores retail location.  The district court agreed that the plaintiff had sufficiently pled a violation of that statute, but nonetheless dismissed the complaint because she had failed to allege a cognizable injury stemming from the violation, which is required to bring an action under Massachusetts’s unfair and deceptive trade practices statute.  The court explained that the purpose of §105(a) was to prevent identity fraud, and suggested a plaintiff would need to allege that fraud had occurred because of the alleged violation of §105(a).

Continue Reading Massachusetts Supreme Judicial Court Issues Broad Ruling on Point-of-Sale Data Collection

The U.S. Supreme Court unanimously ruled on Tuesday that plaintiffs bringing class actions cannot escape federal jurisdiction by stipulating to seek less than $5 million in damages.  In a nine-page opinion, the Court held that plaintiff Greg Knowles had no power to speak for the proposed class when he

Continue Reading Supreme Court Rejects Plaintiffs’ Efforts to Stipulate Out of Federal Court

By Dan Cooper and Philippe Bradley

This week the Article 29 Working Party released its Opinion 2/2013 on apps on smart devices (WP 202), a 30-page report on mobile app privacy and data protection considerations. This development follows on the Working Party’s Statement on the draft General Data Protection Regulation on 27 February 2013 (which we previously discussed here). 

The report sets out several sets of prescriptive, but non-binding, recommendations that target app developers, app stores, OS and device manufacturers, and other third party participants in app ecosystems, such as advertisers and network operators that bundle apps with devices. 

This short post sets out a summary of some of the report’s less conventional prescriptions and recommendations, which could present participants in the European digital/mobile ecosystem with significant compliance challenges.

Continue Reading EU Data Protection Working Party Sets Out App Privacy Recommendations

On March 12, 2013, the Federal Trade Commission (FTC) released new guidance for online advertisers, providing specific tips and examples of how to make disclosures clear and conspicuous, and, therefore, not deceptive in the context of emerging technologies, space-constrained screens, and social media platforms.

The guidelines—titled “.com Disclosures:  How to Make Effective Disclosures in Digital Advertising”—update prior guidance known as “Dot Com Disclosures,” which was released in 2000.  The updated guidelines emphasize that consumer protection laws apply to commercial activities across all mediums, including on computers, mobile devices, and tablets.

Continue Reading FTC Releases New Guidance For Online Advertising Disclosures

Earlier this week, the House of Representatives passed H.R. 749, the Eliminate Privacy Notice Confusion Act.  The bill is sponsored by Rep. Blaine Luetkemeyer (R-MO) and Rep. Brad Sherman (D-CA).  An earlier version of the bill passed the House in December but was never taken up by the Senate.

Continue Reading House Passes Legislation Eliminating Annual GLBA Privacy Notice Requirement

On 27 February 2013, the Article 29 Working Party published its latest statement regarding the draft General Data Protection Regulation (the “Regulation”), which continues to undergo revision in the European Parliament and Council.  (The latest European body to comment on the draft was the European Parliament’s Committee on Employment and Social Affairs (EMPL), which published its opinion on the draft Regulation late last week.)

The Working Party statement stakes out the Working Party’s position on six key areas of the reform, including rules on consent, regulation of the public sector, and data transfers.  The statement was also accompanied by in-depth discussions about an “exemption for personal or household activities” and about how the “one-stop shop” rules will work when a controller is processing data in multiple jurisdictions.

Continue Reading Article 29 Working Party Releases Further Comments on EU Data Protection Reform