The FCC’s ruling interprets two subsections of the TCPA. The first subsection — 47 U.S.C. § 227(b) — includes several restrictions, including a general prohibition on making calls to landline or mobile telephones using a prerecorded message without  the recipient’s prior express consent. Section 227(b)(3) allows individuals or companies to bring private lawsuits “based on a violation of this subsection” or the FCC’s implementing regulations.

A separate portion of the TCPA — 47 U.S.C. § 227(c) — authorizes the FCC to set up a national Do Not Call registry, which the FCC did in coordination with the Federal Trade Commission several years ago. Section 227(c)(5) authorizes private lawsuits by individuals who receive “more than one telephone call within any 12-month period by or on behalf of the same entity” in violation of the Do Not Call rules.

Last week’s declaratory ruling came in response to questions referred to the FCC by two federal courts in two separate TCPA-based lawsuits.

In accordance with the federal courts’ referrals, the parties in both cases petitioned the FCC to interpret the relevant TCPA provisions and regulations and determine whether sellers like DISH could be liable for unlawful telemarketing calls made by dealers or other third parties.

The FCC concluded that a seller is not always liable for calls made by third parties for the seller’s benefit, but that sellers may be held vicariously liable for the conduct of third-party telemarketers in some circumstances. Specifically, the FCC concluded that, at a minimum, federal common law principles of agency law allow a seller to be held vicariously liable under either statutory provision if the telemarketer acts as the seller’s agent or has “apparent authority” to do so, or if the seller ratifies the telemarketer’s conduct.

The FCC provided “illustrative examples” of situations in which sellers might be vicariously liable for telemarketers’ conduct, such as situations in which:

• the seller approves, writes, or reviews telemarketing scripts;
• the seller gives telemarketers access to customer information or the seller’s internal systems;
• the seller authorizes telemarketers to use the seller’s trade name, trademark and service mark;
• the seller “knew (or reasonably should have known) that the telemarketer was violating the TCPA on the seller’s behalf and the seller failed to take effective steps within its  power to force the telemarketer to cease that conduct.”

In a partial dissent, Commissioner Ajit Pai argued that the majority incorrectly interpreted the two TCPA provisions at issue to incorporate the same standard of vicarious liability, even though the provisions’ language differs. Pai argued that, given the language of the TCPA’s do-not-call provision, “the Commission should give meaning to [the words] ‘on behalf of’ and impose third-party liability for do-not-call violations whenever a telemarketer initiates a call on a seller’s behalf, even if that telemarketer is not under the seller’s control.”

The majority decision left open the possibility that the FCC could in the future interpret the TCPA to allow “a broader standard of vicarious liability for do-not-call violations,” but said the agency could not establish such a broad standard in a declaratory ruling, given the FCC’s existing precedent.

The FCC also recently released a Small Entity Compliance Guide outlining changes to the TCPA rules that were adopted by the FCC in early 2012 and that began taking effect last fall. Among other changes, the revised rules require all prerecorded telemarketing calls to include an automated, interactive opt-out mechanism throughout the duration of the call, as well as a toll-free telephone number that can be contacted to opt out when a prerecorded telemarketing message is left on voicemail. That rule took effect in January. As of October 16, 2013, prior express written consent will be required to transmit prerecorded or autodialed telemarketing calls to wireless numbers, and the established business relationship exception will no longer apply to prerecorded telemarketing calls to residential lines.

The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US.  The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice.  The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to:  (1) US companies with apps that collect persistent identifiers; (2) US companies with  aps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.

Harris has stated that she plans to police mobile app privacy using CalOPPA. Her office released a set of best practices for mobile app privacy policies in January, a month before the Federal Trade Commission released its own mobile app guidelines. But considering federal regulators’ interest in the issue, it is debatable whether, like the Delta case, such matters are better left for enforcement at the Federal level.

Delta added a prominent link to its privacy policy on the home screen of the Fly Delta App not long after the filing of the suit and has had a public privacy policy on its main Web site all along.

• collects or modifies a user’s personal information without express notification and user consent;
• accesses a network without express notification or consent, causing unauthorized bandwidth use, monetary loss, information disclosure, or other negative consequences;
• affects the smart device’s normal operations or the safe operation of the telecommunications network;
• contains content restricted by PRC law (e.g., obscene, anti-government, or hate speech); or
• infringes a user’s personal information, safety, legitimate rights or interests, or prejudices the security of network information.

Notably, the regulation focuses only on “pre-installed apps” and not, as in a previous draft version, “pre-installed apps” and “[applications] provided by other means.”  This revision may reduce the likelihood that regulation would apply to apps installed post-sale, e.g., apps delivered via app stores, although we understand that MIIT is also currently drafting regulations targeting mobile app stores.  An earlier draft contained a provision, absent in the final regulation, that would have extended the app restrictions described above to certain unnamed “partners” of smart device manufacturers.  This revision clarifies that the regulation applies only to smart device manufacturers applying for or in possession of a network access license for the products they manufacture.

The new regulation emerges following increased national attention on consumer personal information disclosures.  Most notably, China’s annual consumer affairs show -- the “March 15 Consumer Rights Day Gala” produced by state-run CCTV -- contained two pieces describing the potential risks of online personal information disclosure.  At the close of one such segment highlighting the privacy risks of Android-based applications, the host informed viewers that “our country is already in the process of formulating related laws and regulations targeting the mobile internet.”  The mobile device regulation discussed here appears to be the first of these new regulations.

The regulation will become effective November 1, 2013. 

Readers interested in how other jurisdictions are addressing this and related issues may wish to review our summary of a recent European Union opinion covering app developers, smart device manufacturers, and app stores.

Links

Notice Regarding Strengthening the Management of Network Access for Mobile Smart Terminals [Chinese]

New Data Privacy Rules in China Target Mobile Smart Device Manufacturers and Online Content Providers (June 2012 Covington E-Alert)

March 15 Consumer Rights Day Gala Full Video [Chinese]

(For Android segment click “安桌系统手机应用软件严重窃取用户资料” on the right hand menu.)

1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and procedures for effectively deleting or destroying data once it is no longer needed by the company. 
2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications, emerge.   
3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customer’s personal information.   
5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.

This week the Article 29 Working Party released its Opinion 2/2013 on apps on smart devices (WP 202), a 30-page report on mobile app privacy and data protection considerations. This development follows on the Working Party’s Statement on the draft General Data Protection Regulation on 27 February 2013 (which we previously discussed here). 

The report sets out several sets of prescriptive, but non-binding, recommendations that target app developers, app stores, OS and device manufacturers, and other third party participants in app ecosystems, such as advertisers and network operators that bundle apps with devices. 

This short post sets out a summary of some of the report’s less conventional prescriptions and recommendations, which could present participants in the European digital/mobile ecosystem with significant compliance challenges.

Of particular concern to app developers targeting the European marketplace will be its recommendations that app makers must ensure that:

• new user consent to data collection must be specific, informed and granular - and the precise purpose of the collection must be set out in “well-defined” and “comprehensible” terms, and in the case of third party purposes such as analytics and advertising, “comprehensive”;
• any deviation from the specified purposes in new versions of an app must be subject to renewed user consent;
• third parties with whom data will be shared must be specifically, not generically, described;
• developers must adopt a ‘privacy by design’ approach to internal planning, development and QA processes;
• apps must only collect data that is strictly necessary to perform the desired functionality;
• users must be allowed to access, rectify, erase and object to data processing, and be informed of those mechanisms;
• apps must only retain data for a “reasonable retention period”, and accounts should expire after a predefined inactivity period, following which a user should be given an opportunity to retrieve their data, which must otherwise be deleted or irreversibly anonymised (and on the back of this prescription, they recommend that users be given tools to alter the length of these periods); and
• when dealing with under-age users, app developers must exercise particular care and adherence to the data minimisation principle, and refrain from processing their data for behavioural advertising purposes.

App stores

The Working Party considers that app stores must enforce app makers’ obligations to fully inform potential users prior to their installation of the app, and must publish detailed information on the data protection checks they perform when an app is submitted for distribution through the store. 

OS and device manufacturers

The report also places a burden upon on OS and device manufacturers to:

• employ “privacy by design” principles, and prevent secret monitoring of users;
• ensure that an app’s default settings render it compliant with EU data protection law;
• offer developers granular, not wholesale, access to data, sensors and services; and
• provide effective means to avoid tracking by third parties - and this protection must be enabled by default.

The report recommends that they put in place APIs to allow users to send data deletion requests to local or remote user data stores. 

Third parties

The Working Party goes on to state that third parties must, for example:

• refrain from circumventing privacy measures such as “Do Not Track” browser tools; and
• specifically avoid delivering ads outside the context of the app - so must not, for example, place icons on mobile desktops or redirect browser home pages. 

Network operators and other telcos, if they bundle apps with the devices they distribute with contracts or sell through their stores, must obtain valid consent from users for those pre-installed apps.  They must also “take on board relevant responsibilities when contributing to determining certain features of the device and of the OS, e.g. when limiting the user's access to certain configuration parameters or filtering fix releases (security and functional ones) provided by the device and OS manufacturers”, hinting that the Working Party has reservations at the practice of withholding certain OS updates from older phones. 

Summary 

App makers are left in a difficult position.  On the one hand, implementation of these features, such as discarding data after predefined retention periods, could be technically challenging; they will at the very least add to codebase and QA complexity, and will be difficult to implement without creating a less straightforward user experience.  The report also makes it clear that developers must audit and understand the functionality of any third party software libraries that they rely upon, to fully ensure that all gathering and processing of user data by their app will be compliant with EU law. 

On the other hand, this detailed report is a sure sign that data protection and privacy regulators are becoming more experienced in the domain, more certain in their expectations, and more precise with the standards they are seeking to impose - the risks and costs of noncompliance may well be on the rise.

The guidelines—titled “.com Disclosures:  How to Make Effective Disclosures in Digital Advertising”—update prior guidance known as “Dot Com Disclosures,” which was released in 2000.  The updated guidelines emphasize that consumer protection laws apply to commercial activities across all mediums, including on computers, mobile devices, and tablets.

• The disclosure must be clear and conspicuous regardless of the device or platform.  If an ad would be unfair, deceptive, or otherwise unlawful without a disclosure, but the disclosure cannot be made clearly and conspicuously on a particular device or platform, then the ad should not run at all on that device or platform.
• Proximity and placement.  In evaluating whether a disclosure is likely to be clear and conspicuous, advertisers should consider the placement of the disclosure in the ad and its proximity to the relevant claim.  Whereas the 2000 guidance defined “proximity” to mean “near, and when possible, on the same screen,” the updated guidance advises that disclosures should be “as close as possible” to the relevant claim.  It also states a preference that advertisements be designed so that “scrolling” is not necessary to see the disclosure.  In self-evaluating their ads, advertisers should adopt the perspective of a “reasonable consumer.” 
• Prominence.  It is the advertiser’s responsibility to draw attention to the required disclosures.  According to the updated guidelines, size matters, colors count, and graphics help.  Repetition—but not too much repetition so as to clutter the ad—may make a consumer more likely to notice and understand a disclosure.
• Hyperlinks.  The updated guidance suggests that advertisers label hyperlinks as specifically as possible.  Like the prior guidelines, the updated guidelines stress that disclosures that are an integral part of a claim —such as general cost information or certain health and safety information, not be communicated through a hyperlink.
• Pop-ups and technological limitations.  Pop-up disclosures should be avoided, because these may be blocked by certain technologies or devices.  The fact that some browsers and devices may not optimally support certain techniques for displaying disclosures also should be considered.  (For example, it should be taken into account that some mobile devices currently will not support Adobe Flash Player).
• Multimedia campaigns.  Disclosures should mirror the medium in which a claim is made.  Specifically, audio claims should contain audio disclosures at a volume and cadence sufficient for a reasonable consumer to hear and understand.  Written claims should contain written disclosures, not solely in an audio or video clip.  Video disclosures should be of a sufficient duration.  Additionally, all disclosures should be in language that it is simple, straightforward, and understandable to the reasonable consumer.

Prior to updating its guidance, the FTC held three public comment periods and hosted a day-long public workshop in May 2012, described here and here. 

The FTC staff report makes clear that these guidelines provide only suggestions for practices that may increase the likelihood that a disclosure is clear and conspicuous; they are not intended to provide a safe harbor from potential liability.

Legislation was reintroduced in the Senate last week that would allow Internet users to opt out of certain forms of online tracking.  The bill [PDF] was previously introduced in 2011.

The “Do-Not-Track Online Act of 2013,” introduced on February 27 by Senators Rockefeller (D-W.Va.) and Blumenthal (D-Conn.), would require the Federal Trade Commission to create rules for the implementation of a mechanism that would enable an individual to “simply and easily indicate whether [the] individual prefers to have personal information collected by providers of online services” -- in other words, a "Do Not Track" mechanism.  The FTC rules, which would generally prohibit collecting information from users who have opted out of such collection, would be enforced by the FTC and state attorneys general.

The bill contains two exceptions that would permit entities to collect and use information collected online from users who have enabled the do not track mechanism.  First, entities would be permitted to collect information necessary to the “basic functionality and effectiveness” of a requested service, so long as the information is anonymized or deleted after the provision of the service.  Second, the bill would permit entities to request that users opt-in to collection and use of their information; in other words, entities would be permitted to collect information from users who opt in regardless of whether those users had enabled the Do Not Track mechanism.

The timing of the bill’s reintroduction is significant for at least two reasons.  First, this month marks one year since the release of the FTC’s report in which the FTC urged industry to create a do not track mechanism.  In statements made around the time of the report’s release, FTC commissioners suggested that the agency might support Do Not Track legislation if industry did not establish such a mechanism on its own.  Second, just last month, reports emerged that the principal effort at developing an industry-based Do Not Track mechanism -- the W3C’s Tracking Protection Working Group -- was beginning to make substantial progress in finalizing its specifications.  Additional progress by this group could affect further calls for legislation.

Despite the close attention of regulators and the press to the privacy policies of Internet sites and services, including mobile applications, the number of consumer complaints concerning these entities remains relatively low.  Of the total number of complaints, Internet information services received 1.79%, social networking services received 0.25%, Internet gaming received 0.12%, and mobile applications and other mobile downloads received just 0.02%.  Consumers appear to be far more troubled with identity theft and fraud-related issues, which, combined, accounted for 70% of consumer complaints in 2012.

 In drafting the bill, Johnson and his Web-based initiative, AppRights, held meetings with members of the Internet community, public-interest groups, app developers, and other industry stakeholders. AppRights stated: “Over the coming days, we will release helpful clarifications of the updated provisions of the APPS Act so that everyone is on the same page." It is not yet clear when the bill will be introduced to Congress as possible legislation.

During Thursday’s meeting, participants considered the latest draft of the proposed code of conduct, which is intended to enhance transparency about apps’ data collection and third-party sharing practices. During the meeting, the participants failed to reach a consensus on what data practices need to be disclosed and how the information should be displayed. There was also disagreement as to which practices required heightened disclosure.

There was some progress, however, as the stakeholders agreed that the final draft should contain flexibility, clarifying that the “shall” and “must” language in the latest draft indicated requirements, while the use of “should” indicated best practices that companies should strive to achieve if possible.

The group will reconvene for its ninth meeting on January 31.

According to the FTC’s complaint, Filiquarian Publishing LLC, Choice Level LLC, and their CEO, Joshua Linsk, designed and marketed mobile applications that enabled users to search criminal records databases.  The companies marketed the applications for employment purposes as a tool to use in screening potential employees.  Indeed, one advertisement for the applications offered “Are you hiring somebody and wanting to quickly find out if they have a record?  Then Texas Criminal Record Search is the perfect application for you.”  The FTC alleged that the companies were operating as consumer reporting agencies in providing the criminal records reports for employment purposes and that the companies failed to comply with the FCRA.  The applications included disclaimers that the applications were not compliant with the FCRA and not to be used for FCRA permissible purposes; however, the FTC viewed these disclaimers as insufficient to insulate the companies from liability since the companies actively marketed the applications for employment purposes. 

The consent order, among other provisions, prohibits the companies from providing consumer reports to individuals if the companies do not have a reason to believe the individuals have a permissible purpose under the FCRA.  The order also prohibits the companies from failing to maintain reasonable procedures to assure maximum possible accuracy with respect to the consumer reports provided by the companies to consumers.  The companies are required to submit periodic reports to the FTC demonstrating compliance with the consent order.

As the report explains, “[t]he basic approach . . . is to minimize surprises to users from unexpected privacy practices.”  A practice is “unexpected” when it’s not “related to an app’s basic functionality” or when it involves “sensitive information.”  Minimizing surprises means limiting the collection and retention of data that is unrelated to the app’s core functionality; giving users “enhanced notice” (i.e., notice beyond what is provided in the developer’s general privacy policy) of unexpected practices; and giving users control over those practices.  (These concepts, if not the precise terminology, will be familiar to those who have read the FTC’s March 2012 report, which recommended that companies provide consumers with robust notice and meaningful choices for practices that were “inconsistent with the context” of a particular transaction or with the company’s relationship with the consumer.)

The report goes onto make a number of specific recommendations that build on these basic propositions.  After the jump, we discuss a few that struck us as particularly noteworthy.

• An app’s privacy policy should be available before the app is downloaded.  The report notes that the best way to accomplish this is to make the policy available from the app platform (i.e., on the promotion page).  FTC staff also urged developers to take this step in the recent report, “Mobile Apps for Kids: Disclosures Still Not Making the Grade.”  A more novel recommendation in this area was for ad networks, which were urged to provide links to their privacy policies to app developers so that the developers can make the policies available to users “before they download and/or activate the app.”  This practice seems less likely to be seen as consistent with industry practice or expectations. 

• Make the app’s “general” privacy policy “readily accessible from within the app.”  The report makes clear that a privacy policy is “readily accessible” if its linked from the controls/settings page.  The report also recommends hosting the privacy policy in the browser, in order to facilitate updates in case the developer’s practices change. 

• Include key privacy disclosures in the general privacy statement.  The report lists several disclosures that should be made in the privacy policy.  Several of these reflect familiar requirements in the California Online Privacy Protection Act (“CalOPPA”), but others are less familiar.  For example, the report recommends disclosing the “uses and retention period for each type or category of personally identifiable data collected” as well as “[w]hether your app, or a third party, collects payment information for in-app purchases.”  The privacy policy should also describe—and provide links to the privacy policies from—third parties with whom personally identifiable data may be shared.  

• Provide “enhanced measures” if the app collects “sensitive information” or “personally identifiable data” that are “not needed for basic functionality.  The report defines “personally identifiable data” and “sensitive information” more broadly than these terms are usually defined.  “Personally identifiable data” is “any data linked to a person or persistently linked to a mobile device,” while “sensitive information” is “personally identifiable data about which users are likely to be concerned,” including “precise geo-location data; financial and medical information; passwords; stored information such as contacts, photos and videos; and children’s information.”  Where the app collects this kind of information for purposes other than basic functionality, the report recommends either (1) providing a “special notice,” (i.e., an alert that appears at the time the data is collected) or (2) a combination of “short privacy statement” (i.e., a statement that highlights the “unexpected practices”) and privacy controls that enable the person to make choices about those unexpected practices. 

Security and Accountability

• Use encryption for personally identifiable data in transit—and in storage.  Encrypting certain types of PII in transit has become a common practice thanks to encryption requirements in Massachusetts and Nevada laws, while encryption of stored data, however, is significantly less common.  Given the breadth of the term “personally identifiable data,” many companies may have difficulty complying with this recommendation as it applies to both transmission and storage.  The recommendation that ad networks use encryption for the transmission of permanent unique device identifiers seems particularly unlikely to be adopted.

• Put someone in charge of the general privacy policy.  The report recommends making someone in the organization responsible for reviewing the privacy policy when practices change; maintaining archived versions of the policy; and acting as a point of contact for privacy questions and comments.  Of all the report’s recommendations, this one may be the most important: having a person commit a least some of his or her time to thinking about privacy issues can improve a company’s practices dramatically.  The privacy profession has exploded over the past decade, and this endorsement from General Harris signals the value that such professionals have to offer. 

The report has already drawn criticism from ad industry groups, which have faulted the report for proposing “unworkable” solutions that could create confusion in the industry. 

As we have noted elsewhere, Harris has made mobile privacy a key priority for her office.   Most recently, she sued Delta Airlines for allegedly failing to comply with the California Online Privacy Protection Act, which requires online service providers to post a privacy policy containing certain elements and to comply with the policy.   

As described below, the new law may affect all businesses handling an individual’s “personal electronic information” in China, even if that information is not necessarily processed over the internet.  For many companies operating websites hosted in China, the new law will require only slight modifications to existing data handling practices, as many of the new law’s provisions reflect or only slightly modify other provisions found in existing law.  However, websites providing “internet publication services” such as blogs, microblogs, or online forum providers, will be required to implement a real name registration system for their users.  The specifics of the real name registration system have not been announced and will likely come from China’s principal internet regulator, the Ministry of Industry and Information Technology (“MIIT”), which is drafting regulations in furtherance of the new law. 

The new law, entitled the Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (全国人大常委会关于加强网络信息保护的决定) (the “Online Information Decision”), requires “network service providers” (网络服务提供者) and other “enterprises or public institutions” (其他企业事业单位) to clearly indicate the “use, method, and scope” of their collection of an individual’s “personal electronic information,” and not to collect or use this information without the individual’s consent.  It is not clear at this time how a user may evidence consent.

 “Personal electronic information” is described as information “by which the individual identity of citizens can be distinguished as well as that which involves a citizen’s privacy,” but no formal definition or further interpretive guidance is provided.  

The application of the notification requirement to “other enterprises and public institutions” (also undefined) would presumably require all institutions to notify users of the collection and use of their “personal electronic information,” even for information that is not collected online (such as information collected at the point-of-sale), so long as that information is transmitted or stored electronically.  Further interpetative guidance and implementation will likely provide a clearer understanding.

Real Name Registration Requirements for Certain Providers

The Online Information Decision requires network service providers “providing internet publication services” or "website access services" to require their users to supply verified identify information when registering on the provider’s website or for online access. (This is often referred to as "real name registration.")  Although “network service providers” is undefined in the regulation, the delineation of  “internet publication” and “website access” indicates the term may encompass, at the least, both content providers such as websites as well as network access providers such as China Unicom or China Mobile. (We have spoken with officials at MIIT who indicated that their personal understanding is that “network service providers” includes websites and that further implementing legislation for the Online Information Decision is now being drafted.)   

Other Significant Requirements

In addition to the requirement of real name registration, the Online Information Decision also contains the following significant provisions, some of which mirror or expand upon existing law or regulations:

• Network service providers, other enterprises or public institutions, or their employees may not obtain an individual’s “personal electronic information” via theft or other means, nor sell or “illegally provide” an individual’s “personal electronic information” to others.      
• Network service providers, other enterprises or public institutions, or their employees must “strictly maintain the confidentiality” of personal electronic information collected during their provision of services and may not “divulge, distort, or damage” that information, though these terms remain undefined. 
• Network service providers must ensure that any information disseminated by users on their networks does not violate PRC law. If such information is published, the network service provider must report such publication to the appropriate authorities (although undefined in the regulation, this is likely to be MIIT), cease its further dissemination, and preserve the records for later investigation. 
• Network service providers and other enterprises or public institutions must adopt technological and other measures necessary to ensure information security and to protect against “disclosure, damage, or loss of an individual’s personal electronic information.”  
• Without the consent or request of an email recipient, or following a user’s clear refusal, no organization or individual may send “commercial electronic information” (e.g., spam or other commercial solicitation) to a recipient’s email box, fixed-line telephone, or mobile phone. 

Violation of the Online Information Decision may lead to warnings, fines, confiscation of illegal income, cancellation of operating permits, website closure, or the prohibition of involved individuals from engaging in other network services business.

China’s state-affiliated news media has in recent weeks run a number of stories regarding stricter regulation of the internet, and the Online Information Decision may foreshadow a number of new regulations in 2013.  At a press conference announcing the passage of the Online Information Decision,  a representative of MIIT noted that it is currently in the process of drafting regulations in response to the Online Information Decision that may cover the protection of users’ electronic information, commercial solicitations, and the collection and handling of personal information over mobile networks.

The Tenth Circuit affirmed these holdings last week.  Although the trade press and bloggers have focused on the court’s holding that there is no civil liability for aiding and abetting under the Wiretap Act, this aspect of the decision is less remarkable, as a number of courts, including at the circuit level, have held this in the past. 

Perhaps more interesting is the Tenth Circuit’s discussion of the “ordinary course of business” (or “business use”) exclusion in the statute.  The court explained that the exclusion permits ISPs to access data travelling over their networks in the ordinary course of business; thus, to the extent Embarq had access to the data that NebuAd intercepted, that access was permitted.   While the lower court seemed to suggest that if Embarq had “acquired” (rather than merely “accessed”) such data it might have violated the Wiretap Act, the Tenth Circuit explained that even if the data had been “acquired” by the ISP, there still would not have been an actionable “interception.”   In fact, the court seemed to suggest that, as long as Embarq did not gain “access to . . . more of its users’ electronic communications than it had in the ordinary course of its business as an ISP,” its activities were protected by the business use exception. 

Only a week earlier, a district court reached a very similar decision Valentine v. WideOpen West Finance, LLC, which also concerns an ISP's alleged partnership with NebuAd.  Judge Edmond E. Chang of the Northern District of Illinois dismissed plaintiffs’ claim that the WOW violated the Wiretap Act by intercepting their communications.  (Judge Chang noted that the parties did not brief the issues of whether WOW is liable for using or disclosing intercepted communications, which is independently actionable conduct under the Wiretap Act.)  Like the Tenth Circuit in Embarq, Judge Chang held that WOW could not be liable for aiding and abetting NebuAd’s interception of the plaintiffs’ communications. 

The FCC also made recommendations that touch on the role of in-app privacy disclosures ―a topic that has received attention recently from state regulators and the Federal Trade Commission.  Specifically, the FCC recommends that users understand app permissions before accepting them.  The FCC says, “You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone.  Make sure to also check the privacy settings for each app before installing.” 

While the FCC has not been as active as the FTC and others on mobile privacy issues that do not affect the telephone portion of the mobile service, the FCC’s announcement demonstrates that it continues to see a role for itself in helping “consumers understand and combat cyber threats and mobile device theft.”  Earlier this year, the FCC partnered with mobile operators to launch their “PROTECTS Initiative” which was designed to combat mobile device theft and trafficking. 

Staff found the results of the second report "disappointing," concluding that many apps do not contain privacy disclosures that fully explain how the app collects, uses, and discloses children's data.  Among other things, the report focused on disclosures related to advertising, links to social media, and in-app purchases. 

Announcing the release of the report, Jessica Rich, Associate Director, FTC Division of Financial Practices, expressed concern that a number of the apps disclosed device identifiers to third parties, including ad networks and analytics companies.  She emphasized that the staff made no findings about how these third parties used the device identifiers, but noted that the FTC's proposed revisions to the Children's Online Privacy Protection Act (COPPA) Rule would treat this information as "personal information" for purposes of COPPA, unless the data is used to support internal operations.  (Ms. Rich declined to comment on the timing of the release of a final COPPA Rule; other FTC staff previously have suggested the final Rule might come in the next few weeks or early next year.) 

Ms. Rich also stated that the Commission is investigating whether the apps violate laws such as COPPA or Section 5 of the FTC Act.  At the same time, she emphasized that the issues raised in the second report are widespread and that the report is focused on identifying industry best practices.  She encouraged industry to accelerate self-regulatory efforts to improve mobile app disclosures.  In particular, she applauded recent efforts to develop icons and similar mechanisms to shorten privacy policies for mobile apps. 

Interestingly, Harris also alleges that Delta “fail[ed] to comply with the provisions of its privacy policy,” which itself is a violation of CalOPPA.  This allegation is somewhat puzzling given that the core assertion of the suit is that Delta has failed to maintain any privacy policy at all in its app.  But it appears possible that Harris will argue Delta has failed to comply with its website privacy policy, which, the complaint notes, does not disclose certain categories of PII that are being collected through the app (e.g., location information). 

Also noteworthy are allegations that the “Fly Delta app is not the primary commercial activity of Delta,” and that “CalOPPA does not relate to rates, routes or services of any air carrier.”  These allegations anticipate a preemption challenge by Delta pursuant to the Airline Deregulation Act.  Delta would appear to have a strong argument that the suit is, indeed, preempted.  As noted in the complaint, the app enables people to search for and book flights.  Thus, the Attorney General’s argument that the app is not related to the “routes and services” of Delta would seem to face an uphill battle.

The one-count complaint seeks recovery under Cal. Bus. & Prof. Code § 17200, alleging that the violations of CalOPPA are “unfair” acts.  In addition to injunctive relief, Harris seeks a $2,500 per-violation civil penalty.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company's relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).

There Are Benefits of Tracking

The experts all agreed that there are obvious benefits of data collection. The aggregation of data can be used to provide data security, offer effective personalization for consumers, and aid in the development of new products and services.

Consumers Can Also Be Harmed by Tracking

Conversely, everyone agreed that the more data that is collected, the greater the risk for harm from certain uses of the data. This harm is often recognized is economic in nature, but some participants pointed out that harm can also be reputational. Where consensus broke down was over the question of whether the data collection, itself, is a form of harm.

Most Consumers Don’t Understand Data Collection

Consumers, in general, have little understanding about how much of their personal data is collected online—let alone who is collecting it, how they are doing it, and why it is being done. Because so much of the data collection happens behind the scenes, it is hard to say that consumers are making informed decisions about the web-based products they use in their everyday lives, even when they are provided with notice and choice.

The Need for Technology-Neutral Regulation

Although the FTC moderators were interested in DPI—a technology that can be used by Internet service providers and other companies to inspect the content of packets as they travel over the Internet—the experts emphatically stated that regulators should not demonize technology, but instead, regulate certain uses. Panelists explained that by focusing on specific technologies, such as DPI or cookies, regulators miss the complexity of the issues. Because technology is ever changing, there will always be an alternative way of collecting large amounts of data. Since there is no single choke point, participants suggested that regulators examine the harmful uses of data that need to be prevented and policed against