FTC Reminds Mobile App Developers To Comply With Revised Children's Privacy Requirements By July 1

The Federal Trade Commission has sent letters to more than 90 different companies who develop mobile apps that the FTC claims may be directed to children.  The letters emphasize that the FTC has not evaluated the apps or the companies’ practices to determine if they comply with the current or revised COPPA Rule.  Instead, the letters remind these companies that if their apps collect, use, or disclose children's images and voices, mobile device identifiers, and other types of "personal information," they must bring their apps into compliance with the revised COPPA Rule by July 1, 2013.  

The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US.  The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice.  The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to:  (1) US companies with apps that collect persistent identifiers; (2) US companies with apps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

Delta succeeds in dismissing California AG's first CalOPPA case

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.

DOT shifts consumer protection focus to privacy

The US Department of Transportation (DOT) announced today that the fourth in a series of public meetings of the Advisory Committee on Aviation Consumer Protection will focus on privacy issues.  This DOT Committee has been working on various rulemaking and enforcement initiatives affecting consumer protection in air travel, but this will be the first time that privacy practices and use of data have been made the central topic of a Committee meeting.  The DOT supervises airlines’ privacy practices because airlines are subject to sector-specific oversight (air carriers are among the businesses that are excluded from the FTC’s Section 5 authority).

The announcement states that the meeting will address the treatment of personally identifiable information collected in connection with the purchase of air travel from airlines and travel agents.  Issues to be discussed include: 

  • what information is collected and by whom?
  • who retains information (airlines, travel agents, including on-line travel agents (OTAs), and global distribution systems (GDSs))?
  • what privacy policies are in place and is information used consistent with those policies?
  • what security measures are in place to protect against unauthorized access?  

BYOD's Rapid Growth Presents New Legal Challenges

Companies are increasingly allowing employees to access work email and apps on their personal devices, according to a new Gartner survey of chief information officers.  But employers confront many tough policy and legal questions when they adopt Bring Your Own Device (“BYOD”) programs.

Thirty-eight percent of the CIOs said that their organizations will stop providing laptops, smartphones, and tablets to workers by 2016.  Those employees will have to access work networks via their personal devices through BYOD programs.  Forty-five percent of the CIOs expect to require BYOD by 2020.

“Everybody in every industry is looking at how they can leverage the Bring Your Own Device program,” David Willis, Gartner’s Chief of Research for Mobility and Communications, stated on a web conference today.

According to the survey, employers in the United States and Asia-Pacific region lead BYOD adoption, while Europe lags behind.

BYOD programs present substantial savings for employers, Willis said.  Although employers typically reimburse employees for part of their monthly smartphone bills, those payments are not nearly as high as the costs of employer-issued devices, he said.  Additionally, he noted that many employers offer BYOD programs to meet the “incredible employee demand for using the device they prefer in work.”

Before offering BYOD, Willis said, employers should carefully examine all legal implications, including the taxation of device stipends, whether labor laws prohibit hourly employees from responding to work emails after-hours, and data security and privacy laws.  In particular, Willis noted that employees must be aware that if litigation arises, the employees may be required to turn over their devices during discovery.

5 Privacy and Data Security Measures That Can Protect Your Company Against Trade Secret Theft

At a recent forum in New York, a team of Covington lawyers addressed the growing concern among companies that their most valuable assets could leave the building on a thumb drive in an employee’s pocket or be disclosed through an employee’s use of a social media site.  Addressing this threat involves many disciplines beyond trade secret law, including employment, employee benefits and executive compensation, white collar crime, corporate and securities, insurance coverage, and crisis management.  This post identifies five proactive ways in which companies can use comprehensive privacy programs and robust data security measures to help prevent and respond to an insider’s intentional or inadvertent disclosure of confidential company information.

  1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and procedures for effectively deleting or destroying data once it is no longer needed by the company. 
  2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications, emerge.   
  3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
  4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customer’s personal information.   
  5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.

Proposed California "Right to Know" Act Would Require Broad Disclosures To CA Residents

A bill titled the “Right to Know Act of 2013” (AB 1291), which was first introduced by Assembly Member Bonnie Lowenthal this past February, continues to gather momentum in the California legislature.  The Right to Know Act would repeal and re-write Cal. Civ. Code § 1798.83 (often referred to as the California Shine the Light law) to contain a new requirement.

The new proposed Section 1798.83 would require any business (either online or offline) that retains the personal information of a California resident to provide, upon request by that resident, a copy of all retained personal information pertaining to that resident.  It also would require businesses to provide the categories of the resident’s personal information that were disclosed to third parties over the past twelve months as well as the names and contact information of these third parties.  Disclosures made to third party service providers for purposes of performing a specified service would not be included in this requirement.  Notably, the revisions to the statute would require businesses to produce personal information collected about a California resident in a variety of contexts, including data collected from that resident in the course of “purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.”  Only California residents would be eligible to make a request, and businesses would be required to comply with such requests free of charge and within 30 days.

FTC Annual Report Reveals Identity Theft -- Not Privacy -- Is Top Consumer Complaint

Yesterday the FTC released its annual report of consumer complaints, highlighting identity theft as the leading category of complaints, with 18% of the total.  The 2012 report analyzes complaints received by the FTC, certain other federal agencies, state law enforcement agencies, and non-governmental organizations such as the Better Business Bureau.  After identity theft, consumers filed the most complaints about debt collection (10%); banks and lenders (6%); shop-at-home and catalog sales (6%); prizes, sweepstakes and lotteries (5%); impostor scams (4%); Internet services (4%); auto-related complaints (4%); telephone and mobile services (4%); and credit cards (3%).

Despite the close attention of regulators and the press to the privacy policies of Internet sites and services, including mobile applications, the number of consumer complaints concerning these entities remains relatively low.  Of the total number of complaints, Internet information services received 1.79%, social networking services received 0.25%, Internet gaming received 0.12%, and mobile applications and other mobile downloads received just 0.02%.  Consumers appear to be far more troubled with identity theft and fraud-related issues, which, combined, accounted for 70% of consumer complaints in 2012.

FTC Releases Mobile App Privacy Guidelines

As state and federal regulators increasingly focus on mobile apps, the Federal Trade Commission today released detailed recommendations for mobile privacy.

In a 29-page staff report, the FTC suggests how mobile app platforms and developers should notify consumers of their privacy practices.  Although the guidelines are not binding law, they offer best practices that could help app developers and platforms provide clear privacy notices, which are increasingly important as regulators concentrate on mobile privacy.  In December, California Attorney General Kamala Harris sued Delta Airlines for failing to provide a privacy notice on its mobile app, and she has indicated that more lawsuits are likely.

California AG Will Reportedly Release App Privacy Guide

Politico is reporting that California Attorney General Kamala Harris will release a report containing privacy recommendations for key players in the mobile app ecosystem (including developers, advertisers, and others).  The report could be released as early as this week. 

As we have noted elsewhere, Harris has made mobile privacy a key priority for her office.   Most recently, she sued Delta Airlines for allegedly failing to comply with the California Online Privacy Protection Act, which requires online service providers to post a privacy policy containing certain elements and to comply with the policy.   

The New COPPA Rule: What Exactly Did the FTC Change?

Check out the FTC's additions, subtractions, and relocations in this comparison of the old and new COPPA rules. 

FTC Adopts Final COPPA Rule: What Businesses Should Know

The Federal Trade Commission has released its revised final rule implementing the Children’s Online Privacy Protection Act (“COPPA”), which governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13.

The Commission retained the “e-mail plus” consent method and supported a number of new parental consent methods, streamlined the notice requirements, and encouraged the use of automatic filtering tools.  Although the Commission pushed forward with its proposal to define “personal information” to include persistent identifiers, it also broadened the definition of support for internal operations.  Below is a summary of the highlights. 

 

Fourth Circuit Limits Marital Communications Privilege for Email

The Fourth Circuit recently ruled that the marital communications privilege does not always apply to email that is sent from a work account.

A federal jury convicted former Virginia state legislator Phillip A. Hamilton of federal program bribery and extortion under color of right.  During trial, the court admitted email messages that Hamilton sent to his wife from his work account.  On appeal, Hamilton contended that admission of those messages violated the marital communications privilege, which covers private spousal communication that was intended to remain confidential. 

In an opinion last week, the Fourth Circuit disagreed, concluding that Hamilton had no reason to expect that his work emails were confidential.  The Court analogized Hamilton’s claim to a 1934 case in which the Supreme Court held that a defendant could not claim the marital privilege for communication that he shared with a stenographer.  “Email has become the modern stenographer,” the Fourth Circuit wrote.

FTC Releases Second Report on Mobile Apps Directed To Children

The Federal Trade Commission released today its second report on mobile apps directed to children.  The report, which follows up on an analysis that staff conducted in February 2012, examined the privacy disclosures of hundreds of kid-directed mobile apps and tested the apps’ practices against these disclosures to determine if the disclosures were accurate and complete.  

Staff found the results of the second report "disappointing," concluding that many apps do not contain privacy disclosures that fully explain how the app collects, uses, and discloses children's data.  Among other things, the report focused on disclosures related to advertising, links to social media, and in-app purchases. 

Announcing the release of the report, Jessica Rich, Associate Director, FTC Division of Financial Practices, expressed concern that a number of the apps disclosed device identifiers to third parties, including ad networks and analytics companies.  She emphasized that the staff made no findings about how these third parties used the device identifiers, but noted that the FTC's proposed revisions to the Children's Online Privacy Protection Act (COPPA) Rule would treat this information as "personal information" for purposes of COPPA, unless the data is used to support internal operations.  (Ms. Rich declined to comment on the timing of the release of a final COPPA Rule; other FTC staff previously have suggested the final Rule might come in the next few weeks or early next year.) 

Ms. Rich also stated that the Commission is investigating whether the apps violate laws such as COPPA or Section 5 of the FTC Act.  At the same time, she emphasized that the issues raised in the second report are widespread and that the report is focused on identifying industry best practices.  She encouraged industry to accelerate self-regulatory efforts to improve mobile app disclosures.  In particular, she applauded recent efforts to develop icons and similar mechanisms to shorten privacy policies for mobile apps. 

FTC Hosts Workshop to Examine Comprehensive Data Collection

On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company's relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).

Amazon Settles "Flash Cookie" Lawsuit

On Thursday, November 15, 2012, Judge Robert S. Lasnick of the Western District of Washington dismissed Del Vecchio v. Amazon, stating that the parties had reached a settlement, the details of which were not disclosed.  The suit had alleged (among other things) that Amazon used Flash cookies to back up and “respawn” browser cookies that plaintiffs had deleted, and thereby “circumvented” plaintiffs’ browser privacy controls.  The complaint (which was amended several times) included claims under the federal Computer Fraud and Abuse Act and the Washington Consumer Protection Act, as well as several common law claims.

Prior to the settlement, Amazon had filed three separate motions to dismiss, and succeeded twice in getting major claims tossed out.  Amazon filed its initial motion to dismiss in May 2011, but eventually withdrew it after the court granted a request by plaintiffs to amend their complaint for the first time.  The court later granted Amazon’s motion to dismiss the first amended complaint in its entirety, citing plaintiffs’ failure to “establish any plausible harm.”  In June 2012, the key claims in the second amended complaint also were dismissed based on similar reasoning. 

The fact that this settlement was limited to the individual plaintiff suggests that Amazon’s strategy of vigorously defending the litigation brought it more success than some defendants in other “Flash cookie” lawsuits (such as QuantCast and Clearspring) who agreed to more sizeable class settlements early in their litigations.

California AG Puts Mobile App Developers on Notice

California Attorney General Kamala Harris has formally warned 100 app developers that their apps are not in compliance with the California Online Privacy Protection Act (OPPA).  Harris has given these developers 30 days to come into compliance by “conspicuously post[ing] a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information.”  Harris’s press release also noted that “[c]ompanies can face fines of up to $2,500 each time a non-compliant app is downloaded.”  (The list of developers that received warnings has not been made public.)

Although a recent study showed that app developers increasingly are transparent about their data practices, many still are struggling to find ways to disclose material information to users in the limited space available on mobile devices.  As we noted last week, regulators and industry groups currently are working on different approaches intended to address this issue.  One potential approach--which the FTC and Attorney General Harris support--is the development of privacy “nutrition labels” that would present essential terms in much the same way that the food industry presents nutrition information on packages.  Industry groups, on the other hand, seem more focused on developing privacy icons that would work similarly to the now-ubiquitous AdChoices Icon.

Attorney General Harris has made mobile privacy a top priority for her office.  Earlier this year, she announced an agreement with leading providers of mobile app marketplaces — including Amazon, Apple, and Google — under which those companies committed to require app developers to post privacy policies within their apps in accordance with the OPPA.  Shortly thereafter, Harris launched a “Privacy Enforcement and Protection Unit” that would focus on the enforcement of California’s privacy laws. 

FTC Finalizes Settlements with Companies for Exposing Sensitive Consumer Information through Installation of Peer-to-Peer File Sharing Software

On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.  The final settlements follow a notice-and-comment period opened to the public in June 2012.

FCC Sets Comment Cycles for Additional Petitions Seeking to Clarify TCPA Provisions

As a follow-up to our previous blog entry on the subject, comment deadlines were set for additional petitions seeking to clarify TCPA provisions and related FCC rules.  Comments on these Petitions are due on November 23, 2012, and reply comments are due on December 10, 2012.

  1. The Westfax Petition asks the FCC to clarify whether “efaxes,” which are facsimile messages that are converted to e-mail, are subject to the facsimile advertising rules under the TCPA and the Junk Fax Prevention Act of 2005.
  2. The iHire Petition asks the FCC to declare that a third party faxing resumes of individual job applicants in response to help wanted postings is not an “advertisement” subject to the TCPA and, therefore, is exempt from the requirement to include an opt-out provision on the first page of the fax.
  3. The 3G Collect LLC Petition asks the FCC to declare that operator service providers are not subject to the TCPA prohibition on prerecorded calls to wireless phones when connecting collect callers to telephone numbers assigned to wireless telephones. 
  4. The Revolution Messaging Petition asks the FCC to clarify that certain internet-to-phone text messaging technology is an “automatic telephone dialing system” within the meaning of the TCPA and thus is subject to related FCC rules.

Web Marketing Company Settles FTC Charges Over Information Gathering

A Web analytics company recently settled FTC charges that it deceptively collected consumers’ personal information.

According to the FTC, Compete, Inc. provided a free toolbar that consumers installed on their web browsers.  Compete informed consumers that “the web pages you visit will be anonymously pooled with the Compete community to provide site trust rankings and analytics.”  Compete also offered a “Consumer Input Panel,” which gathered consumers’ opinions about products and services in exchange for rewards.  Compete told consumers that the Consumer Input Panel software “anonymously transmits aspects of your Internet browsing behavior so that we can understand the sites, products, and services you interact with.”  Compete’s privacy policy stated that all data “is stripped of personally identifiable information before it is transmitted to our servers.”

FTC Working on Privacy "Nutrition Label"; Industry Focusing on Icons

At the Wired for Change conference earlier this week, FTC Chairman Jon Leibowitz noted that the FTC is developing a “nutrition label” for data collection and use, modeled after the nutrition facts label for food and beverages.  Leibowitz reportedly said that the agency’s chief technologist and the Bureau of Consumer Protection are working to identify “five essential terms” that should be included in these standardized privacy policies.  California Attorney General Kamala Harris, who spoke on the same panel as Leibowitz, supported the idea of food labels for mobile apps, according to reporters’ tweets.

The concept of a nutrition label for privacy has been under discussion in the privacy community for some time.  In July 2001, FTC Commissioner Sheila Anthony suggested that nutrition labels and EnergyGuide labels could serve as models for standardized privacy policies.  Several academics have developed standardized table formats for privacy policies, and research from Carnegie Mellon’s CyLab has found that standardized privacy policy formats allow readers to find information more accurately and quickly. 
