Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.

Harris has stated that she plans to police mobile app privacy using CalOPPA. Her office released a set of best practices for mobile app privacy policies in January, a month before the Federal Trade Commission released its own mobile app guidelines. But considering federal regulators’ interest in the issue, it is debatable whether, like the Delta case, such matters are better left for enforcement at the Federal level.

Delta added a prominent link to its privacy policy on the home screen of the Fly Delta App not long after the filing of the suit and has had a public privacy policy on its main Web site all along.

The decision adds to the growing case law around screenscraping, and serves as a timely reminder of the fact that the language of a Web site’s terms of use (TOU) is an important factor in such cases.  In this case, Craigslist faces questions over whether it has standing to sue for copyright infringement because of the drafting of the content license in the Craigslist TOU.  The license grant provision in the Craigslist TOU is arguably ambiguous as to whether it provides for an “exclusive” license from users to Craigslist.  Citing Ninth Circuit case law, the order noted, “[O]nly the owner of an exclusive right under the copyright is entitled to sue for infringement.”  TOUs are often drafted with a non-exclusive license to user created content or with ambiguity as to exclusivity, and thus some Web site owners  may lack sufficient standing to bring copyright infringement claims in relation to some of the content on their sites.  Of course, it may not always be appropriate to request an exclusive license from users, but it is a question that all Web site owners should consider when preparing or maintaining their TOU.

Privacy advocates, including public interest organizations and Internet businesses, have long urged Congress to update ECPA to bring it in line with the myriad technological changes that have taken place since its enactment nearly 30 years ago, as well as consumers' evolving expectations of privacy in their electronic communications. A statement by Computer & Communications Industry Association president and CEO Ed Black reflects that widespread position: "This is a long overdue step toward bringing our online privacy laws closer to both our existing Fourth Amendment protections and our reasonable expectations for privacy. . . . Most people don't realize that six-month-old emails have different levels of privacy protection than newer emails." The Internet Association, an organization of prominent Internet businesses including Facebook, Google, and eBay, called the Senate Judiciary Committee's passage of the ECPA reform bill "a significant step in safeguarding the privacy of users' electronically stored content." The passage of the bill through the Judiciary Committee on a voice vote bodes well for its chances of being passed by the full Senate.

For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose.  However, here are 5 key things that the revised COPPA FAQs clarify:

1. Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule.  Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013:  (1) photos, videos, and audio files containing a child's image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013).  (FAQ 4)
2. Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information. 
3. Third-party services that are integrated on child-directed sites will be deemed to have "actual knowledge" if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties.  However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge.  (FAQ 39)  This guidance builds on a blog post published by the FTC's Chief Technologist, Steve Bellovin.
4. An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child's facial features or prescreens and deletes photos of children before posting them online.  (FAQs 43-45)  (But don't forget to scrub for metadata as well -- photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
5. A third party who is integrated on a child-directed site may rely on the "support for internal operations" exception to support the third-party's own internal operations.  There actually was text in the final COPPA Rule's Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear.  (FAQ 77)

In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:

The revised COPPA Rule takes effect on July 1, 2013. Approximately twenty industry organizations have asked the FTC to grant a six-month extension of this deadline so that industry has adequate time to implement unanticipated changes that were adopted in the final COPPA Rule and to incorporate the additional guidance outlined in the revised COPPA FAQs. A coalition of consumer groups, in contrast, have argued that no additional time is needed. Speaking at a seminar hosted by the International Association of Privacy Professionals earlier yesterday, Peder Magee, a senior attorney in the FTC's Division of Privacy and Identity Protection, declined to comment on whether the extension requests were likely to be granted.

So far this year, Utah, New Mexico, and Arkansas have enacted their own restrictions. Utah enacted two laws — the Internet Employment Privacy Act and the Internet Postsecondary Education Privacy Act — as part of one bill, HB100, which was signed into law on March 26 and takes effect May 14. New Mexico enacted two separate bills — SB 371 and SB 422 — focusing on employers and post-secondary schools, respectively. Both bills were signed April 5 and take effect on June 14. In Arkansas, a bill imposing restrictions on public and private post-secondary schools was enacted as Act 998 on April 8.  Below is more information about each.

Utah’s employment-focused law bars employers from asking employees or job applicants to disclose usernames or passwords to “personal Internet accounts” and also prohibits retaliation against employees or applicants who refuse such requests. The law defines a “personal Internet account” as “an online account that is used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer,” while specifically excluding “an account created, maintained, used, or accessed by an employee or applicant for business related communications or for a business purpose of the employer.”

The education-focused law imposes largely parallel restrictions on the ability of postsecondary schools to request that students or prospective students disclose usernames or passwords to their personal Internet accounts.

New Mexico

New Mexico’s employment-focused law makes it unlawful “for an employer to request or

require a prospective employee to provide a password in order to gain access to the prospective employee’s account or profile on a social networking web site or to demand access in any manner to a prospective employee’s account or profile on a social networking web site.” Notably, the law consistently refers only to “prospective” employees, without specifically addressing post-hiring practices.

The education-focused law makes it unlawful “for a public or private institution of post-secondary education to request or require a student, applicant or potential applicant for admission to provide a password to gain access” to his or her account or profile on a social networking web site or “to demand access in any manner” to those accounts or profiles. Colleges and universities also may not deny admission or take disciplinary action on the basis of a person’s having refused such a request.

Both laws define a “social networking web site” as “an internet-based service that allows individuals to: (1) construct a public or semi-public profile within a bounded system created by the service; (2) create a list of other users with whom they share a connection within the system; and (3) view and navigate their list of connections and those made by others within the system.”

Arkansas

The Arkansas law applies only to public and private post-secondary institutions such as colleges, universities, and vocational schools. These institutions may not “require, request, suggest, or cause” current or prospective employees or students to disclose usernames or passwords to their social media accounts. These institutions also may not require current or prospective students to change their account privacy settings or add school officials to their contact lists as a condition of participating in extracurricular activities.

The law defines a “social media account” as a “personal account with an electronic medium or service where users may create, share, or view user-generated content,” including but not limited to items such as videos, photos, blogs, or messages. The law does not apply to accounts provided by the school, opened on behalf of the school or at its request, or if the account is used to impersonate the school.

Schools may not penalize or fail to hire or admit anyone who exercises their rights under the statute.

Ensuring that your company has appropriate insurance coverage is a critical step in managing the risk of these kinds of claims.  Join us, along with Marsh Risk Consulting ― a global leader in insurance broking and risk management, for an interactive discussion that will cover the legal and practical issues facing corporate policyholders in connection with employment-related claims and liabilities.  The presentation will be held on Wednesday, April 17, 2013, from 3:00-4:30 pm at Covington & Burling, New York Times Building, 620 Eighth Avenue, New York, New York, 10018-1405.  A cocktail reception will follow the presentation.  There is no charge, but please RSVP to 202-662-6440 or RSVP9@cov.com by April 12th if you wish to attend.

1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and procedures for effectively deleting or destroying data once it is no longer needed by the company. 
2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications, emerge.   
3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customer’s personal information.   
5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.

Despite the close attention of regulators and the press to the privacy policies of Internet sites and services, including mobile applications, the number of consumer complaints concerning these entities remains relatively low.  Of the total number of complaints, Internet information services received 1.79%, social networking services received 0.25%, Internet gaming received 0.12%, and mobile applications and other mobile downloads received just 0.02%.  Consumers appear to be far more troubled with identity theft and fraud-related issues, which, combined, accounted for 70% of consumer complaints in 2012.

The bill, titled the “Social Networking Online Protection Act,” would bar employers from requesting or requiring that employees or job applicants provide the employer access to personal e-mail or social-networking accounts.  The bill also would bar employers from firing or otherwise retaliating against an employee or applicant for refusing or complaining about such a request. Violations would carry a civil penalty of up to $10,000, and the bill would authorize the Secretary of Labor to seek an injunction against practices that violate the law.

The bill would establish similar protections for students or applicants at colleges and K-12 schools receiving federal funds. 

Rep. Eliot Engel (D-N.Y.) introduced the bill, H.R. 537, with Reps. Jan Schakowsky (D-Ill.), Michael Grimm (R-N.Y.), Keith Ellison (D-Minn.), Paul Tonko (D-N.Y.), and Chellie Pingree (D-Me.) as co-sponsors.

Engel first introduced the bill in April 2012, but it never advanced beyond the subcommittee stage before the end of the 112th Congress.

As we have reported previously, several states -- including New Jersey, California, Delaware, Maryland, and Illinois -- have enacted similar restrictions on employer and/or school access to personal social-media accounts. A number of other states are considering similar measures.

The FTC alleged that the Path application included an “Add Friends” feature that allowed users to make new connections within the app.  Users were given three options when using the “Add Friends” functionality:  “Find friends from your contacts,” “Find Friends from Facebook,” or “Invite friends to join Path by email or SMS.”  Regardless of which option was chosen, Path automatically collected and stored contact information from the address book on the user’s mobile phone.  The FTC argued that this practice was contrary to representations made in the company’s privacy policy that only certain technical information, such as IP address, browser type, and site activity information, was automatically collected from the user.  Under the settlement, Path agreed to implement a comprehensive privacy program and obtain biennial, independent privacy assessments for the next twenty years. 

The Path settlement is one of several recent efforts to improve mobile app developers’ privacy practices, particularly in the area of children’s privacy.  On the same day that the Path settlement was announced, the FTC released new mobile app privacy guidelines.  These guidelines follow two FTC reports analyzing whether child-directed apps are providing adequate notice about their privacy practices, and the FTC has actively enforced COPPA against mobile app developers.  In addition to the FTC’s efforts, the Department of Commerce and State Attorneys General in California and New Jersey have been focused on mobile privacy issues as well.

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions.  The proposed guidance would not impose additional compliance obligations on institutions.  Instead, the guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. 

The proposed guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  The FFIEC warns that social media can impact a depository institution’s risk profile by increasing the risk of harm to consumers, compliance and legal risk, operational risk, and reputational risk. 

1. A governance structure with clear roles and responsibilities for the Board of Directors or senior management to direct how social media contributes to the strategic goals of the institution, establish controls, and assesses risk on an ongoing basis;
2. Policies and procedures regarding the use of social media and monitoring for compliance with consumer protection laws and regulations;
3. Due diligence for selecting and managing third-party service provider relationships in social media;
4. An employee training program for official, work-related use of social media and other uses of social media;
5. An oversight process for monitoring information posted to proprietary social media sites administered by the institution;
6. Audit and compliance functions to ensure ongoing compliance with internal policies and applicable laws and regulations; and
7. Parameters for appropriate reporting to the Board of Directors or senior management regarding the effectiveness of the risk management program.

The guidance also highlights the unique privacy risks raised by social media to institutions and their customers. In particular, the guidance notes the Gramm-Leach-Bliley Act, CAN-SPAM Act and Telephone Consumer Protection Act, Children’s Online Privacy and Protection Act, and Fair Credit Reporting Act as all posing unique compliance challenges to institutions using social media to advertise and provide financial products and services.

Comments to the proposed guidance must be submitted within 60 days of the guidance’s publication in the Federal Register. The FFIEC is requesting specific comment on the following three questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
3. Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

Under the new law, which applies to public and private higher-education institutions, schools cannot require a student or applicant to “in any way provide access” to “a personal account or service through an electronic communications device,” nor may schools “in any way inquire as to whether a student or applicant” has a social-media account. Schools may not retaliate against students who refuse to provide access to their accounts, and the law voids any agreement to waive the statute’s protections.

A separate bill pending in the New Jersey General Assembly would impose similar restrictions on the ability of employers to demand access to their employees’ personal online accounts. Both the General Assembly and the state Senate have approved versions of the bill, which is awaiting the General Assembly’s concurrence to a Senate amendment exempting law enforcement agencies and corrections departments. Unlike the student-focused law, the employer-focused bill includes a definition of “personal accounts” (as distinguished from business accounts) and an explicit exception for measures designed to comply with applicable laws, regulations, or the rules of self-regulatory bodies.

Maryland, Illinois, and California also have enacted legislation this year generally prohibiting the forced disclosure of employees’ personal social media accounts to employers.

Citing its decision in Costco, which we blogged about here, the decision found that the social media policy would reasonably tend to chill employees in the exercise of their Section 7 rights.  As in Costco, DISH Network's policy apparently did not contain an exception for NLRA-protected activity.

California Gov. Jerry Brown signed two bills into law on Sept. 27.  The first, A.B. 1844, bars employers from requiring or requesting that employees or job applicants disclose personal social media usernames or passwords, access personal social media accounts in the employer’s presence, or otherwise “[d]ivulge any personal social media.” Employers are barred from firing or otherwise retaliating against anyone who refuses to comply with a request that is prohibited under the law. Employers may require employees to disclose information needed to access employer-issued devices and may request access to personal social media the employer reasonably believes is relevant to a misconduct investigation.

S.B. 1349 creates parallel protections for students, prospective students and student groups at public and private colleges and universities.

Eric Goldman, posting at Forbes, expects that broad definition to have unintended consequences. Goldman also questions the law’s assumption that “personal” social media accounts can easily be distinguished from “non-personal” accounts, at least in the employment context.

As we have reported, Maryland and Illinois passed similar laws earlier this year restricting employers’ ability to demand access to employees’ social-media accounts. In addition, a Delaware law enacted in July prohibits public and private colleges and universities from demanding access to students’ personal social-media accounts under most circumstances.

The state laws vary on some key points. For instance, the Illinois law prohibits employers from demanding access to an employee or applicant’s account or profile on a “social networking website,” but the law excludes e-mail from the definition of such websites. In contrast, California’s definition of “social media” specifically includes e-mail, as well as a broad range of other types of online content.

The laws also differ on the scope of the prohibitions they impose. Maryland’s law bars employers from demanding usernames or passwords to employees’ personal accounts, while the California and Illinois laws also specifically prohibit employers from demanding that employees provide access to personal social-media accounts in other ways. The Delaware student-privacy law goes further, specifically barring colleges and universities from accessing student social-media profiles indirectly through the students’ friends or from installing monitoring software on students’ personal electronic devices.

Lawmakers have considered legislation on this topic in other states — including Washington, New Jersey and Colorado — as well as in Congress.

The order is the NLRB’s first on an employer’s social media policy.  The decision suggests that the NLRB may be implementing the approach reflected in a series of reports issued by NLRB general counsel Lafe Solomon analyzing employer social media policies under the NLRA. 

According to the court, the Plaintiffs’ first Complaint was over 150 pages, cited a confusing jumble of Texas, California, and federal laws, contained material that was repetitive and unnecessary, and showed “a general attitude of smug pomposity.”  Although the court had stated that it hoped the Plaintiffs’ Amended Complaint would fix these problems, it found that the Amended Complaint was more than twice as long and full of the same problems, leading the court to theorize that the Plaintiffs had “the court of public opinion in mind” when drafting it.

The court held that, because of these flaws, both versions of the Complaint violated Federal Rule of Civil Procedure 8(a)(2), which requires “a short and plain statement of the claim showing that the pleader is entitled to relief.”  Consequently, he dismissed the Complaints without prejudice, allowing the Plaintiffs to file a Second Amended Complaint within twenty days.  The judge warned, however, that if the next complaint does not comply with the “letter and spirit” of the Federal Rules, it will be dismissed with prejudice, ending the case. 

Twitter’s appeal consists of six primary arguments that fall within two key issues.  First, Twitter makes several arguments regarding why the protestor has standing under New York law and the SCA to challenge the subpoena issued to Twitter.  According to Twitter, New York law grants the protester standing because he has a proprietary interest in his tweets, as established in Twitter’s Terms of Service.  And the SCA provides standing under 18 U.S.C. § 2704(b), which allows a user who receives notice of a subpoena for account records to “file a motion to quash such subpoena . . . in the appropriate . . . state court.”

Second, Twitter argues that the protester’s tweets are protected by the Fourth Amendment to the U.S. Constitution and Article I, § 12 of the New York Constitution. Because the government cannot publicly access the tweets, Twitter claims, the protester maintains a reasonable expectation of privacy in them. (The government acknowledged that the tweets are no longer visible on the Twitter platform. It is unclear whether the tweets were deleted or are no longer visible for some other reason, such as that only the 3,200 most recent tweets remain visible.) Moreover, according to Twitter, even if the tweets are publicly available, case law suggests that public information that allows law enforcement to draw mere inferences about a citizen’s thoughts and associations is entitled to Constitutional protection.

The appellate brief is available here.

The legislation amends the Illinois Right to Privacy in the Workplace Act to make unlawful an employer’s request or requirement that an employee or prospective employee provide “any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website….”  The term “social networking website” means an Internet-based service that allows individuals to (1) construct a public or semi-public profile within a bounded system, created by the service; (2) create a list of other users with whom they share a connection within the system; and (3) view and navigate their list of connections and those made by others within the system.  The legislation makes clear that emails are not included in the term “social networking website.” 

Legislation to prohibit employer access to employee social networking information currently is being considered in several states, including Washington, New Jersey, California, and Colorado.

Among other things, the EDPS expressed support for: 

• The implementation of technical tools, such as age-appropriate default privacy settings, to enhance the privacy of children online.     
• Clear notice about the impact a change to a default setting would have on a child's privacy and the potential harm it may cause. In particular, the EDPS suggested that in some circumstances a child might not be permitted to change the default settings, or might change the defaults only with parental consent, stating that the "extent to which a child may change the default privacy settings should also be linked to the age and level of maturity of the child.  It should be explored to what extent, and within which age group, parental consent would be required to validate a change of privacy settings." 
• A requirement that service providers inform children about the level of sensitivity of each piece of information they provide when creating an online profile and about the potential risks or harms they may encounter when such information is disclosed to a defined group of people or to the public. 
• A restriction on industry's ability to create online behavioral advertising segments that target children.
• A legal mandate for industry to deploy an EU-wide reporting tool for content that is harmful to children.

And with respect to age verification, the EDPS stated that volunteered age information may not be reliable, but also recognized that age verification models that are designed to infer a user's age or verify the user's identity may involve a disproportionate amount of data collection and processing and could be unreliable as well. Without taking a firm position on age verification, the EDPS stated that age verification tools must take care to collect and maintain only "necessary data" and indicated that a future opinion will address the proposed Regulation on electronic identification and trust services.

As background, EU law currently does not include specific requirements for children. Instead, data protection authorities have interpreted existing data protection laws to require children's privacy and data protection rights to be respected in a manner appropriate to the child's level of maturity and comprehension.

The proposed EU Data Protection Regulation, however, would include requirements specific to children and harmonize children's privacy laws across the member states. Article 4(18) of the proposed Regulation would define a child as a person under the age of 18 years. Among other things, data controllers would be required to provide information to children in a language that the child can easily understand, provide children with a "right to be forgotten" online, and provide children with certain default, age-appropriate privacy settings. In addition, the proposed Data Protection Regulation would require verifiable parental consent before personal data of children under the age of 13 could be processed in the context of information society services.

The trial court judge found that the Fourth Amendment did not apply to the government’s subpoena.  The defendant had no privacy interests in his tweets, the judge held, because of the public nature of the Twitter platform.  Pointing out that the “very nature and purpose of Twitter” is to share messages with a broad online audience, the judge concluded that the “defendant’s contention that he has privacy interests in his Tweets . . . [is] without merit.”

In order to obtain the court order found in § 2703(d), the People must offer “specific and articulable facts showing that there are reasonable grounds to believe” that the Tweets “are relevant and material to an ongoing criminal investigation.”(18 USC § 2703[d]).  This court finds that the factual showing has been made.  In the response to the defendant’s motion, the People state that the information sought by the subpoena is needed to refute the defendant’s anticipated defense, that the police either led or escorted the defendant into stepping onto the roadway of the Brooklyn Bridge. 

In announcing the company’s decision to appeal the ruling, Twitter counsel Benjamin Lee explained that the trial court result “doesn’t strike the right balance between the rights of users and the interests of law enforcement.”

The trial court’s order in People v. Harris is available here.