Inside Privacy - Updates on Developments in Global Privacy & Data Security

As we have been documenting, recently Congress and a number of state legislatures have been considering legislation that would prevent employers from demanding social networking site passwords from employees and job applicants, and Maryland has already enacted such a law.  These bills have gained support amid reports of some employers demanding access to social networking accounts from job-seekers.  The latest developments took place in California and New Jersey:

• The California Assembly unanimously approved a bill, A.B. 1844, that would prohibit employers from demanding social media account passwords from employees or prospective employees.  The bill does not specify a remedy for violations.  To become law, the bill must be passed by the state Senate and signed by the governor.  A bill on the same topic, S.B. 1349, is under consideration in the Senate Appropriations Committee.
• In New Jersey, the Consumer Affairs Committee of the New Jersey Assembly approved a two-bill package (A2878 and A2879) that would prohibit employers or from requiring current or prospective employees to disclose user names or passwords for social media sites.  The bills also would apply to colleges and universities with respect to students or applicants.  The bills authorize private civil suits for violations.

Yesterday, Maryland became the first state to pass legislation banning employers from asking employees or job applicants to provide their passwords to social media sites.  The legislation also prohibits employers from taking, or threatening to take, disciplinary action on employees or applicants who refuse to disclose such information. The bill now has to be signed into law by Maryland Governor Martin O’Malley. 

The Maryland legislation was spurred by an incident in which, during a recertification interview, a Director of Corrections officer reportedly was asked to provide his Facebook account information so that his interviewer could log into his account and review activity.

Beyond Maryland, this issue has gained widespread attention recently at both the federal and state law, as we’ve written previously.  Lawmakers in multiple other states, including Washington, New Jersey, California, Illinois, and Colorado have introduced, or indicated they plan to introduce, similar legislation.  Additionally, Senators Charles Schumer (NY) and Richard Blumenthal (CT) have asked the Equal Employment Opportunity Commission and Department of Justice to investigate whether employers violate any privacy, fraud, or anti-discrimination laws by demanding access to job applicants' social networking accounts for hiring purposes.

Over the last few weeks, a number of cosponsors have been added to the Do Not Track Kids Act of 2011 (H.R. 1895), bringing the total number of cosponsors to 29.  The bill was introduced by Rep. Markey and Rep. Barton on May 13, 2011.  Earlier this month, the two members also hosted a Congressional briefing to discuss how to protect children and teens online.

As we blogged about here, the bill would expand the Children’s Online Privacy Protection Act ("COPPA").  In addition, the bill would introduce new privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that operators of websites and online services provide "eraser buttons" that enable the deletion of personal information shared publicly by minors.

We will continue to monitor this legislation as these two senior, bipartisan members of the Committee press for a mark-up of their bill.  

The FTC staff released a report today calling for participants in the mobile app ecosystem -- including app developers, app stores, and third parties who collect data through mobile apps -- to provide better privacy notices to parents about mobile apps directed to children, and warning that over the next six months, staff will be conducting additional reviews "to determine whether there are COPPA violations and whether enforcement is appropriate."

The report is based on the staff's survey of apps offered in the Android Market and the Apple App store. Staff focused on "the types of apps offered to children; the age range of the intended audience; the disclosures provided to users about the apps’ data collection and sharing practices; the availability of interactive features, such as connecting with social media; and the app store ratings and parental controls offered for these systems."

Notably, the report stated that the FTC expects the whole app ecosystem to "play an active role in providing key information to parents who download apps." Specifically, the report outlined the following:  

• App developers should provide parents information about (1) what information an app collects, (2) how the information will be used, and (3) with whom the information will be shared, using short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with social media, or allows targeted advertising to occur through the app.
• Third parties that collect information through apps should disclose their privacy practices, whether through a link on the app promotion page or another easily accessible method.
• App stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. The FTC stated, for example, that app stores could provide a designated space for developers to disclose this information and standardized icons to signal specific features, such as connections with social media services. In addition, the FTC emphasized that app stores should be enforcing developer agreements that require developers to disclose the information their apps collect.

The report expressed a preference for disclosures that are provided prior to the parent's purchase of the app, noting that "[i]nformation provided to parents after downloading an app is, in staff’s view, less useful in the parent’s decision-making since, by then, the child may already be using the app and the parent already could have been charged a fee."

In addition, the report focused on disclosures involving in-app purchases, interactive features, and targeted advertising.  The report states that the FTC is considering whether additional protections are needed with respect to in-app purchase capabilities in apps for children.  It emphasized that "confusing and hard-to-find disclosures do not give parents the control that they need in this area." Staff believe that the presence of social features within an app is highly relevant to parents selecting apps for their children, and that such functionality should be disclosed prior to download.  And the report states that "parents need clear, easy-to-read, and consistent disclosures regarding the advertising that their children may view on apps, especially when that advertising is personalized based on the child’s in-app activities.”

As we have blogged about here and here, the FTC currently is reviewing its rules implementing the Children’s Online Privacy Protection Act, which governs the online collection, use, and disclosure of personal information from children under the age of 13.  

Earlier today, the House of Representatives approved an amendment to the Video Privacy Protection Act (VPPA) (H.R. 2471) that would clarify certain ambiguities in the 1988 law in light of technological changes in the marketplace.  In his remarks on the House floor, Rep. Bob Goodlatte (R-VA) – the primary author of H.R. 2471– explained that the amendment will facilitate the sharing of video usage information on social media networks. 

During a debate on the legislation, Rep. Melvin Watt (D-NC) opposed the bill as he did in the committee markup, expressing concern about the adequacy of one-time consent to the sharing of information on dynamic social media sites.  He emphasized the sensitivity of video usage information and expressed concerns about whether Congress has given sufficient thought to the impact of H.R. 2471 on state video privacy laws.  Rep. Watt also questioned the propriety of Congress acting in light of a number of pending private law suits under the VPPA.  Rep. John Conyers, Jr. (D-MI) lent his support to H.R. 2471, but stated that he would have preferred the bill require consumers to renew their consent periodically.

Under the VPPA, which was passed long before the Internet was widely available, “video tape service providers” generally are not permitted to share a consumer’s video usage information without “the informed, written consent of the consumer given at the time the disclosure is sought.”  If enacted into law, H.R. 2471 would clarify this limitation in the context of online distribution in the following ways:

Continue Reading

Judge Koh of the District Court for the Northern District of California recently granted LinkedIn’s motion to dismiss with leave to amend in Low v. LinkedIn.  Covington represents LinkedIn in this case, in which Plaintiff alleges that he suffered injury by virtue of LinkedIn’s purported transmittal of a unique UserID to certain third parties as a portion of a URL referrer header.

The Court held that the plaintiff had not alleged sufficient injury-in-fact to satisfy Article III standing, because “Plaintiff has failed to put forth a coherent theory of how his personal information was disclosed or transferred to third parties, and how it has harmed him.”  In making this determination, the Court rejected Plaintiff’s theories of  “emotional” and “economic” harm.

With respect to emotional harm, the court noted that Plaintiff was “unable to articulate a theory of what information had actually been transmitted to third parties, how it had been transferred to third parties, and how LinkedIn had actually caused him harm.”  Similarly, in considering Plaintiff’s theory of economic harm, the Court held that Plaintiff’s allegations were “too abstract and hypothetical to support Article III standing,” citing a growing body of precedent, including Judge Koh’s own recent decision in In re iPhone Application Litigation, in which courts have held that the unauthorized collection of personal information does not create an economic loss.  Quoting Specific Media, the Court observed that Plaintiff had failed to allege how he was foreclosed from capitalizing on the value of his personal data or how he was “deprived of the economic value of [his] personal information simply because [his] unspecified personal information was purportedly collected by a third party.”

Continue Reading

Following a public comment period that began in March of this year, the Federal Trade Commission has accepted as final a settlement with Google relating to the social network “Buzz” product that was launched in 2010.  (For more details about the Buzz product and its launch see Inside Privacy’s prior post, here).  As the Commission’s press release states, “The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz . . . .”

The Commission voted 4-0  to approve the settlement, which imposes numerous requirements on Google, including:

Continue Reading

The Federal Communications Commission has adopted rules implementing the Protecting Children in the 21st Century Act. Like the Act, the FCC's rules require elementary and secondary schools that have applied for discounted Internet access services through the FCC's E-rate program to certify that the school's Internet safety policy provides for the education of minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and increasing cyberbullying awareness.

This requirement builds off existing rules that schools participating in the E-rate program certify that their Internet safety policy includes a technology protection measure, such as filtering software, that protects against Internet access through the school's facilities to visual depictions that are (1) obscene, (2) child pornography, or (3) harmful to minors.  An earlier audit administered by the Universal Service Administrative Company (which administers the E-rate program) had found that a school violated this requirement by allowing access to certain social networking websites.  In its Order, the FCC clarified that social networking websites are not per se "harmful to minors," noting that a contrary conclusion would be inconsistent with the Protecting Children in the 21st Century Act's focus on educating minors about how to interact with others on social networking websites.  The FCC also quoted a recent U.S. Department of Education report, which found that social networking websites have the potential to support student learning. 

Your company has just launched an innovative new social media service, and you’ve received fanfare from the press, increased website traffic, and a spike in advertising revenues.  In short, the service is a complete success — until you’re served with a class action complaint seeking millions of dollars in damages and a civil investigative demand from the FTC.  What did you do wrong, and what can you do to get out of this mess?

That’s the question that I recently explored as a part of a panel at the summer meeting of the Virginia Bar Association on the benefits and risks of social media.  On the panel, we discussed the many ways that social media has influenced law and policy over the past few months and highlighted what businesses and their lawyers need to understand about privacy issues online in order to avoid litigation and regulatory enforcement. 

One of the main reasons that companies face litigation and investigations in the social media area is that they haven’t fully evaluated the information that they are collecting through social media and how that information is (or could be) used.  That is why the discussion on privacy today is coalescing around the concept of “privacy by design,” which Kashmir Hill at Forbes recently described as companies “bak[ing] privacy into their products” rather than considering privacy only reactively.  (You can read more about privacy by design here.)

Continue Reading

by Rob Sherman and Allison Ray

The FTC’s recent announcement [PDF] that it will update its decade-old guidance on online advertising—known as Dot Com Disclosures [PDF]—has inspired animated industry discussion.

In its request for comments, the FTC highlighted that forums for online advertising that we take for granted today -- such as social media and mobile apps -- didn't exist when the Disclosures were released in 2000, and so the guidelines will need to be updated to address these new forms of communication.  (Eric Robinson discusses this point in his post at the Citizen Media Law Project,)  For companies that place or distribute online advertising, these changes may have a particularly significant impact, particuarly since they will need to be framed in a way that is flexible enough to account for changes in the industry and technology that we haven't yet seen. 

When they were first released, the FTC intended the Dot Com Disclosures to import traditional advertising disclosure rules into the online context. The guidelines set a performance standard for disclosures rather than a technical checklist, allowing marketers some flexibility in creating disclosures as long as disclosures met a “clear and conspicuous” standard. Both the FTC and industry commenters noted the danger of creating overly rigid rules at a time when consumer understandings and the internet itself were constantly transforming.

Continue Reading

For the second time in a week, the California Senate has voted down “The Social Networking Privacy Act” (S.B. 242), a bill that would have required social networking services to, among other things, restrict the sharing of information by default, establish a process for new users to configure privacy settings during registration, and remove all of a user’s personal information from the service within 96 hours of the user’s request for removal. 

The bill had been vigorously opposed by leading Internet companies who argued that the bill would harm California’s economy and violate the U.S. Constitution. 

S.B. 242, which would have been the first law to specifically target the privacy practices of social networking services, is not the only controversial privacy bill to have been recently introduced in the California Senate.  S.B. 761, which would establish a “do not track” requirement to be implemented by the California attorney general, has also raised constitutional concerns.  As we noted in this previous post, S.B. 761 would prohibit any covered entity (a term that is broadly defined) from selling, sharing or transferring a consumer’s information.   This provision has been amended since our post to provide a limited exception allowing a covered entity to share information when necessary to complete a transaction.  Some have argued that even with this exception, the restriction on sharing would violate the Dormant Commerce Clause and the First Amendment.      

The Federal Trade Commission today reached a $3 million settlement with 20 operators of online virtual worlds.  The settlement is the largest civil penalty that the FTC has obtained to date for a violation of the Children's Online Privacy Protection Act (COPPA). 

The FTC alleged that the operators collected children’s ages and email addresses during registration and then enabled children to publicly post their full names, email addresses, instant messenger IDs, and location, among other information, on personal profile pages and in online community forums before obtaining parental consent.  Specifically, if a user entered age information indicating he or she was under 13, the operator displayed a message warning the user that: "You are under 13 years old and we cannot ask you for your email address.  In order to register, you must ask your Parent or Guardian to fill out this screen..."  Once a parent's email address was provided, the child was granted full access to the virtual world.  The FTC did not believe this approach constituted the verifiable parental consent required for public disclosures of children's information.  The FTC made similar claims against the social networking website Imbee.com in 2008.  

Children's privacy is receiving the heightened attention of regulators.  For example, last week Senator Markey released a discussion draft of his Do Not Track Kids Act.  The bill would expand COPPA's scope and impose new restrictions on the collection, use, and disclosure of information from children, and, in some cases, individuals under the age of 18.  In addition, the FTC is expected to announce the next steps in its COPPA Rule review in the next few months. 

I attended the ABA's Antitrust Law Spring Meeting the last two days.  What struck me the most was the increased prominence of data and privacy as factors in analysis of markets and competition in antitrust law.  This was the topic in the Chairman's Showcase session on Thursday.  Julie Brill, the FTC Commissioner, perhaps made the point the best.  She explained that if privacy is becoming a competitive differentiator (e.g., consumers are persuaded to use one service over another because the chosen service has better privacy practices), then privacy is clearly a non-price factor in competition law analysis.  Commissioner Brill provided an overview of the FTC's report on consumer privacy and emphasized three parts of the report: privacy by design, transparency and choice.  She also emphasized that the FTC was focused on the fact that technical approaches to privacy solutions could impact competition in the market.  However, her view was that standards bodies would mitigate against this concern.  Ken Anderson, Assistant Commissioner for Privacy in Ontario provided an explanation of privacy by design.  Much of the information from his presentation is readily available in a useful video presentation at  www.privacybydesign.ca. 

HP demonstrated an automated tool that it is testing as part of its privacy by design implementation which looked impressive. The HP "Accountablity Model Tool" sends records and reports to the HP privacy office as products are developed.  Google introduced the audience to the "data liberation front" which enables users to extract their data from Google products - see www.dataliberation.org.

Continue Reading

Yesterday, the American Bar Association Forum on Communications Law and the ABA Center for Continuing Legal Education sponsored the program "Marketing to Minors: Traps for the Unwary in a Rapidly Evolving Legal Landscape."  Representatives from the Federal Trade Commission, Federal Communications Commission, and Gannett provided an overview of the current rules for marketing to children, discussed the status of a number of ongoing proceedings that propose changes to these rules, and explained how industry is reacting. 

Of particular interest were the remarks of Phyllis Marcus, senior staff attorney in the FTC's Division of Advertising Practices.  Ms. Marcus explained why the agency is undertaking a review of its COPPA Rule and noted that she didn't think the agency was "too far away" from making a decision on whether or not the Rule needs updating.  (COPPA governs website operator's online collection, use, and disclosure of personal information from children under 13.)  Ms. Marcus also explained that, even though Facebook requires users to be 13 or over, marketers with Facebook pages "should be reviewing pages and unfriending people who are, or appear to be, underage."  She acknowledged that some might view this interpretation as "controversial," but encouraged marketers to adopt this approach as a best practice.  And if a marketer's Facebook page is likely to attract children, she warned that the marketer needs "to be very, very careful."

Rob Pegoraro at The Washington Post reported today on Facebook's announcement that it will offer users a way to download all of the information they've uploaded to the service.  The move is an implicit response to critics who complain about social media services that lock users in by preventing them from recovering their data.

Based on Facebook's announcement, it looks like Facebook is offering a particularly easy-to-use portability feature.  But Facebook isn't alone in offering this functionality -- industry leaders like Microsoft and Google have been focused on data portability for years.

What Facebook's announcement leaves out is that, in the data portability world, it takes two to tango.  For portability to work in the long run, the various services will need to work together to develop standards that allow data exported from one service to be imported just as easily into another.  The members of the DataPortability Project -- which include Facebook, Microsoft, Yahoo, LinkedIn, and MySpace -- are working toward that goal, and it will be interesting to see how that work develops.  But in the meantime, Facebook's new feature offers a promising glimpse of new functionality that may come out of the standards process.