FTC Hosts Workshop to Examine Comprehensive Data Collection

On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company's relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).


Government May be Immune to Suits Alleging Violations of FACTA

The U.S. Supreme Court ruled on Tuesday that the federal government does not always lose its sovereign immunity to damages lawsuits claiming that an agency violated the Fair and Accurate Credit Transactions Act (“FACTA”) by printing the expiration date of a credit card on a receipt issued to a consumer. In a unanimous decision, authored by Justice Antonin Scalia, the Court rejected a November 2010 ruling by the Federal Circuit that the Little Tucker Act authorized the government to be sued for money damages under the Fair Credit Reporting Act (“FCRA”), which FACTA amended.  

James Bormes, a Chicago lawyer, paid a $350 court filing fee through the federal government’s pay.gov system with his American Express card. He was sent an electronic receipt for the transaction, which contained his credit card’s expiration date. Bormes alleged that this violated FACTA's prohibition on printing expiration dates on credit card receipts issued at the point of sale.  He sued the government, seeking class-action status on behalf of thousands of people issued receipts that displayed card expiration dates or more than the last five digits of credit and debit card numbers (which FACTA also prohibits).

The district court initially dismissed the suit, finding that the FCRA does not contain an explicit waiver of the government’s sovereign immunity and could, therefore, not allow for the plaintiff’s damages claims. Bormes appealed to the Federal Circuit, which has exclusive jurisdiction for appeals in which a lower court’s jurisdiction was based partly on the Little Tucker Act. The government moved to transfer the suit to the Seventh Circuit, arguing that the Act’s jurisdictional provision did not apply. The Federal Circuit denied the motion and vacated the lower court’s ruling. The federal government then took the sovereign immunity issue to the Supreme Court.


DOT issues final rule on passenger rights

Yesterday the Department of Transportation issued its final rule on "Enhancing Airline Passenger Protections." The proposed rule had been published in December 2009 and received over 2,000 comments. One of the most controversial aspects of the original proposed rule was a requirement that airlines must provide all their fare and product information to Global Distribution Systems (GDSs) to enable full disclosure of product and price information to consumers. Most airlines and a number of commentators pointed out that this proposal would have a number of unintended consequences which would be detrimental to consumers, including impacting the privacy and security of passenger information. The GDSs and travel agency groups disagreed and welcomed the requirement. In Monday's final rule the DOT states that it needs more time to consider this issue in relation to the GDSs and thus has deferred its decision on this requirement. Thus the debate on this topic will continue.

Survey Indicates Banks Taking "Wait and See" Approach to Mobile Payments

Fiserv, Inc. recently released the results of a survey suggesting banks are taking a "wait and see" approach to mobile payments. Fiserv commissioned and Forrester Consulting conducted the survey of 15 large U.S. banks, which found that most of the banks offered mobile banking services allowing customers to make transfers between accounts, find an ATM, and pay bills online. Only one of the banks offered mobile banking for purposes of person-to-person payments and none offered mobile banking for making brokerage trades. The survey found that all of the banks had clear mobile banking strategies but few had a defined strategy for mobile payments, including point-of-sale or contactless payments and person-to-person payments.

The law governing mobile payments is a complex blend of existing laws including the Electronic Fund Transfer Act and Gramm-Leach-Bliley as well as rapidly-changing state laws. In deploying mobile payment technologies, depository institutions should carefully analyze and address all of the relevant authorities.

Privacy increasingly a factor in antitrust/competition law analysis

I attended the ABA's Antitrust Law Spring Meeting the last two days. What struck me the most was the increased prominence of data and privacy as factors in analysis of markets and competition in antitrust law. This was the topic in the Chairman's Showcase session on Thursday. Julie Brill, the FTC Commissioner, perhaps made the point the best. She explained that if privacy is becoming a competitive differentiator (e.g., consumers are persuaded to use one service over another because the chosen service has better privacy practices), then privacy is clearly a non-price factor in competition law analysis. Commissioner Brill provided an overview of the FTC's report on consumer privacy and emphasized three parts of the report: privacy by design, transparency and choice. She also emphasized that the FTC was focused on the fact that technical approaches to privacy solutions could impact competition in the market. However, her view was that standards bodies would mitigate against this concern. Ken Anderson, Assistant Commissioner for Privacy in Ontario, provided an explanation of privacy by design. Much of the information from his presentation is readily available in a useful video presentation at www.privacybydesign.ca.

HP demonstrated an automated tool that it is testing as part of its privacy by design implementation which looked impressive. The HP "Accountability Model Tool" sends records and reports to the HP privacy office as products are developed. Google introduced the audience to the "data liberation front" which enables users to extract their data from Google products - see www.dataliberation.org.


Implications of the FTC Report and DOC Green Paper for IT Contracts

We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  We have also published client alerts on the FTC report and the DOC green paper.  In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.  

My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners. 

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs. 

