Inside Privacy - Updates on Developments in Global Privacy & Data Security

Earlier today, members of Congress and regulators gathered for a symposium on “The Impact of Media on the Health & Well-Being of Children.”   Participants included Congressman Edward Markey (D-MA), Congresswoman Debbie Wasserman Schultz (D-FL), Senator Richard Blumenthal (D-CT), Jon Leibowitz, Chairman, Federal Trade Commission, and Mignon Clyburn, Commissioner, Federal Communications Commission, as well as researchers and members of the public interest community.  In response to a question, Chairman Leibowitz informed the audience that the FTC expects to issue a revised Children’s Online Privacy Protection Act (“COPPA”) Rule by “the end of the year and hopefully sooner.” 

During their remarks, Congressmen Markey and Wasserman Shultz each expressed support for the Do Not Track Kids Act of 2011 (H.R. 1895), which we have blogged about here.  The bill would expand privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that website operators provide “eraser buttons” to enable the deletion of personal information shared publicly by minors.  Senator Blumenthal also indicated that he was supportive of the legislative proposal, which he described as “common sensical,” although he stated that there likely would be substantial concern among advertisers and other stakeholders about implementation issues.

Continue Reading

Yesterday, the FTC announced that MySpace has agreed to settle charges that it engaged in deceptive practices by disclosing personal information to third parties despite statements in its privacy policy suggesting it would not engage in such sharing.  The proposed settlement with MySpace reflects the FTC’s continuing concern with the privacy practices of social networking services and follows on the heels of settlements with Facebook, Twitter, and Google (the latter relating to Google's "Buzz" social networking service).  Like Facebook and Google before it, MySpace agreed to a consent order that (if it becomes final) would require the company to implement a comprehensive privacy program and submit to third-party privacy audits for the next 20 years. 

As with many of the incidents involving consumer privacy that have been subject to recent FTC action (as well as private litigation), MySpace’s practices appear to have been first explored by the Wall Street Journal, as part of its “What They Know” series on online privacy.

The Federal Trade Commission recently announced a preliminary agenda for its upcoming public workshop called Advertising and Privacy Disclosures in a Digital World.  The goal of the workshop is to discuss revisions to the Dot Com Disclosures, the FTC’s current guidance document on online advertising disclosures, which was published in 2000. The Dot Com Disclosures discusses the application of consumer protection laws and Commission rules to online advertising, and how companies can make required advertising disclosures “clear and conspicuous.” The workshop will explore how to revise the Dot Com Disclosures in light of developments in online and mobile advertising, and the advent of social media. The FTC sought public comment on possible revisions last year, and solicited input for discussion topics when it announced the workshop in February.  The preliminary agenda features four panels: (1) Universal and Cross-Platform Advertising Disclosures, (2) Social Media Advertising Disclosures, (3) Mobile Advertising Disclosures, and (4) Mobile Privacy, and lists two to three specific questions that it plans to discuss at each panel.  For example, the social media panel will discuss “the challenges and best approaches to making adequate disclosures on social media platforms that restrict message length."

The workshop will be held on May 30, 2012 at the FTC Conference Center, 601 New Jersey Avenue, NW, Washington, DC.    The program begins at 8:30 am and will conclude at 5:30 pm.  The workshop is free, open to the public, and no registration is required.  The FTC will also provide a webcast.

Last week, a district court declined to stay a lawsuit against Google Inc. and group-texting service Slide, Inc. alleging a violation of the Telephone Consumer Protection Act (“TCPA”).  The court found that a related, ongoing proceeding at the Federal Communications Commission relating to the scope of the definitions of “consent” and “automatic telephone dialing system” under the Act did not compel the court to stay the case.  Applying the doctrine of primary jurisdiction, the court concluded that it was as competent to determine the scope of the definitions of these terms as the FCC.

In a separate, but related proceeding, the FCC has requested public comments on the question of whether a company violates the TCPA when it sends a text message to a subscriber’s mobile device to confirm that the subscriber has opted out of receiving text messages ― a practice that is endorsed under the Mobile Marketing Association’s best practices guidelines.  This issue is also the subject of ongoing court proceedings:  there are more than a dozen lawsuits pending against companies for sending such confirmation messages.

The FCC received initial comments yesterday, including comments from industry participants, such as the Mobile Marketing Association and the CTIA―The Wireless Association, urging the Commission to find that one-time, precise opt-out confirmation text messages are not prohibited by the TCPA.  While the National Association of Consumer Advocates argued that even one-time confirmatory text messages should be understood to violate the TCPA, the Future of Privacy Forum agreed with industry commenters, stating that one-time opt-out confirmation text messages help protect individual privacy.  Reply comments are due to the FCC May 15, 2012. 

As we previously have reported, Congress also is considering the need for legislation to amend the TCPA to clarify the scope of limitations under the Act.

Following on its passage on Thursday of the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523) and the Federal Information Security Amendments Act of 2012 (H.R. 4257), the House on Friday approved two additional cybersecurity measures.

The Cybersecurity Enhancement Act (H.R. 2096), sponsored by Rep. Michael T. McCaul (R-TX), passed by a vote of 395-10. The bill would require certain federal agencies to develop and submit to Congress a cybersecurity strategic research and development plan that takes into consideration the views of stakeholders in industry and academia. The bill would also provide scholarships for students studying cybersecurity, in exchange for federal or other government service after graduation.

The Advancing America’s Networking and Information Technology Research and Development Act of 2012 (H.R. 3834), sponsored by Rep. Ralph Hall (R-TX), passed on a voice vote. This bill also addresses cybersecurity research and development and would require certain federal agencies to develop periodically updated strategic plans for achieving cybersecurity research and development goals, taking into account recommendations from stakeholders. The bill would encourage agencies to support large-scale, long-term, interdisciplinary research activities that have the potential to improve, inter alia, U.S. economic competitiveness. In addition, the bill would require the Director of the National Coordination Office, which reports to the White House’s Office of Science and Technology Policy, to establish a task force of academic, industry, and government representatives to explore mechanisms for collaborative research and design, and to convene a governmental interagency working group to address increasing use of cloud computing for research.

On Thursday, the House voted on and passed two cybersecurity bills.

The Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523), sponsored by Rep. Mike Rogers (R-MI) and more than a hundred other Congressmen, passed by a vote of 248-168. As previously discussed on this blog, CISPA would facilitate information sharing between private entities and the intelligence community via the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and would provide liability protection for entities that share cyber threat information. 

Despite a formal statement by the White House threatening a Presidential veto of CISPA in its then-current form, the bill garnered bipartisan support, with 42 Democrats and 206 Republicans voting in favor. Before the final vote, the House adopted several amendments. One of the amendments limits the federal government to using shared cyber threat information for five enumerated purposes: cybersecurity, investigation and prosecution of cybersecurity crimes, protection of individuals from death or serious bodily harm, protection of minors from sexual exploitation or physical threat, and protection of national security.

The House also passed by a voice vote the Federal Information Security Amendments Act of 2012 (H.R. 4257), sponsored by Rep. Darrell Issa (R-CA). The bill would reform the Federal Information Security Management Act of 2002 to provide for automated and continuous monitoring of the security of government information systems. FISMA reform is also included in the two cybersecurity bills pending in the Senate, the Cybersecurity Act of 2012 (S. 2105), introduced by Sen. Joseph Lieberman (I-CT), and the SECURE IT Act (S. 2151), introduced by Sen. John McCain (R-AZ).

Earlier this week, Federal Communications Commission Chairman Julius Genachowski, together with major U.S. wireless carriers and chiefs of police, announced a plan to develop databases that will allow consumers whose mobile devices have been stolen to render the devices inoperable on mobile networks.  The database will be created over the next eighteen months. 

Using the planned system, customers could report their phone stolen to their carrier, which would then render the phone inoperable on its network remotely using the unique ID associated with each mobile device.  At first, carriers would only render the stolen device inoperable on their own network; eventually, carriers will work together to render devices inoperable on all major networks.  The database system will be created by major U.S. wireless carriers, including Verizon, AT&T, T-Mobile, and Sprint, with the support of phone manufacturers, mobile OS makers, and CTIA, the wireless industry trade association. 

Genachowski stated that Senator Chuck Schumer (D-NY) will introduce legislation that would support the initiative by making it a crime to tamper with the unique identifiers on mobile devices.  He also stated that wireless carriers would set up automatic prompts on devices encouraging consumers to use passwords and that the FCC and others would undertake a public education campaign promoting mobile device security, including promoting use of remote “wipe” data erasure features in the event of theft.

It is possible that this development and others like it will improve consumer confidence in the security of data on mobile devices; as we have discussed previously, consumer concerns over mobile data security reportedly have hindered the growth of certain mobile services that depend on sensitive data, such as mobile financial services. 

Yesterday, Maryland became the first state to pass legislation banning employers from asking employees or job applicants to provide their passwords to social media sites.  The legislation also prohibits employers from taking, or threatening to take, disciplinary action on employees or applicants who refuse to disclose such information. The bill now has to be signed into law by Maryland Governor Martin O’Malley. 

The Maryland legislation was spurred by an incident in which, during a recertification interview, a Director of Corrections officer reportedly was asked to provide his Facebook account information so that his interviewer could log into his account and review activity.

Beyond Maryland, this issue has gained widespread attention recently at both the federal and state law, as we’ve written previously.  Lawmakers in multiple other states, including Washington, New Jersey, California, Illinois, and Colorado have introduced, or indicated they plan to introduce, similar legislation.  Additionally, Senators Charles Schumer (NY) and Richard Blumenthal (CT) have asked the Equal Employment Opportunity Commission and Department of Justice to investigate whether employers violate any privacy, fraud, or anti-discrimination laws by demanding access to job applicants' social networking accounts for hiring purposes.

In the face of calls by the FTC for improved mobile privacy protections, as well as interest by members of Congress, mobile advertising companies are actively working on privacy initiatives.  Yesterday, a group of companies in the mobile advertising industry announced that they are working to create an industry standard for anonymous mobile device identification.  The Companies include Velti PLC, Jumptap, RadiumOne, mdotm, StrikeAd, Smaato, Adfonic and SAY Media.  This standard would replace the need to use unique device ID numbers.

Also this week, TrustE announced the creation of a tool to provide consumers with a single source of information about the information being collected from them both online and through mobile apps.  The TrustED Mobile Ads tool would allow consumers to opt out of receiving mobile ads through this unified platform.

These industry self-regulatory efforts come at a time when the FTC and members of Congress have expressed concern about consumer privacy in the mobile ecosystem.  As we previously reported, last month’s FTC report called for improved mobile privacy protections and urged the mobile industry to develop standards to address data collection, transfer, use, and disposal in the mobile context.  The topic will be addressed at a workshop that the FTC is hosting May 30, 2012.

This week the U.S. Supreme Court held in Federal Aviation Administration v. Cooper that an individual harmed by a federal agency’s violation of the Privacy Act cannot recover damages unless he or she is able to prove an economic loss.  Under the Privacy Act, federal agencies are prohibited from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains,” unless one of twelve statutory exceptions applies.  An individual may sue an agency for “actual damages” if the agency intentionally or willfully violates the Act’s requirements. 

At issue in the case was whether mental and emotional distress could constitute “actual damages.”  The respondent, a pilot whose pilot certificate was revoked based on medical records that were wrongfully disclosed by the Social Security Administration (SSA) to another government agency, claimed that the SSA’s disclosure of his confidential medical information (including his HIV status) had caused him mental and emotional distress.  Acknowledging that the meaning of “actual damages” is ambiguous and varies depending on the context, Justice Alito, writing for a 5-3 majority (Justice Kagan did not participate in the case), interpreted the term narrowly in the government’s favor based on the concept of sovereign immunity, which limits a person’s ability to recover from sovereign governments.  Under this narrow interpretation, “actual damages” as used in the Privacy Act requires an economic loss and excludes recovery for mental and emotional distress.  Consequently, the respondent was left without recourse for the SSA’s unlawful disclosure of his medical information.     

Although the holding turned on the fact that the federal government -- as opposed to, for example, a private entity -- disclosed the information, the majority opinion drew parallels between the Privacy Act and common law defamation and privacy torts to differentiate between “general damages” and “special damages.”  Justice Alito equated “actual damages” with “special damages,” which he argued are limited to pecuniary losses.  In contrast, he argued that “general damages” cover nonpecuniary damages, including mental and emotional distress.   

By Daniel Kahn and Kerry Monroe

Following more than a year of deliberation, the Federal Trade Commission today released its seminal report on consumer privacy, entitled Protecting Consumer Privacy in an Era of Rapid Change.  The report contains “best practices” for businesses as well as recommendations to Congress for legislation.  The final report issued today builds upon and revises a preliminary FTC staff privacy report previously released in December 2010.  At a press conference announcing the release of today’s report, FTC Chairman Jon Leibowitz stated that in promulgating the report, the FTC does not “want to erect a stoplight” to innovation but rather to “monitor the traffic.” 

The report proposes that companies adopt “privacy by design” principles, provide consumers simpler choices about privacy, and offer greater transparency into their data practices.  The report also advocates data security and breach notification legislation as well as legislation concerning data brokers and asks Congress to consider baseline privacy legislation.  In addition, it outlines privacy regulatory priorities for the FTC for the next year, including Do Not Track, mobile, promoting self-regulatory codes, and addressing data brokers and “large platform providers.” 

Privacy Framework — Generally

The centerpiece of the report is a privacy “framework” recommended by the FTC.  Unlike some federal agencies, the FTC does not have general rulemaking authority, so the framework does not provide a set of binding rules.  Instead, the FTC describes its framework as a set of “best practices” designed to guide industry, consumers, and regulators.  However, as Commissioner J. Thomas Rosch notes in his dissent from the report, the FTC’s framework may provide guidance on when the FTC will exercise its authority to take enforcement action against “unfair” or “deceptive” trade practices.  Accordingly, the FTC’s framework is noteworthy.

Privacy Framework — Scope

Companies:  The framework generally applies to almost all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.  However, contrary to the preliminary staff report issued in December 2010, the final framework excludes entities that collect “only non-sensitive data from fewer than 5,000 consumers per year and do[] not share that data with third parties.”  Sensitive data includes, but is not necessary limited to, Social Security numbers and financial, health, children’s, and precise geolocation data.  The framework does not apply to the extent that a requirement would conflict with the requirements of a sector-specific privacy law such as GLBA or HIPAA.

Data:  Despite concerns raised by some commenters about the extent to which the framework should apply to data collected offline, the final report reiterated that that framework “applies in all commercial contexts, both online and offline.”  It also applies broadly to all “consumer data that can be reasonably linked to a specific consumer, computer, or other device.”  Companies may render data not “reasonably linked” and therefore not within the scope of the report if they: (1) take reasonable measures to ensure the data is de-identified, i.e. anonymized; (2) publicly commit to maintaining the data in de-identified form; and (3) prohibit, by contract, the re-identification of the data by any third parties to whom the company makes the data available.

Privacy Framework — Privacy By Design

In its report, the FTC continues to support the proposed “privacy by design” principles described in its draft report, which shift the burden away from consumers and place obligations on businesses to treat consumer data in a responsible manner.  The FTC does, however, respond to a number of comments on the principles, noting that broad support for the privacy by design concept was especially encouraging in light of the increasingly global nature of data transfers.

Providing Reasonable Security for Consumer Data:  The FTC makes note of a variety of data security protection initiatives implemented by certain private sector entities, and it calls on industry sectors to develop and implement best data security practices. 

Limiting Collection of Consumer Data:  In response to commenters’ concerns about vagueness and potential inflexibility in the FTC’s approach to limiting the collection of consumer data, the FTC clarifies the collection limitation principle as follows:  Companies should limit consumer data collection to that which is consistent with the context of a particular transaction or to the consumer’s relationship with the business, or as required or specifically authorized by law.

Implementing Reasonable Data Retention and Disposal Policies:  The FTC confirms its conclusion that companies should implement reasonable restrictions on the retention of data and should dispose of data once it has outlived the legitimate purpose for which it was collected.  Retention periods, however, can be flexible and scaled according to the type of relationship and use of the data.

Maintaining Reasonable Accuracy of Consumers’ Data:  The FTC agrees with commenters that the approach to maintaining the accuracy of consumers’ data should be flexible, scaled to the intended use of the data and the sensitivity of the information.  The maintenance of reasonable data accuracy is particularly important if the use of such data could cause significant harm or be used to deny consumers services.

Maintaining Comprehensive Data Management Procedures:  In response to comments in support of the preliminary staff report’s call for organizations to maintain comprehensive data management procedures, the FTC agrees that companies should implement accountability mechanisms and conduct regular privacy risk assessments to ensure that privacy issues are addressed throughout an organization.  The FTC describes its recent Google and Facebook settlements to illustrate how procedural protections might work in practice.  The FTC also calls on companies to look for new ways to protect consumer privacy throughout the life cycle of their products and services, including through the development and deployment of privacy-enhancing technologies.  Finally, the FTC recognizes that, although companies need to apply the substantive privacy by design elements to their legacy data systems, companies need a reasonable transition period to update their systems.

Privacy Framework — Simplified Consumer Choice

The report criticizes the previous “notice-and-choice” approach to privacy, which it asserts has resulted in long and incomprehensible privacy policies, many of which are presented on a take-it-or-leave-it basis.  The overall theme of the FTC’s framework is that, in contrast to what it describes as existing practices, consumers should have clear choices concerning their privacy, and their ability to exercise choice should be simplified. 

When Choice Is Required:  The framework first identifies situations in which choice is not required.  The overall principle adopted is that “whether a practice requires choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer’s existing relationship with the business, or is required or specifically authorized by law.”  The report characterizes this contextual standard as a concrete approach that looks to objective factors rather than subjective consumer expectations.  Examples of data collection practices for which consent is not required include fulfillment, fraud prevention, internal operation, legal compliance, public purpose, and most first-party marketing (the last of which is subject to a number of exceptions, such as for first-party marketing that relies on sensitive information). 

What Choice Should Be Presented - Generally: The FTC states that companies generally should provide choices at a time and in a context in which the consumer is making a decision about his or her data.  Precisely how that choice will be given will depend on factors such as the nature or context of the consumer’s interaction with a company or the type or sensitivity of the data.

What Choice Should Be Presented - Special Circumstances: The FTC identifies a number of circumstances in which special principles should apply with respect to choice:

• Take-It-or-Leave-It: The FTC states that “take-it-or-leave-it” choice for “important products or services” raises concerns when consumers have few alternatives, such as, it asserts, in the market for broadband Internet access.
• Do Not Track:  The FTC continues to advocate providing a Do Not Track mechanism to give consumers choice concerning the collection of Web surfing data. 
• Large Platforms:  The report notes that the activity of “large platforms” such as ISPs, operating systems, browsers, and certain social networks raises special concerns due to their ability to collect information from a broad range of online activity.  The FTC raises concerns, in particular, about deep packet inspection by ISPs.
• Affirmative, Express Consent:  The FTC identifies at least two circumstances in which advance affirmative, express consent should be obtained: (1) before material retroactive changes to privacy practices are made, or (2) when collecting sensitive data for certain purposes.

Privacy Framework — Transparency

The report indicates that, while privacy notices should account for variations in business models, such notices should be clearer and shorter and should contain some standardized elements.  The FTC calls on industry sectors to develop standard formats and terminology for privacy statements applicable to their particular industries.  In the FTC workshop to be held later this year, one topic to be addressed is how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens. 

The report also lays out a categorization of companies with regard to the reasonable extent of an individual consumer’s access to his or her own data.  These categories reflect different levels of data sensitivity: 

• First, the FTC recognizes that, for entities that maintain data for marketing purposes, the costs of providing individualized access would likely outweigh the benefits.  However, the FTC supports the idea of providing consumers with a list of categories of data that such entities hold and the ability to suppress the use of such data for marketing. 
• Second, the FTC observes that, where entities subject to the Fair Credit Reporting Act (“FCRA”) are concerned, the FCRA provides consumers with rights to access and correct their information. 
• Third, regarding entities not subject to the FCRA, but which maintain data for non-marketing purposes, the FTC supports a sliding scale approach, with a consumer’s ability to access his or her data scaled to the use and sensitivity to the data.  At a minimum, the report states, consumers should have access to the types of information such companies maintain about them and the sources of such information.  In appropriate circumstances, the FTC also urges companies to provide the names of third parties with whom consumer information is shared.

Legislative Recommendations: Baseline Privacy, Data Security/Breach Notification, and Data Brokers

In addition to providing its privacy framework detailed above, the FTC also made recommendations with respect to two key pieces of privacy legislation.  First, it called on Congress to “consider” enacting baseline privacy legislation that would provide clear standards and appropriate incentives across all industry sectors, while still being “technologically neutral” and “sufficiently flexible” to allow for innovation.  The FTC noted that any privacy legislation enacted by Congress would be more effective if the FTC were authorized to impose civil penalties for violations.  It also reiterated its earlier calls for federal data security and breach notification legislation, as well as targeted legislation allowing consumers to access and dispute data held by data brokers. 

Areas of Emphasis

Finally, the FTC identified five areas where it plans to be especially active during the next year:

Do Not Track (“DNT”): The report noted that several legislative proposals had called for the creation of a DNT mechanism, and the FTC praised the efforts of the browser vendors, the DAA, and the W3C.  However, the FTC warned that “the work is not done.”  The FTC will collaborate with these industry groups to complete implementation of a DNT system that is universal, easy to use, persistent, enforceable, and that allows consumers to opt out of the collection of behavioral data for all purposes (other than expected contextual uses).  

Mobile:  The report called for improved mobile privacy protections, including better disclosures.  Mobile privacy disclosures will be addressed during the workshop that the FTC is hosting on May 30, 2012, as part of its ongoing project to update the Dot Com Disclosures guidelines. The FTC also called on entities involved in the mobile ecosystem to develop standards addressing data collection, transfer, use, and disposal, particularly for location data. 

Data Brokers:  The report supported targeted legislation to provide consumers with access to information held by data brokers, similar to legislation that has already been introduced in data security bills in the 111th and 112th Congress.  The FTC also called on data brokers to create a centralized website where consumers can learn about the data brokers’ information-handling practices and the access rights they offer.

Large Platform Providers: The FTC noted that privacy concerns are heightened when “large platforms” – including ISPs, operating systems, browsers, search engines, and social media providers – comprehensively track consumers’ online activities.  The staff plans to host a public workshop in the second half of 2012 to explore collection, use, and competition issues. 

Promoting Enforceable Self-Regulatory Codes:  The report pledged that FTC staff will participate in the Department of Commerce’s ongoing project to facilitate the development of sector-specific codes of conduct.  The report took both carrot and stick approaches to the codes:  the FTC will view adherence to strong privacy codes “favorably” in connection with its enforcement actions, but the report warned that failure to abide by self-regulatory programs will continue to be an unfair or deceptive practice under the FTC Act. 

Over the last few weeks, a number of cosponsors have been added to the Do Not Track Kids Act of 2011 (H.R. 1895), bringing the total number of cosponsors to 29.  The bill was introduced by Rep. Markey and Rep. Barton on May 13, 2011.  Earlier this month, the two members also hosted a Congressional briefing to discuss how to protect children and teens online.

As we blogged about here, the bill would expand the Children’s Online Privacy Protection Act ("COPPA").  In addition, the bill would introduce new privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that operators of websites and online services provide "eraser buttons" that enable the deletion of personal information shared publicly by minors.

We will continue to monitor this legislation as these two senior, bipartisan members of the Committee press for a mark-up of their bill.  

The Seventh Circuit held yesterday, in a decision written by Judge Posner, that damages are not available under the Video Privacy Protection Act (“VPPA”) for violations of the statute’s data deletion requirement, only for unlawful disclosures of video-viewing information. 

Subsection (b) of the VPPA prohibits knowing disclosure of personally identifiable information that identifies a person as having requested specific video materials from a video service provider.  Subsection (c) authorizes private actions, including statutory damages of $2,500.  Subsection (e) requires that old records be destroyed “no later than one year from the date the information is no longer necessary for the purpose for which it was collected.”  

Plaintiffs Kevin Sterk and Jiah Chung sued video-kiosk operator Redbox for both unlawful disclosure under subsection (b) and unlawful retention under subsection (e).  Judge Posner, observing that the VPPA “is not well drafted,” held that the more plausible interpretation is that subsection (c) was intended to enforce only the prohibition against disclosure.  Besides looking at the placement of subsection (c) immediately after subsection (b), the court noted that there is no injury and thus no need to award damages if the information, “though not timely destroyed, . . . remained secreted in the video service provider’s files until it was destroyed.”   Even though the statute permits liquidated damages, the court stated that such damages are meant only as a proxy for actual damages: if no injury results, “the only possible estimate of actual damages for violating subsection (e) would be zero.”

According to media reports, plaintiffs’ counsel plans to seek rehearing en banc and will also continue to pursue the disclosure claim against Redbox. 

The Department of Commerce’s National Telecommunications and Information Administration (NTIA) sought public comment Wednesday on how to begin the process of developing voluntary codes of conduct governing consumer privacy, as called for in the privacy framework released by the White House last month.

That report argues that companies should follow seven basic principles — a Consumer Privacy Bill of Rights — when collecting, using, or disclosing consumers’ personal data. These principles are: individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability.

The framework calls on Congress to codify the general principles through legislation while stakeholders develop voluntary codes of conduct to implement the principles in particular sectors. The framework tasks the NTIA with setting up an open process in which all interested stakeholders — including companies, consumer advocates, and government officials — would develop conduct codes by consensus.

Continue Reading

The Federal Trade Commission on Feb. 24 announced it had approved a new safe-harbor program for online services that are subject to the Children’s Online Privacy Protection Act (COPPA), a federal law that regulates the online collection of personal information from children under 13. Under COPPA and the FTC’s implementing rule, online services that comply with FTC-approved, industry-developed safe-harbor programs generally are considered by the FTC to be compliant with COPPA. Approval requires an FTC determination that the proposed safe-harbor program will provide at least as much protection as the FTC rule and will be able to encourage and monitor compliance effectively.

The newly approved safe-harbor program, run by Aristotle International, Inc., is the fifth such program approved by the FTC.  The program sets out requirements for the format and content of participants’ privacy policies, parental notices, and procedures for obtaining verifiable parental consent. Among other provisions, COPPA requires websites and other online services that are directed at children or that have actual knowledge that a user is a child to notify a parent and obtain the parent’s verifiable consent before collecting, using, or disclosing personal information from a child.

Continue Reading

An action brought by the Electronic Privacy Information Center (“EPIC”) asking that the FTC be compelled to enforce its Google Buzz consent order (previously described, here) was dismissed by Judge Amy Berman Jackson of the United States District Court for the District of Columbia, who held that “enforcement decisions are committed to agency discretion and are not subject to judicial review.”

EPIC contended that Google’s announced changes to its user privacy policies for all of its services, scheduled to take effect on March 1, 2012, would violate various portions of the consent order Google reached with the FTC regarding its former social networking service Google Buzz by “altering the use of personal information” obtained by users and “consolidat[ing] user data from across [Google’s] services and creat[ing] a single merged profile for each user.”

Continue Reading

Judge Mary McLaughlin of the Eastern District of Pennsylvania recently dismissed a class action complaint brought against CVS Pharmacy and CVS Caremark for selling information provided by prescription drug purchasers.  Notably, in its decision in Steinberg v. CVS Caremark Corp., the court found that information on a customer’s prescription drug and medical history “carries with it no compensable value at the individual level.”  

The plaintiffs, on behalf of a class of Pennsylvania prescription drug purchasers, brought claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law and for unjust enrichment and invasion of privacy.  The UTPCPL claim was based on defendants’ representations that they did not share customer information in violation of federal or state law.  Plaintiffs alleged that the defendants’ sale of information violated HIPAA, even though they conceded that the information the defendants sold was “de-identified.”  The information consisted of medical history, prescription drugs dispensed, dates of prescriptions, diagnoses, and physician names, but not of patient names, birth dates, or Social Security numbers. 

Plaintiffs argued, however, that the information shared could be “re-identified,” or associated with a specific person in violation of HIPAA.  The court found plaintiffs’ generalized warning of re-identification insufficient to show a HIPAA violation without demonstrating how the threat applied in the circumstances of the case: “The Court was referred to the name of an article in an academic journal discussing risks associated with re-identification of data, but counsel did not explain how or whether the theory applied to this case.” 

In the end, the court dismissed all three claims, determining that “the defendants neither sold information entitled to legal protection nor made any misrepresentations on which the plaintiffs justifiably relied . . . .”  Moreover, “the information the defendants sold to third parties does not carry a compensable value to the plaintiffs or constitute an invasion of privacy.”  The court also dismissed the claims with prejudice, finding that the plaintiffs had not presented a viable alternate theory of recovery.

Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law.  Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, this marks the first time that an enforcement action has been brought against a HIPAA business associate.   

Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions.  For one of the Minnesota hospitals, Accretive also performed “care coordination” services.  Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.

Continue Reading

The FTC staff released a report today calling for participants in the mobile app ecosystem -- including app developers, app stores, and third parties who collect data through mobile apps -- to provide better privacy notices to parents about mobile apps directed to children, and warning that over the next six months, staff will be conducting additional reviews "to determine whether there are COPPA violations and whether enforcement is appropriate."

The report is based on the staff's survey of apps offered in the Android Market and the Apple App store. Staff focused on "the types of apps offered to children; the age range of the intended audience; the disclosures provided to users about the apps’ data collection and sharing practices; the availability of interactive features, such as connecting with social media; and the app store ratings and parental controls offered for these systems."

Notably, the report stated that the FTC expects the whole app ecosystem to "play an active role in providing key information to parents who download apps." Specifically, the report outlined the following:  

• App developers should provide parents information about (1) what information an app collects, (2) how the information will be used, and (3) with whom the information will be shared, using short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with social media, or allows targeted advertising to occur through the app.
• Third parties that collect information through apps should disclose their privacy practices, whether through a link on the app promotion page or another easily accessible method.
• App stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. The FTC stated, for example, that app stores could provide a designated space for developers to disclose this information and standardized icons to signal specific features, such as connections with social media services. In addition, the FTC emphasized that app stores should be enforcing developer agreements that require developers to disclose the information their apps collect.

The report expressed a preference for disclosures that are provided prior to the parent's purchase of the app, noting that "[i]nformation provided to parents after downloading an app is, in staff’s view, less useful in the parent’s decision-making since, by then, the child may already be using the app and the parent already could have been charged a fee."

In addition, the report focused on disclosures involving in-app purchases, interactive features, and targeted advertising.  The report states that the FTC is considering whether additional protections are needed with respect to in-app purchase capabilities in apps for children.  It emphasized that "confusing and hard-to-find disclosures do not give parents the control that they need in this area." Staff believe that the presence of social features within an app is highly relevant to parents selecting apps for their children, and that such functionality should be disclosed prior to download.  And the report states that "parents need clear, easy-to-read, and consistent disclosures regarding the advertising that their children may view on apps, especially when that advertising is personalized based on the child’s in-app activities.”

As we have blogged about here and here, the FTC currently is reviewing its rules implementing the Children’s Online Privacy Protection Act, which governs the online collection, use, and disclosure of personal information from children under the age of 13.  

Today, the Federal Communications Commission adopted new rules that strengthen its restrictions on autodialed or prerecorded telemarketing calls.  The FCC billed the new rules as an effort to maintain consistency with the Federal Trade Commission’s telemarketing sales rule, which also governs telemarketing calls, and to give consumers control over the calls that they receive.

Under the new rules, companies will need to obtain prior express written consent from consumers before making prerecorded or autodialed telemarketing calls to consumers.  The FCC’s rule changes also eliminate the “established business relationship” exemption in its existing rule, which allows these calls to residential “landline” phones without consent.  The new restrictions will require written consent even for companies that have done business with the call recipient in the past. 

One area of dispute over the new rules related to whether the “written” consent requirement could be satisfied electronically and what steps were necessary to make the consent effective.  Consistent with the FTC’s approach, the FCC concluded that “written” consent can be provided electronically, such as through a website form.  However it is provided, though, the FCC requires “clear and conspicuous disclosure” about what the consumer is consenting to and an “unambiguous” agreement to receive calls at a phone number designated in the consent document.  Like the FTC, the FCC also warned that consents would not be effective if the consent is a condition of purchasing goods or services.

An additional change to maintain consistency with the FTC’s rule is a requirement that telemarketing calls that use a prerecorded voice include an interactive “opt-out” mechanism, which would allow the call recipient to opt out of future calls by pressing a button.  Finally, the FCC imposed new restrictions on so-called “call abandonment,” which occurs when there is no live telemarketer available to take an autodialed call.

Although the FCC’s rule changes have a broad impact on the telemarketing business, they do not impact non-telemarketing calls, even if they are made using an autodialer or include a prerecorded voice.  As a result, prior written consent is not required for autodialed calls that do not advertise a product or service, including calls by nonprofits or for political purposes.  Also, the new restrictions do not apply to informational calls that may be commercial in nature, such as calls from an airline informing passengers that their flights have been delayed or calls from a bank informing a customer of fraudulent charges to her account, and exclude certain health care-related calls that are regulated under HIPAA, which already imposes a written consent requirement.

The new FCC rules will not be effective until they are approved by the Office of Management and Budget.  Once that happens, companies will have a year to obtain prior written consent to covered telemarketing calls and to stop covered calls to consumers with whom they have established business relationships.  The other rule changes have shorter timetables:  the interactive opt-out requirement will go into effect after 90 days, and the abandonment restrictions after 30 days.

Last week, the American Bar Association adopted a rule calling on U.S. courts to “consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign . . . with regard to data sought in discovery in civil litigation.”  In an extensive report accompanying the new rule, the ABA detailed the tensions that exist between the liberal discovery standards under the Federal Rules of Civil Procedure and the strict data protection regimes in many foreign countries. 

Continue Reading

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.)

Among other things, those regulations—most of which took effect in March 2010— require companies to implement a written information security program containing certain elements, including a requirement that personal information be encrypted when transmitted wirelessly or across public networks, and when stored on portable computing devices (including laptops).  The regulations also require companies to take “reasonable steps” when selecting a service provider to ensure that the provider is capable of maintaining appropriate measures for the protection of personal information.  

To be clear, the service provider contract provision has been in effect since March 2010 for all contracts entered into after that date.  But the provision contains a grandfather clause that exempted pre-March 2010 contracts from the requirement.  This exemption expires on March 1, 2012.

The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on the provider’s shared equipment rather than on the organization’s own servers.

The new NIST security guidelines do not recommend any particular services, providers, or service models; instead, the guidelines highlight the steps organizations should take and the issues they should consider when evaluating any public cloud service.

Continue Reading

As we previously reported, the Video Privacy Protection Act reform bill sponsored by Rep. Bob Goodlatte (R-VA) passed the House.  And now the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law has scheduled a hearing on video privacy, to be held next Tuesday, January 31.

The VPPA has come under scrutiny in recent months because of what some say are ambiguities over how the statute applies to online video distribution.  According to Rep. Goodlatte, the House legislation was designed to address those ambiguities and clarify how companies can share information about video watching activity on social media and other websites.

Tuesday’s hearing will include testimony from Netflix General Counsel David Hyman.  Netflix, which is in mediation relating to privacy litigation brought against it in California, made news when it declined to roll out new social features within the U.S., citing confusion over how the VPPA would apply.  Also testifying are University of Minnesota Law School Professor William McGeveran, and Marc Rotenberg, Executive Director of the public interest group the Electronic Privacy Information Center. 

The hearing will be webcast on the Subcommittee’s website.

An Eastern District of Michigan judge held that a personal injury defendant could not discover the plaintiff’s private Facebook content under Rule 26(b) governing the discoverability of evidence.  Tompkins v. Detroit Metropolitan Airport, No. 2:10-cv-10413-BAF-RSW (E.D. Mich, Jan. 18, 2012).  Although—as the court noted—the private portions of a user’s Facebook account are not generally privileged or protected by common law privacy rights, “the Defendant does not have a generalized right to rummage at will through information that Plaintiff has limited from public view.”

The court required the defendant to make “a threshold showing that the requested information is reasonably calculated to lead to the discovery of admissible evidence” so as to avoid “the proverbial fishing expedition.”  The defendant proffered some of the plaintiff’s public postings as support, including photographs showing the plaintiff holding a dog and grocery shopping.  Because these pictures were not inconsistent with the plaintiff’s claims of injury, the defendant did not establish relevance. 

“If the Plaintiff’s public Facebook page contained pictures of her playing golf or riding horseback, Defendant might have a stronger argument for delving into the non-public section of her account,” the court noted.

A putative class action was filed on Monday against Amazon.com following an online hacking attack that potentially compromised the personal information of up to 24 million customers of its online shoe retailer Zappos.com.  An email sent to customers from Zappos.com’s CEO on Sunday assured users that full credit card information and other payment information was not impacted, but stated that names, email address, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and/or cryptographically scrambled passwords (but not actual passwords) may have been improperly accessed.

The complaint, filed in the United States District Court for the Western District of Kentucky (the location of the purportedly compromised servers), includes claims for violation of the Fair Credit Reporting Act, negligence, and invasion of privacy.  The complaint alleges that the named plaintiff and proposed class members now are subject to a heightened risk of identity theft and will have to spend time changing the passwords on their Zappos.com accounts as well as other accounts with the same or similar passwords.

Denying the motion of the defendant internet service provider, Clearwire, to compel arbitration, the U.S. District Court for the Western District of Washington held last week that Clearwire's e-mail confirmation to the plaintiffs was inadequate notice of the terms of service.  This e-mail confirmation included, on the third page of the e-mail, a link to Clearwire's home page rather than a direct link to Clearwire's terms of service.  To navigate to the terms of service from the home page, the plaintiffs would have had to follow two hyperlinks.  The court held that this "trail of breadcrumbs" left by Clearwire to lead the plaintiffs to its terms of service did not constitute sufficient or reasonably conspicuous notice of the terms of service.  Accordingly, the court declined to enforce the arbitration clause of the terms of service without an evidentiary hearing with respect to the factual issue of the plaintiffs' assent to the terms.

The court applied Washington and Texas law to reach this decision, but it was heavily informed by well-known federal court decisions on the formation of contracts on the Internet.  Under those cases, Internet users must have reasonable notice of the terms of an agreement in order to be found to have assented to the agreement.  Courts considering whether users have reasonable notice of the terms have considered how conspicuous the placement of the terms is on the web page and whether it was possible to determine that a user has actually seen the terms.  

Last year, the Federal Financial Institutions Examination Council (FFIEC) released a much-anticipated supplement to its Authentication in an Internet Banking Environment guidance.  The supplement updates the FFIEC’s supervisory expectations regarding depository institutions’ customer authentication, layered security, and other controls for Internet banking.  Starting this year, FFIEC information technology examinations will include reviews for compliance with the supplement. 

A study released by Guardian Analytics suggests that institutions are moving towards compliance with the supplement but may not be completely prepared for FFIEC IT examinations to be conducted in 2012.  The Guardian Analytics study polled executives at 100 U.S.-based financial institutions in November 2011.  The study found that 43 percent of institutions had not yet completed a risk assessment of online banking, and 41 percent had not developed a plan for addressing online banking security gaps.  Further, 22 percent of institutions had not reviewed the FFIEC supplement.  It is expected that the supplement will be a hot topic throughout 2012 as FFIEC IT examinations reveal the agencies’ stance on the supplement as well as institutions’ compliance with the supplement.    

Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners in search engine results.  The toolbar feature also enabled users to choose to receive tailored advertising.  In connection with this aspect of the toolbar, the FTC alleged that Upromise (through an unnamed service provider) collected the names of all websites a user visited and all links clicked, as well as information that users entered into some webpages (which, in some cases, included credit card and financial account numbers, security codes, expirations dates and Social Security numbers). 

The Commission charged that the scope and frequency of the data collection was much broader than Upromise represented in its privacy statement.  The FTC contended that despite using a filter intended to limit the collection of PII, Upromise sometimes collected sensitive information, such as PIN numbers and security codes.  Finally, the FTC alleged that Upromise collected this information by causing the user’s browser to transmit it in clear text, which left it vulnerable to interception—particularly when users were connected to the Internet through unsecured wireless networks.  The FTC stated that by engaging in these practices, Upromise failed to adequately disclose the extent of its data collection and also “failed to provide reasonable and appropriate security for [the] consumer information” that was collected. 

Notably, the Commission described these alleged shortcomings in terms of Upromise’s failure to integrate privacy protections into the design and implementation of the toolbar feature (i.e., its failure to sufficiently adhere to the principle of “privacy by design,” which the Commission described in its December 2010 preliminary staff report).  For example, the complaint faulted Upromise for not testing the ad-tailoring feature or monitoring its collection of information after implementation to ensure that the collection was consistent with Upromise’s policies.  The complaint also alleged that Upromise had failed to ensure that employees responsible for creating and operating the feature received adequate training about security risks and Upromise's privacy and security policies.  Similarly, the Commission alleged that Upromise did not take appropriate steps to ensure that its service provider implemented the feature in a manner that was consistent with Upromise’s policies and the contractual provisions designed to protect consumer information. 

As in recent FTC settlements involving privacy and data security issues, the Upromise consent decree (among other things) would require the company to implement privacy by design in the form of a comprehensive information security program and obtain third-party audits for 20 years. 

A bill introduced in the House of Representatives Thursday would require the Department of Homeland Security to take a lead role in identifying and developing cybersecurity standards for systems that control critical infrastructure. The bill also would create a non-profit clearinghouse for the sharing of cybersecurity threat information between government agencies and the private sector. Unlike some other pending data-security proposals, the bill does not include provisions requiring businesses to establish comprehensive data-security programs or to provide breach notifications.

H.R. 3674, titled the “PRECISE Act” and introduced by Rep. Dan Lungren (R-Calif.), directs the Department of Homeland Security to identify and evaluate cybersecurity risks to critical infrastructure, including private infrastructure; to identify existing standards for mitigating those risks, or to develop such standards if necessary; to create market incentives to encourage the use of the identified performance standards; and to work with the relevant agencies to incorporate “the most effective and cost-efficient” of the identified standards into the regulatory regimes governing covered critical infrastructure. The bill defines “covered critical infrastructure” as facilities or functions in which a disruption could cause significant loss of life, major economic disruption, mass evacuations for an extended length of time, or a severe degradation of national security.

Continue Reading

Class action lawsuits are increasingly being brought against organizations that have suffered data breaches, as well as against companies that are alleged to have allowed third parties access to online or mobile users’ confidential information without authorization (for example the recent Del Vecchio v. Amazon and Low v. LinkedIn cases).  A repeated issue in these cases is what kind of harm plaintiffs must allege to state a cognizable claim.  To the extent sufficient harm can be pled, what related legal issues loom on the horizon, such as proof of causation, the definition of “reasonable security,” the applicability of federal statues, and class certification efforts?  Simon Frankel and Mali Friedman from Covington and David Navetta from InformationLawGroup will be discussing these issues, examining several prominent cases to look for trends (including cases such as LinkedIn, which Covington has litigated), and providing practical steps your organization can take to help mitigate these risks.   

The Webinar, which is hosted by IAPP, will take place this Friday, December 16 from 1:00-2:30 pm EST.  You can register here.

The Department of Education has amended the implementing regulations for the Family Educational Rights and Privacy Act (“FERPA”).  According to the Department, the new regulations are intended to “safeguard student privacy while giving states the flexibility to share school data.”   

Among other things, the new regulations:

• Make it easier for educational authorities to share educational records in order to carry out audits, evaluations, or enforcement or compliance activities relating to education programs. A written agreement must be in place to govern the use and protection of the disclosed information.  In addition, reasonable efforts must be used to ensure that authorized representative receiving the records is FERPA-compliant to the greatest extent practicable.   
• Make it easier to share educational records with organizations conducting research studies for, or on behalf of, educational agencies.  The existing FERPA regulations already require that the parties execute a written agreement when disclosing educational records under this “studies exception.”  
• Recommend best practices for written agreements.  In its accompanying guidance, the Department identified and discussed best practices for written agreements, such as binding individuals, not just the entity, to the agreement; agreeing on use limitations; prohibiting redisclosures; identifying data custodians; identifying penalties; setting terms for data destruction; maintaining a right to audit; and having a data breach plan.
• Recommend best practices for ensuring compliance by authorized representatives that receive educational records.  Some of the best practices identified by the Department include verifying the existence of disciplinary policies to protect data; verifying the existence of a data security plan; verifying the existence of a data stewardship program; conducting background investigations of employees who will have access to educational records; and verifying training.
• Clarify the scope of the Department’s enforcement authority.  The regulations make clear that the Department has the authority to investigate and enforce alleged FERPA violations committed by any recipient of Department funds under a program administered by the Secretary -- including nonprofit organizations, student loan lenders, and student loan guaranty agencies.  

The changes will become effective on January 3, 2012.  For written agreements that are already in place prior to the effective date, the new requirements will be triggered when the agreements are renewed or amended.

Last week, the FTC announced that it has agreed to end its 18-month investigation of Facebook’s privacy practices, with a settlement that involved a twenty-year compliance plan and specific steps to formalize privacy within Facebook’s organization.  Though the proposed settlement, which will now be open for public comment, has met with a range of reactions, what we’re hearing most are questions about what the development means for the rest of the industry.

In its investigation, the FTC focused on a number of privacy practices that it claimed were misleading.  For example, the agency looked at changes that Facebook made to its privacy practices in 2009 that the FTC alleged led to changes in the privacy status of certain information.  The FTC also argued that Facebook hadn’t done enough to explain to users when their information might be shared with apps by their friends and how Facebook handled deletion of information.

In settling these charges, Facebook didn’t agree to these allegations or admit that it violated the law.  Instead, the company explained in a blog post that it signed the agreement to formalize its “commitment to do the things we’ve always tried to do and planned to keep doing -- giving you tools to control who can see your information and then making sure only those people you intend can see it.”  Facebook also said that it agreed to “embrace [the FTC’s] ideas” about how it could enhance its internal privacy practices.

So what lessons can you take from the Facebook agreement if you’re not Facebook and aren’t directly obligated to comply with its terms? 

Continue Reading

On Wednesday, the Supreme Court heard oral argument in Federal Aviation Administration v. Cooper, a case that raises the question of whether a plaintiff who alleges only mental and emotional distress can establish “actual damages” within the meaning of the federal Privacy Act’s civil remedies provision.  The question is crucial to determining the scope of relief afforded under one of the principal legal restraints on the federal government’s use and disclosure of the “records” it maintains about individuals.

Continue Reading

The Ninth Circuit reversed the district court’s approval of a class action settlement last Monday in Nachshin v. AOL, remanding the two-year old case back to the district court for a new round of settlement negotiation and approval. No. 10-55129 (9th Cir. Nov. 21, 2011).  The class action was brought in 2009, alleging that the Internet company violated the Electronic Communications Privacy Act (ECPA) when it inserted footers containing promotional messages into e-mails sent by its users. The complaint also alleged unjust enrichment, breach of contract, and violations of state law.

The problem with the settlement was not that the class representatives failed to adequately represent class members, as in the Second Circuit’s recent decision in the latest iteration of the Tasini v. New York Times case, or that the interests of the members of the proposed class (all 66 million of them) were too factually and legally different to proceed in a class action, as in the Ninth Circuit’s recent decision in Ellis v. Costco Wholesale Corp. Instead, the Ninth Circuit reversed the settlement on the less common ground that it provided for distributions from the settlement fund to charities that were unrelated to the claims underlying the lawsuit.

Continue Reading

Judge Koh of the District Court for the Northern District of California recently granted LinkedIn’s motion to dismiss with leave to amend in Low v. LinkedIn.  Covington represents LinkedIn in this case, in which Plaintiff alleges that he suffered injury by virtue of LinkedIn’s purported transmittal of a unique UserID to certain third parties as a portion of a URL referrer header.

The Court held that the plaintiff had not alleged sufficient injury-in-fact to satisfy Article III standing, because “Plaintiff has failed to put forth a coherent theory of how his personal information was disclosed or transferred to third parties, and how it has harmed him.”  In making this determination, the Court rejected Plaintiff’s theories of  “emotional” and “economic” harm.

With respect to emotional harm, the court noted that Plaintiff was “unable to articulate a theory of what information had actually been transmitted to third parties, how it had been transferred to third parties, and how LinkedIn had actually caused him harm.”  Similarly, in considering Plaintiff’s theory of economic harm, the Court held that Plaintiff’s allegations were “too abstract and hypothetical to support Article III standing,” citing a growing body of precedent, including Judge Koh’s own recent decision in In re iPhone Application Litigation, in which courts have held that the unauthorized collection of personal information does not create an economic loss.  Quoting Specific Media, the Court observed that Plaintiff had failed to allege how he was foreclosed from capitalizing on the value of his personal data or how he was “deprived of the economic value of [his] personal information simply because [his] unspecified personal information was purportedly collected by a third party.”

Continue Reading

The group that develops technical standards and guidelines for the World Wide Web released a set of draft standards on Monday that are intended to allow consumers to limit and control how they are tracked online.

The standards, developed by the World Wide Web Consortium (known as the “W3C”), would allow consumers to set a “Do-Not-Track” preference using their browser or other tools.  The proposal effectively sets up an “opt-out” mechanism for online tracking because no preference is transmitted until the user affirmatively selects a setting.  The standard states that, absent laws, rules or other requirements to the contrary, servers may interpret the lack of an expressed preference “as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances.”  Once set by the user, the Do-Not-Track preference would be transmitted to any website the user visits; the standard requires website servers that have implemented the standard to send a response signal indicating whether the website respects the tracking preference.  Users would be able to affirmatively allow tracking, block all tracking, or refuse tracking generally but allow tracking on certain sites.

Continue Reading

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released for public comment a draft roadmap for implementing cloud computing technology across U.S. government agencies.  The roadmap is intended to foster adoption of cloud computing by federal agencies, reduce uncertainty surrounding cloud computing by improving the information available to policymakers, and facilitate the further development of the cloud computing model.  The deadline for comments is December 2, 2011. 

The roadmap is composed of three volumes: Volume I establishes priorities for implementation and provides a general understanding and overview of the background, purpose, and next steps for the U.S. government’s cloud computing initiatives.  Volume II is a technical reference guide for people actively working on cloud computing initiatives, while volume III is intended for policymakers who are implementing cloud computing solutions.  Volume I identifies ten requirements that must be satisfied in order for cloud computing initiatives to be implemented, including international interoperability, portability, and security standards; defined government regulatory requirements, technology gaps, and solutions; and defined and implemented reliability design goals.

Sen. John Rockefeller (D-WV), chair of the Senate Commerce Committee, is still working to reach consensus on the data security bill that he and Sen. Mark Pryor (D-AR) introduced in June.  A scheduled markup was canceled in September, and the committee decided not to consider the bill at yesterday’s executive session.  Nonetheless, a spokesman for Sen. Pryor said Tuesday that lawmakers are “hoping to resolve any disagreements so the bill can be on a December markup.”

The bill, S. 1207, requires firms to establish information security policies for safeguarding personal information and to provide notice in the event of a security breach. Sens. Rockefeller and Pryor are reportedly reworking the bill in the hopes of securing bipartisan support.  A draft amendment circulated last week would, among other things:

• expressly exempt entities that are subject to information security requirements under the Gramm-Leach-Bliley Act, HIPAA or HITECH, or the Communications Act;
• delete special requirements for information brokers;
• restrict the remedies available to state attorneys general when bringing suit on behalf of state residents; and
• expand the definition of “personal information” to include unique biometric data and information about an individual when combined with authentication credentials for any financial account, but eliminate the FTC’s ability to modify the definition.

As we previously discussed, data security remains a subject of interest in both chambers of Congress.  Three other data security bills were approved by the Senate Judiciary Committee in September. Rep. Mary Bono Mack (R-CA) met with other lawmakers yesterday to discuss her breach notification bill and is confident that the legislation has enough support to pass the House Energy and Commerce Committee in the next few weeks, although the decision to schedule a full committee markup will be up to committee chairman Rep. Fred Upton (R-MI).

On October 27, 2011, Senator John D. Rockefeller, chairman of the Senate Commerce, Science, and Transportation Committee, sent letters to Visa and Mastercard requesting information regarding the companies’ data collection and aggregation practices and proposals.  An October 25, 2011, Wall Street Journal article outlined various initiatives from the two companies pertaining to online behavioral advertising. 

Senator Rockefeller’s letters pose questions about the companies’ current data collection practices, anonymization of data sold to third-parties, plans to combine purchasing data with data from other sources, and compliance with the Gramm-Leach-Bliley Act.  The letters require responses by November 30, 2011. 

Online behavioral advertising proposals that rely on financial data remain a hot topic to be closely monitored.  Such proposals potentially implicate the Gramm-Leach-Bliley Act among other statutes and regulations. 

Last week, U.S. District Judge Richard Seeborg dismissed a putative class action against Facebook alleging that the company violated users’ rights of publicity by using their names and pictures for its Friend Finder service.  The Judge concluded that the class failed to demonstrate that they suffered any injury as a result of the service.  The Judge emphasized that Facebook did not publicize the plaintiffs’ names or profile pictures to any audience or in any context where they did not already appear.  Rather, the names and profile pictures were merely displayed on the pages of other users who were the plaintiff’s Facebook friends. 

The decision is welcome news not only to Facebook, but also Facebook app developers, some of whom have created innovative ways to allow users to interact with the developers’ products or services using friends’ names and likenesses. 

Last month, as we previously reported, the Federal Trade Commission (FTC) announced that it will host a December workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  Yesterday, Senator John D. Rockefeller IV (D-W.Va.), chairman of the Commerce, Science, and Transportation Committee sent a letter to the FTC commending the agency for its examination of this emerging technology and requesting a report following the workshop.  Senator Rockefeller indicated that the report should include potential legislative approaches to protect consumer privacy as facial recognition technology proliferates.

New uses for facial recognition technology are being deployed in both the public and private sectors.  The Federal Bureau of Investigations is working to activate a nationwide facial recognition service, Next Generation Identification, which will be available to law enforcement authorities in select states by January 2012.  And, as Senator Rockefeller noted in his letter, "facial recognition technology is already being put to use in a broad range of commercial areas," including real-time scanning to identify the demographic features of crowds or of individuals standing next to advertising displays, as well as scanning of photographs users upload to an online service to identify the individuals depicted in them.

The FTC workshop is scheduled for December 8, 2011, and Senator Rockefeller has requested that the FTC provide a preliminary report to the Senate Committee on Commerce, Science, and Transportation by February 8, 2012.

A federal district court in Michigan recently held that the federal CAN-SPAM Act preempts Michigan’s anti-spam law.  Unlike the federal law, Michigan’s statute offers individuals who receive unsolicited commercial email, or “spam,” a private cause of action.  The decision, by Judge Janet T. Neff of the Western District of Michigan in Hafke v. Rossdale Group, LLC, is one of only a few court opinions construing the scope of state laws preempted by the federal CAN-SPAM Act.

The federal Controlling the Assault of Non-Solicited Pornography And Marketing Act (or CAN-SPAM Act), enacted in 2003, regulates the transmission of spam email.  For violations meeting specified criteria, it provides for criminal penalties and permits civil enforcement by the Federal Trade Commission and other federal agencies, Internet Service Providers, and state attorneys general.  It does not, however, permit individuals who have received unwanted email to bring suit. 

Therefore, those who have wished to bring suit for receiving unwanted spam have looked to states’ anti-spam laws, such as that of Michigan.  However, CAN-SPAM contains an express “preemption” provision, meaning it specifies the circumstances under which states may or may not regulate the same subject matter as the federal statute.  CAN-SPAM states that it supersedes state law “that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception.”  It also states that it does not preempt state laws “that are not specific to electronic mail” or those that “relate to acts of fraud or computer crime.”

In Hafke, the court had to interpret whether CAN-SPAM preempted the Michigan anti-spam law.  To reach a decision, the judge first reviewed the handful of prior cases on the scope of CAN-SPAM’s preemption.  Those cases, relying on CAN-SPAM’s preservation of state laws that prohibit “falsity or deception,” have differentiated state laws regulating “base error” from state laws regulating tortious conduct or material misrepresentations -- the courts have held that CAN-SPAM preempts the first kind of laws but not the second.  Building on those decisions, the judge held that because the Michigan law does not by its text require falsity or deception and because the plaintiff alleged only “technical” violations, CAN-SPAM barred the plaintiff’s claim.

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled , “Understanding Consumer Attitudes About Privacy.”  The hearing featured a single panel with a mix of industry representatives and consumer privacy advocates, including representatives from Intuit, Microsoft, the Digital Advertising Alliance, Evidon, and the World Privacy Forum. 

A primary focus of the hearing was the efficacy of industry self-regulatory initiatives and other efforts to provide consumers with information and choices about managing their online privacy.  In particular, members expressed interest in the “About Ads” self-regulatory principles for online behavioral advertising and other company-specific efforts to provide consumers with notice and choice. 

Continue Reading

Following up on a meeting last week, today the House Judiciary Committee held a hearing on Rep. Bob Goodlatte’s proposed amendment to the Video Privacy Protection Act (VPPA). The Committee favorably reported (i.e., approved) a modified version of Rep. Goodlatte’s bill, H.R. 2471, which would permit consent to be given to sharing video usage information electronically (1) on a one-time basis or (2) in advance of the disclosure for a set period of time or until consent is withdrawn by the consumer. The modified version approved by the Committee includes an amendment, introduced by Rep. Jerry Nadler and supported by Goodlatte, requiring the consent to be obtained distinctly and separate from any other legal or financial terms presented.

Congress passed the VPPA, which protects the privacy of certain video records, in 1988 in the wake of a scandal concerning the release of videotape rentals for then-Supreme Court nominee Robert Bork. The VPPA, which has not been amended since passage, currently permits sharing of protected information with consent only if the consent is in “writ[ing]” and obtained “at the time the disclosure is sought.”

Continue Reading

The House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade held the latest in its series of hearings on Internet privacy Wednesday morning. The hearing — titled “Protecting Children’s Privacy in an Electronic World” — focused on the Federal Trade Commission’s proposed updates to the regulations implementing the Children’s Online Privacy Protection Act (COPPA), which generally bars website operators from collecting or disclosing personal information from children under 13 without first obtaining parental consent. Lawmakers and witnesses also discussed whether Congress should enact additional legislation, particularly to protect teenagers. Click the jump to see a summary of some of the key issues addressed at the hearing and in witness’ prepared statements.

Continue Reading

Reps. Lee Terry (R-NE) and Ed Towns (D-NY) have introduced the Mobile Informational Call Act of 2011 (H.R. 3035).  H.R. 3035 would amend the Telephone Consumer Protection Act — which is administered and enforced by the Federal Communications Commission but also authorizes private rights of action —  to clarify the scope of limitations under the Act.  

Under the TCPA, it is unlawful for a person to use an “automatic telephone dialing system” to call any telephone number assigned to a cellular telephone service without the prior express consent of an individual.  H.R. 3035 would clarify the scope of this prohibition in several respects:

• The bill would make clear that oral or written approval by an individual in the context of an established  business relationship constitutes “prior express consent” under the Act;
• Commercial calls to cellular telephone numbers would no longer be covered by the prohibition, except to the extent that the calls are “telephone solicitations”; and
• The definition of an “automatic telephone dialing system” would cover only equipment that actually produces and dials randomly generated telephone numbers.

These clarifications would resolve certain reported ambiguities under current law, including the ability of firms to contact existing and former customers using automated telephone dialing technologies. 

Today, Senator Charles Schumer (D-NY) sent letters to Federal Trade Commission chairman Jon Liebowitz and OnStar executive director Linda Marshall regarding recent controversial changes to OnStar’s privacy policies.  OnStar provides in-vehicle GPS navigation, emergency response, and concierge services for millions of U.S.-manufactured vehicles.  In providing these services, OnStar collects data regarding customers’ location, speed, driving habits, odometer mileage, and other personal information.  Prior to the changes announced last week, OnStar ceased collecting information about a customer if the customer decided to cancel his or her service.  It has been reported that, going forward, OnStar plans to continue to collect location and speed information about a customer even if the customer cancels the service, unless the customer specifically and explicitly instructs OnStar to no longer collect information. 

Senator Schumer’s letter to the FTC calls for an investigation into whether OnStar’s privacy practices constitute an unfair trade practice under section 5 of the Federal Trade Commission Act.  His letter to OnStar asks the company to reverse the changes to its privacy practices.

UPDATE (Sept. 27, 2011): OnStar reversed the changes to its privacy practices and will now only collect information from a former customer if the customer opts in.

The Federal Trade Commission announced this week that it will host a workshop to explore potential privacy and security implications raised by the increasing use of facial recognition technology.  The discussion will take place on December 8, 2011 in Washington, DC.

According to the FTC, the workshop, which is free and open to the public, may focus on topics including:

Continue Reading

Last Thursday, the Senate Judiciary Committee began its consideration of the several pending data security bills by marking up S. 1151, the legislation introduced by Sen. Patrick Leahy (D-VT). 

S. 1151 would require business entities to develop a data privacy and security plan for protecting sensitive personally identifiable information, require agencies and business entities to notify U.S. residents in the event of a security breach involving such information, and impose criminal penalties for intentionally and willfully failing to provide notice of a security breach.

The original version of the bill also contained separate privacy requirements for data brokers, but a substitute amendment deleting that title was adopted by the Committee on Thursday.  The panel also accepted an amendment proposed by Sen. Chuck Grassley (R-IO), which clarified that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of Internet terms of service agreements or employment agreements restricting computer access, and a separate manager’s amendment which limited civil liability and penalties.

Continue Reading

By Lindsey Tonsager

This morning the FTC released its long anticipated proposed revisions to its rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  COPPA governs (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13. Below is a summary of the highlights.  Comments on the proposed revisions are due by November 28, 2011.

Continue Reading

Yesterday, a subcommittee of the House Financial Services Committee held a hearing to discuss cybersecurity and security threats to the financial sector.  The panelists included officials from the Secret Service, Federal Bureau of Investigation, and Department of Homeland Security, as well as representatives from Verizon, Symantec, Bank of America, and public interest organizations.  The panelists generally discussed trends in cybersecurity threats, including the rise in security breaches affecting small- to medium-sized banks and other financial institutions. 

One noteworthy item discussed during the hearing was the Office of Financial Research established by Title I of the Dodd-Frank Act to collect and analyze U.S. financial data for financial regulators.  The Office of Financial Research is tasked with, among other responsibilities, supporting the Financial Stability Oversight Council’s oversight of systemic risk, developing tools for measuring risk levels and trends in the U.S. financial sector, and performing applied financial research for financial regulators.  Representative Shelley Moore Capito (R-WV) voiced concerns over the possibility of a security breach affecting the Office:

“I am especially interested to hear from our witnesses about the creation of the Office of Financial Research as called for by the Dodd-Frank Act.  I have serious reservations about the creation of this new bureaucracy, and I am most concerned with the potential for new cyber threats.  By compiling sensitive financial information into one federal agency, are we just making it easier for hackers to attack us?”

Some witnesses agreed with Rep. Capito’s concern and others downplayed her concern by pointing out other targets more attractive to hackers.  We will continue to monitor and report any financial privacy implications of the Office of Financial Research and other governmental bodies established by Dodd-Frank such as the Financial Stability Oversight Council and Consumer Financial Protection Bureau.

As The Hill and other news outlets are reporting, Sen. Richard Blumenthal (D-CT) — who previously was one of the most active state attorneys general on privacy and data security issues before joining the Senate in 2011 — has introduced data protection legislation. This will be the eighth breach notification bill introduced on Capitol Hill during the 113th Congress.

The breach notification components of Sen. Blumenthal’s draft bill share some similarities with legislation introduced by Sen. Patrick Leahy (D-VT) (S. 1151):

• The legislation would give the Attorney General the primary enforcement role, but would authorize the Federal Trade Commission to craft rules as to appropriate data security controls and safeguards.
• Notice to the FBI and Secret Service would be required within 14 days of discovering a breach and 48 hours before notifying any individuals for any breach involving a certain number of individuals or a database of a certain size.
• Businesses would be require to notify individuals of a breach without unreasonable delay, but in any event within 60 days of discovering a breach.
• Like S. 1151, the Blumenthal legislation would relieve businesses from the obligation to notify consumers if there is no significant risk of harm to individuals, but would require businesses to document their risk of harm analysis in a written risk assessment submitted to law enforcement.

However, there apparently are a number of significant differentiators between Senator Blumenthal’s draft legislation and the other bills that have circulated. These include providing a private right of action -- with attendant substantial civil penalties -- for individuals to pursue in the event they are aggrieved by a violation of the Act's data security protections or breach notification requirements.  The draft bill also would create a presumption of commonality for class certification purposes and limit the ability of businesses to direct disputes to arbitration in advance of a breach. And, the bill would impose criminal penalties for certain online data collection practices conducted without the consent of individuals.

The Federal Communications Commission has adopted rules implementing the Protecting Children in the 21st Century Act. Like the Act, the FCC's rules require elementary and secondary schools that have applied for discounted Internet access services through the FCC's E-rate program to certify that the school's Internet safety policy provides for the education of minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and increasing cyberbullying awareness.

This requirement builds off existing rules that schools participating in the E-rate program certify that their Internet safety policy includes a technology protection measure, such as filtering software, that protects against Internet access through the school's facilities to visual depictions that are (1) obscene, (2) child pornography, or (3) harmful to minors.  An earlier audit administered by the Universal Service Administrative Company (which administers the E-rate program) had found that a school violated this requirement by allowing access to certain social networking websites.  In its Order, the FCC clarified that social networking websites are not per se "harmful to minors," noting that a contrary conclusion would be inconsistent with the Protecting Children in the 21st Century Act's focus on educating minors about how to interact with others on social networking websites.  The FCC also quoted a recent U.S. Department of Education report, which found that social networking websites have the potential to support student learning. 

Resolving the FTC's first complaint against a mobile app developer under the Children's Online Privacy Protection Act ("COPPA"), W3 Innovations, LLC, a developer of children's games for the iPhone and iPod touch, has agreed to pay $50,000 to settle allegations that it collected and disclosed the personal information of thousands of children under the age of 13 without first providing parents notice of their children's privacy practices or obtaining parental consent.

The FTC alleged that several of the mobile apps operated by W3 Innovations, including the Emily's Girl World app, Emily's Dress Up app, Emily's Dress Up & Shop app, and Emily's Runway High Fashion app, are directed to children under the age of 13.  In addition to collecting and maintaining children’s email addresses, the FTC claimed that the defendants also allowed children to publicly post personal information, including their full names, on message boards in violation of COPPA.

The settlement provides industry guidance on a few of the issues that the FTC raised as part of its 2010 COPPA Rule review and is a reminder that the FTC may decide to resolve some of these issues through enforcement actions rather than through the rulemaking process.  For example, the FTC's 2010 Notice of Inquiry on COPPA asked for comment on how the definition of "Internet" applies to mobile communications.  The FTC's complaint clarifies that the FTC believes COPPA is broad enough to cover mobile applications.  The complaint also clearly defined the term "online service" for the first time, stating that W3 Innovations' mobile apps are "online services" covered by the COPPA rule because they "send and receive information via the Internet." 

As we blogged about here, the FTC has told industry to expect more enforcement actions against mobile app developers under Section 5 of the FTC Act.  This settlement suggests that the FTC also plans to use its enforcement authority under COPPA to help ensure that mobile app developers fulfill their obligations to protect children's privacy.  

New York start-up SocialGuide has launched from beta and released its first television ratings report this week, based on information mined and filtered from more than 10.5 million social media comments by more than 2.6 million unique users.  This report, the Social100, gets most of its information from Facebook and Twitter, using application programming interface ("API") streams to capture real-time social media comments on 4,150 television shows.

According to SocialGuide:

Our proprietary Intelligent Social TV Recognition System uses programmatic rulesets to dynamically create keywords and phrases about a specific program that we use to identify potential social conversation about a TV show. We then use additional natural language processing techniques to identify the "Social TV Comments" and "Social TV Uniques" of programs, matching them to specific episodes or program events - as they air within their timezones. Our editorial staff further augments our efforts by manually reviewing thousands of the most popular TV shows.

SocialGuide is far from the only start-up operating on a business model that relies on gathering information from API streams.  Of particular note is GNIP, which launched from beta in 2010.  This API aggregation company combines data from more than 100 social media sources into a single API and sells access to this data to other companies that wish to monitor social media, typically for marketing purposes. 

SocialGuide's television ratings have begun to garner attention from mainstream press and from the television industry.  However, so far only the tech industry has focused on the issues surrounding the technology underlying SocialGuide's rating system, namely, the sharing of user information between social media and other companies, using API.

For the fifth consecutive session of Congress, Sen. Dianne Feinstein (D-CA) has introduced legislation that would establish a federal data breach notification standard.  Sen. Feinstein’s legislation — the Data Breach Notification Act of 2011 (S. 1408) — is one of a number of breach notice proposals circulating on Capitol Hill that would preempt state breach notice laws and replace them with a federal standard.  In the Senate alone, Sens. Jay Rockefeller (D-WV) and Mark Pryor (D-AR) have introduced the Data Security and Breach Notification Act of 2011 (S. 1207), and Sen. Patrick Leahy has introduced the Personal Data Privacy and Security Act of 2011 (S. 1151). 

We have heard from several sources that Sen. Rockefeller, Chairman of the Senate Committee on Commerce, Science & Transportation, is planning to markup S. 1207 in the near future.  And last week, the House Subcommittee on Commerce, Manufacturing, and Trade marked up and voted to report the SAFE Data Act (H.R. 2577) (introduced by Rep. Mary Bono Mack (R-CA)) to the full House Energy & Commerce Committee. 

Unlike many of the breach bills that are circulating, Senator Feinstein’s bill is limited to breach notification obligations and does not include information security requirements.  Generally, S. 1408 is much more similar to the breach notice provisions of S. 1151 (Leahy) than S. 1207 (Rockfeller/Pryor) or H.R. 2577 (Bono Mack).

Continue Reading

Jon Leibowitz, chairman of the Federal Trade Commission, and Cameron Kerry, general counsel of the Department of Commerce, spoke today about the need for industry codes of conduct to address emerging privacy issues.  They were the featured speakers at an event held by the Brookings Institution on strategies to protect consumer privacy while ensuring continued innovation on the Internet.

As we previously discussed, the Commerce Department has called for baseline consumer privacy protections that would serve as the basis for codes of conduct that specify how the baseline principles apply in particular contexts.  At today’s event, Kerry provided more detail about the Department’s proposal.

Continue Reading

By David Fagan and Libbie Canter

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade voted to report the Secure and Fortify Electronic Data Act (H.R. 2577) — the SAFE Data Act — to the full House Energy & Commerce Committee, moving the legislation one step closer to passage. The legislation creates a national breach notification standard that would preempt the 46 state laws (plus District of Columbia and Puerto Rico laws) that presently require entities to notify consumers of breaches of their personal information.

The legislation was introduced formally on July 19 by Rep. Mary Bono Mack (R-CA) and was approved by the Subcommittee by a voice vote that appeared to track party lines. Rep. Bono Mack had circulated a discussion draft of the SAFE Data Act last month that we discussed here.

Prior to voting the bill out of the Subcommittee, members considered several amendments to the legislation, focusing in particular on issues relating to the rulemaking authority of the Federal Trade Commission and the scope of the definition of personal information. The Subcommittee took the following actions on proposed amendments:

• It approved an amendment offered by Rep. Bobby Rush (D-IL) that is intended to clarify that the Act's information security obligations apply to paper records in addition to electronic records. 
• It approved an amendment offered by Reps. Marsha Blackburn (R-TN) and Pete Olson (R-TX) that appears designed to make it more difficult for the Federal Trade Commission to expand the definition of personal information. Prior to the amendment, the bill expressly authorized the FTC to modify the definition of personal information through an Administrative Procedures Act rulemaking process.

Continue Reading

The Federal Financial Institutions Examination Council (FFIEC) released the long-awaited supplement to its authentication guidance, Authentication in an Internet Banking Environment.  The supplement represents the most current and authoritative guidance regarding data security in connection with online banking platforms. 

Here are a few highlights of the supplement:

• Financial institutions should perform periodic risk assessments that take into account, among other factors, changes in the internal and external threat environment. 
• Institutions should implement more robust controls for business and commercial banking as opposed to retail and consumer banking. 
• Institutions should implement a layered approach to security for high-risk Internet-based banking applications, including processes to detect and respond to anomalies and tighter access controls for administrative functions. 
• The supplement discusses the effectiveness of authentication techniques such as device identification and challenge questions. 

The federal banking regulators are expected to more closely scrutinize banking institutions' security practices, especially in light of recent data breaches affecting the industry, and to use the supplement in conducting examinations.  

By Katie Keith

Yesterday, two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing and Trade and Communications and Technology) held a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA” that featured testimony from FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez, and NTIA Assistant Secretary Lawrence Strickling.  Topics discussed included the need for privacy and data security legislation, the development of baseline governing principles, and current efforts by each agency to engage stakeholders on these issues. 

Legislators from both Subcommittees recognized the economic and social value of the Internet throughout the hearing and emphasized that nearly every aspect of our daily lives now has an online component.  Despite its “incalculable value,” the Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade, Rep. Mary Bono Mack (R-Cal.), characterized the Internet as a “work in progress” and expressed concerns shared by many Members of the two Subcommittees over the collection, use, sharing and protection of online data and the need to improve consumer education.  The witnesses generally shared these concerns, and although their testimony did not reflect a shift in policy at the FTC, FCC, or NTIA, the dialogue between the legislators and regulators did shed light on the current state of thinking about privacy regulation at the federal level. 

Continue Reading

On Thursday, July 14, 2011 two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing, and Trade and Communications and Technology) will hold a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA."  The hearing, which is the first in a series of anticipated dialogues aimed at examining how information is collected, protected, and utilized in the online ecosystem, will feature witness testimony from FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez, and NTIA Assistant Secretary Lawrence Strickling.  These federal regulators were called to testify about existing federal laws and practices to protect online consumer privacy and are expected to provide an overview of the existing federal privacy framework and help identify key issues to address.

On March 16, 2011, FTC Chairman Jon Leibowitz and Strickling testified in a Senate Commerce Committee hearing on “The State of Online Consumer Privacy.”  As we wrote about here, Strickling made news at the last hearing by stating that Obama administration supports comprehensive privacy legislation, which represented a shift in Administration policy.  Given the topic of this week’s hearing, we would expect Strickling to discuss the Administration’s position in the context of the current federal framework.

Check back after Thursday’s hearing for Inside Privacy’s summary and analysis of the discussion.

Among the numerous federal privacy and data security bills that have been introduced in Congress over the last four months, Senator Franken's "Location Privacy Protection Act" (S. 1223) focuses specifically on the collection of geolocation data by covered entities through mobile devices.  The bill would prohibit entities that offer or provide services to certain mobile devices from collecting and disclosing a consumer’s geolocation information, unless the company has obtained the consumer’s express consent.

“Geolocation information” is defined to include any information that (1) concerns the location of an electronic communications device that is generated or derived from the consumer’s use of the device and (2) may be used to identify or approximate the location of the device.  The term does not include, however, any temporarily assigned network address or IP address.  

The legislation would be enforced by the U.S. Attorney General, state attorneys general, and private individuals (who would have the right to bring private lawsuits).

Sen. Franken has shown a strong interest in mobile privacy issues.  As we blogged here in May, Sen. Franken has requested that Apple and Google require all applications available in the Apple App Store and the Android App Market to have “clear and understandable” privacy policies.

Last week, the Supreme Court issued its much anticipated decision in the Brown v. Entertainment Merchant's Association case.  Justice Scalia, writing for Justices Kennedy, Ginsburg, Sotomayor, and Kagan, held that a California law restricting the sale or rental of violent video games to minors, and mandating “18” labels for such games, violates the First Amendment.

The decision is not only a resounding victory for the entertainment software industry, but its views on the protection of minors under the First Amendment could have a profound impact on future legislative efforts as well.  In his dissent, Justice Thomas argued that the First Amendment does not include the right to speak to minors without obtaining the prior consent of their parents or guardians.  This approach supports many of the children's privacy laws that are on the books today.  The majority soundly rejected this approach, however, stating that laws that prevent children from hearing or saying anything without their parents' prior consent “do not enforce parental authority over children's speech and religion; they impose governmental authority, subject only to a parental veto.”  

In light of the number of privacy and data security-related bills currently being considered by Congress, we thought it might be helpful to provide a roundup of the legislation introduced or circulated to date:

Comprehensive privacy legislation:

• BEST PRACTICES Act, H.R. 611 (Rep. Rush): introduced Feb. 10, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Commercial Privacy Bill of Rights Act of 2011, S. 799 (Sens. Kerry and McCain):  introduced Apr. 12, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation.
• Consumer Privacy Protection Act of 2011, H.R. 1528 (Reps. Stearns, Matheson, Bilbray, and Manzullo):  introduced Apr. 13, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 

Do Not Track:

• Do Not Track Me Online Act, H.R. 654 (Rep. Speier):  introduced Feb. 11, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Do-Not-Track Online Act of 2011, S. 913 (Sen. Rockefeller): introduced May 9, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Children’s privacy:

• Do Not Track Kids Act of 2011, H. R. 1895 (Reps. Markey and Barton):  introduced May 13, 2011.  Referred to the House Committee on Energy and Commerce. 

Data security and breach notification:

• Data Accountability and Trust Act, H.R. 1707 (Reps. Rush, Barton, and Schakowsky):  introduced May 4, 2011.  Referred to the House Committee on Energy and Commerce. 
• Data Accountability and Trust Act of 2011, H.R. 1841 (Reps. Stearns and Matheson): introduced May 11, 2011.  Referred to the House Committee on Energy and Commerce. 
• Personal Data Privacy and Security Act of 2011, S. 1151 (Sens. Leahy, Schumer, Cardin, and Franken):  introduced June 7, 2011.  Referred to the Senate Committee on the Judiciary. 
• Secure and Fortify Electronic Data Act, H.R. ___ (Rep. Bono Mack): discussion draft released June 13, 2011.  Hearing held by the House Subcommittee on Commerce, Manufacturing, and Trade.
• Data Security and Breach Notification Act, S. 1207 (Sens. Pryor and Rockefeller): introduced June 15, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Geolocation privacy:

• Geolocation Privacy and Surveillance Act, H.R. 2168 (Reps. Chaffetz and Goodlatte): introduced June 14, 2011.  Referred to the House Committee on the Judiciary and the House Committee on Intelligence (Permanent Select). 
• Geolocation Privacy and Surveillance Act, S. 1212 (Sen. Wyden): introduced June 15, 2011.  Referred to the Senate Committee on the Judiciary. 
• Location Privacy Protection Act of 2011, S. 1223 (Sens. Franken and Blumenthal): introduced June 16, 2011.  Referred to the Senate Committee on the Judiciary. 

ECPA:

• Electronic Communications Privacy Act Amendments Act of 2011, S. 1011 (Sen. Leahy):  introduced May 17, 2011.  Referred to the Senate Committee on the Judiciary. 

Financial privacy:

• Financial Information Privacy Act of 2011, H.R. 653 (Reps. Speier, Hastings, and Filner): introduced Feb. 11, 2011.  Referred to the House Subcommittee on Financial Institutions and Consumer Credit. 

by David Fagan, Libbie Canter, and Josephine Liu

The House Subcommittee on Commerce, Manufacturing and Trade held a hearing yesterday on draft data security legislation authored by Chairwoman Mary Bono Mack (R-CA).  The hearing was very well attended with significant substantive engagement by Subcommittee members on both sides of the aisle — an indication that the Subcommittee and the broader House Energy and Commerce Committee are committed to moving data security legislation this year.  To that end, it is worth noting that while the House last year passed legislation drafted by Rep. Bobby Rush (D-IL) — which was re-introduced earlier this year, along with a similar legislation from Rep. Cliff Stearns (R-FL) — Rep. Bono Mack’s legislation, the Secure and Fortify Electronic Data Act, or SAFE Data Act, is expected now to form the basis for legislation in the House this year.

Continue Reading

by Rob Sherman and Allison Ray

The FTC’s recent announcement [PDF] that it will update its decade-old guidance on online advertising—known as Dot Com Disclosures [PDF]—has inspired animated industry discussion.

In its request for comments, the FTC highlighted that forums for online advertising that we take for granted today -- such as social media and mobile apps -- didn't exist when the Disclosures were released in 2000, and so the guidelines will need to be updated to address these new forms of communication.  (Eric Robinson discusses this point in his post at the Citizen Media Law Project,)  For companies that place or distribute online advertising, these changes may have a particularly significant impact, particuarly since they will need to be framed in a way that is flexible enough to account for changes in the industry and technology that we haven't yet seen. 

When they were first released, the FTC intended the Dot Com Disclosures to import traditional advertising disclosure rules into the online context. The guidelines set a performance standard for disclosures rather than a technical checklist, allowing marketers some flexibility in creating disclosures as long as disclosures met a “clear and conspicuous” standard. Both the FTC and industry commenters noted the danger of creating overly rigid rules at a time when consumer understandings and the internet itself were constantly transforming.

Continue Reading

Yesterday, the House Subcommittee on Commerce, Manufacturing and Trade held its second hearing on data security in the past month.  The hearing featured the testimony of top executives from Sony and Epsilon, companies that recently have been the victims of large-scale cyber attacks.  The hearing focused mainly on the specifics of the recent attacks, the companies' notification of affected individuals, and the steps the companies have since taken to improve the security of their networks.  The prospect of federal data security legislation was discussed briefly, however, and both the members and the witnesses agreed that such legislation would ease the burdens on businesses, which currently must navigate a complex (and sometimes inconsistent) terrain of state data security laws. 

As we have previously noted, two members of the Subcommittee, Reps. Rush and Stearns, have introduced comprehensive data security legislation in this Session.  At yesterday's hearing, Subcommittee Chairman Mary Bono Mack reaffirmed her intention to do the same.  In her opening statement, she explained that her bill would be based on three guiding principles: 

• First, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data.
• Second, information considered especially sensitive, such as credit card numbers, should have even more robust security safeguards.
• Third, consumers should be promptly informed when their personal information has been jeopardized. 

It is unclear whether Rep. Bono Mack's bill will differ substantially from those introduced by Reps. Rush and Stearns (which are themselves very similar to each other).  But based on this brief statement, it appears that the bill might distinguish between the security requirements for different types of data, which neither the Rush nor the Stearns bill does. 

The Illinois legislature has passed a bill that would require data owners to include specific information in a letter notifying an Illinois resident of a data breach affecting that resident’s personal information.  The bill, which still must be signed by Governor Pat Quinn, would require notice letters to include “(i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.”  The bill would also require that the letters not include “information concerning the number of Illinois residents affected by the breach.”

Illinois would join several other states whose breach notice laws require consumer letters to include specific contents.   If Gov. Quinn signs the bill, its requirements would take effect next year.   

Senator Al Franken recently sent a letter to Apple and Google asking them to require all applications available in the Apple App Store and the Android App Market to have “clear and understandable” privacy policies.  He made a similar request at a Senate hearing on mobile privacy earlier this month. 

Franken’s letter cites a study by TRUSTe and Harris Interactive that found that only 19 percent of the top free apps link to a privacy policy.  Franken’s letter describes requiring privacy policies as a “simple first step” toward protecting mobile privacy, suggesting privacy policies would aid federal consumer protection authorities in understanding apps’ information practices.  He states that, at minimum, Apple and Google should require location-aware applications to disclose what location information is gathered and how is used and shared.

Franken’s effort to expand the role of privacy policies in the mobile realm comes at a time of growing criticism of the role of privacy policies on traditional websites.  For instance, the Federal Trade Commission staff’s influential privacy report, released last December, criticized privacy policies as overly lengthy and difficult for consumers to understand.  On the other hand, privacy policies only serve their function if they offer sufficiently comprehensive information to provide adequate notice of privacy practices.  The challenges of balancing simplicity with comprehensiveness are heightened in the mobile space, where smaller screens limit flexibility in how information is displayed.  

Senator Rockefeller, Chairman of the Senate Commerce Committee, has asked Apple, Google, and the Association for Competitive Technology to respond to questions to help determine whether the applications running on their mobile platforms comply which the Children's Online Privacy Protection Act (COPPA). COPPA requires operators of certain websites and online services to obtain parental consent before collecting, using, or disclosing personal information from children under the age of 13.

It is not entirely clear whether COPPA applies to mobile applications. In connection with a review of the regulations implementing COPPA, the Federal Trade Commission asked for public comment on whether COPPA's text is broad enough to cover mobile applications. Separately, Rep. Markey introduced a bill last week that would amend COPPA to explicitly cover "mobile applications" and "online applications" -- terms which would be defined by the FTC.

By Elizabeth Katz

As Senate Judiciary Committee Chairman Patrick Leahy prepares to introduce legislation to reform the Electronic Communications Privacy Act, the Brookings Institution today held a panel on ECPA reform issues. The discussion began with a keynote address delivered by George Washington University Law School professor Orin S. Kerr. Following Mr. Kerr’s remarks, four panelists offered their perspectives: James Dempsey, Vice President for Public Policy at the Center for Democracy and Technology; Albert Gidari, Jr., a Partner at Perkins Coie LLP; Valerie E. Caproni, General Counsel in the Office of the General Counsel for the FBI; and James A. Baker, Associate Deputy Attorney General of the U.S. Department of Justice.

There was a consensus among participants that ECPA needs to be updated to reflect the technological changes that have occurred since the statute’s enactment in 1986 and that legislation should leave room for additional advancements in technology. The panelists also generally agreed that it is important for any statutory revisions to balance privacy interests and law enforcement needs, although they disagreed as to the proper balance.

During the course of the discussion, panelists analogized various types of technology – including email, cloud storage, GPS, and cell phone tower tracking – to more traditional forms of communication, such as mail and telephone conversations. Participants focused particularly on the government’s use of "location information," which can be obtained through a range of methods, including cell phone tower tracking, GPS, social networking posts, and other sources.

UPDATE: Senator Leahy has introduced legislation to reform ECPA 

By David Fagan and Josephine Liu

The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity.  The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework.  As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress.  Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request. 

While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:

• National data breach notification.  The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach.  Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances.  These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general. 
• Development of critical infrastructure cybersecurity plans.  DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks.  An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate.  Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors.  DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient. 
• Voluntary sharing of cybersecurity threat information.  The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so.  DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information. 

Continue Reading

This is another big week for privacy. On Monday, Senate Commerce Chairman Jay Rockefeller introduced the Do-Not-Track Online Act of 2011, which we posted about here. And yesterday, the newly created Senate Subcommittee on Privacy, Technology and the Law held its first hearing.  The hearing focused on mobile privacy issues, but also touched on other important privacy-related matters, including reform of the Electronic Communications Privacy Act and data security breaches. The following are highlights from the hearing:

• Jessica Rich, Deputy Director of the Federal Trade Commission's Bureau of Consumer Protection, testified that the FTC has "a number of active investigations into privacy issues associated with mobile devices, including children's privacy."
• Ms. Rich also noted that the draft Staff Report published by the FTC in December addresses mobile privacy issues in certain respects, including recommending that companies obtain affirmative express consent before collecting or sharing sensitive information such as precise geolocation data. In response to a question from Senator Al Franken, Ms. Rich explained that location data is especially sensitive because it often involves the data of children and teens and, when gathered over time, can be used to determine what church or political meetings a person attends and when and where a child walks to and from school. She also noted stalking concerns. Ms. Rich also expressed concerns that mobile users are even less likely than other online consumers to read detailed privacy screens, given the small screens of most mobile devices, but noted that the FTC Staff Report recommends clearer disclosures and simpler consent mechanisms. With respect to the status of the Staff Report, Ms. Rich’s written remarks indicate that FTC staff is analyzing the comments it received on its draft Staff Report and will take them into consideration in preparing a final report for release later this year.

Continue Reading

By David Fagan & Libbie Canter

Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707).  During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make it out of the Senate Commerce Committee before the end of the session.  The legislation would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.

• Scope.  The legislation covers persons engaged in interstate commerce, with certain additional requirements applicable to information brokers.  The provisions generally apply to the ownership or possession of personal information, which is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.”  Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers. 
• Breach Notification.  Following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses typically would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed.  Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
  • Timing.  Under the bill, notification would be required not later than 60 days following discovery of the breach, with a limited number of exceptions available.
  • Content Requirement.  Consumer notifications would be required to include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; notice that the individual is entitled to receive certain credit protection products at no charge (which the Act would require businesses to furnish); and contact information for the major credit reporting agencies and the FTC.
  • Obligation to Furnish Credit Products.  The bill indicates businesses will be required to provide or arrange for the provision of free consumer credit reports on a quarterly basis and credit monitoring to affected individuals for a period of two years following a breach.  The bill directs the FTC to promulgate rules with respect to the circumstances in which such credit products will be required to be offered.
  • Risk of Harm.  There is no notification requirement or other obligations on a business if it determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct.  This is presumed to be the case if the data is encrypted or otherwise unreadable, although the bill directs the FTC to promulgate regulations on the technologies that adequately render data unreadable.
  • Service Providers.  Third parties contracted to maintain or process data and service providers would be required to notify the owner of the information, which would then have the obligation to notify the FTC and consumers.

Continue Reading

In a recent order, Judge Henderson of the District Court for the Northern District of California denied NebuAd Inc.’s motion to dismiss in Valentine v. NebuAd Inc., No. C08-05113 TEH, finding that plaintiffs had sufficient statutory standing to assert claims under the California Invasion of Privacy Act ("CIPA") and the California Computer Crime Law ("CCCL") and that these claims were not preempted by the federal Electronic Communications Privacy Act ("ECPA").

With respect to standing, the Court found that the California Legislature did not intend to limit the right of action under CIPA and CCCL to in-state plaintiffs, and, thus, the out-of-state plaintiffs in this action could bring suit again a California defendant (NebuAd).  (Notably, this analysis pertained to standing under these specific California statutes, not the Article III constitutional standing that was at issue in the recent RockYou decision, which we wrote about here).  On the preemption issue, the Court rejected the Central District of California’s holding in Bunnell v. Motion Picture Ass’n of Am. that ECPA preempted a CIPA claim.  Instead, the Court said it was more persuaded by the California Supreme Court’s contrary holdings that ECPA does not preempt CIPA in People v. Conklin and Kearney v. Salomon Smith Barney.

Continue Reading

By Libbie Canter & Steve Satterfield

Members of a key committee in the House have announced their intention to introduce data security legislation in the near future.  In a statement released Wednesday, Rep. Mary Bono Mack, who chairs the House Subcommittee on Commerce, Manufacturing and Trade, cited the recent Sony Playstation breach in calling for congressional legislation.  The subcommittee chaired by Rep. Bono Back will hold a hearing -- entitled “The Threat of Data Theft to American Consumers” -- on May 4, 2011 on data security issues.

Rep. Bobby Rush, also a member of the subcommittee and who served as chairman during the last Congress, likewise plans to re-introduce a data security bill, which passed in the House in the last session of Congress.  Data security legislation, in fact, has been proposed in the last several Congresses, but last year was the first time it passed either chamber.  Whether Rep. Bono Mack and Rep. Rush will work together on legislation is not yet clear, but these latest development indicate, at least, that Rep. Bono Mack is inclined to make privacy and data security a part of her agenda as Subcommittee Chair (a role she assumed in January).  Rep. Bono Mack has been active on FTC issues in the past, but she was not a key driver on privacy legislation during the 111th Congress.

As our colleague, Gerry Waldron, wrote in a blog post several months ago, if Subcommittee Chair Bono Mack wants to move forward a privacy agenda, she will need to educate new members through hearings to get them comfortable with the substance and hear from stakeholders. The May hearing will be an opportunity to do just that on data security and breach notification issues.

CNET reports that Rep. Jay Inslee (D-WA) is calling on the FTC to investigate Apple's privacy practices, particularly with respect to location-based services.  In a letter to FTC Chairman John Leibowitz, Inslee expressed concern about users' lack of awareness of "location-aware technology."  He writes: 

"Citizens expect to be able to know the extent to which their private information is being collected. In this case, Apple's only apparent disclosure comes buried in the vaguely worded language of a lengthy terms and conditions agreement. Furthermore, agreement on the part of the user is apparently granted simply by 'using location-based services on your iPhone.' The fact that no iPhone user was aware of this activity until two tech-savvy researchers stumbled upon it illustrates the lack of adequate disclosure."

Inslee's letter is only the most recent statement of concern by a member of a Congress about the privacy implications of location-based services.  Sen. Al Franken (D-MN), who chairs the Senate Subcommittee on Privacy, Technology, and the Law, has scheduled a hearing for May 10 on mobile technology and privacy, at which representatives from Apple and Google will testify along with officials from the Department of Commerce and the FTC.   Sen. Jay Rockefeller reportedly also plans to hold a hearing in May on mobile privacy, but no date has been set.     

It is noteworthy that, thus far, members of Congress appear only to be concerned to with the makers of operating systems for smartphones, and not the makers of "apps" that often use location-based information to provide services to smartphone users.  This parallels a similar narrowing of focus in the most prominent lawsuit arising out of alleged tracking in the mobile context, In re iPhone Application Litigation.  As we noted last week, although the original complaint named several app makers as defendants, the amended complaint has dropped those companies from the suit.

As we have previously posted, California State Senator Alan Lowenthal has introduced do-not-track legislation with the support of Consumer Watchdog and other public advocacy groups.  Most recently, the California Senate Judiciary Committee has scheduled a May 3, 2011 hearing on the bill.  

SB 761 directs the California attorney general to adopt regulations requiring companies that collect online data to allow consumers to opt out of the collection or use of their personal information – including online tracking.  The attorney general would be authorized to include an access requirement so that consumers could access personal information collected about them.  The legislation contemplates that the attorney general could exempt from the requirements of SB 761 commonly accepted practices such as providing a requested service, fulfilling basic business functions, or complying with legal requirements. 

InsidePrivacy will keep you informed of further meaningful developments with respect to this bill and other privacy legislation moving at the federal and state levels.

California state Senator Joe Simitian (D-Palo Alto) certainly can be credited with persistence when it comes to expanding California’s data breach notification law, and with Jerry Brown replacing Arnold Schwarzenegger as governor, the fourth time may be the charm.  On April 14, 2011, the California State Senate voted to approve Senate Bill 24, which now moves to the State Assembly for consideration.

The new legislation would amend California’s existing security breach notification requirements by:

• Establishing standard content requirements for data breach notifications to California residents, including the type of information breached, the time of breach, and a toll-free telephone number of major credit reporting agencies; and
• Requiring public agencies, business, and individuals subject to California’s security breach notification law to send an electronic copy of the breach notification to the California Attorney General, if more than 500 Californians are affected by a single breach.

Continue Reading

The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, provides an organizational platform for facilitating international payments.  U.S. and foreign financial institutions use SWIFT messages to initiate, process, receive, and settle payment orders.  The amount of information exchanged via SWIFT is immense.  More than 9,000 financial institutions in 209 countries rely on SWIFT to process international payments, and an average of 17,000,000 SWIFT messages are sent in a given day.  SWIFT messages contain sensitive financial information about consumers, businesses, and governments and for that reason raise unique financial privacy concerns.

In recent years, governments such as the United States have obtained access to the SWIFT database, including transactions involving citizens as well as foreign residents, in order to combat terrorism.  However, certain countries have criticized and pushed back against such access out of concerns for their citizens’ privacy.  In 2010, the United States and European Union reached an agreement whereby SWIFT message information will be made available only for the purpose of preventing, detecting, and prosecuting terrorism and only upon a showing that such information is necessary.

More broadly, the Dodd-Frank Act provides for Federal Reserve supervision of systemically important payment and settlement activities, and it is generally expected that the international payments system will receive more attention from regulators in the future.  For instance, recent Treasury rulemakings have requested further comment on the subject of non-U.S. payment and settlement providers. 

As expected, Rep. Cliff Stearns (R-FL) and co-sponsor Rep. Jim Matheson (D-UT) introduced the “Consumer Privacy Protection Act of 2011” earlier today.  The bill follows closely on the heels of the “Consumer Privacy Bill of Rights Act” (S. 799), which was introduced yesterday by Senators John Kerry (D-MA) and John McCain (R-AZ).  (You can read our summary of S.799 here.)  The following is a summary of Rep. Stearns’ bill that highlights its key differences from S.799.

Scope:  The bill would regulate the online and offline collection and use of traditional forms of personally identifiable information (e.g., name, address, email).  The scope is therefore narrower than S.799, which also covers the collection and use of “unique identifiers” and IP addresses. 

Notice obligations:  The bill requires covered entities to provide notice in three instances: 

• Notice in a privacy policy;
• Notice in a “statement” made before any PII collected from a consumer is used for a purpose unrelated to the transaction for which it was collected; and
• Notice for material changes to privacy policy statements.    

S.799 contemplates the first and third forms of notice; not the second. 

Consent obligations:  Unlike S.799, the Stearns bill does not obligate entities to obtain opt-in consent in any circumstance.  It requires opt-out consent before selling PII that may be used for a purpose unrelated to the transaction in which the PII was collected unless the purchasing entity is (1) under common control with the covered entity; or (2) contractually obligated to comply with the practices enumerated under the entity’s privacy policy.  A covered entity may provide the consumer an opportunity to permit the sale (or disclosure for consideration) of such information in exchange for a benefit to the consumer. 

In other circumstances, a covered entity may offer consumers other opportunities to limit collection or use of PII, but is not required to do so. 

Continue Reading

On April 7, 2011, the Securities and Exchange Commission announced a total of $55,000 in fines against three former executives of a securities broker-dealer for violations of the privacy and safeguard rules in Regulation S-P.  The fines mark the first time the SEC has imposed administrative fines for violations of these rules.  Copies of the SEC’s announcement and orders can be found here. 

The SEC alleged that, in the course of winding down the business operations of GunnAllen Financial, the former president and former national sales manager downloaded customer records, including names and addresses, account numbers, and asset values, and provided the records to the sales manager’s new employer.  The SEC found that their actions violated the privacy rule, which obligates broker-dealers to give customers a reasonable opportunity to opt out before customer information is shared with unaffiliated third-parties, and the safeguards rule, which requires broker-dealers to have adequate policies and procedures in place to safeguard customer data.  The SEC found that the company’s former chief compliance officer was culpable for violations of the safeguards rule.  The SEC also found that the company’s policies and procedures were inadequate because they simply recited Regulation S-P and were not modified over time, even after the company was affected by security breaches.

Email marketing company Epsilon announced last week that its databases had been hacked, compromising customer names and e-mail addresses for a number of major companies that outsource their marketing communications to Epsilon.

The Epsilon data breach illustrates some of the security challenges when dealing with cloud computing environments.  Although there are security risks associated with any outsourcing solution, the potential effect of a breach is magnified in a multi-tenant cloud.  Only 2% of Epsilon’s estimated 2,500 clients were affected by the attack, and that still amounted to millions of exposed records.  According to one estimate, the total number of affected individuals could be as high as 100 million. 

Dave Frankland of Forrester Research observes that this incident may cause companies to question whether a multi-tenant deployment model is the best way to process customer data, given that a single breach can give a perpetrator access to a wealth of data. 

Continue Reading

Although concerns about locational privacy are hardly new, recent developments suggest that policymakers and government officials are taking a close look at the privacy issues raised when geolocation data is collected via smartphones.

• The Wall Street Journal reports that a federal grand jury in New Jersey is probing the data collection practices of smartphone applications.  According to the article, one of the issues in the ongoing investigation is whether applications need information such as a user’s location, and whether applications adequately advise users that the data is being collected and why it is needed.  Online music service Pandora Media Inc., which received a subpoena for documents in early 2011, believes that “similar subpoenas were issued on an industry-wide basis to the publishers of numerous other smartphone applications.” 
• Reps. Edward Markey (D-MA) and Joe Barton (R-TX), co-chairmen of the House Bi-Partisan Privacy Caucus, sent letters last week to the four major U.S. wireless carriers, asking them to explain how they collect, use, and store cell phone data.  Among the issues being examined: what mechanisms are used to determine the location of a mobile phone, the purpose of these mechanisms, and the procedures used to obtain express prior authorization if customers’ location information is used for commercial purposes.  A copy of the letter is available here.  Reps. Markey and Barton's inquiry was prompted by this New York Times article, which described how a German cellphone carrier recorded and saved one customer's longitude and latitude coordinates more than 35,000 times in a six-month period.
• Sen. Ron Wyden (D-OR) is reportedly preparing legislation that would provide greater protection for geolocation information.  Under the proposed Geolocation Privacy and Surveillance Act, or GPS Act, law enforcement officers would be required to obtain search warrants in order to wirelessly track the locations of cars and cell phones; individuals whose location data was illegally intercepted or used could sue for actual or statutory damages. As Sen. Wyden noted in an interview, “everyone is walking around with a handheld electronic device. And if you go out and ask these people about everybody collecting vast amounts of information about them that is really quite accurate and quite detailed, most people on the street would say, what’s the deal here?  How’s my privacy going to be protected?”
• In its December 2010 staff report, the Federal Trade Commission noted that retention of location-based data “and its use to build consumer profiles . . . raise[] important privacy concerns.  For instance, the retention of location information about a consumer’s visits to a doctor’s office or hospital over time could reveal something about that consumer’s health that would otherwise be private.”  The FTC staff recommended that companies seek affirmative express consent before collecting, using, or sharing precise geolocation data. 

Today, the Federal Trade Commission announced that it has accepted, subject to final approval, a consent agreement from Google that would resolve the Commission's allegations that Google engaged in deceptive trade practices when it launched its "Buzz" social networking service in February 2010. The FTC's complaint alleges, among other things, that the launch violated Google's  privacy policy in effect at the time, which promised users that Google would not use personal information "in a manner different than the purpose for which it was collected [without] your consent prior to such use." The complaint alleges that notwithstanding this promise, Google used information it had collected from users who signed up for Gmail to establish Buzz. Moreover, the Commission alleges that Gmail users were in many instances automatically set up with Buzz "followers" and were also automatically set up to "follow" other users. Because these connections to other users were based on the number of emails exchanged between users, the connections--which were public by default--indirectly revealed information about users' correspondence on Gmail. The Commission alleges that Google failed to adequately disclose that this information would be made public, and, in light of representations that users could control access to this information, Google’s failure was a deceptive act or practice.

The consent agreement would require Google to "establish . . . a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [certain consumer] information." The elements of the privacy program will be familiar to readers of the recent FTC staff report on consumer privacy, particularly the section discussing the principle of "privacy by design." The report recommended that businesses incorporate substantive privacy and security protections into their everyday practices and at all stages of the development of their products and services. Under the preliminary agreement, "privacy by design" will be mandatory for Google--for the next 20 years. As the FTC noted in its press release, "[t]his is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information."

Although all five commissioners voted to accept the agreement--subject to final approval--Commissioner J. Thomas Rosch filed a concurrence, noting some reservations about a part of the agreement that would require Google to obtain "affirmative consent" form users for any change from "stated sharing practices in effect at the time [Google] collected [the user's information]." Rosch notes that this requirement is potentially of unprecedented breadth. While it is well-settled FTC policy to require companies to obtain affirmative consent from users before using personal information in a materially different way than claimed when the information was collected, the requirement in the consent agreement contains no materiality threshold.  Google would have to obtain affirmative (i.e., opt-in) consent for any"new or additional" sharing of personal information not disclosed when the information is collected. You can read the full text of Rosch's statement here. 

The agreement will be subject to public comment for 30 days, beginning today and continuing through May 1, 2011. At that point, the Commission will decide whether to make the proposed consent order final. Inside Privacy will keep a close eye on the comments that are filed and will report on key stakeholders' reactions to this proposed settlement.

United States District Judge Denny Chin's decision [PDF] denying final approval of the Google Books Settlement included an interesting discussion of privacy issues that were raised by the proposed settlement agreement [PDF].  The decision may draw attention to the emerging privacy issues surrounding reading on computers and other Internet-enabled devices, such as popular e-Readers.

The Google Books settlement agreement would have resolved a copyright suit filed against Google by authors and publishers, parts of whose books Google had made available through its search engine without first securing copyright permission.  Under the agreement, Google would, among other things, have been permitted to (1) continue to digitize books, (2) sell subscriptions to an electronic books database, (3) sell online access to individual books, and (4) sell advertising on pages from books.  

A number of consumer groups -- including Consumer Watchdog and EPIC -- had filed briefs in opposition to the settlement arguing that allowing Google to engage in these activities raised privacy concerns.  Consumer Watchdog contended that the agreement would give Google "the ability to collect nearly unlimited data about the activities of users of its Book Search and other programs, including users' search queries, the identity of books a particular user reads, how long that reader spends on each book, and even what particular pages were read."  The court acknowledged that the privacy concerns about Google Books "are real."  However, Judge Chin noted that the agreement contained privacy protections for the authors and publishers that comprised the class.  Judge Chin did not focus on the privacy interests that Consumer Watchdog and others had raised with respect to users of Google Books. 

Continue Reading

Yesterday, Senator Jay Rockefeller announced that the Senate Committee on Commerce, Science & Transportation, which he chairs, will hold a hearing on cybersecurity issues on March 29.  This is not a new issue for Senator Rockefeller or the Senate Commerce Committee, which approved cybersecurity legislation during the 111th Congress.  The Senate Homeland Security Committee had its own competing cybersecurity bill last Congress.  Majority Leader Harry Reid and his staff have been working to develop a consensus cybersecurity bill, which would reconcile the various jurisdictional interests in the Senate.

As we have previously posted, there is also engagement on cybersecurity issues in the House.  Rep. Robert Goodlatte (R-Va.) -- a senior member of the House Committee on the Judiciary and the chair of the Subcommittee on Intellectual Property, Competition, and the Internet -- has indicated his intent to take up cybersecurity legislation during the 112th Congress.  And most recently, Rep. Jim Langevin (D-RI) has introduced cybersecurity legislation.

Two of the country’s largest video rental services, Netflix and Redbox, have been sued for allegedly violating the federal Video Privacy Protection Act (“VPPA”).  The plaintiffs in both suits contend that the rental services stored information about their rental histories for long after that information had ceased being “necessary” to provide the services for which customers had signed up, in violation of the VPPA.  The Netflix complaint also alleges that the company unlawfully maintained the information even after customers had cancelled subscriptions to the service.

One central issue in both cases will be the question of the point at which information collected by a company is “no longer necessary for the purpose for which it was collected" -- specifically, with respect to Netflix, whether it was reasonable for it to retain subscriber information after cancellation of the service.  

The answer to this question about the substantive requirements of the VPPA may also have ramifications beyond the law of video privacy.  As we have previously detailed, the FTC’s recent staff report on consumer privacy recommended that businesses do more to incorporate substantive privacy protections at every stage of a product’s lifecycle.  The FTC, which characterized this approach as “privacy by design,” stressed the importance of limited data retention.

Continue Reading

Speaking at today’s Senate Commerce Committee hearing on “The State of Online Consumer Privacy,” Assistant Secretary of Commerce Lawrence E. Strickling stated that the Obama administration supports comprehensive privacy legislation.  As we noted in yesterday’s post, this announcement represents a shift in Administration policy.  Although in its December 2010 “Green Paper,” Commerce recommended that consumers’ online activities be subject to greater protections, the Department stopped short of embracing baseline legislation as the way to ensure such protections.  Strickling explained today that after reviewing the dozens of comments submitted in response to the Green Paper, the Department concluded that privacy legislation should be the foundation of the U.S. privacy framework.

Continue Reading

According to an article written by Jeff Swiatek in the Indianapolis Star, an Indiana judge has ruled that the state's reporters' shield law does not prevent two newspapers from being compelled in a lawsuit to disclose identifying information about online commenters in their Web forums.  The ruling is the first considering the application of the state's shield law to a media entity's online forum.

The plaintiff in the lawsuit alleges that commenters on websites run by two newspapers and a television station in Indianapolis posted harmful and false information about him.  He sought to compel the media companies to reveal technical information concerning the anonymous commenters so that he could obtain their identities and proceed in a suit against them.  Although the media organizations are not the targets of the suit, they resisted revealing the commenters' technical identifying information.  

Like many states, Indiana has a "reporters' shield law," which protects reporters from being compelled by courts from revealing the identities of their sources in certain situations.   Indiana's law states that reporters (including print, television, and radio reporters) cannot be forced to disclose the identity of the source of any information procured or obtained in the course of reporting for their employing media organization, regardless of whether the information is published/broadcast or not.  The judge ruled that the shield law does not prevent newspapers from revealing identifying information concerning commenters in their online forums (as opposed to a more traditional source).  He has not yet ruled on whether the television station must turn over information concerning the commenters as well.  

The application of state shield laws to online activities has been controversial since many of the laws, such as Indiana's, were passed long before the development of the Internet.  Although the judge's decision construes Indiana law, it provides an important datapoint as traditional media businesses develop approaches to privacy for online forums and state judges consider how to apply their shield laws in the Internet age.

Today the District Court for the Northern District of Alabama dismissed the class action lawsuit filed against our client, Cable One, Inc., for lack of subject matter jurisdiction because the named plaintiff lacked standing.  The litigation arose out of a limited test of NebuAd Inc.’s “deep packet inspection” technology, which was used to create anonymous, non-sensitive interest categories for subscribers for the purpose of serving targeted ads.  Of six putative class actions filed against Internet service providers in connection with tests of this NebuAd technology, this is the only one to be dismissed to date. 

Cable One initially was sued in the Northern District of California along with NebuAd, Inc., and five other ISPs—Bresnan Communications, CenturyTel, Embarq, Knology, and Wide Open West.  Covington's team of Simon Frankel and Mali Friedman secured the dismissal of that complaint against Cable One in October 2009 for lack of personal jurisdiction. 

Plaintiff’s counsel then filed a complaint against Cable One in Alabama (where Cable One was alleged to have allowed NebuAd to conduct its test). In the course of responding to discovery, plaintiff’s counsel stipulated to dismiss with prejudice the Computer Fraud and Abuse Act (“CFAA”) claim and related common law claims—the first dismissal of a CFAA claim in any lawsuit involving the NebuAd technology.  The Covington team of Eric Bosset and Andrew Bernie, along with Frankel and Friedman, also established in discovery that the named plaintiff lacked standing to sue on the remaining claim brought under the Electronic Communications Privacy Act (“ECPA”).  The court disposed of the action on Covington's motion to dismiss today.

For more information on private actions challenging online data collection practices, please see our recent publication in the Intellectual Property and Technology Law Journal and E-Alert. 

For the fourth time in the past two months, Apple has been sued for allegedly violating the privacy of iPad and iPhone users.  Like the previous three suits (two of which we discussed in this post), Rodimer v. Apple, Inc. [PDF] alleges that Apple transmitted "personal information," including Unique Device IDs ("UDIDs") to application developers, who, in turn, shared the information with mobile advertising networks.  The complaint, filed this past Tuesday in California federal court, names a number of application developers--including The New York Times Co., Pandora Media, and National Public Radio--as well as several mobile advertising firms. 

Although the 92-page complaint is long on detail, it may come up short at the motion-to-dismiss stage given that it does not appear to allege sufficiently that the defendants' acts caused any injury to the plaintiffs.  The closest the complaint comes to alleging injury is its discussion of the lead plaintiff's "belief" that after accessing certain applications on his iPhone, the device's UDID was transmitted to application developers and their advertising affiliates. 

The complaint goes on to allege that the lead plaintiff "believes" that the transmission of the UDID "permitted one or more objects within his mobile device" to be used to facilitate the tracking of his online activities and geolocation so that the device could be sent targeted advertisements.  It appears that the sole basis for this belief is that the iPhone at some point began to operate "more slowly," leading the plaintiff to believe that the "Defendants [had] used his bandwith." 

These vague allegations of harm may be insufficient to establish standing to sue in federal court.  A recent dismissal [PDF] of a privacy suit by the U.S. District Court for the Central District of California on standing grounds suggests that plaintiffs alleging the kind of speculative harm that the Rodimer plaintiffs assert may be unable to maintain their suits.     

We covered in a previous post ongoing litigation in the D.C. Circuit between the American Bar Association and Federal Trade Commission over the scope of the FTC’s Red Flags rule.  On January 20, 2011, the FTC filed a supplemental brief analyzing the impact of the recently-enacted Red Flag Program Clarification Act of 2010 on the permissible scope of the rule.  The ABA filed a response brief on February 3, 2011, and the FTC filed a reply brief on February 10, 2011. 

The ABA’s response brief emphasized the view that Congress never intended for the Red Flags requirements to apply to lawyers and used the Clarification Act and its deliberations in Congress as further evidence of that congressional intent.  The Clarification Act does not contain an express authorization for the FTC to apply the Red Flags rule to attorneys and, in fact, narrows the definition of “creditor.”  It points to legislative history that suggests Congress intended to prevent the FTC from applying the rule to professionals such as attorneys. 

The FTC’s reply brief argued that the Clarification Act provided no categorical exemption from the definition of “creditor” for attorneys and that the definition, as amended, continues to encompass certain attorney billing or credit arrangements.  Moreover, Congress considered but ultimately did not pass bills that explicitly exempted attorneys from the scope of the rule.

Ringleader Digital -- an online advertising firm specializing in the mobile market -- has agreed to settle two putative class actions that were filed against it last fall.  The plaintiffs alleged that Ringleader violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state privacy and consumer protection laws, by using HTML5 software to track users' online activities.  Under the proposed settlement agreement [PDF], Ringleader will pay $30,000 to the named plaintiffs in both actions and $670,000 in attorneys' fees.  The proposed agreement also provides for significant injunctive relief.

This is the second notable settlement of a privacy litigation in the past three months.  As we discussed in a previous post, online marketing firms Quantcast and Clearspring settled several privacy suits arising from the alleged use of "Flash cookies" to track users' browsing activities for advertising purposes.  As with the Quantcast/Clearspring settlement, the settlement announced in the Ringleader cases is somewhat surprising given the strong defenses Ringleader appeared to have to the asserted claims and the limited release obtained.  Eric Bosset, Simon Frankel, Mali Friedman, and I recently published an article in the Intellectual Property & Technology Law Journal that details some of those defenses.        

Continue Reading

In a decision with implications for all California retailers, the California Supreme Court ruled [PDF] yesterday that a customer may not be asked to provide his or her ZIP code during an in-person credit card transaction.  At issue in Pineda v. Williams-Sonoma Stores, Inc. was the scope of California's Song-Beverly Credit Card Act of 1971, Cal. Civ. Code § 1747.08, which provides that (subject to narrow exceptions) no entity that “accepts credit cards for the transaction of business” may:

• “Request, or require as a condition to accepting the credit card as payment . . . the cardholder to write any personal identification information upon the credit card transaction form or otherwise”;
• “Request, or require as a condition to accepting the credit card as payment . . . the cardholder to provide personal identification information, which the [entity] accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise”; or
• “Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.”

“Personal identification information” is defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.”  The question before the court in Pinedawas whether "personal identification information" also includes a customer's ZIP code.  In a unanimous decision, the California Supreme Court held that it does, reversing the lower court and allowing a putative class action against Williams-Sonoma to proceed.   

At least 14 other states and the District of Columbia have laws similar to the Credit Card Act--many of which provide private rights of action--but these appear to have been rarely, if ever, enforced.  By contrast, California has recently seen a surge in Credit Card Act litigation.  Today's ruling suggests that the surge will continue. 

It is no surprise that the 97 comments filed in response to the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” take a range of positions on issues such as the need for federal privacy legislation, the relevance of the Fair Information Practice Principles (FIPPs), the efficacy of Privacy Impact Assessments (PIAs), and the value of voluntary codes of conduct.  But there is a prevalent theme echoed in several of the comments:  individuals' privacy expectations depend on context.  Privacy notices should be clearer and shorter but there is not likely a one-size-fits-all approach to the structure or content of such notices.  Individuals should be given greater control over the use of their data but the level of control should depend on the type of data at issue, the type of use involved and the relationship between the individuals and the entities that use their data.  

This recognition that context matters has led to the sector-specific and practice-specific privacy laws in the US, which include laws governing kids privacy, email marketing, telemarketing, financial privacy, cable privacy, and health privacy.  It certainly is possible to draft comprehensive baseline federal privacy legislation.  But any such legislation will need to appreciate that not all of the rules can or should apply in the same way all of the time.  Just like data security rules (which are tailored to the risks at issue), privacy rules around issues such as transparency, individual control, and access will need to be tailored to account for individuals' different expectations in different circumstances.  

Commenters appear to agree that both government and industry have a role to play in developing a meaningful privacy framework that protects individuals' varied privacy interests and allows for innovation to flourish.  The debate centers around how to balance these important interests.  But there seems to be a growing consensus that any privacy framework -- whether codified or not -- will need to recognize the importance of context.

Blog readers in the U.S. may have missed this month's Wired U.K.,  which included "ultra personalized" covers that provided detailed information about each of a small number of subscribers who received it.  The cover included hand-collected data about subscribers' telephone numbers, social networking activities, eBay purchases, property sales, and other activities, and was designed to highlight Wired's cover story on "what the end of privacy means for you."

Wired has received mostly positive reactions, and a fair amount of attention, concerning its cover.  U.K. journalist Benjamin Cohen blogged after receiving the magazine that he was "shocked" at how much Wired learned about him, including details such as the address to which Cohen's parents had moved and the fact that he recently had a meeting with an ex-boyfriend.

Writer Andrew Losowsky observes that this is not the first time magazines have offered hyper-personalized content, but the cover comes at a time when the policy debate over information privacy continues at a rapid clip, with the FTC and NTIA in the U.S. working to develop new frameworks for regulating privacy and the EU regulator taking a hard look at data security.

It will come as no surprise to privacy professionals that online sources and government records can include information about individuals -- particularly if those individuals do not use existing social media privacy settings, as Cohen says he did not.  But, just as a series of reports in the Wall Street Journal last year led to a high-profile congressional investigation, renewed attention to consumer privacy issues in the press has the potential to focus regulators' attention on these issues as they consider whether new legislation in the U.S. is necessary to address concerns about consumer privacy.

Later this week, we'll look in more depth at the major considerations that are likely to influence regulators' approach to privacy in the coming year.

The deadline to submit comments in response to the Consumer Financial Protection Bureau (CFPB) Implementation Team’s notice to establish the “Consumer Inquiry and Complaint Database” is less than two weeks away. 

Title X of the Dodd-Frank Act establishes the CFPB to enforce federal consumer financial laws through rulemaking, supervision, and enforcement authority.  Dodd-Frank grants the CFPB province over, among other federal statutes, the Electronic Fund Transfer Act, Fair Credit Reporting Act, and Fair Debt Collection Practices Act.  The CFPB will officially open for business on July 21, 2011.  In the meantime, the CFPB Implementation Team has been active in taking steps to ensure the bureau gets off the ground running, including with its notice to establish the Consumer Inquiry and Complaint Database. 

The Consumer Inquiry and Complaint Database will contain information concerning complaints or inquiries submitted directly to the CFPB and those submitted to other agencies and referred to the CFPB.  Specifically, the database will include (1) information about the individual or entity that is the subject of the complaint, (2) information about the individual or entity submitting the complaint, (3) correspondence and any documentation associated with the complaint, and (4) information about how complaints or inquiries were addressed.  The purpose of the database is to enable the CFPB to collect, respond to, and refer complaints or inquiries regarding consumer financial products or services.  However, information in the database may be disclosed in the course of civil discovery, litigation, or settlement; to Congress, law enforcement agencies, regulatory agencies, and self-regulatory agencies; and in aggregate form to the public for purposes of analytical and statistical reporting.  The database presents a number of privacy-related issues that will not be fully recognized until the CFPB commences operations. 

Comments regarding the database must be submitted by February 9, 2011.

According to a Federal Deposit Insurance Corporation survey of depository institutions, approximately 38 percent of institutions offer some form of remote deposit capture (RDC) service.  RDC enables a customer to deposit checks and other items electronically through the internet or the customer’s mobile phone.  The service was first authorized in 2004 when Congress passed the “Check Clearing for the 21st Century Act.”  RDC may help an institution expand its geographic reach by offering deposit services to customers who are not located nearby one of the institution’s branches or other offices.  However, the federal banking agencies are mindful of the risks involved with RDC services, including the need to protect customers’ nonpublic personal information, and have stressed sound risk management practices tailored to RDC.

The federal banking agencies recommend that institutions address RDC services in their existing risk assessments, implement physical and logical access controls over RDC data and services, impose risk-based guidelines to determine which customers should be eligible for use of the service, offer RDC training for customers, and consider applicable laws and regulations such as the Check Clearing for the 21st Century Act, Federal Reserve Regulation CC and Regulation J, applicable state laws and regulations, and other guidance.  Risk management for RDC should also address the use of third-party vendors and service providers.  According to the survey, 68 percent of institutions that offer RDC rely on either a third-party program or third-party software or hardware owned by the third-party.  For this reason, institutions should pay close attention to third-party risk in providing RDC services. 

Here’s a five-minute overview of the five major bodies that will influence the privacy, data protection and data security areas as we start 2011.

1.       The Federal Trade Commission.  The FTC’s privacy efforts focus on the FTC Act’s broad prohibition against “unfair or deceptive” acts or practices.  The FTC also has played a valuable role in providing guidance to companies on appropriate privacy practices and has fostered valuable groups heading up industry self-regulatory efforts.  But in December 2010, the FTC signaled that “self-regulation has not kept pace with technology.”  The FTC’s report suggests a new normative framework for all commercial entities -- online and offline -- that handle any data that “can be reasonably linked to a specified consumer.”  The report has three core principles:

• Privacy by Design.  Companies should adopt practices to limit data collection, protect data that is collected, implement reasonable data retention periods, and ensure the accuracy of data as part of the design of their products and services.
• Choice.  Companies should provide real choices to consumers, unless data is collected for “commonly accepted practices.”  These choices should be clear and presented at the point where data is provided.  A do-not-track option for targeted advertising also is suggested.
• Transparency.  The FTC calls for privacy policies that are short, clear and standard.

Comments are due February 18, and the FTC will issue a final report in the late spring.

2.       The Obama Administration.  The Department of Commerce in December 2010 issued a “green paper” on privacy practices in the commercial sector.  It recommends adoption of a national framework that would be built around a set of “fair information practice principles,” many of which would track the FTC’s recommendations.  However, the Commerce approach is more encouraging to industry self-regulation than the FTC.  It suggested that those adhering to self-regulatory guidelines might gain the benefit of a safe harbor.  Comments on its report are due on January 28.

3.       Congress.  Privacy bills were introduced in the last Congress, after much study and debate, but the 111th Congress expired without new legislation.  Whether the 112th Congress will start with a march toward legislation is an open issue.  My colleague Gerry Waldron has a post that provides a great look at the prospects for legislation.  In short, the Senate Commerce Committee may be able to move more quickly than the House Commerce Committee, given the significant changes in membership on the House side.

4.       The Plaintiffs’ Trial Bar.  More than 35 major privacy lawsuits were filed in 2010.  The lawsuits have targeted unexpected sharing of consumer data with third parties.  They also have focused on new tracking technologies that are alleged to circumvent user control, such as “Flash cookies,” “history sniffing,” “cookie re-spawning” and “deep packet inspection.”  Privacy litigation can be expected to be a significant focus in 2011.

5.       The European Commission.  And if the developments on this side of the Atlantic weren’t enough, consider that the 1995 EU Data Protection Directive will be reconsidered in 2011.  The safe harbor -- the EU regulation that permits data to pass from countries that have privacy laws on par with Europe and those, like the U.S., that don’t -- also is being reconsidered on its 10-year anniversary.  Some 2,500 companies and organizations now are certified under the safe harbor, which raises the stakes for American industry.

Earlier this week, Gerry Waldron discussed the 2011 outlook for online privacy legislation in the House, examining the impact that major changes to membership of the House Energy & Commerce Committee will have.  We now know that, despite former Telecom Subcommittee chairman Rick Boucher's loss in the November election, his influence may live on in the form of a reworked version of the draft privacy legislation he developed with Rep. Cliff Stearns (R-FL).

Last term, Reps. Boucher and Stearns circulated a draft of comprehensive privacy legislation, which drew strong criticism from industry and consumer groups.  The draft bill would have required websites to inform users how they collect and use personally identifiable information but would have maintained an opt-out standard for collection of consumer data, except where certain types of particularly sensitive information are shared with third parties.  Industry leaders protested that the draft legislation was too restrictive and could hamper the current system of ad-supported free content on the Internet, while privacy advocates argued that the draft bill did not go far enough in protecting consumer privacy.  Rep. Stearns has revealed that he is currently revising the draft bill to address those concerns and plans to offer a new version soon. 

Yesterday, the U.S. Supreme Court refused to reconsider Shlahtichman v. 1-800 Contacts Inc., in which the U.S. Court of Appeals for the Seventh Circuit held that an email confirmation of an online purchase is not “electronically printed” for purposes of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  Among other restrictions, FACTA prohibits merchants who accept credit cards as payment from printing the expiration date on any receipt provided to the purchaser at the point of sale or transaction. This prohibition applies only to receipts that are “electronically printed.” 

The plaintiff, Eduard Shlahtichman, sued 1-800 Contacts, alleging that the company’s email confirmation violated FACTA because it listed his credit card's expiration date.  After considering the issue, the district court dismissed the case, strongly suggesting that FACTA does not apply to e-commerce because emailed receipts are not "electronically printed."  On appeal, the Seventh Circuit agreed with the district court, finding that the ordinary meaning of the term “electronically printed” reaches only those receipts that are printed on paper, and that the use of the term "electronic" did not broaden the scope of the statute beyond paper receipts.

Shlahtichman is one in a series of cases in which courts are struggling to determine the extent to which laws enacted before e-commerce was as widespread as it is today should apply in today's information economy.

The key House committee with jurisdiction over privacy legislation is changing from top to bottom, undergoing as big a change as any committee in Congress, and is experiencing the largest turnover of Members and leadership in more than two decades.  These changes will have a profound impact on not just who is driving the privacy agenda but also how quickly the committee can act. 

The House Energy & Commerce Committee has jurisdiction over privacy legislation and the Federal Trade Commission and Federal Communications Commission, and in the past has tried to tackle privacy and consumer-protection legislation in a bipartisan fashion.  In the last Congress, the drivers of the debate on privacy legislation were the Subcommittee leaders:  Congressmen Rick Boucher (D-VA) and Cliff Stearns (R-FL), along with Congressman Bobby Rush (D-IL) and full Committee Chair Henry Waxman (D-CA) and Ranking Member Joe Barton (R-TX), one of the founders of the Privacy Caucus.  But in this Congress, the players are almost completely different.  For starters, Rep. Boucher is out of Congress, Barton is out of a leadership role, Waxman is out as Chair, Upton is in, and Rep. Stearns is now chairing an Oversight Subcommittee.  Taking Boucher’s place is Rep. Greg Walden (R-OR), who has not been particularly involved on privacy issues and is more likely to defer to Rep. Mary Bono Mack (R-CA), who is the new chair of the Consumer Protection Subcommittee.  What that means is that the Members who led the long discussions with industry last year on drafting a privacy bill will no longer be in the room as the Consumer Protection Subcommittee considers privacy legislation.

Continue Reading

In July of last year, the U.S. Department of Health & Human Services Office for Civil Rights issued a proposed regulation implementing changes to HIPAA resulting from the HITECH Act.  As we previously reported, the proposed regulation significantly expands the scope of the privacy, security, and enforcement provisions of HHS's existing HIPAA rules.

Last month, in the Executive Branch's Unified Reglatory Plan, the Department indicated that the final regulation will be published in March.  According to media reports, HHS officials plan to simltaneously issue a final breach notification rule, final HIPAA enforcement rule, and a final rule implementing HIPAA changes resulting from the Genetic Information Nondiscrimination Act.

The next public step in the process is for the Office of Management and Budget, which is a part of the Executive Office of the President, to review the proposed regulation.  Once the rule rule reaches OMB, it is likely to be issued within 120 days.

Earlier this week, Comcast -- the largest cable operator in the U.S. -- stated in a filing to the Federal Communications Commission that it would commit to limit interactive advertising in children's programming as a condition of obtaining approval of its acquisition of NBC Universal.  Specifically, as long as they have control over the program's advertising, Comcast and NBCU will not insert interactive advertising into broadcast and cable programming that targets an audience of children 12 years old and younger.  Comcast defined "interactive advertising" to mean:

advertising for commercial products that is primarily targeted to children 12 and under and includes: interactive, overlap pop-up advertising; telescoping; long-form advertising (but does not include enabling the consumer to 'telescope' to additional linear or on demand programs); voting or polling requests that promote a product or service or gain information about consumer commercial preferences; T-Commerce that enables a consumer to purchase advertised products using a remote; and branded, interactive gaming which promotes a product.

In 2004, the FCC released a Notice of Proposed Rulemaking on interactive advertising, but the Commission hasn't taken any further action to adopt any new rules in this area.  In its Notice, the FCC tentatively concluded that it should prohibit interactivity during children's programming that connects viewers to commercial matter unless parents opt in to such services.  As noted by FCC staff during a recent ABA program on marketing to minors, however, industry and even some consumer groups have urged that requiring opt-in consent for interactive advertising in children's programming might not be the right approach.   As technology improves and interactive advertising becomes more widely used, marketers should pay attention to this ongoing proceeding.    

A recent decision from the Eleventh Circuit highlights an ongoing issue under the Computer Fraud and Abuse Act (“CFAA”): the significance of policy-based restrictions when determining whether a person accessed a protected computer “without authorization” or “exceeded authorized access.”

In United States v. Rodriguez [PDF], the Eleventh Circuit upheld the criminal conviction of a Social Security Administration (“SSA”) employee, who, as part of his job duties, had access to SSA databases containing sensitive information about individuals.  According to the Eleventh Circuit, Rodriguez exceeded his authorized access when he looked up personal acquaintances in the databases, in violation of agency policies that prohibited employees from obtaining database information without a business reason.

Continue Reading

On December 29, President Obama signed the “Restore Online Shoppers’ Confidence Act” into law.  The legislation prohibits e-commerce retailers from passing customers’ billing information to post-transaction third-party sellers, and also requires post-transaction sellers to meet certain requirements before charging consumers’ financial accounts.  Specifically, the post-transaction seller must (1) disclose all material terms of the transaction, including the fact that the post-transaction seller is not affiliated with the initial retailer; and (2) obtain billing information and affirmative consent for the transaction directly from the customer. 

The Act arose out of an investigation by the Senate Committee on Commerce, Science, and Transportation into the sales practices of Affinion, Vertrue, and Webloyalty.  These post-transaction sellers offered membership club enrollment to consumers who were completing transactions at popular online retail sites, although consumers often did not understand that they were entering into a separate relationship with the membership club or that they would be charged periodic fees. 

Continue Reading

Last week, the FTC filed a complaint against an Internet-based enterprise that allegedly caused hundreds of thousands of consumers to pay millions of dollars in unauthorized credit card charges.  According to the complaint, the defendants’ websites advertise the availability of government grants to pay personal expenses and offer “free” information at no risk.  The websites ask consumers to provide credit or debit card numbers to pay a small shipping and handling fee, but consumers are charged large one-time fees of up to $129.95 and monthly recurring fees of up to $59.95 for the grant services. 

The FTC also has accused the defendants of posting deceptive positive reviews and testimonials.  The FTC has asked for the court to order refunds for affected consumers and for disgorgement of all ill-gotten payments, among other relief.

In an interview with ClickZ, the FTC's incoming chief technologist, Edward Felten, provides insight into the scope of the Commission's proposed "Do Not Track" mechanism and how compliance could be enforced.  Felten makes three key points:  

• The proposed mechanism applies only to third-party tracking for behavioral advertising.  It would not apply to a publisher's use of a service provider for website analytics -- that is, unless the analytics provider makes further use of the data it collects.
• It makes sense to first offer a Do Not Track mechanism in the traditional web context while continuing to examine its feasibility for other technology platforms (including mobile and gaming devices).
• The FTC's enforcement role will depend on whether Do Not Track is created by self-regulation or legislation.  If the former, the FTC's role may simply be to prevent companies from misrepresenting their compliance with the system.  But if Do Not Track becomes law, the FTC may be in the position of investigating improper tracking.

The Do Not Track mechanism is part of the FTC's recently-proposed framework for privacy protection. You can read our summary of the framework here.  The Commission has invited comments on its proposal, which are due by January 31, 2011.   

Just days after the Wall Street Journal reported that a number of popular mobile phone applications have been transmitting information about users to third parties without consent, the Mobile Marketing Association has announced a plan to create privacy guidelines for mobile advertising.  The Journal's article had quoted an MMA official as saying that "[i]n the world of mobile, there is no anonymity."  

The MMA's announcement comes amid increasing scrutiny of the data practices of entities in the mobile advertising ecosystem. Earlier this year, a well-publicized study by researchers at Penn State, Duke, and Intel Labs found, among other things, that certain Android applications transmitted user location information to advertisers without first notifying the user of the transmission or obtaining consent.  In addition, two lawsuits have been filed against Ringleader Digital, a mobile ad network, for allegedly using HTML5 software to track users without their knowledge or consent.  The Journal's coverage of the privacy issues relating to applications will likely lead to more suits, just as many of its recent articles have spurred litigation.       

Last week, the Ninth Circuit issued two opinions in connection with the theft of an unencrypted laptop that contained personal information about Starbucks employees.  First, the court held in a published opinion that Starbucks employees whose names, addresses and Social Security numbers were on the stolen computer could show that they had suffered enough injury to sustain their claim for purposes of getting into federal court.  Specifically, the court found that the increased risk of identity theft satisfies the requirement that plaintiffs show an injury so long as there is a “credible threat of harm” that is “both real and immediate, not conjectural or hypothetical.”  The court also found that “generalized anxiety and stress” are other kinds of harm that could satisfy the requirement.

Although the Starbucks employees satisfied the injury requirement, a second, unpublished Ninth Circuit opinion issued the same day indicated that they had not shown damages -- a key issue in privacy litigation.  “The mere danger of future harm, unaccompanied by present damage, will not support a negligence action,” held the court. (We have elsewhere reported on the challenges that individuals affected by security breaches face in establishing damages.)  The Ninth Circuit also found that the Starbucks employees failed to show the existence of an implied contract under Washington law.

On Tuesday, the Sixth Circuit Court of Appeals ruled in U.S. v. Warshak [PDF] that the government may not compel a commercial Internet service provider to turn over the contents of a subscriber's e-mails without first obtaining a warrant based on probable cause.  The court recognized fundamental similarities between e-mail and more traditional forms of communication, such as letters and telephone calls, stating that "it would defy common sense to afford e-mails lesser Fourth Amendment protection."  As a result, the court held the Stored Communications Act unconstitutional, to the extent that the statute purports to permit the government to obtain e-mails warrantlessly from a commercial ISP.

If this decision is upheld by the U.S. Supreme Court, or even spurs Congress to update the nearly 25-year-old Stored Communications Act to reflect the changes in technology that have taken place since its passage, it may provide more clarity around the protections for data stored on server-based email systems and other cloud computing services, which could receive less protection than the same data stored locally.  The shift is consistent with an overall trend to update privacy laws to reflect new technology, a goal urged most recently by the FTC, as well as by the Department of Commerce in the privacy report that it issued today.

New York has amended its Do Not Call law to cover automated telephone calls that deliver pre-recorded messages--so-called "robocalls."  The New York law generally prohibits businesses from making "telemarketing sales calls" to consumers who have registered their telephone numbers on the national Do Not Call Registry, which is administered by the FTC and FCC. 

The heart of the amendments, which took effect on December 11, is the redefinition of "telemarketing sales call."  While the previous version of the law defined that term to mean only "a call made by a telemarketer to a customer," the revised definition also covers calls made using "any outbound telephone calling technology that delivers a prerecorded message either to a customer or to their voicemail or answering machine service."  The amendments also set limits on when a telemarketer may place calls (only between 8 a.m. and 9 p.m.) and require that telemarketers disclose at the outset of any call: (1) the telemarketer's name and the person on whose behalf the call is being made; (2) the purpose of the call; and (3) the goods or services the telemarketer is selling. 

New York's changes come as the FTC and FCC re-examine their telemarketing rules (a development Dan Kahn discussed in his December 13 post) and exemplify regulators' renewed concerns about protecting consumers from unsolicited calls in the evolving telecommunications environment.  While New York's amended Do Not Call law does well to recognize the increasing prevalence of automated calls, it is unclear whether the law will actually address consumer complaints, which have tended to arise from receiving large numbers of automated political calls before elections.  Such calls, along with calls from charities and from businesses with which a consumer has an existing relationship, are exempt from federal and state regulation. 

Just two days after the Director of the FTC's Bureau of Consumer Protection announced that the agency would not tolerate an "arms race" aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring--which provide web analytics and certain functionality to consumer-facing websites--were named in several class action complaints this summer.  The suits alleged that the companies used "Flash cookies" (i.e., local shared objects stored in the memory of Adobe's Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional "HTTP" cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or "respawn" browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to "circumvent" users' privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.

Continue Reading

On the eve of the reported settlement of the Flash cookie litigation by Quantcast and Clearspring, Covington alum Kashmir Hill reports at Forbes about an online practice that could be the next "Flash cookie" among privacy advocates:  web history sniffing.

According to the Complaint (PDF) filed last week in federal court in California, a Netherlands company called Midstream Media illicitly collected information about users' web histories on its network of "YouPorn" websites.  The litigation claims that Midstream used a JavaScript security flaw to determine whether particular pages had been visited by particular browser, apparently to track which users had also visited its competitors' sites.

Like other online privacy litigation litigation that we've seen this year, the Midstream plaintiffs' case relies on state consumer protection statutes and the Computer Fraud and Abuse Act, or CFAA -- which existed long before both history sniffing and video streaming.  Even with the creative license that comes from extending these laws to the Internet, it's not at all clear that the plaintiffs will be able to succeed.

Continue Reading

Individual plaintiffs have not had much success bringing private actions against businesses affected by security breaches.  In particular, a number of courts have held that the abstract risk of identity theft is not a cognizable injury.  And most recently, the Maine Supreme Judicial Court has determined that even those individuals actually victimized by identity theft may have difficulty establishing injury if they are reimbursed in full by their financial institutions. 

The Maine court found that time and effort that victims of identity theft spend identifying and correcting fraudulent credit card activity is not sufficient to show a cognizable injury for purposes of a negligence or breach of an implied contract claim.  The court found these are uncompensable as the “typical annoyances or inconveniences that are a part of everyday life.” 

The court was responding to a question certified by the U.S. District Court for the District of Maine in connection with more than two dozen class complaints filed against Maine-based grocery chain Hannaford Bros. Co.  The claims against Hannaford were filed after its May 2008 announcement that a hacker had compromised its electronic payment processing system and stolen up to 4.2 million customer debit and credit card numbers, expiration dates, security codes, PINs, and other customer information.

Courts have started to address the tricky -- but important -- question of whether IP addresses are personal information in which users have a right to privacy -- statutory or otherwise. 

Most recently, the U.S. District Court for the District of Columbia found that “Internet subscribers do not have an expectation of privacy in their subscriber information as they already have conveyed such information to their Internet Service Providers.”  (MediaPost provided good coverage of the decisions.) The district court declined to quash a subpoena that had been issued to an ISP seeking subscriber information. 

But just two days earlier, Switzerland’s highest court had held that IP addresses are personal data protected by under Switzerland’s data privacy laws.  It found that the privacy rights of ISP subscribers outweigh the intellectual property interests of copyright holders.  The New Jersey Supreme Court has also held that subscribers have a privacy interest in their IP addresses.  Invoking the New Jersey Constitution’s protections against unreasonable search and seizure, the court required a lawful subpoena to access subscriber information provided to an individual’s Internet service provider.  The court noted that its decision was dependent on existing technology and practices.