FTC Reminds Mobile App Developers To Comply With Revised Children's Privacy Requirements By July 1

The Federal Trade Commission has sent letters to more than 90 different companies who develop mobile apps that the FTC claims may be directed to children.  The letters emphasize that the FTC has not evaluated the apps or the companies’ practices to determine if they comply with the current or revised COPPA Rule.  Instead, the letters remind these companies that if their apps collect, use, or disclose children's images and voices, mobile device identifiers, and other types of "personal information," they must bring their apps into compliance with the revised COPPA Rule by July 1, 2013.  

The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US.  The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice.  The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to:  (1) US companies with apps that collect persistent identifiers; (2) US companies with apps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

Delta succeeds in dismissing California AG's first CalOPPA case

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.


FTC Votes To Retain July 1 Compliance Date for Revised COPPA Rule

The Federal Trade Commission (FTC) has voted unanimously to retain the July 1, 2013 effective date for its revisions to the rule implementing the Children’s Online Privacy Protection Act (COPPA).  As we previously wrote, the FTC adopted significant revisions to the COPPA rule in December 2012 and established a July 1, 2013 effective date.  In recent weeks, nineteen consumer groups signed a letter opposing any delay in the effective date, while approximately twenty industry associations signed a letter arguing in favor of extending the effective date.  In late April, the FTC published updated Frequently Asked Questions on its website to provide additional guidance for complying with the revised COPPA rule.

Today, the Commission responded to the industry associations’ letter and informed them that it would retain the July 1, 2013 effective date.  The Commission acknowledged that the revised rule “does impose new obligations on child-directed sites and services,” but explained that, “in selecting an effective date of July 1, 2013, the Commission determined that six months would be adequate time for such operators to assess whether third parties collect personal information through their site or service.”    

Although the Commission did not extend the effective date, it did pledge to “exercise prosecutorial discretion in enforcing the Rule, particularly with respect to small business that have attempted to comply with the Rule in good faith in the early months” following July 1.

FTC's Current Enforcement Priorities: Infographic

Speaking at a seminar hosted by the International Association of Privacy Professionals, Assistant Director Chris Olsen and Senior Attorney Peder Magee, both of the Federal Trade Commission's Division of Privacy and Identity Protection, provided a useful overview of the FTC's recent enforcement actions and current enforcement priorities.  Based on this discussion, the following infographic identifies the FTC's top four enforcement priorities, and recent and future activity that will inform its path forward:  

[Infographic: the FTC's top four enforcement priorities]

FTC Releases Revised COPPA FAQs: Here's What's New

The Federal Trade Commission has released its much anticipated revised COPPA FAQs.  Although these FAQs are not legally binding, they provide informal guidance to industry on staff's interpretations of the COPPA Rule. 

For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose.  However, here are 5 key things that the revised COPPA FAQs clarify:

  1. Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule.  Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013:  (1) photos, videos, and audio files containing a child's image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013).  (FAQ 4)
  2. Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information. 
  3. Third-party services that are integrated on child-directed sites will be deemed to have "actual knowledge" if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties.  However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge.  (FAQ 39)  This guidance builds on a blog post published by the FTC's Chief Technologist, Steve Bellovin.
  4. An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child's facial features or prescreens and deletes photos of children before posting them online.  (FAQs 43-45)  (But don't forget to scrub for metadata as well -- photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
  5. A third party who is integrated on a child-directed site may rely on the "support for internal operations" exception to support the third party's own internal operations.  There actually was text in the final COPPA Rule's Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear.  (FAQ 77)

In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:


FTC Announces Workshop On The "Internet of Things"; European Commission Publishes Report

Yesterday, the Federal Trade Commission announced that it would hold a public workshop on November 21, 2013 on “the growing connectivity of consumer devices, such as cars, appliances, and medical devices”―also known as, “the Internet of Things.”  The FTC will accept public comments (due June 1, 2013) in advance of the workshop.

In describing the Internet of Things, the FTC noted that consumers can already use mobile phones to adjust thermostats and open car doors and that these types of services and technologies are rapidly developing.  While the FTC recognized that these functionalities may have benefits for consumers, the FTC is seeking input on the “unique privacy and security concerns associated with smart technology and its data.”  For example, in a blog entry on the workshop, the FTC’s Business Center Blog asks, “What if when we drive near a grocery store, our refrigerator lets us know we’re low on milk?  Would that be convenient?  Disconcerting?  Or maybe a little bit of both?” 

Among the questions on which the FTC is seeking specific input are the following:


Student Privacy and the Cloud: Five Principles for Schools

Advances in technology present opportunities to improve student learning, allow teachers and students to work more efficiently, and reduce operational costs for educational institutions.  Many schools are taking advantage of these benefits by implementing online course systems and cloud computing services that allow students and teachers to access their programs, e-mails, and documents online from anywhere and almost any device.

As a New York Times article published earlier this week also highlighted, the embrace of educational cloud services also raises interesting and important questions about the privacy and security of student data.  After all, these services by definition involve the movement of student and teacher communications, documents, or other data that used to be stored on-site and managed by school employees to the cloud.  Cloud computing services are operated by third-party vendors, and these vendors have a range of business models and practices with respect to the collection, use and disclosure of data. 

As they work to safeguard student data without inhibiting the benefits of educational technologies, we find that educational institutions increasingly are focusing on regulatory requirements and contractual protections for student data -- and in particular five principles that we describe after the jump.


FTC Releases New Guidance For Online Advertising Disclosures

On March 12, 2013, the Federal Trade Commission (FTC) released new guidance for online advertisers, providing specific tips and examples of how to make disclosures clear and conspicuous, and, therefore, not deceptive in the context of emerging technologies, space-constrained screens, and social media platforms.

The guidelines—titled “.com Disclosures:  How to Make Effective Disclosures in Digital Advertising”—update prior guidance known as “Dot Com Disclosures,” which was released in 2000.  The updated guidelines emphasize that consumer protection laws apply to commercial activities across all mediums, including on computers, mobile devices, and tablets.

 


FTC Issues Report on Mobile Payments

Last Friday, the Federal Trade Commission released a report, Paper, Plastic…or Mobile?, on the use of mobile payments.  The report follows a workshop hosted by the FTC in April 2012 that explored innovative mobile payment products and services, the potential benefits offered by mobile payments, and the concerns they raise.  For purposes of the report, mobile payments generally include four types of payment processes:  (1) near field communication (NFC) technologies, (2) mobile applications, (3) online checkout wallets, and (4) mobile carrier billing (charging of payments directly to a mobile phone bill).

The report focuses on the primary areas where the increasing use of mobile payments raises concerns, including dispute resolution, data security, and privacy.  The report also highlights special concerns regarding mobile carrier billing and international mobile payments.


Ramirez To Head Federal Trade Commission

News outlets are reporting that the White House will appoint FTC Commissioner Edith Ramirez to lead the Commission.  She would replace current FTC Chairman Jon Leibowitz, who announced his resignation in January.  Ramirez’s appointment to chair the Commission would leave it evenly split between Democrats and Republicans, with one empty seat until another person is nominated to fill her vacated seat.

Commissioner Ramirez has voted with Chairman Leibowitz on important privacy decisions, including adoption of the March 2012 FTC privacy report and a number of high profile consent decrees and settlements, such as those with Google, Twitter, and advertising network Chitika, Inc., among others.   A few highlights from Commissioner Ramirez’s activity on privacy issues are as follows:

  • Commissioner Ramirez has said that the Commission’s recent reforms to the Children’s Online Privacy Protection Act rules were “measured and balanced.”   She commented that the expansion of the COPPA rules to cover mobile apps was “critical if COPPA is to remain relevant as the world goes mobile.”
  • In 2011, Commissioner Ramirez testified before the House Commerce Subcommittee on Commerce, Manufacturing and Trade that Representative Mary Bono Mack’s (R-CA) data breach notification legislation did not go far enough since it lacked a specific deadline for companies to evaluate whether consumer notification is required and provide that notice to consumers.
  • Commissioner Ramirez was personally involved in developing the APEC Cross-Border Privacy Rules System, which sets out a voluntary enforcement scheme to promote cross-border privacy.  She applauded the development as holding promise “to bridge the gaps between different legal systems and privacy regimes.”  As recently as November 2012, she has spoken about the importance of cross-border coordination and privacy.  She said:  “Despite the differences in privacy and legal regimes across the vast Asia-Pacific region, APEC members have developed a system that reflects a consensus on what constitutes sound cross-border data protection. This approach – of agreeing on common rules to which companies can pledge their adherence that are then enforceable across jurisdictions – has immense potential.”

President Obama first nominated Ramirez to serve as a Commissioner to the FTC in November 2009, and she has served in that role since 2010.  

FTC Annual Report Reveals Identity Theft -- Not Privacy -- Is Top Consumer Complaint

Yesterday the FTC released its annual report of consumer complaints, highlighting identity theft as the leading category of complaints, with 18% of the total.  The 2012 report analyzes complaints received by the FTC, certain other federal agencies, state law enforcement agencies, and non-governmental organizations such as the Better Business Bureau.  After identity theft, consumers filed the most complaints about debt collection (10%); banks and lenders (6%); shop-at-home and catalog sales (6%); prizes, sweepstakes and lotteries (5%); impostor scams (4%); Internet services (4%); auto-related complaints (4%); telephone and mobile services (4%); and credit cards (3%).

Despite the close attention of regulators and the press to the privacy policies of Internet sites and services, including mobile applications, the number of consumer complaints concerning these entities remains relatively low.  Of the total number of complaints, Internet information services received 1.79%, social networking services received 0.25%, Internet gaming received 0.12%, and mobile applications and other mobile downloads received just 0.02%.  Consumers appear to be far more troubled with identity theft and fraud-related issues, which, combined, accounted for 70% of consumer complaints in 2012.

HTC America Settles FTC Charges It Failed to Secure Mobile Devices

Mobile device manufacturer HTC America has settled Federal Trade Commission (“FTC”) charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.  The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in the HTC devices.  The settlement also requires the company to establish a comprehensive security program designed to address security risks relating to the development of HTC devices and to undergo an independent security assessment every other year for the next 20 years.

HTC America develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems.  The FTC charged that the company failed to employ reasonable and appropriate security practices in both the design and customization of the software on its mobile devices. Among other things, the complaint alleged that HTC America failed to: provide its engineering staff with adequate security training; review or test the software on its mobile devices for potential security vulnerabilities; follow well-known and commonly accepted secure coding practices; and establish a process for receiving and addressing vulnerability reports from third parties.

Because of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications—Carrier IQ and HTC Loggers—as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model.  Due to these vulnerabilities, the FTC charged that millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device without the user’s knowledge or consent.

FTC Announces Forum on Threats to Mobile Devices

The FTC today announced that it will host a one-day public forum on June 4, 2012, to address threats to mobile devices.  The forum will involve a discussion of malware, viruses, and similar threats facing users of smartphones and other mobile technologies.  The purpose of the forum will be to inform the FTC about the current mobile security environment and the challenges it faces.  Interested parties can submit proposals for topics and panelists by March 28, 2013.  Interested parties also can submit written comments in advance of the forum.

FTC Study Details Inaccuracies in Credit Reports

This week, the Federal Trade Commission released a study of the U.S. credit reporting industry and credit report accuracy.  The study found that five percent of consumers had errors on one of their three nationwide credit reports that could lead them to pay more for financial products.  The study is required under section 319 of the Fair and Accurate Credit Transactions Act of 2003.

The study evaluated 1,001 consumers and 2,968 credit reports.  Of these totals, the study found that as many as 206 consumers identified material errors in their credit reports.  The most common errors identified were errors in tradeline data (consumer accounts) and collections information.  Another common error was inaccuracies in the header information such as current and previous address, age, and employment.

The FTC study is the first major study to take into consideration all of the primary groups that play a role in the credit reporting industry:  consumers; furnishers of information to consumer reporting agencies, including creditors, debt collection agencies, and courts; the Fair Isaac Corporation; and the national consumer reporting agencies.  The FTC will issue a final report on credit report accuracy in 2014.

Leibowitz to Step Down From FTC

Following a four-year term as Chairman of the Federal Trade Commission (FTC), Jon Leibowitz will step down from his role on February 15, 2013.  In a statement released by the agency, Leibowitz stated that “I have been honored to head this extraordinary, bipartisan Commission and to work alongside the best staff in federal government,” and “[o]ur small but mighty agency has safeguarded the privacy of Americans and stopped predatory financial practices by companies taking advantage of cash-strapped consumers.”

During his nearly decade-long tenure as a Commissioner and then as Chairman at the FTC, Leibowitz presided over a time in which the agency has grown to play an increasingly central role in U.S. privacy regulation.  For instance, during his tenure as Chairman the agency entered into numerous long-term consent decrees with prominent online companies, issued a substantial revision of its rules governing children’s privacy, and oversaw the release of a key agency report on consumer privacy.

FTC Settles Deception, COPPA Charges Against Social Networking App Path

Path, a social networking mobile app, has agreed to enter into a settlement with the Federal Trade Commission (“FTC”) regarding charges that the company deceived consumers by collecting contact information from users’ mobile address books without notice and consent.  The agreement also resolves charges that the company violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from children under  13 years old without parental notice and consent.  Path did not admit any liability by entering into the consent decree, which is for settlement purposes only.

The FTC alleged that the Path application included an “Add Friends” feature that allowed users to make new connections within the app.  Users were given three options when using the “Add Friends” functionality:  “Find friends from your contacts,” “Find Friends from Facebook,” or “Invite friends to join Path by email or SMS.”  Regardless of which option was chosen, Path automatically collected and stored contact information from the address book on the user’s mobile phone.  The FTC argued that this practice was contrary to representations made in the company’s privacy policy that only certain technical information, such as IP address, browser type, and site activity information, was automatically collected from the user.  Under the settlement, Path agreed to implement a comprehensive privacy program and obtain biennial, independent privacy assessments for the next twenty years. 


FTC Releases Mobile App Privacy Guidelines

As state and federal regulators increasingly focus on mobile apps, the Federal Trade Commission today released detailed recommendations for mobile privacy.

In a 29-page staff report, the FTC suggests how mobile app platforms and developers should notify consumers of their privacy practices.  Although the guidelines are not binding law, they offer best practices that could help app developers and platforms provide clear privacy notices, which are increasingly important as regulators concentrate on mobile privacy.  In December, California Attorney General Kamala Harris sued Delta Airlines for failing to provide a privacy notice on its mobile app, and she has indicated that more lawsuits are likely.


FTC and Senate Commerce Committee Staffers Suggest Cautious Approach to "Big Data"

Yesterday, industry and government panelists participated in a conference sponsored by the Congressional Internet Caucus Advisory Committee that included a panel discussion on “Plumbing the Policy Implications of Data Analytics and Defining ‘Big Data,’ The Year’s Most Overused Term.”

According to press reports, Federal Trade Commission Senior Policy Adviser and panelist Paul Ohm acknowledged that big data may have potential benefits to public health and research, but also noted that the benefits of big data “tend to get overblown.”  Mr. Ohm stated that, “when there is an expense to privacy, I think we should have discussions about whether the benefits [of big data] outweigh the costs.” 

Erik Jones, Deputy General Counsel of the Senate Commerce Committee, told participants that the Committee is investigating the collection of big data for use by companies to market to consumers.  He pointed specifically to last year’s inquiry by Commerce Committee Chairman, John D. Rockefeller IV (D-WV) into the activities of nine data brokers.  According to press reports, Mr. Jones stated that the Committee is “not suggesting that there’s something inherently wrong” with the use of big data for marketing purposes, but indicated that the Committee wants to learn more about what information is being collected and how that information is used.

Mr. Ohm also expressed concern generally about whether supposedly anonymous data can be linked to real people in a world of “big data.” 


Rep. Johnson Releases Discussion Draft of Mobile App Privacy Bill Following NTIA's 8th Meeting Concerning a Voluntary Code of Conduct

On Friday, Rep. Hank Johnson (D-Ga.) released a discussion draft of a bill for mobile privacy. Named the Application Privacy, Protection and Security Act of 2013 (“APPS Act”), the bill would obligate app developers to disclose to users the terms and conditions around the collection, use, storage, and sharing of user data. Additionally, the bill would require apps to allow users to opt out of the service and delete personal data collected by the app. The Federal Trade Commission would head enforcement and state attorneys general could bring suits against those who violate the regulations promulgated by the FTC.

In drafting the bill, Johnson and his Web-based initiative, AppRights, held meetings with members of the Internet community, public-interest groups, app developers, and other industry stakeholders. AppRights stated: “Over the coming days, we will release helpful clarifications of the updated provisions of the APPS Act so that everyone is on the same page.” It is not yet clear when the bill will be introduced to Congress as possible legislation.


FTC Enters into Consent Order with Mobile Application Developers for Fair Credit Reporting Act Violations

Last week, the Federal Trade Commission entered into a consent order with two companies alleged to have operated as consumer reporting agencies, by providing criminal record reports through mobile applications, without complying with the Fair Credit Reporting Act (FCRA).  The consent order represents the FTC’s first FCRA case involving mobile applications. 

According to the FTC’s complaint, Filiquarian Publishing LLC, Choice Level LLC, and their CEO, Joshua Linsk, designed and marketed mobile applications that enabled users to search criminal records databases.  The companies marketed the applications for employment purposes as a tool to use in screening potential employees.  Indeed, one advertisement for the applications offered “Are you hiring somebody and wanting to quickly find out if they have a record?  Then Texas Criminal Record Search is the perfect application for you.”  The FTC alleged that the companies were operating as consumer reporting agencies in providing the criminal records reports for employment purposes and that the companies failed to comply with the FCRA.  The applications included disclaimers that the applications were not compliant with the FCRA and not to be used for FCRA permissible purposes; however, the FTC viewed these disclaimers as insufficient to insulate the companies from liability since the companies actively marketed the applications for employment purposes. 

The consent order, among other provisions, prohibits the companies from providing consumer reports to individuals if the companies do not have a reason to believe the individuals have a permissible purpose under the FCRA.  The order also prohibits the companies from failing to maintain reasonable procedures to assure maximum possible accuracy with respect to the consumer reports provided by the companies to consumers.  The companies are required to submit periodic reports to the FTC demonstrating compliance with the consent order.
