October 2015

By Hannah Lepow

Yesterday California Attorney General Kamala D. Harris released guidance on how smartphone and tablet users can manage GPS and other location tracking functions on their mobile devices.

The brief information sheet, designed for consumers, details how Android and iOS users can control different types of location information on their devices, including

The U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754) today.  In material part, the bill:

  • establishes a voluntary framework for real-time information sharing of “cyber threat indicators” and “defensive measures” between private organizations (defined to also include state and local governments) and the federal government;
  • with respect to information sharing among private

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include:

  • following the Safe Harbor

In another ruling that adopts a narrow reading of the term “personally identifiable information” (“PII”) in the Video Privacy Protection Act (“VPPA), a New York district court held in Robinson v. Disney Online that a plaintiff failed to plead a VPPA claim against Disney based on Disney’s sharing a device ID and viewing information with a third party.

Plaintiff Robinson used a Roku, a video-streaming set-top box, to watch Disney videos on Disney’s Roku channel.  Each Roku device has a “Roku ID,” a unique serial number assigned to the device itself.  Robinson alleged that Disney sent a record of the videos he watched on its channel, along with a hashed version of his Roku ID, to Adobe, a third-party analytics company.  Adobe allegedly had the capability to use aggregated consumer data from various sources to identify users based on their hashed Roku IDs.  Robinson sued Disney under the VPPA.
Continue Reading Device IDs alone are not PII under the VPPA, New York district court rules.

A man who alleges he received an unauthorized prerecorded call on the landline he shared with his roommate has standing to proceed with his lawsuit under the Telephone Consumer Protection Act (“TCPA”), the U.S. Court of Appeals for the Third Circuit ruled.

Mark Leyse’s lawsuit against Bank of America alleges that a telemarketer advertising Bank of America credit cards called a residential landline registered to Genevieve Dutriaux, Leyse’s roommate, using a prerecorded message. Among other things, the TCPA generally prohibits making a non-emergency call “to any residential telephone line using an artificial or prerecorded voice” unless the caller has “the prior express consent of the called party” or the FCC has exempted the type of call at issue. The TCPA further states that “[a] person or entity” may sue based on a violation of that restriction, and may seek $500 in statutory damages for each violation (or $1,500 if the plaintiff proves the violation was willful or knowing).

The parties agreed that the telemarketer intended to call Dutriaux, who was listed as the subscriber to the phone line. Accordingly, Bank of America moved to dismiss Leyse’s lawsuit, arguing that Leyse was not the “called party” and thus had no standing to sue under the TCPA. Courts have disagreed on whether a TCPA plaintiff must be the “called party,” and if so whether the “called party” is the same as the “intended recipient.”
Continue Reading Third Circuit: TCPA Suit By Roommate Who Answered Prerecorded Call Can Proceed

The Federal Trade Commission will hold a workshop on November 16 to address cross-device tracking.  The FTC’s announcement highlights two forms of cross-device tracking: “deterministic” tracking, which requires that a user log in to the same service across multiple devices, and “probabilistic” tracking, which collects data about users to create a digital fingerprint that links

The Article 29 Data Protection Working Party (“Article 29 WP”), an EU advisory body on data protection composed of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, met in plenary on Thursday, October 15, to discuss the first consequences of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems case (see our previous blog post here). In a press release (see here) on October 16, they emphasize that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” They will closely observe the pending procedures before the Irish High Court, which is expected to issue a judgment in November, now that the case has been referred back to it by the CJEU.

The key take-aways from the Article 29 WP’s press release are that:

  • data transfers under the European Commission’s Safe Harbor decision after the CJEU judgment are unlawful;
  • the Article 29 WP will analyze the impact of the CJEU judgment on other transfer tools − during this period standard contractual clauses and Binding Corporate Rules (“BCRs”) can still be used;
  • grace period: DPAs will take action, including coordinated enforcement action, if by the end of January 2016 no appropriate solution with the U.S. authorities is found (depending on the assessment of the other transfer tools); and
  • in the meantime, DPAs can investigate in particular cases and exercise their powers to protect individuals, for instance, in case of a complaint.


Continue Reading Article 29 WP On the Schrems Ruling (Safe Harbor) − Latest Developments and Next Steps

By Megan L. Rodgers

The FTC has announced its agenda and panelists for its conference on data security, which will be held on November 5th, 2015, at the University of Texas, in Austin.

This is the second in a series of conferences aimed at helping small- to medium-sized businesses protect consumers’ information.  The first conference

On October 9, the Eleventh Circuit affirmed in Ellis v. Cartoon Network, Inc. that a person who downloads and uses a free mobile application to view freely available content is not, without more, a “subscriber” under the Video Privacy Protection Act (“VPPA”).

Cartoon Network offers a free mobile app that people can download to watch