Online

On July 1, 2015, China’s State Administration for Industry and Commerce published a draft of the Interim Measures on Supervision of Internet Advertising (“Draft Internet Advertising Measures”; original Chinese here) for public comment. If adopted as drafted, the Draft Internet Advertising Measures would (1) require advertisements in email and instant messaging to contain conspicuous options for the user to agree to, refuse, or unsubscribe from advertisements; (2) require websites to allow users to block pop-ups for certain repeat visitors; and (3) require advertisements sent via email or instant message to identify the sender and be marked as an advertisement. Public comments on the Draft are due by July 31, 2015. Once finalized, the Draft is expected to come into effect on September 1, 2015.
Continue Reading Draft Regulations in China Preview Stricter Rules on Internet Advertising

As we reported earlier today, the long-awaited White House draft of privacy and data security legislation has been released. While the United States does not today have a comprehensive privacy and data security law, the proposed Consumer Privacy Bill of Rights would impose a suite of substantive privacy and data security obligations across sectors and industries. Our sense is that it would be uphill battle for this sort of sweeping privacy legislation to gain traction in Congress over the next two years.

We have answered your key questions about this proposed legislation below, including:

Who would the bill apply to?

How is “personal data” defined under the bill?

What are the substantive obligations?

Are there any safe harbors?

How would the bill be enforced?

Does the bill preempt state laws?Continue Reading White House Privacy Bill: A Deeper Dive

The White House’s much anticipated draft privacy legislation has now been released.   We are digesting its content now and will post an update with some additional comments shortly.

The draft appears to include an expansive definition of “personal data.”  In addition, early press reports note that the draft bill would require companies to inform consumers

Last week, the Online Interest-Based Advertising Accountability Program released a compliance warning to clarify that its Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles) apply―not just to traditional HTTP cookies―but to other types of tracking technologies that enable the tracking of consumers across different platforms and devices.  

The compliance warning admonished companies developing and implementing

Last Friday, the FTC announced an agenda for its upcoming workshop, “Big Data: A Tool for Inclusion or Exclusion?” which will take place on Monday, Sept. 15, starting at 8:00 a.m.  As we’ve previously reported, the workshop will build on recent efforts by the FTC and other government agencies to understand how new technologies affect the economy, government, and society, and the implications on individual privacy.  In particular, while there has been much recognition for the value of big data in revolutionizing consumer services and generally enabling “non‐obvious, unexpectedly powerful uses” of information, there has been parallel focus on the extent to which practices and outcomes facilitated by big-data analytics could have discriminatory effects on protected communities.

The workshop will explore the use of big data and its impact on consumers, including low-income and underserved consumers, and will host the following panel discussions:

  • Assessing the Current Environment.  Examine current uses of big data in various contexts and how these uses impact consumers.
  • What’s on the Horizon with Big Data?  Explore potential uses of big data and possible benefits and harms for particular populations of consumers.
  • Surveying the Legal Landscape.  Review anti-discrimination and consumer-protection laws and discuss how they may apply to the use of big data, and whether there may be gaps in the law.
  • Mapping the Path Forward.  Consider best practices for the use of big data to protect consumers.

The FTC hopes that the workshop will build on the dialogue raised in its Spring Privacy Seminar Series held from February through May, which addressed mobile-device tracking, data brokers and predictive scoring, and consumer generated and controlled health data.  The workshop will convene academic experts, business representatives, industry leaders, and consumer advocates, and will be open to the general public. In advance of the workshop, the FTC has invited the public to file comments, reports, and original research on the proposed topics. The deadline to submit pre-workshop comments is August 15. Following the workshop on September 15, the comment period will remain open until October 15.

The workshop comes on the heels of the White House’s anticipated report on big data released in May, which outlined the administration’s priorities in protecting privacy and data security in an era of big data.  With an entire section dedicated to “Big Data and Discrimination,” the report warned that big data “could enable new forms of discrimination and predatory practices.”  Chiefly focusing on the use of information, the report showed concern about using data to discriminate against vulnerable groups.  Specifically, the report stated that “the ability to segment the population and to stratify consumer experiences so seamlessly as to be almost undetectable demands greater review, especially when it comes to the practice of differential pricing and other potentially discriminatory practices.” 
Continue Reading The FTC’s Agenda to Tackle Big Data and Discrimination

By Dan Cooper, Mark Young and Kristof van Quathem

On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The decision has wide-ranging consequences regarding the application of EU data protection laws and the rights individuals are afforded under those laws.

In brief, the Court was asked to answer several questions about Google’s responsibility under EU data protection laws in relation to its online search engine.  The Court interpreted the applicable law rules under the EU Data Protection Directive 95/46/EC (the “Directive”) very broadly, holding that Google Inc. is directly subject to Spanish data protection law.  The Court also decided that Google is obliged, in certain circumstances – e.g., where information about an individual is inaccurate – to delete web search results that link to web pages containing information relating to that person.  Further, where an individual requests it, Google must delete search results that link to information about an individual where the information – even truthful information – is prejudicial to the individual or that he or she wishes to be “forgotten” due to the passage of time.  The Court appears to accept that providing access to such information for longer periods of time may be appropriate for high-profile individuals, such as celebrities.

The Court’s landmark decision has dominated headlines and is bound to spark a deluge of analysis and criticism, particularly in relation to issues concerning access to information and censorship.  For many international companies that process personal data and have affiliates in Europe, the most significant element of the judgement may prove to be the Court’s finding on applicable law rules, which undoubtedly presents a compliance challenge.Continue Reading Google, the CJEU, and the Long Arm of European Data Protection Law

Last Thursday, the United States Court of Appeals for the Ninth Circuit affirmed dismissal of claims for violations of the Electronic Communications Privacy Act (“ECPA”), holding that the plaintiffs had failed to allege Facebook and Zynga disclosed the “contents” of a communication, a necessary element under the Act.

The court’s ruling applies to the consolidated cases In re Zynga Privacy Litig. and In re Facebook Privacy Litig., in which plaintiffs alleged that the social network and popular gaming company disclosed personally identifiable information to third parties.  Continue Reading Ninth Circuit Holds Facebook IDs and URLS Not “Content” under ECPA

FDA has previously included claims made on Facebook or other social media platforms along with broader allegations of misbranding using a variety of sources in its enforcement letters . . . [b]y contrast, the present untitled letter focuses solely on a single statement on a Facebook page, and does not take issue with any statements outside the Facebook page.
Continue Reading FDA Issues Untitled Letter Focused On Promotional Claims On Facebook

California’s recent amendments to the California Online Privacy Protection Act require certain online services to make additional disclosures about how they respond to browser-based Do Not Track signals―new obligations that went into effect on January 1.  Along with Joanne McNabb of the Office of the California Attorney General, Kurt Wimmer and I will be discussing

Yesterday, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing entitled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”   Committee members expressed interest in bringing about greater transparency to what information is collected by data brokers and how it is used at the hearing, which consisted of a single panel of witnesses from the FTC’s Bureau of Consumer Protection, the World Privacy Forum, Experian, and the Direct Marketing Association.

In advance of the hearing, Chairman John D. Rockefeller IV (D-WV) released a majority staff report summarizing the Commerce Committee’s investigation into how data brokers collect, compile, and sell consumer information.  The staff report notes that data brokers serve a beneficial function in enabling companies to provide customers with products and services specific to their interests and needs, but that certain data brokers “operate with minimal transparency” and that consumer profiling can raise “unintended privacy issues.”  For this proposition, the staff report cited media reports that a major retailer had developed a pregnancy prediction model to enable the company to target marketing towards expectant mothers. 

According to the Committee’s staff report, a perceived lack of transparency may present further concerns when data broker information “end[s] up in the hands of predatory businesses seeking to identify vulnerable consumers, or when marketers use consumers’ data to engage in differential pricing.”

Senate Commerce Committee members generally echoed these concerns at yesterday’s hearing.  For example:Continue Reading Senate Panel Examines Data Broker Industry; Releases Staff Report