Online

As part of its broader effort to develop a “Do Not Track” (DNT) web browser privacy standard, the World Wide Web Consortium (“W3C”), an international organization that develops Internet standards, recently released a draft of one technical component of the standard to gather implementation experience from the developer community.
Continue Reading Web Standards Group Releases Candidate Recommendation As Part of Broader “Do Not Track” Review

On July 1, 2015, China’s State Administration for Industry and Commerce published a draft of the Interim Measures on Supervision of Internet Advertising (“Draft Internet Advertising Measures”; original Chinese here) for public comment. If adopted as drafted, the Draft Internet Advertising Measures would (1) require advertisements in email and instant messaging to contain conspicuous options for the user to agree to, refuse, or unsubscribe from advertisements; (2) require websites to allow users to block pop-ups for certain repeat visitors; and (3) require advertisements sent via email or instant message to identify the sender and be marked as an advertisement. Public comments on the Draft are due by July 31, 2015. Once finalized, the Draft is expected to come into effect on September 1, 2015.
Continue Reading Draft Regulations in China Preview Stricter Rules on Internet Advertising

As we reported earlier today, the long-awaited White House draft of privacy and data security legislation has been released. While the United States does not today have a comprehensive privacy and data security law, the proposed Consumer Privacy Bill of Rights would impose a suite of substantive privacy and data security obligations across sectors and industries. Our sense is that it would be uphill battle for this sort of sweeping privacy legislation to gain traction in Congress over the next two years.

We have answered your key questions about this proposed legislation below, including:

Who would the bill apply to?

How is “personal data” defined under the bill?

What are the substantive obligations?

Are there any safe harbors?

How would the bill be enforced?

Does the bill preempt state laws?Continue Reading White House Privacy Bill: A Deeper Dive

The White House’s much anticipated draft privacy legislation has now been released.   We are digesting its content now and will post an update with some additional comments shortly.

The draft appears to include an expansive definition of “personal data.”  In addition, early press reports note that the draft bill would
Continue Reading White House Privacy Bill Is Released

Last week, the Online Interest-Based Advertising Accountability Program released a compliance warning to clarify that its Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles) apply―not just to traditional HTTP cookies―but to other types of tracking technologies that enable the tracking of consumers across different platforms and devices.  

The compliance warning
Continue Reading Compliance Warning States OBA Principles Apply to Cross-Device and Cross-Platform Tracking

Last Friday, the FTC announced an agenda for its upcoming workshop, “Big Data: A Tool for Inclusion or Exclusion?” which will take place on Monday, Sept. 15, starting at 8:00 a.m.  As we’ve previously reported, the workshop will build on recent efforts by the FTC and other government agencies to understand how new technologies affect the economy, government, and society, and the implications on individual privacy.  In particular, while there has been much recognition for the value of big data in revolutionizing consumer services and generally enabling “non‐obvious, unexpectedly powerful uses” of information, there has been parallel focus on the extent to which practices and outcomes facilitated by big-data analytics could have discriminatory effects on protected communities.

The workshop will explore the use of big data and its impact on consumers, including low-income and underserved consumers, and will host the following panel discussions:

  • Assessing the Current Environment.  Examine current uses of big data in various contexts and how these uses impact consumers.
  • What’s on the Horizon with Big Data?  Explore potential uses of big data and possible benefits and harms for particular populations of consumers.
  • Surveying the Legal Landscape.  Review anti-discrimination and consumer-protection laws and discuss how they may apply to the use of big data, and whether there may be gaps in the law.
  • Mapping the Path Forward.  Consider best practices for the use of big data to protect consumers.

The FTC hopes that the workshop will build on the dialogue raised in its Spring Privacy Seminar Series held from February through May, which addressed mobile-device tracking, data brokers and predictive scoring, and consumer generated and controlled health data.  The workshop will convene academic experts, business representatives, industry leaders, and consumer advocates, and will be open to the general public. In advance of the workshop, the FTC has invited the public to file comments, reports, and original research on the proposed topics. The deadline to submit pre-workshop comments is August 15. Following the workshop on September 15, the comment period will remain open until October 15.

The workshop comes on the heels of the White House’s anticipated report on big data released in May, which outlined the administration’s priorities in protecting privacy and data security in an era of big data.  With an entire section dedicated to “Big Data and Discrimination,” the report warned that big data “could enable new forms of discrimination and predatory practices.”  Chiefly focusing on the use of information, the report showed concern about using data to discriminate against vulnerable groups.  Specifically, the report stated that “the ability to segment the population and to stratify consumer experiences so seamlessly as to be almost undetectable demands greater review, especially when it comes to the practice of differential pricing and other potentially discriminatory practices.” 
Continue Reading The FTC’s Agenda to Tackle Big Data and Discrimination

By Dan Cooper, Mark Young and Kristof van Quathem

On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The decision has wide-ranging consequences regarding the application of EU data protection laws and the rights individuals are afforded under those laws.

In brief, the Court was asked to answer several questions about Google’s responsibility under EU data protection laws in relation to its online search engine.  The Court interpreted the applicable law rules under the EU Data Protection Directive 95/46/EC (the “Directive”) very broadly, holding that Google Inc. is directly subject to Spanish data protection law.  The Court also decided that Google is obliged, in certain circumstances – e.g., where information about an individual is inaccurate – to delete web search results that link to web pages containing information relating to that person.  Further, where an individual requests it, Google must delete search results that link to information about an individual where the information – even truthful information – is prejudicial to the individual or that he or she wishes to be “forgotten” due to the passage of time.  The Court appears to accept that providing access to such information for longer periods of time may be appropriate for high-profile individuals, such as celebrities.

The Court’s landmark decision has dominated headlines and is bound to spark a deluge of analysis and criticism, particularly in relation to issues concerning access to information and censorship.  For many international companies that process personal data and have affiliates in Europe, the most significant element of the judgement may prove to be the Court’s finding on applicable law rules, which undoubtedly presents a compliance challenge.Continue Reading Google, the CJEU, and the Long Arm of European Data Protection Law

Last Thursday, the United States Court of Appeals for the Ninth Circuit affirmed dismissal of claims for violations of the Electronic Communications Privacy Act (“ECPA”), holding that the plaintiffs had failed to allege Facebook and Zynga disclosed the “contents” of a communication, a necessary element under the Act.

The court’s ruling applies to the consolidated cases In re Zynga Privacy Litig. and In re Facebook Privacy Litig., in which plaintiffs alleged that the social network and popular gaming company disclosed personally identifiable information to third parties.  Continue Reading Ninth Circuit Holds Facebook IDs and URLS Not “Content” under ECPA

FDA has previously included claims made on Facebook or other social media platforms along with broader allegations of misbranding using a variety of sources in its enforcement letters . . . [b]y contrast, the present untitled letter focuses solely on a single statement on a Facebook page, and does not take issue with any statements outside the Facebook page.
Continue Reading FDA Issues Untitled Letter Focused On Promotional Claims On Facebook

California’s recent amendments to the California Online Privacy Protection Act require certain online services to make additional disclosures about how they respond to browser-based Do Not Track signals―new obligations that went into effect on January 1.  Along with Joanne McNabb of the Office of the California Attorney General, Kurt Wimmer

Continue Reading Industry Grapples With Implementing “Do Not Track” Disclosures; IAB Outlines “Guiding Principles” for a Post-Cookie World