Privacy Policies

China’s top internet regulator, the Cyberspace Administration of China (“CAC”), continues to show interest in setting more stringent rules governing the protection of minors in the context of online activities and data privacy. Immediately prior to the October holiday, CAC released for public comment new draft regulations aimed at protecting minors on the Internet, the Regulations on the Protection of Minors in Cyberspace (“Draft Regulations”), which contain significant provisions addressing minors’ data privacy. Note that the scope of this new regulation is broader than the US’s Children’s Online Privacy Protection Act (“COPPA”), which focuses primarily on children’s privacy issues.
Continue Reading China Issues Draft Regulations on Protecting Minors in Cyberspace

Today we published a post on the Covington eHealth blog regarding a recent report by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC).  The ONC report highlights “large gaps” in policies and oversight surrounding access to and security and
Continue Reading ONC Report to Congress Identifies Gaps in Oversight of Privacy and Security of mHealth Technologies and Health Social Media

Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14.

The framework acknowledges that not
Continue Reading Multistakeholder Group Seeks Comment on Draft Framework for IoT Device Manufactures

As we reported earlier today, the long-awaited White House draft of privacy and data security legislation has been released. While the United States does not today have a comprehensive privacy and data security law, the proposed Consumer Privacy Bill of Rights would impose a suite of substantive privacy and data security obligations across sectors and industries. Our sense is that it would be uphill battle for this sort of sweeping privacy legislation to gain traction in Congress over the next two years.

We have answered your key questions about this proposed legislation below, including:

Who would the bill apply to?

How is “personal data” defined under the bill?

What are the substantive obligations?

Are there any safe harbors?

How would the bill be enforced?

Does the bill preempt state laws?Continue Reading White House Privacy Bill: A Deeper Dive

China’s principal internet regulator, the Cyberspace Administration of China (“CAC”), announced this week that China will move forward new legislation to combat the improper collection, use, and sale of personal information. The new legislation, announced during an interview of a senior CAC official by state-owned Xinhua News, is reportedly being
Continue Reading China’s Internet Gatekeeper Announces Legislation to Enhance Personal Information Protection

New consumer protection provisions that clarify how companies may collect, use, and protect personal information of consumers will come into effect in China on March 15, 2015.

On January 5, 2015, China’s State Administration of Industry and Commerce (“SAIC”) issued measures to implement China’s Consumer Rights Protection Law (“CRPL”), which was amended effective March 2014 to include, among other things, provisions on the protection of personal information of consumers and administrative penalties for the misuse of personal information.   The newly promulgated measures, entitled Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (“CRPL Penalty Measures”; Covington’s translation is available here) flesh out the CRPL by addressing a range of consumer protection issues.  From a privacy perspective, the CRPL Penalty Measures (1) clarify the definition of “personal information of consumers,” (2) provide more detail on the CRPL’s requirements for the collection, use, and protection of consumer personal information, and (3) provide for significant penalties for violations.  The CRPL Penalty Measures take effect on March 15, 2015, China’s Consumer Protection Day.
Continue Reading China Clarifies Requirements for Companies Regarding Consumers’ Personal Information

Researchers at Carnegie Mellon University have designed a website that doles out grades to Android apps based on their privacy practices. The website, privacygrade.org, assigns grades based on a model that measures the gap between people’s expectations of an app’s behavior and how the app actually behaves. The grades range from A+, representing no privacy concerns, to D, representing many concerns.

To determine its grades, the Carnegie Mellon model relies on both static analysis and crowdsourcing. In the static analysis component, Carnegie Mellon’s software analyzes what data an app uses, why it uses such data, and how that data is used. For example, the software assessed whether an app used location data, whether that location data was used to provide location features (such as a map app), or whether that location data was used to provide the user with targeted advertising (or for other purposes). In the crowdsourcing component, Carnegie Melon solicited user privacy expectations for certain apps. For example, researchers asked whether users were comfortable with or expected a certain app to collect geolocation information. Where an app collected certain information and users were surprised by that collection, the surprise was represented in the model as a penalty to the app’s overall privacy grade.
Continue Reading Carnegie Mellon Grades Privacy of Android Apps

By Ani Gevorkian

On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million dollars.  The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually.  The rule will be effective as soon as it is published in the Federal Register. 

Under the Gramm-Leach-Bliley Act (GBLA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information.  An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.

Under the new rule, a financial institution may meet GBLA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements.  For instance, the institution may not share data in ways that trigger customers’ opt-out rights.  They must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.
Continue Reading CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions

In May 2014, the Global Privacy Enforcement Network (“GPEN”) performed its second Global Privacy Sweep, in which 26 privacy enforcement authorities from 19 countries downloaded 1,211 mobile apps and assessed their privacy practices. On September 10, 2014, the Office of the Privacy Commissioner of Canada (“OPC”) published the results of the Sweep (the “OPC Report”). The main findings can be summarized as follows:

  • While most apps provided some privacy information, only 15% clearly explained the app’s privacy practices.
  • 30% of the apps tested provided no privacy communications to users—such as a link to or information about the app’s privacy policy—other than communications requesting access to information (referred to as “permissions”).
  • Nearly 60% of the apps tested raised privacy concerns before the app was downloaded—meaning that there was not enough information available prior to download for potential users to adequately assess or review the app’s privacy policies.
  • 43% of the apps reviewed did not tailor privacy communications to small screens such as those present on smartphones and tablets.
  • 31% of the apps requested access to more information than necessary, based on GPEN’s understanding of the app’s functionality. Of the types of data requested, location was the most popular, followed by device IDs.

Continue Reading Global App Review Finds 85% of Apps Have Privacy Shortcomings

Fast fashion retailer Forever 21 Retail Inc. faces a putative class action lawsuit alleging that the retailer violated California law by requesting and recording shoppers’ credit card numbers and personal identification information at the point-of-sale.

Forever 21 shopper Tamar Estanboulian filed the lawsuit on September 7 in U.S. District Court for the Central District of California.  Estanboulian alleges that Forever 21 has a policy requiring its cashiers to request and record credit card numbers and personal identification information from customers using credit cards at the point-of-sale in Forever 21’s retail stores in violation of the Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08.  The complaint further alleges that the retailer pairs the obtained personal identification information with the shopper’s name obtained from the credit card used to make the purchase to get additional personal information.

According to the complaint, Estanboulian purchased merchandise with a credit card at a Forever 21 store in Los Angeles, CA this summer.  The cashier asked Estanboulian for her email address without informing her of the consequences of not providing the information.  Estanboulian alleges that she provided her email address because she believed that it was required to complete the transaction and receive a receipt.  She also claims that she witnessed cashiers asking other shoppers for their email addresses.  Shortly after completing her purchase and leaving the store, Estanboulian received a promotional email from Forever 21.Continue Reading Forever 21 Faces Point-of-Sale Data Collection Class Action Lawsuit