ECPA

By Elizabeth Katz

Twenty-five years after authoring the Electronic Communications Privacy Act (“ECPA”), Senator Patrick Leahy has introduced a bill, the ECPA Amendments Act of 2011 (S. 1011), that is intended to adapt the Act to the privacy and security challenges of the 21st Century.  The bill would amend Title II of ECPA, commonly called the “Stored Communications Act” or “SCA,” which regulates the disclosure to private parties and the U.S. government of electronic communications in storage with certain service providers.  Much of S. 1011 increases the requirements that the U.S. government must satisfy to compel disclosure of covered communications.

The bill was introduced amid a flurry of activity in the Senate related to privacy and data security.  Last week, the newly formed Senate Subcommittee on Privacy, Technology and the Law held a hearing on privacy in the mobile communications context (which also touched on ECPA reform), and the Senate Commerce Committee held a similar hearing today (its sixth hearing on consumer privacy in the past 13 months).

After the jump is a summary of S. 1011’s key provisions.Continue Reading Senator Leahy Proposes Amendments to ECPA

By Elizabeth Katz

As Senate Judiciary Committee Chairman Patrick Leahy prepares to introduce legislation to reform the Electronic Communications Privacy Act, the Brookings Institution today held a panel on ECPA reform issues. The discussion began with a keynote address delivered by George Washington University Law School professor Orin S. Kerr.

Continue Reading Brookings Institution Holds Panel on Reforming ECPA

This is another big week for privacy. On Monday, Senate Commerce Chairman Jay Rockefeller introduced the Do-Not-Track Online Act of 2011, which we posted about here. And yesterday, the newly created Senate Subcommittee on Privacy, Technology and the Law held its first hearing.  The hearing focused on mobile privacy issues, but also touched on other important privacy-related matters, including reform of the Electronic Communications Privacy Act and data security breaches. The following are highlights from the hearing:

  • Jessica Rich, Deputy Director of the Federal Trade Commission’s Bureau of Consumer Protection, testified that the FTC has “a number of active investigations into privacy issues associated with mobile devices, including children’s privacy.”
  • Ms. Rich also noted that the draft Staff Report published by the FTC in December addresses mobile privacy issues in certain respects, including recommending that companies obtain affirmative express consent before collecting or sharing sensitive information such as precise geolocation data. In response to a question from Senator Al Franken, Ms. Rich explained that location data is especially sensitive because it often involves the data of children and teens and, when gathered over time, can be used to determine what church or political meetings a person attends and when and where a child walks to and from school. She also noted stalking concerns. Ms. Rich also expressed concerns that mobile users are even less likely than other online consumers to read detailed privacy screens, given the small screens of most mobile devices, but noted that the FTC Staff Report recommends clearer disclosures and simpler consent mechanisms. With respect to the status of the Staff Report, Ms. Rich’s written remarks indicate that FTC staff is analyzing the comments it received on its draft Staff Report and will take them into consideration in preparing a final report for release later this year.

Continue Reading Mobile Hearing Covers Mobile Privacy, ECPA Reform, and Data Breach Issues

In a recent order, Judge Henderson of the District Court for the Northern District of California denied NebuAd Inc.’s motion to dismiss in Valentine v. NebuAd Inc., No. C08-05113 TEH, finding that plaintiffs had sufficient statutory standing to assert claims under the California Invasion of Privacy Act (“CIPA”) and the California Computer Crime Law (“CCCL”) and that these claims were not preempted by the federal Electronic Communications Privacy Act (“ECPA”).

With respect to standing, the Court found that the California Legislature did not intend to limit the right of action under CIPA and CCCL to in-state plaintiffs, and, thus, the out-of-state plaintiffs in this action could bring suit again a California defendant (NebuAd).  (Notably, this analysis pertained to standing under these specific California statutes, not the Article III constitutional standing that was at issue in the recent RockYou decision, which we wrote about here).  On the preemption issue, the Court rejected the Central District of California’s holding in Bunnell v. Motion Picture Ass’n of Am. that ECPA preempted a CIPA claim.  Instead, the Court said it was more persuaded by the California Supreme Court’s contrary holdings that ECPA does not preempt CIPA in People v. Conklin and Kearney v. Salomon Smith Barney.Continue Reading California Privacy Claims Survive Motion to Dismiss In NebuAd Lawsuit

On Wednesday, April 6, the Senate Judiciary Committee held a hearing to examine ECPA, the Electronic Communications Privacy Act.  The hearing, which focused on the federal government’s perspective on ECPA reform, followed up on a hearing held last September and Sen. Patrick Leahy’s (D-VT) January 2011 pledge that “[t]he Judiciary

Continue Reading Senate Judiciary Committee Continues ECPA Review

Today the District Court for the Northern District of Alabama dismissed the class action lawsuit filed against our client, Cable One, Inc., for lack of subject matter jurisdiction because the named plaintiff lacked standing.  The litigation arose out of a limited test of NebuAd Inc.’s “deep packet inspection&rdquo

Continue Reading Privacy Lawsuit Against Cable One Dismissed

For the fourth time in the past two months, Apple has been sued for allegedly violating the privacy of iPad and iPhone users.  Like the previous three suits (two of which we discussed in this post), Rodimer v. Apple, Inc. [PDF] alleges that Apple transmitted “personal information,” including Unique Device

Continue Reading Apple Sued Again For Alleged Privacy Violations

The Department of Commerce has just issued its much-anticipated “green paper” on online privacy. The paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” [PDF], reflects Commerce’s stepped-up focus on privacy issues coming out the formation of its Internet Policy Task Force
Continue Reading Covington Analysis on Commerce Privacy Report: Urges Self-Regulation and “Privacy Bill of Rights”

Just two days after the Director of the FTC’s Bureau of Consumer Protection announced that the agency would not tolerate an “arms race” aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring–which provide web analytics and certain functionality to consumer-facing websites–were named in several class action complaints this summer.  The suits alleged that the companies used “Flash cookies” (i.e., local shared objects stored in the memory of Adobe’s Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional “HTTP” cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or “respawn” browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to “circumvent” users’ privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.Continue Reading Quantcast, Clearspring Agree to Settle “Flash Cookies” Suits