Judiciary

This week, the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to discuss the Location Privacy Protection Act of 2014, a bill reintroduced in March by Senator Al Franken (D-MN).  Most concerned with the potential for misuse and abuse of location data for purposes of stalking and perpetrating domestic violence, Senator Franken, who chairs the Subcommittee on Privacy, made clear at the hearing his view that, “Stalking apps must be shut down.”  Franken clarified, however, that his bill is not only intended to protect victims of stalking, but provides basic privacy safeguards for sensitive location information pertaining to all consumers.  Most critically, Senator Franken suggested that because location data lacks sufficient legislative protection, some of the most popular apps used widely by average consumers have been found to disclose users’ precise location to third parties without obtaining user permission.  Further, he noted that in light of stalking apps that are deceptively labeled as something else, such as “parental monitoring,” it is necessary to create a law with basic rules for any service that collects location information.

The witnesses representing law enforcement, federal agencies, and consumer-advocacy and anti-domestic violence groups gave testimony sharing Senator Franken’s concerns, and also suggested that industry self-regulation in this area so far has not been consistent or transparent.  Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection, for example, noted that broadly speaking, while many industry groups and individual companies purport to adopt the opt-in model as a best practice, enforcement has shown that the standard is in fact not complied with on a regular basis. 

In response, witnesses representing industry largely rejected the notion that legislation like Senator Franken’s is needed at this time.  Expressing particular worry that laws and regulations are inflexible and can quickly become outdated in the face of rapidly evolving technologies, Lou Mastria, Executive Director of the Digital Advertising Association (“DAA”), testified that innovation is better served by self-regulation, which can adapt to new business models because it is more “nimble” than government regulation, as subcommittee ranking member Senator Jeff Flake (R-AZ) phrased it.  Mr. Mastria pointed to the DAA’s Self-Regulatory Principles as an effective framework for self-regulation.  Sally Greenberg, Executive Director of the National Consumers League, however, contested the usefulness of DAA’s code, calling it weak, “full of holes,” and “late to the game,” especially in the face of her view that there is “monumental evidence that self-regulation is not working.”

Today, the Senate Judiciary Committee passed the much-discussed update to the Electronic Communications Privacy Act of 1986 and the Video Privacy Protection Act of 1988 (“VPPA”).  The Committee adopted Senator Leahy’s manager’s amendment (which we discussed here), with a minor modification proposed by Senators Cornyn and Lee.

Senator Feinstein also offered an amendment to the

An action brought by the Electronic Privacy Information Center (“EPIC”) asking that the FTC be compelled to enforce its Google Buzz consent order (previously described, here) was dismissed by Judge Amy Berman Jackson of the United States District Court for the District of Columbia, who held that “enforcement decisions are committed to agency discretion and are not subject to judicial review.”

EPIC contended that Google’s announced changes to its user privacy policies for all of its services, scheduled to take effect on March 1, 2012, would violate various portions of the consent order Google reached with the FTC regarding its former social networking service Google Buzz by “altering the use of personal information” obtained by users and “consolidat[ing] user data from across [Google’s] services and creat[ing] a single merged profile for each user.”

Following up on a meeting last week, today the House Judiciary Committee held a hearing on Rep. Bob Goodlatte’s proposed amendment to the Video Privacy Protection Act (VPPA). The Committee favorably reported (i.e., approved) a modified version of Rep. Goodlatte’s bill, H.R. 2471, which would permit consent to be given to sharing video usage information electronically (1) on a one-time basis or (2) in advance of the disclosure for a set period of time or until consent is withdrawn by the consumer. The modified version approved by the Committee includes an amendment, introduced by Rep. Jerry Nadler and supported by Goodlatte, requiring the consent to be obtained distinctly and separately from any other legal or financial terms presented.

Congress passed the VPPA, which protects the privacy of certain video records, in 1988 in the wake of a scandal concerning the release of videotape rentals for then-Supreme Court nominee Robert Bork. The VPPA, which has not been amended since passage, currently permits sharing of protected information with consent only if the consent is in “writ[ing]” and obtained “at the time the disclosure is sought.”

Last Thursday, the Senate Judiciary Committee began its consideration of the several pending data security bills by marking up S. 1151, the legislation introduced by Sen. Patrick Leahy (D-VT). 

S. 1151 would require business entities to develop a data privacy and security plan for protecting sensitive personally identifiable information, require agencies and business entities to notify U.S. residents in the event of a security breach involving such information, and impose criminal penalties for intentionally and willfully failing to provide notice of a security breach.

The original version of the bill also contained separate privacy requirements for data brokers, but a substitute amendment deleting that title was adopted by the Committee on Thursday.  The panel also accepted an amendment proposed by Sen. Chuck Grassley (R-IA), which clarified that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of Internet terms of service agreements or employment agreements restricting computer access, and a separate manager’s amendment which limited civil liability and penalties.

Multiple press outlets are reporting on remarks from Rep. Robert Goodlatte (R-Va.) regarding his intent to take up cybersecurity legislation during the 112th Congress.  In remarks at the 2011 State of the Net Conference, sponsored by the Congressional Internet Caucus, Goodlatte reportedly said that the Judiciary Committee should explore the use of “limited liability protections” as an incentive