On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018.  The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.

“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”

Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place.  Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.” 
Continue Reading Senators Klobuchar and Kennedy Introduce Privacy Legislation

By Alyson Sandler

On April 10, Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced new privacy legislation titled the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act.  In a statement published on his website, Senator Markey referred to the legislation as a “privacy bill of rights” and explained that “[t]he avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land.”

The CONSENT Act directs the Federal Trade Commission (FTC) to “establish privacy protections for customers of online edge providers.”  These protections include requiring edge providers to notify customers about the collection and use of “sensitive customer proprietary information,” which the Act defines to include, among other things, financial and health information, the content of communications, and web browsing and application usage history.  Customers must also be notified about the types of sensitive customer proprietary information that the edge provider collects, how the information will be used and shared, and the types of entities the edge provider will share the information with.

The centerpiece of the CONSENT Act is its “opt-in” requirement for edge providers to obtain consent from customers for the use of “sensitive information.”  This differs from the model currently employed by most online companies, under which customers may opt out of data collection.  The Act also prohibits an edge provider from refusing to serve customers who do not consent to the use and sharing of their sensitive proprietary information for commercial purposes.
Continue Reading Senate Democrats Propose CONSENT Act

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would  create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data.  In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories.  ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information.  For “non-sensitive user information,” the BROWSER Act requires opt-out consent.  And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.
Continue Reading New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

The FCC recently agreed to grant limited waivers for violations of its “opt out notice” rule for solicited faxes (i.e., faxes sent with the recipient’s prior express invitation or permission).  That rule requires that senders of faxes include opt-out notices on fax transmissions that contain advertisements or promotions.  The FCC initially promulgated its opt-out notice

The Federal Communications Commission has ruled that companies may send a one-time text message to confirm that a subscriber has opted out of receiving text messages without violating the Telephone Consumer Protection Act (TCPA).  In the FCC’s view, if a consumer has consented to receiving text messages and subsequently opts out, the consumer’s prior express

In the face of calls by the FTC for improved mobile privacy protections, as well as interest by members of Congress, mobile advertising companies are actively working on privacy initiatives.  Yesterday, a group of companies in the mobile advertising industry announced that they are working to create an industry standard for anonymous mobile device identification. 

Today, the Federal Communications Commission adopted new rules that strengthen its restrictions on autodialed or prerecorded telemarketing calls.  The FCC billed the new rules as an effort to maintain consistency with the Federal Trade Commission’s telemarketing sales rule, which also governs telemarketing calls, and to give consumers control over the calls that they receive.

Under

Last week, a federal judge denied a motion to dismiss a putative class action brought under the Telephone Consumer Protection Act (TCPA) against Citibank concerning its transmission of text messages.  The case — Ryabyshchuk v. Citibank N.A., — is notable because one of the issues it addresses is whether an entity that transmits a text message to confirm a consumer’s opt out request has transmitted the message without the consumer’s prior express consent.  The Mobile Marketing Association’s Guidelines for text message campaigns advises that such confirmation messages should be sent.  In the ruling, Judge Irma Gonzalez of the Southern District of California held that Citibank could be liable for two messages: the first that allegedly inviting the applicant to call to discuss a credit card application, and the second that allegedly confirmed the consumer’s request to opt out of receiving future messages.  The consumer sought to opt out of receiving future messages after receiving the first text message from Citibank.
Continue Reading Court Permits Class Action to Proceed Where Text Message Confirmed Opt Out Request

Earlier this week, the industry self-regulatory program set up by online advertisers to deal with reported privacy problems released decisions in its first six compliance cases.  The Online Internet-Based Advertising Accountability Program, which was established in August, determines whether reported businesses are complying with the self-regulatory principles for online behavioral advertising.  The Better Business Bureau

Earlier this week, the Federal Trade Commission announced that it has reached a settlement with Chitika, Inc., an ad network that tracks a user’s online activities in order to deliver advertising targeted to the individual user’s interests.  In its complaint, the FTC claimed that Chitika made statements that (1) users could opt out of targeted advertising by clicking on an “Opt-Out”