On July 26, four Chinese agencies, the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MoPS”), and the National Standards Committee, announced their plan to begin the government’s campaign to improve the protection of personal information, according to Xinhua News Agency (link is in Chinese).  The campaign, called “Action Plan to Improve Personal Information Protection,” will start with the audit of privacy policies of the ten most popular online services in China.

Officials from CAC’s Cybersecurity Coordination Bureau indicated that the privacy policy audit is an important step to implement China’s new Cybersecurity Law, which took effect on June 1, 2017.  Through this process, the regulators will balance the protection of personal information with the use of data to improve services for Chinese users.

This development signals the government agencies’ increased focus on companies’ data protection practices.  Companies operating in China should consider reviewing their privacy policies and in-country data practices to conform with legal requirements and best practices.
Continue Reading Chinese Agencies Announce Plan to Audit Privacy Policies of Ten Popular Online Services

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520), that would create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data.  In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories.  ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information.  For “non-sensitive user information,” the BROWSER Act requires opt-out consent.  And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.
Continue Reading New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

By Stephen Kiehl and Hannah Lepow

Over the last year, the National Telecommunications and Information Administration, an arm of the Department of Commerce, has convened a series of meetings regarding voluntary best practices for privacy, accountability and transparency in the use of drones (“UAS”) by commercial and private users.  A number of stakeholders have participated in these meetings, including representatives of insurance companies, technology companies, news organizations, drone manufacturers, and consumer and privacy groups.  This week the stakeholders reached consensus on a “Best Practices” draft document that contains voluntary privacy guidance, which the NTIA has posted on its website.

Importantly, the document recognizes that the benefits of UAS are substantial, and that UAS integration will have a significant positive economic impact in the United States.  The document also stresses that the best practices it outlines are voluntary and do not create a legal or regulatory standard, nor should they be used as a basis for any local, state or federal law or regulation.  The privacy guidance focuses on data collected by a UAS — and not on data collected by any other means.  And, as we discuss below, the best practices do not cover newsgathering activities.
Continue Reading NTIA Multistakeholder Group Reaches Consensus on Best Practices for Drone Privacy

Following the Guardian’s recent exposé on Whisper’s consumer-privacy practices, alleging that the social-media app that supposedly allows people “to anonymously share [their] thoughts with the world . . . in a community built around trust and honesty,” in fact tracks the geolocation of users who opted out of such data collection, Chairman of the Senate

South by Southwest (“SXSW”) Interactive kicked off last week, and Covington was there to cover privacy and big data’s big buzz, a topic which dominated much of the conference.  Among the events that took place last Friday were “Big Data Inverted: The Best Candy from Strangers?” and “Privacy Under the Covers: The Naked Truth.”  The big-data panel included Chris Colborn, R/GA Global Chief Experience Officer; Dinkar Jain, Google Product Manager; and Maria Bezaitis, Principal Engineer at Intel.  The privacy event was a “Core Conversation” that featured MeMe Jacobs Rasmussen, Adobe’s Chief Privacy Officer, VP, and Associate General Counsel; and Shaina Boone, SVP of Marketing Science at Critical Mass.

Big Data Inverted started with the premise that, as big data transforms relationships and information sharing, “people are beginning to unintentionally ‘barricade’ themselves from new experiences.”  While much of the discussion focused on how businesses can structure their models to leverage big data so that it is useful and relevant, better connected, and more available, privacy and consumer trust necessarily came up throughout the discussion.  In particular, many focused on the two sides of the big data coin:  potential and privacy.  Businesses stand to benefit if they can tame and harness big data, but not if they ignore privacy concerns inherent in amassing huge quantities of sensitive information.  Many are suggesting, however, that businesses can profit from privacy too; that is, because privacy has become so important to consumers, it can be used competitively.


Continue Reading Covington at #SXSW: If “Big Data Is the New Oil” Then “Privacy Is the New Green”

On Tuesday, 19 November, the Regional Court of Berlin ruled against Google in a case brought by the Federation of German Consumer Associations (vzbv).  The vzbv had initiated an action for injunction against Google, requesting it to stop using certain clauses in its Terms of Use and Privacy Policy.  In Germany, consumer associations have a right to bring legal proceedings against companies that engage in commercial practices which are illegal under the Act Against Unfair Competition.

The court sided entirely with the plaintiff and ruled that Google must refrain from using the relevant (and similar) clauses in agreements with consumers in Germany. If Google breaches this prohibition, monetary penalties of up to €250,000 or imprisonment of up to six months can be imposed (to be enforced against Google’s legal representatives).

The court’s reasoning is not yet available, but according to press reports the court considered the relevant clauses to be overly vague and broad and to restrict the rights of consumers. The vzbv had argued that users were “unreasonably disadvantaged.”  The court’s press release lists all the relevant clauses which the court considered to be illegal.  We break these down after the jump. 


Continue Reading Berlin Court Condemns Google, Strikes Provisions in Privacy Policy and Terms

Last week, dating website PlentyOfFish withdrew its offer to buy bankrupt rival True.com, citing concerns raised by Texas Attorney General Greg Abbott that the sale would violate True.com’s privacy policy and expose its members to unexpected privacy risks.  Two weeks ago, Abbott filed an objection in U.S. Bankruptcy Court to block the proposed transfer of True.com’s membership database, which contains personal information about the website’s 43 million subscribers.  True.com has been in Chapter 11 bankruptcy proceedings since 2012.

The Texas Attorney General objected to the proposed sale on the grounds that it was inconsistent with True.com’s privacy policy, which Abbott argued “contains ambiguities as to whether Customers will have a right to opt-out or opt-in to consent to the transfer of their [personal information].”  As part of the bankruptcy proceeding, True.com had entered into an Asset Purchase Agreement with PlentyOfFish, another popular dating website, under which PlentyOfFish would gain access to True.com’s extensive database of members’ personal information.  But last week, PlentyOfFish withdrew from the Asset Purchase Agreement, citing the Texas Attorney General’s objection.  In a letter filed with the court on October 23, PlentyOfFish stated that the transfer of True.com’s customer information “do[es] not appear to be legal, valid and effective,” and that the sale “appears to violate Seller’s privacy policy which affects and binds Seller’s assets.”  Markus Frind, the CEO and founder of PlentyOfFish, addressed the problem candidly in his blog, asking “Who in their right mind is going to buy a dating site with 43 million members if you are not allowed access to those members?”


Continue Reading Texas AG Objections To Transfer of Personal Data Demonstrate Significance of Privacy Policy Disclosures

Earlier this week, the Huffington Post’s Jennifer Kerr reported on retailers’ practice of tracking merchandise returns.  According to the article, some retailers track merchandise returns to identify “chronic returners or gangs of thieves trying to make off with high-end products that are returned later for store credit.”  The article notes that

Earlier this week, the House of Representatives passed H.R. 749, the Eliminate Privacy Notice Confusion Act.  The bill is sponsored by Rep. Blaine Luetkemeyer (R-MO) and Rep. Brad Sherman (D-CA).  An earlier version of the bill passed the House in December but was never taken up by the Senate.  We previously covered similar legislation

At the Wired for Change conference earlier this week, FTC Chairman Jon Leibowitz noted that the FTC is developing a “nutrition label” for data collection and use, modeled after the nutrition facts label for food and beverages.  Leibowitz reportedly said that the agency’s chief technologist and the Bureau of Consumer Protection are working to identify “five essential terms” that should be included in these standardized privacy policies.  California Attorney General Kamala Harris, who spoke on the same panel as Leibowitz, supported the idea of food labels for mobile apps, according to reporters’ tweets

The concept of a nutrition label for privacy has been under discussion in the privacy community for some time.  In July 2001, FTC Commissioner Sheila Anthony suggested that nutrition labels and EnergyGuide labels could serve as models for standardized privacy policies.  Several academics have developed standardized table formats for privacy policies, and research from Carnegie Mellon’s CyLab has found that standardized privacy policy formats allow readers to find information more accurately and quickly. 


Continue Reading FTC Working on Privacy “Nutrition Label”; Industry Focusing on Icons