By Meena Harris and Caleb Skeath

  1. Data Breaches
  • Studies show increase.  Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years.  The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012.  Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  • State laws.  In April, Kentucky became the 47th state to enact a data breach notification law.  Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements.  California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  • Federal legislation.  Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014.  The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  • Federal enforcement.  In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches.  The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies.  The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  • Continued attention in 2015.  Legislative interest in data breach issues has only increased in early 2015.  Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate.  The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.


Continue Reading Top 10 U.S. Privacy Developments of 2014

Google has entered into a $17 million settlement agreement with attorneys general from 37 states and the District of Columbia over allegations that the company engaged in unauthorized tracking of users of Apple’s Safari browser in 2011 and 2012.  The allegations stemmed from 2012 reports that Google had bypassed Safari’s default privacy settings and placed

On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company’s relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).

Continue Reading FTC Hosts Workshop to Examine Comprehensive Data Collection

A new bill introduced by Rep. Ed Markey, titled the Mobile Device Privacy Act, would require mobile device sellers, manufacturers, service providers, and app offerors to disclose to consumers the existence of any monitoring software.  Monitoring software is defined as “software that has the capability to monitor the usage of a mobile device or the

By: Shel Abramson

The United States District Court for the Northern District of California recently dismissed with prejudice most claims asserted by consumer plaintiffs in In re iPhone Application Litigation, including causes of action under the Stored Communications Act (“SCA”), the Wiretap Act, and other federal and state laws.  Plaintiffs asserted that Apple and a group of “Mobile Industry Defendants,” including Google, violated federal and state laws by allowing third party applications for “iDevices”—the iPhone, iPad, and iPod Touch—to collect and use plaintiffs’ personal information without consent.  This personal information included geolocation information, the iPhone’s unique device identifier (UDID), and other consumer information, such as age or gender.  Two separate putative classes of plaintiffs brought claims against Apple—an iDevices Class and a Geolocation Class.  With respect to defendant Apple, Judge Lucy H. Koh dismissed all of plaintiffs’ claims with prejudice, except for two California state law claims.  All claims against the Mobile Industry defendants were dismissed with prejudice.

In rejecting the SCA and Wiretap claims, Judge Koh provided a thorough analysis of why plaintiffs’ theories did not comport with these complex and specific statutes.  If followed by other courts, this precedent could have a far-reaching effect in limiting plaintiffs’ ability to use these federal statutes to pursue alleged harms arising out of online data collection and use.  We examine Judge Koh’s discussion in some detail after the jump.

Continue Reading Key Holdings in the In re iPhone Application Dismissal Order

The federal government conducted a search for purposes of the Fourth Amendment when it attached a GPS tracking device to a suspect’s car and used the device to track the suspect’s movements for 28 days, the U.S. Supreme Court ruled Monday.

All nine justices voted to uphold the decision by the U.S. Court of Appeals for the D.C. Circuit reversing Antoine Jones’s drug-trafficking conviction, which was partly based on evidence obtained from the tracking device. But the Court split 5-4 on how the government’s actions constituted a search within the meaning of the Fourth Amendment.

A five-justice majority, in an opinion written by Justice Antonin Scalia, held that the government’s physical attachment of the device to Jones’s car was the critical factor because the Fourth Amendment specifically protects “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”  Physically trespassing on one of Jones’s “effects” — the car — in order to obtain information would have been considered a search when the Fourth Amendment was adopted, the Court held, and such an intrusion therefore requires the government to obtain a warrant under most circumstances. Chief Justice John Roberts and Justices Anthony Kennedy, Clarence Thomas and Sonia Sotomayor joined Justice Scalia’s majority opinion.

Continue Reading Supreme Court: Attaching GPS Tracker to Suspect’s Car Constitutes Search For Purposes of Fourth Amendment

Government officials must seek a warrant to compel the disclosure of cell phone location data, a federal district court ruled, holding that a federal law allowing the government to obtain some information without a warrant violates the Fourth Amendment.

In a one-page order upholding a magistrate judge’s decision, U.S. District Judge Lynn N. Hughes, of the Southern District of Texas, held Nov. 11 that records showing the “date, time, called number, and location of the telephone when the call was made” are constitutionally protected, and thus the government needs a warrant based on probable cause to compel the disclosure of such data. That standard is higher than the standard required for a court order under the Stored Communications Act, which requires a government entity to demonstrate that there are “specific and articulable facts showing that there are reasonable grounds to believe” the contents of or records about an electronic communication are “relevant and material to an ongoing criminal investigation.”

Continue Reading Federal Court Finds Warrant Required to Obtain Cell-Phone Locations

This week, Stanford Security Lab reported preliminary results from a platform it has been developing, a chief application of which is to detect various forms of third-party tracking in an automated manner.  According to researcher Jonathan Mayer’s release, which emphasizes that these are “preliminary findings from experimental software,” Stanford’s system has detected that over half of the companies tested that belong to the self-regulatory Network Advertising Initiative (“NAI”) group leave tracking cookies on users’ computers even after a user opts out of online behavioral targeting.  Importantly, though, NAI member companies are required by the NAI guidelines only to allow and abide by requests to opt out of behavioral ad targeting, and the guidelines do not contain commitments with respect to tracking.   This distinction between targeting and tracking has been the subject of increasing attention, including from the Federal Trade Commission.    

The preliminary study results also reportedly show that at least eight NAI members—including prominent networks such as 24/7 Real Media and Audience Science—commit in their privacy policies to stop tracking users following an opt-out request, but nonetheless leave tracking cookies in place.  Although the media and, increasingly, plaintiffs’ counsel can be quick to latch onto these types of reports, it will be critical to closely examine each company’s privacy policy language in the context of the company’s actual practices.
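The check the study describes, whether an ad network's opt-out cookie sits alongside identifier cookies that keep tracking, is easy to reproduce against an exported cookie jar. The script below is an added example; it is not the Stanford platform or any NAI tool. The cookie file, the member-domain list and the opt-out cookie names are constructed for illustration, since each network chooses its own opt-out cookie name and value, so a real audit needs a per-network table. A cookie whose value merely looks like an opaque token is evidence, not proof, of tracking, which is the same caution the paragraph above raises about reading each company's policy against its actual practice.

```python
"""Flag ad-network domains that keep identifier cookies after an opt-out.

Added example. Parses a Netscape-format cookies.txt (the format Firefox and
curl export) and reports, per domain, whether an opt-out cookie is present and
which non-opt-out cookies still carry token-like values.
"""
import re
from collections import defaultdict

# Constructed Netscape-format cookie jar. Fields, tab-separated:
# domain, include-subdomains, path, secure, expiry (epoch; 0 = session), name, value
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File (constructed sample)
.ads.example\tTRUE\t/\tFALSE\t2000000000\tOPTOUT\tYES
.ads.example\tTRUE\t/\tFALSE\t2000000000\tuid\t4f9c1e8a7b3d2c6e
.tracker.example\tTRUE\t/\tFALSE\t2000000000\toptout\t1
.tracker.example\tTRUE\t/\tFALSE\t0\tsid\tabc123def456
.clean.example\tTRUE\t/\tFALSE\t2000000000\topt_out\ttrue
.unrelated.example\tTRUE\t/\tFALSE\t2000000000\tid\t9e8d7c6b5a4f3e2d
"""

# Hypothetical opt-out cookie names; real networks each use their own.
OPT_OUT_NAMES = {"optout", "opt_out", "opt-out"}

# Domains treated as programme members for this example (constructed).
MEMBER_DOMAINS = {"ads.example", "tracker.example", "clean.example"}

# Heuristic for an identifier: 8+ chars of letters/digits with at least one of each.
OPAQUE_TOKEN = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9_-]{8,}$", re.I)


def parse_cookies_txt(text):
    """Return (domain, expiry, name, value) tuples from a cookies.txt body."""
    cookies = []
    for line in text.splitlines():
        # Firefox/curl mark HttpOnly cookies with a pseudo-comment prefix.
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line; skip rather than guess
        domain, _subdomains, _path, _secure, expiry, name, value = fields
        cookies.append((domain.lstrip(".").lower(), int(expiry), name, value))
    return cookies


def audit_opt_outs(text, member_domains=MEMBER_DOMAINS, now=1_700_000_000):
    """Per member domain: opt-out present? which identifier cookies remain?

    `now` is fixed so the result is reproducible; pass time.time() for a live jar.
    Session cookies (expiry 0) are reported separately: they still identify the
    browser for the session but do not survive a restart.
    """
    per_domain = defaultdict(
        lambda: {"opted_out": False, "persistent_ids": [], "session_ids": []}
    )
    for domain, expiry, name, value in parse_cookies_txt(text):
        if domain not in member_domains:
            continue
        entry = per_domain[domain]
        if name.lower() in OPT_OUT_NAMES:
            entry["opted_out"] = True
        elif OPAQUE_TOKEN.match(value):
            bucket = "persistent_ids" if expiry > now else "session_ids"
            entry[bucket].append(name)
    return dict(per_domain)


def tracking_despite_opt_out(report):
    """Domains that carry an opt-out cookie and a persistent identifier cookie."""
    return sorted(d for d, e in report.items() if e["opted_out"] and e["persistent_ids"])


if __name__ == "__main__":
    rep = audit_opt_outs(SAMPLE_COOKIES_TXT)
    for dom, entry in sorted(rep.items()):
        print(dom, entry)
    print("persistent tracking after opt-out:", tracking_despite_opt_out(rep))
```

On the constructed jar, `ads.example` is flagged: its opt-out cookie is set but a persistent `uid` cookie remains. `tracker.example` keeps only a session identifier, and `clean.example` holds nothing but the opt-out marker. Whether a flagged domain has broken a commitment still depends on what its privacy policy actually promised, which is the targeting-versus-tracking distinction the excerpt draws.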

Continue Reading Preliminary Results Reported From Stanford “Tracking the Trackers” Study

Ringleader Digital — an online advertising firm specializing in the mobile market — has agreed to settle two putative class actions that were filed against it last fall.  The plaintiffs alleged that Ringleader violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state privacy and consumer protection laws, by using HTML5 software to track users’ online activities.  Under the proposed settlement agreement [PDF], Ringleader will pay $30,000 to the named plaintiffs in both actions and $670,000 in attorneys’ fees.  The proposed agreement also provides for significant injunctive relief.

This is the second notable settlement of a privacy litigation in the past three months.  As we discussed in a previous post, online marketing firms Quantcast and Clearspring settled several privacy suits arising from the alleged use of “Flash cookies” to track users’ browsing activities for advertising purposes.  As with the Quantcast/Clearspring settlement, the settlement announced in the Ringleader cases is somewhat surprising given the strong defenses Ringleader appeared to have to the asserted claims and the limited release obtained.  Eric Bosset, Simon Frankel, Mali Friedman, and I recently published an article in the Intellectual Property & Technology Law Journal that details some of those defenses.        

Continue Reading Ringleader Agrees to Settle Privacy Suits

The United States District Court for the District of Montana has dismissed [PDF] several class action claims against the Internet service provider Bresnan Communications arising out of its partnership with the controversial (and now defunct) online advertising firm NebuAd. 

Bresnan subscribers alleged that the ISP allowed NebuAd to test a system to profile subscribers’ online activity using deep packet inspection (“DPI”) for the purpose of serving targeted ads.  The system allegedly enabled NebuAd to (1) intercept and read essentially all subscriber communications transmitted over Bresnan’s network and (2) set cookies by forcing users’ browsers to send requests to a NebuAd server.  The plaintiffs pleaded claims under the Wiretap Act and the Computer Fraud and Abuse Act (“CFAA”) as well as several state law claims.  The court dismissed the Wiretap Act and a state law claim, finding that the plaintiffs had impliedly consented to any interception and had no reasonable expectation of privacy in the contents of their communications.  The court pointed to statements in Bresnan’s privacy notice and subscriber agreement that disclosed the possibility of tracking. 

Continue Reading Court Holds Subscribers Consented to “Deep Packet Inspection”