As reported in the Hunton Employment & Labor Perspectives Blog:
Beginning January 1, 2013, employers must issue an updated notice form to applicants and employees when using criminal background information under the federal Fair Credit Reporting Act.
On December 21, 2012, the Article 29 Working Party issued a press release announcing the launch of Binding Corporate Rules (“BCRs”) for processors effective January 1, 2013. This announcement follows the Article 29 Working Party’s adoption of a Working Document (WP 195) on June 6, 2012, which set forth requirements for BCRs for processors, and an application form for submitting BCRs for processors issued on September 17, 2012.
On December 18, 2012, the U.S. House of Representatives passed H.R. 6671, a bill that would amend the Video Privacy Protection Act (“VPPA”) consent requirements for disclosing consumers’ viewing information. The Senate approved the bill without changes on December 20, 2012. The bill would make it easier for companies to develop innovative technologies for the sharing of consumers’ video viewing habits. The current version of the VPPA requires certain video providers to obtain a consumer’s consent each time they wish to share the consumer’s viewing information ...
On December 19, 2012, the European Commission announced its formal recognition of personal data protection in New Zealand. The European Commission approved New Zealand’s status as a country that provides “adequate protection” of personal data under the European Data Protection Directive 95/46/EC. This determination means that personal information from Europe may flow freely to New Zealand. Although the law in New Zealand has been modernized over the years, it is not new. New Zealand will be celebrating the 25th anniversary of its data protection law in 2013. Furthermore, New Zealand has been very active in the development of international standards at the OECD and APEC, and has participated in initiatives such as the Global Accountability Project. New Zealand’s request to be deemed adequate has been pending for several years. This determination follows the positive Opinion of the Article 29 Working Party issued on April 4, 2011, concerning the level of protection under New Zealand’s law.
On December 18, 2012, the Federal Trade Commission issued Orders to File Special Report (the “Orders”) to nine data brokerage companies, seeking information about how these companies collect and use personal data about consumers. In the Orders, the FTC requests detailed information about the data brokers’ privacy practices, including:
- the data brokerage companies’ online and offline products and services that use personal data;
- the sources and types of personal data the data brokerage companies collect;
- whether, and how, the companies acquire consumer consent before obtaining, collecting, generating, deriving, disseminating or storing the personal data;
- whether, and how, the personal data is aggregated, anonymized or de-identified;
- how the companies monitor, audit or evaluate the accuracy of the personal data they obtain;
- if, and how, consumers are able to access, correct, delete or opt out of the collection, use or sharing of the personal data the data brokerage companies maintain about the consumers;
- how the data brokerage companies provide notice to consumers about their data privacy practices;
- the advertisements or promotional materials the companies use to describe their products and services; and
- information about any complaints or disputes, or governmental or regulatory inquiries or actions, related to the companies’ data privacy practices.
U.S. Federal Trade Commission Chairman Jon Leibowitz announced on Monday that David C. Vladeck, director of the FTC's Bureau of Consumer Protection, is leaving the Commission on December 31, 2012 to return to the Georgetown University Law Center.
On December 19, 2012, the Federal Trade Commission announced the adoption of its long-awaited amendments to the Children’s Online Privacy Protection Rule (the “Rule”). The FTC implemented the Rule, which became effective on April 21, 2000, pursuant to provisions in the Children’s Online Privacy Protection Act of 1998 (“COPPA”).
On December 10, 2012, Tom Field of HealthcareInfoSecurity interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing the top legal issues in 2012, Lisa said that data breaches remain at the top of the list, with an increase in malicious cyberattacks. She also addressed the need to combat cybercrime.
On December 13, 2012, the UK Information Commissioner’s Office (“ICO”) announced a consultation on a draft subject access code of practice (the “Code”). The Code is open for public comment until February 21, 2013.
On December 18, 2012, the Information Commissioner’s Office (“ICO”) released an enforcement report (the “Report”) on the extent of compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011). The ICO previously issued an interim report on organizations’ attempts to achieve compliance, in which it concluded that organizations “must try harder” with their cookie compliance efforts.
On December 12, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released an accountability self-assessment tool designed to help organizations evaluate their internal privacy programs and practices. The tool is the product of the Global Accountability Project for which the Centre serves as Secretariat.
On December 10, 2012, the Federal Trade Commission issued a new report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, which follows up on the FTC’s February 2012 report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing. The FTC conducted a follow-up survey regarding pre-download mobile app privacy disclosures, and whether those disclosures accurately describe what occurs during use of the apps.
On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.
On December 6, 2012, California Attorney General Kamala D. Harris announced a lawsuit against Delta Air Lines, Inc. (“Delta”) for violations of the California Online Privacy Protection Act (“CalOPPA”). The suit, which the Attorney General filed in the San Francisco Superior Court, alleges that Delta failed to conspicuously post a privacy policy within Delta’s “Fly Delta” mobile application to inform users of what personally identifiable information is collected and how it is being used by the company. CalOPPA requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service,” such as a mobile application, to post a privacy policy that contains the elements set out in CalOPPA. According to Attorney General Harris’ complaint, Delta has operated the “Fly Delta” application for smartphones and other electronic devices since at least 2010. The complaint alleges that “[d]espite collecting substantial personally identifiable information (“PII”) such as user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.”
On November 23, 2012, the German Federal Council (Bundesrat or the “Council”) published its comments on the European Commission’s strategy on cloud computing and also submitted them to the Commission.
On December 5, 2012, the Federal Trade Commission announced that the online advertising company Epic Marketplace, Inc. (“Epic”) agreed to settle charges that it engaged in “history sniffing” to secretly and illegally collect information about consumers’ interest in sensitive medical and financial issues. History sniffing is the practice of determining whether a consumer has previously visited a webpage by checking how a browser displays a hyperlink. The consent order requires Epic to destroy all data collected from history sniffing and bars Epic from engaging in history sniffing in the future.
The Hunton Employment & Labor Perspectives Blog examines issues related to professional use of social media: who owns social media accounts, contacts and valuable consumer data when an employee resigns? Read the full blog entry.
On November 20, 2012, the European Network and Information Security Agency (“ENISA”) published a new report entitled “The Right to Be Forgotten – Between Expectations and Practice.” The report complements two earlier papers which focused on data collection and storage and online behavioral advertising, and focuses on the technical implications of the proposed General Data Protection Regulation’s new right to be forgotten.
On November 30, 2012, the Federal Trade Commission announced the issuance of an interim final rule (“Interim Final Rule”) that makes the definition of “creditor” in the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule”) consistent with the definition contained in the Red Flag Program Clarification Act of 2010.
On November 21, 2012, the UK Committee of Advertising Practice (“CAP”) released new rules on online behavioral advertising (“OBA”). CAP is the UK body which writes and maintains the UK advertising codes, which are administered and enforced by the UK Advertising Standards Authority (“ASA”).
On November 29, 2012, the Federal Communications Commission (“FCC”) issued a declaratory ruling finding that certain text messages businesses send to confirm a consumer’s request to opt out of text message programs do not violate a federal prohibition on sending text messages without prior express consent. This prohibition has spawned class actions against companies that have followed the provisions in the Mobile Marketing Association’s U.S. Consumer Best Practices and other industry guidelines that require companies to send a confirmatory text message in response to a consumer’s opt-out request. The FCC’s finding is limited to sending confirmatory text messages under the following conditions:
On November 21, 2012, the UK Supreme Court handed down a judgment in The Rugby Football Union vs. Consolidated Information Services Limited (Formerly Viagogo Limited), a case addressing the application of Article 8 of the EU Charter of Fundamental Rights (Protection of Personal Data) in the context of court orders seeking to disclose the identities of alleged wrongdoers.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code