Privacy & Information Security Law Blog

On November 30, 2016, the FTC released a staff summary (the “Summary”) of a public workshop called Putting Disclosures to the Test. The workshop, which was held on September 15, 2016, examined ways of testing and evaluating company disclosures regarding advertising claims and privacy practices. The Summary reviews the workshop and its key takeaways.

On November 1, 2016, the FTC announced that a group of entities known as the Consumer Education Group (“CEG”) settled FTC charges that, between late 2013 and 2015, it made millions of telemarketing calls, including pre-recorded robocalls, to consumers on the national Do Not Call (“DNC”) Registry, in violation of the Telemarketing Sales Rule (“TSR”).

Hunton & Williams LLP is proud to announce our Privacy & Information Security Law Blog has been nominated in The Expert Institute’s 2016 Best Legal Blog Contest for Best AmLaw Blog of 2016. From all of the editors, lawyers and contributors that make our blog a success, we appreciate your continued support and readership, and ask that you please take a moment to vote for our blog!

The Privacy & Information Security Law Blog was ranked as the #1 Privacy & Data Security blog in LexBlog’s 2015 AmLaw 200 Blog Benchmark Report, and named PR News’ Best Legal PR Blog in 2011. It was noted that the ...

The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The draft is open for comment until September 5, 2016.

On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive"). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).

On June 28, 2016, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2015 -2016 (the “Report”).

According to the Report, the ICO has dealt with an increase in the number of data protection concerns, handling 16,388 complaints in total. Particularly noteworthy is the £130,000 fine imposed on Pharmacy 2U for breach of the fair processing requirements under the UK Data Protection Act 1998. Pharmacy 2U sold details of over 20,000 customers to a list marketing company without customers' knowledge or consent.

On June 22, 2016, the Federal Trade Commission announced a settlement with Singaporean-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties. 

TCCWNA. The very acronym evokes head scratches and sighs of angst and frustration among many lawyers in the retail industry. You have probably heard about it. You may have even been warned about it. And you may currently be trying to figure out how best to minimize your risk and exposure this very moment. But what is it and why has virtually every retailer been hit with a TCCWNA class action demand letter or lawsuit in the past few months? And why are most retailers scrambling to update the terms and conditions of their websites?

The Federal Trade Commission announced that it will host a workshop on September 15, 2016, “Putting Disclosures to the Test,” on the efficacy and costs of consumer disclosures in advertising and privacy policies. Planned discussion topics include examining disclosures meant to avoid deception in advertising, disclosures designed to inform consumers of data tracking, and industry-specific disclosures for jewelry, environmental and fuel-saving claims. The workshop is open to the public and will take place at the FTC’s Constitution Center offices in Washington, D.C ...

On June 1, 2016, a new do-not-call list (the “BLOCTEL list”) was implemented in France. French residents who do not wish to receive marketing phone calls may register their landline or mobile phone number online at www.bloctel.gouv.fr.

Late last year the Federal Trade Commission issued enforcement guidance on “native advertising” — ads that purposely are formatted to appear as noncommercial and are integrated into surrounding editorial content. The agency’s guidance took two parts: an Enforcement Policy Statement on deceptively formatted ads, and a Guide for Business on native advertising. These long-awaited guidance documents follow on the FTC’s December 2013 “Blurred Lines” workshop on native advertising. Importantly, the FTC notes that its policy statement does not apply just to advertisers but also to other parties that help create the content: ad agencies, ad networks and potentially, publishers.

On December 30, 2015, the Pew Research Center released a report on the results of a recent survey that asked 461 Americans about their feelings toward sharing personal information with companies. The survey found that a “significant minority” of American adults have felt “confused over information provided in company privacy policies, discouraged by the amount of effort needed to understand the implications of sharing their data, and impatient because they wanted to learn more about the information-sharing process but felt they needed to make a decision right away.”

On December 17, 2015, the FTC announced a pair of COPPA settlements against operators of child-directed mobile apps available for download in the major app stores. These cases are the FTC’s first COPPA actions involving the collection of persistent identifiers, and no other personal information, from children since the FTC’s updated COPPA Rule went into effect in 2013. The FTC levied civil penalties, totaling $360,000, in both cases.

Hunton & Williams welcomes Phyllis H. Marcus as counsel to the firm’s privacy and competition teams. Phyllis joins the firm from the Federal Trade Commission, where she held a number of leadership positions, most recently as Chief of Staff of the Division of Advertising Practices. Phyllis led the FTC’s children’s online privacy program, including bringing a number of enforcement actions and overhauling the Children’s Online Privacy Protection Act (“COPPA”) Rule. She offers the privacy team a keen understanding of the complexities of the revised regulations, as well as broader issues relating to student privacy, mobile applications and the Internet of Things.

On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.

On September 25, 2015, the UK Information Commissioner’s Office (the “ICO”) issued a fine of £200,000 (approximately $303,000) to Home Energy & Lifestyle Management Ltd. (“HELM”) for making a large number of automated marketing calls in violation of the UK’s direct marketing laws. This is the largest fine that the ICO has issued to date in connection with automated marketing calls.

On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.

On July 10, 2015, the Federal Communications Commission (“FCC”) released a Declaratory Ruling and Order that provides guidance with respect to several sections of the Telephone Consumer Protection Act (“TCPA”). The Declaratory Ruling and Order responds to 21 separate requests from industry, government and others seeking clarifications regarding the TCPA and related FCC rules.

On June 30, 2015, the French Data Protection Authority (the “CNIL”) summarized the results of the cookie inspections it conducted at the end of 2014.

On May 13, 2015, the Belgian Data Protection Authority (the “DPA”) published a recommendation addressing the use of social plug-ins associated with Facebook and its services (the “Recommendation”). The Recommendation stems from the recent discussions between the DPA and Facebook regarding Facebook’s privacy policy and the tracking of individuals’ Internet activities.

On May 7, 2015, the Digital Advertising Alliance (“DAA”) announced that, as of September 1, 2015, the Council of Better Business Bureaus and the Direct Marketing Association will begin to enforce the DAA Self-Regulatory Principles for Online Behavioral Advertising and the Multi-Site Data Principles (collectively, the “Self-Regulatory Principles”) in the mobile environment.

On November 16, 2015, the Federal Trade Commission will host a workshop in Washington, D.C., to examine the benefits and privacy risks associated with “cross-device tracking.” The workshop intends to highlight the types of cross-device tracking techniques and how businesses and consumers can benefit from these practices. The workshop also will address related privacy and security risks, and discuss whether self-regulatory programs apply to these practices.

On February 26, 2015, the Department of Education’s Privacy Technical Assistance Center (“PTAC”) issued guidance to assist schools, school districts and vendors with understanding the primary laws regulating student privacy and how compliance with those laws may be affected by Terms of Service (“TOS”) offered by providers of online educational services and mobile applications. The guidance also is intended to aid school districts and schools in implementing separate guidance issued by the PTAC in February 2014. The guidance was accompanied by a short training video directed to teachers, administrators and other relevant staff.

On February 4, 2015, the German government adopted a draft law to improve the enforcement of data protection provisions that are focused on consumer protection. As reported earlier, the new law would bring about a fundamental change in how German data protection law is enforced.

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

On September 3, 2014, the Federal Communications Commission announced that Verizon has agreed to pay $7.4 million to settle an FCC Enforcement Bureau investigation into Verizon’s use of personal information for marketing. The investigation revealed that Verizon had used customers’ personal information for marketing purposes over a multiyear period before notifying the customers of their right to opt out of such marketing.

On September 2, 2014, a federal district court in California granted final approval to a settlement ending a class action against Bank of America (“BofA”) and FIA Card Services stemming from allegations that the defendants “engaged in a systematic practice of calling or texting consumers’ cell phones through the use of automatic telephone dialing systems and/or an artificial or prerecorded voice without their prior express consent, in violation of the Telephone Consumer Protection Act (“TCPA”).” The court granted preliminary approval to the settlement in December 2013.

On July 31, 2014, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on its Telemarketing Sales Rule (“TSR”) as “part of the FTC’s systematic review of all current Commission regulations and guides.” In the press release accompanying the Federal Register notice, the FTC stated that its questions for the public focus on (1) the use and sharing of pre-acquired account information in telemarketing, and (2) issues raised by the use of negative-option and free-trial offers in combination with general media ads designed to generate inbound telemarketing calls from consumers. The FTC’s review process comes less than a year after the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules became effective.

On May 27, 2014, the Federal Trade Commission announced the release of a new report entitled Data Brokers: A Call for Transparency and Accountability, detailing the findings of an FTC study of nine data brokers, representing a cross-section of the industry. The Report concludes that the data broker industry needs greater transparency and recommends that Congress consider enacting legislation that would make data brokers’ practices more visible and give consumers more control over the collection and sharing of their personal information.

On May 19, 2014, the Federal Communications Commission announced that Sprint Corporation agreed to pay $7.5 million to settle an FCC Enforcement Bureau investigation stemming from allegations that the company failed to honor consumers’ requests to opt out of telemarketing calls and texts. Sprint also agreed to implement a two-year plan to help ensure future compliance with Do-Not-Call registry rules.

On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On January 16, 2014 the High Court in London rejected submissions made on behalf of Google Inc. (“Google”) that the case brought against it by three UK-based users of Apple’s Safari browser should be heard in the U.S., rather than before an English court. The decision means that the case could be heard before a court in England, although media reports suggest Google will appeal the decision.

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines were published in November 2012.

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to non-HIPAA covered websites and apps. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

On November 15, 2013, the U.S. Government Accountability Office (“GAO”) released a report (the “Report”) finding that the current federal statutory privacy scheme contains “gaps” and “does not fully reflect” the Fair Information Practice Principles (“FIPPs”). The Report focused primarily on companies that gather and resell consumer personal information, and on the use of consumer personal information for marketing purposes.

On November 4, 2013, the China Insurance Regulatory Commission, which is the Chinese regulatory and administrative authority for the insurance sector, issued the Interim Measures for the Management of the Authenticity of Information of Life Insurance Customers (the “Measures”). The Measures require life insurance companies and their agents to ensure the authenticity of personal data of life insurance policy holders. To help achieve this objective, the Measures impose rules for the collection, recording, management and use of the personal data of policy holders.

On November 14, 2013, the Minister of the Malaysian Communications and Multimedia Commission (the “Minister”) announced that Malaysia’s Personal Data Protection Act 2010 (the “Act”) would be going into effect as of November 15, marking the end of years of postponements. The following features of the law are of particular significance:

On November 13, 2013, Google entered into a $17 million settlement agreement with the attorneys general from 37 states and the District of Columbia related to allegations that the company bypassed users’ cookie-blocking settings on Apple’s Safari browser in 2011 and 2012. The settlement requires Google to refrain from bypassing cookie controls in the future and requires Google to maintain a page on its site informing users about cookies and how to manage them. Last year, Google agreed to a $22.5 million settlement with the Federal Trade Commission in connection with similar ...

On October 16, 2013, the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules go into effect. As we previously reported, the revisions require that businesses obtain “express written consent” prior to advertising or telemarketing through (1) autodialed calls or text messages, or prerecorded calls to consumers’ mobile numbers, and (2) prerecorded calls to consumers’ residential lines. In addition, the FCC’s revisions eliminate the exemption that allowed businesses to place prerecorded advertising or telemarketing calls to a consumer’s residential phone line if the business had a pre-existing business relationship with the consumer.

On September 25, 2013, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, expanded his investigation of the data broker industry by asking twelve popular health and personal finance websites to answer questions about their data collection and sharing practices.

On September 26, 2013, the UK Information Commissioner’s Office (“ICO”) published new breach notification guidance (the “Guidance”), applicable to telecom operators, Internet service providers (“ISPs”) and other public electronic communications service (“ECS”) providers.

Today, September 23, 2013, marks the deadline for compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Omnibus Rule that was issued in January 2013. Covered entities, business associates and subcontractors that access, use or disclose protected health information (“PHI”) will need to take the following actions:

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published guidance for companies receiving unwanted marketing (the “Guidance”). This Guidance was published as part of a broader focus on unwanted marketing in the UK.

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published new guidance on direct marketing (the “Guidance”). The Guidance explains the application of the two principal legislative instruments that affect direct marketing in the UK: (1) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which relates specifically to direct marketing; and (2) the Data Protection Act 1998 (the “DPA”), which governs data protection issues generally. The Guidance is not legally binding, but it reflects the ICO’s interpretation of the requirements and indicates how the ICO is likely to enforce them.

As reported by Bloomberg BNA, the South African Parliament passed the Protection of Personal Information Bill on August 22, 2013. The bill, which was sent to President Jacob Zuma to be signed into law, represents South Africa’s first comprehensive data protection legislation.

On July 26, 2013, the Federal Trade Commission announced updates to its frequently asked questions regarding the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The updated FAQs, which have replaced the June 2013 version on the FTC’s Business Center website, provide additional information in the sections addressing websites and online services directed to children and disclosure of information to third parties.

Senior Attorney Rosemary Jay reports from London:

On June 25, 2013, Advocate-General Jääskinen of the European Court of Justice (“ECJ”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).

The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.

On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.

On May 31, 2013, the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.

On May 20, 2013, the Estonian Data Protection Inspectorate issued its Annual Report 2012 (the “Report,” summary available in English). The number of inquiries, complaints and supervision proceedings have remained the same over the last few years. The main topics of complaints include employment relations, CCTV, electronic direct marketing and social media. The Inspectorate stated that its primary goal is to stop violations of the law, not to impose sanctions. According to the Report, the Inspectorate issued orders regarding compliance in 48 cases and imposed fines in 39 cases.

On May 9, 2013, the Federal Communications Commission (“FCC”) released a declaratory ruling clarifying the liability of a seller for violations of the Telemarketing Consumer Protection Act (“TCPA”) made by third-party telemarketers and others who place calls to market the seller’s products or services.

On May 16, 2013, UK Trade & Investment (“UKTI”), a UK government department working with businesses based in the UK to ensure their success in international markets, published the first export strategy paper (the “Paper”) on the UK’s approach to the $100 billion annual cybersecurity export market.

In November 2011, the UK’s Cyber Security Strategy was published. ‘Objective 1’ of the strategy’s implementation plan recognized that cyberspace is an important and expanding part of the UK economy. One of the supporting actions for Objective 1 was to develop a ...

On April 30, 2013, the regional court of Berlin enjoined Apple Sales International, which is based in Ireland, (“Apple”) from relying on eight of its existing standard data protection clauses in contracts with customers based in Germany. The court also prohibited Apple’s future use of such clauses.

On April 10, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) enacted two draft rules (“Provisions on the Protection of Personal Information of Telecommunications and Internet Users” and “Provisions on the Registration of Real Identity Information of Telephone Users”) to solicit public comments. The comment period is open until May 15, 2013. Both Drafts include proposals for substantial provisions on the protection of personal information and were enacted according to the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (issued by the Standing Committee in December 2012) and some other telecommunications rules.

On April 22, 2013, the higher administrative court of Schleswig issued two decisions rejecting an appeal by the data protection authority of Schleswig-Holstein (“Schleswig DPA”) that sought to challenge a lower court’s earlier rulings in Facebook’s favor.

On March 20, 2012, the UK Information Commissioner’s Office announced that it has issued a monetary penalty of £90,000 against DM Design Bedrooms Ltd. (“DM Design”) for making thousands of unwanted marketing calls.

On January 28, 2013, European Data Privacy Day, the London office of Hunton & Williams hosted the launch of senior attorney Rosemary Jay’s fourth edition book, Data Protection Law & Practice, by publisher Sweet & Maxwell.

Reporting from Australia, former Australian Privacy Commissioner Malcolm Crompton, Managing Director of Information Integrity Solutions Pty Ltd (“IIS”), writes:

The Australian Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the “Act”) will make significant changes to the Privacy Act 1988. It’s early days for the changes and the impact for organizations will depend on their circumstances. Over the next 15 months we expect to see a range of guidance material from the Office of the Australian Information Commissioner.

On December 18, 2012, the Federal Trade Commission issued Orders to File Special Report (the “Orders”) to nine data brokerage companies, seeking information about how these companies collect and use personal data about consumers. In the Orders, the FTC requests detailed information about the data brokers’ privacy practices, including:

• the data brokerage companies’ online and offline products and services that use personal data;
• the sources and types of personal data the data brokerage companies collect;
• whether, and how, the companies acquire consumer consent before obtaining, collecting, generating, deriving, disseminating or storing the personal data;
• whether, and how, the personal data is aggregated, anonymized or de-identified;
• how the companies monitor, audit or evaluate the accuracy of the personal data they obtain;
• if, and how, consumers are able to access, correct, delete or opt out of the collection, use or sharing of the personal data the data brokerage companies maintain about the consumers;
• how the data brokerage companies provide notice to consumers about their data privacy practices;
• the advertisements or promotional materials the companies use to describe their products and services; and
• information about any complaints or disputes, or governmental or regulatory inquiries or actions, related to the companies’ data privacy practices.

On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.

On December 5, 2012, the Federal Trade Commission announced that the online advertising company Epic Marketplace, Inc. (“Epic”) agreed to settle charges that it engaged in “history sniffing” to secretly and illegally collect information about consumers’ interest in sensitive medical and financial issues. History sniffing is the practice of determining whether a consumer has previously visited a webpage by checking how a browser displays a hyperlink. The consent order requires Epic to destroy all data collected from history sniffing and bars Epic from engaging in history sniffing in the future.

On November 29, 2012, the Federal Communications Commission (“FCC”) issued a declaratory ruling finding that certain text messages businesses send to confirm a consumer’s request to opt out of text message programs do not violate a federal prohibition on sending text messages without prior express consent. This prohibition has spawned class actions against companies that have followed the provisions in the Mobile Marketing Association’s U.S. Consumer Best Practices and other industry guidelines that require companies to send a confirmatory text message in response to a consumer’s opt-out request. The FCC’s finding is limited to sending confirmatory text messages under the following conditions:

On November 28, 2012, the UK Information Commissioner’s Office (“ICO”) issued monetary penalties totaling £440,000 to two owners of a marketing company that sent millions of unlawful spam SMS text messages over a period of three years.

On November 19, 2012, 40 German advertising associations launched the “German Data Protection Council for Online Advertising,” a new initiative to coordinate and enforce self-regulation in the German online behavioral advertising (“OBA”) sector. The initiative is linked to the European Interactive Digital Advertising Alliance (“EDAA”), which manages the self-regulation efforts of the European online advertising industry.

On November 15, 2012, the UK Office of Fair Trading (the “OFT”) launched a call for information to investigate whether offering “personalized pricing” based on data companies collect about consumers’ online behavior violates consumer protection legislation in the UK. The OFT will look at how companies gather data related to “consumers’ browsing history, purchases, demographic, hardware, operating system, etc and use this to personalise products and prices.” In particular, as indicated on the OFT’s website, the OFT will analyze:

On November 9, 2012, a federal District Court in Washington certified a national class and a Washington state sub-class in an action alleging that Papa John’s International, Inc. (“Papa John’s”) violated the Telephone Consumer Protection Act (“TCPA”) by sending unsolicited text messages advertising its pizza products. The court determined that plaintiffs had standing and satisfied all other requirements for class certification.

In a joint-agency media conference and press release with the Federal Trade Commission today, the Consumer Financial Protection Bureau (“CFPB”) used the “rulemaking-through-enforcement” method of regulation to create several de-facto guidelines for what is “unfair, deceptive, or abusive” in mortgage advertising. Bypassing the more arduous rulemaking process, the CFPB published “sample warning letters” that effectively made the following advertising practices illegal:

On October 30, 2012, the U.S. District Court for the Southern District of California ruled that an opt-out confirmation text sent by Citibank (South Dakota), N.A. (“Citibank”) did not violate the Telephone Consumer Protection Act (“TCPA”). Under a “common sense” interpretation, the court determined that Citibank’s opt-out text does not demonstrate the type of invasion of privacy the TCPA seeks to prevent.

On October 22, 2012, the Federal Trade Commission announced a proposed settlement agreement with Compete, Inc. (“Compete”), an online market research company that collects clickstream data from consumers to generate and sell analytical reports about consumer behavior on the Internet.

On October 10, 2012, the Federal Trade Commission announced that consumer reporting agency Equifax Information Services LLC (“Equifax”) and several of its customers, including Direct Lending Source, Inc. (“Direct Lending”), have agreed to pay a combined total of nearly $1.6 million to settle FTC allegations that they violated the Fair Credit Reporting Act (“FCRA”) in connection with the sale of data regarding consumers in financial distress. 

As of September 1, 2012, all personal data in Germany may only be processed and used for marketing purposes (including address trading) with the express opt-in consent of the affected individuals. Furthermore, the consent language must have been specifically drawn to the attention of the relevant individual as part of the terms and conditions governing the use of his or her personal data.

On August 23, 2012, the Federal Trade Commission announced that it had filed suit against DISH Network LLC (“DISH Network”) alleging violations of the FTC’s Telemarketing Sales Rule (“TSR”). The FTC’s complaint claims that DISH Network is a “seller” and “telemarketer” as such terms are defined by the TSR because the company sells satellite television programming to consumers and also markets its programming through a variety of methods, including telemarketing. According to the complaint, since September 2007, DISH Network has engaged in initiating ...

In recent months we have seen a dismissal and two settlements in class action suits alleging violations of the Telephone Consumer Protection Act (“TCPA”) by companies that used text messaging as part of advertising campaigns. The TCPA is a federal privacy law that imposes restrictions on telephone solicitations, including telemarketing calls and text messages.

On June 27, 2012, the Hong Kong Legislative Council passed a bill to amend the Personal Data (Privacy) Ordinance (the “Ordinance”). The amendment will become effective in phases. Most provisions will become effective on October 21, 2012, and the others will take effect on a day to be announced by publication in the Hong Kong Government Gazette.

On June 11, 2012, the Federal Communications Commission published in the Federal Register its final revised rules requiring prior express written consent for all autodialed or prerecorded telemarketing “calls” to wireless phones, and for prerecorded telemarking calls to residential lines. The FCC takes the position that the “calls” covered by this written consent requirement include essentially all marketing-oriented text messages. The FCC’s rules implement the findings of the Commission’s February 2012 Report and Order.

On May 8, 2012, the Federal Trade Commission announced a settlement agreement with the social networking service Myspace LLC (“Myspace”). The FTC alleged that Myspace’s practice of sharing users’ personal information with unaffiliated third-party advertisers conflicted with representations the company made in its privacy policy, and could allow those advertisers to obtain users’ names, publicly available information and information about their online browsing habits.

On May 2, 2012, Australia’s Attorney General Nicola Roxon announced that the Australian government will introduce a bill to the Australian Parliament that will enact a number of the recommendations from the 2008 Law Reform Commission Report (ALRC Report 108) and reform privacy law in Australia. Discussion drafts of segments of the bill were considered by a Senate Committee in 2011. On May 4, Australian Privacy Commissioner Timothy Pilgrim presented an overview of the draft legislation at an event held during the iappANZ Privacy Awareness Week. Commissioner Pilgrim noted that the legislative package includes:

On April 5, 2012, social media giant Twitter, Inc. (“Twitter”) filed a civil lawsuit against spammers and makers of spamming software claiming violations of Twitter’s user agreement and various California state and common laws. Borrowing from the popular term for unsolicited email messages, Twitter’s complaint describes “spam” on Twitter as “a variety of abusive behaviors” including “posting a Tweet with a harmful link … and abusing the @reply and @mention functions to post unwanted messages to a user.” The suit alleges that certain defendants violated Twitter’s Terms of Service, which prohibit “spam and abuse,” by distributing software tools “designed to facilitate abuse of the Twitter platform and marketed to dupe customers into violating Twitter’s user agreement.” Other defendants allegedly operated large numbers of automated Twitter accounts through which they attempted to “trick Twitter users into clicking on links to illegitimate websites.”

In its new report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, the Federal Trade Commission issues a “warning call to industry that it must do more to provide parents with easily accessible, basic information about the mobile apps that their children use.” The report indicates:

“Parents should be able to learn what information an app collects, how the information will be used, and with whom the information will be shared. App developers also should alert parents if the app connects with any social media, or allows targeted advertising to occur through the app. Third parties that collect user information through apps also should disclose their privacy practices, whether through a link on the app promotion page, the developers’ disclosures, or another easily accessible method.”

Since October 2011, the Hong Kong Office of the Privacy Commissioner for Personal Data has published three “Guidance Notes” to help data users comply with the Personal Data (Privacy) Ordinance (the “Ordinance”). These Notes are not legally binding, nor are they intended to serve as an exhaustive guide to the application of the Ordinance, but they provide good, practical examples and tips that the Commissioner has developed as it has implemented the Ordinance.

On July 13, 2011, Hong Kong’s Personal Data (Privacy) (Amendment) Bill 2011 (the “Bill”), was introduced in the Legislative Council. Although the Bill has not yet been subject to an official vote, there have been several noteworthy developments.

On February 6, 2012, the Federal Trade Commission warned six marketers of background screening mobile applications that they may be violating the Fair Credit Reporting Act (“FCRA”). In a sample letter posted on the FTC website, the FTC indicates that at least one of the recipient marketer’s mobile apps involves background screening reports that include criminal history checks. Pursuant to the FCRA, this could make the marketers of the mobile apps “consumer reporting agencies” if they are “providing information to employers regarding current or prospective employees’ criminal histories [that] involves the individuals’ character, general reputation, or personal characteristics.”

On December 8, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Advertising Standards Alliance (“EASA”) and IAB Europe best practice recommendations for the online behavioral advertising (“OBA”) industry to comply with Article 5.3 of the revised e-Privacy Directive 2002/58/EC (the “cookie clause”). The cookie clause requires a user’s informed consent for the use of cookies and similar technologies that store and access information in the user’s terminal device. Finding practical ways of complying with the cookie clause has proven challenging for the OBA industry, which relies heavily on these kinds of tracking mechanisms.

On November 4, 2011, Congressmen Edward Markey (D-MA) and Joe Barton (R-TX) reiterated their privacy concerns over the handling of customer preferences in connection with Verizon’s new advertising initiative. After learning that Verizon had notified its customers of the implications of a targeted advertising campaign, on October 6, 2011, Reps. Markey and Barton, Co-Chairmen of the bipartisan Congressional Privacy Caucus, wrote a letter containing several inquiries to both Verizon and Verizon Wireless. In particular, Reps. Markey and Barton requested clarification regarding the companies’ potential disclosure of aggregated customer location information and website viewing history to third parties.

Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.

On September 27, 2011, OnStar announced it was reversing proposed changes to its Terms and Conditions that would have allowed the company to continue to receive data from former subscribers’ vehicles unless they specifically opted out.  OnStar’s current Privacy Statement indicates that the GM subsidiary collects information regarding its customers’ vehicle operation, location, approximate speed, collision data and safety belt usage in connection with OnStar’s in-vehicle GPS navigation and emergency response services, and that the company “may share or sell” any of this data in anonymized form with third parties.  OnStar recently notified customers by email that it would continue to collect data from former subscribers, and that it reserved the right to distribute such data to third parties.  The announcement prompted a swift and strong reaction from members of Congress skeptical of the proposed policy changes.

On September 15, 2011, the Federal Trade Commission released proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”).  These revisions follow the FTC’s review of the COPPA Rule, which resulted in numerous comments from various groups and individuals, as well as a public round table that took place on June 2, 2010.  The proposed amendments reflect the FTC’s commitment to “helping to create a safer, more secure online experience for children” in the face of rapid technological change.

On September 14, 2011, the Article 29 Working Party (the “Working Party”) met with representatives of the European Advertising Standards Alliance (“EASA”) and IAB Europe, to discuss the industry’s new self-regulatory code of conduct for online behavioral advertising (the “Code”), which was released on April 14, 2011.

Following the U.S. Supreme Court’s ruling in Sorrell v. IMS Health, Thomas Julin, partner at Hunton & Williams LLP who represented IMS Health in the case, closely studied the Court’s decision to assess its implications, including with respect to other forthcoming legislation.  In an interview with Marty Abrams, President of the Centre for Information Policy Leadership, during the Centre’s First Friday Call on September 9, 2011, Julin discussed the close parallels between the law invalidated in Sorrell v. IMS Health and proposed federal regulation of behavioral ...

On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information.  Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.

On July 12, 2011, Stanford Law School’s Center for Internet and Society reported the preliminary results of tests conducted with experimental software designed to detect third-party tracking.  Over the months spent developing “a platform for measuring dynamic web content,” researchers at the Stanford Security Lab analyzed tracking on the websites of Network Advertising Initiative (“NAI”) participants by observing how cookies are altered when a user opts out of behavioral tracking on the NAI website, or enables Do Not Track.

Adam Kardash from Heenan Blaikie LLP in Canada reports that Industry Canada and the Canadian Radio-television and Telecommunications Commission (“CRTC”) have released draft regulations for Canada’s Anti-Spam Legislation (“CASL”).  CASL imposes a consent-based anti-spam regime that restricts organizations’ ability to send commercial electronic messages.  Industry Canada and the CRTC are charged with the task of implementing regulations under CASL.

On June 23, 2011, in a 6-3 decision, the United States Supreme Court ruled in IMS Health Inc. v. Sorrell that a Vermont law prohibiting the sale of prescriber-identifiable data to drug companies was an unconstitutional violation of the First Amendment right to free speech.  Thomas Julin, a partner at Hunton & Williams LLP, represented IMS Health in this case.  The Supreme Court’s ruling affirmed the holding of the U.S. Court of Appeals for the Second Circuit, resolving a split with the First Circuit (which upheld a similar law in New Hampshire), and likely preventing the enactment of similar restrictive laws across the country.

In a pair of lawsuits filed against Twitter, Inc. and American Express Centurion Bank, plaintiffs in a California federal court are seeking class-action status to assert claims that the defendants violated the Telephone Consumer Protection Act (“TCPA”) by sending each plaintiff a single text message to confirm that they had processed the plaintiff’s request to opt-out of receiving further text messages.  This litigation highlights a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association’s U.S. Consumer Best Practices (the “MMA’s Best Practices”), the authoritative compilation of policies enforced by the major wireless carriers.

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

On April 26, 2011, the United States Supreme Court heard oral argument in Sorrell v. IMS Health, a case concerning the constitutionality of a Vermont law that restricts access to prescription drug records.  Laws enacted by New Hampshire, Maine and Vermont prohibit pharmacies from selling prescriber-identifiable information in prescription records to third parties for marketing purposes.  The Supreme Court seeks to resolve a circuit split that resulted from legal challenges to the statutes in all three states.  Thomas Julin, partner at Hunton & Williams LLP, represents IMS Health ...

On April 26, 2011, the French Data Protection Authority (the “CNIL”) issued a press release unveiling its inspection goals for the coming year.  In a report adopted on March 24, 2011, the CNIL indicated that it intends to conduct at least 400 inspections in France (100 more than the 2010 goal), with a special focus on the following issues: