Privacy & Information Security Law Blog

On December 9, 2014, a coalition of 23 global privacy authorities sent a letter to the operators of mobile application (“app”) marketplaces urging them to require privacy policies for all apps that collect personal information. Although the letter was addressed to seven specific app marketplaces, the letter notes that it is intended to apply to all companies that operate app marketplaces.

On December 5, 2014, the National Institute of Standards and Technology (“NIST”) released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). NIST issued the Framework earlier this year in February 2014 at the direction of President Obama’s February 2013 Critical Infrastructure Executive Order. The update is based on feedback NIST received in October at the 6th Cybersecurity Framework Workshop as well as from responses to an August Request for Information.

On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.

On November 25, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 9/2014 (the “Opinion”) on device fingerprinting. The Opinion addresses the applicability of the consent requirement in Article 5.3 of the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) to device fingerprinting. As more and more website providers suggest using device fingerprinting instead of cookies for the purpose of providing analytics or for tracking purposes, the Working Party clarifies how the rules regarding user consent to cookies apply to device fingerprinting. Thus, the Opinion expands on Opinion 04/2012 on the Cookie Consent Exemption.

On November 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including a report on the International Conference of Data Protection and Privacy Commissioners, highlights on the Council of the European Union’s proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation, and U.S. highlights on California’s breach report and Federal Communications Commission enforcement actions.

On November 12, 2014, the Federal Trade Commission announced that in response to FTC complaints, a federal court has ordered two debt brokerage companies to notify over 70,000 consumers whose sensitive personal information was posted on a public website by the debt brokerage companies.

On October 22, 2014, the Federal Trade Commission announced that several interrelated online marketing and advertising companies (“Stipulating Defendants”) agreed to pay nearly $10 million to settle allegations that they engaged in a pattern of text message spamming, robocalling and mobile cramming practices in violation of Section 5 of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule.

On October 16, 2014, the 36th International Conference of Data Protection and Privacy Commissioners in Mauritius hosted a panel including representatives from the European Data Protection Supervisor ("EDPS") and Hunton & Williams to discuss the need for a coordinated approach to net neutrality and data protection in the EU. While there are divergent views on what net neutrality should (or should not) entail, net neutrality in the EU typically refers to the principle that all Internet traffic is treated equally and without discrimination, restriction or interference.

On October 14, 2014, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the California Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

A recent decision by the United States Court of Appeals for the Ninth Circuit reinforces the importance of obtaining affirmative user consent to website Terms of Use for website owners seeking to enforce those terms against consumers. In Nguyen v. Barnes & Noble Inc., the Ninth Circuit held that Barnes & Noble’s website Terms of Use (“Terms”) were not enforceable against a consumer because the website failed to provide sufficient notice of the Terms, despite having placed conspicuous hyperlinks to the Terms throughout the website.

On September 17, 2014, the Federal Trade Commission announced that the online review site Yelp, Inc., and mobile app developer TinyCo, Inc., have agreed to settle separate charges that they collected personal information from children without parental consent, in violation of the Children’s Online Privacy Protection Rule (the “COPPA Rule”).

On September 18, 2014, the French Data Protection Authority (the “CNIL”) announced plans to review 100 French websites on September 18-19, 2014. This review is being carried out in the context of the European “cookies sweep day” initiative, an EU online compliance audit. The Article 29 Working Party organized this joint action, which runs from September 15-19, 2014, to verify whether major EU websites are complying with EU cookie law requirements.

On September 16, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including updates in the EU and Germany, highlights on the UK Information Commissioner’s Office annual report and an APEC update.

On September 8, Vermont Attorney General William Sorrell announced that SEI/Aaron’s, Inc. has entered into an assurance of discontinuance, which includes $51,000 in total fines, to settle charges over the company’s remote monitoring of its customers’ leased laptops. The settlement stems from charges accusing SEI/Aaron’s, an Atlanta-based franchise of the national rent-to-own retailer Aaron’s, Inc., of unlawfully using surveillance software on its leased laptops to assist the company in the collection of its customers’ overdue rental payments. The Vermont Office of the Attorney General claimed that such remote monitoring of the laptop users’ online activities in connection with debt collection constituted an unfair practice in violation of the Vermont Consumer Protection Act.

On September 10, 2014, the Global Privacy Enforcement Network (“GPEN”) published the results of an enforcement sweep carried out in May of this year to assess mobile app compliance with data protection laws. Twenty-six data protection authorities worldwide evaluated 1,211 mobile apps and found that a large majority of the apps are accessing personal data without providing adequate information to users.

On September 4, 2014, the Federal Trade Commission announced a proposed settlement with Google Inc. (“Google”) stemming from allegations that the company unfairly billed consumers for mobile app charges incurred by children. The FTC’s complaint alleges that since 2011, Google violated the FTC Act’s prohibition on unfair commercial practices by billing consumers for in-app charges made by children without the authorization of the account holder.

On September 15-16, 2014, the National Institute of Standards and Technology (“NIST”) will sponsor a workshop to further its Privacy Engineering initiative. The workshop will focus on developing draft privacy engineering definitions and concepts that will be explored in a forthcoming NIST report.

On August 19, 2014, the German Federal Ministry of the Interior published a revised draft cybersecurity law (the “Draft Law”). An earlier version of the law was published in March 2013. The Draft Law is intended to serve as a cornerstone of Germany’s recently-announced digital agenda.

On August 14, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) submitted its response to the National Telecommunications and Information Administration’s (“NTIA’s”) request for public comment on big data and consumer privacy issues. The NTIA’s request, which follows the White House’s recent study of big data, the May 2014 Big Data Report, and the associated President’s Council of Advisors on Science and Technology Report, seeks further public input on how big data impacts the Consumer Privacy Bill of Rights, and whether the Consumer Privacy Bill of Rights should be modified to contemplate big data.

On August 6, 2014, the Federal Trade Commission announced that it had approved a safe harbor program submitted by the Internet Keep Safe Coalition (“iKeepSafe”), stating the program provides the “same or greater protections” for children under the age of 13 as those contained in the new Children’s Online Privacy Protection Rule (the “COPPA Rule”). An updated version of the COPPA Rule came into effect July 1, 2013.

On August 1, 2014, the Federal Trade Commission released a new staff report examining the consumer protection implications of popular mobile device applications that provide shopping and in-store purchase services. The report, What’s the Deal? An FTC Study on Mobile Shopping Apps, details the findings from a recent FTC staff survey that studied consumer rights and data protection issues associated with some of the most popular mobile shopping apps on the market.

On July 31, 2014, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on its Telemarketing Sales Rule (“TSR”) as “part of the FTC’s systematic review of all current Commission regulations and guides.” In the press release accompanying the Federal Register notice, the FTC stated that its questions for the public focus on (1) the use and sharing of pre-acquired account information in telemarketing, and (2) issues raised by the use of negative-option and free-trial offers in combination with general media ads designed to generate inbound telemarketing calls from consumers. The FTC’s review process comes less than a year after the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules became effective.

The EU Sub-Committee on Home Affairs, Health and Education of the UK House of Lords has published its Second Report for 2013-14, entitled EU Data Protection Law: A 'Right to Be Forgotten'? (the “Report”). The Report summarizes the findings of the Sub-Committee’s investigation into the right to be forgotten, and was triggered in large part by the European Court of Justice’s (“ECJ’s”) decision in Google v. Costeja (Case C-131/12, “Costeja”). In Costeja, the ECJ held that individuals have a right to request that their personal data no longer be displayed by online search engines in the results for searches made on the basis of the individual’s name, particularly if the information is inadequate, irrelevant or excessive (commonly referred to as the “right to be forgotten”).

On July 15, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including the recent judgment in the Costeja case, the Centre for Information Policy Leadership’s work on a risk-based approach to privacy, the new Canadian anti-spam legislation that went into effect on July 1, and other developments in the U.S. and EU.

On July 16, 2014, the Federal Trade Commission posted revisions to its Frequently Asked Questions that provide guidance on complying with the Children’s Online Privacy Protection Rule (the “COPPA Rule”). The revisions, which are in Section H of the FAQs, address the COPPA Rule requirement that operators of certain websites and online services obtain a parent’s consent before collecting personal information online from a child under the age of 13.

On July 10, 2014, the UK government announced plans to introduce emergency data retention rules, publishing the Data Retention and Investigatory Powers Bill (the “Bill”) along with explanatory notes and draft regulations. The publication of the Bill follows the European Court of Justice’s April 2014 declaration that the EU Data Retention Directive (the “Directive”) is invalid. Under the Directive, EU Member States were able to require communications service provides (e.g., ISPs) to retain communications data relating to their subscribers for up to 12 months.

On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.

On July 10, 2014, the Federal Trade Commission announced that it filed a complaint against Amazon.com, Inc. (“Amazon”) for failing to obtain the consent of parents or other account holders prior to billing them for in-app charges incurred by children. According to the complaint, Amazon, which offers children’s apps through its Appstore, bills Amazon account holders in real money for virtual items that children obtain within an app (i.e., “in-app” charges).

Last week, the Russian Parliament adopted a bill amending portions of Russia’s existing legislation on privacy, information technology and data protection. Among other provisions, the law would create a “data localization” obligation for companies engaged in the transmission or recording of electronic communications over the Internet. Such companies would be required to store copies of the data for a minimum of six months in databases that must be located within the Russian Federation. The new bill also would empower the Russian data protection authority to block public Internet access to any service that does not comply with this requirement.

On July 1, 2014, the Federal Court of Justice of Germany ruled that website operators cannot be compelled to disclose a user’s personal data to third parties in the context of civil defamation proceedings. The case is notable as it clarifies the limits Germany’s Telemedia Act places on how and when personal data can be disclosed in an online context.

The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a white paper entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice. This is the first paper in the Centre’s new multi-year Privacy Risk Framework Project. It follows the Centre’s March 2014 Risk Workshop, held in Paris with Centre members, privacy experts, regulators and other stakeholders. The Risk Framework Project is the next phase of the Centre’s earlier work on organizational accountability, focusing specifically on one important aspect of accountability – conducting risk assessments that identify, evaluate and mitigate the privacy risks to individuals posed by an organization’s proposed data processing.

On June 2, 2014, the U.S. Department of Justice announced a U.S.-led multinational effort to disrupt the “Gameover Zeus” botnet and the malware known as “Cryptolocker.” The DOJ also unsealed charges filed in Pittsburgh, Pennsylvania and Omaha, Nebraska against an administrator of Gameover Zeus.

On June 3 and 4, 2014, the Article 29 Working Party held a meeting to discuss the consequences of the European Court of Justice’s May 13, 2014 judgment in Costeja, which is widely described as providing a “right to be forgotten.” Google gave effect to the Costeja decision by posting a web form that enables individuals to request the removal of URLs from the results of Google searches that include that individual’s name. The Working Party announced that it welcomed Google’s initiative, but pointed out that it is “too early to comment on whether the form is entirely satisfactory.” The Working Party also announced that it will prepare guidelines to ensure a common approach to the implementation of Costeja by the national data protection authorities. Finally, the Working Party called on search engine operators to implement user-friendly processes that enable users to exercise their right to deletion of search result links containing their personal data.

On June 4, 2014, the U.S. Government Accountability Office (“GAO”) testified before the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law on GAO’s findings regarding (1) companies’ use and sharing of consumer location data, (2) privacy risks associated with the collection of location data, and (3) actions taken by certain companies and federal agencies to protect the privacy of location data. GAO’s testimony relates to its 2012 and 2013 reports that examined the collection of location data by certain mobile industry companies and in-car navigation providers.

On May 27, 2014, the Federal Trade Commission announced the release of a new report entitled Data Brokers: A Call for Transparency and Accountability, detailing the findings of an FTC study of nine data brokers, representing a cross-section of the industry. The Report concludes that the data broker industry needs greater transparency and recommends that Congress consider enacting legislation that would make data brokers’ practices more visible and give consumers more control over the collection and sharing of their personal information.

On May 30, 2014, Google posted a web form that enables individuals to request the removal of URLs from the results of searches that include that individual’s name. The web form acknowledges that this is Google’s “initial effort” to give effect to the recent and controversial decision of the Court of Justice of the European Union in Costeja, widely described as providing a “right to be forgotten.” That Google has moved quickly to offer individuals a formal removal request process will be viewed favorably, but the practicalities of creating a removals process that satisfies all interested parties will remain challenging, and not just for Google.

On May 14, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program provided a global overview of some of the most debated topics in data protection and privacy, including cross-border data flows, global data breach issues and the EU Cybersecurity Directive. In addition, we highlighted the latest information regarding the GPEN enforcement sweep.

On May 23, 2014, the Federal Trade Commission announced that the FTC’s Bureau of Consumer Protection sent a letter to the court overseeing the bankruptcy proceedings for ConnectEDU Inc. (“ConnectEDU”), an education technology company, warning that the proposed sale of the company’s assets raises privacy concerns. ConnectEDU’s assets include personal information collected from students, high schools and community colleges in connection with the company’s website and affiliated services.

On May 21, 2014, California Attorney General Kamala D. Harris issued guidance for businesses (“Guidance”) on how to comply with recent updates to the California Online Privacy Protection Act (“CalOPPA”). The recent updates to CalOPPA include requirements that online privacy notices disclose how a site responds to “Do Not Track” signals, and whether third parties may collect personal information about consumers who use the site. In an accompanying press release, the Attorney General stated that the Guidance is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.” The Guidance is not legally binding; it is intended to encourage companies to draft transparent online privacy notices.

On May 13, 2014, the European Court of Justice (the “CJEU”) rendered its judgment in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v. AEPD” or the “case”). The case concerns a request made by a Spanish individual, Mr. Costeja, to the Spanish Data Protection Authority (Agencia Española de Protección de Datos or “AEPD”) to order the removal of certain links from Google’s search results. The links relate to an announcement in an online newspaper of a real estate auction for the recovery of Mr. Costeja’s social security debts. The information was lawfully published in 1998, but Mr. Costeja argued that the information had become irrelevant as the proceedings concerning him had been fully resolved for a number of years. The AEPD upheld the complaint and ordered Google Spain S.L. and Google Inc. (“Google”) to remove the links from their search results. Google appealed this decision before the Spanish High Court, which referred a series of questions to the ECJ for a preliminary ruling. The ECJ ruled as follows:

On May 13, 2014, the French data protection authority (“CNIL”) decided to examine 100 mobile apps most commonly used in France.

On May 6, 2014, the Office of the Privacy Commissioner of Canada announced the Global Privacy Enforcement Network’s (“GPEN’s”) second annual enforcement sweep. The sweep will focus on mobile app privacy and how mobile apps collect and use personal data.

On April 21, 2014, the Securities and Exchange Commission’s Division of Corporation Finance published new Compliance and Disclosure Interpretations (“C&DIs”) concerning the use of social media in certain securities offerings, business combinations and proxy contests. Notably, the C&DIs permit the use of an active hyperlink to satisfy the cautionary legend requirements in social media communications when the social media platform limits the text or number of characters that may be included (e.g., Twitter). The C&DIs also clarify that postings or messages re-transmitted by unrelated third parties generally will not be attributable to the issuer (so issuers will not be required to ensure that third parties comply with the guidance). In addition, requirements regarding cautionary legends contemplated by the C&DIs apply to both issuers and other soliciting parties in proxy fights or tender offers. Accordingly, although the new guidance will allow issuers to communicate with their shareholders and potential investors via social media, it also may prove useful to activists in proxy fights and tender offers.

On February 18, 2014, the Frankfurt am Main Regional Court issued a ruling addressing the use of opt-out notices for web analytics tools. The case concerned Piwik web analytics software and its “AnonymizeIP” function. The court held that website users must be informed clearly about their right to object to the creation of pseudonymized usage profiles. This information must be provided when a user first visits the website (e.g., via a pop-up or highlighted/linked wording on the first page) and must be accessible at all times (e.g., via a privacy notice).

On May 1, 2014, the White House released a report examining how Big Data is affecting government, society and commerce. In addition to questioning longstanding tenets of privacy legislation, such as notice and consent, the report recommends (1) passing national data breach legislation, (2) revising the Electronic Communications Privacy Act (“ECPA”), and (3) advancing the Consumer Privacy Bill of Rights.

On April 24, 2014, the Belgian Data Protection Authority (the “Privacy Commission”) published a Draft Recommendation regarding cookie usage, inviting all stakeholders to provide their input on the text. The Draft Recommendation clarifies the Belgian legal framework for the use of cookies and similar technologies, examining in detail the different purposes for which cookies and similar technologies may be used (e.g., authentication, storage of preferences) and explaining the steps to be taken to ensure compliance for each type of cookie use.

On April 25, 2014, a judge in the U.S. District Court for the Southern District of New York ruled that Microsoft must release user data to U.S. law enforcement when issued a search warrant, even if the data is stored outside of the U.S.

On April 23, 2014, Brazilian President Dilma Rousseff enacted the Marco Civil da Internet (“Marco Civil”), Brazil’s first set of Internet regulations. The Marco Civil was approved by the Brazilian Senate on April 22, 2014. President Rousseff signed the law at the NETMundial Internet Governance conference in São Paulo, a global multistakeholder event on the future of Internet governance.

On April 10, 2014, the Federal Trade Commission announced that the Director of the FTC’s Bureau of Consumer Protection had notified Facebook and WhatsApp Inc., reminding both companies of their obligation to honor privacy statements made to consumers in connection with Facebook’s proposed acquisition of WhatsApp.

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On March 28, 2014, the Federal Trade Commission announced proposed settlements with Fandango and Credit Karma stemming from allegations that the companies misrepresented the security of their mobile apps and failed to secure consumers’ sensitive personal information transmitted using their mobile apps.

Join us in New York City on May 19-20, 2014, for the Privacy, Policy & Technology Summit – A High Level Briefing for Today’s Top Privacy Executives. Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP will be a featured speaker at the session on “Cybersecurity: Insider Tips for Proactively Protecting Your Company and Its Data While Reducing Downstream Regulatory and Litigation Exposure.”

On March 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program focused on some of the recent developments in privacy, including observations from the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C., earlier this month, the National Institute of Standards and Technology final Cybersecurity Framework and the Article 29 Working Party’s recent Opinion on Binding Corporate Rules and Cross-Border Privacy Rules.

On March 18, 2014, Brazilian lawmakers announced the withdrawal of a provision in pending legislation that would have required Internet companies to store Brazilian users’ data within the country.

On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.

On the 25th anniversary of his first proposal for what would become the World Wide Web (the “Web”), Sir Timothy John “Tim” Berners-Lee expressed concern at what he sees as the increasing threat that governments and commercial interests pose to the openness and accessibility of the Web. In a wide-ranging interview with the UK’s The Guardian newspaper, Berners-Lee criticized the approach that some lawmakers have taken on issues such as net neutrality and copyright legislation, as well as the decision by some countries to limit access to the wider Internet. He also called for an end to the control that the U.S. Department of Commerce exerts over the Internet Domain Name System.

The Federal Trade Commission recently acted on three industry proposals in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. Specifically, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism, approved a proposed “safe harbor” program and is seeking public comment on a separate proposed “safe harbor” program.

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Cybersecurity Framework, as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Framework, which includes standards, procedures and processes for reducing cyber risks to critical infrastructure, reflects changes based on input received during a widely-attended public workshop held last November in North Carolina and comments submitted with respect to a preliminary version of the Framework that was issued in October 2013.

On January 22, 2014, at the World Economic Forum in Davos-Klosters, Switzerland, Sweden’s Minister for Foreign Affairs Carl Bildt announced the creation of a new independent commission that will examine the future of Internet governance. The Global Commission on Internet Governance (the “Commission”) is being launched by think tanks Chatham House and The Centre for International Governance Innovation (“CIGI”). The Commission will be chaired by Bildt, Sweden’s former Prime Minister, and supported by expert members representing business, government, academia and civil society. In announcing the initiative, Bildt stated that “[n]et freedom is as fundamental as freedom of information and freedom of speech in our societies.”

On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.

On January 15, 2014, the Federal Trade Commission announced a proposed settlement with Apple Inc. stemming from allegations that the company billed consumers for mobile app charges incurred by children without their parents’ consent. Specifically, the FTC’s complaint alleges that Apple violated the FTC Act by not informing account holders that, for a 15-minute window after entering their password to approve a single in-app purchase, their children could make unlimited purchases without further action by the parent.

On December 23, 2013, the Federal Trade Commission announced that it accepted a proposed mechanism, submitted by Imperium, LLC (“Imperium”), to obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines were published in November 2012.

In recent months, the Chinese government has devoted attention to the protection of personal information with, as we previously reported, the promulgation of a number of new data protection regulations. This focus is also illustrated by recent actions related to crimes involving personal information.

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

On November 21, 2013, the Supreme People’s Court of China passed the Provisions on the Online Issuance of Judgment Documents by People’s Courts (the “Provisions”), which will take effect on January 1, 2014. The Provisions replace earlier rules (of the same title) enacted by the Supreme People’s Court on November 8, 2010, and generally focus on improved implementation of the principles of standardizing the online issuance of judgment documents, promoting judicial justice and enhancing the public credibility of the judiciary.

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to non-HIPAA covered websites and apps. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

On December 5, 2013, the Federal Trade Commission announced a proposed settlement with mobile app developer Goldenshores Technologies, LLC (“Goldenshores”) following allegations that Goldenshores’ privacy policy for its popular Brightest Flashlight Free app deceived consumers regarding how the app collects information, including geolocation information, and how that information may be shared with third parties. Brightest Flashlight Free, developed for the Android operating system, allows its users to use their cell phones as flashlights.

On December 3, 2013, Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, spoke at the American European Community Association Conference in Brussels on Data Protection: The Challenges and Opportunities for Individuals and Businesses. Strickling discussed the Obama Administration’s commitment to “preserving the dynamism and openness of the Internet, enhancing the free flow of information, and strengthening our Internet economy.” He addressed the issues surrounding U.S. surveillance operations and the European Commission’s recent report on Safe Harbor. Strickling also provided a progress report on improvements to consumer privacy protection since the White House released its Consumer Privacy Bill of Rights in February 2012, including an update on the National Telecommunications and Information Administration’s (“NTIA’s”) multistakeholder process to develop industry codes of conduct.

On December 3, 2013, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced a new multistakeholder process to develop a code of conduct regarding the commercial use of facial recognition technology. The first meeting is set for February 6, 2014 in Washington, D.C., and will provide stakeholders with background on the privacy issues associated with facial recognition technology, including how facial recognition technology currently is being used by businesses and how it may be used in the near future. The February meeting is open to all interested stakeholders and will be available for viewing via webcast. Additional meetings are planned for the spring and summer of 2014.

On November 22, 2013, New Jersey’s Acting Attorney General announced that the State had entered into a settlement agreement with Dokogeo, Inc. (“Dokogeo”), a California-based company that makes mobile device applications, regarding allegations that one of the company’s mobile apps violated the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the recently amended Children’s Online Privacy Protection Rule (the “Rule”) and the New Jersey Consumer Fraud Act.

On November 15, 2013, the U.S. Government Accountability Office (“GAO”) released a report (the “Report”) finding that the current federal statutory privacy scheme contains “gaps” and “does not fully reflect” the Fair Information Practice Principles (“FIPPs”). The Report focused primarily on companies that gather and resell consumer personal information, and on the use of consumer personal information for marketing purposes.

Brazilian lawmakers, including José Eduardo Cardozo, the Minister of Justice of Brazil, and Ideli Salvatti, the Secretariat of Institutional Relations, held several consensus-building meetings with party leaders over the past two weeks to reach a voting agreement on the Marco Civil da Internet (“Marco Civil”), a draft bill introduced in the Brazilian Congress in 2011. The Marco Civil would establish Brazil’s first set of Internet regulations, including requirements regarding personal data protection and net neutrality.

On November 19, 2013, the Federal Trade Commission held a workshop in Washington, D.C. to discuss The Internet of Things: Privacy & Security in a Connected World. FTC Chair Edith Ramirez and FTC Senior Attorney Karen Jagielski provided the opening remarks. Chairwoman Ramirez raised three key issues for workshop participants to consider:

The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

On November 13, 2013, the Federal Trade Commission announced that it denied a proposal submitted by AssertID, Inc. for a mechanism to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

On November 13, 2013, Google entered into a $17 million settlement agreement with the attorneys general from 37 states and the District of Columbia related to allegations that the company bypassed users’ cookie-blocking settings on Apple’s Safari browser in 2011 and 2012. The settlement requires Google to refrain from bypassing cookie controls in the future and requires Google to maintain a page on its site informing users about cookies and how to manage them. Last year, Google agreed to a $22.5 million settlement with the Federal Trade Commission in connection with similar ...

On November 26, 2013, Kazakhstan’s new data privacy law, On Personal Data and Their Protection, will come into effect. The law was passed on May 21, 2013. Kazakhstan is the second country in Central Asia to enact a data privacy law, joining the Kyrgyz Republic, which passed the Law on Personal Data in 2008.

On November 2, 2013, Hunton & Williams partner Paul M. Tiao was featured on the Voice of America discussing the importance of the National Security Agency restoring trust among industry and foreign government allies. In the feature, “Next NSA Chief to Face Challenges, Change,” Tiao talked about some of the difficulties that will confront the NSA Director’s successor, and why government surveillance is likely to continue.

On October 25, 2013, the Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests (the “Amendment”). The Amendment, which was adopted after three readings and will take effect on March 15, 2014, adds provisions designed to respond to the recent boom in online shopping and focuses on improving protections in the area of consumer rights and interests by:

On October 22, 2013, the Federal Trade Commission announced a proposed settlement with Aaron’s, Inc. (“Aaron’s”) stemming from allegations that it knowingly assisted its franchisees in spying on consumers. Specifically, the FTC alleged that Aaron’s facilitated its franchisees’ installation and use of software on computers rented to consumers that surreptitiously tracked consumers’ locations, took photographs of consumers in their homes, and recorded consumers’ keystrokes in order to capture login credentials for email, financial and social media accounts. The FTC had previously settled similar allegations against Aaron’s and several other companies.

On October 22, 2013, the National Institute of Standards and Technology (“NIST”) issued the Preliminary Cybersecurity Framework (the “Preliminary Framework”), as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Preliminary Framework includes standards, procedures and processes for reducing cyber risks to critical infrastructure. It will be published in the Federal Register within a few days for public comment. Under the Executive Order, NIST is required to issue a final version of the Framework in February 2014. NIST is planning to host a public workshop on the Preliminary Framework in mid-November to give industry and other groups an opportunity to provide their views on this document.

On October 12, 2013, California Governor Jerry Brown vetoed an electronic communications privacy bill. The bill, SB 467, would have compelled law enforcement to obtain a search warrant before seeking to access any email or other electronic communication maintained by service providers. The bill went beyond the scope of the federal Electronic Communications Privacy Act, which obligates law enforcement to obtain search warrants only for electronic communications that are unopened or stored by service providers for fewer than 180 days. The California bill was very similar to a bill signed into law in Texas earlier in 2013 that required law enforcement agencies to obtain warrants before accessing customer electronic data held by email service providers.

On October 2, 2013, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU legal requirements (“Working Document”).

On October 8, 2013, a Royal Decree was published completing the transposition of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) into Belgian law. The Royal Decree was adopted on September 19, 2013.

On October 2, 2013, the 86th Conference of the German Data Protection Commissioners concluded in Bremen. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On October 4, 2013, The Centre for Information Policy Leadership’s Senior Policy Advisor Fred Cate reported on the 35th International Conference of Data Protection and Privacy Commissioners which concluded on September 24 in Warsaw, Poland. The report indicates that four main issues dominated the Conference: (1) challenges presented by technologies such as mobile apps and online profiling, (2) multinational interoperability and enforcement, (3) pending EU data protection regulation and alternatives, and (4) repercussions of NSA surveillance activities.

On September 27, 2013, California Governor Jerry Brown signed into law a bill amending the California Online Privacy Protection Act (“CalOPPA”) to require website privacy notices to disclose how the site responds to “Do Not Track” signals, and whether third parties may collect personal information when a consumer uses the site. Although the changes to the law do not prohibit online behavioral advertising, this is the first law in the United States to impose disclosure requirements on website operators that track consumers’ online behavior.

On September 25, 2013, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, expanded his investigation of the data broker industry by asking twelve popular health and personal finance websites to answer questions about their data collection and sharing practices.

On September 23 and 24, 2013, a declaration and eight resolutions were adopted by the closed session of the 35th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. This blog post provides an overview of the declaration and the most significant resolutions.

On September 26, 2013, the UK Information Commissioner’s Office (“ICO”) published new breach notification guidance (the “Guidance”), applicable to telecom operators, Internet service providers (“ISPs”) and other public electronic communications service (“ECS”) providers.

On September 23, 2013, California Governor Jerry Brown signed a bill that adds “Privacy Rights for California Minors in the Digital World” to the California Online Privacy Protection Act (“CalOPPA”). The new CalOPPA provisions prohibit online marketing or advertising certain products to anyone under age 18, and require website operators to honor requests made by minors who are registered users to remove content the minor posted on the site. In addition, operators must provide notice and instructions to minors explaining their rights regarding the removal of content they’ve posted.

Recent months have seen a significant increase in highly-publicized cyber attacks and cybersecurity incidents, including an August 2013 attack on The New York Times’ website that shut down the site twice in two weeks. Unsurprisingly, there also has been an upswing in the demand for, and underwriting of, cyber insurance. In a recent Law360 article, Takeaways from Recent Cyberattack on New York Times, Hunton & Williams Insurance Litigation & Counseling partner Lon Berk considers whether a hypothetical cyber insurance policy would have covered such a loss.

As reported in the Hunton Employment & Labor Perspectives Blog:

The U.S. District Court for the District of New Jersey recently ruled that non-public Facebook wall posts are protected under the Federal Stored Communications Act (the “SCA”) in Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-CV-3305 (WMJ) (D.N.J. Aug. 20, 2013). The plaintiff was a registered nurse and paramedic at Monmouth-Ocean Hospital Service Corp. (“MONOC”). She maintained a personal Facebook profile and was “Facebook friends” with many of her coworkers but none of the MONOC managers. She adjusted her privacy preferences so only her “Facebook friends” could view the messages she posted onto her Facebook wall. Unbeknownst to the plaintiff, a coworker who was also a “Facebook friend” took screenshots of the plaintiff’s wall posts and sent them to a MONOC manager. When the manager learned of a wall post in which the plaintiff criticized Washington, D.C. paramedics in their response to a museum shooting, MONOC temporarily suspended the plaintiff with pay and delivered a memo warning her that the wall post reflected a “deliberate disregard for patient safety.” The plaintiff subsequently filed suit alleging violations of the SCA, among other claims.

On September 9, 2013, the Federal Trade Commission announced that it is seeking public comment on another proposed mechanism (submitted by Imperium, LLC) to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. This announcement follows on the heels of a similar recent announcement that the Commission is seeking public comment on a parental consent mechanism proposed by a different company.

On September 4, 2013, California state legislators passed an amendment to the state’s breach notification law. The bill, SB 46, would expand notification requirements to include security incidents involving the compromise of personal information that would permit access to an online or email account. Pursuant to SB 46, the definition of “personal information” contained in Sections 1798.29 and 1798.82 of California’s Civil Code would be amended to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Notably, the compromise of these data elements alone  ̶  even when not in conjunction with an individual’s first name or first initial and last name  ̶  would trigger a notification obligation under the amended law. In addition, the bill does not limit the data elements that constitute “personal information” to those that would permit access to an individual’s financial account.

On August 8, 2013, the State Council of the People’s Republic of China released its “Opinions Regarding Facilitating Information Consumption and Boosting Domestic Demand” (Guofa [2013] No. 32, the “Opinions”). The Opinions provide guidelines for encouraging the development of the “consumption of information” in the next few years. “Consumption of information” is a recently-coined Chinese term that encompasses the demand for, and possession, processing and reproduction of, information.

On September 5, 2013, Pew Research Center released a report detailing the results of a new survey that questioned 792 Internet and smartphone users in the United States about their desire for anonymity and issues they have faced regarding privacy and security online. The report indicates that although most Internet users may wish to be anonymous online, they don’t believe complete anonymity is possible.

On August 29, 2013, the FTC announced that it had filed a complaint against LabMD, Inc. (“LabMD”) for failing to protect consumers’ personal data. According to the complaint, LabMD, which performs various laboratory tests for consumers, exposed the personal information of more than 9,000 consumers on a peer-to-peer (“P2P”) file-sharing network. Specifically, a LabMD spreadsheet that was found on the P2P network contained names, Social Security numbers, dates of birth, health insurance information and medical treatment codes. In another instance, identity thieves were able to obtain LabMD documents that contained the personal information of more than 500 consumers, including names, Social Security numbers and bank account information.