Privacy & Information Security Law Blog

Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data.  These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.  The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest.  Also, the potential penalties for violation ...

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

Maybe, but it's not that kind of "boxing"...think walls and a lid instead of a ring.  "Boxing is where a consumer’s vision and choices are limited by his or her digital history and the analytics that make judgments based on that digital history."  Government agencies are concerned with outcome-based analytics and its impact on consumer choice.  Read more on "Boxing and Concepts of Harm," written by Marty Abrams of the Centre for Information Policy Leadership, published in the September 2009 issue of Privacy and Data Security Law Journal

In its announcement that it would convene a series of public roundtables to address developing privacy issues, the Federal Trade Commission requested empirical data on consumer privacy expectations. In response to that request, researchers at the University of California at Berkeley and the University of Pennsylvania have released a study entitled "Americans Reject Tailored Advertising." Survey data reported in the study found that 66% of Americans reject targeted advertising online; 86% reject such ads when told they are made possible through online data collection. The ...

On September 15, 2009, the Federal Trade Commission unveiled a series of public roundtables that will focus on the effect of modern technology and business practices on the privacy of consumer information.  The goal of the panels is to explore how to best balance the concerns for consumer privacy, beneficial use of consumer information and technological innovation.  The discussions will address myriad technologies and practices, such as social networking, cloud computing, behavioral marketing, mobile marketing and, generally, the collection of consumer information for ...

On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations.  In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”

On July 28, 2009,  the Data Privacy Subgroup meeting at the Asia-Pacific Economic Cooperation (APEC) Forum in Singapore reported a number of privacy-related legislative developments on the horizon.  Among the highlights:

• On July 15, the Malaysian Cabinet approved privacy legislation to be enacted by the Parliament in early 2010 
• Vietnam is set to enact consumer protection legislation including privacy provisions in 2010 
• Hong Kong's Privacy Commissioner will soon begin a review process to evaluate how privacy law has kept up with changing technology
• The Philippines is set to enact ...

The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports.  The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Transactions Act of 2003 (“FACTA”).  The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009.  The final rules and guidelines will take effect on July 1, 2010. 

In a closely-watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade ...

The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry.  The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests.  The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area.  We will keep you posted as more details regarding the plan emerge.

On June 4, 2009, the Federal Trade Commission (“FTC”) reported that Sears Holdings Management Corporation (“Sears”) agreed to enter into a settlement regarding the Commission’s allegations that the company violated Section 5 of the FTC Act in connection with a new online community application it had developed.  Participation in the community allowed Sears to track consumers’ online and, to some extent, offline activities.  The FTC’s action is notable as a potential precursor to future enforcement by the FTC in the areas of both transparency and tracking online behavior, the latter having been previously highlighted as an area of interest for the agency.  The settlement, discussed in more detail below, is notable in that its requirements make clear that substantial tracking of consumer behavior must be sufficiently transparent (not disclosed only in a lengthy privacy policy or agreement), consumers’ opt-in consent to such tracking must be obtained and, disclosures regarding the nature of the tracking must be made at a meaningfully early stage of the transaction.

On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection."  According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine up to € 50,000.

In addition, the Act clarifies that a commercial phone call is only lawful if the recipient has given his or her prior explicit consent to receive the call.  The provision is intended to prevent the caller's reliance on consent that may have been given by the recipient in a totally different ...

In February 2009, the Ponemon Institute published the results of its inaugural study "Germany - 2008 Annual Study: Cost of a Data Breach."  The study is the first such research study undertaken in Germany, using data from actual incidents to estimate the costs of dealing with data breaches by German companies.  The study examined the experience of 18 German organizations that suffered a breach.  These case studies reviewed ranged in size an incident involving less than 3,750 records to an incident involving more than 90,000 records.  The breaches reviewed occurred across ten industry ...

On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221).  The Act would require companies to implement reasonable data security policies and procedures to protect personal information.  It would also mandate security breach notifications for consumers affected by data security breaches.

Federal Trade Commission Chairman Jon Leibowitz has appointed six senior staff members with extensive experience in the private sector, in the public interest community, in academia, and in government.

“We’re delighted to attract such a talented and creative group of people,” Leibowitz said. “Their leadership and expertise will help ensure that the Commission’s work on behalf of American consumers will continue to be effective. We’re very fortunate.”

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. 

This week, the Federal Communications Commission announced a broad consumer privacy enforcement action against over 600 telecommunications carriers.  The Commission issued notices of liability against carriers that failed to certify compliance with regulations governing the protection of Consumer Proprietary Network Information (“CPNI”) and carriers that filed inadequate certifications.  The Commission proposed fines of $20,000 against carriers that failed to file the required certification and up to $10,000 against carriers whose certifications were non-compliant.

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.