Posts tagged Consumer Protection.
Time 1 Minute Read

On October 10, 2014, TD Bank, N.A. entered into an assurance of voluntary compliance (“Assurance”) with a multistate group of nine attorneys general to settle allegations that the company violated state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The breach involved the loss of two unencrypted backup tapes containing the personal information of approximately 260,000 customers. The Assurance requires TD Bank to pay $850,000 to the attorneys general.

Time 2 Minute Read

On October 20, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a finalized rule that enables certain financial institutions to comply with the Gramm-Leach-Bliley Act (“GLB”) by publishing their financial privacy notices online instead of mailing them to their customers. The GLB Privacy Rule requires financial institutions to provide privacy notices to their customers on an annual basis. The new disclosure method only applies to financial institutions regulated by the CFPB and does not impact those entities regulated by the Securities and Exchange Commission, Commodity Futures Trading Commission or Federal Trade Commission.

Time 3 Minute Read

On October 9, 2014, the 88th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for all German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information to share their views on current data protection issues, discuss relevant cases and adopt resolutions aimed at harmonizing how data protection law is applied across Germany. During the conference, several resolutions concerning privacy were adopted.

Time 2 Minute Read

On October 17, 2014, the White House announced that the President signed a new executive order focused on cybersecurity.  The signed executive order, entitled Improving the Security of Consumer Financial Transactions (the “Order”), is focused on securing consumer transactions and sensitive personal data handled by the U.S. Federal Government.

Time 2 Minute Read

On October 14, 2014, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the California Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.

Time 3 Minute Read

On October 8, 2014, the Federal Trade Commission announced an $80 million settlement with mobile phone carrier AT&T Mobility, LLC (“AT&T”) stemming from allegations related to mobile cramming. The $80 million payment to the FTC is part of a larger $105 million settlement between AT&T and various federal and state regulators, including the Federal Communications Commission and the attorneys general of all 50 states and the District of Columbia. According to the FCC, “[t]he settlement is the largest enforcement action in FCC history.”

Time 4 Minute Read

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

Time 2 Minute Read

A recent decision by the United States Court of Appeals for the Ninth Circuit reinforces the importance of obtaining affirmative user consent to website Terms of Use for website owners seeking to enforce those terms against consumers. In Nguyen v. Barnes & Noble Inc., the Ninth Circuit held that Barnes & Noble’s website Terms of Use (“Terms”) were not enforceable against a consumer because the website failed to provide sufficient notice of the Terms, despite having placed conspicuous hyperlinks to the Terms throughout the website.

Time 4 Minute Read

On September 17, 2014, the Federal Trade Commission announced that the online review site Yelp, Inc., and mobile app developer TinyCo, Inc., have agreed to settle separate charges that they collected personal information from children without parental consent, in violation of the Children’s Online Privacy Protection Rule (the “COPPA Rule”).

Time 1 Minute Read

On September 16, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including updates in the EU and Germany, highlights on the UK Information Commissioner’s Office annual report and an APEC update.

Time 2 Minute Read

On September 8, Vermont Attorney General William Sorrell announced that SEI/Aaron’s, Inc. has entered into an assurance of discontinuance, which includes $51,000 in total fines, to settle charges over the company’s remote monitoring of its customers’ leased laptops. The settlement stems from charges accusing SEI/Aaron’s, an Atlanta-based franchise of the national rent-to-own retailer Aaron’s, Inc., of unlawfully using surveillance software on its leased laptops to assist the company in the collection of its customers’ overdue rental payments. The Vermont Office of the Attorney General claimed that such remote monitoring of the laptop users’ online activities in connection with debt collection constituted an unfair practice in violation of the Vermont Consumer Protection Act.

Time 2 Minute Read

On September 3, 2014, the Federal Communications Commission announced that Verizon has agreed to pay $7.4 million to settle an FCC Enforcement Bureau investigation into Verizon’s use of personal information for marketing. The investigation revealed that Verizon had used customers’ personal information for marketing purposes over a multiyear period before notifying the customers of their right to opt out of such marketing.

Time 2 Minute Read

On September 4, 2014, the Federal Trade Commission announced a proposed settlement with Google Inc. (“Google”) stemming from allegations that the company unfairly billed consumers for mobile app charges incurred by children. The FTC’s complaint alleges that since 2011, Google violated the FTC Act’s prohibition on unfair commercial practices by billing consumers for in-app charges made by children without the authorization of the account holder.

Time 4 Minute Read

On August 14, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) submitted its response to the National Telecommunications and Information Administration’s (“NTIA’s”) request for public comment on big data and consumer privacy issues. The NTIA’s request, which follows the White House’s recent study of big data, the May 2014 Big Data Report, and the associated President’s Council of Advisors on Science and Technology Report, seeks further public input on how big data impacts the Consumer Privacy Bill of Rights, and whether the Consumer Privacy Bill of Rights should be modified to contemplate big data.

Time 2 Minute Read

On August 14, 2014, the Center for Digital Democracy (“CDD”) filed a complaint with the Federal Trade Commission and requested that the Commission investigate 30 companies certified to the U.S.-EU Safe Harbor Framework. In the complaint, CDD maintains that it analyzed 30 data marketing and profiling companies that currently are Safe Harbor-certified and identified the following five overarching themes that CDD claims “underscore the fundamental weakness of the Safe Harbor in its current incarnation,” including that the companies: 

Time 1 Minute Read

On August 6, 2014, the Federal Trade Commission announced that it had approved a safe harbor program submitted by the Internet Keep Safe Coalition (“iKeepSafe”), stating the program provides the “same or greater protections” for children under the age of 13 as those contained in the new Children’s Online Privacy Protection Rule (the “COPPA Rule”). An updated version of the COPPA Rule came into effect July 1, 2013.

Time 3 Minute Read

On August 1, 2014, the Federal Trade Commission released a new staff report examining the consumer protection implications of popular mobile device applications that provide shopping and in-store purchase services. The report, What’s the Deal? An FTC Study on Mobile Shopping Apps, details the findings from a recent FTC staff survey that studied consumer rights and data protection issues associated with some of the most popular mobile shopping apps on the market.

Time 1 Minute Read

On July 30, 2014, the European Commission announced two new EU standards to help users of Radio Frequency Identification (“RFID”) smart chips and systems comply with both EU data protection requirements and the European Commission’s 2009 Recommendation on RFID. Among other suggestions, the Recommendation discussed the development of a common European symbol or logo to indicate whether a product uses a smart chip. One of the new standards will provide companies with a framework for the design and display of such a logo. The logo will inform consumers of the presence of RFID chips (for example, when using electronic travel passes or purchasing items with RFID tags). The Commission reiterated that such smart chips should be deactivated by default immediately, and free of charge, at the point of sale.

Time 2 Minute Read

On July 31, 2014, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on its Telemarketing Sales Rule (“TSR”) as “part of the FTC’s systematic review of all current Commission regulations and guides.” In the press release accompanying the Federal Register notice, the FTC stated that its questions for the public focus on (1) the use and sharing of pre-acquired account information in telemarketing, and (2) issues raised by the use of negative-option and free-trial offers in combination with general media ads designed to generate inbound telemarketing calls from consumers. The FTC’s review process comes less than a year after the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules became effective.

Time 2 Minute Read

On July 1, 2014, Delaware Governor Jack Markell signed into law a bill that creates new safe destruction requirements for the disposal of business records containing consumer personal information. The new law requires commercial entities conducting business in Delaware to take reasonable steps to destroy their consumers’ “personal identifying information” prior to the disposal of electronic or paper records. The law will take effect on January 1, 2015.

Time 2 Minute Read

On July 16, 2014, the Federal Trade Commission posted revisions to its Frequently Asked Questions that provide guidance on complying with the Children’s Online Privacy Protection Rule (the “COPPA Rule”). The revisions, which are in Section H of the FAQs, address the COPPA Rule requirement that operators of certain websites and online services obtain a parent’s consent before collecting personal information online from a child under the age of 13.

Time 3 Minute Read

On June 20, 2014, Florida Governor Rick Scott signed a bill into law that repeals and replaces the state’s existing breach notification statute with a similar law entitled the Florida Information Protection Act (Section 501.171 of the Florida Statutes) (the “Act”).

Time 2 Minute Read

Hunton & Williams, in collaboration with the U.S. Chamber of Commerce, recently issued Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, a report which highlights the benefits of cross-border data transfers to businesses in the international marketplace. The report underscores the importance of developing data transfer mechanisms that protect privacy and facilitate the free-flow of data, and also explores opportunities for new data transfer regimes.

Time 2 Minute Read

On July 2, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) held a public meeting to finalize the release of a report concluding that the National Security Agency’s (“NSA’s”) collection of electronic communications from targets reasonably believed to be non-U.S. persons located outside the United States has operated lawfully within its statutory limitations.

Time 3 Minute Read

The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a white paper entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice. This is the first paper in the Centre’s new multi-year Privacy Risk Framework Project. It follows the Centre’s March 2014 Risk Workshop, held in Paris with Centre members, privacy experts, regulators and other stakeholders. The Risk Framework Project is the next phase of the Centre’s earlier work on organizational accountability, focusing specifically on one important aspect of accountability – conducting risk assessments that identify, evaluate and mitigate the privacy risks to individuals posed by an organization’s proposed data processing.

Time 2 Minute Read

On June 2, 2014, the U.S. Department of Justice announced a U.S.-led multinational effort to disrupt the “Gameover Zeus” botnet and the malware known as “Cryptolocker.” The DOJ also unsealed charges filed in Pittsburgh, Pennsylvania and Omaha, Nebraska against an administrator of Gameover Zeus.

Time 2 Minute Read

On June 12, 2014, Connecticut Governor Dannel Malloy signed a bill into law that may require retailers to modify their existing Health Insurance Portability and Accountability Act (“HIPAA”) authorizations for pharmacy reward programs. The law, which will become effective on July 1, 2014, obligates retailers to provide consumers with a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers may enroll. It also requires retailers to include specific content in their authorization forms that are required pursuant to the HIPAA. If the consumer is required to sign a HIPAA authorization to participate in a pharmacy reward program, the authorization must include the following items “adjacent to the point where the HIPAA authorization form is to be signed:”

Time 3 Minute Read

On June 4, 2014, the U.S. Government Accountability Office (“GAO”) testified before the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law on GAO’s findings regarding (1) companies’ use and sharing of consumer location data, (2) privacy risks associated with the collection of location data, and (3) actions taken by certain companies and federal agencies to protect the privacy of location data. GAO’s testimony relates to its 2012 and 2013 reports that examined the collection of location data by certain mobile industry companies and in-car navigation providers.

Time 2 Minute Read

On May 27, 2014, the Federal Trade Commission announced the release of a new report entitled Data Brokers: A Call for Transparency and Accountability, detailing the findings of an FTC study of nine data brokers, representing a cross-section of the industry. The Report concludes that the data broker industry needs greater transparency and recommends that Congress consider enacting legislation that would make data brokers’ practices more visible and give consumers more control over the collection and sharing of their personal information.

Time 2 Minute Read

On May 23, 2014, the Federal Trade Commission announced that the FTC’s Bureau of Consumer Protection sent a letter to the court overseeing the bankruptcy proceedings for ConnectEDU Inc. (“ConnectEDU”), an education technology company, warning that the proposed sale of the company’s assets raises privacy concerns. ConnectEDU’s assets include personal information collected from students, high schools and community colleges in connection with the company’s website and affiliated services.

Time 2 Minute Read

On May 22, 2014, the United States House of Representatives passed H.R. 3361, a bill aimed at limiting the federal government’s ability to collect bulk phone records and increasing transparency regarding decisions by the Foreign Intelligence Surveillance Court (“FISC”). The bill was approved by a vote of 323-121 by majorities of both Democrat and Republican members of the United States House of Representatives. It now moves to the Senate where it is likely to pass.

Time 2 Minute Read

On May 21, 2014, California Attorney General Kamala D. Harris issued guidance for businesses (“Guidance”) on how to comply with recent updates to the California Online Privacy Protection Act (“CalOPPA”). The recent updates to CalOPPA include requirements that online privacy notices disclose how a site responds to “Do Not Track” signals, and whether third parties may collect personal information about consumers who use the site. In an accompanying press release, the Attorney General stated that the Guidance is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.” The Guidance is not legally binding; it is intended to encourage companies to draft transparent online privacy notices.

Time 1 Minute Read

On May 19, 2014, the Federal Communications Commission announced that Sprint Corporation agreed to pay $7.5 million to settle an FCC Enforcement Bureau investigation stemming from allegations that the company failed to honor consumers’ requests to opt out of telemarketing calls and texts. Sprint also agreed to implement a two-year plan to help ensure future compliance with Do-Not-Call registry rules.

Time 2 Minute Read

Hunton & Williams LLP, in coordination with the U.S. Chamber of Commerce, recently issued a report entitled Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, highlighting the benefits of cross-border data transfers to businesses in the international marketplace. The report underscores the importance of developing data transfer mechanisms that protect privacy and facilitate the free-flow of data, and also explores opportunities for new data transfer regimes.

Time 2 Minute Read

On May 12, 2014, the Federal Trade Commission announced that it has approved final consent orders with two companies that marketed genetically customized nutrition supplements. In addition to charges that the companies’ claims regarding the effectiveness of their products were not sufficiently substantiated, the settlements also allege that the companies misrepresented their privacy and security practices. The two companies, Gene Link, Inc. (“Gene Link”) and foru™ International Corp. (“foru” – a former subsidiary of Gene Link), represented in their privacy policy that they had “taken every precaution to create a process that allows individuals to maintain the highest level of privacy” and that the companies’ third party service providers are “contractually obligated to maintain the confidentiality and security of the Personal Customer Information and are restricted from using such information in any way not expressly authorized” by the companies.

Time 3 Minute Read

As reported in the Hunton Employment & Labor Perspectives Blog:

On April 9, 2014, the Sixth Circuit of Appeals not only affirmed summary judgment in EEOC v. Kaplan Higher Education Corp., et al. but also chastised the Equal Employment Opportunity Commission (“EEOC”) for applying a flawed methodology in its attempts to prove that using credit checks as a pre-employment screen had an unlawful disparate impact against African-American applicants.

Time 2 Minute Read

On May 12, 2014, the U.S. Chamber of Commerce released a report highlighting the benefits of cross-border data transfers across all sectors of the economy. Hunton & Williams LLP’s Global Privacy and Cybersecurity team developed the report with the Chamber of Commerce. The report, Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, presents pragmatic solutions for developing international mechanisms that both protect privacy and facilitate cross-border data flows.

Time 2 Minute Read

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a new proposed rule impacting privacy notices that financial institutions are required to issue under the Gramm-Leach-Bliley Act (“GLB”). Under the current GLB Privacy Rule, financial institutions must mail an annual privacy notice (the “GLB Privacy Notice”) to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing.

Time 2 Minute Read

On May 1, 2014, the White House released a report examining how Big Data is affecting government, society and commerce. In addition to questioning longstanding tenets of privacy legislation, such as notice and consent, the report recommends (1) passing national data breach legislation, (2) revising the Electronic Communications Privacy Act (“ECPA”), and (3) advancing the Consumer Privacy Bill of Rights.

Time 2 Minute Read

On April 24, 2014, the Belgian Data Protection Authority (the “Privacy Commission”) published a Draft Recommendation regarding cookie usage, inviting all stakeholders to provide their input on the text. The Draft Recommendation clarifies the Belgian legal framework for the use of cookies and similar technologies, examining in detail the different purposes for which cookies and similar technologies may be used (e.g., authentication, storage of preferences) and explaining the steps to be taken to ensure compliance for each type of cookie use.

Time 2 Minute Read

On April 10, 2014, Kentucky Governor Steve Beshear signed into law a data breach notification statute requiring persons and entities conducting business in Kentucky to notify individuals whose personally identifiable information was compromised in certain circumstances. The law will take effect on July 14, 2014.

Time 3 Minute Read

On April 9, 2014, the Federal Trade Commission announced settlements with two data brokers, Instant Checkmate, Inc. (“Instant Checkmate”) and InfoTrack Information Services, Inc. (“InfoTrack”), which sell public record information about consumers. The settlements stem from allegations that Instant Checkmate and InfoTrack violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the FTC asserts that the companies violated the FCRA by “providing reports about consumers to users such as prospective employers and landlords without taking reasonable steps to make sure that they were accurate, or without making sure their users had a permissible reason to have them.”

Time 1 Minute Read

On April 10, 2014, the Federal Trade Commission announced that the Director of the FTC’s Bureau of Consumer Protection had notified Facebook and WhatsApp Inc., reminding both companies of their obligation to honor privacy statements made to consumers in connection with Facebook’s proposed acquisition of WhatsApp.

Time 1 Minute Read

On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion in Federal Trade Commission v. Wyndham Worldwide Corporation, allowing the FTC to proceed with its case against the company. Wyndham had argued that the FTC lacks the authority to regulate data security under Section 5 of the FTC Act. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices. The case will continue to be litigated on the issue of whether Wyndham’s data security practices constituted a violation of Section 5.

Time 1 Minute Read

As reported in the Hunton Employment & Labor Perspectives Blog, on March 10, 2014, the Federal Trade Commission and the Equal Employment Opportunity Commission issued joint guidance regarding the use of background checks in the employment context. The agencies issued two guidance documents: Background Checks: What Employers Need to Know (which advises employers on their existing legal obligations under both the Fair Credit Reporting Act and federal non-discrimination laws) and Background Checks: What Job Applicants and Employees Should Know (which informs job applicants ...

Time 2 Minute Read

The Federal Trade Commission recently acted on three industry proposals in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. Specifically, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism, approved a proposed “safe harbor” program and is seeking public comment on a separate proposed “safe harbor” program.

Time 3 Minute Read

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

Time 2 Minute Read

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

Time 2 Minute Read

On February 21, 2014, Peter Hustinx, the European Data Protection Supervisor (“EDPS”), highlighted the need to enforce existing EU data protection law and swiftly adopt EU data protection law reforms as an essential part of rebuilding trust in EU-U.S. data flows.

Time 2 Minute Read

On January 24, 2014, the Chamber Court of Berlin rejected Facebook’s appeal of an earlier judgment by the Regional Court of Berlin in cases brought by a German consumer rights organization. In particular, the court: 

Time 2 Minute Read

On February 11, 2014, Germany’s Federal Minister of Justice and Consumer Protection announced that consumer rights organizations will soon be able to sue businesses directly for breaches of German data protection law. Such additional powers had already been contemplated by the German governing coalition’s agreement and the Minister now expects to present a draft law in April of this year to implement them.

Time 2 Minute Read

On January 31, 2014, the Federal Trade Commission announced a settlement with GMR Transcription Services, Inc. (“GMR”) stemming from allegations that GMR’s failure to provide reasonable security allowed certain patients’ medical transcripts to be exposed to the public on the Internet. The FTC issued an accompanying press release stating it was the FTC’s 50th data security settlement.

Time 1 Minute Read

On January 29, 2014, the National Security Agency (“NSA”) announced that Rebecca Richards has been appointed to serve as the NSA’s new Civil Liberties and Privacy Officer. Ms. Richards, who previously worked as the Senior Director for Privacy Compliance at the Department of Homeland Security, will advise the NSA Director on civil liberties and privacy issues and implement reforms in those areas.

Time 3 Minute Read

On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.

Time 2 Minute Read

On January 23, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) released a report (the “Report”) concluding that the National Security Agency (“NSA”) does not have a valid legal basis for its bulk telephone records collection program. The NSA’s bulk collection of consumer telephone records has been under increased scrutiny since Edward Snowden leaked information about the program in June 2013, and recently has faced legal challenges. According to the Report, the NSA’s program exceeded its statutory parameters.

Time 1 Minute Read

It appears as though 2014 will be a banner year for class actions, including numerous cases concerning privacy and cybersecurity issues. In an article published in Law360, two Hunton & Williams litigation partners summarize recent case law and statistics related to class actions and offer predictions for the year ahead.

Time 2 Minute Read

On January 16, 2014, the Federal Trade Commission announced a settlement with TeleCheck Services, Inc., and its affiliated debt-collection entity, TRS Recovery Services, Inc. (collectively, “TeleCheck”). The settlement stems from allegations that TeleCheck violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the settlement is “part of a broader initiative to target the practices of data brokers, which often compile, maintain, and sell sensitive consumer information” and is similar to an FTC settlement with a different company in August 2013.

Time 2 Minute Read

On January 15, 2014, the Federal Trade Commission announced a proposed settlement with Apple Inc. stemming from allegations that the company billed consumers for mobile app charges incurred by children without their parents’ consent. Specifically, the FTC’s complaint alleges that Apple violated the FTC Act by not informing account holders that, for a 15-minute window after entering their password to approve a single in-app purchase, their children could make unlimited purchases without further action by the parent.

Time 3 Minute Read

As reported in the Hunton Employment & Labor Perspectives Blog:

While much attention has been paid this year to the Equal Employment Opportunity Commission’s (“EEOC’s”) agenda and litigation over criminal background checks (the agency asserts such background checks have a disparate impact on minority groups), a parallel challenge kept pace in the form of private class action litigation under the Fair Credit Reporting Act (“FCRA”). 2013 saw a number of significant class action settlements against both employers and consumer reporting agencies (“CRAs”) for alleged violations of the FCRA in the use of criminal background checks:

Time 2 Minute Read

On January 8, 2014, Senator Patrick Leahy (D-VT), Chair of the U.S. Senate Judiciary Committee, reintroduced the Personal Data Privacy and Security Act of 2014, comprehensive information security legislation that would establish a national standard for data breach notification and require businesses to safeguard customers’ sensitive personal information from cyber threats. The bill also would establish criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the incident causes economic damage to consumers.

Time 2 Minute Read

On December 23, 2013, the Federal Trade Commission announced that it accepted a proposed mechanism, submitted by Imperium, LLC (“Imperium”), to obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

Time 2 Minute Read

On December 31, 2013, the Federal Trade Commission announced that Accretive Health, Inc. (“Accretive”) has agreed to settle charges that the company’s inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse. Accretive experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.

Time 2 Minute Read

On December 16, 2013, the United States District Court for the District of Columbia granted a preliminary injunction barring the federal government from collecting and analyzing metadata related to two consumers’ mobile phone accounts. The court held that the two individual plaintiffs were entitled to a preliminary injunction because they had standing to challenge the government’s data collection practices and were substantially likely to succeed on the merits of their claim. The court has stayed issuance of the injunction pending appeal to the D.C. Circuit Court.

Time 4 Minute Read

On December 12, 2013, Fred H. Cate, Senior Policy Advisor in the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”), submitted comments in response to the National Institute of Standards and Technology’s (“NIST’s”) Preliminary Cybersecurity Framework (the “Preliminary Framework”). On October 22, NIST issued the Preliminary Framework, as required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (“Executive Order”), and solicited comments on the Framework. The Preliminary Framework includes standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.

Time 2 Minute Read

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to non-HIPAA covered websites and apps. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

Time 2 Minute Read

On December 5, 2013, the Federal Trade Commission announced a proposed settlement with mobile app developer Goldenshores Technologies, LLC (“Goldenshores”) following allegations that Goldenshores’ privacy policy for its popular Brightest Flashlight Free app deceived consumers regarding how the app collects information, including geolocation information, and how that information may be shared with third parties. Brightest Flashlight Free, developed for the Android operating system, allows its users to use their cell phones as flashlights.

Time 1 Minute Read

On December 3, 2013, Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, spoke at the American European Community Association Conference in Brussels on Data Protection: The Challenges and Opportunities for Individuals and Businesses. Strickling discussed the Obama Administration’s commitment to “preserving the dynamism and openness of the Internet, enhancing the free flow of information, and strengthening our Internet economy.” He addressed the issues surrounding U.S. surveillance operations and the European Commission’s recent report on Safe Harbor. Strickling also provided a progress report on improvements to consumer privacy protection since the White House released its Consumer Privacy Bill of Rights in February 2012, including an update on the National Telecommunications and Information Administration’s (“NTIA’s”) multistakeholder process to develop industry codes of conduct.

Time 1 Minute Read

On December 3, 2013, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced a new multistakeholder process to develop a code of conduct regarding the commercial use of facial recognition technology. The first meeting is set for February 6, 2014 in Washington, D.C., and will provide stakeholders with background on the privacy issues associated with facial recognition technology, including how facial recognition technology currently is being used by businesses and how it may be used in the near future. The February meeting is open to all interested stakeholders and will be available for viewing via webcast. Additional meetings are planned for the spring and summer of 2014.

Time 2 Minute Read

On November 15, 2013, the U.S. Government Accountability Office (“GAO”) released a report (the “Report”) finding that the current federal statutory privacy scheme contains “gaps” and “does not fully reflect” the Fair Information Practice Principles (“FIPPs”). The Report focused primarily on companies that gather and resell consumer personal information, and on the use of consumer personal information for marketing purposes.

Time 2 Minute Read

On November 12, 2013, two companies (the “Defendants”) that provide consumer background reports to third parties, including criminal record checks agreed to an $18.6 million settlement stemming from allegations that they violated the Fair Credit Reporting Act (“FCRA”) when providing these reports to prospective employers.

Time 5 Minute Read

On November 19, 2013, the Federal Trade Commission held a workshop in Washington, D.C. to discuss The Internet of Things: Privacy & Security in a Connected World. FTC Chair Edith Ramirez and FTC Senior Attorney Karen Jagielski provided the opening remarks. Chairwoman Ramirez raised three key issues for workshop participants to consider:

Time 2 Minute Read

On November 13, 2013, the Federal Trade Commission announced that it denied a proposal submitted by AssertID, Inc. for a mechanism to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

Time 1 Minute Read

On November 13, 2013, Google entered into a $17 million settlement agreement with the attorneys general from 37 states and the District of Columbia related to allegations that the company bypassed users’ cookie-blocking settings on Apple’s Safari browser in 2011 and 2012. The settlement requires Google to refrain from bypassing cookie controls in the future and requires Google to maintain a page on its site informing users about cookies and how to manage them. Last year, Google agreed to a $22.5 million settlement with the Federal Trade Commission in connection with similar ...

Time 2 Minute Read

On October 25, 2013, the Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests (the “Amendment”). The Amendment, which was adopted after three readings and will take effect on March 15, 2014, adds provisions designed to respond to the recent boom in online shopping and focuses on improving protections in the area of consumer rights and interests by:

Time 3 Minute Read

On October 22, 2013, the Federal Trade Commission announced a proposed settlement with Aaron’s, Inc. (“Aaron’s”) stemming from allegations that it knowingly assisted its franchisees in spying on consumers. Specifically, the FTC alleged that Aaron’s facilitated its franchisees’ installation and use of software on computers rented to consumers that surreptitiously tracked consumers’ locations, took photographs of consumers in their homes, and recorded consumers’ keystrokes in order to capture login credentials for email, financial and social media accounts. The FTC had previously settled similar allegations against Aaron’s and several other companies.

Time 2 Minute Read

On October 16, 2013, the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules go into effect. As we previously reported, the revisions require that businesses obtain “express written consent” prior to advertising or telemarketing through (1) autodialed calls or text messages, or prerecorded calls to consumers’ mobile numbers, and (2) prerecorded calls to consumers’ residential lines. In addition, the FCC’s revisions eliminate the exemption that allowed businesses to place prerecorded advertising or telemarketing calls to a consumer’s residential phone line if the business had a pre-existing business relationship with the consumer.

Time 2 Minute Read

On September 27, 2013, California Governor Jerry Brown signed into law a bill amending the California Online Privacy Protection Act (“CalOPPA”) to require website privacy notices to disclose how the site responds to “Do Not Track” signals, and whether third parties may collect personal information when a consumer uses the site. Although the changes to the law do not prohibit online behavioral advertising, this is the first law in the United States to impose disclosure requirements on website operators that track consumers’ online behavior.

Time 2 Minute Read

On September 25, 2013, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, expanded his investigation of the data broker industry by asking twelve popular health and personal finance websites to answer questions about their data collection and sharing practices.

Time 2 Minute Read

On September 23, 2013, California Governor Jerry Brown signed a bill that adds “Privacy Rights for California Minors in the Digital World” to the California Online Privacy Protection Act (“CalOPPA”). The new CalOPPA provisions prohibit online marketing or advertising certain products to anyone under age 18, and require website operators to honor requests made by minors who are registered users to remove content the minor posted on the site. In addition, operators must provide notice and instructions to minors explaining their rights regarding the removal of content they’ve posted.

Time 2 Minute Read

On August 30, 2013, following the effort by the People’s Republic of China to establish a Consumer Rights Protection Bureau in 2012, the China Banking Regulatory Commission (the “CBRC”) issued a document entitled “Guidance for the Banking Sector on the Protection of the Rights of Consumers” (the “Guidance”). Among other things, the Guidance re-emphasizes the principle of protecting personal financial information. Banking institutions are required (1) to take effective measures to protect consumers’ personal financial information; (2) not to modify or illegally use consumers’ personal financial information; and (3) to prevent the disclosure of consumers’ personal financial information to any third party without the relevant consumers’ authorization or consent.

Time 1 Minute Read

On September 9, 2013, the Federal Trade Commission announced that it is seeking public comment on another proposed mechanism (submitted by Imperium, LLC) to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. This announcement follows on the heels of a similar recent announcement that the Commission is seeking public comment on a parental consent mechanism proposed by a different company.

Time 2 Minute Read

On September 4, 2013, California state legislators passed an amendment to the state’s breach notification law. The bill, SB 46, would expand notification requirements to include security incidents involving the compromise of personal information that would permit access to an online or email account. Pursuant to SB 46, the definition of “personal information” contained in Sections 1798.29 and 1798.82 of California’s Civil Code would be amended to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Notably, the compromise of these data elements alone  ̶  even when not in conjunction with an individual’s first name or first initial and last name  ̶  would trigger a notification obligation under the amended law. In addition, the bill does not limit the data elements that constitute “personal information” to those that would permit access to an individual’s financial account.

Time 3 Minute Read

On September 4, 2013, the Federal Trade Commission announced a settlement with TRENDnet, Inc. (“TRENDnet”) stemming from allegations that TRENDnet’s failure to provide reasonable security for its Internet Protocol (“IP”) security cameras allowed hackers to publicly post online live feeds from approximately 700 customers’ cameras. As the FTC noted in its press release, “this is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the ‘Internet of Things.’”

Time 2 Minute Read

On August 29, 2013, the FTC announced that it had filed a complaint against LabMD, Inc. (“LabMD”) for failing to protect consumers’ personal data. According to the complaint, LabMD, which performs various laboratory tests for consumers, exposed the personal information of more than 9,000 consumers on a peer-to-peer (“P2P”) file-sharing network. Specifically, a LabMD spreadsheet that was found on the P2P network contained names, Social Security numbers, dates of birth, health insurance information and medical treatment codes. In another instance, identity thieves were able to obtain LabMD documents that contained the personal information of more than 500 consumers, including names, Social Security numbers and bank account information.

Time 2 Minute Read

On August 26, 2013, the U.S. District Court for the Northern District of California approved a settlement with Facebook, Inc., related to the company’s alleged misappropriation of certain Facebook members’ personal information, such as names and profile pictures, that was then used in ads to promote products and services via Facebook’s “Sponsored Stories” program.

Time 2 Minute Read

On August 15, 2013 the Federal Trade Commission announced a settlement with Certegy Check Services, Inc. (“Certegy”) stemming from allegations that Certegy violated various provisions of the Fair Credit Reporting Act (“FCRA”). The settlement agreement includes a $3.5 million civil penalty for “knowing violations ... that constituted a pattern or practice of violations.”

Time 1 Minute Read

On August 15, 2013, the Federal Trade Commission announced that it is seeking public comment regarding a proposed mechanism to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. The COPPA Rule requires operators of certain websites and online services to obtain a parent’s consent before collecting personal information online from a child under 13.

Time 2 Minute Read

On April 19, 2013, the North Dakota legislature amended the state’s breach notification law (Section 51-30-01 of the North Dakota Century Code) to expand the definition of “personal information” to include “health insurance information” and “medical information.” Pursuant to the amended breach law, “health insurance information” is defined to mean an “individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” “Medical information” is defined to mean “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” The amendment also carves out an exemption for covered entities, business associates and subcontractors that are subject to the breach notification requirements of 45 C.F.R. 164, Subpart D.

Time 2 Minute Read

On July 25, 2013, the U.S. Department of Commerce’s National Telecommunications and Information Administration announced the release of the Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices, which was developed through the Privacy Multistakeholder Process: Mobile Application Transparency convened by the Department of Commerce. The voluntary Code of Conduct provides guidance regarding short-form notices about the collection and sharing of consumer information with third parties. Short-form notices that comply with the Code of Conduct generally must contain the following content:

Time 2 Minute Read

On July 12, 2013, Illinois Attorney General Lisa Madigan announced that she sent letters to operators of eight popular health-related websites requesting information about the websites’ online data collection practices. The Attorney General’s press release underscored how individuals’ health-related information shared online, which would be protected if disclosed in a traditional medical setting, “can be captured, shared and sold when online users enter their information into a website.” The Attorney General also stated that “website disclosure about the extent to which information is captured or shared is buried in privacy policies not found on the websites’ main pages.”

Time 3 Minute Read

On June 28, 2013, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) issued its 20th annual Report of Activities (the “Report”), highlighting the FDPIC’s main activities during the period from April 2012 to March 2013. The Report is available in French and in German, and the FDPIC also has prepared a summary of the Report in English.

Time 1 Minute Read

In recent months, the Belgian media has reported on a significant increase in data breaches. In December 2012, the National Belgian Railway Company inadvertently published 1.46 million sets of customer data online. The rise in data security incidents has caught the attention of the Belgian Privacy Commission, which has the authority to make recommendations on any matter relating to the application of the fundamental data protection principles in the Belgian Data Protection Act of December 8, 1992. In a May 2013 article published in Bloomberg BNA’s World Data Protection Report

Time 1 Minute Read

On June 17, 2013, the Federal Trade Commission announced that FTC Chair Edith Ramirez has appointed Jessica Rich as Director of the Bureau of Consumer Protection. Rich has served in several leadership roles in the FTC’s Bureau of Consumer Protection during her 20-year tenure with the agency. Most recently, she served as Associate Director of the Division of Financial Practices.

Time 2 Minute Read

On June 11, 2013, the United States Court of Appeals for the Seventh Circuit denied software maker comScore, Inc.’s petition to appeal class certification in a litigation related to comScore software that allegedly collected extensive data from consumers’ computers without authorization. The plaintiffs alleged that comScore (an online analytics company) gathered data from consumers’ computers through software that it bundled with third-party software, such as free screensavers, games, music-copying programs and greeting card templates. According to the plaintiffs, this software collected data including “the monitored consumer’s usernames and passwords; queries on search engines...; the website(s) the monitored consumer is currently viewing; credit card numbers and any financial or otherwise sensitive information inputted into any website the monitored consumer views; the goods purchased online by the monitored consumer, the price paid by the monitored consumer for the goods, and amount of time the monitored consumer views the goods before purchase; and specific advertisements clicked by the monitored consumer,” as well as data about all files on the consumer’s computer.

Time 3 Minute Read

In May 2013, the Federal Trade Commission released a new guide entitled Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business (the “Guide”) to help businesses and organizations determine whether they are subject to the FTC’s Red Flags Rule (“Red Flags Rule”) and how to meet the Rule’s requirements. The FTC’s Guide includes information regarding what types of entities must comply with the Red Flags Rule, a set of FAQs, and a four-step process to achieve compliance.

Time 2 Minute Read

On May 9, 2013, the Federal Communications Commission (“FCC”) released a declaratory ruling clarifying the liability of a seller for violations of the Telemarketing Consumer Protection Act (“TCPA”) made by third-party telemarketers and others who place calls to market the seller’s products or services.

Time 3 Minute Read

In April 2013, the People’s Republic of China’s General Office of the National People’s Congress published a draft amendment to the Law on the Protection of Consumer Rights and Interests (the “ Proposed Amendment”) and solicited public comments on the Proposed Amendment until May 31, 2013. The Proposed Amendment includes provisions that affect the collection and use of consumer personal information.

Time 2 Minute Read

On May 15, 2013, the Federal Trade Commission announced that it sent educational letters to over 90 businesses that appear to collect personal information from children under the age of 13, reminding them of the impending July 1 deadline for compliance with the updated Children’s Online Privacy Protection Rule (the “Rule”). The letters were sent to domestic and foreign companies that may be collecting information from children that is now considered “personal information” under the Children’s Online Privacy Protection Act (“COPPA”) but was not previously considered “personal information.” The definition of “personal information” under COPPA was expanded to include (1) photos, videos and audio recordings of children; and (2) persistent identifiers that may recognize users over time and across various websites and online services (e.g., cookies and IP addresses).

Time 2 Minute Read

On May 7, 2013, the Federal Trade Commission announced that it issued letters to ten data broker companies warning that their practices could violate prohibitions against selling consumer information under the Fair Credit Reporting Act (“FCRA”). The FTC identified the ten data broker companies after a test-shopping operation that indicated these companies were willing to sell consumer information without adhering to FCRA requirements.

Time 1 Minute Read

On May 6, 2013, the Federal Trade Commission announced that it had voted unanimously to reject a request from industry groups to delay the July 1, 2013 deadline for implementation of the updated Children’s Online Privacy Protection Rule (the “Rule”). The groups had argued that the delay was necessary because they needed more time to comply with the changes to the Rule, which the FTC promulgated on December 19, 2012. In its response to the groups, the FTC asserted that the groups have been on notice of the changes since the beginning of the rulemaking process over three years ago, and ...

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page