Posts tagged Consumer Protection.
Time 2 Minute Read

On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute.  The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians.  Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002.  The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.

Time 2 Minute Read

Lush Cosmetics Ltd. (“Lush”) has avoided a monetary penalty for its breach of the UK Data Protection Act 1998.  Instead, the UK Information Commissioner’s Office (the “ICO”) has required Lush to sign an undertaking that obliges the company to “ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.”

Time 2 Minute Read

On August 15, 2011, the Federal Trade Commission announced a settlement with W3 Innovations, LLC, doing business as Broken Thumbs Apps (“W3”) for violations of the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule.  This marks the FTC’s first privacy settlement involving mobile applications.

Time 1 Minute Read

On July 29, 2011, Massachusetts Attorney General Martha Coakley announced a $7,500 settlement with Belmont Savings Bank following a May 2011 data breach involving the names, Social Security numbers and account numbers of more than 13,000 Massachusetts residents.  The bank has stated that it has no evidence of unauthorized access to or use of consumers’ personal information in connection with this breach.

Time 1 Minute Read

As reported in BNA’s Privacy Law Watch, on July 19, 2011, President Obama announced his intention to nominate Maureen K. Ohlhausen to the Federal Trade Commission. Obama sent his official nomination to the Senate on July 21, 2011. If approved, Ohlhausen will serve a seven-year term beginning on September 26, 2011, replacing Commissioner William E. Kovacic.

Time 2 Minute Read

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

Time 2 Minute Read

On July 12, 2011, Stanford Law School’s Center for Internet and Society reported the preliminary results of tests conducted with experimental software designed to detect third-party tracking.  Over the months spent developing “a platform for measuring dynamic web content,” researchers at the Stanford Security Lab analyzed tracking on the websites of Network Advertising Initiative (“NAI”) participants by observing how cookies are altered when a user opts out of behavioral tracking on the NAI website, or enables Do Not Track.

Time 2 Minute Read

On June 16, 2011, the German Federal Ministry of the Interior officially opened a National Cyber Defense Center as part of the comprehensive cybersecurity strategy that was adopted by the German federal government on February 23, 2011.  The Cyber Defense Center is intended to serve as a common platform for rapid information exchange and better coordination of protective and defensive measures against information technology security incidents.

Time 2 Minute Read

On July 6, 2011, the UK Information Commissioner’s Office (the “ICO”) released its Annual Report and Financial Statements for 2010/11.  Characterizing information as “the currency of democracy,” the report highlights the wide range of the ICO’s activities during the last twelve months, which focused on education and the provision of good practice guidance in addition to enforcement activities.

Time 2 Minute Read

On June 28, 2011, the Federal Communications Commission and the Federal Trade Commission convened a public education forum entitled “Helping Consumers Harness the Potential of Location-Based Services.”  Representatives of telecommunications carriers, technology companies and consumer advocacy organizations discussed technological developments and how best to realize the benefits of location-based services without compromising privacy.

Time 3 Minute Read

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  

Time 1 Minute Read

On June 24, 2011, the U.S. Department of Commerce’s International Trade Administration released a PowerPoint presentation on Mexico’s new private sector data protection law that was shared at a meeting of the OECD Working Party on Information Security and Privacy by Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (“IFAI”).  The presentation provides guidance on the creation of privacy notices and establishment of self-regulatory schemes, and also outlines the responsibilities of the Ministry of Economy and the IFAI ...

Time 2 Minute Read

Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada.  As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology.  According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.

Time 2 Minute Read

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

Time 2 Minute Read

Two former employees of mobile phone provider T-Mobile have been ordered by a court in the United Kingdom to pay £73,700 (approximately $120,000) for the theft of T-Mobile customers’ personal data.  The Chester Crown Court ordered David Turley and Darren Hames to pay £45,000 and £28,700 respectively, under confiscation orders, along with prosecution costs.

Time 3 Minute Read

On June 13, 2011, Representative Mary Bono Mack (R-CA) released a discussion draft of the Secure and Fortify Data Act (the “SAFE Data Act”), which is designed to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.”  Representative Bono Mack is Chairman of the House Subcommittee on Commerce, Manufacturing and Trade.  In a press release, Representative Bono Mack remarked that “E-commerce is a vital and growing part of our economy.  We should take steps to embrace and protect it – and that starts with robust cyber security.”  She added that “consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”

Time 2 Minute Read

On June 15, 2011, Senator Al Franken (D-MN) and Senator Richard Blumenthal (D-CT) introduced the Location Privacy Protection Act of 2011 (the “Act”).  As we reported previously, Senator Franken is chairman of the newly-created Senate subcommittee on Privacy, Technology and the Law.   In his press release, Senator Franken explained that the Act is designed to “close current loopholes in federal law” while giving customers the ability to learn about and prevent the collection of their location information.  The Act would apply only to non-government entities and would not impact law-enforcement activities.  At a May 10, 2011 hearing, both Google and Apple were questioned about their privacy practices, and Franken subsequently challenged them to require their application developers to adopt clear and understandable privacy policies.

Time 2 Minute Read

On June 10, 2011, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the Federal Trade Commission, claiming that Facebook’s facial recognition and automated online image identification features harm consumers and constitute “unfair and deceptive acts and practices.” According to a post on The Facebook Blog, the Tag Suggestions feature matches uploaded “new photos to other photos [the user is] tagged in.”  Facebook then “[groups] similar photos together and, whenever possible, suggest[s] the name of the friend in the photos.”  On June 13, 2011, Congressman Edward Markey (D-MA) released a statement supporting the complaint and indicating that he will “continue to closely monitor this issue.”

Time 2 Minute Read

On June 9, 2011, two plaintiffs filed a class action complaint against Google in the United States District Court for the Southern District of Florida.  The complaint alleges that Google’s Android phone “engaged in illegal tracking and recording of [p]laintiffs’ movements and locations … without their knowledge or consent” and that Google violated the Computer Fraud and Abuse Act and Florida statutory and common law by failing to inform Android users that their movements were being tracked and recorded through their phones.

Time 3 Minute Read

On May 27, 2011, a class action complaint was filed in the United States District Court for the Northern District of California against Google and its recently acquired subsidiary, Slide, alleging that they violated the Telephone Consumer Protection Act (“TCPA”) when they sent text messages to people’s cell phones without first obtaining their consent.

Time 1 Minute Read

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

Time 2 Minute Read

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

Time 3 Minute Read

From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime, to one requiring prior opt-in consent.  This change poses significant practical challenges for website operators.  In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.

Time 2 Minute Read

On May 12, 2011, the Federal Trade Commission announced that Playdom, Inc., a Disney subsidiary, has agreed to pay $3 million to settle charges that the company violated Section 5 of the FTC Act and the Children’s Online Privacy Protection Rule (“COPPA Rule”) “by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent.”  This settlement marks the largest civil penalty imposed for an FTC COPPA Rule violation.

Time 2 Minute Read

On May 3, 2011, the Federal Trade Commission announced that it had reached settlements with Ceridian Corporation and Lookout Services, Inc. after alleging both companies had misrepresented the extent of their data security practices and subsequently failed to safeguard their customers’ information.  According to the FTC’s press release, the settlements “are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain.”

Time 2 Minute Read

On May 2, 2011, Sony Computer Entertainment America (“Sony”) disclosed that hackers had gained access to the personal information of 24.6 million customers who played games on the Sony Online Entertainment (“SOE”) network.  Sony stated that hackers may have accessed names, addresses and birth dates of SOE gaming customers, as well as credit card data of about 12,700 non-U.S. accounts and 10,700 bank account numbers from “an outdated database from 2007.”  Sony clarified that the SOE breach was not the result of a second attack, but rather occurred as part of the broad incursion against the company that affected 77 million PlayStation accounts, as the company previously disclosed on April 26.

Time 1 Minute Read

On April 25, 2011, Legal Bisnow interviewed Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, and Hunton & Williams partner Lisa Sotto about hot topics in privacy and data protection.

Read Legal Bisnow’s article, “Hottest Practice Area?”.

Time 2 Minute Read

On April 26, 2011, Sony Computer Entertainment America (“Sony”) disclosed an information security breach that may affect up to 77 million consumers.  On Sony’s PlayStation blog, Patrick Seybold, Senior Director of Corporate Communications and Social Media, wrote that an unauthorized person intruded into Sony’s PlayStation Network and Qriocity streaming music and video service between April 17 and April 19, 2011, and may have obtained users’ names, addresses, email address, birthdates, passwords and logins.  Mr. Seybold wrote that “out of an abundance of caution” Sony was advising its users that their credit card information also may have been obtained.  The blog post also noted that Sony is taking steps to address the breach, which include (1) turning off PlayStation Network and Qriocity services, (2) engaging an external security firm to investigate the incident, and (3) enhancing information security and strengthening its network infrastructure.  Sony further advised users to “review your account statements and to monitor your credit reports,” and provided the contact information for the three major credit bureaus in the United States.

Time 3 Minute Read

On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).

The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years.  To date, most of the EU Member States have implemented the Data Retention Directive, but Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.

Time 1 Minute Read

On April 5, 2011, Lisa Sotto, partner and head of the Privacy and Data Security practice at Hunton & Williams LLP, discussed the Epsilon email breach in an interview with Tracy Kitten of Information Security Media Group.  The interview covered issues such as data protection requirements for sensitive consumer data, steps companies should take to protect data and lessons to be learned from the breach.  Download the podcast now.

Time 2 Minute Read

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion to clarify the legal framework applicable to smart metering technology in the energy sector (the “Opinion”).

Smart meters are digital meters that record energy consumption and enable two-way remote communication with the wider network for purposes such as monitoring and billing, and to forecast energy demand.  Smart meters are intended to allow the industry to better regulate energy supply, and to help individuals reduce consumption.  According to the Working Party, however, the analysis and exchange of smart metering information has the potential to be privacy-invasive.

Time 2 Minute Read

On April 15, 2011, the United Kingdom’s Department for Culture, Media and Sport (“DCMS”) announced that the UK will adopt the new EU rules on cookies without “gold-plating” the regulations by imposing additional national requirements, to help ensure that British companies can compete with the rest of Europe.  As we previously reported, the UK government had reassured businesses that it would carry out the implementation in a manner that would minimize the impact on businesses and consumers.

Time 4 Minute Read

On April 13, 2011, Representative Cliff Stearns (R-FL) introduced the Consumer Privacy Protection Act of 2011 (the “Act”), which seeks to “protect and enhance consumer privacy” both online and offline by imposing certain notice and choice requirements with respect to the collection and use of personal information.

Time 2 Minute Read

On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.

The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market.  Reports of the completed privacy impact assessments must be made available to the national data protection authorities.  The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks.  It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.

Time 8 Minute Read

On April 12, 2011, U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the “Act”) to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  The bill applies broadly to entities that collect, use, transfer or store the “covered information” of more than 5,000 individuals over a consecutive 12-month period.  Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities.

Time 2 Minute Read

On April 7, 2011, the Securities and Exchange Commission announced a settlement involving three former brokerage firm executives charged with “failing to protect confidential information about their customers.”  According to the announcement, “this is the first time that the SEC has assessed financial penalties against individuals charged solely with violations of Regulation S-P.”  Regulation S-P mandates that financial firms safeguard their customers’ confidential information and prevent its release to unaffiliated third parties without authorization.

Time 2 Minute Read

Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (the “IFAI”) will issue the first set of regulations implementing Mexico's new private sector data protection law the week of April 11, 2011.  These first regulations will cover the legal requirements to provide privacy notices to consumers and to appoint a designated privacy official, which go into effect in July 2011.  The two agencies want to ensure that the private sector has adequate time to prepare appropriate privacy notices prior to the July effective date.  The balance of the law, granting individual participation rights to consumers, becomes effective in January 2012.

Time 2 Minute Read

On March 30, 2011, the Federal Trade Commission announced that Google agreed to settle charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010.  According to the FTC’s complaint (main document, exhibits), Google led Gmail users to believe that they could choose whether or not they wanted to join Google Buzz.  The options for declining or leaving Google Buzz, however, were ineffective.  For those who joined Google Buzz, the controls for limiting the sharing of their personal information were difficult to locate and confusing.  Furthermore, the FTC charged that Google violated its privacy policies by using information provided for Gmail for another purpose – social networking – without obtaining consumers’ permission in advance.  Finally, the FTC alleged that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor framework because it failed to give consumers notice and choice before using their information for a different purpose from that for which it was collected.

Time 2 Minute Read

On March 28, 2011, the Briar Group, LLC, owner and operator of several Boston-area bars and restaurants, reached a settlement with Massachusetts Attorney General Martha Coakley regarding the breach of “tens of thousands” of consumers’ payment card information.  The settlement resolves a lawsuit filed in Massachusetts Superior Court alleging that in April 2009 hackers gained access to the Briar Group’s computer systems and misappropriated customer data by installing malcode which was not removed by the company until December of that year.  The complaint further alleged that the Briar Group’s lax data protection practices, such as allowing employees to share computer passwords and failing to secure network wireless connections, put customers’ personal information at risk.

Time 1 Minute Read

On March 16, 2011, at a U.S. Senate Commerce Committee hearing, Senator John Kerry (D-Mass.) announced his intention to introduce privacy legislation that would create “a common code of conduct that respects the rights of both the people sharing their information and legitimate organizations collecting and using it on fair terms and conditions.”  Kerry indicated that he had “reached out to our colleagues on both sides of the aisle, to privacy experts at firms, in academia, and in the advocacy community,” and asked for input into the process from witnesses at the hearing.

Time 2 Minute Read

On March 16, 2011, U.S. Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling called on Congress to enact robust, baseline legislation to “reform consumer data privacy in the Internet economy.” Speaking before the U.S. Senate Committee on Commerce, Science and Transportation, Assistant Secretary Strickling emphasized the Department of Commerce’s support for a legislative proposal that would adopt many of the recommendations of the “Green Paper,” a Department report authored last December.

Time 3 Minute Read

On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”

Time 6 Minute Read

On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels.  The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.

Time 2 Minute Read

On March 11, 2011, the Federal Trade Commission finalized a proposed settlement with Twitter, which resolved allegations that Twitter deceived consumers and failed to safeguard their personal information. The FTC first announced the proposed settlement in June 2010. Specifically, the FTC claimed that Twitter, contrary to its privacy policy statements, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Intruders exploited these failures and obtained administrative control of the Twitter system. These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.

Time 1 Minute Read

On March 7, 2011, Arthur Steinberg and the Philadelphia Federation of Teachers Health and Welfare Fund sued CVS Caremark Corporation (“CVS”), alleging that its unauthorized disclosure of protected health information (“PHI”) constituted an unfair trade practice. The complaint claims that CVS, one of the nation’s largest pharmacies, sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications. The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send ...

Time 2 Minute Read

On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.

Time 1 Minute Read

On March 4, 2011, Congressman Cliff Stearns (R-FL) announced plans to introduce new online privacy legislation. The proposed bill is based on legislation Stearns drafted in 2005, the Consumer Privacy Protection Act, which was not reported out of committee. While speaking at a Technology Policy Institute event, “Online Privacy After the DOC and FTC Reports,” Stearns stressed that this new legislation would seek to balance “privacy with innovation,” protecting the interests of both businesses and their online customers.

According to Stearns, “[t]he goal of the ...

Time 2 Minute Read

“LOANMOD TXT MSGS VIOL8 LAW, SEZ FTC.”  So reads the headline on the Federal Trade Commission’s Bureau of Consumer Protection’s Business Center Blog.  The posting announced the FTC’s complaint against a marketer who sent more than 5.5 million spam text messages at a “mind boggling” rate of about 85 per minute, every minute of every day.  Allegedly, most or all of the messages were unsolicited, and, like most text messages, they caused many recipients to incur standard text messaging charges.

Time 2 Minute Read

On March 2, 2011, the German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act.  The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.

Time 2 Minute Read

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

Time 1 Minute Read

In our August 2009 blog post on data protection issues in China, we noted that there was no uniform Chinese law that specifically addresses the protection of personal data, and that it seemed likely that Chinese personal information protection law would continue to develop as a patchwork of piecemeal regulations. This remains true today, and developments since our previous article was published have in fact reinforced this assumption. In the past year and a half, new laws affecting personal information protection in China have arisen in various forms, including a consumer ...

Time 3 Minute Read

On February 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are “personal identification information” under the state’s Song-Beverly Credit Card Act of 1971 (the “Credit Card Act”).  This finding effectively prohibits California businesses from requesting and recording cardholders’ ZIP codes during credit card transactions.

Time 2 Minute Read

Connecticut’s newly-elected Attorney General George Jepsen recently announced an agreement with Google, Inc. concerning the company’s refusal to comply with a Civil Investigative Demand brought by his predecessor, freshman Senator Richard Blumenthal (D-CT).  According to a January 28, 2011 press release, to facilitate settlement discussions with the Connecticut-led, 40-state coalition, Google will stipulate that “payload data” compiled in 2008 and 2009 “contained URLs of requested Web pages, partial or complete e-mail communications or other information, including confidential and private information” transmitted by individuals across unsecured wireless networks.

Time 3 Minute Read

On January 28, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments with the United States Department of Commerce in which the Centre stressed privacy governance based on data stewardship by accountable organizations.  The Centre was one of a number of organizations that submitted comments in response to the Department of Commerce’s privacy paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” which was released in December 2010.  The theme of today’s comments is similar to that which the Centre suggested earlier this month in its comments responding to the European Commission’s consultation paper.

Time 3 Minute Read

In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.

Virginia SB 1041

On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person.  The law currently applies only to organizations, corporations and agencies supported by public funds.  In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.

Update: On February 11, 2011, BNA's Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.

Time 1 Minute Read

The Federal Trade Commission announced today that it is extending the deadline for public comments on its December 1, 2010 report, “Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers.”  In light of the complex issues raised by the report, a number of organizations requested an extension of the original January 31, 2011 deadline.  Stakeholders now have until February 18, 2011, to submit their comments.

Time 3 Minute Read

On January 12, 2011, Adobe Systems Incorporated (“Adobe”) announced in its Adobe Flash Platform Blog that it is working with browser vendors to integrate control features into browser user interfaces that will allow users to more easily control local shared objects (“LSOs”) on their computers.  Local shared objects, often referred to as Flash cookies, store information about online activity, including things like browsing history, login details and preferences.  In August 2010, we reported on several lawsuits that had been filed against online advertising networks for, among other things, using Flash cookies to re-create deleted browser cookies.

Time 2 Minute Read

In late December 2010, consumers filed two class action lawsuits against Apple Inc., claiming that several applications they downloaded from Apple’s App Store sent their personal information to third parties without their consent.  Specifically, the consumers claim that Apple allowed third party advertising networks to follow user activity through the Unique Device Identifiers that Apple assigns each device that downloads applications.  The complaint, filed in the U.S. District Court for the Northern District of California, also named several application developers such as Pandora and The Weather Channel as co-defendants.

Time 2 Minute Read

On December 18, 2010, President Obama signed into law the “Red Flag Program Clarification Act of 2010” (S.3987), which amends the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.  The law limits the scope of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”), which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

Time 3 Minute Read

On December 14, 2010, the United States Court of Appeals for the Sixth Circuit ruled in United States v. Warshak that a “subscriber enjoys a reasonable expectation of privacy in the content of emails” stored, sent or received through a commercial internet service provider (“ISP”).  According to the court, the government must have a search warrant before it can compel a commercial ISP to turn over the contents of a subscriber’s emails.

In 2008, a jury sitting in the Southern District of Ohio convicted defendants Steven Warshak, Harriet Warshak and TCI Media, Inc. of various crimes relating to defrauding customers of Berkeley Premium Nutraceuticals, Inc.  Before trial, Warshak’s motion to exclude thousands of emails that the government obtained from his ISP was denied.  The defendants appealed their convictions, arguing that the government’s warrantless seizure of Warshak’s private emails violated the Fourth Amendment’s prohibition on unreasonable searches and seizures.

Time 3 Minute Read

As previously reported, on December 16, 2010, the U.S. Department of Commerce released its Green Paper “aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth.”

During a press teleconference earlier that morning announcing the release of the Green Paper, Secretary Gary Locke commented on the Green Paper’s recommendation of adopting a baseline commercial data privacy framework, or a “privacy bill of rights,” built on an expanded, revitalized set of Fair Information Practice Principles (“FIPPs”).  He indicated that baseline FIPPs would respond to consumer concerns and help increase consumer trust.  The Secretary emphasized that the Department of Commerce would look to stakeholders to help flesh out appropriate frameworks for specific industry sectors and various types of data processing.  He also noted that the agency is soliciting comments on how best to give the framework the “teeth” necessary to make it effective.  The Secretary added that the Department of Commerce is also open to public comment regarding whether the framework should be enforced through legislation or simply by conferring power on the Federal Trade Commission.

Time 3 Minute Read

On December 10, 2010, Senior Advisor to U.S. Senator John Kerry (D-Mass.), Daniel Sepulveda, briefed the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) members on Senator Kerry’s forthcoming privacy legislation.  The bill, which will be introduced next Congress, aims to establish a regulatory framework for the comprehensive protection of individuals’ personal data that authorizes rulemakings by the Federal Trade Commission.

Time 1 Minute Read

On December 7, 2010, Microsoft announced in a blog post that Internet Explorer 9 will feature a new “opt-in mechanism” and “Tracking Protection Lists” to help consumers control tracking of their online activity.  Since the Federal Trade Commission released its privacy report last week, there has been considerable debate regarding consumer protection on the Internet, especially with respect to the “Do Not Track” concept.  Microsoft’s blog post states, “We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection ...

Time 4 Minute Read

On December 2, 2010, discussions about privacy continued at a hearing on “Do Not Track Legislation: Is Now the Right Time?” held by the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection.  The hearing focused on a variety of consumer privacy issues, including the implications and challenges of a Do Not Track mechanism, the consumer’s desire for more control over the collection and use of their data and tracking practices, and the need to preserve an advertising supported Internet that promotes economic growth through online business.

Time 1 Minute Read

The “Red Flag Program Clarification Act of 2010” (S. 3987) has passed the Senate.  The legislation would limit the scope of the Red Flags Rule, which requires certain “creditors” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.  The new legislation would exclude from the definition of “creditor” certain entities that “[advance] funds on behalf of a person for expenses incidental to a service provided by the creditor to that ...

Time 3 Minute Read

On December 1, 2010, the Federal Trade Commission released its long-awaited report on online privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”  Observers expected the report to address the concept of privacy by design, the burdens placed on consumers to read and understand privacy notices and make privacy choices, the provision of individual access to personal data and the rights of consumers with respect to Internet tracking.  The FTC report introduces a privacy framework to “establish certain common assumptions and bedrock protections on which both consumers and businesses can rely as they engage in commerce.”  It includes the following elements:

Time 3 Minute Read

David Vladeck, Director of the FTC’s Division of Consumer Protection, this morning previewed the long-awaited FTC report that sums up months of discussion regarding the future of privacy regulation in the United States and examines the viability of a Do Not Track mechanism.  Vladeck indicated at the Consumer Watchdog Policy Conference that the existing privacy framework in the U.S. is not keeping pace with new technologies.  In addition, he stated that the pace of industry self-regulation, while constructive, has been too slow.  According to Vladeck, the report will address several major themes, including the following:

Time 2 Minute Read

On November 17, 2010, Representative John Adler (D-NJ) introduced the Red Flag Program Clarification Act of 2010 (H.R. 6420) to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.”  The bipartisan bill seeks to limit the scope of the FTC’s Identity Theft Red Flags Rule, which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

Time 2 Minute Read

On November 8, 2010, Connecticut Insurance Commissioner Thomas Sullivan announced that Health Net of Connecticut, Inc. (“Health Net”) had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.  The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut.  Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.

Time 1 Minute Read

On October 27, 2010, the U.S. Commodity Futures Trading Commission (the “CFTC”) issued two notices of proposed rulemaking (“NPRMs”), citing Gramm-Leach-Bliley Act (“GLBA”) privacy rules, and marketing and data disposal rules of the Fair Credit Report Act (“FCRA”).

The proposed rules come in the wake of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which places two new categories of covered entities (i.e., “swap dealers” and “major swap participants”) under the CFTC’s jurisdiction.  Under the proposals, those entities would be subject to certain GLBA privacy rules that regulate the treatment of consumers’ nonpublic personal information, and sections of the FCRA that address affiliate marketing and data disposal.

Time 1 Minute Read

The international group of data protection commissioners today admitted the U.S. Federal Trade Commission into membership.

Meeting at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, the commissioners determined that the FTC had the requisite authority and independence to qualify for membership.

The decision has been a long time coming.  The U.S. has long sought to be recognized as a member of the data protection group.  Last year, the U.S. application was rejected at the international conference in Madrid.

Time 2 Minute Read

David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission, today provided a high-level outline of the Commission’s forthcoming report on the future of privacy.

Speaking at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Vladeck said the report reflected two broad conclusions.  First, current privacy law places too much burden on consumers to read and understand privacy notices and make privacy choices.  The second conclusion is that there is a pressing need to reexamine the conception of “harm” in U.S. law to move beyond only economic and physical harms.

Time 2 Minute Read

On October 19, 2010, Federal Trade Commissioner Julie Brill indicated that the FTC’s forthcoming behavioral advertising report will recommend a self-regulatory framework, as opposed to new legislation, to help protect consumers’ privacy.  Mediapost.com reported that Ms. Brill offered suggestions on improving privacy practices with respect to Internet advertising, such as by providing “consistent and simplified notice about online tracking and ad-serving,” and that such notice should focus more on the unexpected or non-obvious uses of data (such as an e-commerce company’s transfer of consumers’ addresses to shipping companies).

Time 3 Minute Read

On October 5, 2010, the Department of Energy (“DOE”) released a report entitled “Data Access and Privacy Issues Related to Smart Grid Technologies.”  The idea behind the Smart Grid is that electricity can be delivered more efficiently using data collected through monitoring consumers’ energy use.  In connection with the preparation of its report, the DOE surveyed industry, state and federal practices with respect to Smart Grid technologies, focusing on the issue of residential consumer data security and privacy.  The DOE noted that advanced meters or “smart meters” were a focal point of the report due to their “ability to measure, record and transmit granular individual consumption.”  That said, a Smart Grid consists of “hundreds of technologies and thousands of components, most of which do not generate data relevant to consumer privacy.”

Time 5 Minute Read

David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010.  Mr. Vladeck began by reminding the audience that the FTC is aggressively enforcing on privacy and data security matters, having brought 29 cases to date.  Where possible, the FTC joins forces with other federal regulators, such as the Department of Health and Human Services, to seek broad relief that the FTC could not otherwise get on its own.  Mr. Vladeck indicated that the FTC also works closely with the states, citing a recent case in which the FTC filed concurrent settlements with 36 state attorneys general.  Mr. Vladeck stated that the FTC plans to continue to bring cases to ensure that companies “reasonably” safeguard information.

Mr. Vladeck noted three key areas for future enforcement.  The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists to assist and also have created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).

Time 2 Minute Read

The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws.  On September 21, 2010, GPEN unveiled its new website, www.privacyenforcement.net, designed to educate the public about the network.  The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for ...

Time 2 Minute Read

On August 18, 2010, the Connecticut Insurance Department (the “Department”) issued Bulletin IC-25, which requires entities subject to its jurisdiction to notify the Department in writing of any “information security incident” within five calendar days after an incident is identified.  In addition to providing detailed procedures and information to be included in the notification, the Bulletin states that the Department “will want to review, in draft form, any communications proposed to be made” to affected individuals.  The Bulletin further indicates that, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”

Time 2 Minute Read

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted   “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

Time 2 Minute Read

On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling.  The cases involved consumer complaints implicating the companies in several illegal acts.  The companies claimed they had obtained prior consent from the consumers they contacted.  The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games.  The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies.  The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.

Time 2 Minute Read

As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).  Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC "shall not be compelled to disclose" certain information it obtains pursuant to the '34 Act when conducting surveillance, risk assessments or other regulatory and oversight activities.

Time 1 Minute Read

In the latest chapter of the Federal Trade Commission’s ongoing efforts to promote consumer privacy with respect to online behavioral advertising, FTC Chairman Jon Leibowitz has reportedly suggested that the FTC may propose a Do Not Track Registry.  The registry would be similar to the FTC’s popular Do Not Call Registry, which allows consumers to opt-out of many types of telemarketing calls, but registration on the Do Not Track Registry would not stop online advertisements.  Instead, it would prevent those advertisements from being targeted to users based on their prior online ...

Time 1 Minute Read

On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data.  “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement.  Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet.  He indicated that his bill would go beyond the regulation of targeted ...

Time 2 Minute Read

David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).

Time 2 Minute Read

Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.  The charges stem from alleged lapses in the company’s data security that permitted hackers to access tweets that users had designated as private and to issue phony tweets from the accounts of some users, including then-President-elect Barack Obama.  According to the FTC’s complaint (main document, exhibits), these attacks on Twitter’s system were possible due to a failure to implement reasonable ...

Time 1 Minute Read

As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule.  The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The FTC previously has stated that health care providers could be deemed “creditors” under the Rule.  The agreement will grant relief to ...

Time 2 Minute Read

The Centre for Information Policy Leadership at Hunton & Williams LLP made ten recommendations in response to the U.S. Department of Commerce’s notice of inquiry, “Information Privacy and Innovation in the Internet Economy.”  The Centre’s recommendations strongly suggest that organizational accountability is the key to providing the flexibility needed to use information robustly while protecting the interest of individuals in maintaining private space in a digital age:

“The flexibility to be innovative must be conditioned on the organization’s accountability for the manner in which it uses, manage, and protects data.  … To strike the appropriate balance between the value created by data use and the risk that use poses to privacy, organizations must implement privacy processes that are as dynamic as their business processes.” 

Time 1 Minute Read

On April 12, 2010, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined D.A. Davidson & Co. $375,000 for failing to protect its customers’ confidential information.  In late 2007, the firm’s system was compromised when hackers employed a SQL injection attack to download the confidential customer information of approximately 192,000 individuals.  The security breach came to light when one of the persons responsible for the intrusion attempted to blackmail D.A. Davidson via email on January 16, 2008.  The firm responded quickly by notifying ...

Time 2 Minute Read

Julie Brill and Edith Ramirez took their oaths of office on April 5 and 6, 2010, completing the Federal Trade Commission’s roster of five commissioners and facilitating the Commission’s new tougher stance on privacy.  As we previously reported, Ms. Brill and Ms. Ramirez were confirmed by the U.S. Senate on March 3, 2010.  There are now three Democrats and two Republicans on the Commission.

Last year, when the Commission was comprised of one Democrat, two Republicans, an independent and a vacant seat, FTC Chairman Jon Leibowitz announced an aggressive agenda for the Commission, including a “privacy re-think.”  The new Democratic majority will make it easier to advance that agenda through recommendations to Congress, responses to market requests for greater self regulation and the approach taken with respect to enforcement cases.

Time 2 Minute Read

On March 17, 2010, the Federal Trade Commission convened the last of its three-part series of roundtable discussions entitled “Exploring Privacy.”  In her opening remarks, outgoing Commissioner Pamela Jones Harbour emphasized the critical importance of privacy to consumers, stating that “consumer privacy cannot be run in beta,” and that companies often inappropriately expose consumer data during new product rollout.  David Vladeck, Director of the FTC’s Bureau of Consumer Protection, then set the stage by invoking the “notice is broken” theme that recurred during the first two roundtables on December 7, 2009, and January 28, 2010, and was echoed by participants in the March 17 event.

Time 2 Minute Read

The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products.  Ms. Harbour lamented that companies do not take consumer privacy seriously.  She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.”  Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default.  Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data.  Soon after the launch, Google changed the defaults to allow users more control.  Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.

Time 2 Minute Read

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity ...

Time 1 Minute Read

On March 3, 2010, the Senate unanimously confirmed the nominations of Julie Brill and Edith Ramirez to serve as FTC Commissioners for seven-year terms.  Most recently, Ms. Brill has served as Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina.  She was formerly Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and has served as Chair of the Committee on Privacy for the National Association of Attorneys General.  Edith Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles ...

Time 4 Minute Read

The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010.  The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.

Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions.  “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.

Time 1 Minute Read

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a ...

Time 2 Minute Read

On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document" at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.”  The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use.  The paper is the product of a three year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment.  The paper may be found at www.informationpolicycentre.com.

Time 2 Minute Read

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy."  The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts.  The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace.  Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

Time 1 Minute Read

Senior staff changes at the Federal Trade Commission have enhanced privacy’s profile within the agency.  Jessica Rich is the new Deputy Director of Consumer Protection.  Ms. Rich has been the Acting Associate Director responsible for the Division of Privacy and Identity Protection following nearly a decade as Assistant Director for the Division.  Rich has long been seen as the FTC’s staff’s privacy thought leader.  The new Privacy Division Associate Director is Maneesha Mithal.  Ms. Mithal brings a strong international background to the position.  The new Assistant Director is ...

Time 2 Minute Read

On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions.  The vzbv sent warning notices to the six leading social network providers regarding a number of clauses.

The main criticism from vzbv referred to ...

Time 2 Minute Read

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

Time 2 Minute Read

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page