Briefing Room
PR Agency Settles FTC Charges Based on Endorsement Guides
A PR agency will settle FTC charges that the agency's reviews about its clients' apps on the iTunes store were deceptive advertising. The FTC complaint alleged that the reviews were couched as "independent reviews reflecting the views of ordinary consumers." According to the FTC: the PR agency was not independent, but instead was paid to promote the apps and, in some instances, paid a percentage of sales; and the PR agency's posts did not contain any disclosure about the connection between the agency and its clients.
A Zombie of a Lawsuit
A lawsuit filed recently in the U.S. District Court in Central California calls out many media web sites (such as MTV, ESPN, MySpace, Hulu, ABC and NBC) for their use of so-called zombie cookies. Quantcast, creator of the zombies, is also named in the suit, which alleges that companies using the technology violated federal computer intrusion laws, eavesdropping and hacking laws in addition to state and federal fair trade laws by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users. The suit seeks class-action status.
U.S. Second Circuit Court of Appeals rules FCC's "Indecency Rule" violates the First Amendment
In a decision issued in Fox Television Stations, Inc. v. FCC on July 13, the U.S. Second Circuit Court of Appeals ruled that the Federal Communications Commission’s ("FCC's") policies on broadcast indecency -- collectively, the "Indecency Rule" -- are unconstitutionally vague and violate the First Amendment. The three-judge panel (Leval, Pooler and Hall) found that the Indecency Rule lacked "reliable guidance" and "chills a vast amount of protected speech dealing with some of the most important and universal themes in art and literature."
Mexico Enacts Data Privacy Law
After nearly ten years of being held up in political wrangling, the Mexican federal legislature passed the "Federal Law Protecting Personal Data in Private Possession," effective July 6, 2010. Key provisions include data breach notification obligations and data subjects' right to access their data and challenge its use. The statute imposes financial penalties and potential imprisonment for mishandling of personal data. Infractions involving "sensitive" personal information (e.g., ethnicity, health information, etc.) subject offenders to heightened penalties, with fines of up to $2.4 million.
Twitter Settlement of FTC Charges: Lessons All Companies Should Learn
In May 2009 hackers were able to access certain administrative controls of the popular social networking site Twitter using password-guessing software and other techniques. The FTC opened an inquiry resulting in a complaint, and a proposed consent order was announced June 24, 2010. The FTC complaint alleged that Twitter engaged in deceptive practices by making statements in its privacy policy that it uses reasonable and appropriate security measures to protect against unauthorized access to nonpublic user information when it in fact failed to do so. Significantly, the FTC was concerned with not only the security of sensitive data but all non-public information, including non-public tweets. This appears to signal increased scrutiny with regard to all personal information a website collects and stores regarding consumers, at least in the social networking space, even where credit cards, social security numbers and similar types of sensitive data are not at issue.
AT&T Bug Discloses 114,000 iPad Owners' E-mail Addresses
A glitch in AT&T's web site has exposed the e-mail addresses of more than 100,000 iPad buyers. The data was downloaded by a hacking group known as Goatse Security, which obtained the information after stumbling upon a program on AT&T's web site that would send back the iPad user's e-mail address when given a unique SIM card identification number known as an ICC-ID (Integrated Circuit Card Identifier). By guessing ICC-ID numbers, the hackers were able to download 114,000 e-mail addresses, according to the web site Gawker, which reported the news on Wednesday.
Two Potential Class Actions Filed Against Facebook
In the last week of May, two potential class actions were filed against Facebook in California federal district court. In the first of the complaints, David Gould of South Lake Tahoe alleges that Facebook violated its privacy policy by disclosing to advertisers personal information about users who click on ads, including real names, current cities, attended schools and friends lists. Specifically, the complaint alleges that Facebook provides advertisers with “referrer headers” that, once received by the advertisers, allow advertisers to “simply navigate back to the specific user’s profile and obtain any personal information the user has made publicly available.” The complaint alleges that this is in breach of Facebook’s contract with its users because Facebook’s privacy policy states that it does not disclose user information to advertisers without that user’s consent.
FTC Delays Enforcement of Red Flags Rule Yet Again
On November 7, 2007 the Federal Trade Commission, the federal bank regulatory agencies, and the National Credit Union Administration published a notice that finalized the Red Flags Rule ("Rule"), 16 C.F.R. Part 681.2, pursuant to authority created by the Fair and Accurate Credit Transactions Act of 2003. The Rule requires financial institutions and creditors with covered accounts to develop and implement written identity theft protection programs that identify, detect, and respond to any ...
Social Networking Web Sites Inadvertently Sent Personal Info to Advertisers
A recent Wall Street Journal news report describes how some of the major social networking web sites, including Digg, Facebook and MySpace, have been sending certain personal information to advertisers when a user clicks an advertisement on the sites. The issue arises because of the use of the HTTP "referrer" header -- a standard data element included with web page requests that includes the URL of the web page on which the user clicked a link. The web site to which the user is redirected (in this case, the advertiser) is provided with this "referrer" header information indicating the user's previous web page (in this case, a social networking profile page).
Proposed Federal Online Privacy Bill Released
For the past couple of years, website companies, advertisers, internet service providers and privacy advocacy groups have been anxiously anticipating sweeping online privacy legislation from Representative Rick Boucher (D. Va.). On May 4, 2010, Representatives Boucher and Cliff Stearns (R. Fla.) unveiled a proposed bill which, if enacted, would create dramatic new regulations governing the collection, use and disclosure of certain personally identifiable information (PII), both online and offline. This bill, if enacted as currently written, will impact essentially every website and every company that engages in targeted marketing.
Copiers May Store Digital Copies On Internal Hard Drives
Many copy machines made after 2002 do more than just make copies; they store a digital version of all recent photocopies, scans, or emails on a local hard drive. Recent examples have come to light in which sensitive data has ended up in the wrong hands.
LifeLock to Pay $12 Million to Settle Charges It Made False Claims
Identity theft protection service LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 states (including California, Florida, Illinois, New York and Texas) to settle charges that the company used false claims to promote its identity theft protection services. Since 2006, LifeLock’s ads have claimed that it could "prevent" identity theft for consumers willing to sign up for its $10-a-month service. LifeLock famously advertised these services by displaying its CEO’s actual Social Security number.
Washington State Passes Retailer Breach Liability Statute
On March 22, Washington became the second state to pass a statute allowing banks to recover certain costs and damages from retailers and card processors that suffer a data breach if the retailer or processor was not in compliance with the PCI (Payment Card Industry) standards. Only large retailers and card processors are included in the scope of the law – those processing more than 6 million payment card transactions per year. The statute also exempts entities from liability if the card ...
FTC Increases Scrutiny of Consumer Privacy Protection in Cloud Computing
In December of 2009, the Federal Trade Commission (FTC) announced plans to consider stronger regulation of consumer privacy online [FTC December Roundtable]. On March 16, outgoing FTC Commissioner, Pamela Jones Harbour, reconfirmed the FTC’s plans by accusing Google, Facebook, and Microsoft of failing to provide an adequate level of consumer privacy protection online. Commissioner Harbour stated, “I am especially concerned that technology companies are learning harmful lessons from each other’s attempts to push the privacy envelope.”
Updated EU Standard Contractual Clauses for the Transfer of Personal Data Have "Important Advantages"
On February 5, 2010, the European Commission ("EC") adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside of the EU. Despite the growing popularity of other mechanisms that provide a legal basis for complying with the EU legal restrictions for transferring personal data outside the EU (such as binding corporate rules), the use of SCCs remains important. Since the EU published its set of ...
Illinois Court Holds that FACTA Does Not Cover Electronic Purchase Confirmations
In 2003, Congress amended the Fair Credit Reporting Act by enacting the Fair and Accurate Credit Transactions Act (“FACTA”). FACTA prohibited merchants that accept credit cards from printing more than the last five digits of the card number or the expiration date on any receipt at the point of the sale or transaction. Many class action lawsuits were subsequently filed seeking the statutory damages provided by FACTA. Because of the high number of lawsuits filed and the ambiguity regarding whether FACTA prohibited the mere printing of a card’s expiration date, in 2008 Congress passed the Credit and Debit Card Receipt Clarification Act (“CDCRCA”) to shield merchants that had included expiration dates on receipts prior to June 3, 2008 from FACTA liability.
Heartland Payment Systems to Settle Visa-Related Claims for $60 Million
The fallout continues following the large-scale compromise of financial account information at Heartland Payment Systems. Last week, Heartland announced in its 8-K SEC filing that it had reached a settlement with Visa and Visa payment card-issuing banks affected by the breach. Under the settlement, Heartland will pay a maximum of $60 million to those entities and to settle fines previously imposed on Heartland by Visa. The breach was announced by Heartland last January and was reportedly ...
FTC Seeks Public Comment on iSafe’s Proposed Guidelines for Compliance with the Children’s Online Privacy Protection Rule
On January 6, 2010, the Federal Trade Commission (“FTC”) announced that it is seeking public comment on proposed guidelines submitted by the non-profit iSAFE, Inc. that are designed to foster compliance with the FTC’s Children’s Online Privacy Protection Rule (the “Rule”).
Supreme Court to Review Text Message Privacy Case
The Supreme Court has agreed to hear a case regarding employees' constitutional privacy rights with respect to text messages sent from an employer-paid mobile or pager device. In City of Ontario v. Quon, members of the city's SWAT team were given pagers with a limited number of employer paid text messages. The employees were told that they would be financially responsible for any texts over the monthly allowance. The city of Ontario had a formal policy reserving the right to monitor ...
House Passes Data Security Legislation – Will the Senate Be Next?
On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the "Data Accountability and Trust Act," (“DATA”) which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud. The proposed legislation has three primary goals:
The Five Most Dishonest Online Tracking Practices
A recent Fast Company interview with two supporters of online privacy – Jules Polonetsky (co-chair and director of the Future of Privacy Forum) and Ari Schwartz (vice president and CEO of the Center for Democracy and Technology) – discussed techniques that are used to track consumers online. Polonetsky and Schwartz listed what they consider to be the five most dishonest tracking practices as:
Court Holds That Metadata Is a Matter of Public Record
Companies and anyone else submitting electronic documents to any government entity should always be aware of the metadata contained in any document submitted, but a recent court case emphasizes the importance of this. In the case of Lake v. City of Phoenix, Arizona's Supreme Court recently ruled that electronic metadata is part of the public record. At issue in the employment discrimination case was whether a work performance document was backdated. The defendant, the city of Phoenix, argued that metadata, including digital information that can reveal when a document was created, accessed, and modified, was not part of the public record and releasing it would result in an "administrative nightmare." The court responded by stating that documents could be easily produced in native, electronic format, rather than printed. The court held that if a public entity maintains a public record in electronic format, then the electronic version, including embedded metadata, is subject to disclosure.
Federal Agencies Release Final Model Privacy Notice for Financial Institutions
On November 17, eight federal regulatory agencies (the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission (“FTC”), National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission) released a final model privacy notice they jointly developed, in an effort to make it easier for consumers to understand how financial institutions collect and share information about them.
EU To Regulate Use of Cookies
A recent development in EU law has caught the attention of the Internet business community -- a requirement that a web site obtain consent of a user when using cookies on the user's computer if the cookies relate to the user's "personal data." Interpreted broadly, the requirement could apply to a wide variety of web sites.
Iconix Brand Group Settles Charges Its Apparel Web Sites Violated COPPA
Iconix Brand Group, Inc. (“Iconix”) has agreed to pay a $250,000 civil penalty to settle the Federal Trade Commission’s (“FTC”) charges that Iconix violated the Children’s Online Privacy Protection Act of 1998 (COPPA) and the FTC’s implementing rules and regulations, as well as the Federal Trade Commission Act (“FTC Act”) by knowingly collecting, using, or disclosing personal information from children without first obtaining their parents’ permission, despite a posted privacy notice to the contrary.
House Cyber Panel Chair Suggests a National Data Breach Law
Rep. Yvette Clarke, the Brooklyn, N.Y., Democrat who chairs the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, says she hopes to hold hearings on what she calls the National Data Breach Law either later this year or in early 2010.
FTC settles with six companies claiming to comply with Safe Harbor program
Six (6) companies in the United States have agreed to a settlement with the Federal Trade Commission ("FTC") in connection with charges that they deceived consumers by falsely claiming they were abiding by an international privacy framework that provides a means for U.S. companies to transfer data from the European Union to the United States in keeping with EU and U.S. law. According to six (6) separate complaints filed by the FTC, the six (6) companies deceptively claimed they held current ...
Survey: Two-thirds of Americans Object to Online Tracking by Web Sites and Advertisers
A recent survey conducted by professors at the University of Pennsylvania and the University of California, Berkeley revealed that two-thirds of Americans object to online tracking by web sites and advertisers. That number increased even more when participants learned the ways in which they were being tracked. Because this study is believed to be the first independent national telephone survey on the topic, it has garnered widespread attention. Representative Rick Boucher (Virginia ...
Malware Threatens Consumer Privacy, As Well As Media Companies and Their Reputations
Malware is being deployed at alarming rates through unknowing online content providers and media and advertising companies. The latest trend is for hackers to pose as media and advertising companies and place online advertising on popular sites. This "malvertising" works by camouflaging malicious code as harmless online advertisements, which then lead to harmful or deceptive content. Commonly, the ads offer rogue security software, or "scareware," which falsely claims to detect or prevent ...
FTC Publishes Final Guides Governing Endorsements and Testimonials
On Friday, October 2, the FTC published its Final Guides Governing Endorsements & Testimonials. The new Guides will be effective December 1, 2009 and will replace the Endorsement & Testimonial Guides that have existed since 1980. The new Guides are pretty close to the proposed Guides that were commented on in 2007 and 2008 (but the Federal Register comments that were released on Friday give more examples and discussion).
Bank May Have Breached Duty to Protect Account by Failing to Use Multi-Factor Authentication
A bank that failed to use "multi-factor" authentication (as opposed to only usernames and passwords) may have breached its duty to provide online account security owed to the plaintiff individuals whose home equity line of credit account was breached by a hacker. The U.S. District Court for the Northern District of Illinois denied summary judgment to the defendant, Citizens Financial Bank ("Citizens"), on the negligence claim (although the Court granted summary judgment to Citizens on ...
FTC Amendments to Telemarketing Sales Rule Prohibiting Certain Prerecorded Calls Effective September 1
As of September 1, 2009, prerecorded commercial telemarketing calls to consumers, or "robocalls," will be prohibited under the Telemarketing Sales Rule ("TSR"), unless the telemarketer has obtained prior written permission from consumers that explicitly states that they would like to receive such calls. This change is part of the FTC's August 2008 amendments to the TSR. In sum, the amendment prohibits telemarketing calls placed on and after September 1, 2009, that deliver prerecorded messages, whether such calls are answered in person by a live consumer or by an answering machine or voicemail service, and regardless of whether or not the consumer has previously done business with the seller and whether or not the number called is listed on the Do Not Call Registry. Thus, under the new rule an "established business relationship" is no longer sufficient basis to place a prerecorded call to a consumer. Penalties may be up to $16,000 per call.
Privacy Concerns Over Proposed U.S. Web-Tracking Plan
Many believe that were it not for the Internet, Barack Obama would not be president. It seems only natural then that Obama would change the way the president of the United States governs by utilizing Web 2.0 technologies with the hope of increasing citizen participation in government. A two-week public comment period on such a proposal ended on Monday, August 10, 2009. Federal agencies’ websites have been banned from using web tracking technologies such as persistent cookies since June 2000. The Obama administration proposes to remove the ban, stating that in the past nine years “cookies have become a staple of most commercial websites with widespread public acceptance of their use.” They cite websites’ “shopping carts” as an example of widespread cookie use and acceptance.
MMA Releases Consumer Best Practices Guidelines Update
On July 1, 2009, the Mobile Marketing Association ("MMA") issued the latest update to its "Consumer Best Practices Guidelines" -- the industry standard for mobile marketing. The new guidelines (the full version of which can be accessed here: http://www.mmaglobal.com/bestpractices.pdf) are, at over 100 pages, significantly longer and more comprehensive than the last version, which weighed in at a mere 21 pages in December, 2008. Most of this bulk can be attributed to the inclusion, for the first time, of individual "carrier playbooks" -- the codes of conduct of the four largest mobile carriers in the U.S. (Verizon, AT&T, Sprint and T-Mobile). The revised guidelines also contain new guidance on: (a) the PIN placement requirement for opt-in confirmation messages, (b) STOP and HELP functionality, (c) cross carrier standardization of "Msg&Data Rates May Apply" language (MMA now recommends ditching the antiquated "Standard Rates May Apply" in favor of this new language), (d) pre-checking "click-wrap" consents to Terms & Conditions, and (e) required initial (pre-opt-in) disclosures.
Massachusetts Amends Security Regulations: Delays Effective Date
On August 17, 2009 the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) again revised its data security regulations and delayed enforcement until March 1, 2010. According to OCABR, the new regulations are designed to make clear that companies should take a risk-based approach to data security. The new language requires security safeguards that are appropriate to the size, scope, and type of business handling the information, the resources available to the business, the ...
Does the Arbitration Provision in Your Web Site Terms of Use Need an Update?
One of the largest U.S. administrators of consumer arbitrations, the National Arbitration Forum ("NAF"), recently announced that it will stop administering consumer arbitration disputes as part of a settlement agreement with the Minnesota Attorney General's Office. As of July 24, 2009, the NAF will stop accepting any new consumer arbitrations for the following types of disputes: (i) debts in credit-card, (ii) healthcare, (iii) telecommunications, (iv) utilities, (v) mortgages, and (vi) consumer leases.
Sen. Leahy Hopes Third Time is a Charm with Latest Federal Privacy/Security Bill
Senator Patrick Leahy (D-Vt.) is trying for a third time to convince Congress that the U.S. needs a national data breach standard through the Personal Data Privacy and Security Act of 2009. Senate Bill 1490 was introduced on July 22, 2009, and like its predecessors, it would preempt 45 states' laws and set standards for data breach notification and require organizations that maintain personal data of Americans to establish an internal security program to protect that data. For example, the bill would require internal testing “to ensure that third parties or customers who are authorized to access this information have a valid legal reason for accessing or acquiring the information.” The bill would also require the government to establish privacy and security rules for using commercial data brokers and to conduct audits of contractors.
New Maine Statute Regulates Collection and Use of Minors' Personal Information
Maine recently enacted a marketing statute (which becomes effective September 11, 2009) regulating the collection of "personal information" and "health information" from minors for marketing purposes. "Personal information" is broadly defined to include individually identifiable information (e.g., name, address, e-mail address or SSN). "Health information" is also broadly defined as any information about an individual relating to health, nutrition, drug or medication use, physical or bodily condition, mental health, medical history, medical insurance coverage or claims or similar data.
Court Rules IP Addresses Are Not Personally Identifiable Information
In a putative class action suit against Microsoft relating to anti-piracy tools built into its Windows operating system (Johnson v. Microsoft Corp., W.D. Wash., No. 06-0900), a Washington federal district court held that IP addresses are not "personally identifiable information." The issue arose in a summary judgment motion on the plaintiff's claim that Microsoft violated the contract between the consumer plaintiffs and Microsoft – that contract was the End User License Agreement ("EULA") that consumers must agree to when first using Microsoft Windows XP.
The Ninth Circuit Holds Text Messages are "calls" subject to the TCPA
In an opinion filed on June 19, 2009 the Ninth Circuit, granting deference to the Federal Communications Commission's rules and regulations, held that text messages are "calls" subject to the Telephone Consumer Protection Act (“TCPA”). Therefore, the court held that use of an automatic telephone dialing system (as defined in the TCPA) to send text messages is a violation of the TCPA unless the recipient provided express consent to receive the text messages. Satterfield v. Simon ...
New Federal Gift Card Regulation
Congress recently passed a new law that limits service charges and expiration dates retailers and other issuers of consumer gift cards can impose on consumer gift cards. It also has certain disclosure requirements that issuers must put on their gift cards if the cards carry service fees or an expiration date. The new regulation, part of the Credit Card Act of 2009, goes into effect on August 22, 2010. The new law does not preempt any state regulation that provides more stringent limitations. Therefore, knowledge of the patchwork of state regulations is still necessary.
Sears Settles FTC Charges Regarding Tracking Software: Sears Failed to Disclose Adequately that Software Collected Consumers’ Sensitive Personal Information
The Federal Trade Commission announced that it is settling with Sears Holdings Management Corporation (owned by Sears, Roebuck and Company and Kmart Management Corporation) for Sears' alleged failure to adequately disclose the scope of its downloadable tracking software application. The FTC’s administrative complaint alleges that Sears' failure was deceptive and violates the FTC Act.
Can LifeLock Still Legally Provide Identity Theft Protection Services?
On May 18th, 2009, a federal district court judge ruled that LifeLock's fraud monitoring practices violate California law. LifeLock, a company that gained notoriety for publishing its CEO’s social security number in advertisements and offering a $1 million guarantee to reimburse the expenses of any customer who suffers losses from identity theft while subscribed to LifeLock, charges $120 a year to consumers to place fraud alerts on their credit profiles, among other services. Experian ...
Interactive Advertising Bureau Publishes List of Best Practices for Social Media Advertising
In May, 2009 the Interactive Advertising Bureau (“IAB”) published a list of best practices for social media advertising which address various topics including user privacy and key terms. The best practices are designed to help protect consumer privacy, provide clarity regarding the type of data being collected and how it is being used, and define consumer consent. In addition, the best practices are intended to promote the growth of social media advertising by giving advertisers and social networks a basic set of rules.
Ex-NCAA Quarterback Brings Class-Action Suit Against NCAA and Video Game Publisher for Violation of Rights of Publicity
Electronic Arts, Inc. (“EA”) and the National Collegiate Athletic Association (“NCAA”) have been sued by a former college football player who claims his and other athletes’ images are used in EA’s video games without authorization and in violation of NCAA rules, which forbid the commercial licensing of current NCAA athlete names, pictures or likenesses. Sam Keller, a former quarterback for Arizona State and Nebraska, filed a proposed class-action suit on May 5, 2009 in the U.S. District Court for the Northern District of California.
FTC Extends Red Flags Compliance Deadline
On the eve of the compliance deadline, the FTC granted [FTC Press Release] a three month extension to entities under its jurisdiction to comply with the 'Red Flags' Rule under the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"). The new deadline is extended from May 1, 2009 to August 1, 2009. The Red Flags Rule requires covered entities to develop and put into practice written programs to reduce the risks of identity theft to their customers. Covered entities include financial ...
House Subcommittee Reviews Privacy Practices of Cable and Internet Providers
Last Thursday, April 23, the Subcommittee on Communications, Technology and the Internet chaired by Rick Boucher, D-Va, held a hearing entitled “Communications Networks and Consumer Privacy: Recent Developments” that was aimed at the privacy practices of cable and Internet providers. Representatives from major companies including Comcast, Cox Communications and AT&T testified at the hearing. The hearing paves the way for the introduction of broad privacy legislation that would restrict the ability of providers to use behavioral advertising to target consumers online and on their television sets and offer more protections for consumers, including disclosures and requiring informed consent from consumers before employing such technology.
Should Companies Be Responsible for Ensuring the Legitimacy of Third Party Marketing Lists? Florida Attorney General Articulates New Due Diligence Standard
On April 8, 2009, Florida Attorney General Bill McCollum announced a settlement with a Pinellas County, Florida telemarketing firm, VICI Marketing LLC ("VICI") pertaining to VICI's alleged deceptive marketing practices and its use of consumer data that ultimately originated from confidential consumer data stolen from Certegy Check Services, Inc. in 2007 ("Certegy"). Under the terms of the settlement, Florida v. VICI Mktg. LLC, Fla. Cir. Ct., No. 09-6306, VICI is permanently enjoined from ...
Cybersecurity Bills Raise Privacy Concerns
Last week, two cybersecurity bills were introduced to the Senate: the Cybersecurity Act of 2009 and a bill creating an Office of the National Cybersecurity Advisor within the White House. Together, the two bills would give the federal government extraordinary power over public and private sector Internet services, applications and software.
Failure To Authenticate Identity as an Unfair Business Practice
A recent case brought by the FTC highlights the importance of properly identifying persons allowed remote access to corporate networks, and properly authenticating that identity. In U.S. v. Rental Research Services Inc., the FTC alleged that the defendant failed to employ reasonable and appropriate security policies and procedures to "verify or authenticate the identities and qualifications of prospective subscribers." The result was that credit reports were sold to identity thieves posing as legitimate companies who were granted access to the defendant's network based almost entirely on their own representations as to their identity.
Rodeo Group Must Pay $25k to Settle Case Related to Meritless Takedown Claims
Non-profit animal welfare group Showing Animals Respect and Kindness ("SHARK") announced recently that it has settled its copyright case against the Professional Rodeo Cowboys Association ("PRCA"), the world's largest rodeo-sanctioning organization. SHARK regularly videotapes rodeos in order to expose animal injuries, abuse and death, and had posted dozens of videos critical of PRCA on YouTube from 2006-2007. In response to takedown requests by PRCA related to 13 of the videos, YouTube disabled SHARK's entire account in late 2007. Although its account was later reinstated, SHARK filed suit in federal district court in Chicago in June, 2008, alleging that PRCA did not own the copyrights to the videos, and that PRCA had knowingly made false statements in its takedown claims in order to chill SHARK's efforts to raise public awareness.
Protecting Children's Privacy Online
To help parents better understand their children's online privacy rights, the Federal Trade Commission ("FTC") has developed a new article, Protecting Kids' Privacy. The article is posted at the following link: http://www.onguardonline.gov/topics/kids-privacy.aspx. OnGuardOnline.gov is a web site sponsored by the federal government and the technology industry to help users stay on guard against Internet fraud, secure their computers, and protect their personal information. ...
Report Identifies Top Recommended Data Security Controls
In February 2009, the Center for Strategic & International Studies, a group of federal agencies and private organizations, including the National Security Agency and the Department of Homeland Security, released for comment a draft Report titled "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance." The Report sets forth a list of the top 20 security controls that organizations should take to protect their computer systems. The guidelines are expected to become best practices for computer security. The 20 actions recommended in the guidelines are:
CVS Caremark Settles with FTC and CVS Pharmacy Settles Allegations of HIPAA Violations for $2.25 Million with HHS
The Federal Trade Commission ("FTC") and the Department of Health and Human Services Office for Civil Rights ("HHS") coordinated their investigations of CVS Caremark, which operates the largest pharmacy chain in the United States, for the pharmacies' alleged failure to protect personal information of customers, employees, and employee job applicants. The FTC and HHS opened their investigations following media reports that CVS pharmacies were dumping items that contained personal information, including pill bottles, employee applications, payroll information, insurance information, credit card information, and HIPAA protected medical information, into open dumpsters. After coordinated efforts, the FTC and HHS reached settlements with CVS Caremark on February 18, 2009.
FTC Staff Revises Online Behavioral Advertising Principles
On February 12, 2009, as a result of its ongoing examination of this area, the Federal Trade Commission issued a report revising and clarifying the four proposed principles for online behavioral advertising. Because of significant industry concern about the principles' scope, the report clarifies that the privacy principles should provide protection for any data that reasonably can be associated with a particular consumer or computer or other device. Also, the report clarifies that "first party" and "contextual" advertising, which generally involves a site's collection of information to deliver ads on the same site and does not involve sharing information with third parties or involves little or no data storage, does not fall within the principles' scope. These activities, of course, still require compliance with privacy laws in general.
Facebook Sues Owners of Power.com
Facebook has filed a lawsuit against the company owning Power.com (http://power.com), a web site offering a social networking aggregation service. Users can create a Power.com account that can then be linked to social networking services such as MySpace, Orkut and Facebook, gathering and displaying in a single web site a user's information from each of the social networking sites.
VA to Pay $20 Million To Settle Lawsuit Over Stolen Laptop
The Veterans Affairs Department ("VA") has agreed to pay $20 million to a group of current and former military personnel to settle a class-action lawsuit. The suit, which was filed in U.S. District Court in Washington, D.C. by five veterans groups, arises from a 2006 data breach.
Wildman Harrold Launches Privacy Resource Center
In recognition of the increasingly complex web of privacy laws and regulations which confront today's businesses, in-house counsel, and others charged with managing privacy and data security each day, Wildman Harrold has created a portal of information to help users locate practical information to better understand and keep track of a myriad of privacy laws.
Department of Homeland Security Privacy Practices Guidelines Released
On December 29, 2009, the Department of Homeland Security ("DHS") released a privacy policy guidance memorandum memorializing the Fair Information Practice Principles ("FIPPs") as the foundational basis for its privacy compliance policies and procedures governing the use, collection and dissemination of personally identifiable information ("PII"). According to the memorandum, DHS uses the eight FIPPs in the evaluation and consideration of its systems, processes, and programs that impact individual privacy. The memorandum provides an outline of the eight principles of the FIPPs, which are derived from the Privacy Act of 1974 and reflected in the laws and regulations of many states, foreign nations and international organizations.
The eight principles include the following:
California Appeal Court Holds that ZIP Codes Are Not Personal Identification Information
In September, 2007, Rebecca J. Palmer filed a class action suit alleging that Party City’s request for her five-digit ZIP code to process a credit card transaction violated California’s Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (“Act”). See Party City Corp. v. The Superior Court of San Diego County. The Act prohibits retailers from collecting personal information as a requirement to conduct credit card transactions. Under the Act ...
FTC Recommends Broad Changes in the Use of Social Security Numbers
The Federal Trade Commission (“FTC”) recently released a report, Security in Numbers: SSNs and Identity Theft (“Report”), which made several strong recommendations for changing the way Social Security numbers (“SSNs”) are used by the private sector and called for national legislation and federal enforcement to back its suggestions. Because SSNs are the most widely-held type of both permanent and unique information that most Americans have to identify ...
Ads Overstating Security of Voice Mail Cost AT&T and T-Mobile Over $70,000 in Fines
The Los Angeles District Attorney brought charges against AT&T and T-Mobile for their ads stating that their voice mail systems were safe from sabotage. Law enforcement authorities who purchased cell phones with these providers' services could easily hack into the voice mail systems to listen to, change, and erase messages. Phony information could also be inserted. The providers agreed to settle the case, even though a spoofing system - illegal in several states - was used to hack into the ...
Largest COPPA Settlement Yet Shows Importance of Following Privacy Policy and Screening for Age
The FTC announced on December 11, 2008, that Sony BMG Music Entertainment ("Sony Music") agreed to pay out the largest sum yet to settle charges of COPPA violations. The claims alleged that Sony Music failed to follow its Privacy Policy and accepted registration of and provided online services to over 30,000 children under age 13. Sony Music maintains a number of web sites promoting its artists, many of which require registration to use the features, such as creating fan pages and profiles to interact with others. Registration often requires various information, including full name, e-mail address, gender, mobile phone number and date of birth. Allegedly, over 30,000 users submitted birth dates making them under 13 and used the sites, despite the Privacy Policy stating that those under 13 would be restricted from participating in Sony Music's online activities. Under the consent decree, Sony Music agreed to pay $1 million, as well as delete all of the children's information, provide specific and somewhat lengthy notices about protecting children's privacy on their sites for the next five years, undertake specific internal educational measures about online privacy, and various other tasks.
Contested New Hampshire Prescriber Data Bill Upheld in Federal Court
In June of 2006, New Hampshire passed the first state law to restrict the use of prescription data, HB 1346, the Prescription Information Confidentiality Act (Ch. 328)[1]. The law regulated any records "relative to prescription information containing patient-identifiable and prescriber-identifiable data" from being licensed, transferred, used or sold for any "commercial purpose", which is broadly defined under the statute to include any activity that could be used to "influence sales or market ...
Collection of Identifying Information for Behavioral Advertising Sparks Class Action Lawsuit
On November 11, 2008, fifteen Internet users filed a class action lawsuit in federal court in San Jose, CA against NebuAd, Inc., its subsidiary Fair Eagle, Inc. and six Internet service providers ("ISPs"), Bresnan Communications, Cable One, CenturyTel, Embarq, Knology and WOW! The allegations include violations of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the California Invasion of Privacy Act, and California's Computer Crime Law.
New York State Consumer Protection Board's Guide To Managing Personal Information
The New York State Consumer Protection Board ("CPB") released a business guide ("Guide") in October 2008 to help New York businesses understand the significance of safeguarding customer and employee personal information. Specifically, the CPB recommends that businesses abide by "four core principles" to protect personal information: (1) Identify, (2) Secure, (3) Educate and (4) Plan.
The MySpace Cyberbullying Case: Why This Case Could Matter to Your Company and Its Web Site Practices
Would you be surprised to learn that someone can commit a federal crime just by not following your company's web site documents, such as your web site's terms of use/terms of service? This is the question that is currently at issue in United States of America v. Lori Drew, Case No. CR08-00582 (C.D. Cal. May 15, 2008) that was filed in Federal Court in the Central District of California for Lori Drew's alleged role in a MySpace online hoax on a 13-year-old girl who later committed suicide.
FTC Delays Enforcement of Red Flag Rule until May 1, 2009
On November 7, 2007 the Federal Trade Commission, the federal bank regulatory agencies, and the National Credit Union Administration published a notice that finalized the Red Flags Rule ("Rule"), 16 C.F.R. Part 681.2, pursuant to authority created by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The Rule came into effect on January 1, 2008, but full compliance was delayed until November 1, 2008.

