
Privacy Law Blog

The French Data Protection Authority Fines Google for Breach of French Privacy Laws

Posted in Data Privacy Laws, European Union, Online Privacy

After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. On January 3, 2014, the French DPA (“CNIL”) issued a decision ruling that Google’s privacy policy did not comply with French data protection law and imposed a fine of €150,000 (http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/). Google has appealed the CNIL’s decision.

Second Circuit Ruling Opens Door to Telephone Consumer Protection Act Class Actions in New York

Posted in TCPA

Based on a December 3rd decision by the Second Circuit Court of Appeals, class actions under the Telephone Consumer Protection Act (TCPA) can now be brought in New York federal court. This decision marks a reversal of Second Circuit precedent, and will likely increase the number of TCPA class actions being filed in New York. Companies should review their telemarketing practices and procedures in light of the potential statutory penalties under the TCPA.


BBB Warns Advertisers and Web Publishers to Take Responsibility for Behavioral Advertising Disclosures

Posted in Behavioral Marketing

The Better Business Bureau (“BBB”) and the Direct Marketing Association (“DMA”) are in charge of enforcing the ad industry’s Self Regulatory Principles for Online Behavioral Advertising (“OBA Principles”), which regulate the online behavioral advertising activities of both advertisers and publishers (that is, web sites on which behaviorally-targeted ads are displayed or from which user data is collected and used to target ads elsewhere). Among other things, the OBA Principles provide consumers transparency about the collection and use of their Internet usage data for behavioral advertising purposes. Specifically, the “Transparency Principle” requires links to informational disclosures on both: (i) online behaviorally-targeted advertisements themselves, and (ii) webpages that display behaviorally-targeted ads or that collect data for use by non-affiliated third parties for behavioral advertising purposes. The “Consumer Control Principle” requires that consumers be given a means to opt-out of behavioral advertising.

Through its “Online Interest-Based Advertising Accountability Program”, the BBB recently enforced the OBA Principles in a series of actions, some with implications for publishers and some with implications for advertisers.

Jeremy Mittman Quoted by Law360 and Politico on International Privacy Matters

Posted in Articles

An article published by Law360 last week quoted Jeremy Mittman, co-Chair of Proskauer’s International Privacy Group and a member of the firm’s International Labor Group, on the data protection reform legislation recently passed by the European Parliament and the difficulties multinational companies face in complying with both EU and U.S. privacy laws.

Jeremy was also asked to comment on the EU-U.S. Safe Harbor Program in an article published by Politico on November 7. The article mentions Jeremy’s experience drafting Safe Harbor certifications and EU model contracts.

Where do we stand on the territorial scope of EU data protection law following the recent European Parliament vote?

Posted in Data Privacy Laws, European Union, Legislation, Online Privacy

The territorial scope of the current EU Directive 95/46 is still under dispute both before national courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of the future data protection regulation, which may modify and expand the territorial scope of EU data privacy law, especially following the recent vote of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs. The following is meant to help determine the current state of affairs regarding the territorial (and extraterritorial) scope of the future EU law following this vote.

Article 29 Working Party Provides Guidance on Obtaining Valid Cookie Consent in the EU

Posted in European Union, International, Uncategorized

This past month, the European Union’s Article 29 Data Protection Working Party (the “Working Party”) issued Working Document 02/2013 providing new guidance on obtaining consent for cookies (the “Working Document”). The Working Document sets forth various mechanisms that websites can use to obtain consent for the use of cookies in compliance with the legal requirements of all EU Member States.

The amended e-Privacy Directive 2002/58/EC, adopted in 2009 and implemented in all EU Member States, requires website operators to obtain users’ consent for the use of cookies or similar tracking technologies. The Working Document elaborates on the Working Party’s prior position, in particular its Opinion of July 13, 2011 on the concept of consent. Specifically, if a website operator wants to ensure that a consent mechanism satisfies the requirements of every EU Member State, the mechanism should include each of four main elements: (1) specific information, (2) prior consent, (3) an indication of wishes expressed by the user’s active behavior and (4) an ability to choose freely.

Specific Information: The Working Party states that websites should implement a mechanism that provides for “a clear, comprehensive and visible notice on the use of cookies, at the time and place where consent is sought.” Users must be able to access all necessary information about the different types or purposes of cookies being used by the website.

The Working Document indicates that the necessary information includes:

  • identification of all of the types of cookies used;
  • the purpose(s) of the cookies;
  • if relevant, an indication of possible cookies from third parties;
  • if relevant, third party access to data collected by the cookies;
  • the data retention period (i.e. the cookie expiry date); and
  • typical values and other technical information.

Users must also be informed about the ways that they can accept all, some or no cookies and how to change their cookie settings in the future.

Timing: Consent must be obtained before data processing begins, i.e. on the entry page. The Working Party recommends that websites implement a consent solution in which no cookies are set on a user’s device (other than those that fall under an exemption and thus do not require the user’s consent) until that user has provided consent.

Active Behavior: The Working Party indicates that valid consent must be given through a “positive action or other active behavior”, provided that the user has been fully informed that cookies will be set as a result of that action. Passive use of a website containing a link to additional cookie information is not likely to be sufficient. Examples provided by the Working Party include (i) clicking on a button or link, (ii) ticking a box in or close to the space where the information is presented or (iii) any other active behavior from which a website can unambiguously conclude that the user intends to give specific and informed consent. The Working Party also confirmed its previously issued view that browser settings may deliver valid and effective consent in certain limited circumstances: where the website operator is confident that the user has been fully informed and has actively configured the browser or other application to accept cookies, that configuration would signify active behavior.

Real Choice: The Working Document provides that websites should present users with a real and meaningful choice regarding cookies on the entry page. This choice should allow users to decline all or some cookies and to change their cookie settings in the future. The Working Document also clarifies that websites should not make general access to the website conditional on the acceptance of all cookies, although it notes that access to “specific content” could in some circumstances be made conditional.
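The four elements above amount to a gate in front of every cookie write: exempt cookies pass, everything else waits for a decision taken by an active user gesture, and the decision can be withdrawn later. The following JavaScript is an added illustration, not code from the Working Party or from this post. The category table, the class and function names, and the in-memory cookie jar (which stands in for document.cookie so the code runs outside a browser) are this example’s own assumptions.

```javascript
// Added example: a cookie consent gate modelled on the Working Document's
// four elements (specific information, prior consent, active behavior,
// real choice). Names and categories are this example's own.

// Cookie categories and the disclosure shown in the entry-page notice.
// "exempt" marks cookies strictly necessary to deliver a service the user
// asked for, which need no consent under the e-Privacy Directive.
const COOKIE_CATEGORIES = {
  necessary:   { exempt: true,  purpose: "session and login state needed to serve the page", maxAge: 0, thirdParty: false },
  analytics:   { exempt: false, purpose: "first-party usage statistics", maxAge: 60 * 60 * 24 * 30, thirdParty: false },
  advertising: { exempt: false, purpose: "behavioural advertising by ad network partners", maxAge: 60 * 60 * 24 * 365, thirdParty: true },
};

// Consent only counts when it results from an active gesture; a page load or
// scrolling past the notice is passive use and is rejected.
const ACTIVE_SOURCES = new Set(["button-click", "link-click", "checkbox"]);

// In-memory store so the example runs without a browser.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, maxAge) { this.cookies.set(name, { value, maxAge }); }
  remove(name) { this.cookies.delete(name); }
  has(name) { return this.cookies.has(name); }
}

// Same interface over document.cookie for use in a real page (not exercised here).
function documentCookieJar() {
  return {
    set: (name, value, maxAge) => {
      document.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
    },
    remove: (name) => { document.cookie = `${name}=; Max-Age=0; Path=/`; },
    has: (name) => document.cookie.split("; ").some((c) => c.startsWith(`${name}=`)),
  };
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.choices = null;            // null until the user has acted ("prior consent")
    this.deferred = [];             // non-exempt cookies requested before any decision
    this.setByCategory = new Map(); // category -> Set of cookie names, for withdrawal
  }

  // "Specific information": one line per category for the entry-page notice,
  // covering purpose, expiry and third-party sharing.
  notice() {
    return Object.entries(COOKIE_CATEGORIES).map(([cat, m]) =>
      `${cat}: ${m.purpose}; ` +
      (m.exempt ? "no consent needed" : `expires after ${m.maxAge}s`) +
      (m.thirdParty ? "; shared with third parties" : ""));
  }

  // Every cookie write goes through here. Returns "set", "deferred" or "declined".
  setCookie(name, value, category) {
    const meta = COOKIE_CATEGORIES[category];
    if (!meta) throw new Error(`unknown cookie category: ${category}`);
    if (meta.exempt) { this.jar.set(name, value, meta.maxAge); return "set"; }
    if (this.choices === null) { this.deferred.push({ name, value, category }); return "deferred"; }
    if (!this.choices[category]) return "declined";
    this.jar.set(name, value, meta.maxAge);
    if (!this.setByCategory.has(category)) this.setByCategory.set(category, new Set());
    this.setByCategory.get(category).add(name);
    return "set";
  }

  // "Active behavior" and "real choice": record a per-category decision that
  // came from a user gesture, then flush the cookies deferred until now.
  record(choices, source) {
    if (!ACTIVE_SOURCES.has(source)) {
      throw new Error(`consent must come from an active user gesture, got: ${source}`);
    }
    this.choices = {};
    for (const [cat, meta] of Object.entries(COOKIE_CATEGORIES)) {
      if (!meta.exempt) this.choices[cat] = choices[cat] === true;
    }
    const pending = this.deferred;
    this.deferred = [];
    const outcome = {};
    for (const c of pending) outcome[c.name] = this.setCookie(c.name, c.value, c.category);
    return outcome;
  }

  // The choice must be changeable later: withdrawing a category removes the
  // cookies already set under it and blocks new ones. Returns the count removed.
  withdraw(category) {
    if (this.choices === null || !(category in this.choices)) return 0;
    this.choices[category] = false;
    const names = this.setByCategory.get(category) || new Set();
    for (const n of names) this.jar.remove(n);
    this.setByCategory.delete(category);
    return names.size;
  }
}
```

The point of routing every write through setCookie is that analytics or advertising scripts loaded on the entry page cannot drop a cookie before the user has acted; their writes are queued and only flushed by record(), which itself refuses anything that did not originate from a click or checkbox. A site that must make specific content conditional on a category can check gate.choices[category] at that point rather than at general entry.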

Although the Working Document is a welcome source of guidance providing further clarification on this thorny issue, it is clear that compliance with the European Union’s rules governing cookie consent will continue to provide challenges to companies seeking to conform their websites accordingly.

European Union Parliament Makes Progress on Adopting Proposed EU Data Protection Regulation

Posted in European Union

On October 21, a key European parliamentary committee (the Committee on Civil Liberties, Justice and Home Affairs (the “Committee”)) approved an amended version of the draft EU Data Protection Regulation, paving the way for further negotiations with the other EU legislative bodies. The goal, according to a press release by the Committee, is to reach a compromise on the draft and hold a vote before the May 2014 European Parliament elections. The proposed legislation (which passed in a 51-1 vote) contains a number of key concepts, including:

Right to Erasure:

Stronger than the previously worded “Right to be Forgotten”, the proposed legislation contains a “Right to Erasure”, under which a data subject could ask any entity holding his or her personal data to erase it. Moreover, if the personal data has been “replicated” with other entities, the data controller that receives the request must forward it to the other entities to which it has transferred the data subject’s personal data.

Increased Sanctions:  

The Committee voted to increase the penalties that could be levied on companies that violate the rules. Whereas the previous proposal capped penalties at 1 million euros or 2% of a company’s annual worldwide turnover, the Committee raised the proposed cap to 100 million euros or 5% of annual worldwide turnover, whichever is greater. This is a significant increase and illustrates the potentially expensive consequences of violating the data protection legislation.

Data transfers to non-EU countries:   

Specifically referencing the June 2013 Snowden disclosure of mass surveillance under the U.S. government’s PRISM program, the Committee proposed that if a company in the EU were requested to disclose personal data to a government located outside the EU, the company would need to seek specific authorization from the data protection authority in the relevant EU country before transferring any such personal data outside the EU. The new provision reflects the EU’s acute concern over this summer’s Snowden revelations.

Profiling:

The package adopted by the Committee includes a provision limiting the practice of profiling, i.e. “a practice used to analyze or predict a person’s performance at work, economic situation, location, health or behavior.” Under the Committee’s text, profiling would require the individual’s consent (such as consent given in a contract), and any individual would have the right to object to such profiling.

Although the Committee hopes to reach agreement with the other EU legislative bodies (including the national governments that make up the Council of the European Union) by May 2014, there is still a long road ahead before the new legislation is finalized and enacted. The contours of the proposed Regulation may change after further rounds of negotiation. However, the Committee’s recent proposals help to illuminate the direction in which the Regulation is heading.

California Amends Data Breach Notification Law

Posted in California, Data Privacy Laws

On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82). Effective January 1, 2014, the definition of “Personal Information” under the amended law is expanded to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Additionally, new notification options have been added to address a breach of this type of information.

New California Law Impacts Use of Information from Minors, Offers Right to Delete

Posted in California, Legislation, Online Privacy

Law Targets Sites and Mobile Apps Directed to Minors, Offers “Online Eraser”; Likely to Have Nationwide Effect

On July 1st of this year, new amendments to the Children’s Online Privacy Protection Act Rule (COPPA Rule) came into effect, with perhaps the most pronounced changes being the expansion of COPPA to apply to geolocation information and to persistent identifiers used in behavioral advertising. Critics called the amendments jumbled and labeled them a compliance headache, while privacy advocates were buoyed but thought the changes did not go far enough to protect the online privacy of children. Still others contended that federal law contains a gap that leaves teenage users without privacy protections.

Once again, the California state government has stepped up to fill what it perceives to be a void in federal online privacy protection, this time to address certain restrictions on the use of information collected from minors and to give minors an online “eraser” of sorts. In late September, Gov. Brown signed S.B.568, which expanded the privacy rights for California minors in the digital world.

“Minors”, by the way, are defined under the law as residents of California under age 18. This definition in itself is an expansion of the protections afforded to children under COPPA, which addresses the collection and use of information from children under 13. That is not the only way in which the new law goes beyond COPPA. The federal COPPA Rule is primarily concerned with mandating notice and parental consent mechanisms before qualifying sites or mobile apps can engage in certain data collection and tracking activities with respect to children under 13. The California statute’s marketing restrictions for minors contain no parental consent procedures; rather, they restrict covered web services directed to minors from marketing certain specified categories of products and activities that are illegal for individuals under 18 years of age.

As a practical matter, compliance with this law will require certain changes in the way website publishers collect and process user information. For example, it is much easier for online operators to determine whether their websites are directed to children under 13 than whether they are “directed to minors” under 18. Going forward, sites and apps will have to reevaluate their intended audience, as well as establish procedures for the case where a minor user self-reports his or her age, which gives the site actual knowledge that a minor is using its service.

S.B.568 has two principal parts:  minor marketing restrictions and the data “eraser.”

Marketing Restrictions: The new California law prohibits an operator of a website, online service or mobile app directed to minors, or one with actual knowledge that a minor is using its site or app, from marketing or advertising specified types of products or services to minors. The law also prohibits an operator from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. Moreover, the law makes this prohibition applicable to an advertising service that is notified by a covered operator that the site, service, or application is directed to minors. The statute lists 19 categories of prohibited content covered by the law’s marketing restrictions, including firearms, alcohol, tobacco, drug paraphernalia, vandalism tools and fireworks. Notably, the law does not require an operator to collect or retain the ages of users, and provides operators with a safe harbor for “reasonable actions in good faith” designed to avoid violations of the marketing restrictions.

Online Eraser: The second part of S.B. 568 requires operators of websites and applications that are directed to minors, or that know that a minor is using the site or application, to allow minors who are registered users to remove (or to request and obtain removal of) their own posted content. The operators must also provide notice and clear instructions to minors explaining their rights regarding removal of their own content. Notably, S.B. 568 does not require operators to completely delete the content from their servers; it only requires that the content no longer be visible to other users of the service and the public. There are certain exceptions to this “online eraser” right, such as where another provision of federal or state law requires the operator or a third party to maintain the content, the content is stored on or posted to the operator’s site or application by a third party, the operator anonymizes the content, the minor fails to follow the instructions regarding removal, or the minor has received “compensation or other consideration for providing the content.”

Both prongs of the law raise many questions:

  • How does a site or application owner determine whether it is covered by S.B.568? Under the statute, a website, online service, or mobile app “directed to minors” means an “Internet Web site, online service, online application, or mobile application, or a portion thereof, that is created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults.”
  • What will qualify for “reasonable actions in good faith” under the safe harbor?  What are the legal ramifications of an independent online ad network serving unlawful ads to minors without the knowledge of an otherwise compliant site operator?
  • How does a site implement the “eraser” function? With user tools to remove their own UGC, or will the site control the removal process via an online request form? Will a removal request necessarily cause the removal of other users’ content (e.g. social media postings of other users that comment on a removed comment or submitted photo)?
  • The online eraser right seemingly applies only to minors.  How should a site or app handle requests from adults wishing to remove content they posted when they were minors?  Should sites simply offer the tool to all users to avoid compliance issues?
  • What qualifies as “compensation or other consideration for providing the content” under the exceptions to the online eraser right? Would this include free products, coupon codes, or the right to receive exclusive ‘limited time’ offers?
  • What changes are required in the site’s privacy policies?

The law will come into effect on January 1, 2015. Any company with a website that can be accessed by California residents should assess the impact of these new requirements in the coming year. Considering that most, if not all, major websites and apps necessarily have or will have California-based users, this state law may become a de facto national standard, particularly since technical controls to screen or segregate California users may be unworkable.

[Incidentally, California also recently enacted a new law addressing online tracking, so it appears that the California legislature continues its focus on web privacy].

California Enacts New “Do Not Track” Disclosure Requirement Law for Websites

Posted in Legislation

On September 27, California Governor Jerry Brown signed a new privacy law that has significant repercussions for nearly every business in the United States that operates a commercial website or online service and collects “personally identifiable information” (which the law defines as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual.”). The new law goes into effect on January 1, 2014.

Under California’s existing Online Privacy Protection Act, a Web site or online service that collects PII about California residents already has the obligation to post a privacy policy, identify its effective date and describe how users are notified about changes to the policy, as well as identify the categories of PII that are collected and with whom such PII is shared.

Now, the new law, which passed both houses of the California Legislature unanimously, requires that all such Web sites disclose how they “respond to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of [PII] about an individual consumer’s online activities over time and across third-party Web sites or online services”, if such information is collected. The new law prescribes that operators can comply with this disclosure requirement by “providing a clear and conspicuous hyperlink” in the privacy policy that links to a description “of any protocol the operator follows that offers the consumer” the choice to opt out of internet tracking.

The legislative analysis of the law reveals that its purpose is to “increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps [and] will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal [which] will allow the consumer to make an informed decision about their use of the website or service.”

The analysis noted the rapid rise in online tracking of users’ web-surfing behavior as well as the California Attorney General’s observation that although “all the major browser companies have offered Do Not Track browser headers” that, if selected, can “signal to websites an individual’s choice not to be tracked, [t]here is, however, no legal requirement for sites to honor the headers.” Because Web sites have been free to disregard consumers’ Do Not Track selections, consumers have had no way of knowing whether their selection is honored unless the Web site tells them. The new law mandates that notice.

In addition to the above “do not track” notice obligations, the law also requires website and online service operators “to disclose whether other parties” collect PII regarding a consumer’s “online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

In light of the new obligations, it is imperative that any organization that collects PII concerning California residents (whether or not that organization is based in California) assess its current Web site privacy policies to ensure that they are compliant with California’s new laws requiring additional disclosures.


On the Horizon: FCC’s New Telemarketing Rules

Posted in Direct Marketing, TCPA

On October 16, 2013, the Federal Communications Commission’s (“FCC”) new rule implementing the Telephone Consumer Protection Act (“TCPA”) will go into effect. 

These are rules with teeth, as the TCPA allows recovery of between $500 and $1,500 for each improper communication and does not require a showing of actual injury. This makes the TCPA a particularly attractive vehicle for class actions. Accordingly, we highlight some of the more salient changes in the new rule below.

Standing in Data Breach Litigation

Posted in Articles, Data Breaches

In a world full of electronic information (not to mention hackers and identity thieves), data breaches—the loss, theft, or unauthorized access to data—are a reality for companies that collect and store personal information. Breaches can occur in myriad ways: a hacker gains access to a database or an unencrypted laptop is stolen, to name but two prevalent examples. Almost as regularly as night follows day, class action lawsuits follow data breaches, and as the volume of data breaches increases, so too does the volume of litigation. Yet federal standing and pleading requirements have thus far posed significant hurdles for plaintiffs.

Margaret Dale and David Munkittrick, members of Proskauer’s Privacy and Data Security Group, discuss these hurdles in a full-length article.