Feud of the Forms -- The Battle of The GLBA Notices

The U.S. Securities and Exchange Commission (“SEC”) announced on April 15, 2009 that it is reopening the period for public comment on proposed amendments to Regulation S-P, the SEC’s Gramm-Leach-Bliley Act (“GLBA”) implementing regulations. The SEC’s announcement follows the release of a report detailing the results of the second phase of the Interagency Notice Project (“INP”). The report by Drs. Alan Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, uses the results of a mall-intercept study to compare the performance of a prototype financial privacy notice developed by the Kleimann Communication Group (“KCG”) during the first phase of the INP against three alternative notices. The Levy-Hastak report, among other things, confirms what proponents of the INP suspected – some GLBA privacy notices are largely ineffective in conveying information to consumers that allows them to make rational decisions about the sharing of their personal financial information.

Oh, behave: EU cracks down on behavioral targeting in the U.K.

The European Commission announced this week that it might sue the United Kingdom if that country fails to limit the tracking and collection of users’ Internet browsing habits and personal information without prior consent. The United Kingdom until now has adopted a self-regulatory approach similar to that followed by the Federal Trade Commission (we reported on the FTC’s revised behavioral marketing principles in this blog post). However, the European Commission has suggested that such an approach is insufficient because user consent is not obtained prior to collection.

According to reports, the Commission appears to be concerned that the U.K.’s failure to require that behavioral marketers obtain user consent before tracking Internet behavior violates the European Union’s strict Data Privacy Directive. The Directive prohibits the "processing" (very broadly defined) of EU residents’ personal information (also very broadly defined) without such residents’ consent.

More on Cloud Compliance

I recently spoke with Lora Bentley of IT Business Edge regarding privacy, data security, and cloud computing -- There's More Than One Way to Tackle Privacy in the Cloud.

California District Court Closes the Gap Left by Ruiz

On Monday, the Northern District of California granted Gap, Inc.'s Motion for Summary Judgment in Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC, holding that Ruiz's allegations of an increased risk of identity theft "do[] not rise to the level of appreciable harm necessary to assert a negligence claim under California law."

No Privacy Cause of Action for Od(e)ious Myspace.com Posting

According to a new, partially-published California Court of Appeal decision, there is no cause of action for invasion of privacy under the California Constitution where a plaintiff’s myspace.com posting is republished in a newspaper. In Moreno et al. v. Hanford Sentinel, Inc., et al., F054138, slip op. (Cal. Ct. App. April 2, 2009), plaintiff Cynthia Moreno published on her myspace.com page “An ode to Coalinga,” in which she excoriated her hometown. She removed the Ode six days after she published it.

Before Ms. Moreno removed the Ode, the principal of Coalinga High passed the Ode on to the Editor of the Coalinga Record, which published the Ode, with Ms. Moreno’s first and last names, as a letter to the editor. The community reacted strongly (sometimes violently) and the Moreno family was forced to move from Coalinga. The Moreno family alleged that it suffered significant damages as a result.

The court held that Ms. Moreno’s publication of the Ode on myspace.com meant that the Ode was not private, and that Ms. Moreno’s expectation of a more limited myspace.com audience was of no consequence.  Further, the fact that she removed the Ode prior to publication in the Coalinga Record did not render the Ode private; “[t]he publication was not so obscure or transient that it was not accessed by others.”  Slip op. at 6.  Finally, the Court held that the Moreno family did not have standing to sue based on alleged invasion of Ms. Moreno’s privacy; “the right of privacy is purely personal.” Id.

It is not clear from the Court's opinion whether Ms. Moreno had protected her myspace.com page with some kind of privacy settings.  The outcome might have been different had Ms. Moreno explicitly alleged that she did so.  Because the court ruled at the demurrer stage, there was no evidence regarding that issue.

Red Flag Rules Leave Health Care Industry Wondering

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. 

The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and the American Medical Association (“AMA”) have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position stating that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA “strongly objected” to the FTC’s interpretation and alleged that the FTC failed to comply with the Administrative Procedures Act (“APA”) since it did not explain in advance its rules’ application to health care providers nor provide the public with notice and opportunity to comment. In summary, the AMA asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure that complies with the APA. 
 
