Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond to so-called identity theft “red flags.”

The FTC’s announcement does not impact the separate timeline of the proceeding we reported on here (in which the U.S. District Court for the District of Columbia ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers) or any possible appeals. Moreover, the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.”  Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action law suit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers, saying that the FTC's interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s definition of a creditor. Judge Walton ruled from the bench with a written decision to follow.

The American Bar Association, represented by a Proskauer team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers are not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”

The American Bar Association's complaint, prepared on a pro bono basis by Proskauer Rose, said that the application of the Rule to practicing lawyers is “arbitrary, capricious and contrary to law,” and that the FTC has failed “to articulate, among other things: a rational connection between the practice of law and identity theft; an explanation of how the manner in which lawyers bill their clients can be considered an extension of credit under the FACTA; or any legally supportable basis for application of the Red Flags Rule to lawyers engaged in the practice of law.” 

The FTC has not yet indicated whether it will appeal Judge Walton's ruling.

Here is a link to the court’s order.

Here is a link to the ABA’s press release.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier today, the FTC announced its latest COPPA enforcement action (http://www.ftc.gov/opa/2009/10/iconix.shtm).  Iconix Brand Group, Inc., the operator of websites featuring its apparel brands, was fined $250,000 for collecting personal information from children without complying with COPPA’s parental consent rubric.

The FTC cited the websites associated with the brands Mudd, Candie’s, Bongo and OP, which are popular with children and teens. The FTC did not characterize Iconix’s websites as ones “directed to children.” According to the FTC's complaint, the websites each have online registration processes that, among other things, collect the birthdate of users; and Iconix violated COPPA by collecting personal information from approximately 1000 users who identified themselves as under 13. The collection occurred both through website and sweepstakes registration, post-registration email marketing, and also through public disclosure at a “Share Your Story” feature on one of the websites.

The FTC also cited Iconix for stating in its privacy policy that it would not collect personal information from children without parental consent, when its practices did not conform to its policy.

General audience websites that collect birthdate or age-related information from their users should employ an FTC-compliant neutral age-screening mechanism to ensure that if a user enters information disclosing that he or she is under 13, the website operator does not collect or disclose personally identifiable information from that user.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On October 6, 2009, in one fell swoop, the Federal Trade Commission (“FTC”) announced proposed settlements of charges against six companies for violations under the US/EU Safe Harbor Program. Specifically, these companies (World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC) were alleged to have continued to represent in their online privacy policies that they were self-certified under the Safe Harbor Program when in fact they had allowed their certifications to lapse, and thus had engaged in deceptive practices.

• Email This
• Print
• Comments
• Trackbacks
• Share Link