In addition, the settlement also requires Facebook, before sharing a user’s nonpublic personal information with a third party in excess of the user’s privacy settings, to “clearly and prominently disclose” (outside of the Facebook privacy policy or other boilerplate) the categories of nonpublic user information that will be disclosed, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the users’ privacy settings. Importantly, Facebook must also obtain a user’s affirmative express consent before sharing the user data in the new circumstance. The settlement also imposes a requirement for Facebook to retain an independent third party to biennially assess its privacy practices vis a vis the settlement terms for the next twenty years.

The FTC’s eight-count Complaint that underlies the settlement alleges that numerous Facebook initiatives violated prior representations about the extent to which users’ information was accessible by third parties. For instance, the FTC alleged that Facebook, despite allowing users to restrict access to profile information to specific individuals or groups of people, permitted users’ information to be accessed by third-party applications on the Facebook platform which the users’ friends used. The FTC also alleged that in December 2009, Facebook made public certain information that users had previously designated private and failed to disclose that users could no longer restrict access to certain information or that their existing choices would be overridden.

The FTC also alleged that Facebook’s December 2009 changes were both deceptive (because Facebook failed to adequately disclose the changes) and unfair (because Facebook retroactively applied the changes to personal information that it had previously collected from users, without their informed consent).

According to the FTC, Facebook’s conduct harmed consumers because the alleged violations:

·          Made certain users “subject to the risk of unwelcome contacts;”

·          Exposed “potentially controversial political views or other sensitive information to third parties;”

·          Exposed the user’s list of friends to third parties, “thereby exposing potentially sensitive affiliations;” and

·          Revealed “potentially embarrassing or political images to third parties.”

The FTC’s complaint also alleged other privacy violations by Facebook, including the following:

·          Facebook permitted apps on its platform to access more personal information about the app’s user than was necessary for the app’s purpose

·          Facebook permitted apps to access personal information about a user’s friends even if the friends never granted the app authorization to access their personal information

·          Facebook’s advertising program shared identifiable information with advertisers, contrary to representations it had made to its users

·          A little-used “Facebook Verified App” badge, whereby Facebook, for a fee, would “verify the security of Verified Apps” was deceptive because Facebook did no more to verify applications bearing that badge than it did with any other platform application

·          Facebook retained and continued to make accessible users’ photos and videos, even after users deleted or deactivated their accounts, contrary to Facebook’s prior representations

·          Facebook falsely certified that it had complied with the US-EU Safe Harbor Principles, particularly, the principles of Notice and Choice, when it was not in compliance with them

In settling the FTC’s charges, Facebook did not admit the truth of any of the FTC’s substantive or factual allegations, aside from jurisdictional ones.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. Any changes to a website or application should respect users’ prior privacy choices and obtain a users’ affirmative consent before altering or overriding those prior choices. The requirement that Facebook enact a comprehensive privacy program (e.g., “privacy-by-design”) - a settlement term that the FTC first included in Google’s March 2011 settlement—demonstrates that this requirement will likely be a staple of future privacy-related settlements. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

After initially concluding in May 2011 that the plaintiff’s first amended complaint sufficiently alleged an injury-in-fact with respect to the FCRA claims, U.S. District Judge Otis D. Wright II reversed his prior ruling on September 19, 2011, concluding that the Plaintiff lacked standing for lack of a cognizable injury-in-fact. The Court concluded that “the alleged harm to Plaintiff’s employment prospects is speculative, attenuated and implausible.” The Court added that if complaints such as the plaintiff’s were allowed to proceed, “courts will be inundated by web surfers’ endless complaints.” This case demonstrates that even a strong legal defense will not necessarily prevent costly litigation.

The penalties for violations of these statutes vary. For instance, California’s statute provides for a liability cap of $250 per violation for a first violation of its statute and a $1,000 per violation cap for each subsequent violation. If class action status is sought, potentially crippling liability exposure can accrue overnight. While most states treat improper data collection as a civil matter, Delaware, for instance, treats a violation of its data collection law as a misdemeanor. To our north, the offering of electronic receipts has already caught the attention of Canada’s Office of the Privacy Commissioner, which notes that under Canadian law, customers should be informed about how their email addresses will be used.

Thus, because of the potential liabilities and new technology that is quickly catching the eyes of class action plaintiff lawyers and regulators, retailers considering offering electronic receipts would be well-advised to consider state laws before implementing an electronic receipt option. By taking these laws into consideration in advance, electronic receipt programs can be designed to comply with these laws in at least most states.  Such consideration and appropriate planning may help avoid significant legal and financial liabilities under state laws.

Google recently settled charges by the Federal Trade Commission (FTC) that Google’s social networking service, Buzz, violated the FTC Act.  The FTC-Google settlement prohibits Google from misrepresenting the extent to which it maintains and protects the confidentiality of users’ information and from misrepresenting its compliance with the US-EU Safe Harbor Framework.  In that regard, the settlement represents two important “firsts” in FTC enforcement:

• The first time a comprehensive privacy program (as opposed to a comprehensive security program) was required by an FTC consent decree.
• The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non-compliance.

Unlike prior settlements in response to data security breaches where the FTC required the implementation of a comprehensive information security program as a remedial measure, the Buzz settlement requires Google to enact a comprehensive privacy program, consistent with the Commission’s “privacy by design” approach that we have previously blogged about.  Specifically, the FTC’s proposed settlement requires Google to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

The settlement also requires Google to “clearly and prominently disclose” if a user’s information will be disclosed to third parties, the identity or specific categories of such third parties, and the purposes for sharing; and to obtain affirmative consent from the user regarding the sharing.  In addition, the settlement requires Google to provide a report on the effectiveness of the company’s privacy program biennially to the FTC for the next twenty years.

The FTC’s Complaint that underlies the settlement alleges that Google launched the Buzz social networking service in February 2009 within its Gmail product.  Upon logging into their Gmail accounts, users were presented with the option to “Check out Buzz” or proceed to their Gmail inbox.  The FTC alleged that even if a user opted to go to his or her inbox, that user’s information was still shared with others in the Buzz network.  The FTC claimed that Google therefore did not use the information that users provided to Google only for the purpose of providing them the company’s web-based email service (Gmail) – rather, Google also used this information in connection with the Buzz social networking service.  Moreover, Google did not request users’ consent before using the information collected from Gmail users in connection with Buzz. 

The FTC further alleged that if a user clicked a link to “Turn off Buzz” certain information about that user was still shared with others.  Moreover, the FTC alleged that Buzz did not adequately communicate that certain previously-private information would be shared by default and certain personal information was shared without users’ permission.  The FTC also claimed that the “Turn off Buzz” and options to go to the user’s inbox without signing into Buzz were false or misleading because they represented that a user either would not be enrolled in, or would be removed from, Buzz, when in fact a user was enrolled and not removed from the service consistent with these representations.

The FTC also alleged that Google failed to disclose how a user’s information would be shared.  These allegations also amounted to a substantive violation of the US-EU Safe Harbor Framework, according to the FTC—particularly, the Notice and Choice and limited purpose principles.

These practices also violated Google’s own privacy policy in effect at the time Google Buzz was launched, according to the FTC.  In pertinent part, the policy stated that “Gmail stores, processes and maintains your messages, contact lists and other data related to your account in order to provide the service to you” and “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” (Emphasis added.)

In settling the FTC’s charges, Google did not admit the truth of any of the FTC’s substantive allegations.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up.  The settlement’s requirement that Google enact a comprehensive privacy program demonstrates that the FTC is serious about privacy and foreshadows potential future settlement terms.  The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

The two boldest aspects of the Principles are found in the definitions—namely, in how “personal information” is defined and in the broad responsibility of privacy espoused by the Principles.

The Principles also state that “all responsible persons” are accountable for ensuring that the Principles are met – meaning the relevant service and application providers, mobile operators, handset manufacturers, and the operating system and software providers. Although it is commendable that the Principles recommend such broad responsibility for privacy, this approach may encourage a diffusion of responsibility and be ineffective.

In summary, the nine Principles are: 

• Openness, Transparency and Notice – the Principles encourage “responsible persons” to be open and honest with users and to provide clear, prominent and timely data regarding privacy issues.
• Purpose and Use – the access, collection, sharing, disclosure, and further use of personal information should be limited to meeting legitimate business purposes.
• User Choice and Control – users should be given “meaningful choice” and control over their personal information.
• Data Minimization and Retention – only the minimum amount of personal information necessary to meet legitimate business purposes should be collected, and information should not be kept longer than necessary, and thereafter the information should be deleted or rendered anonymous.
• Respect User Rights – users should be provided with information about and an easy means to exercise their rights over the use of their personal information.
• Security – the Principles encourage “reasonable safeguards appropriate to the sensitivity of the information.”
• Education – users should be educated about privacy and security issues and ways to manage and protect their privacy.
• Children & Adolescents – the Principles merely recommend compliance with national law.
• Accountability & Enforcement – Consistent with the “privacy by design” approach, the Principles state that “all responsible persons” are accountable for ensuring compliance with the Principles.

Read the full Mobile Privacy Principles here.

• State or federal law requires bonding or other security covering an individual holding the position.
• The duties of the position include custody of or unsupervised access to cash or marketable assets valued at $2,500 or more.
• The duties of the position include signatory power over business assets of $100 or more per transaction.
• The position is a managerial position which involves setting the direction or control of the business.
• The position involves access to personal or confidential information, financial information, trade secrets, or State or national security information.
• The position meets criteria in administrative rules, if any, that the U.S. Department of Labor or the Illinois Department of Labor has promulgated to establish the circumstances in which a credit history is a bona fide occupational requirement.
• The employee’s or applicant’s credit history is otherwise required by or exempt under federal or State law.

The new Illinois law appears to be aimed at protecting individuals whose credit scores have suffered as a result of the financial downturn. The new law would protect an individual who, for example, lost his or her job and was unable to pay some of his or her bills during the period of unemployment. Although an employer could currently request access to the job applicant’s credit report, see the delinquent accounts, and refuse to hire the individual based on this information, as of January 1, 2011, the employer would be prohibited from even requesting the individual’s credit report—unless one of the many statutory exceptions applies. The legislature’s creation of a private right of action and attorneys’ fees provisions signifies the importance of an employer’s compliance with this new law.

According the FTC, Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system. The FTC claimed that Twitter failed to take reasonable steps to:

• Require employees to use hard-to-guess passwords that were not used for other purposes;
• Prohibit employees from storing administrative passwords in plain-text within their personal e-mail accounts;
• Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
• Provide an administrative login page that is separate from the ordinary user login page and whose location is known only to authorized users;
• Enforce periodic changes of administrative passwords;
• Restrict access to administrative controls to employees whose jobs required it; and
• Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

Pursuant to the agreement, Twitter is required to engage in a number of actions to address its security practices, most notably:

• Identifying reasonably-foreseeable, material risks that could result in unauthorized disclosure of nonpublic consumer information or unauthorized administrative control of the Twitter system; and
• Implementing reasonable safeguards to address the identified risks.

The agreement also includes provisions requiring Twitter to designate an employee or employees to coordinate and be accountable for the information security program. Additionally, the agreement includes provisions addressing Twitter’s use of service providers and requiring Twitter to evaluate and adjust its information security to address material changes to its business or other events that might materially impact the effectiveness of its security program. 

The FTC’s pursuit of, and subsequent agreement with, Twitter is significant because it demonstrates that the FTC’s concern regarding the protection of personal information is not limited to personal financial information and identity theft. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter is not an online merchant and does not collect financial information from its users. Nevertheless, a Twitter user’s account may contain other personally identifiable information and may contain private tweets. The FTC’s pursuit of Twitter demonstrates that the FTC is interested in holding companies to their representations regarding their security practices. The FTC’s allegations regarding Twitter’s security practices may also prove useful to companies, as the allegations signal several behaviors that the FTC considers being inconsistent with reasonable security.

Several days before the FTC’s announcement, Senators John Thune (R-SD) and Mark Begich (D-AK) offered up a bill “to amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses” that is intended to help clarify the scope of the Rule. The bill includes exemptions from the Rule for certain businesses engaged in health care, accounting, and the practice of law as well as a catch-all for other low-risk entities if they apply to the FTC for exemption.

Will six months be enough to fix the Rule’s problems? Maybe not. So stay tuned!

The enactment of H.B. 583 in Mississippi means only Alabama, Kentucky, New Mexico, and South Dakota have yet to adopt such a law. But as the saying goes, better late than never!

            The case came to the Florida Supreme Court on a certified question from the U.S. Court of Appeals for the Eleventh Circuit. Id. at *1-2. Essentially, the Eleventh Circuit asked whether the policy provides coverage for a TCPA violation when no private information is revealed in the fax. Id. at *2.

            Answering the certified question in the affirmative, Florida Supreme Court Justice Polston, writing for the court, applied the plain meaning approach to the interpretation of the insurance contract. Id. at *14. The court focused on the three essential elements of the coverage provision, “publication,” “material,” and “right of privacy,” and referred to a dictionary to define the first two terms, which were left undefined in the insurance contract. Id. at *8, 9.

            The court concluded that sending 24,000 unsolicited fax advertisements constitutes “publication” because the faxes disseminated information to the public. Id. at *9. The court concluded that the faxes were “material” because a faxed advertisement “consists of matter” and “may be synthesized or further elaborated or may serve as the basis for arriving at fresh interpretations or judgments or conclusions.” Id. (internal quotations and ellipses omitted).

            Most importantly, the court noted that “the plain meaning of ‘right to privacy’ is the legal claim one may make for privacy, which is to be gleaned from federal or Florida law.” Id. at *10. The court stated that “[i]n this case, the source of the right of privacy is the TCPA.” Id. Citing several federal district and circuit court cases for the proposition, the court stated that the TCPA “provides the privacy right to seclusion.” Id. The court therefore rejected Transportation’s argument to the contrary that the “right to privacy” applies only to the content of the material and should not apply to a TCPA violation where the content of the material disseminated does not violate a person’s right to privacy. Id. at *12.

            Concurring separately in the result, Justices Pariente and Canady both found ambiguity in the coverage provision and stated that they would find that coverage existed by applying the rule that coverage ambiguities are resolved in favor of the insured. Justice Pariente stated that the policy is ambiguous as to whether coverage exists when it is the content of the material that violates a person’s right of privacy, or when it is the act of sending the material that violates a person’s right of privacy. Id. at *16. Similarly, Justice Canady found ambiguity in the words “material” and “publication.” Id. at *18.

            Although Penzer dealt with a privacy violation arising from a fax communication, the Florida Supreme Court’s approach to CGL coverage is not explicitly limited to faxes. It is important to note that the Florida Supreme Court’s approach to addressing CGL coverage for an injury affecting a “person’s right of privacy” appears to be entirely dependent upon an underlying law providing for a right to privacy. The court’s focus on the TCPA protecting the right to seclusion specifically suggests that the court will look to the specific form of privacy protected by the underlying law, rather than vague notions of privacy. If the underlying law providing the right to privacy does not vindicate a particular form of privacy, it is possible that the Florida Supreme Court would find that no CGL coverage exists.

The trial court noted that the meaning of “call” as used in the TCPA was ambiguous, but concluded that the meaning of “call” includes text messages. In reaching its conclusion, the court relied in part on the Ninth Circuit’s decision in Satterfield v. Simon & Schuster, Inc., 569 F.3d 946, 954 (9th Cir. 2009), which noted that “text messaging is a form of communication used primarily between telephones,” and in part on the FCC’s own interpretation of the TCPA such that it applies to text messages. The court also held that a person does not need to be charged to receive the text message to maintain a suit under the TCPA. The court rejected Selling Source’s argument that the TCPA could not apply to text messages because the statute was enacted before the advent of text messaging. Although the trial court dismissed the complaint because of the plaintiff’s failure to meet the federal pleading requirements, the court granted the plaintiff leave to amend to correct the pleading deficiencies.