Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On October 12, 2011, the FTC announced that it, along with Frostwire LLC and FrostWire’s managing member, Angel Leon, (collectively, “FrostWire”), agreed to a stipulated final order for permanent injunction resulting from the FTC’s complaint alleging that (a) users of FrostWire’s Android mobile file-sharing application were likely to unwittingly share personal files stored on their mobile devices with other P2P users after installing and running the application, and (b) FrostWire misrepresented to users of FrostWire’s desktop file-sharing application that certain files they downloaded would not be shared with other P2P users.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Monday, the Federal Trade Commission (FTC) announced that mobile application developer W3 Innovations, LLC (d/b/a Broken Thumbs Apps), has agreed to pay a fine of $50,000 in order to settle charges that it collected and disclosed personal information from children under the age of 13 without first notifying parents of information-collection policies or obtaining verifiable parental consent, in violation of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule (16 C.F.R. Part 312). This was the first FTC case involving mobile applications, commonly known as "Apps."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Google recently settled charges by the Federal Trade Commission (FTC) that Google’s social networking service, Buzz, violated the FTC Act.  The FTC-Google settlement prohibits Google from misrepresenting the extent to which it maintains and protects the confidentiality of users’ information and from misrepresenting its compliance with the US-EU Safe Harbor Framework.  In that regard, the settlement represents two important “firsts” in FTC enforcement:

• The first time a comprehensive privacy program (as opposed to a comprehensive security program) was required by an FTC consent decree.
• The first time the FTC has enforced the US-EU Safe Harbor Principles for substantive non-compliance.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers to obtain more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and the Gramm Leach Bliley Safeguards Rule by failing to take appropriate precautions to protect credit reports and the personal information such reports contain. According to the FTC, the resellers’ information security deficiencies included (1) not having comprehensive information security policies or procedures in place; (2) releasing consumer reports to clients who lacked basic security measures, such as firewalls and updated antivirus software; (3) failing to protect their own internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose for having them; and (4) not making reasonable efforts to protect against future breaches even after becoming aware of the hackers’ illegitimate activities.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security.  Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”

The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. and its co-founders, Richard Todd Davis and Robert J. Maynard. The settlement, which will require the identity theft protection services provider to pay $11 million to the FTC and an additional $1 million to the group of participating state attorneys general, resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. Specifically, the FTC alleged that LifeLock promised its customers complete protection against all types of identity theft, but the fraud alerts that LifeLock placed on its customers’ credit files protected only against certain forms of identity theft, which did not include medical identity theft, employment identity theft or the misuse of existing accounts – the most common form of identity theft. Moreover, the FTC alleged that even with respect to new account fraud, the type of identity theft for which fraud alerts are most effective, they do not provide absolute protection. LifeLock therefore deceived consumers by making statements like “LifeLock protects against [identity theft] ever happening to you. Guaranteed.”

In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient.

On June 4, the FTC reported a proposed settlement with Sears Holding Management Corporation of a complaint that Sears had failed to meaningfully disclose to customers the extent of the information it was collecting through its online market research software.  The FTC claimed that this failure to disclose constituted an “unfair or deceptive act” under the Federal Trade Commission Act. 
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

We noted in an earlier post that the FTC determined that the Red Flags Rule applies to retailers who pass credit card applications on to lenders. However, there appears to be strong arguments against this interpretation.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Federal Trade Commission announced on January 17, 2008 that it has agreed in principle to a consent order with Life is good, Inc. and Life is good Retail, Inc. (collectively “Life is good”) resolving allegations that the apparel company collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies. The consent order against Life is good, among other things, prohibits future deceptive privacy and security claims and requires the company to implement a comprehensive information security program that includes biennial audits by an independent security professional for the next twenty years.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

American United is the first FTC action taken pursuant to the Disposal Rule, promulgated in 2005, of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving intact hundreds of documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."

• Email This
• Print
• Comments
• Trackbacks
• Share Link