FTC Commissioner Brill Enlightens Audience at Proskauer's Annual Privacy Event

Posted on October 26, 2010 by Brendon Tavelli

On October 19, 2010, speaking at the annual Proskauer on Privacy conference, the Federal Trade Commission's newest Commissioner, Julie Brill, had a lot to say about self-regulation, teen privacy and other FTC privacy initiatives.  Commissioner Brill also commented upon the need to "re-think" privacy in order to keep pace with today's technologically advanced society.  According to Commissioner Brill, both the Notice and Choice model and the Harm model rely on a theoretical distinction between personally identifiable information and non-personally identifiable information that is "increasingly out of touch with technological advances that allow previously non-identifiable data to be 're-identified.'"  In addition, she said, "traditional privacy frameworks have not been sufficient to promote competition based on privacy."  So exactly how do we re-think privacy, and what will that mean for all of us?

Click here to read everything else Commissioner Brill had to say, in her own words.

Tags: , , , , , ,

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

Posted on July 30, 2009 by Brendon Tavelli

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

HB 62 applies to the “typical” categories of personal information, including Social Security numbers, driver’s license numbers and information that would permit access to an individual’s financial accounts. But unlike most other state data breach notification laws, HB 62 also applies to medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer. Previously, only laws in California, Arkansas and Texas (see below) applied to this kind of information.

Texas:  On June 19, 2009, Texas Governor Rick Perry signed House Bill 2004 (“HB 2004”), which expanded the scope of Texas’ data breach notification law to include public sector entities and health information. Specifically, HB 2004 amends the definition of “sensitive personal information” to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The bill also amends the definition of “breach of system security” to reach breaches of encrypted information “if the person accessing the data has the key required to decrypt the data.” Finally, HB 2004 makes the state’s breach notice obligations applicable to public sector entities and nonprofit athletic and sports associations.

North Carolina: As of October 1, 2009, entities doing business in North Carolina will be required to both provide more detailed data breach notices to individuals and be more forthcoming with the state’s attorney general. North Carolina Senate Bill 1017 (“SB 1017”), signed by Governor Bev Perdue on July 27, 2009, amends North Carolina’s data breach notification law in two significant ways. First, SB 1017 requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Previously, such notice had been required only for breaches affecting more than 1,000 people. Second, notices to individuals affected by a breach will now be required to include a telephone number for the business providing the notice; toll-free numbers and addresses for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office along with a statement that individuals can learn about preventing identity theft from these sources. These new requirements build on top of existing mandates to (1) describe the incident, the type(s) of personal information unlawfully obtained and the actions being taken to prevent further unauthorized access; (2) provide a telephone number that the recipient may call for further information and assistance; and (3) advise affected individuals to remain vigilant by reviewing account statements and monitoring free credit reports.

MaineFor information about the recent amendment to Maine’s breach notification law, soon to become effective, see our prior blog post.

Since Missouri’s new law and these important updates need to be added to the smorgasbord of state data breach notification laws, it is probably a good time to revisit “The List” of such laws. Here it is!

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (D.C. CODE § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (IOWA CODE § 715C.1 et seq.)

Kansas (KAN. STAT. ANN. § 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.; see also L.D. 970)

Maryland (MD. CODE ANN., COM. LAW § 14-3501 et seq.)

Massachusetts (MASS. GEN. LAWS ANN. ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS ANN. § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Missouri (HB 62, tentatively codified at MO. REV. STAT. § 407.1500)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-65; see also SB 1017)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. § 74-3113.1)

Oregon (OR. REV. STAT. § 646A.600 et seq.)

Pennsylvania (73 PA. STAT. § 2303)

Puerto Rico (P.R. LAWS ANN. tit. 10, § 4051)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.C. CODE ANN. § 39-1-90)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COM. CODE ANN. § 521.001 et seq.; see also HB 2004)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (Va. Code Ann. § 18.2-186.6)

U.S. Virgin Islands (V.I. CODE ANN. tit. 14, § 2209)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (W. Va. Code § 46A-2A-101 et seq.)

Wisconsin (WIS. STAT. § 134.98)

Wyoming (WYO. STAT. ANN. § 40-12-501 et seq.)
Tags: , , , , , , , , , , ,

FTC Provides Last Clear Chance for Industry to Self-Police in a Target-Rich Environment

Posted on February 17, 2009 by Proskauer Rose LLP

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007. For more on the history, see our prior posts on the history here, here, here, and here.

Not surprisingly, the FTC made clear that “these Principles are guidelines for self-regulation and do not affect the obligation of any company (whether or not covered by the Principles) to comply with all applicable federal and state laws.” And the Principles themselves, set forth below, largely reflect existing FTC law in this area. For example, it is well established that a company may not unilaterally alter its policies and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).

The FTC defines online behavioral advertising as “the tracking of a consumer’s online activities over time– including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.” The newly revised Principles now explicitly carve out “first party” advertising, where no data is shared with third parties, and contextual advertising, where an ad is based on a single visit to a web page or single search query.

Our challenge at the Proskauer Privacy Law Blog is to synthesize a 55 page Staff Report and two concurrences from Commissioners Harbour and Leibowitz into a pithy, easily digestible blog post. Hmmm. Well, we thought we would start with the Principles themselves. But first, a couple of observations. 

 

Observation number one – the Report frequently goes out of its way to note the eroding distinction between traditional personal identifying information (“PII”) such as name, address and Social Security, and non-PII such as IP address. As noted in the Executive Summary, “staff believes that the Principles should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is ‘personally identifiable’ in the traditional sense. Indeed, in the context of online behavioral advertising, rapidly changing technologies and other factors have made the line between personally identifiable and non-personally identifiable information increasingly unclear. Moreover, this approach is consistent with existing self-regulatory efforts in this area.” Those blurring lines and increasingly complex technology and advertising practices promise to pose considerable challenges for the construction of clear and user-friendly consumer privacy notices.

 

Observation number two -- the Report makes clear that disclosures regarding the collection of PII and non-PII for purposes of behavioral marketing should be made separate from the traditional privacy policy.  “Staff recognizes that it is now customary to include most privacy disclosures in a website’s privacy policy. Unfortunately, as noted by many of the commenters and by many participants at the FTC’s November 2007 Town Hall, privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.”  The Staff Report highlights certain recommendations made by commenters that “appear promising. For example, a disclosure (e.g., 'why did I get this ad?') that is located in close proximity to an advertisement and links to the pertinent section of a privacy policy explaining how data is collected for purposes of delivering targeted advertising, could be an effective way to communicate with consumers. . . . Staff encourages these efforts and notes that they may be most effective if combined with consumer education programs that explain not only what information is collected from consumers and how it is used, but also the tradeoffs involved – that is, what consumers obtain in exchange for allowing the collection and use of their personal information.”

 

So, without further ado, here are the Principles. They provide for: (1) transparency and consumer control; (2) reasonable security, and limited data retention, for consumer data; (3) affirmative express consent for material changes to existing privacy promises; and (4) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The bolded italicized language below represents the FTC staff’s own annotations showing changes from the first version in late 2007.

 

(1)        Transparency and Consumer Control

 

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.)

 

 

(2)               Reasonable Security, and Limited Data Retention, for Consumer Data

 

 

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

 

 

(3)               Affirmative Express Consent for Material Changes to Existing Privacy Promises

 

 

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

 

(4)               Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising

 

Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

 

We will have future occasion to discuss other elements of the FTC’s Report, but it is clear this will not be the last we hear from the FTC on this issue. “Looking forward, the Commission will continue to monitor the marketplace closely so that it can take appropriate action to protect consumers. During the next year, Commission staff will evaluate the development of self-regulatory programs and the extent to which they serve the essential goals set out in the Principles; conduct investigations, where appropriate, of practices in the industry to determine if they violate Section 5 of the FTC Act or other laws; meet with companies, consumer groups, trade associations, and other stakeholders to keep pace with changes; and look for opportunities to use the Commission’s research tools to study developments in this area.”
Tags: , , , , , , , , , , , , , , , , , , , , , , ,

Federal Regulators Propose Federal Privacy Notice and Seek Comments

Posted on March 21, 2007 by Proskauer Rose LLP

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over Gramm-Leach-Bliley Act (“GLBA”) regulated “financial institutions” issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices to make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of notices and the overuse of legal terms. 

Section 503 of the GLBA, 15 U.S.C. § 1603 and current rules, require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and the nonaffiliated third parties to whom such information is disclosed, and a description of the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, in the case of long-standing relationships, on an annual basis. Current rules do not mandate a standard format or particular wording for the notices, however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.     

While the Joint Agencies had deferred policy action in the midst of studying how to improve privacy notices, on October 13, 2006, President Bush signed the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act”). Section 728 of the Regulatory Relief Act amended Section 503 of the GLBA (15 U.S.C. § 1603) to require the Joint Regulators to propose a model form by April 11, 2007. Although financial institutions will not be required to use the model form, the Regulatory Relief Act includes a safe harbor that deems any financial institution using the form to be in compliance with the Section 503 disclosures.    

The model form is largely based on a report issued by the Kleimann Communications Group in March 2006. The proposed model form would be 2-3 pages, depending on whether there is an opt-out. The first page would include general background information and a keyframe with why, what and how information regarding a financial institution’s use of personal information, reasons for sharing, and opt-out rights. The second page includes supplementary information such as definitions and further explanatory information in the form of Frequently Asked Questions. The final page includes an opt-out form for those financial institutions that share information in a manner that triggers consumer opt-out rights. The proposed rules would require a minimum font size and that financial institutions provide sufficient spacing between lines of type with further recommendations on font type, spacing, paper size and color. One year after enactment of the model proposal, financial institutions will lose any safe harbor from using the sample clauses in the current rules for their notices.     

Comments on the proposal will be due 60 days from publication in the federal register, which is expected later in March. The Joint Agencies are seeking comment on the content of the model form, including whether modifications to the opt-out are necessary and whether financial institutions intend to incorporate the Fair Credit Reporting Act opt-out for affiliate marketing into the form, the format of the form, and other issues such as the likelihood financial institutions will use the form and issues regarding some financial institutions’ requirement that consumers provide their social security numbers to opt-out. Interested parties need only submit comments to one of the Joint Agencies.   

The Joint Agencies include the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and the Securities and Exchange Commission.
Tags: , , , , , ,