Department of Education Issues Final Regulations Amending FERPA

The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 CFR Part 99) (“FERPA”) imposes various requirements on educational institutions regarding the privacy of personally identifiable information contained in education records of students.  On December 9, 2008, the U.S. Department of Education (“DOE”) published final rules amending the regulations that implement FERPA.   


The DOE originally proposed these changes in a notice of proposed rulemaking (“NPRM”) published on March 28, 2008, “to implement various statutory changes made to FERPA, to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.”  (73 FR 74806).  According to the DOE, approximately 121 parties submitted comments in response to the March 2008 NPRM.  The Final Rules become effective January 8, 2009.


Some of the significant changes brought about by the Final Rules include the following:


·         Amending several key definitions, including the definition of “directory information,” which now expressly excludes a student’s Social Security number or student identification number (except where a student ID is “used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records” without one or more additional authentication factors, such as a PIN or password).

·         Revising the definition of “personally identifiable information” to, among other things, add a definition of “biometric record.”

·         Expanding the circumstances under which prior consent is not required to disclose personally identifiable information from education records, including, for example, disclosures to “a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions… .”  

·         Amending the exception that allows educational institutions and agencies to disclose information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institution for purposes of testing, student aid and improvement of instruction.  (Specifically, the Final Rules add a requirement to this exception that the educational agency or institution enter into a written agreement, containing specific provisions, with the organization conducting the study.)


·         Clarifying an educational agency or institution’s obligations with respect to the handling of opt-out requests to the disclosure of directory information.


·         Requiring an educational agency or institution that discloses information without consent under the health and safety emergency exception to record “the articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and the parties to whom the agency or institution disclosed the information.”


·         Implementing the provisions of the USA Patriot Act that amend FERPA to provide that an educational agency or institution may disclose, without consent, information from education records pursuant to and in accordance with an ex parte court order issued under the USA Patriot Act.


·         Implementing the provisions of the Campus Sex Crimes Prevention Act (CSCPA), which amend FERPA to allow educational agencies or institutions to disclose, without consent, information concerning registered sex offenders that was provided to the agency or institution under a federal statute, the Violent Crime Control and Law Enforcement Act of 1994.


Additionally, in the preamble to the Final Rule, the DOE republishes, “for the administrative convenience of educational agencies and institutions and other parties,” certain information and recommendations regarding the safeguarding of educational records.  These “Department Recommendations for Safeguarding Education Records” include suggested steps to take in the event of an unauthorized release or disclosure, or other breach or compromise involving, education records.


FERPA seeks to protect the privacy of students’ education records, and applies to all educational institutions and agencies that receive federal funding under a federal education program.  FERPA gives parents of students under the age of 18 (and “eligible students,” i.e., students who are 18 or older or who attend a postsecondary institution) certain rights with respect to education records maintained by an educational institution or agency, including the right to inspect and copy those records.  Additionally, with certain exceptions, FERPA prohibits educational institutions and agencies from disclosing personally identifiable information (other than “directory information”) from education records without prior consent.  Under FERPA, “directory information” means “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.”  FERPA sets forth a non-exhaustive list of data elements that fall within that definition.  Thus, FERPA permits an educational institution or agency to disclose “directory information” without consent, provided that the institution or agency gives parents notice and the ability to opt out of such disclosures.


For a copy of the Federal Register notice containing the Final Rules, click here.  For the Federal Register notice containing the NPRM, click here.


Zip Codes not "Personal Identification Information" under California's Song-Beverly Act

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal for the Fourth Appellate District held that zip codes are not "personal identification information" under California's Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (the "Act"). The Act prohibits a retailer that accepts credit cards from, among other things, "request[ing], or requir[ing] as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the [retailer] writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." Id. at § 1747.08(a)(2). Under the Act, "personal identification information" is "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Id. at § 1747.08(b). Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

In Party City, the plaintiff claimed that Party City’s request for a zip code in conjunction with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal granted a writ of mandate and overturned the trial court, concluding that summary judgment should be entered for Party City. The Court of Appeal found that zip codes are not personal identification information based on the plain language of the statute. In applying a plain reading, the court first examined postal regulations to understand what zip codes encompass. The court determined that zip codes, as defined by the postal service, are not individualized identification criteria. Rather, they are used to "provide identification of a relatively large group." Because "tens of thousands of people have the same zip code," the court concluded that a zip code standing alone is not the same as an individual’s address or telephone number. The court found its interpretation bolstered by the principle that statutes creating mandatory civil liabilities should be construed in favor of the "persons sought to be subject to their operation."

This is the third California appellate decision this year taking a narrow interpretation of the Act. See here and here for blog posts on earlier appellate court decisions holding that the Act does not apply in the merchandise returns context.

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first-of-its-kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third-party Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based: an advertising network sets a cookie in the user’s browser, and each time the browser loads the network’s content on a participating site the cookie is returned along with the address of the page the user is viewing, so the network learns which pages that browser visits. Companies may also use search data. This information is sometimes combined with demographic data, such as geographic location, to further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted pseudonymously, with the data collected linked only to a random cookie identifier or to a computer’s Internet Protocol (IP) address, not to a name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and an opportunity for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as NebuAd, Phorm and Adzilla, who use so-called “deep packet inspection” to collect data on every page a user visits rather than only those that are part of an online advertising network.
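The following simulation is an added illustration of the cookie-based mechanism just described; it is not code from the original post or from any of the companies named. An ad server embedded on several unrelated publisher sites receives, with each ad request, its own cookie and the Referer header naming the page being viewed. A random identifier in that cookie (the kind of "random number" cookie Phorm is later said to rely on) links page views across sites without ever carrying a name, and an opt-out cookie of the NAI style replaces that identifier with a fixed marker the server treats as "do not profile". The domain name, cookie name, opt-out marker, helper names and page views are all constructed assumptions for the example.

```python
"""Simulation of cookie-based third-party tracking (added illustration).

All names, domains and page views below are constructed for the example;
"ads.example" is an assumed ad-network domain, "uid" an assumed cookie name
and "OPT_OUT" an assumed opt-out marker (real networks use their own).
"""
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

AD_DOMAIN = "ads.example"      # assumed third-party ad domain
COOKIE_NAME = "uid"            # assumed cookie name
OPT_OUT_VALUE = "OPT_OUT"      # assumed opt-out marker


class AdServer:
    """Ad network endpoint: builds per-cookie browsing profiles."""

    def __init__(self):
        # pseudonymous cookie id -> list of (publisher host, path) page views
        self.profiles = defaultdict(list)

    def handle_request(self, cookies, referer):
        """Process one ad request; return the Set-Cookie value to send back."""
        uid = cookies.get(COOKIE_NAME)
        if uid == OPT_OUT_VALUE:
            return None  # honour opt-out: assign no id, record nothing
        if uid is None:
            # A random token: stable across sites, but tied to no name or account.
            uid = secrets.token_hex(8)
        parts = urlsplit(referer or "")
        if parts.hostname:
            # The Referer reveals the publisher page the browser is on.
            self.profiles[uid].append((parts.hostname, parts.path))
        return f"{COOKIE_NAME}={uid}"

    def opt_out_cookie(self):
        """Set-Cookie value a network's opt-out page would return."""
        return f"{COOKIE_NAME}={OPT_OUT_VALUE}"

    def sites_seen(self, uid):
        """Distinct publisher hosts linked to one pseudonymous id."""
        return sorted({host for host, _ in self.profiles[uid]})


class Browser:
    """Minimal cookie jar for the single ad domain."""

    def __init__(self):
        self.jar = {}

    def store(self, set_cookie):
        name, value = set_cookie.split("=", 1)
        self.jar[name] = value

    def visit(self, server, page_url):
        """Load a page carrying the ad tag: send cookies + Referer, store reply."""
        set_cookie = server.handle_request(dict(self.jar), page_url)
        if set_cookie:
            self.store(set_cookie)
        return self.jar.get(COOKIE_NAME)


def simulate():
    """Run two constructed browsing sessions and report what the server linked."""
    server = AdServer()

    # Session 1: no opt-out; three unrelated publishers carry the same ad tag.
    alice = Browser()
    for url in ("https://news.example/politics/story-1",
                "https://shop.example/cart",
                "https://health.example/conditions/asthma"):
        uid = alice.visit(server, url)
    linked_sites = server.sites_seen(uid)

    # Session 2: browser holds the opt-out cookie before visiting.
    bob = Browser()
    bob.store(server.opt_out_cookie())
    bob.visit(server, "https://news.example/politics/story-1")

    return {
        "uid_length": len(uid),                  # 16 hex chars, no name inside
        "linked_sites": linked_sites,            # cross-site linkage via one cookie
        "profiles_kept": len(server.profiles),   # opt-out session created none
        "opt_out_profiled": OPT_OUT_VALUE in server.profiles,
    }


if __name__ == "__main__":
    print(simulate())
```

The point the simulation makes is the one the paragraph turns on: the identifier is random and carries no name, yet a single cookie is enough to tie a user's news, shopping and health-site visits together, which is why "pseudonymous" is the more precise word than "anonymous". The opt-out branch shows the minimum a notice-and-choice regime asks of the server: with the opt-out marker present, no identifier is issued and nothing is recorded.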

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441), is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms, and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third-party tracking of different types of consumer online activity. Absent a consumer’s prior affirmative consent (opt-in), third parties would be prohibited from collecting personally identifiable information online in some situations (when it is merged with certain other previously collected data). Consumers would have the right to opt out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third-party advertising companies, on their own sites, of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And it would require third-party advertising companies to contractually require the sites to which they provide services to include notice and opt-out options.

Notably, the bill would prohibit a third party from tracking information from websites with whose owners it has no contractual relationship. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law: companies with a national online presence would necessarily be doing business in New York as well.

The European Union 

The press has recently reported on controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, TalkTalk, and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR), submitted an open letter to the U.K. Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers opt-in choice for the tracking. Phorm claims that it tracks information using a cookie containing a randomly assigned number, so that it does not collect personally identifiable information.

The issue of online monitoring continues to draw the attention of European Union regulators, with more activity expected in the near future. Although the E.U. approved the Google-DoubleClick merger, the E.U. Article 29 Working Party, comprised of data privacy regulators from each of the E.U.’s member states, has stated that even search engines based outside of the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that IP addresses standing alone constitute personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.

Industry and Interest Group Guidelines        

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year that it is planning to revise its guidelines, while just last month the Interactive Advertising Bureau, an organization comprised of many leading Internet companies, issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging the data security practices of a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, to avoid future misrepresentations about its data security practices, and to obtain independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7,000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing the sensitive personal information of approximately 34,000 consumers in readable text.

The complaint identified five specific security failures:

  • failure to adequately assess risks to the information stored on the network and in paper files,
  • failure to adequately restrict access to personal information to authorized employees only,
  • failure to implement a comprehensive information security program,
  • failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
  • failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

American United is the first FTC action brought under the Disposal Rule, which the FTC promulgated in 2005 pursuant to the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint, filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving hundreds of intact documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposing of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."

In addition to the fine, the stipulated judgment and order requires American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United is also permanently enjoined from further violations of the FACTA Disposal Rule and the GLBA Safeguards and Privacy Rules.

The Disposal Rule, 16 C.F.R. Part 682, requires that any company that maintains consumer information (information derived from consumer reports) for a business purpose dispose of that information in a way that prevents unauthorized access to and misuse of the data. "Disposal" includes any discarding, abandonment, sale, donation or transfer of the information.

FTC Staff Issues Proposed Self Regulatory Principles for Behavioral Advertising and Seeks Comment

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008. 

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles,” follows from the FTC’s town hall meeting held in early November 2007. There, the FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses alike.  The agenda and links to material related to the town hall meeting can be found here.

The self-regulatory approach taken by FTC staff recognizes the benefits behavioral advertising provides. Specifically, FTC staff recognizes that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalized ads. FTC staff is, however, concerned that behavioral advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that: 

(1) every website that collects data for behavioral advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioral advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;  

(2) a company engaged in behavioral targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfill a legitimate business purpose or a law enforcement need”;

(3) a company should obtain consumers' "affirmative express consent" if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and 

(4) a company should obtain "affirmative express consent" before collecting "sensitive" consumer data (such as health data, sexual orientation, and children's data). FTC staff is seeking further comment on the types of data that constitute "sensitive" information and whether, instead of consumer choice, a prohibition on collection of such data would be a better approach.

FTC staff seeks comments on the four proposed principles generally, including their feasibility and the costs and benefits of offering choices for behavioral advertising. FTC staff also seeks additional information on the secondary uses of tracking data that extend beyond behavioral marketing. Specifically, FTC staff seeks information on what secondary uses of tracking data are occurring, which of those uses raise privacy concerns, whether those concerns extend to non-personally identifiable information in addition to personally identifiable information, and whether some heightened form of protection relating to secondary uses is warranted.

The FTC vote to approve release of the principles was 5-0. The related FTC press release is available here.