Mobile Marketing Association Releases Final Version of Mobile Application Privacy Policy Framework

After introducing a draft of its Mobile Application Privacy Policy Framework (“Framework”) in mid-October for public comment, the Mobile Marketing Association (“MMA”) recently released the final version of the Framework.

The Framework provides a general starting point that application developers can refer to when drafting their application privacy policies. The Framework includes model language to address the following questions and topics regarding the application’s and developer’s privacy practices:


What information does the Application obtain and how is it used?

  • The MMA bifurcates this section into “User Provided Information” (e.g., information provided during registration) and “Automatically Collected Information” (e.g., the mobile device’s unique device ID and IP address).

Does the Application collect precise real time location information of the device?

  • This section applies to companies that collect “precise, real-time locational information.” Developers that collect such information should indicate how it is used and, if applicable, the opt-out options available. Even if such information is not collected, the MMA recommends including a statement to that effect.

Do third parties see and/or have access to information obtained by the Application?

  • This section will be unique to the developer and application. In addition to disclosing to whom, and in what circumstances, information is disclosed to third parties, the MMA notes that developers generally reserve the right to transfer information in the event of a sale of the application.

Automatic Data Collection and Advertising

  • This section is intended to address applications that are ad supported. The MMA provides model language for situations in which a third-party ad network obtains data for the purpose of ad targeting.

Where are my opt-out rights?

  • This section will be unique to the developer, the application and, if applicable, the ad network used by the application. The MMA provides an example that gives the user the following opt-out options: (a) opting out of all information collection by uninstalling the application; (b) opting out of the use of information for serving targeted ads; and (c) opting out of locational data collection.

Data Retention Policy, Managing Your Information

  • This section is intended to communicate how long the developer will retain User Provided Data (the MMA’s model language reads “for as long as you use the Application and for a reasonable time thereafter”) and to let users contact the developer directly to request deletion of such data.

Children

  • This section is intended to address compliance with the Children’s Online Privacy Protection Act. Even if the act does not apply to the application, the MMA recommends including language stating that the developer does not knowingly solicit information from or market to children under the age of 13.

Security

  • This section is intended to give the user an overview of the developer’s security procedures and will be unique to the developer. The MMA has stated that “developers should ensure that their security procedures are reasonable.” As with every other statement in the policy, the description should match the safeguards actually in place; a policy that overstates them is a promise the developer may be held to.

Changes

  • This section is intended to afford developers the flexibility to modify their privacy policy. The MMA notes that material changes to privacy practices generally require a user’s prior consent.

Your Consent

  • This section is intended to capture the user’s consent to have his or her data collected, processed and disclosed as set forth in the privacy policy. The MMA’s proposed language also limits the locations where activities related to data collected from users may take place to the United States.

Contact Us

  • This section is meant to give users an email address for reaching the application’s developers with privacy questions or concerns.

While the Framework is not meant to set forth rigid parameters within which developers must operate, it does provide valuable guidelines that will assist most developers, with the help of their lawyers, in creating a mobile application privacy policy that users will understand. It should be noted, however, that developers must not simply rely on the language provided by the MMA; they must still draft a privacy policy that addresses their unique, application-specific privacy practices. Inaccurate or deceptive privacy policies are subject to actions by the Federal Trade Commission, state attorneys general and other regulators.

Light, (Camera), Class Action! After Seven Years of Dormancy Since Inception, Businesses See Class Action Lawsuits for Alleged Violations of California's "Shine the Light" Act

The past month has seen a new pattern of class action lawsuits filed in California courts against businesses for allegedly violating California’s Shine the Light privacy law (the “Act”). In the seven years since the Act became effective, well-intentioned businesses have understandably had the sense that their compliance approach was sound, and we had seen no challenges to that notion. The recent class actions allege non-compliance on technical grounds as frivolous as the privacy policy being titled “Privacy Policy” instead of “Your Privacy Rights.” Why should that cost a business $500 - $3,000 per California customer? We would have to ask the plaintiffs’ lawyer that question.

Under the Act, Cal. Civ. Code §1798.83, California residents have the right to request from a business with twenty or more employees, with whom they have an established business relationship, certain information about the business’s disclosure of personal information to third parties for direct marketing purposes. Specifically, such California residents may ask for details about what personal information the business shares with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt-out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations. 

Although the Act has been effective since 2005, there are to date no published decisions under it. That may change with this month’s wave of class action lawsuits. The complaints in the recently filed cases share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety-day cure period before they can be held in violation of the law, as long as the violation was not willful, intentional or reckless. Many companies that have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses.

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

COPPA Violations? Cop a Settlement for $3 Million

Playdom, Inc., an online game company owned by Disney Enterprises, Inc., and Playdom’s Chief Executive Officer, Howard Marks (the “Defendants”), agreed to pay $3 million to settle charges brought by the Federal Trade Commission (“FTC”) that they violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting, using and disclosing the personal information of children under the age of 13 without their parents’ prior, verifiable consent.  According to the FTC’s settlement announcement, the $3 million settlement is the largest civil penalty ever for a COPPA violation.

The FTC’s complaint, filed May 11, 2011, alleged that the Defendants operated 20 “virtual world” gaming websites and that when children registered on the websites, the Defendants collected children’s personal information, like their ages and email addresses. Between 2006 and 2010, around 403,000 children registered for Defendants’ general audience websites, while an additional 821,000 users registered for www.ponystars.com, the Defendants’ website directed to children. Once registered, children could create their own personal profile pages, which included things like name, location, email address and instant messaging information. The FTC claimed that the Defendants failed to provide sufficient notice on their websites of what information they collected from children and how they used and disclosed such information. The FTC also claimed that the Defendants failed to provide direct notice to the children’s parents of their collection, use and disclosure practices with regard to such information and failed to obtain parents’ verifiable consent to their practices.   

The FTC’s complaint also alleged that the Defendants failed to adhere to the promises set forth in their privacy policy, specifically, that they would neither collect the email addresses of children without parental consent, nor permit children under the age of 13 to post personal information on their websites.

It is worth noting that Playdom took ownership of the websites when it acquired Acclaim Games, Inc. in May 2010, and that Disney subsequently acquired Playdom in August 2010. Although most of the violations occurred while Acclaim Games was operating independently, its acquirers ended up getting stuck with the tab.

Never Make a Promise You Can't Keep, Especially in Your Privacy Policy

Expect the unexpected from your Web site privacy policy. In a handful of cases, including two which were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Are your intellectual property litigators reading your privacy policy?

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. Ohio July 8, 2010), the court held that a provision of a settlement agreement between FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF, was unenforceable because doing so would violate Healio’s privacy policy. The settlement agreement FenF was trying to enforce arose from Healio’s alleged infringement of FenF’s intellectual property. As part of the settlement, Healio agreed to transfer to FenF certain customer lists containing customer information. However, Healio had promised in its privacy policy that it would not share its customers’ information with third parties. The court reasoned that “[a]llowing Plaintiff to obtain that information without any type of notice to the customers would result in manifest unfairness to those customers, who are not a party to this action and may very well have conditioned their purchases from Healio Health on that company’s promise to keep their customer information confidential.” Id. at 5.

When you wrote your privacy policy, were you thinking about “the end”?

XY

Recently, the Federal Trade Commission (“FTC”) intervened in a bankruptcy case in which purchasers were attempting to acquire the personal information of subscribers of XY, which, before filing for bankruptcy, operated a magazine and website aimed at young gay men. While it was operating, XY collected sensitive data from between 500,000 and 1 million subscribers. XY assured its subscribers that their information was safe, stating on its website, “Our privacy policy is simple: we never share your information with anybody.”

The FTC wrote in its letter, dated July 1, 2010, to counsel for the purchasers that the acquisition of such information would violate the FTC Act, because XY’s sale of subscriber information after explicitly promising not to share it would be an unfair and deceptive act or practice. The FTC requested that XY destroy the subscriber information at issue given its highly sensitive nature. On August 3, 2010, in response to the FTC’s concerns, the U.S. Bankruptcy Court for the District of New Jersey approved the parties’ settlement agreement, which stipulated that the information at issue would be destroyed.

Toysmart.com

The XY bankruptcy was not the first time that the sale of customer lists of a company in bankruptcy was thwarted due to promises made in its privacy policy. In 2000, Toysmart.com, LLC (“Toysmart”), an electronic toy retailer, announced that it was going out of business and sought offers for its customer lists which contained personally identifiable information of its customers. The FTC opposed such a sale and brought suit against Toysmart based on Toysmart’s promise in its privacy policy that it would not share its customers' personally identifiable information with third parties. Federal Trade Comm'n v. Toysmart.com, LLC, 2000 WL 34016434 (D. Mass. July 21, 2000) (Unreported). A group of state attorneys general took similar actions to prevent the sale of the lists. Ultimately, Disney, the majority owner of Toysmart, agreed to purchase and destroy Toysmart's customer lists.

Verified Identity Pass

Years after the Toysmart case, Verified Identity Pass, Inc. (“VIP”) encountered a similar situation. VIP was a company that allowed airport travelers to expeditiously pass through security checkpoints. The company filed for bankruptcy on December 1, 2009. VIP sought an acquirer, but the U.S. District Court for the Southern District of New York issued an injunction preventing VIP from selling or otherwise disclosing personal information from its database because VIP promised in its membership agreement and related privacy policy that it would not sell or distribute such information. On May 4, 2010, VIP was acquired by Alclear, LLC. The U.S. Bankruptcy Court for the Southern District of New York appointed a consumer privacy ombudsman to oversee the transfer of the personally identifiable information. VIP was forced to amend its Privacy Policy to reflect the fact that it would now be transferring its customers’ personal information to third parties. In addition, VIP had to send notice of the changes to its privacy policy to each affected customer and had to give each affected customer the option to opt-out of the transfer by electing to have his or her information destroyed.

The Bankruptcy Code

The Bankruptcy Code was amended in 2005 to specifically address the sale of a debtor company’s customer information as part of its liquidation. Under section 363(b)(1) of the Bankruptcy Code (11 U.S.C. § 363(b)(1)), the trustee may sell property of the estate; however, if the debtor had a privacy policy in effect on the date the case was commenced that prohibits the transfer of personally identifiable information to persons not affiliated with the debtor, then the trustee may not sell such information. A sale of such information may nevertheless occur in the following circumstances: if the sale is consistent with the privacy policy (e.g., there is a carve-out in the privacy policy for a sale of the personally identifiable information), or if the court appoints a consumer privacy ombudsman in accordance with § 332 of the Bankruptcy Code and, after notice and a hearing, approves the sale.


If You Let Them Build It, They Will Come: Regulatory Agencies Release Model Privacy Notice Online Form Builder

More than five months ago, eight federal regulatory agencies released their final model privacy notice form (“Model Form”) (which we blogged about here) to help financial institutions satisfy the disclosure requirements established by the Gramm-Leach-Bliley Act (“GLBA”) and help consumers understand how these institutions collect and share their information. On April 15, 2010, those same agencies attempted to ease the burden of completing the Model Form by releasing an Online Form Builder.

The Online Form Builder provides the financial institution with the choice of four form options depending on the financial institution’s data sharing practices and the opt-out rights it extends to consumers.

Some financial institutions will gravitate towards the Model Form because by using it, they will obtain a legal “safe harbor” which confirms their compliance with the GLBA’s disclosure requirements. It remains to be seen, however, whether all financial institutions will adopt the Model Form given the difficulty a financial institution may have in conveying its complex affiliate relationships and the fact that the Model Form rules do not allow the form to be modified in any material respect.

Innocent Mall Shoppers, You're Off the Hook: Federal Agencies Release Model GLBA Privacy Notice Form

On November 17, 2009, eight federal regulatory agencies released their final model privacy notice form, which is intended to make it easier for consumers to understand how financial institutions collect and share information about them. The model privacy notice form, which comes in a version that offers consumers an opt-out and one with no opt-out, represents the culmination of extensive research and testing by the various agencies, including a nationwide mall-intercept study (see our previous post here), and their analysis of public comments on the model form first proposed on March 29, 2007. The agencies’ efforts in this regard were spurred by the Financial Services Regulatory Relief Act of 2006, which amended the Gramm-Leach-Bliley Act (“GLBA”) and called upon the federal financial services agencies to jointly propose a succinct and comprehensible format for GLBA privacy notices.

The final model privacy notice form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. It is hailed as a consumer-friendly notice that allows consumers to easily compare the privacy practices of different financial institutions. Financial institutions that choose to use the model form, which will take effect 30 days after publication in the Federal Register, will obtain a “safe harbor” that declares them in compliance with the GLBA’s disclosure requirements. Publication of the final model privacy notice in the Federal Register is expected soon.

With the release of the model form, despite opposition from major industry players, the agencies plan to eliminate the existing sample clauses and accompanying compliance safe harbors, which limited the liability of financial institutions that issued privacy notices containing these sample clauses. Existing safe harbors and sample clauses will be phased out over a one-year period.

FINRA Fines Member Firm $175,000 for Failure to Protect Confidential Customer Information

The Financial Industry Regulatory Authority (FINRA) announced on April 28, 2009 that it had fined Centaurus Financial, Inc., of Anaheim, California, $175,000 for Centaurus’s failure to protect confidential customer information. FINRA also required Centaurus to send notifications to affected customers and their brokers, provide one year of credit monitoring at no cost to the affected customers, and certify to FINRA that its procedures and systems are in compliance with privacy requirements. See FINRA News Release (April 28, 2009).

In particular, FINRA found that between April 2006 and July 2007, Centaurus failed to safeguard customer information because it maintained an improperly configured firewall and an ineffective user name and password system on its computer facsimile server. These failures allowed unauthorized persons to access stored images of faxes that contained confidential information, including social security numbers, account numbers and dates of birth. Moreover, on July 15, 2007, Centaurus’s fax server was used by an unauthorized third party to host a phishing scam. Phishing is the fraudulent process of attempting to acquire confidential personal information (such as usernames, passwords and account numbers) by masquerading as a trustworthy entity in an electronic communication.

To make matters worse, after Centaurus discovered the phishing scam, it sent some 1,400 customers and their brokers a misleading letter, which indicated that the unauthorized access was limited to one person and that the information on the fax server was not openly available. The letter did not tell the customers and their brokers that other unauthorized log-ins had occurred or that the unauthorized access was possible because of the inadequate security protections on the fax server.

FINRA concluded that Centaurus’s conduct violated 17 C.F.R. Part 248 (Regulation S-P) and FINRA Rules. Regulation S-P “governs the treatment of nonpublic personal information about consumers” by certain covered financial institutions. 17 C.F.R. § 248.1. Among other things, the Regulation requires brokers, dealers and investment companies to provide an initial privacy notice to new customers, an annual privacy notice to existing customers, and a revised privacy notice under certain circumstances. See 17 C.F.R. §§ 248.4, 248.5 and 248.8. Further, brokers, dealers and investment companies “must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” 17 C.F.R. § 248.30.

FINRA is the largest independent regulator for all securities firms doing business in the United States. FINRA performs a broad array of functions, from registering industry participants to examining securities firms to writing and enforcing rules to providing trade reporting and other industry utilities. It also performs market regulation under contract for The NASDAQ Stock Market, the American Stock Exchange, the International Securities Exchange and the Chicago Climate Exchange. FINRA oversees nearly 4,900 brokerage firms, about 172,000 branch offices and approximately 660,000 registered securities representatives. FINRA was created in July 2007 through the consolidation of NASD and the member regulation, enforcement and arbitration functions of the New York Stock Exchange.

Feud of the Forms -- The Battle of The GLBA Notices

The U.S. Securities and Exchange Commission ("SEC”) announced on April 15, 2009 that it is reopening the period for public comment on proposed amendments to Regulation S-P, the SEC’s Gramm-Leach-Bliley Act (“GLBA”) implementing regulations. The SEC’s announcement follows the release of a report detailing the results of the second phase of the Interagency Notice Project (“INP”). The report by Drs. Alan Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, uses the results of a mall-intercept study to compare the performance of a prototype financial privacy notice developed by the Kleimann Communication Group (“KCG”) during the first phase of the INP against three alternative notices. The Levy-Hastak report, among other things, confirms what proponents of the INP suspected – some GLBA privacy notices are largely ineffective in conveying information to consumers that allows them to make rational decisions about the sharing of their personal financial information.

Launched in 2004, the INP is directed at evaluating consumer comprehension of GLBA privacy notices and the communication effectiveness of different notice formats. The INP’s ultimate goal is to facilitate the adoption of a model form that financial institutions may use to provide GLBA-required notices. In order to assess the relative effectiveness of different GLBA notice formats, researchers distributed one of four alternative notices to mall shoppers in five locations across the United States. These notice recipients were then asked a series of questions designed to test their ability to (a) compare banks’ information collection and sharing practices, (b) evaluate the “opt-out” choices described in the notices, and (c) make informed and reasoned choices between banks. The Levy-Hastak report used the results of this quantitative study to analyze four different notice formats:

  • KCG Table Notice: This notice, the Phase I model form, uses a table on page one to describe (1) the types of sharing engaged in by financial institutions; (2) for each type of sharing, whether a particular institution shares personal information; and (3) whether the institution offers the consumer an opportunity to opt out or limit such sharing.
  • KCG Prose Notice: This notice is the prose version of the Phase I model form. This notice differs from the KCG Table notice only in that it replaces the table on page one with a bulleted list that describes the information contained in the table.
  • Current Notice: This notice is a composite notice that is generally representative of GLBA notices currently provided by financial institutions to consumers.
  • Sample Clause Notice: This notice is comprised solely of Sample Clauses that provide only the specific information that relates to the individual financial institution.

The Levy-Hastak report points out the weakness of the Current Notice, but stops short of declaring a clear winner in the battle of forms. The Sample Clause Notice’s strong performance with respect to tasks that merely required respondents to find information within the notice underscores the importance of short forms. But the KCG Table Notice outperformed the other notice formats across “a diverse set of communication effectiveness measures.” Specifically, the survey results demonstrated that the KCG Table Notice helped respondents better understand the information contained in the notice which enabled them to make informed and logical decisions about financial information sharing.

The complete Levy-Hastak report is available here. The SEC’s public comment period will remain open until May 20, 2009.