"Boring" Couple Want to Stay That Way

Google Inc. (“Google”) has filed a motion to dismiss a complaint by a Pittsburgh couple, Aaron and Christine Boring (“the Borings”), over Google’s alleged invasion of the Borings’ privacy through Google’s Street View service. Launched last May, Street View provides a navigable, 360-degree view from the streets of many U.S. cities, including Pittsburgh. 

The Borings have sued for invasion of privacy, trespass, negligence and unjust enrichment and seek damages for mental suffering and diminished property value. In their complaint, the Borings argue that Google recklessly invaded their reasonable expectation of privacy by trespassing onto their property, driving past a sign reading “Private Road, No Trespassing.” From the Borings’ driveway, Google captured exterior images of the Borings’ residence and swimming pool, which Google then made visible through Street View.

In Google’s motion to dismiss, Google argues the invasion of privacy claim is lacking because the Street View service images must be considered in the context of what others can already view from the street. That is, any delivery person, service provider, or guest who turns around in the Borings’ driveway sees the same view as the Street View point of view. Only if there had been a barrier or closed gate would a reasonable expectation of privacy possibly arise. In introducing this argument, Google quotes commentary from the Restatement (Second) of Torts (relating to invasion of privacy torts) that

                [c]omplete privacy does not exist in this world except in a desert, and anyone who is not a hermit must expect and endure the ordinary incidents of the community life of which he [or she] is a part.

As to the trespass issue, Google points to the privilege of consent that may be implied from custom. One such custom is driving up a driveway or approaching the front door of a private home “absent a locked gate or other express notice not to enter.”

Interestingly, the Borings filed a lawsuit rather than using the Street View service’s removal option; similar photos of the Borings’ house were already publicly available online; and the Borings have garnered more attention by proceeding with a lawsuit than they would have by simply having the images removed.


Proskauer Rose summer associate David Neinstein contributed to this report.

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first-of-its-kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third-party Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers the web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data, such as geographic location, to further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted pseudonymously, with the data collected linked only to a cookie identifier or a computer’s Internet Protocol (IP) address rather than to a name or other personally identifiable information (although, as discussed below, European regulators have begun to treat an IP address itself as personal data, and a persistent identifier can be tied back to a person whenever it is joined with account or subscriber records). In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as NebuAd, Phorm and Adzilla, which use so-called “deep packet inspection” to collect data on every page a user visits, rather than just those that are part of an online advertising network.
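The mechanics described above, as an added example that is not code from the original post or from any of the companies it names: a toy third-party ad network sets a random cookie on the first request for its tracking pixel, records every page that embeds the pixel under that cookie, and the resulting profile is re-identified by joining it against a record that links the client IP to an account. The host names, paths, IP addresses and account names are constructed for the example.

```python
"""Added example, not code from the original post: a toy model of
cookie-based behavioral tracking. A third-party ad network sets a random
cookie on the first request for its pixel, logs every page that embeds the
pixel under that cookie, and the resulting profile can be tied to a person
by joining it against any record that links the cookie or the client IP to
an identity. Host names, paths, IP addresses and account names are all
constructed for the example."""
import secrets
from collections import defaultdict

COOKIE = "uid"
TRACKER = "ads.example"   # hypothetical third-party ad network host


class AdNetwork:
    """Third party whose tracking pixel is embedded on publisher pages."""

    def __init__(self):
        self.profiles = defaultdict(list)   # cookie id -> [(site, path), ...]
        self.ips = defaultdict(set)         # cookie id -> {client ip, ...}

    def serve_pixel(self, cookies, site, path, client_ip):
        """Handle one pixel request made from page `site` + `path`.

        Returns (cookie id, Set-Cookie header or None). The id is a random
        number: no name or e-mail is collected, yet it persists for a year."""
        uid = cookies.get(COOKIE)
        set_cookie = None
        if uid is None:
            uid = secrets.token_hex(8)
            set_cookie = f"{COOKIE}={uid}; Max-Age=31536000; Path=/"
        self.profiles[uid].append((site, path))
        self.ips[uid].add(client_ip)
        return uid, set_cookie


class Browser:
    """Client with a per-host cookie jar; each visit also loads the pixel."""

    def __init__(self, network, client_ip):
        self.network = network
        self.client_ip = client_ip
        self.jar = defaultdict(dict)        # host -> {cookie name: value}

    def visit(self, site, path):
        uid, set_cookie = self.network.serve_pixel(
            self.jar[TRACKER], site, path, self.client_ip)
        if set_cookie:
            name, value = set_cookie.split(";", 1)[0].split("=", 1)
            self.jar[TRACKER][name] = value
        return uid


def reidentify(network, ip_to_account):
    """Join the pseudonymous profiles against an IP -> account record (a
    login log, a subscriber database, etc.). Returns {account: pages}."""
    out = defaultdict(list)
    for uid, pages in network.profiles.items():
        for ip in network.ips[uid]:
            if ip in ip_to_account:
                out[ip_to_account[ip]].extend(pages)
    return dict(out)


def demo():
    """Run one user across two unrelated publishers and join the result."""
    net = AdNetwork()
    alice = Browser(net, "198.51.100.7")
    visits = [("news.example", "/health/diabetes"),
              ("shop.example", "/cart"),
              ("news.example", "/politics")]
    uids = {alice.visit(site, path) for site, path in visits}
    # One persistent pseudonym follows the user across both sites.
    login_log = {"198.51.100.7": "alice@example-mail.test"}   # constructed
    return uids, net, reidentify(net, login_log)
```

The cookie carries only a random number, yet `demo()` shows the same number following the user across both publishers, and a single IP-to-account record is enough to attach a name to the whole browsing history. An ISP-side deep packet inspection deployment of the kind the consumer groups object to needs no pixel at all and already holds the subscriber-to-IP mapping, so for it the join step is trivial.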

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441) is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third party tracking of different types of consumer online activity. Absent obtaining a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from collecting personally identifiable information online in some situations (when merged with certain other previously collected data). Consumers would have the right to opt-out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And, it would require third party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options.  

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.                    

The European Union 

The press has recently reported on controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, TalkTalk and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR), submitted an open letter to the U.K. Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers an opt-in choice for the tracking. Phorm claims that it tracks users with a cookie containing only a random number, so that it does not collect personally identifiable information; that identifier is persistent, however, so the resulting profile is pseudonymous rather than anonymous.

The issue of online monitoring continues to draw the attention of European Union regulators, with more activity expected in the near future. Although the E.U. approved the Google-DoubleClick merger, the E.U. Article 29 Working Party, comprised of data privacy regulators from each of the E.U.’s member states, has stated that even search engines based outside of the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that an IP address standing alone constitutes personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.

Industry and Interest Group Guidelines        

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year it is planning to revise its guidelines while just last month the Interactive Advertising Bureau – an organization comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

State Attorneys General Announce Agreement with MySpace to Protect Children Online

Yesterday, attorneys general from 49 states (all but California’s) and the District of Columbia announced a sweeping agreement with MySpace under which the company will adopt new measures to protect children online. This announcement culminates many months of negotiations between MySpace and a task force of the attorneys general led by Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, and reflects the intense pressure on web 2.0 sites to protect children online. We previously posted about that pressure, reporting on state attorneys general investigations of MySpace and Facebook here and the subsequent New York attorney general settlement with Facebook here. The new agreement with MySpace is available as an attachment to the press release on the North Carolina Attorney General’s website.

The agreement is notable for its breadth. It goes well beyond the scope of the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to the collection of personal information online from children 12 and under. The agreement includes protections for all users under 18, with stronger protections for those under 16. Under the agreement, MySpace will take some readily achievable operational steps and work towards certain longer term goals, such as developing new procedures and tools to protect children.

The more immediate steps include the following:

  • continuing to dedicate resources to educate parents and educators on child safety online;
  • using “best efforts” to acknowledge consumer complaints within 24 hours of receipt with a follow-up of the steps taken within 72 hours;
  • retaining an “Independent Examiner” to evaluate and examine handling of complaints;
  • continuing to cooperate with law enforcement on complaints, which includes continuing the law enforcement hotline number and creating a law enforcement liaison;
  • implementing a series of operational changes including:
    • “age locking” to reduce the number of times a user can change their age above or below the 18 year old threshold;
    • age restrictions on certain website functions that make it harder for adults to contact children such as limiting the ability of users over 18 to search in school sections; limiting the ability of users under 18 to designate themselves as swingers; limiting being able to browse certain categories such as “body type”, “smoke” and “drink”; limiting group invites; and automatically designating profiles as private for those under 16;
    • an image monitoring policy using technology that hashes images, so that known inappropriate images can be recognized when they are uploaded again;
    • limitations on tobacco and alcohol advertisements to those under 18 and 21 respectively;
    • expanded age specific classifications for events;
    • expanded reporting functionality for violations including a drop down for categories such as pornography, cyberbullying and unauthorized use;
    • enhancing safety tools for members such as the ability to set profiles to private, the ability to block others and requiring those under 18 to affirmatively consent to having reviewed posted safety tips before registration; and
    • enhanced tools for parents such as the ability to remove a child’s profile.
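The “hashing” step in the image monitoring commitment above, as an added example that is not code from the agreement or from MySpace: a minimal perceptual hash (average hash) with a blocklist lookup, contrasted with a plain SHA-256 of the image bytes. The agreement does not say which hashing technology is meant; the average hash, the 8x8 grid size, the Hamming threshold of 6, the label and the grayscale pixel grids are all constructed for this example.

```python
"""Added example, not code from the agreement or from MySpace: a toy
perceptual hash (average hash) plus a blocklist lookup, showing how an
image-hashing policy can recognize a known image after it has been resized
or slightly re-encoded, where an exact SHA-256 of the file bytes cannot.
Images are constructed grayscale grids (lists of rows of 0..255 ints)."""
import hashlib


def average_hash(pixels, size=8):
    """64-bit aHash: shrink to size x size by block averaging, then set one
    bit per cell that is brighter than the mean over all cells."""
    h, w = len(pixels), len(pixels[0])
    cells = []
    for r in range(size):
        for c in range(size):
            r0 = r * h // size
            r1 = max((r + 1) * h // size, r0 + 1)
            c0 = c * w // size
            c1 = max((c + 1) * w // size, c0 + 1)
            block = [pixels[y][x] for y in range(r0, r1) for x in range(c0, c1)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def exact_hash(pixels):
    """SHA-256 of the raw pixel bytes: any change at all breaks the match."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


class HashBlocklist:
    """Hashes of known-bad images; a near match within `threshold` bits counts."""

    def __init__(self, threshold=6):
        self.threshold = threshold
        self.entries = {}           # aHash -> label

    def add(self, pixels, label):
        self.entries[average_hash(pixels)] = label

    def match(self, pixels):
        """Return (distance, label) of the closest listed image, or None."""
        h = average_hash(pixels)
        best = None
        for known, label in self.entries.items():
            d = hamming(h, known)
            if d <= self.threshold and (best is None or d < best[0]):
                best = (d, label)
        return best


def make_gradient(h, w, horizontal=True):
    """Constructed test image: a 0..255 ramp across the width (or height)."""
    if horizontal:
        return [[x * 255 // (w - 1) for x in range(w)] for _ in range(h)]
    return [[y * 255 // (h - 1) for _ in range(w)] for y in range(h)]


def upscale2x(pixels):
    """Nearest-neighbour 2x enlargement, as a resized re-upload would produce."""
    return [[v for v in row for _ in (0, 1)] for row in pixels for _ in (0, 1)]


def darken_with_noise(pixels):
    """Mild re-encoding: 10% darker plus tiny deterministic noise."""
    return [[int(v * 0.9) + (x + y) % 3 for x, v in enumerate(row)]
            for y, row in enumerate(pixels)]


def demo():
    original = make_gradient(16, 16)
    blocklist = HashBlocklist(threshold=6)
    blocklist.add(original, "known-bad-0001")   # constructed label
    return {
        "resized": blocklist.match(upscale2x(original)),
        "reencoded": blocklist.match(darken_with_noise(original)),
        "unrelated": blocklist.match(make_gradient(16, 16, horizontal=False)),
        "sha_equal": exact_hash(original) == exact_hash(upscale2x(original)),
    }
```

`demo()` matches both the enlarged and the re-encoded copies to the listed image while the exact SHA-256 already differs after the resize, and the unrelated image is 32 bits away and is not matched. A real deployment would use a purpose-built robust hash rather than this 64-bit toy, and the threshold has to be tuned against a false-positive budget, since every near match triggers action against a user's upload.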

MySpace also has agreed to engage in the following longer term efforts:  

  • organizing an industry-wide Internet Safety Technical Task Force to develop online safety tools – specifically, improved online identity authentication tools – with quarterly reports to the attorneys general’s task force;
  • designating a senior executive to work with the task force;
  • holding regular meetings with the attorneys general to discuss website design and functionality improvements to protect children;
  • hiring a third party to build and host a database of email addresses for parents to register users under 18 (to prevent child registration at social networking sites);
  • blocking access by those under 18 to profiles related to the entertainment industry;
  • increasing staff for monitoring and increasing the use of textual searching and other technologies for monitoring.

The agreement is set forth as a statement of principles, and the parties have agreed to attempt to achieve the foregoing objectives, among others. According to reports, the attorneys general and MySpace continue to differ on the feasibility of new age authentication and verification technologies. The attorneys general have not ruled out legal action in the future if sufficient progress is not achieved.

FTC Staff Issues Proposed Self Regulatory Principles for Behavioral Advertising and Seeks Comment

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008. 

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles,” follows from the FTC’s town hall meeting held in early November 2007. There, the FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses alike. The agenda and links to material related to the town hall meeting can be found here.

The self-regulatory approach taken by FTC staff recognizes the benefits behavioral advertising provides. Specifically, FTC staff recognizes that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalized ads. FTC staff is, however, concerned that behavioral advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that: 

(1) every website that collects data for behavioral advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioral advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;  

(2) a company engaged in behavioral targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfill a legitimate business purpose or a law enforcement need”;

(3) a company should obtain consumers' "affirmative express consent" if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and 

(4) a company should obtain "affirmative express consent" before collecting "sensitive" consumer data (such as health data, sexual orientation, and children's data). FTC staff is seeking further comment on the types of data that constitute "sensitive" information and whether, instead of consumer choice, a prohibition on collection of such data would be a better approach.

FTC staff seeks comments on the four proposed principles generally, including their feasibility and the costs and benefits of offering choices for behavioral advertising. FTC staff also seeks additional information on the secondary uses of tracking data that extend beyond behavioral marketing. Specifically, FTC staff seeks information on what secondary uses of tracking data are occurring, which of those uses raise privacy concerns, whether those concerns extend to non-personally identifiable information as well as personally identifiable information, and whether some heightened form of protection for secondary uses is warranted.

The FTC vote to approve release of the principles was 5-0. The related FTC press release is available here.

New York Attorney General Settlement with Facebook Creates New Model to Protect Children Online

In follow-up to our earlier blog post regarding recent pressure on social networking sites from law enforcement, New York Attorney General Andrew Cuomo announced yesterday that his office had entered into a settlement with Facebook. The settlement resolves the Attorney General’s investigation of Facebook’s failure to fulfill public claims it made about protecting minors, which the Attorney General believed were deceptive acts and practices and false advertising in violation of New York consumer protection laws. Facebook did not admit to any wrongdoing.  

The settlement is particularly noteworthy for its resulting “new model” to protect children. As set forth in the settlement agreement and settlement terms, Facebook will:

  • Disclose the newly implemented safety procedures on its website as specified by the agreement and ensure that all other public statements made by Facebook about safety are consistent with the specified language.
  • Accept complaints about nudity or pornography, harassment or unwelcome contact confidentially via hyperlinks placed throughout Facebook’s website as well as via an independent email to abuse@facebook.com.
  • Respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.
  • Report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been submitted via an independent email to abuse@facebook.com.
  • Allow Facebook’s complaint review process to be examined by an Independent Safety and Security Examiner (ISSE), a third party approved by the New York State Attorney General’s Office, to report on Facebook’s compliance with the agreement.
  • Provide a prominent and easily accessible hyperlink to allow a Facebook user or their parent/guardian to give feedback to the Independent Safety and Security Examiner (ISSE) about Facebook’s performance in responding to complaints. 
  • Submit to the Office reports prepared by the Independent Safety and Security Examiner (ISSE) evaluating Facebook’s performance in responding to complaints. The Examiner will report bi-annually and may recommend additional safety measures concerning complaint handling, as appropriate.

Both Attorney General Cuomo and Facebook are touting the agreement as setting new industry standards to protect children. Notably, Connecticut Attorney General Richard Blumenthal, co-chair of the national social networking task force of all 50 state Attorneys General, issued a press release stating the settlement terms were not strong enough. He is urging social networking sites to increase the use of filtering technology and monitors to screen content, identity and age verification for anyone 18 and older, parental consent for anyone under 18, the hiding of children’s profiles from adults, certain restrictions on advertising to children, and other measures. In light of the settlement, the likely continued interest by law enforcement, and the potential dangers to children, social networking sites should consider assessing their security practices and policies.           

Social Networking Sites Feel The Heat From Law Enforcement

Kids like social networking sites, most notably MySpace and Facebook. So it is not surprising that law enforcement is scrutinizing how the sites protect children. Recent subpoenas issued to Facebook by New York Attorney General Andrew Cuomo and New Jersey Attorney General Anne Milgram are illustrative.

Both subpoenas sought information about Facebook’s Internet safety and security policies. The New York subpoena, issued last month, also sought information concerning Facebook’s complaint resolution procedures. In its subpoena cover letter to Facebook, Attorney General Cuomo noted Facebook’s public representations concerning how it responds to reports of pornographic material and inappropriate contact with minors. It also described his office’s undercover investigation of Facebook. According to the letter, the investigation revealed pornographic and other inappropriate content readily available on the site. In addition, after investigators set up profiles as young teenage users, they received inappropriate sexual advances. The investigators filed complaints about these issues through Facebook’s complaint procedures. The letter notes various instances of non-responsiveness or delayed response to such complaints. The New Jersey subpoena, issued earlier this month and described here, sought information from Facebook concerning convicted New Jersey sex offenders that Facebook has identified as site users. Facebook previously informed the New Jersey Attorney General that it had removed sex offenders with profiles matching individuals listed on the New Jersey sex offender registry. Attorney General Milgram also sent letters to eleven other social networking sites requesting that they compare their registrants against the state’s sex offender list.

These actions from New York and New Jersey are the latest steps by attorneys general from all 50 states to pressure social networking sites to enhance security protocols, specifically parental controls and age verification tools, because of the vulnerability of children to online predators and inappropriate content. In particular, since early last year, Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, have led a task force of the attorneys general calling on social networking sites to increase protections for children. Some of the steps the task force has urged social networking sites to take include enhanced age verification tools, restrictions on the ability of children to make their profiles available to others in the absence of parental consent, increased staff and technology dedicated to screening inappropriate content, giving parents software to block the site, and raising the minimum age of participation to 16.

This Spring, MySpace was in the news after receiving a letter from eight attorneys general demanding information concerning registered sex offenders on its site. After initially asserting it was unable to legally comply, MySpace struck an agreement with the attorneys general about the form of the requests. MySpace later announced it had removed more than 29,000 profiles of sex offenders from its site.

North Carolina and Connecticut are among states that introduced legislation requiring age verification measures on websites. Those bills have not passed but are expected to be introduced in future legislative sessions.

Businesses developing social networking sites that may attract children should not only comply with the Children’s Online Privacy Protection Act (“COPPA”) and its regulations concerning parental consent when collecting personal information of children, but should also be aware of increased state activity that may require enhanced practices. Companies should consider scrubbing user profiles against sex offender registries and utilizing enhanced tools for age verification. Finally, companies should be sure they are not making any security representations they are not abiding by or with which they cannot comply.  

International Privacy Issues and More Addressed in New International Practice Guide

Proskauer Rose LLP has just released "Proskauer on International Litigation and Arbitration: Managing, Resolving, and Avoiding Cross-Border Business and Regulatory Disputes." The online guide is a practical reference work for businesses and practitioners; it explores best practices and creative yet practical approaches to manage, resolve, and avoid controversies affecting multiple jurisdictions. 

The 28-chapter guide is available free in e-Book format at www.proskauerguide.com. It includes a thorough chapter on international privacy law.

Drawing on the firm's long and extraordinary history in international practice, "Proskauer on International Litigation and Arbitration" is written by the firm's lawyers on the most timely and important topics in international practice, from drafting international agreements to securing/avoiding jurisdiction to judgment enforcement/avoidance, from multi-jurisdictional regulatory proceedings or investigations to protecting witnesses, documents, privacy, and privileges, as well as several additional substantive areas.

"Despite the fact that the explosion in international business and regulatory disputes presents unique challenges, there does not exist for the client or practitioner any comprehensive treatment of the issues arising in international or cross-border litigations, arbitrations, and regulatory investigations or proceedings. We are filling that gap by providing this essential reference guide", said Louis M. Solomon, Co-Chair of Proskauer's Litigation Department and Editor-in-Chief of the Guide. "'Proskauer on International Litigation and Arbitration' would be an extraordinary achievement even if it were limited to being a compendium of the current law in this dynamic and rapidly expanding area. But my colleagues in the Proskauer Litigation Department and International Practice Group have done so much more, producing a resolutely practical guide, emphasizing the concrete and strategic over the theoretical, the lore as well as the law, and the unique opportunities and challenges presented by international litigation and regulatory proceedings."

The Sixth Circuit Affirms Individual Expectation of Privacy in Emails

In a decision that will significantly impact the ability of the government to access electronic communications, the United States Court of Appeals for the Sixth Circuit on June 18, 2007, affirmed a district court’s issuance of a preliminary injunction prohibiting governmental entities from obtaining Internet Service Providers’ (“ISP”) subscribers’ e-mail communications unless the subscriber first receives prior notice and an opportunity to be heard.  Warshak v. United States, No. 06-4092 (6th Cir. 2007). The Court found unconstitutional the Stored Communications Act (“SCA”) provisions allowing Government seizure of such communications without prior subscriber notice, because the court order could be issued without a showing of probable cause that the subscriber had committed a crime. The Sixth Circuit found that individuals have an expectation of privacy regarding the contents of emails sent or stored through an Internet Service Provider (ISP).

The SCA, passed in 1986 as part of the Electronic Communications Privacy Act, contains various provisions regarding “stored wire and electronic communications and transactional records” affecting ISPs’ subscriber records and communications. The specific provisions of the SCA at issue in Warshak were sections 2703(b) and (d) and 2705(a). Sections 2703(b) and 2705(a), in pertinent part, allow a governmental entity to obtain the contents of electronic communications that have been stored by an ISP for more than 180 days without notice to the subscriber if obtained by a warrant (which is subject to the usual probable cause standard), and with delayed notice to the subscriber if the governmental entity obtains a court order and the court finds there may be an adverse result from providing notice. Section 2703(d) allows the issuance of such court orders when the government has “reasonable grounds to believe” that the communications are pertinent to an active criminal investigation, a less rigorous standard than probable cause.

In Warshak, the U.S. Government directed its order to Plaintiff Steven Warshak’s ISPs to obtain, among other things, his stored e-mail communications in support of its criminal investigation of wire and mail fraud. The Government did not seek e-mails in electronic storage less than 180 days old (which can only be obtained with a warrant). The court order approved delayed notice. After the Government provided the delayed notice, Warshak filed a complaint seeking a preliminary injunction and alleging that the disclosure of his emails without a warrant or notice violated the Fourth Amendment and the SCA. The U.S. District Court for the Southern District of Ohio held that individuals sending emails have an expectation of privacy, and preliminarily enjoined the seizure of emails from an ISP account when an account holder was not given notice and a hearing. The government appealed the district court’s decision.  

On appeal, the Government argued that an SCA court order is akin to a subpoena and therefore probable cause is unnecessary. The Sixth Circuit acknowledged that, for a subpoena to issue, the Government must meet only the lower “reasonableness standard.” However, in reviewing the case law, the court concluded that individuals may challenge a third party subpoena before disclosure is compelled if they have a “legitimate expectation of privacy” regarding the records at issue. The Warshak court therefore reasoned that, where an email user has an expectation of privacy regarding the email content, the government must meet the more rigorous “probable cause” standard. The court found an expectation of privacy in e-mail communications by analogizing the emails to the surveillance of telephone conversations at issue in Katz v. United States, 389 U.S. 347 (1967). In Katz, the Supreme Court of the United States held that government interception of telephone conversations was a search for Fourth Amendment purposes, and that individuals have a legitimate expectation of privacy regarding the conversations.

The Sixth Circuit made only one modification to the district court’s injunction, adding that, “if the government can show, based on specific facts, that an e-mail account holder has waived his expectation of privacy vis-à-vis the ISP, compelled disclosure of e-mails through notice to the ISP alone would be appropriate.” The Court explained that such a waiver requires more than the ISP having some level of monitoring policies in place. For example, an ISP’s terms of use reserving a right of access to e-mail communications for specific, limited purposes, or its use of technological monitoring of e-mails to identify child pornography, would not constitute a waiver by the subscriber. Rather, for a subscriber to waive his expectation of privacy in e-mail communications, the ISP would have to have clear terms of service, apparent to the user, allowing it to regularly audit, inspect, or monitor subscriber e-mails. The Court analogized to the recent Ninth Circuit decision in United States v. Heckenkamp, Nos. 05-10322, 10323, 2007 U.S. App. LEXIS 7806 (9th Cir. Apr. 5, 2007), where a student who connected his computer to the university’s network was held to have a legitimate expectation of privacy regarding his computer files because the university’s monitoring policy was limited in scope. See our discussion of Heckenkamp here. The Court distinguished workplace privacy, where an employer explicitly notifies employees of its right to monitor and access e-mail.

The Sixth Circuit’s decision does not affect other provisions of the SCA, including the government’s ability to obtain, without notice, e-mail communications with a warrant and subscriber account information with a warrant, court order or subpoena.

California Court of Appeal Reaffirms Adequacy of Opt-Out Notice to Protect Privacy of Individual Identity and Contact Information in Litigation

On April 9, 2007, the California Court of Appeal, Second Appellate District, affirmed a ruling of the Los Angeles Superior Court permitting the disclosure to counsel for a putative class of the names, addresses, and telephone numbers of the defendant’s current and former employees unless, following proper opt-out notice, they objected in writing to the disclosure. Belaire-West Landscape, Inc. v. Superior Court, B194844 (April 9, 2007). The Belaire-West court applied the reasoning of the California Supreme Court's recent decision in Pioneer Electronics (USA), Inc. v. Superior Court, 40 Cal.4th 360 (2007) (discussed in our January 30 post) to employee data to hold that requiring current and former employees to object to disclosure of their identities and contact information “present[ed] no serious invasion of their privacy interests.”

Real parties in interest Sebastian Rodriguez and Jose Luis Mosqueda filed a putative wage and hour class action against their former employer, Belaire-West Landscaping. During precertification discovery, the trial court compelled Belaire-West to provide the names and contact information of all current and former employees and adopted the plaintiffs’ proposed notice to those individuals that required them to opt-out in writing to prevent their information from being disclosed. The court reviewed in detail the analysis applied in Pioneer, and determined that the opt-out notice adequately protected the privacy rights of the current and former employees.

The opt-out notice adopted by the trial court advised current and former employees “of the lawsuit and its core allegations, and explained who may be a member of the proposed class. It described the investigation plaintiffs’ attorneys were performing, and stated that ‘[t]o assist in the investigation, the attorneys for the Plaintiffs wish to gather information regarding the nature of the work you do (or used to do), while employed by Belaire-West, including the amount of any overtime you may have worked. They have sought to obtain your names, addresses and telephone numbers, so that they can communicate with you about the allegations made in the lawsuit.’” The notice further stated as follows:

By order of the Los Angeles Superior Court, Plaintiffs’ counsel has already been provided your names. The Court has ordered that a letter be sent to you to determine if you would object to Plaintiffs’ counsel receiving your address and telephone number. You may elect not to provide your address and/or telephone number to Plaintiffs’ counsel on the grounds of privacy. [] Plaintiffs’ counsel would like to have your address and telephone number to help in their investigation. The Plaintiffs’ lawyers would like to contact you to obtain your input as to whether the Plaintiffs’ allegations in their lawsuit are accurate. [] THEREFORE, IF YOU DO NOT WANT YOUR ADDRESS AND TELEPHONE NUMBER TO BE PROVIDED TO THE PLAINTIFFS’ ATTORNEYS, YOU MUST complete and return THE ENCLOSED POST CARD to the address listed on the postcard.

The notice included the names, addresses, and telephone numbers of plaintiffs’ counsel, with the information that recipients had the right to contact plaintiffs’ counsel and that they speak Spanish. Finally, the notice advised current and former employees that they were “under no obligation to provide information to or discuss this matter with the Plaintiffs’ attorneys or any person representing the former employees,” were “also under no obligation to provide information to or discuss this matter with Belaire-West or any of its agents or attorneys,” and that their “employer[s] may not retaliate against [them] in any way for providing or refusing to provide any information.”

As explained in a previous post, the Court in Pioneer held that, under the privacy provision of the California Constitution, a representative plaintiff in a class action may obtain from defendant company the personal identifying information of other complaining consumers, even when those consumers do not affirmatively grant permission for their personal identifying information to be used.

The Belaire-West court concluded that the opt-out notices in the instant matter sufficed under Pioneer. The court acknowledged that the privacy concerns in the Belaire-West case were more significant than those in Pioneer because the information was provided to Belaire-West as a condition of employment (as opposed to the voluntary disclosures of consumers in Pioneer), and that employees reasonably expected that their employer would not divulge the information except as required to governmental agencies or benefits providers, in light of employers’ usual confidentiality customs and practices. Nonetheless, the court found that this did not mean that current and former employees would wish their contact information to be withheld from a class action plaintiff seeking relief for violations of employment laws.

The court found reasonable the trial court’s implicit finding that “no serious invasion of privacy would result from the release of the [information] to the named plaintiffs in a putative class action filed against their employer following a written notice to each employee giving them the opportunity to object to the disclosure of that information.” As in Pioneer,

the information, while personal, was not particularly sensitive, as it was contact information, not medical or financial details. Disclosure of the contact information with an opt-out notice would not appear to unduly compromise either informational privacy or autonomy privacy in light of the opportunity to object to the disclosure, as the court specifically found that there was no evidence of any actual or threatened misuse of the information.

The court further held that the balance of interests also supported the trial court’s order because the current and former employees were potential percipient witnesses and, as such, their identities and locations were properly discoverable under the California Code of Civil Procedure § 2017.010. Indeed, the court found that the balance tilted even more in favor of disclosure than in Pioneer because the “fundamental public policy underlying California’s employment laws” was at stake.

Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  

Proposed Data Destruction Requirements for Retailers

California currently requires all businesses to comply with several statutory provisions related to data security and destruction.  These provisions are contained in California Civil Code §§ 1798.80 – 1798.84 and concern three major topics: (1) destruction of customer records containing personal information; (2) the safeguarding of personal information; and (3) data breach notification.  A.B. 779 incorporates the data privacy laws by reference and expressly applies them to retailers that “collect[] or maintain[] personal information for any purpose.”

Under the bill, retailers would be required to dispose of records that contain personal information within 90 days.  Existing law, California Civil Code § 1798.81, provides general guidelines for records disposal for all businesses.  Under the current statute, a “record” is anything on or through which information is recorded or preserved, including written or spoken words, graphic depiction or electronic transmission.  “Personal information,” for purposes of this section, is:

any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.  “Records” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

California Civil Code § 1798.80 (emphasis added).

The destruction requirements proposed in A.B. 779 reach far beyond those set forth in § 1798.81.  Existing law requires only that a business

take all reasonable steps to destroy, or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Section 1 of A.B. 779, however, would require that “a retailer that sells goods or services to any resident of California . . . not retain personal information for longer than 90 days after the date of the original transaction, or the period of time during which goods may be returned for a refund or exchange, whichever is shorter.” (emphasis added).  Thus, should A.B. 779 be passed into law, it will significantly impact retailers’ records retention and disposal policies and procedures with respect to personal information of customers.

Proposed New Data Breach Notification Requirements for All Businesses

California Civil Code § 1798.82, the first-in-the-nation security breach notification law, currently requires all businesses that own or license personal information to notify individuals if their data have been, or may have been, acquired by an unauthorized person.  Personal information is defined as the first name or initial and last name of an individual, with one or more of the following: 1) Social Security Number, 2) driver’s license number, 3) credit card or debit card number, or 4) a financial account number with information such as PINs, passwords or authorization codes that could gain access to the account.

A.B. 779 would amend California Civil Code § 1798.82 in three primary respects.  First, it would require that the following information appear in breach notices:

(A) The date of the notice.

(B) The name of the person or business that maintained the computerized data at the time of the breach.

(C) The date on which the breach occurred.

(D) A description of the categories of personal information that were, or are reasonably believed to have been, acquired by an unauthorized person.

(E) A toll-free telephone number or, if the primary method used by the person or business to communicate with the individual is by electronic means, an electronic mail address that the individual may use to contact the person or business or their agent, so that the individual may learn what types of personal information the person or business maintained about that individual.

(F) The toll-free telephone numbers and addresses for the major credit reporting agencies.

Second, according to the text of the bill, owners or licensees of personal data would be entitled to reimbursement from a third party person or business that maintains the data and that is actually responsible for the breach, for the “reasonable and actual costs” of providing required breach notification.  Data owners would remain responsible for providing notice.  Third, companies providing notice must send a copy of the notice provided to consumers to the California Office of Privacy Protection.  This requirement is similar to the laws of other states, including New York and New Jersey, that require notification to other governmental agencies.

A copy of A.B. 779 can be found here.

Federal Regulators Propose Federal Privacy Notice and Seek Comments

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over Gramm-Leach-Bliley Act (“GLBA”) regulated “financial institutions” issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices to make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of notices and the overuse of legal terms. 

Section 503 of the GLBA, 15 U.S.C. § 1603, and current rules require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and the nonaffiliated third parties to whom such information is disclosed, and the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, in the case of long-standing relationships, on an annual basis. Current rules do not mandate a standard format or particular wording for the notices; however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.

While the Joint Agencies had deferred policy action in the midst of studying how to improve privacy notices, on October 13, 2006, President Bush signed the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act”). Section 728 of the Regulatory Relief Act amended Section 503 of the GLBA (15 U.S.C. § 1603) to require the Joint Regulators to propose a model form by April 11, 2007. Although financial institutions will not be required to use the model form, the Regulatory Relief Act includes a safe harbor that deems any financial institution using the form to be in compliance with the Section 503 disclosures.    

The model form is largely based on a report issued by the Kleimann Communications Group in March 2006. The proposed model form would be 2-3 pages, depending on whether there is an opt-out. The first page would include general background information and a keyframe with why, what and how information regarding a financial institution’s use of personal information, reasons for sharing, and opt-out rights. The second page includes supplementary information such as definitions and further explanatory information in the form of Frequently Asked Questions. The final page includes an opt-out form for those financial institutions that share information in a manner that triggers consumer opt-out rights. The proposed rules would require a minimum font size and that financial institutions provide sufficient spacing between lines of type with further recommendations on font type, spacing, paper size and color. One year after enactment of the model proposal, financial institutions will lose any safe harbor from using the sample clauses in the current rules for their notices.     

Comments on the proposal will be due 60 days from publication in the federal register, which is expected later in March. The Joint Agencies are seeking comment on the content of the model form, including whether modifications to the opt-out are necessary and whether financial institutions intend to incorporate the Fair Credit Reporting Act opt-out for affiliate marketing into the form, the format of the form, and other issues such as the likelihood financial institutions will use the form and issues regarding some financial institutions’ requirement that consumers provide their social security numbers to opt-out. Interested parties need only submit comments to one of the Joint Agencies.   

The Joint Agencies include the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and the Securities and Exchange Commission.

110th Congress Proposes Sweeping Federal Data Security Legislation

Senators and Representatives from both sides of the aisle have introduced several new pieces of legislation proposing sweeping new frameworks for data privacy law:

            S. 239 (“Notification of Risk to Personal Data Act”);
            H.R. 958 (“Data Accountability and Trust Act”);
            H.R. 836 (“Cyber-Security Enhancement and Consumer Data Protection Act of 2007”); and 
            S. 495 (“Personal Data Privacy and Security Act of 2007”).   

S. 495 and H.R. 958 establish requirements for data security, as well as breach notification standards; S. 239 is limited to breach notification requirements; and H.R. 836 criminalizes the concealment of data breaches, enhances penalties for identity theft, and requires the reporting of breaches to federal law enforcement agencies. Whatever the final text of data privacy legislation, we are likely to see this Congress pass federal data security legislation. Congressional leaders have emphasized that data privacy and breach notification are top priorities.

Federal legislation is necessary, some believe, in order to standardize what currently is a patchwork of requirements among the 35 states with data security and breach notification requirements.                 

Following are some of the more notable provisions of the proposed bills:

1) Pre-emption

All four bills would pre-empt state laws pertaining to similar subject matter. However, the bills do allow states to specify additional information that must be included in data breach notifications. 

2) Regulatory enforcement and rulemaking

S. 239, H.R. 958 and S. 495 all delegate to the FTC the responsibility of establishing guidelines for data security and breach notification. Although the FTC’s mandate until now has not included breach notification, the FTC has a fair amount of experience with enforcing data security standards under its Section 5 (15 U.S.C. § 45) authority. 

The proposed legislation delegates authority to the FTC to promulgate regulations based on criteria similar to those the FTC already follows in its Section 5 cases: establishment of security policies, enforcement of those policies and monitoring of potentially vulnerable systems. See, e.g., H.R. 958, sec. 2.      

3) Breach notification duty belongs to data owner, not licensee or third-party data manager

H.R. 958 and S. 495 explicitly state that a third-party data manager’s only notification obligation after a breach is to alert the data owner, i.e., the entity on behalf of which the data is maintained, to the breach. S. 239 also imposes such an obligation, but notes that the proposed legislation does not prevent a data owner and a third party from allocating through contract the burden of notifying individuals whose data were compromised. The other two proposals are silent as to this issue.

4) No private cause of action

All four bills explicitly state that they do not create new private federal causes of action. Furthermore, they note that violations of their provisions cannot give rise to private actions under state consumer protection laws. Rather, only state Attorneys General may sue for underlying violations of federal data privacy statutes under state consumer protection laws. The FTC may join or move to stay such proceedings.