Facebook Accedes to the FTC's Poke, Settles FTC's Charges

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

Indeed, the Facebook settlement signals that the FTC is likely to continue requiring comprehensive privacy programs and enforcing the US-EU Safe Harbor Principles in a substantive manner, two things that the FTC had not done before March 2011. Such enforcement is no surprise, given that the FTC has advocated a “privacy by design” approach since at least December 2010. Specifically, the FTC’s proposed settlement requires Facebook to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

In addition, the settlement requires Facebook, before sharing a user’s nonpublic personal information with a third party in excess of the user’s privacy settings, to “clearly and prominently disclose” (outside of the Facebook privacy policy or other boilerplate) the categories of nonpublic user information that will be disclosed, the identity or specific categories of such third parties, and the fact that such sharing exceeds the restrictions imposed by the user’s privacy settings. Importantly, Facebook must also obtain a user’s affirmative express consent before sharing the user data in the new circumstance. The settlement also requires Facebook to retain an independent third party to assess its privacy practices biennially, vis-à-vis the settlement terms, for the next twenty years.

The FTC’s eight-count Complaint that underlies the settlement alleges that numerous Facebook initiatives violated prior representations about the extent to which users’ information was accessible by third parties. For instance, the FTC alleged that Facebook, despite allowing users to restrict access to profile information to specific individuals or groups of people, permitted users’ information to be accessed by third-party applications on the Facebook platform that the users’ friends used. The FTC also alleged that in December 2009, Facebook made public certain information that users had previously designated private, and failed to disclose that users could no longer restrict access to certain information or that their existing choices would be overridden.

The FTC also alleged that Facebook’s December 2009 changes were both deceptive (because Facebook failed to adequately disclose the changes) and unfair (because Facebook retroactively applied the changes to personal information that it had previously collected from users, without their informed consent).

According to the FTC, Facebook’s conduct harmed consumers because the alleged violations:

  • Made certain users “subject to the risk of unwelcome contacts;”
  • Exposed “potentially controversial political views or other sensitive information to third parties;”
  • Exposed the user’s list of friends to third parties, “thereby exposing potentially sensitive affiliations;” and
  • Revealed “potentially embarrassing or political images to third parties.”

The FTC’s complaint also alleged other privacy violations by Facebook, including the following:

  • Facebook permitted apps on its platform to access more personal information about the app’s user than was necessary for the app’s purpose
  • Facebook permitted apps to access personal information about a user’s friends even if the friends never granted the app authorization to access their personal information
  • Facebook’s advertising program shared identifiable information with advertisers, contrary to representations it had made to its users
  • A little-used “Facebook Verified App” badge, whereby Facebook, for a fee, would “verify the security of Verified Apps,” was deceptive because Facebook did no more to verify applications bearing that badge than it did with any other platform application
  • Facebook retained and continued to make accessible users’ photos and videos, even after users deleted or deactivated their accounts, contrary to Facebook’s prior representations
  • Facebook falsely certified that it had complied with the US-EU Safe Harbor Principles, particularly the principles of Notice and Choice, when it was not in compliance with them

In settling the FTC’s charges, Facebook did not admit the truth of any of the FTC’s substantive or factual allegations, aside from jurisdictional ones.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. Any changes to a website or application should respect users’ prior privacy choices and obtain a user’s affirmative consent before altering or overriding those prior choices. The requirement that Facebook enact a comprehensive privacy program (i.e., “privacy by design”), a settlement term that the FTC first included in Google’s March 2011 settlement, demonstrates that this requirement will likely be a staple of future privacy-related settlements. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

HIPAA Privacy and Security Audit Pilot Program Takes Flight

On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program pursuant to the American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act. The OCR pilot program calls for approximately 150 audits of covered entities, to commence in November 2011 and expected to conclude by December 2012. The audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities.

Pilot Program

OCR has stated that the initial 150 audits will be of covered entities that range in type and size and include health care providers, health plans, and health care clearinghouses. OCR is expected to implement the pilot program in three phases. The first is the development of the audit protocols. Second, OCR will conduct initial audits of 20 covered entities, and that small sample should expect an OCR notification letter by the end of December 2011. An OCR draft notification letter is available here. OCR expects that the initial audits will be completed by April 2012, and that OCR will use the information gathered from these audits to review and adjust the audit protocols. Lastly, OCR will conduct the remaining 130 audits, with expected completion by December 2012.

Audit Process

OCR anticipates that each covered entity will receive a notification letter 30 to 90 days prior to the audit with contact information for the auditor, an explanation of the audit process and an initial request for documents. It is expected that the initial request for documents will include requests for copies of the covered entity’s privacy policies and procedures, security policies and procedures, security risk assessment, and data breach notification policies and procedures. Covered entities will have up to 10 days to respond. Once on site, OCR expects that the audits will take approximately 3 to 10 days, and within 30 days of the completion of the on-site audit, OCR will issue an audit report. The report is expected to include a description of any deficiencies and recommendations for best practices for the covered entity. If OCR finds significant deficiencies, it may initiate additional proceedings, which may lead to civil monetary penalties.

Although this initial audit is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.

India Issues Clarification of Recent Privacy Rules

As mentioned in a prior post on this blog, earlier this year the Indian Ministry of Communications and Information Technology issued new privacy and data security rules under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Privacy Rules”). The strict consent requirements relating to the collection and sharing of sensitive personal data or information seemed to threaten the viability of India’s successful outsourcing industry and affect the data collection practices of non-Indian companies who are otherwise in compliance with data security and privacy requirements in their home jurisdictions. On August 24, 2011, the Ministry issued a release clarifying certain aspects of the Privacy Rules which will undoubtedly cause the Indian outsourcing industry and non-Indian companies to breathe a sigh of relief.

Rule 5(1) of the Privacy Rules requires a company to obtain prior written consent through letter, fax or email when collecting sensitive personal data or information from the provider of such information. Rule 6 of the Privacy Rules requires companies to obtain prior consent to disclose or share sensitive personal data or information with third parties. These rules would have made it extremely difficult for Indian call center operators and Indian providers of business process outsourcing services to operate as it would mean, for example, that a call center operator providing customer service on behalf of a U.S. bank or insurance company would have to obtain a caller’s prior written consent before it could collect any personal account or health information required to respond to the caller’s questions or to share such information with the bank or insurance company of whom the caller is a customer. However, the ministry has clarified that Rules 5 and 6 do not apply to companies providing services relating to the collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside of India. However, companies collecting sensitive personal data or information from individuals pursuant to a contractual obligation directly with such individuals would still be subject to these Rules. Further, in instances where the prior written consent requirement would still apply, the ministry’s release clarifies that “consent given by any mode of electronic communication” is acceptable. This implies that consent provided by checking a consent box as part of an online account registration process would satisfy the consent requirement of the Privacy Rules and that letter, fax and email are not the only acceptable means of obtaining consent.

Another important clarification made by the ministry relates to the potential extra-jurisdictional application of the Privacy Rules. The Privacy Rules have been promulgated under the Indian Information Technology Act (2000) (the “IT Act”). Section 1(2) of the IT Act states that it applies to “the whole of India and…to any offence or contravention thereunder committed outside India.” However, the ministry’s release clarifies that the Privacy Rules only apply to companies or persons “located within India.” Therefore, concerns that foreign companies not located in India may have to comply with provisions of the Privacy Rules mandating the publication of online privacy policies containing certain required disclosures and the appointment of a grievance officer to address privacy-related issues seem to have been alleviated.

The release also clarifies that the term “provider of information” as used in the Privacy Rules refers to a natural person who provides sensitive personal data or information to an Indian company.

With these clarifications, Indian companies providing outsourcing services, non-Indian customers of such services and multi-national companies doing business in India now have guidance on when compliance with the Privacy Rules is required and how such compliance with the Privacy Rules can be achieved.

Article Alert: Trivedi Talks Indian Privacy

India recently adopted a privacy and data security regulatory regime that fills the previous void of any such regulation with requirements that may force companies with operations in India and companies that outsource certain functions to Indian service providers to change the way they operate in order to comply.

Proskauer attorney Paresh Trivedi has analyzed the new Indian privacy rules and is following developments surrounding their enforcement and interpretation. His recent article on the new Indian privacy and online content rules can be found here.

Third Party Discovery of Foreign Bank Records Should First Proceed Under the Hague Convention

Where U.S. litigation discovery obligations were argued to be in conflict with foreign civil and criminal privacy statutes, many recent opinions found that discovery should proceed under the Federal Rules over the protest of the foreign data custodians. See, e.g., Gucci Amer., Inc. v. Curveal Fashion, No. 09 Civ. 8458, 2010 WL 808639 (S.D.N.Y. Mar. 8, 2010) (compelling the third-party U.S. parent of a foreign bank to produce documents located at its subsidiary despite claims that such production was illegal under Malaysian law), discussed further in prior blog posts here and here. However, in SEC v. Stanford International Bank Ltd, the court departed from this pattern in finding that discovery should first proceed under the Hague Convention “in the interest of comity.” Civil Action No. 3:09–CV–0298–N, 2011 WL 1378470 at *14 (N.D.Tex. April 6, 2011).

In this case, the court previously determined that R. Allen Stanford, his associates, and various entities under Stanford's control (collectively “Stanford”) operated “a massive Ponzi scheme that stole approximately $8 billion from an estimated 50,000 investors scattered over more than 100 countries,” and accordingly, the Court appointed a Receiver to identify and take control of Stanford’s assets. Id. at *1. As third-party Société Générale Private Banking (Suisse) S.A. (“SocGen”) was believed to hold accounts belonging to Stanford, the Receiver sought to discover account records under the Federal Rules of Civil Procedure (“FRCP”). Id. at *2. SocGen, opposing discovery under the FRCP, argued that as the sought-after documents were located in Switzerland, compliance with the FRCP discovery request would “subject it and its employees to criminal, civil, and administrative penalties under Swiss law.” Id. Instead, SocGen argued that the Receiver should first utilize the discovery procedures of the Hague Convention, of which Switzerland is a signatory.

To determine under which mechanism discovery should proceed, the court applied the balancing of factors set out in Société Nationale Industrielle Aérospatiale v. U.S. District Court, 482 U.S. 522, 538, 107 S.Ct. 2542, 96 L.Ed.2d 461 (1987) (“Aérospatiale”) and Minpeco, S.A. v. Conticommodity Serv., Inc., 116 F.R.D. 517, 523 (S.D.N.Y. 1987). These factors include: (1) the importance to the litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; (5) the competing interests of the nations whose laws are in conflict; (6) the hardship of compliance on the party or witnesses from whom discovery is sought; and (7) the good faith of the party resisting discovery under the Federal Rules. See id. at *4.

The court’s application of these factors was initially fairly typical. Factors 1, 2, and 4 were found to favor the Receiver, as the documents were “vital” to the receivership proceedings and not available anywhere else. In particular, the court noted that as it considered the Receiver to essentially be SocGen’s customer, the discovery request “constitutes no more than a bank customer asking for a copy of its own records.” Id. at *5-6, 8, and 11. Counseling the opposite conclusion, factors 3, 6, and 7 were found to favor SocGen, as the documents were only located in Switzerland; this defense was not raised in bad faith; and “comity counsels deference” to SocGen’s “potentially well-founded fear” that compliance with the discovery request under the Federal Rules could lead to prosecution. Id. at *7-8, and 12-13.

Where the Court’s analysis deviates significantly from other opinions is its consideration of the fifth factor, which in this case involves the competing interests of the U.S. and Switzerland. Whereas other courts found that U.S. discovery interests trumped foreign privacy concerns, the Stanford court found this factor to be neutral, after noting that any such balancing of interests would be “political” and “especially inapposite in this case, where the legislative authorities of both nations essentially have spoken by adopting the Convention.” Id. at *9. Compare id. (“the Convention inherently, and adequately, balances the competing sovereign interests here because its use will benefit U.S. interests by providing the needed evidence, and protect Swiss interests by avoiding intrusions upon Swiss sovereignty.”) with Gucci, 2010 WL at *7 (“[T]he Court concludes that the United States interest in fully and fairly adjudicating matters before its courts . . . outweighs Malaysia’s interest in protecting the confidentiality of its banking customers’ records.”).

On balance, the Stanford court found that the comity factors weighed in SocGen’s favor “at least in the first instance.” Id. at *13. Accordingly, the Receiver was to proceed with discovery under the Hague Convention, but was not precluded from renewing its request for discovery under the FRCP should its efforts be unsuccessful. Id. at *13-14. In so holding, the court acknowledged that others relied on the discretion provided by the Supreme Court in Aérospatiale as a “green light to generally ‘discard[ ] the treaty as an unnecessary hassle.’” Id. at *3 (citing In re Automotive Refinishing, 358 F.3d 288, 306 (3rd Cir. 2004)). However, this approach “ignores Aérospatiale's admonition to ‘exercise special vigilance’ in international discovery disputes . . . and exemplifies courts' intrinsic ‘proforum bias’ warned against by . . . the Aérospatiale minority.” Id.

While it is unclear the extent to which this approach will be followed by other courts in the future, this opinion illustrates that it is possible for litigants and third parties to successfully navigate cross border discovery conflicts even where privacy interests are at stake.

Broker and Compliance Officer of Broker-Dealer Firm Personally Fined by SEC for Customer Privacy Violations

On April 7, 2011, the SEC announced that it had imposed fines of $20,000 each against the former president of a broker-dealer and a former broker for their actions in transferring customer information to a new firm as the defunct firm wound down. The SEC also fined the brokerage firm’s former chief compliance officer $15,000 for compliance failures and security breaches that took place at the defunct firm, some dating back to 2005. Click here to read our client alert about the SEC's recent action.

International Cellular Network Industry Association Releases Privacy Principles

Hot on the trail of the FTC’s recent report on privacy, the GSMA, the London-based industry association representing over 800 cellular network operators worldwide, released its “high-level” Mobile Privacy Principles (the “Principles”) on January 27, 2011. The Principles were released with the goal of creating a “robust and effective framework for the protection of privacy” to promote users’ confidence and trust in mobile applications. These Principles encourage a “privacy by design” approach to mobile privacy and encourage a consistent and harmonized approach to privacy across mobile services and applications. Such Principles are highly relevant after the surge in mobile computing made possible by mobile devices, such as the iPhone, Blackberry, and Droid.

The two boldest aspects of the Principles are found in the definitions—namely, in how “personal information” is defined and in the broad responsibility of privacy espoused by the Principles.

The Principles define “personal information” extremely broadly, encompassing “any data” that is collected directly from a user, indirectly about a user, and about a user’s behavior, and any “user-generated data held on a user’s device.” As the Principles recognize, this definition of “personal information” is much broader than many national laws—including laws and regulations in the United States.

The Principles also state that “all responsible persons” are accountable for ensuring that the Principles are met – meaning the relevant service and application providers, mobile operators, handset manufacturers, and the operating system and software providers. Although it is commendable that the Principles recommend such broad responsibility for privacy, this approach may encourage a diffusion of responsibility and be ineffective.

In summary, the nine Principles are:

  • Openness, Transparency and Notice – the Principles encourage “responsible persons” to be open and honest with users and to provide clear, prominent and timely data regarding privacy issues.
  • Purpose and Use – the access, collection, sharing, disclosure, and further use of personal information should be limited to meeting legitimate business purposes.
  • User Choice and Control – users should be given “meaningful choice” and control over their personal information.
  • Data Minimization and Retention – only the minimum amount of personal information necessary to meet legitimate business purposes should be collected, and information should not be kept longer than necessary, and thereafter the information should be deleted or rendered anonymous.
  • Respect User Rights – users should be provided with information about and an easy means to exercise their rights over the use of their personal information.
  • Security – the Principles encourage “reasonable safeguards appropriate to the sensitivity of the information.”
  • Education – users should be educated about privacy and security issues and ways to manage and protect their privacy.
  • Children & Adolescents – the Principles merely recommend compliance with national law.
  • Accountability & Enforcement – Consistent with the “privacy by design” approach, the Principles state that “all responsible persons” are accountable for ensuring compliance with the Principles.

Read the full Mobile Privacy Principles here.

Please Ignore the Intrusion, We Just Have a Few Questions to Ask: Supreme Court Validates Background Checks for Government Contractors

On January 19, 2011, the U.S. Supreme Court held that the federal government has broad latitude to conduct background checks on contractors who work at government facilities. Assuming, without deciding, that two parts of a standard government employment background investigation implicated a constitutional privacy interest, the Court held that the government is permitted to ask reasonable employment-related questions that further the government’s interests in managing its internal operations, particularly where the results of such investigations are adequately protected from public disclosure.

In NASA v. Nelson, government contractors at NASA’s Jet Propulsion Laboratory (“JPL”) challenged the constitutionality of certain questions asked on the government’s Standard Form 85 and Form 42. Notably, these JPL contractors were not subject to Government background checks when they were hired, but became subject to them when a shift in federal policy mandated that all contract employees complete a standard background check by October 2007 or risk being denied access to federal facilities. The JPL contractors specifically objected to SF-85’s question about “treatment or counseling received” in connection with any recent illegal drug use and open-ended questions on Form 42 which asked the contractors’ references whether they had any reason to question the JPL contractors’ honesty or trustworthiness or had “adverse information” concerning a variety of other factors.

Writing for the Court, Justice Alito explained the long history and widespread use of employment background investigations in both public and private employment, including those which became mandatory for all government employees in 1953. Justice Alito also explained that such investigations “aid the Government in ensuring the security of its facilities and in employing a competent, reliable workforce.” Recognizing that the Government’s ability to manage its operations should not turn on formalities that separate government employees and government contractors, the Court held that “whatever the scope of [the JPL contractors’ constitutional privacy] interest, it does not prevent the Government from asking reasonable questions of the sort included on SF-85 and Form 42 in an employment background investigation that is subject to the Privacy Act’s safeguards against public disclosure.” To that end, the Court expressly rejected the contractors’ argument that the Government had a responsibility to demonstrate that its job-related questions were “necessary” or the least restrictive means of furthering its interests.

While the Court’s decision addresses only government background investigations, it underscores the legitimacy of background checks conducted by all employers seeking to ensure that their offices are staffed “by reliable, law-abiding persons who will efficiently and effectively discharge their duties.” Moreover, the decision suggests that even if prospective (or current) employees have a reasonable expectation of privacy with respect to their personal information, employers can avoid liability for privacy-related claims where there is a legitimate justification for an investigation and the investigation is conducted in a reasonable manner, which includes having safeguards in place to protect against disclosure of the results to the public.

What Do You Really Need to Know About the FTC's Recent Report on Privacy?

Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today?

  • They apply both online and offline. Many companies have privacy policies that apply to the information they collect online, but make no promises to consumers about the information they collect offline, for example in stores, at events, on the phone, via loyalty programs, through registration cards, and the like. The FTC’s report recommends that companies have privacy policies that apply offline as well.
  • They apply to what many companies think of as non-personally identifiable information, such as static IP addresses and other information that identifies a particular computer or device, but not necessarily a particular individual. This means that many companies’ privacy policies will need to be revised.
  • They propose that consumers be given a choice, at the time and place that they provide their information to a company, about the use of their data by the company in unexpected ways (i.e., ways other than “commonly accepted practices”). For example, if the company will share the consumer’s data with a third party for the third party’s marketing purposes, the consumer should be given a choice about this at the time that they provide the information to the company, and on the Web page on which they provide the data to the company. (Yes, we mean no more burying consumer choice notices in a privacy policy.) Other examples of when consumer choice would be required are when data will be sold to a data broker or other third party that is unknown to the customer, or shared with others for behavioral marketing purposes.
  • Consumer choices could no longer be obtained using the good old pre-checked consent box.
  • When data collected in a brick-and-mortar store will be used by the company in one of these “non-accepted” ways, the FTC proposes that the sales associate communicate the consumer’s choices to the consumer orally.
  • When a consumer opts out of a certain use of his or her data, that preference would be durable, and not subject to repeated additional requests from the company. (The FTC did not say this, but we presume this would mean, for example, that the FTC prefers an opt-out method that is not dependent on cookies that could inadvertently be deleted by the consumer, and that opt-out preferences not expire.)
  • The FTC proposes that data sharing with an affiliate is to be treated like data sharing with an unaffiliated third party, unless, possibly, the affiliate relationship is clear to consumers through common branding or similar means.
  • The FTC proposes that companies provide consumers with reasonable access to the data that they have about consumers. (Until now, U.S. law has not required this.)
  • The FTC proposes that companies obtain affirmative express consent from consumers before collecting, using or sharing sensitive information about consumers (such as financial or medical information, or precise geolocation data), or information about “sensitive” consumers such as children and possibly teens.
  • The FTC’s recommendations cover companies that do not have direct relationships with consumers, such as data aggregators, and propose that these companies allow consumers to access and correct the information they have about consumers.
  • The FTC proposes that companies take steps to ensure the accuracy of the data that they have about consumers, especially if the data is being used to make decisions about consumers. A good example of this is a company that provides identity or age verification services to other companies.
  • The FTC proposes that companies only collect the data they need for their specific business purposes, and that they dispose of it (securely) when it no longer serves that purpose. (In other words, don’t collect it or retain it “just in case it comes in handy for something later.”)
  • The FTC endorses a universal consumer “Do Not Track” option, whereby a consumer can set his or her web browser to instruct Web sites not to engage in behavioral marketing on that consumer. (More on this when/if the required technology becomes available.)
  • The FTC proposes that companies assign personnel to oversee privacy issues.
  • The FTC proposes that companies have comprehensive privacy programs, and review them periodically to address changes in data risks and other circumstances. (Did you just finish your comprehensive written data security program? Time to start on your comprehensive written privacy program.)
  • The FTC proposes “privacy by design.” In other words, companies should consider privacy issues relating to new products, services and business models in the early stages of their development. (As an example, no more sending new products to legal review at the last minute before launch.)
  • The FTC proposes shorter and more comprehensible privacy policies. The FTC might provide a model form privacy notice for this purpose. If you still want to include all the details in a shorter policy, the FTC suggests the “layered” policy approach, in which each policy layer links to more detail in the next layer.
  • You should have been honoring this for years, but, once again, companies cannot make material adverse retroactive changes to their privacy policies without robust notice to, and consent from, consumers. So when you are shortening your privacy policy, beware of inadvertent substantive changes that provide for lesser privacy protections than before.

Seventh Circuit Affirms District Court Decision that "Electronically Printed" Receipts Under FACTA Does Not Include Receipts Emailed to Consumers

On August 10, 2010, the U.S. Court of Appeals for the Seventh Circuit upheld an earlier ruling by the Northern District of Illinois, Eastern Division, that email order confirmations are not “electronically printed” receipts under the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. Shlahtichman v. 1-800 Contacts Inc., Case No. 09-4073 (7th Cir. Aug. 10, 2010) is available here. The court affirmed the dismissal of Shlahtichman’s complaint against 1-800 Contacts Inc., which involved an electronic order confirmation containing Shlahtichman’s credit card expiration date.

This is the first federal appellate court decision to focus on FACTA’s truncation requirements for electronically printed transaction receipts. FACTA’s truncation requirements, 15 U.S.C. § 1681c(g), prohibit the “electronic printing” of any receipt at “the point of the sale or transaction” that contains the expiration date of a consumer’s credit or debit card or more than the last five digits of the credit or debit card account number.

The Seventh Circuit followed the majority view among district courts that “the term ‘electronically printed’ reaches only those receipts that are printed on paper.” The court noted that a printed receipt brings to mind “a tangible document” and “ordinarily connotes recording it on paper.” The court rejected Shlahtichman’s argument that the use of “electronically” in section 1681c(g) evidences a congressional intent to broaden the meaning to include more modern usages. The court instead interpreted that language to suggest an intention to capture receipts that are printed by a machine rather than credit card slips or receipts that are imprinted or handwritten.

Next the court looked to the overall statutory context of FACTA and noted that the truncation requirements apply to receipts “that are printed and ‘provided to the cardholder at the point of the sale or transaction.’” The court concluded that “the statute contemplates transactions where receipts are physically printed using electronic point of sale devices like electronic cash registers or dial-up terminals.”

Finally the court noted that even if email order confirmations were “electronically printed” receipts for FACTA purposes, the dismissal of Shlahtichman’s complaint was appropriate because Shlahtichman sought the statutory damages authorized only for willful violations of the truncation requirement and 1-800 Contacts had not willfully violated the statute.

We previously posted about the district court’s decision in Shlahtichman v. 1-800 Contacts, Inc., 2009 U.S. Dist. LEXIS 112379 (N.D. Ill. Dec. 2, 2009) here.

New HIPAA Cop: First AG Settlement for HIPAA Violations

Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

This settlement resulted from the first-ever attorney general action under the HITECH Act, arising from the loss by Health Net, a health insurer, of a computer disk drive that contained unencrypted protected health information such as claims forms, health plan appeals information, and other sensitive data relating to approximately 1.5 million health plan participants (approximately one-third of whom resided in Connecticut). The Connecticut AG focused upon the several-month delay by Health Net in reporting the loss to law enforcement officials.

As part of the settlement, Health Net has agreed to pay $250,000 to the state, offer two years of credit monitoring for affected participants, obtain $1 million of identity theft insurance, and reimburse affected individuals for security freezes. An additional contingent payment of $500,000 will need to be paid, under specified circumstances, in the event that the lost information is actually accessed and misused. Further, Health Net has agreed to a corrective action plan that includes various privacy and security measures to heighten protections for health information as well as other sensitive data, regular monitoring, and reporting to the attorney general’s office. Many of the steps that Health Net agreed to undertake relate to the handling of portable media and the encryption of sensitive data, such as encryption of hard drives, including those on desktop computers, as well as to the improvement of security training and awareness for personnel. 

While many commentators have understandably focused on the security breach notification provisions of the HITECH Act, the provision of the Act that authorizes state attorneys general to bring civil actions for violations of HIPAA also warrants attention. The inclusion of this provision adds an additional avenue for enforcement of privacy and security violations by HIPAA-covered entities, although the Connecticut action is the only action that has been brought to date since HITECH Act was enacted in February 2009.

Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply

As we've discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The regulations are national and international in scope, as they apply to all companies – wherever located – using personal data of Massachusetts residents.

Although the deadline for compliance with the Regulations – March 1, 2010 – has come and gone, many companies – both within Massachusetts, and particularly outside of Massachusetts – are not yet, in fact, compliant. These companies are finding themselves in a position of playing "compliance catch-up." Even companies that were compliant with applicable law prior to the enactment of the Regulations are obligated to review where they stand in light of these new requirements.

In an article just published by the Washington Legal Foundation, we review the requirements of the Massachusetts law and Regulations, including the required written information security program, constraints on third-party providers and vendors, and enforcement mechanisms, among other topics. "The Bay State Raises the Bar on Personal Data Security: Are You in Compliance?," by Jeffrey D. Neuburger and Natalie Newman, is available here.

Netflix Sued for "Largest Voluntary Privacy Breach To Date"

On December 17, 2009, a class action suit was filed against online movie rental giant, Netflix, Inc., in the United States District Court for the Northern District of California. Plaintiffs in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.”

According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when Netflix provided participants in a contest, initiated to improve Netflix’s movie recommendation systems, with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However, the Complaint cites the results of several researchers who, in fact, were able to defeat Netflix’s anonymization process and identify individual subscribers.

Plaintiffs argue that this disclosure constitutes a severe invasion of their privacy by Netflix, which violates, among other things, the Video Privacy Protection Act of 1988 (18 U.S.C. 2710 (2002)). Additionally, the lead plaintiff in this case, Jane Doe, claims that Netflix’s disclosure of her movie rental history and ratings has and/or will “identify or permit inference of her sexual orientation… [which… ] would negatively affect her ability to pursue her livelihood and support her family, and would hinder her and her children’s ability to live peaceful lives within Plaintiff Doe’s community.”

The Video Privacy Protection Act (the “Act”) was originally enacted in 1988 (in response to the public disclosure of Supreme Court nominee Robert Bork’s video rental history), and, according to the Electronic Privacy Information Center, while not often invoked, the Act “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”

The Act prohibits, with certain exceptions, any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)). The Act defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” and “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” (18 U.S.C. 2710(a)). 

In addition to violating this prohibition on the disclosure of personally identifiable information, the Plaintiffs in Doe v. Netflix also allege that Netflix violated another provision of the Act, which requires that a video tape service provider “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected” (18 U.S.C. 2710(e)). 

The Plaintiffs are demanding relief in the form of (among other things) statutory damages, actual damages, punitive damages, injunctive relief, disgorgement of wrongfully obtained profits and revenues, and attorneys’ fees.

In addition to the Act, a number of states, including California, have enacted similar video privacy laws. Beyond the Act and those laws, the Complaint also alleges that Netflix violated the California Customer Records Act (CA Civil Code 1798.80).

Special Radio Report: Oncidi Talks Privacy in the Workplace

There is an inherent tension between an employee's right to privacy and an employer's right -- and obligation -- to maintain a safe, productive, and hostility-free environment at the office. The California business community is perhaps all too familiar with this conflict. Article I, section 1 of the California Constitution guarantees all California residents a right to privacy, including in some instances in their capacity as employees. A patchwork quilt of statutes, regulations and common law decisions also carves out certain areas to which a right of privacy may attach. But these rights must be balanced against an employer's business needs and legal responsibilities.

Click here to listen to Proskauer partner Anthony Oncidi talk about privacy in the workplace with Mari Frank, the host of KUCI's Privacy Piracy radio show.

Flash Cookies -- Back on the Radar

When Flash cookies (also known as “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies to their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy.

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.

The Flash Cookies and Privacy report found that 54 of the top 100 websites utilized Flash cookies. Some of the Flash cookies found by the researchers were used for function-improving purposes, while others were found to store unique identifiers, which could be used to track the user. Moreover, some of the Flash cookies that stored unique identifiers were used to recreate an HTTP cookie after its affirmative removal by the user (so-called “respawning”). The research also revealed that the privacy policies of the top 100 websites surveyed generally did not mention the use of Flash as a tracking mechanism – indeed, only 4 policies reviewed by the study included such a disclosure.

The report is already making some waves: QuantCast, a company that measures web destinations and internet use, has said that it stopped its practice of using Flash cookies to respawn HTTP cookies after the report, which specifically named QuantCast, was released. And the timing of the report coincides with Congress and federal regulators examining behavioral advertising. 

Computer users should be aware of the presence of Flash cookies and, if desired, visit Adobe’s website to learn how to disable Flash cookies. Website operators should, as a best practice, disclose their use of Flash cookies in their privacy policies, including information about how Flash cookies are used and how users can opt out or remove them. 
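As an added example for this post (not code from the Berkeley report, Adobe, or Quantcast), the following Python check shows what "being aware of the presence of Flash cookies" can look like in practice: it inventories the Flash Player shared-object directory and flags HTTP cookies that return with the same value after the user cleared them on hosts that also keep a Local Shared Object, the respawning pattern the report describes. The directory roots, the sample hosts, and the cookie snapshots are assumptions constructed for the example.

```python
"""Inventory Flash Local Shared Objects (.sol files) and flag HTTP cookies that
come back unchanged after a user cleared them, on hosts that also keep an LSO:
the "respawning" pattern the Berkeley report describes.  Added example for this
post; directory roots, sample hosts and cookie snapshots are assumptions."""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed default LSO roots per platform; Flash Player creates one random
# profile directory under the root, then one directory per host that wrote data.
LSO_ROOTS = {
    "win32": Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player" / "#SharedObjects",
    "darwin": Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects",
    "linux": Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects",
}


@dataclass(frozen=True)
class SharedObject:
    host: str      # directory name under the profile, i.e. the site that wrote it
    path: Path
    size: int


def inventory_lsos(root):
    """Walk <root>/<profile-id>/<host>/**/*.sol and return one record per file.
    A missing root (no Flash Player, or already cleaned) yields an empty list."""
    root = Path(root)
    found = []
    if not root.is_dir():
        return found
    for profile in root.iterdir():
        if not profile.is_dir():
            continue
        for host_dir in profile.iterdir():
            if not host_dir.is_dir():
                continue
            for sol in host_dir.rglob("*.sol"):
                found.append(SharedObject(host_dir.name.lower(), sol, sol.stat().st_size))
    return found


def _registrable(host):
    """Fold a host or cookie domain to its last two labels so that
    ".media.example" and "www.media.example" compare equal (crude; no PSL)."""
    labels = host.lower().lstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def respawn_candidates(lsos, cookies_before, cookies_after_clear):
    """Return (domain, cookie_name) pairs that look respawned.

    cookies_before and cookies_after_clear are snapshots of (domain, name, value)
    taken before the user cleared HTTP cookies and after revisiting the sites.
    A cookie returning with the *same value* it had before the clear, on a host
    that also holds an LSO, is the signature the report associated with an
    identifier re-seeded from Flash storage.  A legitimately reissued session
    cookie gets a new value and is not flagged."""
    before = {(_registrable(d), n): v for d, n, v in cookies_before}
    after = {(_registrable(d), n): v for d, n, v in cookies_after_clear}
    lso_domains = {_registrable(s.host) for s in lsos}
    hits = [key for key, value in after.items()
            if key[0] in lso_domains and before.get(key) == value]
    return sorted(hits)


def demo():
    """Run both checks on a constructed LSO tree in a temporary directory."""
    base = Path(tempfile.mkdtemp()) / "#SharedObjects"
    # Constructed layout: one profile id, two hosts, one .sol each (placeholder bytes).
    for host, name in (("tracker.example", "uid.sol"), ("media.example", "volume.sol")):
        d = base / "A1B2C3D4" / host
        d.mkdir(parents=True)
        (d / name).write_bytes(b"constructed placeholder, not a real .sol body")
    lsos = inventory_lsos(base)
    # Constructed cookie snapshots: tracker's id returns unchanged (flagged);
    # media's volume cookie comes back with a new value; shop has no LSO at all.
    before = [("tracker.example", "tid", "9f8e7d"), (".media.example", "vol", "55"),
              ("shop.example", "sid", "abc")]
    after = [("tracker.example", "tid", "9f8e7d"), (".media.example", "vol", "60"),
             ("shop.example", "sid", "xyz")]
    return sorted(s.host for s in lsos), respawn_candidates(lsos, before, after)


if __name__ == "__main__":
    hosts, hits = demo()
    print("LSO hosts:", hosts)
    print("respawn candidates:", hits)
```

On a real machine, pass `LSO_ROOTS[sys.platform]` to `inventory_lsos` and feed it two exports of the browser's cookie jar; the heuristic only surfaces candidates, so each flagged host still needs a look at what the site actually stores.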

European Privacy Law And Social Networking

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online, combined with the data outlining the user’s actions and interactions with other people, can create a rich profile of that person’s interests and pose major risks such as identity theft or loss of employment or business opportunities. In this new era of social networking, not even the most secretive organizations are free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken from a social networking website, of the soon-to-be chief of the country’s foreign intelligence service, MI6.

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples include Facebook, Twitter, and MySpace. Under the EU’s 1995 Data Protection Directive (95/46/EC) (the "Directive"), SNS providers are considered data controllers, which are subject to several of the Directive’s provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

Security and Default Privacy Settings – Data controllers must take technical and organizational measures that will maintain the security of the users. The Working Party recommends that SNS providers offer default privacy settings that restrict viewing the user’s profile to self-selected contacts.

Information to be Provided by SNS – SNS providers must inform users of their identity and their purposes in using personal data. The Working Party recommends that providers inform users, with adequate warning, of the privacy risks both to users and to third parties of uploading information to the SNS. If third party information or pictures are uploaded, it should be done with that individual’s consent.

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent from the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

Retention of Data – Personal data of users should not be kept after their accounts are deleted. When a user is inactive for a period of time, his profile should become invisible to the outside world, and eventually the user should be notified that the data will be deleted.

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have rights to access, correct, and delete their data. Further, because data is not to exceed the purposes for which it is being collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that excepts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom he may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

Thus, companies that do not operate an SNS may still be governed by the Directive merely by virtue of using the service. Where the company is collecting personal information (e.g. through applications or otherwise), it should take heed of the foregoing recommendations, such as getting consent from parties before publishing their personal information and images, using only necessary personal data, deleting personal information after an account has been removed, and having a mechanism users can employ to voice privacy concerns about the application.

Proskauer summer associate Adam Freed contributed to this post.

More on Cloud Compliance

I recently spoke with Lora Bentley of IT Business Edge regarding privacy, data security, and cloud computing -- There's More Than One Way to Tackle Privacy in the Cloud.

Consumer Advocacy Groups Request Federal Trade Commission Action To Stop Perceived "Threat" From Mobile Marketing

In a year when behavioral advertising was already expected to be at the top of the hot-button privacy issues list, on January 13, 2009, the Center for Digital Democracy (“CDT”) and U.S. Public Interest Research Group (“US PIRG”) filed a document with the Federal Trade Commission (“FTC”) urging the FTC to investigate online mobile marketing practices, to take new actions to stop mobile marketing activities that “abuse consumer rights,” and to recommend new federal legislation and enhanced enforcement power for the FTC in this area. The document extends the groups’ concerns about online behavioral advertising generally – the delivery of ads tailored to consumers’ interests based on browsing habits and/or consumer demographics – to the mobile space. In doing so, the groups cite the potential for even greater consumer harm because of the additional possibility of location-based targeting linked to a cell phone or other mobile device that is typically tied to a single consumer who uses it for multiple applications, including voice, video and data.

In urging FTC action, the groups’ lengthy 52-page submission focuses primarily on media reports and the marketing literature of a large number of mobile marketing companies that tout the behavioral marketing capabilities of mobile technology. The document also acknowledges the widespread consumer benefits mobile behavioral advertising offers, including making “rich media, free offers, personalization capabilities, and discounts” more broadly available. Despite its extensive cataloguing of the vast potential for effective targeted mobile marketing, the document is short on specifics as to how these practices currently harm or are likely to harm consumer privacy or constitute unfair or deceptive trade practices under Section 5 of the FTC Act. The groups include very limited specific allegations – against only Bango Analytics, Marchex and AdMob – that relate primarily to insufficient consumer notice.

The advocacy groups’ filing follows the FTC’s late 2007 release of draft self-regulatory principles for online behavioral advertising, discussed previously at this blog here. At that time, the FTC recognized the benefit to consumers of receiving advertising more tailored to consumers’ interests and the role advertising dollars play in supporting new, innovative and free content. During 2008, the FTC accepted comments on its draft principles and is expected to issue final guidelines in the coming months. Also during 2008, state legislatures and Congress became involved in the behavioral advertising debate, as covered in this blog here and here. Meanwhile, also on January 13, 2009, the American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association and Interactive Advertising Bureau jointly announced plans to develop enhanced self-regulatory industry guidelines for online behavioral advertising.

The CDT and U.S. PIRG filing will undoubtedly stir further debate as to whether the current regime, consisting of (a) the forthcoming FTC self-regulatory online behavioral marketing principles, (b) case-by-case enforcement of unfair or deceptive trade practices under existing FTC authority, and (c) industry self-regulatory standards such as those adopted by the CTIA and the Mobile Marketing Association and expected from other industry groups, is sufficient to protect consumers in the vibrant, competitive marketplace of mobile communications, where transparency and choice can be a selling point. We will continue to update our readers on these issues as the year unfolds.

Department of Education Issues Final Regulations Amending FERPA

The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 CFR Part 99) (“FERPA”) imposes various requirements on educational institutions regarding the privacy of personally identifiable information contained in education records of students. On December 9, 2008, the U.S. Department of Education (“DOE”) published final rules amending the regulations that implement FERPA.

On March 28, 2008, the DOE published a notice of proposed rulemaking (“NPRM”) proposing various changes to FERPA’s implementing regulations “to implement various statutory changes made to FERPA, to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.” (73 FR 74806). According to the DOE, approximately 121 parties submitted comments in response to the March 2008 NPRM. The Final Rules become effective January 8, 2009.

Some of the significant changes brought about by the Final Rules include the following:

• Amending several key definitions, including the definition of “directory information,” which now expressly excludes a student’s Social Security number or student identification number (except where a student ID is “used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records” without one or more additional authentication factors, such as a PIN or password).

• Revising the definition of “personally identifiable information” to, among other things, add a definition of “biometric record.”

• Expanding the circumstances under which prior consent is not required to disclose personally identifiable information from education records, including, for example, disclosures to “a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions… .”

• Amending the exception that allows educational institutions and agencies to disclose information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institution for purposes of testing, student aid and improvement of instruction. (Specifically, the Final Rules added a requirement to this exception that the educational agency or institution enter into a written agreement containing specific provisions with the organization conducting the study.)

• Clarifying an educational agency or institution’s obligations with respect to the handling of opt-out requests to the disclosure of directory information.

• Requiring an educational agency or institution that discloses information without consent under the health and safety emergency exception to record “the articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and the parties to whom the agency or institution disclosed the information.”

• Implementing the provisions of the USA Patriot Act that amend FERPA to provide that an educational agency or institution may disclose, without consent, information from education records pursuant to and in accordance with an ex parte court order issued under the USA Patriot Act.

• Implementing the provisions of the Campus Sex Crimes Prevention Act (CSCPA), which amend FERPA to allow educational agencies or institutions to disclose, without consent, information concerning registered sex offenders provided to the agency or institution under the federal statute, the Violent Crime Control and Law Enforcement Act of 1994.

Additionally, in the preamble to the Final Rule, the DOE republishes, “for the administrative convenience of educational agencies and institutions and other parties,” certain information and recommendations regarding the safeguarding of education records. These “Department Recommendations for Safeguarding Education Records” include suggested steps to take in the event of an unauthorized release or disclosure of, or other breach or compromise involving, education records.

FERPA seeks to protect the privacy of education records of students, and applies to all educational institutions and agencies that receive federal funding under a federal education program. FERPA provides to parents of children under the age of 18 (and “eligible students” over the age of 18) certain rights with respect to their education records maintained by an educational institution or agency, including the right to access and copy education records. Additionally, with certain exceptions, FERPA prohibits educational institutions and agencies from disclosing personally identifiable information (not including “directory information,” however) from education records without prior consent. Under FERPA, “directory information” means “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” FERPA sets forth a non-exhaustive list of data elements that would be considered part of such definition. Thus, FERPA permits an educational institution or agency to disclose “directory information” without consent, provided that such institution or agency gives notice to parents and the ability to opt out of such disclosures.

For a copy of the Federal Register notice containing the Final Rules, click here. For the Federal Register notice containing the NPRM, click here.

Zip Codes not "Personal Identification Information" under California's Song-Beverly Act

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal in the Fourth Appellate District held that zip codes are not "personal identification information" under California's Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (the "Act"). The Act prohibits a retailer that accepts credit cards from, among other things, "request[ing], or requir[ing] as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the [retailer] writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." Id. at § 1747.08(a)(2). Under the Act, "personal identification information" is "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Id. at § 1747.08(b). Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

In Party City, the plaintiff claimed that Party City’s request for a zip code in conjunction with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal granted a writ of mandate and overturned the trial court, concluding that summary judgment should be entered for Party City. The Court of Appeal found that zip codes are not personal identification information based on the plain language of the statute. In applying a plain reading, the court first examined postal regulations to understand what zip codes encompass. The court determined that zip codes as defined by the postal service are not individualized identification criteria. Rather, they are used to "provide identification of a relatively large group." Because "tens of thousands of people have the same zip code," the court concluded that a zip code standing alone is not the same as an individual’s address or telephone number. The court found its interpretation bolstered by the principle that statutes that create mandatory civil liabilities should be construed in favor of the "persons sought to be subject to their operation."

This is the third California appellate decision this year taking a narrow interpretation of the Act. See here and here for blog posts on earlier appellate court decisions holding that the Act does not apply in the merchandise returns context.

Privacy under the 44th President? Will the New Administration Bring a New Playbook?


As we prepare to welcome both the 44th President and a revamped Congress to Washington, it is time to consider what privacy under the new administration will look like. Barack Obama polled strongly on the campaign trail as the candidate most likely to advance individual privacy rights, but are the pollsters a good indicator of what privacy will look like under the new administration? Here are some of our thoughts about what we may see in the next four years.


National Privacy Law: Major players in the online marketing sphere, such as Microsoft and Google, already have expressed support for a generally-applicable privacy law to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information. Whether a federal law emerges governing the collection and use of personal data, including for marketing purposes, is the looming question in the new administration.

Behavioral Advertising: Behavioral advertising -- the practice of tracking an Internet user’s activities online in order to deliver advertising targeted to an individual consumer’s interests -- which Congress examined extensively over the summer, should continue to generate interest under an Obama administration. Indeed, the Federal Trade Commission (“FTC”) is expected to announce its final guidance concerning the self-regulation of behavioral advertising even before President-elect Obama takes office in January. We are also likely to see behavioral advertising legislative proposals at the state level, with efforts gaining traction in states like New York, where both Houses are now controlled by the Democrats.

Electronic Health Records: A key component of President-elect Obama’s health care plan is the migration of health care records from paper to more universally accessible forms of electronic media. The incoming president believes strongly that the use of technology will help lower the cost of health care. But as many commentators have suggested, greater accessibility carries greater risk, and the shift toward computerized health records is one area in which President-elect Obama’s aggressive technology and innovation policies may outgrow existing consumer protection safeguards. President-elect Obama’s commitment to providing robust protections against the misuse of this kind of sensitive information likely will require the development of additional, and more broadly-applicable, regulations to shore up existing safeguards provided under the Health Insurance Portability and Accountability Act (“HIPAA”) and other existing legal regimes. 

Data Breach Notification:  Over the past few years, states have been very active passing legislation that requires businesses that retain information about state residents to notify such residents when that information is compromised. Efforts to pass a preemptive national law have stalled largely because of the greater discretion proposed for business regarding the need to notify. That issue will likely continue to impede consensus on a national law, and the state framework is likely to be with us for a while.  

Legislative activity at the state level concerning the protection of personal information, however, is likely to continue as lawmakers try to respond to several high profile information security breaches from previous years. Moreover, as we are seeing in Massachusetts and Connecticut where new data security laws have been passed, we may see a stronger push at the state level toward requiring affirmative steps to protect personal information, rather than just requiring businesses to respond to a breach incident.

More Robust Federal Trade Commission: President-elect Obama plans to enlarge the FTC budget and enforcement power to aid in the implementation of his technology and innovation policies. The FTC’s expanded powers will likely be used to enforce the Commission’s new identity theft Red Flags Rule, which requires financial institutions and creditors to implement comprehensive written identity theft prevention programs by May 1, 2009. The FTC’s decision to extend the original November 1, 2008 compliance deadline for an additional six months portends relatively immediate enforcement activity in Summer 2009 that will help define precisely what is required, and from whom, under the Rule. The push for more enforcement power may also spur the expansion of the FTC’s authority to seek civil penalties and other monetary remedies for violations of the statutes and regulations the Commission enforces.

Location Data & Government Surveillance: President-elect Obama’s desire to develop and better utilize available technologies to create real change in America will likely create some friction in the areas of government surveillance and the collection of location data where the interests of national security and personal privacy diverge. Moreover, the private sector’s collection and use of location data and other “tracking” information to more effectively market to consumers raises concerns on both sides of the aisle since these technologies arguably can be misused to compromise national security or personal privacy. While we expect the Obama administration to back away from the aggressive government surveillance policies and programs implemented by the previous administration in the wake of September 11, 2001, the success of these efforts will require a delicate balance between a strong stance on national security and a shift toward protecting the privacy of Americans at home.

"Boring" Couple Want to Stay That Way

Google Inc. (“Google”) has filed a motion to dismiss a complaint by a Pittsburgh couple, Aaron and Christine Boring (“the Borings”), over Google’s alleged invasion of the Borings’ privacy through Google’s Street View service. Launched last May, Street View provides a navigable, 360-degree view from the streets of many U.S. cities, including Pittsburgh. 

The Borings have sued for invasion of privacy, trespass, negligence and unjust enrichment and seek damages from mental suffering and diminished property value. In their complaint, the Borings argue that Google recklessly invaded their reasonable expectation of privacy by trespassing onto their property, passing a sign reading “Private Road, No Trespassing.” From the Borings’ driveway, Google captured exterior images of the Borings’ residence and swimming pool that Google made visible with Street View.


In Google’s motion to dismiss, Google argues the invasion of privacy claim is lacking because the Street View service images must be considered in the context of what others can already view from the street. That is, any delivery person, service provider, or guest who turns around in the Borings’ driveway sees the same view as from the Street View point of view. Only if there had been a barrier or closed gate would a reasonable expectation of privacy possibly arise. In introducing this argument, Google quotes commentary from the Restatement (Second) of Torts (relating to invasion of privacy torts) that

    [c]omplete privacy does not exist in this world except in a desert, and anyone who is not a hermit must expect and endure the ordinary incidents of the community life of which he [or she] is a part.


As to the trespass issue, Google points to the privilege of consent that may be implied from custom. One such custom is driving up to a driveway or approaching the front door of a private home “absent a locked gate or other express notice not to enter.”  


Interestingly, the Borings filed a lawsuit rather than using the Street View service’s removal option; similar photos of the Borings’ house were already publicly available online; and the Borings have garnered more attention by proceeding with a lawsuit than they would have by removing the images.


Proskauer Rose summer associate David Neinstein contributed to this report.

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses that are engaged in online behavioral targeting (click here for earlier blog post), that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first-of-its-kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third-party Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers the web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data, such as geographic location, to help further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously, with the data collected linked only to a computer’s Internet Protocol (IP) address, not to a name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as Nebu-Ad, Phorm and Adzilla, who use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network.

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

The New York Bill

The New York bill, with versions in the Assembly and Senate (A. 9275 and S. 6441), is based on the Network Advertising Initiative (NAI) self-regulatory principles. The NAI is a group of online advertising firms, and it adopted its principles in 2002. The bill would create an extensive regime of consumer notice and choice for third-party tracking of different types of consumer online activity. Absent obtaining a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from collecting personally identifiable information online in some situations (when merged with certain other previously collected data). Consumers would have the right to opt out of any online tracking involving non-personally identifiable information. The bill would require clear notice by third-party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the opt-out process, and the length of time the data is retained. And it would require third-party advertising companies to contractually require the sites to whom they provide services to include notice and opt-out options.

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for the companies described above that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.

The European Union 

The press has recently reported about controversy in the U.K. concerning reports that the country’s three largest ISPs, BT, Talk Talk, and Virgin Media, had contracted with Phorm for behavioral targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR), submitted an open letter to the U.K. Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers opt-in choice for the tracking. Phorm claims that it uses a cookie with a randomly assigned number to track information, so that it does not collect personally identifiable information.

The issue of online monitoring continues to draw the attention of European Union regulators, with more activity expected in the near future. Although the E.U. approved the Google-Doubleclick merger, the E.U. Article 29 Working Party, comprised of data privacy regulators from each of the E.U.’s member states, has stated that even search engines based outside of the E.U. may fall under the E.U. Data Protection Directive. In addition, the Chairman of the Article 29 Working Party has asserted that IP addresses standing alone constitute personally identifiable information. This stands in contrast to how IP addresses are viewed in the U.S. The Article 29 Working Party is expected to issue a report in April concerning the privacy implications of Internet search engines, which should further address these issues.

Industry and Interest Group Guidelines        

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. The NAI announced late last year it is planning to revise its guidelines while just last month the Interactive Advertising Bureau – an organization comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice. Earlier this month, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioral Targeting, which focuses on allowing consumers to express their preferences for behavioral targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

http://www.csoonline.com/article/217027/CSO_Disclosure_Series_What_s_Next_with_Disclosure_Legislation_


State Attorneys General Announce Agreement with MySpace to Protect Children Online

Yesterday, attorneys general from 49 states (all but California’s) and the District of Columbia announced a sweeping agreement with MySpace under which the company will adopt new measures to protect children online. This announcement culminates many months of negotiations between a task force of the attorneys general, led by Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, and is reflective of the intense pressure on web 2.0 sites to protect children online. We previously posted about that pressure, reporting on state attorneys general investigations of MySpace and Facebook here and the subsequent New York attorney general settlement with Facebook here. The new agreement with MySpace is available as an attachment to the press release on the North Carolina Attorney General’s website.

The agreement is notable for its breadth. It goes well beyond the scope of the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to the collection of personal information online from children 12 and under. The agreement includes some protections designed to protect teenagers under 18 with stronger protections for those under 16. Under the agreement, MySpace will take some readily achievable operational steps and work towards certain longer term goals such as developing new procedures and tools to protect children.

The more immediate steps include the following:

  • continuing to dedicate resources to educate parents and educators on child safety online;
  • using “best efforts” to acknowledge consumer complaints within 24 hours of receipt with a follow-up of the steps taken within 72 hours;
  • retaining an “Independent Examiner” to evaluate and examine handling of complaints;
  • continuing to cooperate with law enforcement on complaints, which includes continuing the law enforcement hotline number and creating a law enforcement liaison;
  • implementing a series of operational changes including:
    • “age locking” to reduce the number of times a user can change their age above or below the 18 year old threshold;
    • age restrictions on certain website functions that make it harder for adults to contact children such as limiting the ability of users over 18 to search in school sections; limiting the ability of users under 18 to designate themselves as swingers; limiting being able to browse certain categories such as “body type”, “smoke” and “drink”; limiting group invites; and automatically designating profiles as private for those under 16;
    • an image monitoring policy with technology to hash inappropriate images;
    • limitations on tobacco and alcohol advertisements to those under 18 and 21 respectively;
    • expanded age specific classifications for events;
    • expanded reporting functionality for violations including a drop down for categories such as pornography, cyberbullying and unauthorized use;
    • enhancing safety tools for members such as the ability to set profiles to private, the ability to block others and requiring those under 18 to affirmatively consent to having reviewed posted safety tips before registration; and
    • enhanced tools for parents such as the ability to remove a child’s profile.

MySpace also has agreed to engage in the following longer term efforts:  

  • organizing an industry-wide Internet Safety Technical Task Force to develop online safety tools – specifically, improved online identity authentication tools – with quarterly reports to the attorneys general’s task force;
  • designating a senior executive to work with the task force;
  • holding regular meetings with the attorneys general to discuss website design and functionality improvements to protect children;
  • hiring a third party to build and host a database of email addresses for parents to register users under 18 (to prevent child registration at social networking sites);
  • blocking access by those under 18 to profiles related to the entertainment industry;
  • increasing staff for monitoring and increasing the use of textual searching and other technologies for monitoring.

The agreement is set forth as a statement of principles, and the parties have agreed to attempt to achieve the foregoing objectives, among others. According to reports, the attorneys general and MySpace continue to differ on the feasibility of new age authentication and verification technologies. The attorneys general have not ruled out legal action in the future if sufficient progress is not achieved.

FTC Staff Issues Proposed Self Regulatory Principles for Behavioral Advertising and Seeks Comment

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008. 

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles,” follows from the FTC’s town hall meeting held in early November 2007. There, the FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses alike. The agenda and links to material related to the town hall meeting can be found here.

The self-regulatory approach taken by FTC staff recognizes the benefits behavioral advertising provides. Specifically, FTC staff recognizes that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalized ads. FTC staff is, however, concerned that behavioral advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that: 

(1) every website that collects data for behavioral advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioral advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;  

(2) a company engaged in behavioral targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfill a legitimate business purpose or a law enforcement need”;

(3) a company should obtain consumers' "affirmative express consent" if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and 

(4) a company should obtain "affirmative express consent" before collecting "sensitive" consumer data (such as health data, sexual orientation, and children's data). FTC staff is seeking further comment on the types of data that constitute "sensitive" information and whether, instead of consumer choice, a prohibition on collection of such data would be a better approach.

FTC staff seeks comments on the four proposed principles generally, including their feasibility and the costs and benefits of offering choices for behavioral advertising. FTC staff also seeks additional information on the secondary uses of tracking data that extend beyond behavioral marketing. Specifically, FTC staff seeks information on what secondary uses of tracking data are occurring, which of those uses raise privacy concerns, whether those concerns extend to non-personally identifiable information in addition to personally identifiable information, and whether some heightened form of protection relating to secondary uses is warranted.

The FTC vote to approve release of the principles was 5-0. The related FTC press release is available here.

New York Attorney General Settlement with Facebook Creates New Model to Protect Children Online

In follow-up to our earlier blog post regarding recent pressure on social networking sites from law enforcement, New York Attorney General Andrew Cuomo announced yesterday that his office had entered into a settlement with Facebook. The settlement resolves the Attorney General’s investigation of Facebook’s failure to fulfill public claims it made about protecting minors, which the Attorney General believed were deceptive acts and practices and false advertising in violation of New York consumer protection laws. Facebook did not admit to any wrongdoing.  

The settlement is particularly noteworthy for its resulting “new model” to protect children. As set forth in the settlement agreement and settlement terms, Facebook will:

  • Disclose the newly implemented safety procedures on its website as specified by the agreement and ensure that all other public statements made by Facebook about safety are consistent with the specified language.
  • Accept complaints about nudity or pornography, harassment or unwelcome contact confidentially via hyperlinks placed throughout Facebook’s website as well as via an independent email to abuse@facebook.com.
  • Respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.
  • Report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been submitted via an independent email to abuse@facebook.com.
  • Allow Facebook’s complaint review process to be examined by an Independent Safety and Security Examiner (ISSE), a third party approved by the New York State Attorney General’s Office, to report on Facebook’s compliance with the agreement.
  • Provide a prominent and easily accessible hyperlink to allow a Facebook user or their parent/guardian to give feedback to the Independent Safety and Security Examiner (ISSE) about Facebook’s performance in responding to complaints. 
  • Submit to the Office reports prepared by the Independent Safety and Security Examiner (ISSE) evaluating Facebook’s performance in responding to complaints. The Examiner will report bi-annually and may recommend additional safety measures concerning complaint handling, as appropriate.

Both Attorney General Cuomo and Facebook are touting the agreement as setting new industry standards to protect children. Notably, Connecticut Attorney General Richard Blumenthal, co-chair of the national social networking task force of all 50 state Attorneys General, issued a press release stating the settlement terms were not strong enough. He is urging social networking sites to increase the use of filtering technology and monitors to screen content, identity and age verification for anyone 18 and older, parental consent for anyone under 18, the hiding of children’s profiles from adults, certain restrictions on advertising to children, and other measures. In light of the settlement, the likely continued interest by law enforcement, and the potential dangers to children, social networking sites should consider assessing their security practices and policies.           

Social Networking Sites Feel The Heat From Law Enforcement

Kids like social networking sites, most notably MySpace and Facebook. So it is not surprising that law enforcement is scrutinizing how the sites protect children. Recent subpoenas issued to Facebook by New York Attorney General Andrew Cuomo and New Jersey Attorney General Anne Milgram are illustrative.

Both subpoenas sought information about Facebook’s Internet safety and security policies. The New York subpoena, issued last month, also sought information concerning Facebook’s complaint resolution procedures. In its subpoena cover letter to Facebook, Attorney General Cuomo noted Facebook’s public representations concerning how it responds to reports of pornographic material and inappropriate contact with minors. It also described his office’s undercover investigation of Facebook. According to the letter, the investigation revealed pornographic and other inappropriate content readily available on the site. In addition, after investigators set up profiles as young teenage users, they received inappropriate sexual advances. The investigators filed complaints about these issues through Facebook’s complaint procedures. The letter notes various instances of non-responsiveness or delayed response to such complaints. The New Jersey subpoena, issued earlier this month and described here, sought information from Facebook concerning convicted New Jersey sex offenders that Facebook has identified as site users. Facebook previously informed the New Jersey Attorney General it had removed sex offenders with profiles matching individuals listed on the New Jersey sex offender registry. Attorney General Milgram also sent letters to eleven other social networking sites requesting that they compare their registrants against the state’s sex offender list.

These actions from New York and New Jersey are the latest steps by attorneys general from all 50 states to pressure social networking sites to enhance security protocols, specifically parental controls and age verification tools, because of the vulnerability of children to online predators and inappropriate content. In particular, since early last year, Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, have led a task force of the attorneys general calling on social networking sites to increase protections for children. Some of the steps the task force has urged of social networking sites have included enhanced age verification tools, restrictions on the ability of children to make profiles available to others in the absence of parental consent, increased staff and technology dedicated to screening inappropriate content, giving parents software to block the site, and raising the minimum age of participation to 16.

This Spring, MySpace was in the news after receiving a letter from eight attorneys general demanding information concerning registered sex offenders on its site. After initially asserting it was unable to legally comply, MySpace struck an agreement with the attorneys general about the form of the requests. MySpace later announced it had removed more than 29,000 profiles of sex offenders from its site.

North Carolina and Connecticut are among states that introduced legislation requiring age verification measures on websites. Those bills have not passed but are expected to be introduced in future legislative sessions.

Businesses developing social networking sites that may attract children should not only comply with the Children’s Online Privacy Protection Act (“COPPA”) and its regulations concerning parental consent when collecting personal information of children, but should also be aware of increased state activity that may require enhanced practices. Companies should consider scrubbing user profiles against sex offender registries and utilizing enhanced tools for age verification. Finally, companies should be sure they are not making any security representations that they are not abiding by or with which they cannot comply.

International Privacy Issues and More Addressed in New International Practice Guide

Proskauer Rose LLP has just released "Proskauer on International Litigation and Arbitration: Managing, Resolving, and Avoiding Cross-Border Business and Regulatory Disputes." The online guide is a practical reference work for businesses and practitioners; it explores best practices and creative yet practical approaches to manage, resolve, and avoid controversies affecting multiple jurisdictions. 

The 28-chapter guide is available free in e-Book format at www.proskauerguide.com. It includes a thorough chapter on international privacy law.

Drawing on the firm's long and extraordinary history in international practice, "Proskauer on International Litigation and Arbitration" is written by the firm's lawyers on the most timely and important topics in international practice, from drafting international agreements to securing/avoiding jurisdiction to judgment enforcement/avoidance, from multi-jurisdictional regulatory proceedings or investigations to protecting witnesses, documents, privacy, and privileges, as well as several additional substantive areas.

"Despite the fact that the explosion in international business and regulatory disputes presents unique challenges, there does not exist for the client or practitioner any comprehensive treatment of the issues arising in international or cross-border litigations, arbitrations, and regulatory investigations or proceedings. We are filling that gap by providing this essential reference guide", said Louis M. Solomon, Co-Chair of Proskauer's Litigation Department and Editor-in-Chief of the Guide. "'Proskauer on International Litigation and Arbitration' would be an extraordinary achievement even if it were limited to being a compendium of the current law in this dynamic and rapidly expanding area. But my colleagues in the Proskauer Litigation Department and International Practice Group have done so much more, producing a resolutely practical guide, emphasizing the concrete and strategic over the theoretical, the lore as well as the law, and the unique opportunities and challenges presented by international litigation and regulatory proceedings."

The Sixth Circuit Affirms Individual Expectation of Privacy in Emails

In a decision that will significantly impact the ability of the government to access electronic communications, the United States Court of Appeals for the Sixth Circuit on June 18, 2007, affirmed a district court’s issuance of a preliminary injunction prohibiting governmental entities from obtaining Internet Service Providers’ (“ISP”) subscribers’ e-mail communications unless the subscriber first receives prior notice and an opportunity to be heard.  Warshak v. United States, No. 06-4092 (6th Cir. 2007). The Court found unconstitutional the Stored Communications Act (“SCA”) provisions allowing Government seizure of such communications without prior subscriber notice, because the court order could be issued without a showing of probable cause that the subscriber had committed a crime. The Sixth Circuit found that individuals have an expectation of privacy regarding the contents of emails sent or stored through an Internet Service Provider (ISP).

The SCA, passed in 1986 as Title II of the Electronic Communications Privacy Act, contains various provisions regarding “stored wire and electronic communications and transactional records” affecting ISPs’ subscribers’ records and communications. The specific provisions of the SCA at issue in Warshak were sections 2703(b) and (d) and 2705(a). Sections 2703(b) and 2705(a), in pertinent part, allow a governmental entity to obtain the contents of electronic communications that have been stored by an ISP for more than 180 days without notice to the subscriber if obtained by a warrant (which is subject to the usual probable cause standard), and with delayed notice to the subscriber if the governmental entity obtains a court order and the court finds there may be an adverse result from providing notice. Section 2703(d) allows the issuance of such court orders when the government has “reasonable grounds to believe” that the communications are pertinent to an active criminal investigation, a less rigorous standard than probable cause.

In Warshak, the U.S. Government directed its order to Plaintiff Steven Warshak’s ISPs to obtain, among other things, his stored e-mail communications in support of its criminal investigation of wire and mail fraud. The Government did not seek e-mails in electronic storage less than 180 days old (which can only be obtained with a warrant). The court order approved delayed notice. After the Government provided the delayed notice, Warshak filed a complaint seeking a preliminary injunction and alleging that the disclosure of his emails without a warrant or notice violated the Fourth Amendment and the SCA. The U.S. District Court for the Southern District of Ohio held that individuals sending emails have an expectation of privacy, and preliminarily enjoined the seizure of emails from an ISP account when an account holder was not given notice and a hearing. The government appealed the district court’s decision.  

On appeal, the Government argued that an SCA court order is akin to a subpoena and therefore probable cause is unnecessary. The Sixth Circuit acknowledged that, for a subpoena to issue, the Government must meet only the lower “reasonableness” standard. However, in reviewing the case law, the court concluded that individuals may challenge a third party subpoena before disclosure is compelled if they have a “legitimate expectation of privacy” regarding the records at issue. The Warshak court therefore reasoned that, where an e-mail user has an expectation of privacy regarding the e-mail content, the government must meet the more rigorous “probable cause” standard. The court found an expectation of privacy in e-mail communications by analogizing e-mails to the telephone conversations under surveillance in Katz v. United States, 389 U.S. 347 (1967). In Katz, the Supreme Court of the United States held that government interception of telephone conversations was a search for Fourth Amendment purposes, and that individuals have a legitimate expectation of privacy regarding the conversations.

The Sixth Circuit made only one modification to the district court’s injunction, adding that, “if the government can show, based on specific facts, that an e-mail account holder has waived his expectation of privacy vis-à-vis the ISP, compelled disclosure of e-mails through notice to the ISP alone would be appropriate.” The Court explained that such a waiver requires more than the ISP having some level of monitoring policies in place. For example, an ISP’s terms of use reserving a right of access to e-mail communications for specific, limited purposes, or its use of technological monitoring of e-mails to identify child pornography, would not constitute a waiver by the subscriber. Rather, for a subscriber to waive his expectation of privacy in e-mail communications, the ISP would have to have clear terms of service, apparent to the user, allowing it to regularly audit, inspect, or monitor subscriber e-mails. The Court drew an analogy to the recent Ninth Circuit decision in United States v. Heckenkamp, Nos. 05-10322, 10323, 2007 U.S. App. LEXIS 7806 (9th Cir. Apr. 5, 2007), in which a student who connected his computer to the university’s network was held to have a legitimate expectation of privacy in his computer files because the university’s monitoring policy was limited in scope. See our discussion of Heckenkamp here. The Court distinguished workplace privacy, where an employer explicitly notifies employees of its right to monitor and access e-mail.

The Sixth Circuit’s decision does not affect other provisions of the SCA, including the government’s ability to obtain, without notice, e-mail communications with a warrant and subscriber account information with a warrant, court order or subpoena.

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Minnesota’s New Law

The Minnesota law, H.F. 1758, amends Minnesota’s data breach notification law and contains security and liability components. The security requirements take effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.” Such companies are prohibited from retaining the following card data after authorization of a transaction:

  • “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV – a unique authentication code embedded on the magnetic stripe);
  •  the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
  • any PIN verification code number. If a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction. 

The liability provision of H.F. 1758 applies to data breaches occurring after August 1, 2008. It requires companies to reimburse card-issuing financial institutions for the “costs of reasonable actions” both to protect their cardholders’ information and to continue to provide services to their cardholders after a breach. The reimbursement would cover costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts and stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover the costs of damages it pays to cardholders as a result of a breach.

The Five Pending Bills

The April 27, 2007 blog entry posted here discussed in detail California’s A.B. 779 as introduced. Since that posting, A.B. 779 has been amended in various California Assembly Committees and now resides with the Appropriations Committee. The amended bill extended the scope of the bill beyond just retailers to all persons or businesses conducting business in California that own or license computerized data containing personal information. The 90-day record destruction requirement in the original bill has been deleted, but the amended bill now has a host of other restrictions on storing payment card data. Among its requirements, the bill requires:

  • account numbers retained by businesses be “indecipherable” to unauthorized persons;
  • that payment related data sent across a network be encrypted;
  • that companies have role-based restrictions for employee access to such data; and
  • a provision, broader than Minnesota’s financial institution reimbursement provision, requiring vendors that maintain, but do not own or license, breached personal information to reimburse data owners and licensees for the “reasonable and actual costs” of providing data breach notification.
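Minnesota’s H.F. 1758 and California’s A.B. 779 both reduce to rules about which card data a merchant may keep after authorization and in what form. The following is an added example (not code from the original post, from either statute, or from PCI DSS) that models both: it parses ISO/IEC 7813 track data only to extract the PAN and expiry, never stores the full track, CVV2 or PIN data in the post-authorization record, applies the 48-hour allowance for PIN-debit transactions, and keeps the account number only as a truncated display form plus a keyed hash so that it is indecipherable without the key. The field names, the HMAC key and the sample captures are constructed for the example; 4111 1111 1111 1111 is a well-known test PAN, not a real card.

```python
"""Post-authorization payment-card retention filter.

Added example, not code from the original post, from any statute, or from
PCI DSS. It models two rules discussed above: Minnesota H.F. 1758 (no full
track data, CVV2 or PIN verification data kept after authorization, with a
48-hour allowance for PIN-debit transactions) and A.B. 779's requirement that
retained account numbers be indecipherable to unauthorized persons. Track
layouts follow ISO/IEC 7813; the field names, key and sample records are
constructed for this example.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# ISO/IEC 7813 track 2: ";PAN=YYMM SVC discretionary?". The discretionary
# data carries the issuer's CVV/CVC1, so the tail is matched only to be dropped.
_TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})\d{3}[^?]*\?$")
# Track 1 format B: "%B PAN ^ NAME ^ YYMM SVC discretionary ?".
_TRACK1 = re.compile(r"^%B(?P<pan>\d{12,19})\^[^^]*\^(?P<exp>\d{4})\d{3}[^?]*\?$")

# Capture fields that must not survive authorization (the H.F. 1758 list).
PROHIBITED_AFTER_AUTH = frozenset({"track", "cvv2", "pin_block"})
PIN_DEBIT_LIMIT = timedelta(hours=48)   # H.F. 1758 allowance for PIN debit


def parse_track(track: str) -> dict:
    """Extract PAN and expiry from a raw track; nothing else is returned."""
    m = _TRACK2.match(track) or _TRACK1.match(track)
    if not m:
        raise ValueError("unrecognised track layout")
    return {"pan": m.group("pan"), "exp": m.group("exp")}


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN for matching repeat cards and refunds.
    A plain SHA-256 would be brute-forceable from the BIN plus Luhn; the
    key is what makes the stored value indecipherable without it."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def retainable_record(auth: dict, key: bytes) -> dict:
    """Build the post-authorization record from an allowlist of fields."""
    card = parse_track(auth["track"])
    if not luhn_ok(card["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {
        "auth_code": auth["auth_code"],
        "amount": auth["amount"],
        "authorized_at": auth["authorized_at"].isoformat(),
        "pan_masked": mask_pan(card["pan"]),
        "pan_ref": pan_reference(card["pan"], key),
        "exp": card["exp"],
        "pin_debit": "pin_block" in auth,
    }


def raw_retention_deadline(auth: dict) -> datetime:
    """Moment after which the raw capture must be scrubbed."""
    t = auth["authorized_at"]
    return t + PIN_DEBIT_LIMIT if "pin_block" in auth else t


def enforce_retention(auth: dict, now: datetime) -> dict:
    """Return the capture with prohibited fields removed once the deadline passes."""
    if now < raw_retention_deadline(auth):
        return dict(auth)
    return {k: v for k, v in auth.items() if k not in PROHIBITED_AFTER_AUTH}


# Constructed sample captures (4111... is a test PAN, not a real card).
_T0 = datetime(2007, 8, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CREDIT = {"auth_code": "A1B2C3", "amount": "19.99", "authorized_at": _T0,
                 "track": ";4111111111111111=25121011234567890?", "cvv2": "123"}
SAMPLE_PIN_DEBIT = {"auth_code": "D4E5F6", "amount": "42.00", "authorized_at": _T0,
                    "track": "%B4111111111111111^DOE/JANE^25121011234567890?",
                    "pin_block": "0123456789ABCDEF"}

if __name__ == "__main__":
    key = b"example-hmac-key"          # assumption: in practice held in an HSM/KMS
    print(retainable_record(SAMPLE_CREDIT, key))
    print(enforce_retention(SAMPLE_CREDIT, _T0))                           # cvv2, track gone
    print(enforce_retention(SAMPLE_PIN_DEBIT, _T0 + timedelta(hours=1)))   # still raw
    print(enforce_retention(SAMPLE_PIN_DEBIT, _T0 + PIN_DEBIT_LIMIT))      # scrubbed
```

The design point is that the retained record is built from an allowlist rather than by deleting known-bad fields, so a new capture field added upstream (a second track, a PIN verification value) cannot leak into storage by default; `enforce_retention` exists only for the raw capture that a PIN-debit flow may legitimately hold for up to 48 hours.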


In the Texas legislature, the House passed H.B. 3222, which would require companies that accept, process or maintain credit card, debit card and other financial institution-issued cards to follow the Payment Card Industry Data Security Standard (“PCI DSS”). The PCI DSS is an extensive set of security requirements for protecting cardholder data that the major payment card brands impose on merchants that store, process or transmit such data. While H.B. 3222 excludes financial institutions from the security standards, it gives them, subject to certain conditions, a right of action for actual damages against other companies they believe have violated the provision.

The other pending bills, Connecticut S.B. 1089, Illinois S.B. 1675 and Massachusetts H. 213 all contain provisions similar to Minnesota’s liability provision making companies liable to banks or financial institutions that incur costs arising from a breach. It should be noted that the liability provisions of Massachusetts’ H. 213 were not included in omnibus versions of data breach notification, credit freeze and data security and disposal bills that have recently passed the Massachusetts House and Senate, and which await action by conference committee to resolve differences between the two versions.   

California Court of Appeal Reaffirms Adequacy of Opt-Out Notice to Protect Privacy of Individual Identity and Contact Information in Litigation

On April 9, 2007, the California Court of Appeal, Second Appellate District, affirmed a ruling of the Los Angeles Superior Court permitting the disclosure to counsel for a putative class of the names, addresses, and telephone numbers of the defendant’s current and former employees unless, following proper opt-out notice, they objected in writing to the disclosure. Belaire-West Landscape, Inc. v. Superior Court, B194844 (April 9, 2007). The Belaire-West court applied the reasoning of the California Supreme Court's recent decision in Pioneer Electronics (USA), Inc. v. Superior Court, 40 Cal.4th 360 (2007) (discussed in our January 30 post) to employee data to hold that requiring current and former employees to object to disclosure of their identities and contact information “present[ed] no serious invasion of their privacy interests.”

Real parties in interest Sebastian Rodriguez and Jose Luis Mosqueda filed a putative wage and hour class action against their former employer, Belaire-West Landscaping. During precertification discovery, the trial court compelled Belaire-West to provide the names and contact information of all current and former employees and adopted the plaintiffs’ proposed notice to those individuals that required them to opt-out in writing to prevent their information from being disclosed. The court reviewed in detail the analysis applied in Pioneer, and determined that the opt-out notice adequately protected the privacy rights of the current and former employees.

The opt-out notice adopted by the trial court advised current and former employees “of the lawsuit and its core allegations, and explained who may be a member of the proposed class. It described the investigation plaintiffs’ attorneys were performing, and stated that ‘[t]o assist in the investigation, the attorneys for the Plaintiffs wish to gather information regarding the nature of the work you do (or used to do), while employed by Belaire-West, including the amount of any overtime you may have worked. They have sought to obtain your names, addresses and telephone numbers, so that they can communicate with you about the allegations made in the lawsuit.’” The notice further stated as follows:

By order of the Los Angeles Superior Court, Plaintiffs’ counsel has already been provided your names. The Court has ordered that a letter be sent to you to determine if you would object to Plaintiffs’ counsel receiving your address and telephone number. You may elect not to provide your address and/or telephone number to Plaintiffs’ counsel on the grounds of privacy. [] Plaintiffs’ counsel would like to have your address and telephone number to help in their investigation. The Plaintiffs’ lawyers would like to contact you to obtain your input as to whether the Plaintiffs’ allegations in their lawsuit are accurate. [] THEREFORE, IF YOU DO NOT WANT YOUR ADDRESS AND TELEPHONE NUMBER TO BE PROVIDED TO THE PLAINTIFFS’ ATTORNEYS, YOU MUST complete and return THE ENCLOSED POST CARD to the address listed on the postcard.

The notice included the names, addresses, and telephone numbers of plaintiffs’ counsel, with the information that recipients had the right to contact plaintiffs’ counsel and that they speak Spanish. Finally, the notice advised current and former employees that they were “under no obligation to provide information to or discuss this matter with the Plaintiffs’ attorneys or any person representing the former employees,” were “also under no obligation to provide information to or discuss this matter with Belaire-West or any of its agents or attorneys,” and that their “employer[s] may not retaliate against [them] in any way for providing or refusing to provide any information.”

As explained in a previous post, the Court in Pioneer held that, under the privacy provision of the California Constitution, a representative plaintiff in a class action may obtain from defendant company the personal identifying information of other complaining consumers, even when those consumers do not affirmatively grant permission for their personal identifying information to be used.

The Belaire-West court concluded that the opt-out notices in the instant matter sufficed under Pioneer. The court acknowledged that the privacy concerns in the Belaire-West case were more significant than those in Pioneer because the information was provided to Belaire-West as a condition of employment (as opposed to the voluntary disclosures of consumers in Pioneer), and that employees reasonably expected that their employer would not divulge the information except as required to governmental agencies or benefits providers, in light of employers’ usual confidentiality customs and practices. Nonetheless, the court found that this did not mean that current and former employees would wish their contact information to be withheld from a class action plaintiff seeking relief for violations of employment laws.

The court found reasonable the trial court’s implicit finding that “no serious invasion of privacy would result from the release of the [information] to the named plaintiffs in a putative class action filed against their employer following a written notice to each employee giving them the opportunity to object to the disclosure of that information.” As in Pioneer,

the information, while personal, was not particularly sensitive, as it was contact information, not medical or financial details. Disclosure of the contact information with an opt-out notice would not appear to unduly compromise either informational privacy or autonomy privacy in light of the opportunity to object to the disclosure, as the court specifically found that there was no evidence of any actual or threatened misuse of the information.

The court further held that the balance of interests also supported the trial court’s order because the current and former employees were potential percipient witnesses and, as such, their identities and locations were properly discoverable under the California Code of Civil Procedure § 2017.010. Indeed, the court found that the balance tilted even more in favor of disclosure than in Pioneer because the “fundamental public policy underlying California’s employment laws” was at stake.

Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.  

Proposed Data Destruction Requirements for Retailers

California currently requires all businesses to comply with several statutory provisions related to data security and destruction.  These provisions are contained in California Civil Code §§ 1798.80 – 1798.84 and concern three major topics: (1) destruction of customer records containing personal information; (2) the safeguarding of personal information; and (3) data breach notification.  A.B. 779 incorporates the data privacy laws by reference and expressly applies them to retailers that “collect[] or maintain[] personal information for any purpose.”

Under the bill, retailers would be required to dispose of records that contain personal information within 90 days.  Existing law, California Civil Code § 1798.81, provides general guidelines for records disposal for all businesses.  Under the current statute, a “record” is anything on or through which information is recorded or preserved, including written or spoken words, graphic depiction or electronic transmission.  “Personal information,” for purposes of this section, is:

any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.  “Records” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

California Civil Code § 1798.80 (emphasis added).

The destruction requirements proposed in A.B. 779 reach far beyond those set forth in § 1798.81.  Existing law requires only that a business

take all reasonable steps to destroy, or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Section 1 of A.B. 779, however, would require that “a retailer that sells goods or services to any resident of California . . . not retain personal information for longer than 90 days after the date of the original transaction, or the period of time during which goods may be returned for a refund or exchange, whichever is shorter.” (emphasis added).  Thus, should A.B. 779 be passed into law, it will significantly impact retailers’ records retention and disposal policies and procedures with respect to personal information of customers.

Proposed New Data Breach Notification Requirements for All Businesses

California Civil Code § 1798.82, the first-in-the-nation security breach notification law, currently requires all businesses that own or license personal information to notify individuals if their data have been, or may have been, acquired by an unauthorized person.  Personal information is defined as the first name or initial and last name of an individual, with one or more of the following: 1) Social Security Number, 2) driver’s license number, 3) credit card or debit card number, or 4) a financial account number with information such as PINs, passwords or authorization codes that could gain access to the account.

A.B. 779 would amend California Civil Code § 1798.82 in three primary respects.  First, it would require that the following information appear in breach notices:

(A) The date of the notice.

(B) The name of the person or business that maintained the computerized data at the time of the breach.

(C) The date on which the breach occurred.

(D) A description of the categories of personal information that were, or are reasonably believed to have been, acquired by an unauthorized person.

(E) A toll-free telephone number or, if the primary method used by the person or business to communicate with the individual is by electronic means, an electronic mail address that the individual may use to contact the person or business or their agent, so that the individual may learn what types of personal information the person or business maintained about that individual.

(F) The toll-free telephone numbers and addresses for the major credit reporting agencies.

Second, according to the text of the bill, owners or licensees of personal data would be entitled to reimbursement from a third party person or business that maintains the data and that is actually responsible for the breach, for the “reasonable and actual costs” of providing required breach notification.  Data owners would remain responsible for providing notice.  Third, companies providing notice must send a copy of the notice provided to consumers to the California Office of Privacy Protection.  This requirement is similar to the laws of other states, including New York and New Jersey, that require notification to other governmental agencies.

A copy of A.B. 779 can be found here.

Expectation of Privacy in Student Computer Persists in the Absence of Announced Monitoring Policy

Last week, a panel of the Ninth Circuit Court of Appeals held that in the absence of an announced monitoring policy, the mere act of connecting a computer to a network does not extinguish a user’s reasonable expectation of privacy, under the Fourth Amendment, in the contents of his or her computer. The panel announced its holding in United States v. Jerome T. Heckenkamp, Nos. 05-10322 and 05-10323 (9th Cir. April 5, 2007), wherein it upheld the introduction of evidence obtained by University of Wisconsin employees through remote and direct access of a student computer attached to a university network. Although it recognized the defendant’s reasonable expectation of privacy, the panel upheld the lower court’s admission of evidence under the judicially-created “special needs” exception to the Fourth Amendment because the alleged hacking posed an immediate threat to the university network and the searches were not conducted for a law enforcement purpose.   

Jerome Heckenkamp, a student at the University of Wisconsin at Madison, was charged under 18 U.S.C. § 1030(a)(5), a provision of the Computer Fraud and Abuse Act, in connection with an alleged attempt to hack into protected systems at the University of Wisconsin and Broadcom. At trial, Heckenkamp moved to suppress evidence obtained from two searches of his computer. The first search occurred after Broadcom security alerted the University that a University computer was being used in an attack on Broadcom. A University computer investigator, Jeffrey Savoy, identified the IP address of the offending computer, determined that it also posed an immediate threat to the University’s sensitive systems, and performed a remote search of Heckenkamp’s computer to confirm that it was the computer responsible. Later that day, Savoy suspected that Heckenkamp had changed his computer’s IP address in an attempt to mask his activities. Notwithstanding the FBI’s recommendation that Savoy wait for a warrant before proceeding, Savoy, with the help of campus police, entered Heckenkamp’s room when the door was ajar and ran a series of commands that confirmed Heckenkamp was responsible for the attacks. Savoy justified the warrantless search on the grounds that the University’s systems could have been critically damaged and that Heckenkamp could gain access to confidential student files. Heckenkamp was a skilled computer programmer and was familiar with University systems; he had been fired from his position at the University computer help desk for attempting to access University systems without authorization.

Heckenkamp reaffirms the importance of establishing and distributing policies regarding the monitoring of computer use. The panel relied heavily on the fact that the University had no such announced policy, and in fact had assured students of data confidentiality:

A person’s reasonable expectation of privacy may be diminished in transmissions over the Internet or e-mail that have already arrived at the recipient. However, the mere act of accessing a network does not in itself extinguish privacy expectations, nor does the fact that others may have occasional access to the computer. However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user. United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir. 2002) [professor using university computer]; United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) [federal employee using federal computer system].

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that ‘[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the State.’

Heckenkamp at 3888 (citations and quotations omitted).

The Ninth Circuit likely will have to clarify in future litigation the scope of reduced privacy expectations where users are advised of monitoring.

A copy of the Heckenkamp opinion is available here.   

Federal Regulators Propose Federal Privacy Notice and Seek Comments

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over Gramm-Leach-Bliley Act (“GLBA”) regulated “financial institutions” issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices to make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of notices and the overuse of legal terms. 

Section 503 of the GLBA, 15 U.S.C. § 6803, and current rules require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and the nonaffiliated third parties to whom such information is disclosed, and the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, in the case of continuing relationships, on an annual basis. Current rules do not mandate a standard format or particular wording for the notices; however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.

While the Joint Agencies had deferred policy action in the midst of studying how to improve privacy notices, on October 13, 2006, President Bush signed the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act”). Section 728 of the Regulatory Relief Act amended Section 503 of the GLBA (15 U.S.C. § 6803) to require the Joint Agencies to propose a model form by April 11, 2007. Although financial institutions will not be required to use the model form, the Regulatory Relief Act includes a safe harbor that deems any financial institution using the form to be in compliance with the Section 503 disclosure requirements.

The model form is largely based on a report issued by the Kleimann Communication Group in March 2006. The proposed model form would be two to three pages, depending on whether there is an opt-out. The first page would include general background information and a key frame with “why,” “what” and “how” information regarding a financial institution’s use of personal information, its reasons for sharing, and opt-out rights. The second page includes supplementary information such as definitions and further explanatory information in the form of frequently asked questions. The final page includes an opt-out form for those financial institutions that share information in a manner that triggers consumer opt-out rights. The proposed rules would require a minimum font size and sufficient spacing between lines of type, with further recommendations on font type, spacing, paper size and color. One year after the model form is adopted, financial institutions will lose the safe harbor that currently attaches to use of the sample clauses in the existing rules.

Comments on the proposal will be due 60 days from publication in the Federal Register, which is expected later in March. The Joint Agencies are seeking comment on the content of the model form (including whether modifications to the opt-out are necessary and whether financial institutions intend to incorporate the Fair Credit Reporting Act opt-out for affiliate marketing into the form), the format of the form, and other issues such as the likelihood that financial institutions will use the form and the requirement of some financial institutions that consumers provide their social security numbers to opt out. Interested parties need only submit comments to one of the Joint Agencies.

The Joint Agencies include the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and the Securities and Exchange Commission.

Welcome

Welcome to the Proskauer Privacy Law Blog. Proskauer’s Privacy and Data Security Practice Group is tremendously pleased to bring you what we hope will become a trusted source for summary and analysis of breaking legal developments in the evolving field of privacy and data security law. This blog is designed in part to complement our recent privacy treatise published by PLI entitled Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age.

Today we bring you posts regarding (1) the introduction of federal legislation that would give the Attorney General very broad authority to enact rules requiring Internet Service Providers to retain records so law enforcement can access customers’ online activities; (2) adoption by the EU Data Protection Working Party of a new model application form for Binding Corporate Rules; and (3) some of the many new proposed bills in the 110th Congress regarding data security breach notification that would preempt the more than 35 currently existing state laws.

In addition, you can find posts that I previously contributed to the California Privacy Law blog hosted by the Los Angeles County Bar Association.

Of course, we are interested in your feedback, and welcome your suggestions and comments. We look forward to hearing from you.

110th Congress Proposes Sweeping Federal Data Security Legislation

Senators and Representatives from both sides of the aisle have introduced several new pieces of legislation proposing sweeping new frameworks for data privacy law:

S. 239 (“Notification of Risk to Personal Data Act”);
H.R. 958 (“Data Accountability and Trust Act”);
H.R. 836 (“Cyber-Security Enhancement and Consumer Data Protection Act of 2007”); and
S. 495 (“Personal Data Privacy and Security Act of 2007”).

S. 495 and H.R. 958 establish requirements for data security, as well as breach notification standards; S. 239 is limited to breach notification requirements; and H.R. 836 criminalizes the concealment of data breaches, enhances penalties for identity theft, and requires the reporting of breaches to federal law enforcement agencies. Whatever the final text of data privacy legislation, we are likely to see this Congress pass federal data security legislation. Congressional leaders have emphasized that data privacy and breach notification are top priorities.

Federal legislation is necessary, some believe, in order to standardize what currently is a patchwork of requirements among the 35 states with data security and breach notification requirements.

Following are some of the more notable provisions of the proposed bills:

1) Pre-emption

All four bills would pre-empt state laws pertaining to similar subject matter. However, the bills do allow states to specify additional information that must be included in data breach notifications.

2) Regulatory enforcement and rulemaking

S. 239, H.R. 958 and S. 495 all delegate to the FTC the responsibility of establishing guidelines for data security and breach notification. Although the FTC’s mandate until now has not included breach notification, the FTC has a fair amount of experience with enforcing data security standards under its Section 5 (15 U.S.C. § 45) authority.

The proposed legislation delegates authority to the FTC to promulgate regulations based on criteria similar to those the FTC already follows in its Section 5 cases: establishment of security policies, enforcement of those policies and monitoring of potentially vulnerable systems. See, e.g., H.R. 958, sec. 2.

3) Breach notification duty belongs to data owner, not licensee or third-party data manager

H.R. 958 and S. 495 explicitly state that a third-party data manager’s only notification obligation after a breach is to alert the data owner, i.e., the entity on behalf of which the data is maintained, to the breach. S. 239 also imposes such an obligation, but notes that the proposed legislation does not prevent a data owner and a third party from allocating through contract the burden of notifying individuals whose data were compromised. The other two proposals are silent on this issue.

4) No private cause of action

All four bills explicitly state that they do not create new private federal causes of action. Furthermore, they note that violations of their provisions cannot give rise to private actions under state consumer protection laws. Rather, only state Attorneys General may sue for underlying violations of federal data privacy statutes under state consumer protection laws. The FTC may join or move to stay such proceedings.