Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Under the Act, Cal. Civ. Code §1798.83, California residents have the right to request from a business with twenty or more employees, with whom they have an established business relationship, certain information about the business’s disclosure of personal information to third parties for direct marketing purposes. Specifically, such California residents may ask for details about what personal information the business shares with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt-out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations. 

To date, despite being effective since 2005, there are no published decisions under the Act. But that may change with this month’s wave of class action lawsuits. The complaints in the recently filed class action lawsuits share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each respective business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety day cure period before they can be held in violation of the law, as long as their violation was not willful, intentional or reckless.  Many companies who have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses. 

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

Indeed, the Facebook settlement signals that the FTC is likely to continue requiring comprehensive privacy programs and enforcing the US-EU Safe Harbor Principles in a substantive manner, two things that the FTC had not done before March 2011. Such enforcement is no surprise, given that the FTC has advocated a “privacy by design” approach since at least December 2010. Specifically, the FTC’s proposed settlement requires Facebook to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

In addition, the settlement also requires Facebook, before sharing a user’s nonpublic personal information with a third party in excess of the user’s privacy settings, to “clearly and prominently disclose” (outside of the Facebook privacy policy or other boilerplate) the categories of nonpublic user information that will be disclosed, the identity or specific categories of such third parties, and that such sharing exceeds the restrictions imposed by the users’ privacy settings. Importantly, Facebook must also obtain a user’s affirmative express consent before sharing the user data in the new circumstance. The settlement also imposes a requirement for Facebook to retain an independent third party to biennially assess its privacy practices vis a vis the settlement terms for the next twenty years.

The FTC’s eight-count Complaint that underlies the settlement alleges that numerous Facebook initiatives violated prior representations about the extent to which users’ information was accessible by third parties. For instance, the FTC alleged that Facebook, despite allowing users to restrict access to profile information to specific individuals or groups of people, permitted users’ information to be accessed by third-party applications on the Facebook platform which the users’ friends used. The FTC also alleged that in December 2009, Facebook made public certain information that users had previously designated private and failed to disclose that users could no longer restrict access to certain information or that their existing choices would be overridden.

The FTC also alleged that Facebook’s December 2009 changes were both deceptive (because Facebook failed to adequately disclose the changes) and unfair (because Facebook retroactively applied the changes to personal information that it had previously collected from users, without their informed consent).

According to the FTC, Facebook’s conduct harmed consumers because the alleged violations:

·          Made certain users “subject to the risk of unwelcome contacts;”

·          Exposed “potentially controversial political views or other sensitive information to third parties;”

·          Exposed the user’s list of friends to third parties, “thereby exposing potentially sensitive affiliations;” and

·          Revealed “potentially embarrassing or political images to third parties.”

The FTC’s complaint also alleged other privacy violations by Facebook, including the following:

·          Facebook permitted apps on its platform to access more personal information about the app’s user than was necessary for the app’s purpose

·          Facebook permitted apps to access personal information about a user’s friends even if the friends never granted the app authorization to access their personal information

·          Facebook’s advertising program shared identifiable information with advertisers, contrary to representations it had made to its users

·          A little-used “Facebook Verified App” badge, whereby Facebook, for a fee, would “verify the security of Verified Apps” was deceptive because Facebook did no more to verify applications bearing that badge than it did with any other platform application

·          Facebook retained and continued to make accessible users’ photos and videos, even after users deleted or deactivated their accounts, contrary to Facebook’s prior representations

·          Facebook falsely certified that it had complied with the US-EU Safe Harbor Principles, particularly, the principles of Notice and Choice, when it was not in compliance with them

In settling the FTC’s charges, Facebook did not admit the truth of any of the FTC’s substantive or factual allegations, aside from jurisdictional ones.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up. Any changes to a website or application should respect users’ prior privacy choices and obtain a users’ affirmative consent before altering or overriding those prior choices. The requirement that Facebook enact a comprehensive privacy program (e.g., “privacy-by-design”) - a settlement term that the FTC first included in Google’s March 2011 settlement—demonstrates that this requirement will likely be a staple of future privacy-related settlements. The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

Unlike prior settlements in response to data security breaches where the FTC required the implementation of a comprehensive information security program as a remedial measure, the Buzz settlement requires Google to enact a comprehensive privacy program, consistent with the Commission’s “privacy by design” approach that we have previously blogged about.  Specifically, the FTC’s proposed settlement requires Google to establish and maintain “a comprehensive privacy program” to “address privacy risks related to the development and management of new and existing products and services for consumers” and “protect the privacy and confidentiality of covered information.” 

The settlement also requires Google to “clearly and prominently disclose” if a user’s information will be disclosed to third parties, the identity or specific categories of such third parties, and the purposes for sharing; and to obtain affirmative consent from the user regarding the sharing.  In addition, the settlement requires Google to provide a report on the effectiveness of the company’s privacy program biennially to the FTC for the next twenty years.

The FTC’s Complaint that underlies the settlement alleges that Google launched the Buzz social networking service in February 2009 within its Gmail product.  Upon logging into their Gmail accounts, users were presented with the option to “Check out Buzz” or proceed to their Gmail inbox.  The FTC alleged that even if a user opted to go to his or her inbox, that user’s information was still shared with others in the Buzz network.  The FTC claimed that Google therefore did not use the information that users provided to Google only for the purpose of providing them the company’s web-based email service (Gmail) – rather, Google also used this information in connection with the Buzz social networking service.  Moreover, Google did not request users’ consent before using the information collected from Gmail users in connection with Buzz. 

The FTC further alleged that if a user clicked a link to “Turn off Buzz” certain information about that user was still shared with others.  Moreover, the FTC alleged that Buzz did not adequately communicate that certain previously-private information would be shared by default and certain personal information was shared without users’ permission.  The FTC also claimed that the “Turn off Buzz” and options to go to the user’s inbox without signing into Buzz were false or misleading because they represented that a user either would not be enrolled in, or would be removed from, Buzz, when in fact a user was enrolled and not removed from the service consistent with these representations.

The FTC also alleged that Google failed to disclose how a user’s information would be shared.  These allegations also amounted to a substantive violation of the US-EU Safe Harbor Framework, according to the FTC—particularly, the Notice and Choice and limited purpose principles.

These practices also violated Google’s own privacy policy in effect at the time Google Buzz was launched, according to the FTC.  In pertinent part, the policy stated that “Gmail stores, processes and maintains your messages, contact lists and other data related to your account in order to provide the service to you” and “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” (Emphasis added.)

In settling the FTC’s charges, Google did not admit the truth of any of the FTC’s substantive allegations.

This settlement demonstrates the importance of having a comprehensive privacy program in place that ensures that privacy protections are incorporated into web applications from the ground up.  The settlement’s requirement that Google enact a comprehensive privacy program demonstrates that the FTC is serious about privacy and foreshadows potential future settlement terms.  The settlement also reaffirms the importance of compliance with the US-EU Safe Harbor framework for companies that have opted into this program.

Specifically, the report found fault with the current practice of notification of data processing under the Directive. Each EU Member State has its own system of notification procedures, resulting in high costs for organizations who may need to notify several EU jurisdictions. The report did not mince words, finding that the hodge-podge of notification procedures "can have a crippling impact on the effectiveness of the [notification] obligation, as obligations which are perceived as excessive, unnecessary or ineffective are more likely to be ignored in practice."

The Report also criticized one of the most well-known features of the Directive, the international transfer obligation of data controllers. Under the Directive, an organization may only transfer personal data outside the EU if the recipient entity is located in a jurisdiction that ensures "an adequate level of protection" or if the organization adopts a transfer mechanism such as the Safe Harbor self-certification program, model (standard) contractual clauses, or Binding Corporate Rules. The Report observed that stakeholders were of the opinion that "distinguishing between countries inside and outside the EU was unnecessary and counter-productive in the modern world. For multi-national organisations operating across boundaries but applying the same high standards of data protection across all geographical divisions, this mechanism made no sense and was seen as contrary to harmonisation and global trade." The report also found that the enforcement of the various EU member states' data protection authorities was inconsistent.

While the Report outlined a number of criticisms, it was not completely negative. The Report noted that the Directive's "principles-based" framework fostered flexibility and that the legislation had served to improve awareness of privacy concerns, and that it was "technology" neutral. These positive attributes aside, the report is nonetheless a frank assessment of the Directive and should serve as an impartial catalyst for updating the Directive to make it consistent with current practices and modern expectations.

In order to comply with French data protection laws, any company operating a database in France must register its database with CNIL.  In the registration, it must (among other things) specify the nature of the database and whether the information contained in the database will be sent overseas to another country that lacks an adequate level of data protection (such as the United States, according to the EU).

When Tyco Healthcare sought to register the database in question in 2004, it represented to CNIL that its purpose was to assist human resources in processing employee data relating to salary information. CNIL, however, requested further information about transborder data flow, the nature of the data base, its functions, and security features. The company failed to respond to the agency’s repeated requests for clarification, and then finally represented to CNIL that the database had been suspended.  The data protection agency then launched an investigation, and uncovered that not only was the relevant database still active but moreover, its use was much more important and widespread than the company had earlier represented. 

The Tyco Healthcare case should provide a strong wake-up call to US multinationals with operations in Europe (and particularly France) underscoring the importance of compliance with European data protection laws, which may be unfamiliar to U.S. based companies.  Moreover, any multinational with a global HRIS (Human Resources Information System) that transfers data from Europe to countries other than Switzerland, Argentina, and Canada – those countries that have been anointed by the EU as possessing laws that provide an adequate level of data protection -- should ensure that it sends data overseas pursuant to an EU-sanctioned method. 

Currently, the EU recognizes three such transborder data flow vehicles:  a company can self-certify with the U.S. Department of Commerce that it adheres to data protection principles (known as the "safe harbor" system), or it can enter into "model contracts" with its European subsidiaries, agreeing to abide by mandatory data protection provisions.  Additionally, it can develop a set of "binding corporate rules"-- company-drafted data protection regulations that apply throughout the company and which must be ratified by each EU member states' data protection authorities.   Failure to implement at least one of the above three methods could result in significant liability and negative exposure.