Light, (Camera), Class Action! After Seven Years of Dormancy Since Inception, Businesses See Class Action Lawsuits for Alleged Violations of California's "Shine the Light" Act

The past month has seen a new pattern of class action lawsuits filed in California courts against businesses for allegedly violating California’s Shine the Light privacy law (the “Act”). For seven years since the Act became effective, well-intentioned businesses have understandably had the sense that their compliance approach has been sound, and we have seen no challenges to that notion. Recent class actions have alleged non-compliance on technical grounds as frivolous as the title of the privacy policy being “Privacy Policy” instead of “Your Privacy Rights.” Why should that cost a business $500 - $3,000 per California customer? We would have to ask the plaintiffs’ lawyer that question.

Under the Act, Cal. Civ. Code §1798.83, California residents have the right to request from a business with twenty or more employees, with whom they have an established business relationship, certain information about the business’s disclosure of personal information to third parties for direct marketing purposes. Specifically, such California residents may ask for details about what personal information the business shares with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt-out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations. 

To date, despite being effective since 2005, there are no published decisions under the Act. But that may change with this month’s wave of class action lawsuits. The complaints in the recently filed class action lawsuits share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each respective business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety-day cure period before they can be held in violation of the law, as long as their violation was not willful, intentional or reckless. Many companies that have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses.

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

Never Make a Promise You Can't Keep -- Especially in Your Privacy Policy

Expect the unexpected from your Web site privacy policy. In a handful of cases, including two which were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Are your intellectual property litigators reading your privacy policy?

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. OH July 8, 2010), the court held that a provision from a settlement agreement entered into by FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF was unenforceable because doing so would result in a violation of Healio’s privacy policy. The settlement agreement FenF was trying to enforce against Healio arose from Healio’s alleged infringement of FenF’s intellectual property. As a part of the settlement agreement, Healio agreed to transfer to FenF certain customer lists containing customer information. However, Healio promised in its privacy policy that it would not share its customers’ information with third parties. The court reasoned that “[a]llowing Plaintiff to obtain that information without any type of notice to the customers would result in manifest unfairness to those customers, who are not a party to this action and may very well have conditioned their purchases from Healio Health on that company’s promise to keep their customer information confidential.” Id. at 5. 

When you wrote your privacy policy, were you thinking about “the end”?

XY

Recently, the Federal Trade Commission (“FTC”) intervened in a bankruptcy case in which purchasers were attempting to acquire the personal information of subscribers of XY, which, before filing for bankruptcy, operated a magazine and website that targeted young gay men. When it was operating, XY collected sensitive data from anywhere between 500,000 to 1 million subscribers. XY promised its subscribers that their information was safe by stating on its website, “Our privacy policy is simple: we never share your information with anybody.”

The FTC wrote in its letter, dated July 1, 2010, to the counsel of the purchasers that the acquisition of such information would violate the FTC Act, because XY’s sale of subscriber information after XY explicitly promised not to share such information would be an unfair and deceptive act or practice. The FTC requested that XY destroy the subscriber information at issue due to the highly sensitive nature of the information. On August 3, 2010, in response to the FTC’s concerns, the U.S. Bankruptcy Court for the District of New Jersey approved the parties’ settlement agreement, which stipulated that the information at issue would be destroyed.

Toysmart.com

The XY bankruptcy was not the first time that the sale of customer lists of a company in bankruptcy was thwarted due to promises made in its privacy policy. In 2000, Toysmart.com, LLC (“Toysmart”), an electronic toy retailer, announced that it was going out of business and sought offers for its customer lists which contained personally identifiable information of its customers. The FTC opposed such a sale and brought suit against Toysmart based on Toysmart’s promise in its privacy policy that it would not share its customers' personally identifiable information with third parties. Federal Trade Comm'n v. Toysmart.com, LLC, 2000 WL 34016434 (D. Mass. July 21, 2000) (Unreported). A group of state attorneys general took similar actions to prevent the sale of the lists. Ultimately, Disney, the majority owner of Toysmart, agreed to purchase and destroy Toysmart's customer lists.

Verified Identity Pass

Years after the Toysmart case, Verified Identity Pass, Inc. (“VIP”) encountered a similar situation. VIP was a company that allowed airport travelers to expeditiously pass through security checkpoints. The company filed for bankruptcy on December 1, 2009. VIP sought an acquirer, but the U.S. District Court for the Southern District of New York issued an injunction preventing VIP from selling or otherwise disclosing personal information from its database because VIP promised in its membership agreement and related privacy policy that it would not sell or distribute such information. On May 4, 2010, VIP was acquired by Alclear, LLC. The U.S. Bankruptcy Court for the Southern District of New York appointed a consumer privacy ombudsman to oversee the transfer of the personally identifiable information. VIP was forced to amend its Privacy Policy to reflect the fact that it would now be transferring its customers’ personal information to third parties. In addition, VIP had to send notice of the changes to its privacy policy to each affected customer and had to give each affected customer the option to opt-out of the transfer by electing to have his or her information destroyed.

The Bankruptcy Code

The Bankruptcy Code was amended in 2005 to specifically address the sale of a debtor company’s customer information as part of its liquidation. Now, under section 363(b)(1) of Chapter 11 of the Bankruptcy Code, the appointed trustee may sell the property of an estate; however, if the debtor has a privacy policy prohibiting the transfer of personally identifiable information to persons not affiliated with the debtor and that policy is in effect on the date of the commencement of the case, then the trustee may not sell such information. A sale of such information may nevertheless occur in the following circumstances: if the sale is consistent with the privacy policy (e.g., there is a carve-out in the privacy policy for a sale of the personally identifiable information), or if a court appoints a consumer privacy ombudsman in accordance with § 332 of the Bankruptcy Code and the court approves the sale.


Facebook Simplified Its Privacy Policy, But Has Anyone Noticed?

The blogosphere has been abuzz lately about Facebook’s new privacy settings, but lost amid all the noise is Facebook’s implementation of a new user-friendly privacy policy.

For those who haven’t been paying attention (or who haven’t logged on to Facebook lately), Facebook’s 350 million users are being asked to refine their privacy settings with a new software tool that allows users to dictate who has access to each category of content the user uploads to the website. Critics have slammed the updated privacy settings in large part because of certain personal information that is deemed public to all Facebook members: your name, city, gender, photograph, your lists of friends and “fan” pages, and networks to which you belong. Facebook is also being criticized for the default privacy settings, which would allow a user’s status updates and other content to be shared with anyone on the internet. On December 17, 2009, the Electronic Privacy Information Center ("E.P.I.C."), joined by nine other privacy and consumer organizations, filed a complaint with the Federal Trade Commission asking for an investigation into these changes, which the complaint describes as "unfair and deceptive trade practices."

Lost amid this public outcry is Facebook’s recent move to a more user-friendly privacy policy. To comply with California’s Online Privacy Protection Act, operators of websites or online services that gather “personally identifying information” must conspicuously post their privacy policies online. This policy must (1) identify the personally identifying information the site or service collects and with whom it shares that information, (2) describe any available process by which a user may review and/or request changes to the personally identifiable information collected, (3) describe the process by which the site or service notifies users of material changes to its privacy policy, and (4) identify the policy’s effective date.

The problem with most privacy policies designed to comply with California’s law is that, generally speaking, privacy policies are dense and full of legalese. In the context of the federal Gramm-Leach-Bliley Act (“GLBA”), regulators have recognized that hard-to-read privacy policies are not helpful to consumers, and have taken steps to encourage more user-friendly privacy policies. (See our November 20 post regarding GLBA privacy notices here.) Facebook has responded to these concerns by adopting a completely rewritten privacy policy designed to make its policy more accessible and easier to understand.

For example, Facebook’s new policy includes a bullet point summary of key points at the beginning of the policy followed by section headings that allow users to jump to particular areas of the policy. Complex legal terms have been replaced throughout the policy by more basic language, with hyperlinks to pages containing more detail on key terms or issues. On Facebook’s company blog post detailing the new policy (available here), the company commits to adding additional definitions of key terms, screen shots of important pages, and “learn more” video content.

It isn’t hyperbole to say that Facebook’s privacy policies are subject to more public critique and impassioned criticism than any other in history. Regardless of your position on Facebook’s new default privacy settings, Facebook’s revised privacy policy is a step towards providing its users with clarity regarding how the information its users share is gathered and used. More importantly, the move toward a simpler online privacy policy is likely a sign of things to come in the Internet business community.

Flash Cookies -- Back on the Radar


When Flash cookies (also known as “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies to their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy.

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.

The Flash Cookies and Privacy report found that 54 of the top 100 websites utilized Flash cookies. Some of the Flash cookies found by the researchers were used for function-improving purposes, while others were found to store unique identifiers, which could be used to track the user. Moreover, some of the Flash cookies that stored unique identifiers were used to recreate an HTTP cookie after its affirmative removal by the user (so-called “respawning”). Research also revealed that privacy policies of the top 100 websites surveyed generally did not mention the use of Flash as a tracking mechanism – indeed, only 4 policies reviewed by the study included such a disclosure.
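Because Flash cookies live outside the browser's cookie store, the practical way for a privacy reviewer or forensic examiner to tell a harmless preference cache from a tracking identifier is to open the stored file and look at what it holds. The following is an added example, not code from the Berkeley report or from Adobe: a small Python parser for the on-disk Local Shared Object (.sol) format as it is commonly documented (a 0x00 0xBF magic, a big-endian length, a "TCSO" marker, the object name, and AMF0-encoded name/value pairs; that layout is an assumption of this example, not something the page states). It builds a constructed sample file inline, decodes it, and flags string values that look like opaque unique identifiers, the kind of entry the report associates with respawning.

```python
import re
import struct

# AMF0 type markers handled by this example (the subset a preference
# cookie or tracking identifier typically uses).
AMF0_NUMBER = 0x00     # 8-byte big-endian IEEE double
AMF0_BOOLEAN = 0x01    # 1 byte
AMF0_STRING = 0x02     # 2-byte length + UTF-8 bytes
AMF0_NULL = 0x05
AMF0_UNDEFINED = 0x06

# Heuristic for "looks like a machine-generated ID": long, opaque,
# alphanumeric with no spaces. A real volume setting never matches this.
_ID_LIKE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def _read_amf0(buf, pos):
    """Decode one AMF0 value at buf[pos]; return (value, new_pos)."""
    t = buf[pos]
    pos += 1
    if t == AMF0_NUMBER:
        (val,) = struct.unpack_from(">d", buf, pos)
        return val, pos + 8
    if t == AMF0_BOOLEAN:
        return bool(buf[pos]), pos + 1
    if t == AMF0_STRING:
        (n,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if t in (AMF0_NULL, AMF0_UNDEFINED):
        return None, pos
    raise ValueError(f"unsupported AMF0 type 0x{t:02x} at offset {pos - 1}")


def parse_sol(data):
    """Parse an AMF0 .sol file; return (object_name, {key: value})."""
    if data[:2] != b"\x00\xbf":
        raise ValueError("not a .sol file (bad magic)")
    (body_len,) = struct.unpack_from(">I", data, 2)
    if body_len != len(data) - 6:          # length covers everything after byte 6
        raise ValueError("length field does not match file size")
    if data[6:10] != b"TCSO":
        raise ValueError("missing TCSO marker")
    pos = 16                                # 6 fixed padding bytes follow "TCSO"
    (name_len,) = struct.unpack_from(">H", data, pos)
    pos += 2
    name = data[pos:pos + name_len].decode("utf-8")
    pos += name_len
    (version,) = struct.unpack_from(">I", data, pos)
    pos += 4
    if version != 0:
        raise ValueError("only AMF0-encoded .sol files are handled here")
    entries = {}
    while pos < len(data):
        (klen,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = data[pos:pos + klen].decode("utf-8")
        pos += klen
        val, pos = _read_amf0(data, pos)
        entries[key] = val
        pos += 1                            # each entry ends with a 0x00 trailer byte
    return name, entries


def suspicious_identifiers(entries):
    """Return the subset of entries whose string value looks like a unique ID."""
    return {k: v for k, v in entries.items()
            if isinstance(v, str) and _ID_LIKE.match(v)}


def build_sol(name, entries):
    """Constructed helper: encode a dict of str/number/bool as .sol bytes,
    used only to fabricate sample input for the parser above."""
    body = struct.pack(">H", len(name)) + name.encode("utf-8") + struct.pack(">I", 0)
    for k, v in entries.items():
        if isinstance(v, bool):                 # bool before int: bool is an int subclass
            enc = bytes([AMF0_BOOLEAN, int(v)])
        elif isinstance(v, (int, float)):
            enc = bytes([AMF0_NUMBER]) + struct.pack(">d", float(v))
        elif isinstance(v, str):
            b = v.encode("utf-8")
            enc = bytes([AMF0_STRING]) + struct.pack(">H", len(b)) + b
        else:
            raise TypeError(f"unsupported value for {k!r}")
        kb = k.encode("utf-8")
        body += struct.pack(">H", len(kb)) + kb + enc + b"\x00"
    payload = b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + body
    return b"\x00\xbf" + struct.pack(">I", len(payload)) + payload


# Constructed sample: a player-settings object that also carries an opaque ID.
SAMPLE_SOL = build_sol("settings", {
    "volume": 0.8,
    "muted": False,
    "uid": "a3f9c2e17b4d8e60f1a2b3c4d5e6f708",   # constructed, not a real identifier
})


if __name__ == "__main__":
    obj_name, obj = parse_sol(SAMPLE_SOL)
    print(obj_name, obj)
    print("identifier-like entries:", suspicious_identifiers(obj))
```

Pointed at a real `#SharedObjects` directory, the same `parse_sol` call over each `.sol` file gives a per-site inventory of what is being stored, which is the information a privacy policy disclosure about Flash cookies should be able to describe; the `_ID_LIKE` heuristic is deliberately crude and is a starting point for manual review rather than a verdict.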

The report is already making some waves: Quantcast, a company that measures web destinations and internet use, has said that it stopped its practice of using Flash cookies to respawn HTTP cookies after the report, which specifically named Quantcast, was released. And the timing of the report coincides with Congress and federal regulators examining behavioral advertising.

Computer users should be aware of the presence of Flash cookies and, if desired, visit Adobe’s website to learn how to disable Flash cookies. Website operators should, as a best practice, disclose their use of Flash cookies in their privacy policies, including information about how Flash cookies are used and how users can opt out or remove them.