Online Privacy

Subscribe to Online Privacy via RSS

The Federal Communication Commission’s (the “FCC”) landmark decision last year to reclassify Internet service providers (“ISPs”) as common carriers under Title II of the Communications Act of 1934 implicates policy issues that extend well beyond net neutrality.  Perhaps chief among them is the treatment of customer proprietary network information (“CPNI”) by broadband access providers.  The CPNI rules, which were adopted as part of the Telecommunications Act of 1996, were originally implemented to facilitate competition in the context of a landline telephone network, rather than address privacy concerns for broadband providers.  Yet as part of the FCC’s Open Internet Order (which is currently under legal challenge), these rules apply to broadband as well.

On January 1, 2016, the Delaware Online Privacy and Protection Act (“DOPPA”) will go into force, a law that provides strong online privacy protection for its residents.  The new law targets three areas of compliance: (1) advertising to children; (2) conspicuous posting of a compliant privacy policy; and (3) enhancing the privacy protections of users of digital books (“e-books”).  The law grants the state’s Consumer Protection Unit of the Department of Justice the authority to investigate and prosecute violations of the law. This new Delaware law is substantially similar to three existing California laws that regulate the same practices. Given the similarities in language, DOPPA was clearly drafted with the California laws in mind.

The average American today generates more media than they did at any other point in history, and the ease with which our communications, photos, and videos are sent and stored digitally means most of us have more media stored in the cloud or on a single digital device than previous generations would have created in an entire lifetime. However, even as the amount of media we create and store has increased, the laws governing its search and seizure have failed to keep up. Under federal law and the laws of most states, the same information may be subject to different levels of protection from government authorities depending on whether that information is in the form of an e-mail stored in the cloud or a letter stored in a desk drawer.

California is attempting to change that equation. On October 8, 2015, Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA, SB 178), a sweeping bill

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide.

We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that control personal data about them (“data controllers”) to delete all such data and abstain from further disseminating it. A data controller is required to act on an individual’s request to delete their personal data without delay unless they have a legitimate reason for not doing so. A series of European Court rulings established that search engines such as Google qualify as “data controllers,” and that search engines can be required to “delist” links to content as a means of preventing that content from being disseminated. Most surprising however, is the suggestion in these rulings that Google can be required to delist links from all Google domains, not just from domains in the E.U. or in specific E.U. countries. 

Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation is pending in a number of other states.

With paywalls and premium subscriptions finding only modest success, paid advertisements remain the primary means of generating revenue from online content. Native advertising has emerged as a leader in the competition for ad impressions and brand engagement. Expected to grow from $7.9 billion in spending this year to $21 billion by 2018, native advertising is lauded as the future of online advertising.