The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program.  In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement though does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

A German court (Case No. 133 C 5677/08) recently issued a decision that Internet Protocol (IP) addresses stored on a company’s server do not constitute “personal data” under the German data protection law. An IP address is a unique number that every computer connected to the internet is assigned. Under German data protection law (and EU law generally), “personal data” is any data that identifies a natural person. Usually, whether or not a particular category of data constitutes “personal data” is fairly noncontroversial. However, the issue of whether IP addresses constitute personal data is a particularly thorny issue, as an IP address usually consists of a string of numbers, making it difficult to identify a natural person behind a given numerical combination. In fact, last year the EU article 29 Working Party (the EU Committee charged with clarifying the EU Data Protection Directive) has previously opined in 2007, and again in 2008 in more detail as reported here that there is “no doubt” IP addresses do in fact constitute “data relating to an identifiable person” under the EU Data Protection Directive.

Effective September 1, 2009, companies subject to FTC jurisdiction will not be able to make interstate prerecorded telemarketing calls to EBR consumers absent the prior express written agreement of the consumer. Effective December 1, 2008, any company that continues to make such calls must comply with new restrictions that will continue even after September 1, 2009 when prior express written consent of the consumer is mandatory.

 The Third Circuit recently ruled that a labor union violated the federal Driver’s Privacy Protection Act (“DPPA”) when it accessed the motor vehicle records of Cintas employees for an improper “labor-organizing” purpose. In Pichler v. UNITE, the divided court affirmed the district court’s grant of summary judgment to the plaintiffs whose home addresses were obtained as part of the Union of Needletrades, Industrial & Textile Employees’ (“UNITE”) drive to organize Cintas employees. In reaching its conclusion, the court held that punitive damages may be awarded for violations of the DPPA. The court also concluded that the union’s assertion that it collected and used personal information from motor vehicle records for litigation — a permissible purpose under the DPPA — did not overcome the lower court’s finding that it collected and used the information for impermissible labor-organizing activities.

Behavioral tracking of consumers online in order to deliver relevant advertising is a privacy issue that is receiving a lot of attention, and one that has been the focus of Federal Trade Commission and consumer group scrutiny. On September 25th, the United States Senate Commerce Committee held a hearing on online privacy and received commitments from the three industry representatives (from AT&T, Verizon and Time Warner Cable) that if they do deploy technologies that are able to track consumer online behavior in order to tailor advertising, that consumers will have clear notice and a full opportunity to provide affirmative consent. None of the companies currently use such technologies in their roles as Internet Service Providers. The broadband providers challenged the rest of the online industry, including web site operators and application providers such as Google, to provide the same protections to consumers. Essentially, the witnesses called for an end to “opt out” when it comes to online advertising.

A Nevada law requiring encryption of customer personal information goes into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970 (2007). While the legislation is short in length, it is potentially wide-ranging in scope. In particular, the legislation requires any “business in this State” to encrypt an electronic transmission (other than via facsimile) of “any personal information of a customer” to “a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission.” Id.