On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

In a year when behavioral advertising was already expected to be at the top of the hot button privacy issues list, on January 13, 2008, the Center for Digital Democracy (“CDT”) and U.S. Public Interest Research Group (“US PIRG”) filed a document with the Federal Trade Commission (“FTC”) urging the FTC to investigate online mobile marketing practices, to take new actions to stop mobile marketing activities that “abuse consumer rights,” and to recommend new federal legislation and enhanced enforcement power for the FTC in this area. The document expands on the groups’ concerns about online behavioral advertising generally – the delivery of ads tailored to consumers’ interests based on browsing habits and/or consumer demographics – to the mobile space. In doing so the groups cite the potential for even greater consumer harm because of the additional possibility of location-based targeting linked to a cell phone or other mobile device that is typically tied to a single consumer who uses it for multiple applications, including voice, video and data.

Effective September 1, 2009, companies subject to FTC jurisdiction will not be able to make interstate prerecorded telemarketing calls to EBR consumers absent the prior express written agreement of the consumer. Effective December 1, 2008, any company that continues to make such calls must comply with new restrictions that will continue even after September 1, 2009 when prior express written consent of the consumer is mandatory.

Behavioral tracking of consumers online in order to deliver relevant advertising is a privacy issue that is receiving a lot of attention, and one that has been the focus of Federal Trade Commission and consumer group scrutiny. On September 25th, the United States Senate Commerce Committee held a hearing on online privacy and received commitments from the three industry representatives (from AT&T, Verizon and Time Warner Cable) that if they do deploy technologies that are able to track consumer online behavior in order to tailor advertising, that consumers will have clear notice and a full opportunity to provide affirmative consent. None of the companies currently use such technologies in their roles as Internet Service Providers. The broadband providers challenged the rest of the online industry, including web site operators and application providers such as Google, to provide the same protections to consumers. Essentially, the witnesses called for an end to “opt out” when it comes to online advertising.

On July 17, 2008, the House Telecommunications and Internet Subcommittee examined the practice of deep packet inspection (DPI), a method for networks and third parties to determine what information users (identified by IP addresses or random ID numbers) are searching for and accessing on the Internet in order to tailor more relevant advertising based on an individual’s interests. DPI is often cookie-based and does not link personally identifiable information with user surfer behavior.

The House Subcommittee’s hearing focused on whether the online advertising industry should be required to use opt-in systems, or whether current opt-out systems adequately protect consumers’ privacy. The July 17 hearing is the latest in a series of efforts by regulators and legislators to better understand behavioral targeting.

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.