personally identifiable information

The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 CFR Part 99) (“FERPA”) imposes various requirements on educational institutions regarding the privacy of personally identifiable information contained in education records of students.  On December 9, 2008, the U.S. Department of Education (“DOE”) published final rules amending the regulations that implement FERPA.   

 

Originally proposed on March 28, 2008, the DOE published a notice which proposed various changes to FERPA and its implementing regulations “to implement various statutory changes made to FERPA to implement two recent US Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department’s experience in administering FERPA.”  (73 FR 74806).  According to the DOE, approximately 121 parties submitted comments in response to the March, 2008 NPRM.  The Final Rules become effective January 8, 2009.

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal in the Fourth Appellate District held that zip codes are not “personal identification information” under California’s Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (the “Act.”). The Act prohibits a retailer that accepts credit cards from, among other things, “request[ing], or require[ing] as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the [retailer] writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.” Id. at § 1748.08(a)(2). Under the Act, “personal identification information” is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b). Subdivision (e) of the statute provides that “[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred.”

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008.

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles” follows from the FTC’s town hall meeting held in early November 2007. There, FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses’ alike.