Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

On January 29, 2009, the German Federal Network Agency (the “Agency”) stated in a press release that it has imposed fines for unauthorized telephone advertising in six cases.  This brings the total to nine procedures (resulting in €500,000 in fines) during the months of December 2009 and January 2010, and marks the first time the Agency has imposed sanctions for violations of the prohibition on unauthorized telephone advertising and for breach of the caller ID requirement for marketing calls.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a second consultation on cloud computing is anticipated in the near future.

The Office of the Privacy Commissioner has put out a call for participation and written submissions by interested parties are due by March 15, 2010.  For further information on the consultation process, view the Office of the Privacy Commissioner's news release.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement (in German).  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire.  The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A class action complaint filed on December 9, 2009, in Illinois federal court alleges that WideOpen West, Finance, LLC ("WOW"), an Internet service provider, violated its users' privacy by "installing spyware devices on its broadband networks."  Valentine v. WideOpen West (N.D. Ill., No. 1:09-cv-07653).  This action against WOW follows the October 6, 2009, dismissal by a district court in California of similar claims against six out-of-state ISP defendants (including WOW) filed in November 2008 by the same lead plaintiff.  The court in Valentine v. NebuAd, Inc. et al. (N.D. Cal., No. 3:08-cv-05113) found that the ISP defendants were not subject to personal jurisdiction in California, leaving the now-defunct NebuAd as the only defendant in that case.  Plaintiff Valentine has now brought this action against WOW in the Northern District of Illinois.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy."  The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts.  The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace.  Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On November 3, 2009, the Higher Regional Court of Düsseldorf (OLG Düsseldorf, Az. I-20 U 137/09) ruled on the duty to verify consent for email marketing with respect to purchased email addresses. According to the Court, a company that purchases email addresses for marketing purposes must verify customer consent itself – the company cannot rely on a data broker’s statement that it obtained the necessary consents.

This decision came in an interim injunction proceeding to cease unsolicited email marketing. The Court ruled in favor of the claimant, finding that the company failed to take necessary measures to verify consent.  The claimant was able to obtain injunctive relief against the defendant under Sections 8 (1), (3), 3 (1) and 7 (2) No. 3 of the Unfair Competition Act.  The Court specified that the defendant did not have a duty to verify individual consents by phone, but could conduct verification by reviewing the stored data of each customer.  Since the law requires "explicit" customer consent to use email addresses for marketing, consents must be documented on a regular basis to be considered valid.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On October 5, 2009, the Federal Trade Commission (“FTC”) issued amendments to its Guides for the Use of Endorsements and Testimonials in Advertising (“Guides”).  Reactions to the amendment have primarily focused on the provisions that require bloggers to disclose their relationship with companies whose products they endorse.  Largely absent from the commentary, however, have been observations regarding theories articulated in the amendments that demonstrate the risk of enforcement for companies that do not have a blog and that do not use third-party bloggers for promotion.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the validity of the Act to Prevent Predatory Marketing Practices Against Minors (the “Act”), which is set to take effect on September 12, 2009.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  In dismissing the claim, the Court acknowledged that the Plaintiffs had successfully established the likelihood of success on the merits that the Act is overbroad and violates the First Amendment.  Although the Plaintiffs met this burden, the Court recognized that the Attorney General has agreed not to enforce the Act, and the Maine Legislature is committed to reconsidering its scope in January 2010.  Accordingly, the Court, with the agreement of the parties, closed the lawsuit in a stipulated order of dismissal.

Click here for details regarding the scope and requirements of the Act.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

New Hampshire recently enacted legislation restricting the use and disclosure of protected health information (“PHI”). As of January 1, 2010, health care providers and their business associates will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under the New Hampshire statute.

The New Hampshire law requires health care providers and their business associates to (i) obtain authorization for the use or disclosure of PHI for “marketing” and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, it prohibits the disclosure of PHI for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (the “Act”) will take effect.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice.  The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators.

For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching.  The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor’s name in combination with any information concerning the minor.  In light of the Act’s restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms.  The text of the law is available here.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law provisions.  To read more, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection."  According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine up to € 50,000.

In addition, the Act clarifies that a commercial phone call is only lawful if the recipient has given his or her prior explicit consent to receive the call.  The provision is intended to prevent the caller's reliance on consent that may have been given by the recipient in a totally different context or after the call was placed.  Further, those placing commercial phone calls may not suppress their phone number or identity.  Violations of this prohibition may be sanctioned with a fine of up to € 10,000.  The Act will enter into force after publication in the official federal gazette.  The full text of the Act (in German) can be found here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. The full text of Ms. Kuneva’s address is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates.  This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices.  In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes.  The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used.  At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising.  These Self-Regulatory Principles are designed to encourage industry self regulation for the protection of consumer privacy in online advertising activities.  The FTC is in the process of reviewing the privacy issues raised by online behavioral advertising over the course of the last decade.  An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007.  In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation.  If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The UK Advertising Standards Authority (“ASA”) recently upheld a complaint under the UK Committee of Advertising Practice Code (“CAP Code”) which requires UK marketers to obtain the explicit consent of consumers before disclosing their personal information to third parties for direct marketing purposes.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Federal Trade Commission ("FTC") recently settled complaints against two telemarketing companies that allegedly called numbers listed on the National Do Not Call Registry.  The companies will pay a combined total of nearly $1.2 million dollars in civil penalties to settle charges that their marketing practices ran afoul of the Telemarketing Sales Rule ("TSR").

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On December 1, 2008, a strict anti-spam law came into effect in Israel. The legislation, enacted as an amendment to the country’s Communications Law, prohibits the delivery of advertisements using mobile text messaging, email, fax or automatic dialing systems without first obtaining the recipient’s explicit written consent. The law contains several exceptions to the prior consent requirement. For example, advertisers may reach out to businesses to inquire whether they wish to receive marketing communications. Advertisers also may send unsolicited marketing communications to individuals with whom they have established a prior business relationship, but the recipients retain the right to opt out of receiving marketing communications in the future. The law also regulates the content of marketing communications. It requires advertisers to include in a commercial message the word "advertisement" and the advertiser's name, address and contact information, including an email address that recipients may use to opt out. The law contains strong enforcement provisions. Recipients of unsolicited communications may sue advertisers to collect up to the equivalent of $250 for every unsolicited communication, without proving actual damages. Violators also may face criminal penalties and fines potentially exceeding the equivalent of $50,000.

A press release from the Israel Ministry of Communications is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A California state Court of Appeal has ruled that a California law barring merchants from collecting “personal identification information” in connection with certain credit card transactions does not prohibit the collection of a five-digit ZIP Code alone. Party City Corp. v. Superior Court of San Diego County, No. D053530, 2008 WL 5264023 (Cal. Ct. App. Dec. 19, 2008).

• Email This
• Print
• Comments
• Trackbacks
• Share Link