Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling.  The cases involved consumer complaints implicating the companies in several illegal acts.  The companies claimed they had obtained prior consent from the consumers they contacted.  The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games.  The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies.  The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In the latest chapter of the Federal Trade Commission’s ongoing efforts to promote consumer privacy with respect to online behavioral advertising, FTC Chairman Jon Leibowitz has reportedly suggested that the FTC may propose a Do Not Track Registry.  The registry would be similar to the FTC’s popular Do Not Call Registry, which allows consumers to opt-out of many types of telemarketing calls, but registration on the Do Not Track Registry would not stop online advertisements.  Instead, it would prevent those advertisements from being targeted to users based on their prior online activity.  Mr. Leibowitz’s remarks came during a hearing on Consumer Online Privacy held yesterday by the U.S. Senate Committee on Commerce, Science, and Transportation.  Current industry self-regulatory initiatives for providing consumers with choice regarding behavioral advertising include the Network Advertising Initiative’s Opt-Out Tool, which has been criticized for relying on opt-out cookies that consumers may accidentally delete, and a related beta Firefox browser extension designed to remember consumers’ opt-out preferences even after cookies are deleted.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data.  “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement.  Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet.  He indicated that his bill would go beyond the regulation of targeted advertising.  “Protecting the privacy of consumers online involves much more than the targeted advertising to which they are subjected,” Senator Kerry said. “Such advertising is just one result of the information that is routinely collected about us online.”

As we reported last week, Representative Bobby Rush (D-Ill.) introduced a bill regarding online data collection practices, which itself followed a similar bill proposed in May by Congressmen Boucher (D-VA) and Stearns (R-FL).  Also on Tuesday, FTC Chairman Jon Leibowitz testified before the U.S. Senate about FTC efforts to protect consumer privacy.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online.  Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience.  But there are risks too.  A record of our online activity can reveal our most personal interests.  Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 24, 2010, the Article 29 Working Party adopted Opinion 2/2010 (the “Opinion”) providing further clarification on online behavioral advertising.  The Working Party also issued a press release on this topic.  Although the scope of the Opinion is limited to online profiling, its interpretation of Article 5(3) of the amended e-Privacy Directive provides some useful clarifications regarding the legal framework applicable to online behavioral advertising and the use of cookies.  We provide a short analysis of the Opinion below.

Opt-in?  Browser setting as opt-in?  Opt-out?  The Opinion clarifies the Working Party’s interpretation of the new Article 5(3) and Recital 66 of the e-Privacy Directive.  According to the Working Party, Article 5(3) and Recital 66, along with the General Data Protection Directive (“Directive 95/46/EC”), require prior opt-in consent since “prior opt-in consent mechanisms are better suited to deliver informed consent.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 17, 2010, the French data protection authority (the “CNIL”) published its Annual Activity Report for 2009 (the “Report”) in which it outlines some of its priorities for the upcoming year.

In February 2009, the CNIL published a report on online targeted advertising. Among other things, the CNIL voiced its concern regarding online behavioral and advertising activities and analyzed the risks of increasing user profiling.  In 2010, the CNIL is expected to issue a joint opinion with the Article 29 Working Party on targeted advertising and behavioral analysis.  The CNIL also will open a dialogue with several stakeholders from the marketing sector to work on adopting a code of best practices.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 25, 2010, two privacy-related bills were introduced in the Parliament of Canada: the Fighting Internet and Wireless Spam Act (“FISA” or Bill C-28) and the Safeguarding Canadians’ Personal Information Act (Bill C-29) amending the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Bill C-29 is the long-awaited government response to the five-year mandatory review of PIPEDA.  The centerpiece of the bill is a new disclosure provision for security breaches related to personal information.  Key elements in the security breach notification proposal include:

• Any “material breach of security safeguards involving personal information” would have to be reported to the Privacy Commissioner of Canada.
• A determination of whether the breach is “material” would be made by the entity, based on the sensitivity of the information, the number of individuals affected and whether there is a systemic problem.
• Notification would have to be made “as soon as feasible” individuals affected by the breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
• A determination of whether there is a “real risk” would be made by the entity, based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Today three advocacy organizations filed a complaint with the Federal Trade Commission (“FTC”), demanding that it investigate and impose drastic requirements on entities involved in online data analytics and behavioral advertising.  In their complaint, the U.S. Public Interest Research Group (“U.S. PIRG”), the Center for Digital Democracy and the World Privacy Forum target Google, Yahoo!, BlueKai, PubMatic, TARGUSinfo and others for allegedly participating in what the U.S. PIRG terms a “Wild West” of online collection and auctioning of data for marketing purposes.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 29, 2009, the German Federal Network Agency (the “Agency”) stated in a press release that it has imposed fines for unauthorized telephone advertising in six cases.  This brings the total to nine procedures (resulting in €500,000 in fines) during the months of December 2009 and January 2010, and marks the first time the Agency has imposed sanctions for violations of the prohibition on unauthorized telephone advertising and for breach of the caller ID requirement for marketing calls.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a second consultation on cloud computing is anticipated in the near future.

The Office of the Privacy Commissioner has put out a call for participation and written submissions by interested parties are due by March 15, 2010.  For further information on the consultation process, view the Office of the Privacy Commissioner's news release.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement (in German).  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire.  The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A class action complaint filed on December 9, 2009, in Illinois federal court alleges that WideOpen West, Finance, LLC ("WOW"), an Internet service provider, violated its users' privacy by "installing spyware devices on its broadband networks."  Valentine v. WideOpen West (N.D. Ill., No. 1:09-cv-07653).  This action against WOW follows the October 6, 2009, dismissal by a district court in California of similar claims against six out-of-state ISP defendants (including WOW) filed in November 2008 by the same lead plaintiff.  The court in Valentine v. NebuAd, Inc. et al. (N.D. Cal., No. 3:08-cv-05113) found that the ISP defendants were not subject to personal jurisdiction in California, leaving the now-defunct NebuAd as the only defendant in that case.  Plaintiff Valentine has now brought this action against WOW in the Northern District of Illinois.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy."  The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts.  The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace.  Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On November 3, 2009, the Higher Regional Court of Düsseldorf (OLG Düsseldorf, Az. I-20 U 137/09) ruled on the duty to verify consent for email marketing with respect to purchased email addresses. According to the Court, a company that purchases email addresses for marketing purposes must verify customer consent itself – the company cannot rely on a data broker’s statement that it obtained the necessary consents.

This decision came in an interim injunction proceeding to cease unsolicited email marketing. The Court ruled in favor of the claimant, finding that the company failed to take necessary measures to verify consent.  The claimant was able to obtain injunctive relief against the defendant under Sections 8 (1), (3), 3 (1) and 7 (2) No. 3 of the Unfair Competition Act.  The Court specified that the defendant did not have a duty to verify individual consents by phone, but could conduct verification by reviewing the stored data of each customer.  Since the law requires "explicit" customer consent to use email addresses for marketing, consents must be documented on a regular basis to be considered valid.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On October 5, 2009, the Federal Trade Commission (“FTC”) issued amendments to its Guides for the Use of Endorsements and Testimonials in Advertising (“Guides”).  Reactions to the amendment have primarily focused on the provisions that require bloggers to disclose their relationship with companies whose products they endorse.  Largely absent from the commentary, however, have been observations regarding theories articulated in the amendments that demonstrate the risk of enforcement for companies that do not have a blog and that do not use third-party bloggers for promotion.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On September 15, 2009, the Federal Trade Commission unveiled a series of public roundtables that will focus on the effect of modern technology and business practices on the privacy of consumer information.  The goal of the panels is to explore how to best balance the concerns for consumer privacy, beneficial use of consumer information and technological innovation.  The discussions will address myriad technologies and practices, such as social networking, cloud computing, behavioral marketing, mobile marketing and, generally, the collection of consumer information for various purposes.  The roundtables will also consider the adequacy of existing legal and self-regulatory frameworks.  Participants will include academics, privacy experts, consumer advocates, industry representatives, technology experts, legislators, and experts from outside the United States.  The Commission has asked individuals and organizations to submit requests to participate as panelists and suggest discussion topics.  The Commission also has asked interested parties to submit written comments and research on the issues of (i) risks, concerns and benefits associated with the collection and use of consumer information, (ii) consumer expectations of how their information is used, and (iii) the adequacy of existing legal requirements and self-regulatory regimes in protecting consumer privacy interests.

Click here for more information on the Commission’s news release.

• Email This
• Print
• Trackbacks
• Share Link

On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the validity of the Act to Prevent Predatory Marketing Practices Against Minors (the “Act”), which is set to take effect on September 12, 2009.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  In dismissing the claim, the Court acknowledged that the Plaintiffs had successfully established the likelihood of success on the merits that the Act is overbroad and violates the First Amendment.  Although the Plaintiffs met this burden, the Court recognized that the Attorney General has agreed not to enforce the Act, and the Maine Legislature is committed to reconsidering its scope in January 2010.  Accordingly, the Court, with the agreement of the parties, closed the lawsuit in a stipulated order of dismissal.

Click here for details regarding the scope and requirements of the Act.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

New Hampshire recently enacted legislation restricting the use and disclosure of protected health information (“PHI”). As of January 1, 2010, health care providers and their business associates will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under the New Hampshire statute.

The New Hampshire law requires health care providers and their business associates to (i) obtain authorization for the use or disclosure of PHI for “marketing” and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, it prohibits the disclosure of PHI for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (the “Act”) will take effect.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice.  The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators.

For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching.  The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor’s name in combination with any information concerning the minor.  In light of the Act’s restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms.  The text of the law is available here.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law provisions.  To read more, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection."  According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine up to € 50,000.

In addition, the Act clarifies that a commercial phone call is only lawful if the recipient has given his or her prior explicit consent to receive the call.  The provision is intended to prevent the caller's reliance on consent that may have been given by the recipient in a totally different context or after the call was placed.  Further, those placing commercial phone calls may not suppress their phone number or identity.  Violations of this prohibition may be sanctioned with a fine of up to € 10,000.  The Act will enter into force after publication in the official federal gazette.  The full text of the Act (in German) can be found here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. The full text of Ms. Kuneva’s address is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates.  This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices.  In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes.  The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used.  At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising.  These Self-Regulatory Principles are designed to encourage industry self regulation for the protection of consumer privacy in online advertising activities.  The FTC is in the process of reviewing the privacy issues raised by online behavioral advertising over the course of the last decade.  An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007.  In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation.  If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The UK Advertising Standards Authority (“ASA”) recently upheld a complaint under the UK Committee of Advertising Practice Code (“CAP Code”) which requires UK marketers to obtain the explicit consent of consumers before disclosing their personal information to third parties for direct marketing purposes.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As part of its ongoing efforts to examine evolving internet marketing practices, earlier today the Federal Trade Commission released a report on self-regulation of online behavioral advertising.  This report analyzes the comments received from interested parties in response to proposed self-regulatory principles issued by the Commission in December 2007.  It covers a wide range of issues including the increasingly blurred line between personally identifiable information and non-personally identifiable information and the applicability of regulations to "first party" versus contextual advertising.
 
Links to the report and the concurring statements of Commissioners Harbour and Leibowitz, as well as FTC Congressional testimony on behavioral advertising, can be found here. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Federal Trade Commission ("FTC") recently settled complaints against two telemarketing companies that allegedly called numbers listed on the National Do Not Call Registry.  The companies will pay a combined total of nearly $1.2 million dollars in civil penalties to settle charges that their marketing practices ran afoul of the Telemarketing Sales Rule ("TSR").

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On December 1, 2008, a strict anti-spam law came into effect in Israel.  The legislation, enacted as an amendment to the country’s Communications Law, prohibits the delivery of advertisements using mobile text messaging, email, fax or automatic dialing systems without first obtaining the recipient’s explicit written consent.  The law contains several exceptions to the prior consent requirement.  For example, advertisers may reach out to businesses to inquire whether they wish to receive marketing communications.  Advertisers also may send unsolicited marketing communications to individuals with whom they have established a prior business relationship, but the recipients retain the right to opt out of receiving marketing communications in the future.  The law also regulates the content of marketing communications. It requires advertisers to include in a commercial message the word "advertisement" and the advertiser's name, address and contact information, including an email address that recipients may use to opt out.  The law contains strong enforcement provisions. Recipients of unsolicited communications may sue advertisers to collect up to the equivalent of $250 for every unsolicited communication, without proving actual damages.  Violators also may face criminal penalties and fines potentially exceeding the equivalent of $50,000.

A press release from the Israel Ministry of Communications is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A California state Court of Appeal has ruled that a California law barring merchants from collecting “personal identification information” in connection with certain credit card transactions does not prohibit the collection of a five-digit ZIP Code alone. Party City Corp. v. Superior Court of San Diego County, No. D053530, 2008 WL 5264023 (Cal. Ct. App. Dec. 19, 2008).

• Email This
• Print
• Comments
• Trackbacks
• Share Link