Online Privacy : Privacy & Information Security Law Blog

Online Ad Network Sued Over Tracking Using Flash Cookies

Posted on August 27, 2010 by Hunton & Williams LLP

On August 18, 2010, a complaint was filed in the U.S. District Court for the Central District of California, alleging that Specific Media, Inc. violated the Computer Fraud and Abuse Act, as well as state privacy and computer security laws, by failing to provide adequate notice regarding its online tracking practices. The suit, brought by six web users, seeks class action status and over $5 million in damages, and cites Specific Media’s use of Flash cookies to re-create deleted browser cookies as one of the offending practices.

Tags: Behavioral Advertising, California, Class Action, Computer Fraud and Abuse Act, Cookies, Internet, Online Privacy, Personally identifiable information, State Law

Bankrupt Magazine Must Destroy Readers' Personal Information

Posted on August 17, 2010 by Hunton & Williams LLP

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act. The magazine, which catered to a young gay audience, had a website privacy policy that asserted “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.” Readers who submitted online profile information were told that their information “will not be published. We keep it secret.” The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

Tags: Consumer Protection, Enforcement, Enforcement, Federal Trade Commission, Marketing, Online Privacy, Privacy policy

Hackers Identify Privacy Vulnerabilities in Photo Sharing Websites

Posted on August 12, 2010 by Hunton & Williams LLP

BBC News is reporting that privacy was a major topic at this year’s Hackers on Planet Earth (“HOPE”) conference that was held in New York in July. Participants spoke to the BBC about privacy vulnerabilities that they have discovered on various Internet sites. For example, one participant discussed how GPS data embedded in digital photos users post online, combined with other information available in the photos and on the Internet, may reveal the exact locations where the users work, live and travel, as well as users’ real-time locations. Participants explained that their goal is to identify the privacy vulnerabilities and provide information to others on how to protect their privacy online. Hear the full interview.

Tags: Hacker, Information Security, Online Privacy

UK Information Commissioner's Office Releases Assessment of Google Street View

Posted on July 30, 2010 by Hunton & Williams LLP

In a statement released on July 29, 2010, the UK Information Commissioner's Office ("ICO") has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise "does not include meaningful personal details that could be linked to an identifiable person." This follows an assessment carried out by the ICO on a sample of the data in question at Google's London offices.

Tags: Enforcement, Germany, Google, Information Commissioners Office, Information Security, International, Online Privacy, United Kingdom

FTC Chairman Considers Do Not Track Registry

Posted on July 28, 2010 by Hunton & Williams LLP

In the latest chapter of the Federal Trade Commission’s ongoing efforts to promote consumer privacy with respect to online behavioral advertising, FTC Chairman Jon Leibowitz has reportedly suggested that the FTC may propose a Do Not Track Registry. The registry would be similar to the FTC’s popular Do Not Call Registry, which allows consumers to opt-out of many types of telemarketing calls, but registration on the Do Not Track Registry would not stop online advertisements. Instead, it would prevent those advertisements from being targeted to users based on their prior online activity. Mr. Leibowitz’s remarks came during a hearing on Consumer Online Privacy held yesterday by the U.S. Senate Committee on Commerce, Science, and Transportation. Current industry self-regulatory initiatives for providing consumers with choice regarding behavioral advertising include the Network Advertising Initiative’s Opt-Out Tool, which has been criticized for relying on opt-out cookies that consumers may accidentally delete, and a related beta Firefox browser extension designed to remember consumers’ opt-out preferences even after cookies are deleted.

Tags: Behavioral Advertising, Consumer Protection, Federal Trade Commission, Jon Leibowitz, Marketing, Online Privacy

Kerry Signals Senate Support for Online Privacy Legislation

Posted on July 28, 2010 by Hunton & Williams LLP

On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data. “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement. Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet. He indicated that his bill would go beyond the regulation of targeted advertising. “Protecting the privacy of consumers online involves much more than the targeted advertising to which they are subjected,” Senator Kerry said. “Such advertising is just one result of the information that is routinely collected about us online.”

As we reported last week, Representative Bobby Rush (D-Ill.) introduced a bill regarding online data collection practices, which itself followed a similar bill proposed in May by Congressmen Boucher (D-VA) and Stearns (R-FL). Also on Tuesday, FTC Chairman Jon Leibowitz testified before the U.S. Senate about FTC efforts to protect consumer privacy.

Tags: Behavioral Advertising, Bobby Rush, Cliff Stearns, Consumer Protection, Enforcement, Federal Trade Commission, Internet, John Kerry, Jon Leibowitz, Legislation, Marketing, Online Privacy, Personal information, Rick Boucher

Coalition of States Demands Answers About Google Street View

Posted on July 22, 2010 by Hunton & Williams LLP

On July 21, 2010, a coalition of 38 states sent a letter to Google demanding more information about the company’s collection of data from unsecured wireless networks by its Google Street View vehicles. The letter was sent by Connecticut Attorney General Richard Blumenthal on behalf of the executive committee of a multistate working group investigating Google Street View practices. As we reported on June 22, Blumenthal has spearheaded the nationwide investigation into Google Street View. Among other things, the letter asks Google to identify who was responsible for the software code that allowed the Street View cars to collect data broadcast over Wi-Fi networks, and for a list of states where unauthorized data collection occurred. The letter also asks Google for details regarding whether any of the data was disclosed to third parties or used for marketing purposes.

Tags: Connecticut, Enforcement, Google, Information Security, Online Privacy, Richard Blumenthal, State Law, Wireless Network

Article 29 Working Party Report Highlights Inconsistent, Unlawful Implementation of EU Data Retention Directive

Posted on July 22, 2010 by Hunton & Williams LLP

On July 14, 2010, the Article 29 Working Party issued a press release regarding its findings on the implementation of the European Data Retention Directive (Directive 2006/24/EC). The findings, compiled in a report to be contributed to the European Commission’s forthcoming evaluation of the Directive, indicate that the obligation to retain all telecom and Internet traffic data is not being applied correctly or uniformly across the EU Member States. Specifically, the Working Party’s press release states that service providers retain and share data in ways contrary to the Directive. The Working Party further noted that Member States’ reluctance to provide statistics on the use of retained data limits the ability to verify the value of data retention practices.

Tags: Article 29 Working Party, European Commission, European Union, International, Internet, Online Privacy, Record retention

Sweeping Privacy Legislation Would Include Private Right of Action

Posted on July 20, 2010 by Hunton & Williams LLP

On July 19, 2010, Representative Bobby Rush (D-Ill.) introduced a bill "to foster transparency about the commercial use of personal information" and "provide consumers with meaningful choice about the collection, use and disclosure of such information." The bill, cleverly nicknamed the "BEST PRACTICES Act", presumably intends to set the standards for the use of consumer personal information by marketers. A similar bill was introduced by Representatives Boucher and Stearns in early May. Although both proposals would require opt-out consent for online behavioral advertising and express, affirmative consent for the collection or sharing of sensitive information, Rush's bill has a broader definition of "sensitive information" and includes several other key differences. Perhaps most notably, unlike the earlier draft legislation, Rush's bill features a private right of action that would allow individuals to sue companies that violate the law for up to $1,000 in actual damages, plus punitive damages and costs and attorney's fees. The bill contains a safe harbor from the private right of action for companies that participate in, and comply with, a self-regulatory "Choice Program" approved by the FTC. In addition, the bill excludes from its definition of "covered information" any information collected from or about an employee by an employer "that directly relates to the employee-employer relationship." A hearing on the proposed bill will be held on Thursday July 22, 2010.

Read the text of the bill.

Tags: Behavioral Advertising, Bobby Rush, Cliff Stearns, Congress, Enforcement, Federal Trade Commission, Internet, Legislation, Online Privacy, Personal information, Rick Boucher, Workplace Privacy

FTC's David Vladeck Opposes Bankruptcy Transfer of Personal Information

Posted on July 15, 2010 by Hunton & Williams LLP

David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).

Tags: Consumer Protection, David Vladeck, Federal Trade Commission, Lisa Sotto, Marketing, Online Privacy, Privacy policy, Scott Bernstein

French Data Protection Authority Publishes Opinion Regarding New Security Bill

Posted on July 14, 2010 by Hunton & Williams LLP

On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d'orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate's Commission of Laws on June 2, 2010.

Tags: Body Scanner, CCTV, CNIL, European Union, France, Identity Theft, International, Internet, Online Privacy, Personal data, Video surveillance

German Court Finds No Right to Immediate Deletion of IP Addresses

Posted on July 13, 2010 by Hunton & Williams LLP

In a recently published decision rendered on June 16, 2010, the Frankfurt am Main Higher Regional Court ruled that an Internet access provider may store IP addresses for seven days, and therefore, customers have no right to demand immediate deletion of their IP addresses. The Court’s ruling upheld a decision originally rendered by the regional court of Darmstadt.

The claimant had requested that Deutsche Telekom AG delete the dynamic IP address assigned and stored for each Internet session immediately upon disconnection by a user. Up to that point, the Internet provider had been retaining IP addresses for 80 days after each billing cycle. In June 2007, the lower court granted the claimant request, imposing a maximum retention period of seven days for IP addresses. The Internet provider reduced its IP address retention period accordingly, based on an agreement with the German federal data protection authority.

Tags: Behavioral Advertising, Data Protection Authority, European Union, Germany, IP address, International, Internet, Online Privacy, Record retention, Telecommunications

UK Information Commissioner's Office Launches New Code of Practice

Posted on July 9, 2010 by Hunton & Williams LLP

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online. Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience. But there are risks too. A record of our online activity can reveal our most personal interests. Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

Tags: Behavioral Advertising, Christopher Graham, Cloud Computing, Enforcement, European Union, International, Internet, Marketing, Online Privacy, Personal data, United Kingdom

Facebook Announces Privacy Changes for Third-Party Applications

Posted on July 1, 2010 by Hunton & Williams LLP

Bret Taylor, the Chief Technology Officer of Facebook, announced this week on the Facebook Blog that the company will enhance privacy protections pertaining to third-party applications. When a Facebook user logs into a third-party application with his or her Facebook account, the application will only be able to access the public parts of the user’s Facebook profile. If the application wants to access private sections of a user’s Facebook profile, the application has to explicitly ask the Facebook user for permission. For example, if a greeting card application wants to access a user’s photos to create a personalized greeting card, the Facebook user will have to click a button to allow such access.

In his announcement, Mr. Taylor stated that the changes “reflect two core Facebook beliefs: first, your data belongs to you; second, it should be easy to control what you share. If at any point you ask a developer to remove the data you’ve granted them access to, we require that they delete this information.” The changes come in the wake of scrutiny by both legislators and privacy organizations regarding privacy protections on the social networking website.

Tags: Bret Taylor, Facebook, Information Security, Internet, Online Privacy, Social networking

Twitter Settles FTC Data Security Charges

Posted on June 24, 2010 by Hunton & Williams LLP

Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information. The charges stem from alleged lapses in the company’s data security that permitted hackers to access tweets that users had designated as private and to issue phony tweets from the accounts of some users, including then-President-elect Barack Obama. According to the FTC’s complaint (main document, exhibits), these attacks on Twitter’s system were possible due to a failure to implement reasonable safeguards, including:

requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites or networks;
prohibiting employees from storing administrative passwords in plain text within their personal email accounts;
suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
restricting access to administrative controls to employees whose jobs required it; and
imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

The proposed settlement agreement contains a consent order requiring Twitter to implement data security safeguards and submit to periodic independent security audits. The FTC’s press release contains more details.

Tags: Consumer Protection, Enforcement, Federal Trade Commission, IP address, Information Security, Internet, Online Privacy, Personal information, Social networking, Twitter, Workplace Privacy

French Data Protection Authority Investigates Google Street View

Posted on June 24, 2010 by Hunton & Williams LLP

On June 17, 2010, the French data protection authority (the “CNIL”) reported that it had conducted an on-site investigation at Google on May 19 to examine activities by Google’s Street View cars. This investigation followed Google’s May 14 announcement that it had inadvertently captured Wi-Fi signals emitted in locations where its vehicles were taking photos.

Tags: CNIL, Data Protection Act, Data Protection Authority, Enforcement, European Union, France, Google, International, Internet, Online Privacy, Personal data

Connecticut Attorney General to Lead Multistate Investigation into Google

Posted on June 22, 2010 by Hunton & Williams LLP

Connecticut Attorney General Richard Blumenthal recently announced that his office will lead a multistate investigation into the “deeply disturbing” unauthorized collection of personal data from wireless computer networks by Google’s Street View cars. Attorney General Blumenthal noted that Google “must provide a complete and comprehensive explanation of how this unauthorized data collection happened, why the information was kept if collection was inadvertent and what action will prevent a recurrence.” A significant number of states are expected to participate in the investigation.

Blumenthal’s press release is available on the Connecticut Attorney General’s website.

Tags: Connecticut, Enforcement, Google, Internet, Online Privacy, Personal data, Richard Blumenthal, State Law

Emerging Privacy Issues in Bankruptcy

Posted on June 16, 2010 by Hunton & Williams LLP

The emergence of information privacy issues over the last decade has led to increased scrutiny of public representations that companies make regarding their information practices. As a result of consumer privacy expectations and legal requirements, these representations are typically found in a company's website privacy notice. Too often, however, companies make commitments regarding their information practices that are difficult to meet and fail to anticipate changes in business circumstances (such as mergers or sales of assets). Such commitments may prove damaging to the company, its investors and creditors. Read more in an article published by GC New York on June 10, 2010, by Lisa J. Sotto, Scott H. Bernstein and Boris Segalis.

Tags: Consumer Protection, Enforcement, Federal Trade Commission, Information Security, Internet, Lisa Sotto, Online Privacy, Personal information, Scott Bernstein

Privacy Settings on Social Networking Sites May Determine Protection Under Stored Communications Act

Posted on June 10, 2010 by Hunton & Williams LLP

On May 26, 2010, the court in Crispin v. Christian Audigier, Inc. quashed portions of subpoenas seeking the disclosure of private messages sent through Facebook and MySpace. The court left open the question of whether Crispin’s wall postings and comments should be disclosed pending a more thorough review of his online privacy settings.

Tags: California, Electronic Communications Privacy Act, Facebook, Litigation, MySpace, Ninth Circuit, Online Privacy, Social networking, Stored Communications Act, Wiretap

Canadian Bills Propose Security Breach Notification Requirements and Anti-Spam Regulations

Posted on June 4, 2010 by Hunton & Williams LLP

On May 25, 2010, two privacy-related bills were introduced in the Parliament of Canada: the Fighting Internet and Wireless Spam Act (“FISA” or Bill C-28) and the Safeguarding Canadians’ Personal Information Act (Bill C-29) amending the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Bill C-29 is the long-awaited government response to the five-year mandatory review of PIPEDA. The centerpiece of the bill is a new disclosure provision for security breaches related to personal information. Key elements in the security breach notification proposal include:

Any “material breach of security safeguards involving personal information” would have to be reported to the Privacy Commissioner of Canada.
A determination of whether the breach is “material” would be made by the entity, based on the sensitivity of the information, the number of individuals affected and whether there is a systemic problem.
Notification would have to be made “as soon as feasible” individuals affected by the breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
A determination of whether there is a “real risk” would be made by the entity, based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused.

Tags: Canada, Email, International, Internet, Marketing, Online Privacy, Personal information, Security Breach, Stephen Harper

Article 29 Working Party Calls on FTC to Investigate Online Retention and Anonymization Policies

Posted on June 1, 2010 by Hunton & Williams LLP

In a letter to the U.S. Federal Trade Commission dated May 26, 2010, the Article 29 Working Party expressed concerns regarding the retention and anonymization policies of Google, Yahoo! and Microsoft. Specifically, the Working Party requested that the FTC examine the compatibility of the three search engine providers’ actions with provisions of Section 5 of the FTC Act which prohibits unfair or deceptive trade practices.

Tags: Anonymization Policy, Article 29 Working Party, EU Data Protection Directive, European Union, Federal Trade Commission, Google, International, Internet, Microsoft, Online Privacy, Personal data, Viviane Reding, Yahoo!

Commerce Department Takes Lead in Developing U.S. Internet Privacy Framework

Posted on May 11, 2010 by Hunton & Williams LLP

“The Department of Commerce is back.” With those words Cameron Kerry, General Counsel of the U.S. Department of Commerce, made it clear the Department intends to take a leading role in shaping domestic privacy policy and representing U.S. privacy interests in international discussions. The announcement was made at the May 7, 2010, Department of Commerce symposium, “A Dialogue on Privacy and Innovation,” where the mostly business audience welcomed Mr. Kerry’s declaration with great enthusiasm.

Tags: Andrew McLaughlin, Cameron Kerry, Centre for Information Policy Leadership, Danny Weitzner, Department of Commerce, Events, Fred Cate, Internet, Marc Berejka, Obama, Online Privacy, Privacy policy, Telecommunications

Congressmen Introduce Draft Privacy Legislation

Posted on May 4, 2010 by Hunton & Williams LLP

On May 4, 2010, Congressmen Rick Boucher (D-VA) and Cliff Stearns (R-FL) introduced draft legislation designed to protect the privacy of personal information both on the Internet and in offline contexts. View drafts of the text of the bill and an executive summary of the proposed bill.

The legislation would apply to any “covered entity,” which is defined as “a person engaged in interstate commerce that collects data containing covered information.” The term “covered information” is very broad and includes, but is not limited to, an individual’s first name or initial and last name, a postal address, a telephone number or an email address. Government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period (and do not collect sensitive information) would not be considered “covered entities” for purposes of the law.

Tags: Behavioral Advertising, Cliff Stearns, Congress, Enforcement, Federal Trade Commission, Internet, Legislation, Online Privacy, Personal information, Rick Boucher

U.S. Legislators Urge Enhanced Privacy Protections for Social Networking Websites

Posted on April 29, 2010 by Hunton & Williams LLP

Legislators at the federal and state levels are urging social networking websites to enhance privacy protections available to their users. On April 27, 2010, four U.S. Senators wrote a letter to Facebook’s CEO expressing “concern regarding recent changes to the Facebook privacy policy and the use of personal data on third party websites.” The letter urged Facebook to provide opt-in mechanisms for users, as opposed to lengthy opt-out processes, and highlighted default sharing of personal information, third-party advertisers’ data storage and instant personalization features as three areas of concern.

Tags: California, Enforcement, Facebook, Federal Trade Commission, Internet, Online Privacy, Opt-in consent, Personal information, Social networking, State Law

Department of Commerce to Seek Public Comment on Privacy Issues

Posted on April 22, 2010 by Hunton & Williams LLP

On April 20, 2010, the Department of Commerce (“DOC”) issued a Notice of Inquiry to solicit public feedback “on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy.” The aim is to understand “whether current privacy laws serve consumer interests and fundamental democratic values.” To this end, the DOC poses a number of questions, including:

Is the notice and choice approach to consumer privacy outmoded? Would consumers be better served by a “use-based” model?
How does compliance with myriad state privacy laws affect business activities and online operations?
How do international privacy laws and regulations impact global Internet commerce, compliance costs, product development process and Internet users?
What jurisdictional conflicts do companies and regulators face as a result of privacy laws? What is their impact on trade and foreign investment?
How does the U.S. privacy framework affect business innovation, accountability and compliance related to the use of personal information?
What is the state of the development, use and acceptance of privacy-related technologies?
How do privacy laws impact startup ventures and small and medium-sized entities?

The DOC plans to issue a report based on an analysis of public feedback it receives. According to a DOC spokesperson, the Notice of Inquiry is expected to be published in the Federal Register on April 23, 2010. Hunton & Williams’ Centre for Information Policy Leadership will be submitting comments.

On April 16, we reported that the DOC will be holding a public meeting on May 7, 2010, to listen to stakeholders’ views on privacy policy and innovation in the United States.

Tags: Accountability, Centre for Information Policy Leadership, Department of Commerce, International, Internet, Online Privacy, State Law

International Data Protection Authorities Scold Google Over Privacy Concerns

Posted on April 21, 2010 by Hunton & Williams LLP

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt. The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

Tags: Canada, Data Protection Authority, Enforcement, European Union, France, Germany, Google, International, Ireland, Israel, Italy, Marketing, Netherlands, New Zealand, Online Privacy, Privacy by design, Spain, United Kingdom

The Digital Economy Act 2010: A Step Toward Censorship?

Posted on April 19, 2010 by Hunton & Williams LLP

On April 8, 2010, the Digital Economy Act (the “Act”), containing provisions relating to online copyright infringement, network infrastructure and digital safety, became law in the UK. The Act’s main provisions include:

new duties for the Office of Communications (the UK’s communications regulator), to report every three years on issues such as the UK’s communications infrastructure and Internet domain name registration;
additional obligations on Internet Service Providers (“ISPs”) that seek to reduce online copyright infringement;
increased penalties for online copyright infringement; and
intervention powers with respect to Internet domain registries.

Tags: European Union, IP address, International, Online Privacy, Right to privacy, United Kingdom

Department of Commerce Announces a Public Meeting on "Information Privacy and Innovation in the Internet Economy"

Posted on April 16, 2010 by Hunton & Williams LLP

The Department of Commerce (“DOC”) will be holding a public meeting on May 7, 2010, in Washington, D.C., to listen to stakeholders’ views on privacy policies in the United States. This session is part of a broader inquiry by the DOC’s newly created Internet Policy Task Force “whose mission is to identify leading public policy and operational challenges in the Internet environment.” The DOC’s National Telecommunications and Information Administration and the International Trade Administration will issue a notice of inquiry to look at the nexus between innovation and privacy on the Internet. The Centre for Information Policy Leadership will be participating in these processes.

Tags: Centre for Information Policy Leadership, Department of Commerce, District of Columbia, Events, Internet, Online Privacy, Privacy policy, Telecommunications

Italian Court's Reasoning in Google Case Released

Posted on April 14, 2010 by Hunton & Williams LLP

Following up on our previous post on the sentencing of three Google executives by an Italian court, the New York Times reports that an 111-page explanation of the verdict has been released. Judge Oscar Magi found that Google had an obligation to make users more aware of its EU privacy policies, and cited Google’s active marketing of its Google Video site as indicative of the company’s profit motive for not removing the video sooner.

Tags: Enforcement, European Union, Google, International, Internet, Italy, Online Privacy

German Ministry Releases Key Issues Paper on Upcoming Employee Data Protection Regulation

Posted on April 12, 2010 by Hunton & Williams LLP

In the wake of recent amendments to the German Federal Data Protection Act, the German Federal Ministry of the Interior (the Bundesinnenministerium des Innern) is working on a draft law on special rules for employee data protection. The draft law is intended to provide clarification on some issues that were not addressed fully in the amendments that entered into force on September 1, 2009. The Ministry’s overarching considerations are set forth in a key issues paper that was published April 1, 2010.

Tags: Enforcement, European Union, Federal Data Protection Act, Germany, Health Privacy, Information Security, International, Online Privacy, Video surveillance, Workplace Privacy

Behavioral Advertising Complaint Filed with the FTC

Posted on April 8, 2010 by Hunton & Williams LLP

Today three advocacy organizations filed a complaint with the Federal Trade Commission (“FTC”), demanding that it investigate and impose drastic requirements on entities involved in online data analytics and behavioral advertising. In their complaint, the U.S. Public Interest Research Group (“U.S. PIRG”), the Center for Digital Democracy and the World Privacy Forum target Google, Yahoo!, BlueKai, PubMatic, TARGUSinfo and others for allegedly participating in what the U.S. PIRG terms a “Wild West” of online collection and auctioning of data for marketing purposes.

Tags: Behavioral Advertising, Federal Trade Commission, Google, Internet, Marketing, Online Privacy, Yahoo!

New Report Offers Insight on How the British Public Views Personal Data Use

Posted on April 5, 2010 by Hunton & Williams LLP

Demos, an independent UK-based think tank, has published a report describing the views of a cross-section of British people on how their personal data are used by the public and private sectors. Private Lives: A People’s Inquiry Into Personal Information (the “Report”) was researched in the context of the UK Information Commissioner’s Office’s consultation on the Personal Information Online Code of Practice. The Information Commissioner called for industry and research groups to provide context for the new Code of Practice. “What emerges from the study is a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy,” observed UK Information Commissioner Christopher Graham.

Tags: Behavioral Advertising, Centre for Information Policy Leadership, Christopher Graham, European Union, Health Privacy, Information Commissioners Office, International, Online Privacy, Paula Bruening, Personal data, Personal information, United Kingdom

New Jersey Supreme Court's Ruling Advances Employee Privacy

Posted on April 2, 2010 by Hunton & Williams LLP

On March 30, 2010, the New Jersey Supreme Court ruled for the former employee in Stengart v. Loving Care Agency, Inc. on the employee’s claim that state common privacy law protected certain of her emails from review by the employer.

Tags: Email, Employee Monitoring, New Jersey, Online Privacy, State Law, Workplace Privacy

Landmark Israeli Supreme Court Case: Online Anonymity Is a Constitutional Right

Posted on March 31, 2010 by Hunton & Williams LLP

In a landmark holding, the Israeli Supreme Court restricted the unmasking of an anonymous defendant on an online defamation case, holding that online anonymity is a constitutional right derived from the right to privacy and free speech.

Tags: Enforcement, Freedom of Speech, Internet, Israel, Online Privacy, Right to privacy

FTC's Revised Free Credit Reports Rule Becomes Effective April 2, 2010

Posted on March 24, 2010 by Hunton & Williams LLP

Provisions of the FTC’s revised rule that regulate advertisements for free credit reports become effective April 2, 2010. As required by the Credit CARD Act of 2009, the FTC promulgated the revised rule on February 22, 2010, to prevent the deceptive marketing of free credit reports by companies that required consumers to sign up for paid products and services such as credit monitoring in order to receive the reports.

Tags: Credit Report, FCRA, Federal Trade Commission, Financial Privacy, Online Privacy, Telemarketing

French Data Protection Authority Unveils 2010 Inspections Report

Posted on March 22, 2010 by Hunton & Williams LLP

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year. In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
verifying that data controllers comply with the technical recommendations defined in their registration forms; and
assessing the effectiveness of data protection officers within organizations.

Tags: Airport Security, Body Scanner, CCTV, CNIL, Compliance, Data Protection Authority, Enforcement, European Union, France, International, Marketing, Online Privacy, Personal data, Video surveillance

Comments by Outgoing FTC Commissioner Pamela Jones Harbour Suggest Continuing Focus on Consumer Privacy by the Commission

Posted on March 18, 2010 by Hunton & Williams LLP

The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products. Ms. Harbour lamented that companies do not take consumer privacy seriously. She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.” Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default. Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data. Soon after the launch, Google changed the defaults to allow users more control. Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.

Tags: Consumer Protection, Enforcement, Federal Trade Commission, Google, Information Security, Julie Brill, Online Privacy, Pamela Jones Harbour, Personal data, Social networking

LifeLock to Pay $12 Million Over False Claims of Identity Theft Protection

Posted on March 9, 2010 by Hunton & Williams LLP

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services. The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers. The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity theft, and only limited protection against other types of fraud.

The FTC’s complaint and further details concerning the settlement are available on the FTC’s website. The FTC also has posted a page to provide information on the redress program for current and former LifeLock customers.

Tags: Consumer Protection, Enforcement, Federal Trade Commission, Identity Theft, LifeLock, Online Privacy, Security Breach

German Federal Constitutional Court Declares Implementation of Data Retention Directive Unconstitutional

Posted on March 2, 2010 by Hunton & Williams LLP

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months. This information may be retrieved for law enforcement and safety purposes. Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history.

Tags: Email, Enforcement, European Union, Fundamental Rights, Germany, IP address, Information Security, International, Internet, Online Privacy, Personal information, Telecommunications

Senior Google Executives Sentenced for Violation of Italian Privacy Laws

Posted on February 24, 2010 by Hunton & Williams LLP

In February 24, 2010, an Italian court in Milan found three Google executives guilty of violating applicable Italian privacy laws. The executives were accused of violating Italian law by having allowed a video showing an autistic teenager being bullied to be posted online. The Google executives, Senior Vice President and Chief Legal Officer David Drummond, Chief Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes, were fined and received six-month suspended jail sentences.

Tags: Data Protection Authority, David Drummond, Enforcement, European Union, Freedom of Information, Freedom of Speech, George De Los Reyes, Google, International, Internet, Italy, Liability, Online Privacy, Peter Fleischer, Richard Thomas, Social networking, YouTube

FTC Warns Organizations of P2P-Related Data Security Breaches

Posted on February 23, 2010 by Hunton & Williams LLP

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud. In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers. The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws. Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers.

Hunton & Williams partner, Lisa J. Sotto, discussed the FTC’s release in USA Today's Technology Live Blog.

Tags: Enforcement, Federal Trade Commission, Identity Theft, Online Privacy, P2P, Personal information, Security Breach, Workplace Privacy

Failure to Secure Wireless Network Defeats ECPA Claims

Posted on February 12, 2010 by Hunton & Williams LLP

A computer user’s failure to secure his wireless network contributed to the defeat of his claim that a neighbor’s unwelcome access to his files violated the Electronic Communications Privacy Act ("ECPA"). The ECPA places restrictions on unauthorized interception of, and access to, electronic communications.

Tags: Electronic Communications Privacy Act, ITunes, Information Security, Online Privacy

Privacy and Data Security Risks in Cloud Computing

Posted on February 5, 2010 by Hunton & Williams LLP

Cloud computing raises complex legal issues related to privacy and information security. As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments. In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

Tags: Bridget Treacy, Cloud Computing, Data Transfer, European Union, Gramm Leach Bliley Act, HIPAA, HITECH Act, Health Privacy, Information Security, International, Lisa Sotto, Melinda McLellan, Online Privacy, Security Breach, State Law, Workplace Privacy

Canadian Privacy Commissioner Investigates Facebook

Posted on February 4, 2010 by Hunton & Williams LLP

Pursuant to a public complaint, on January 27, 2010, the Privacy Commissioner of Canada announced a new investigation into Facebook. The investigation concerns the social networking site’s introduction of a tool that required its users to review their privacy settings in December 2009. According to the complaint, Facebook’s new default settings allegedly made some users’ information more accessible than previously had been the case. Elizabeth Denham, the Assistant Privacy Commissioner, indicated “[s]ome Facebook users are disappointed by certain changes being made to the site – changes that were supposed to strengthen their privacy and the protection of their personal information.”

The new complaint follows the Commissioner’s July 2009 release of findings resulting from an investigation into Facebook’s privacy policies and practices. The findings highlighted concerns regarding Facebook, including a need for increased transparency and clarity. The Office of the Privacy Commissioner will continue to follow up with Facebook as the company implements changes to its site.

For further information, please see the Office of the Privacy Commissioner's News Release.

Tags: Canada, Elizabeth Denham, Facebook, International, Jennifer Stoddart, Online Privacy, Personal information, Privacy policy, Social networking

FTC's Second Exploring Privacy Roundtable

Posted on January 29, 2010 by Hunton & Williams LLP

The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010. The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.

Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions. “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.

Tags: Behavioral Advertising, Centre for Information Policy Leadership, Cloud Computing, Consumer Protection, Danny Weitzner, David Vladeck, Enforcement, Events, Exploring Privacy, Federal Trade Commission, Fred Cate, Jessica Rich, Online Privacy, Pamela Jones Harbour, Peter Cullen

FINRA Issues Guidance on the Use of Blogs and Social Networking

Posted on January 27, 2010 by Hunton & Williams LLP

On January 25, 2010, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 10-06, Guidance on Blogs and Social Networking Web Sites (the “Guidance”) for securities firms, investment advisors and brokers. FINRA, which is the largest non-governmental financial regulator, previously had issued guidance on other issues pertaining to interactive web sites, such as participation by securities firms and their employees in Internet chat rooms discussing stocks or investments. The goals of the Guidance are to “ensure that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations” as well as “to interpret [the] rules in a flexible manner to allow firms to communicate with clients and investors using” blogs and social networking.

Tags: Compliance, Enforcement, Financial Industry Regulatory Authority, Information Security, Internet, Online Privacy, Social networking, Workplace Privacy

Microsoft Calls for Legislative Action to Set Rules for Cloud Computing

Posted on January 22, 2010 by Hunton & Williams LLP

Microsoft is urging Congress and the information technology industry to act now to ensure that cloud computing is guided by an international commitment to privacy, security and transparency for consumers, businesses and government. A survey commissioned by Microsoft found that while the general population and senior business leaders are excited about the potential of cloud computing, most are concerned about the security, access and privacy of their information in the cloud and believe the government should establish laws, rules and policies for cloud computing. Microsoft also has called for an international dialogue on data sovereignty to address users' desire that rules and regulations governing their data remain uniform regardless of the physical location of the information.

Microsoft’s proposal includes reforming and strengthening the Electronic Communications Privacy Act to provide stronger protections for consumers and businesses; modernizing the Computer Fraud and Abuse Act to give law enforcement the tools to prosecute malicious hackers and deter online-based crimes; enacting legislation to ensure that consumers and businesses know whether and how their information is accessed and used by service providers and how it will be protected online; and pursuing a new multilateral framework to address data access issues globally.

View more information on Microsoft’s proposal.

Tags: Cloud Computing, Computer Fraud and Abuse Act, Electronic Communications Privacy Act, Information Security, Microsoft, Online Privacy

Privacy Commissioner of Canada Announces Public Consultations on Emerging Technologies

Posted on January 20, 2010 by Hunton & Williams LLP

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers. The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.” The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy. The announcement of a second consultation on cloud computing is anticipated in the near future.

The Office of the Privacy Commissioner has put out a call for participation and written submissions by interested parties are due by March 15, 2010. For further information on the consultation process, view the Office of the Privacy Commissioner's news release.

Tags: Behavioral Advertising, Canada, Cloud Computing, Consumer Protection, Events, International, Jennifer Stoddart, Marketing, Online Privacy, Social networking

Federal Trade Commission: Is Privacy Moving to a Post-Disclosure Era?

Posted on January 12, 2010 by Hunton & Williams LLP

In a discussion with The New York Times, Federal Trade Commission (“FTC”) Chairman Jon Leibowitz, and chief of the FTC’s Bureau of Consumer Protection, David Vladeck, indicated that Internet publishers and advertisers can expect the FTC to play a more active role in safeguarding consumer privacy. Chairman Leibowitz highlighted that, in the past, the FTC’s approach to privacy has focused on consumer notice and consent, and whether consumers were harmed. From the FTC’s perspective, however, the present model is problematic because companies have failed to provide consumers with meaningful notice that would allow them to make effective choices regarding their privacy. This “advise-and-consent” model is broken, as it “depended on the fiction that people were meaningfully giving consent.” In reality, few consumers take the time to inform themselves about the notices and choices outlined in privacy policies.

Tags: David Vladeck, Enforcement, Federal Trade Commission, Jon Leibowitz, Online Privacy, Privacy policy

New Chinese Tort Liability Law Contains Provisions Affecting Personal Data

Posted on January 11, 2010 by Hunton & Williams LLP

On December 26, 2009, the Standing Committee of China’s National People’s Congress passed a landmark new law that contains provisions affecting personal data. The new law will go into effect on July 1, 2010.

The P.R.C. Tort Liability Law is a wide-ranging law that imposes tort liability for matters ranging from environmental damage to product liability to animal bites. Certain of its provisions relate, expressly or in a general sense, to personal information. These provisions can cause data users to incur liability to data subjects for the mishandling of personal information.

Privacy Group Files FTC Complaint Against Facebook

Posted on December 18, 2009 by Hunton & Williams LLP

On December 17, 2009, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the FTC claiming that Facebook is engaging “unfair and deceptive trade practices” by changing its privacy policies. Notably, the changes allow anyone who browses the Internet to view a Facebook user’s name, profile picture, gender, geographic region and list of friends. Facebook has stated that it implemented these changes to make it easier to find individual users among the estimated 350 million Facebook users.

Tags: Electronic Privacy Information Center, Facebook, Federal Trade Commission, Online Privacy, Personal information, Privacy policy

New Class Action Complaint Alleges Privacy Violations by ISP Using NebuAd Device

Posted on December 15, 2009 by Hunton & Williams LLP

A class action complaint filed on December 9, 2009, in Illinois federal court alleges that WideOpen West, Finance, LLC ("WOW"), an Internet service provider, violated its users' privacy by "installing spyware devices on its broadband networks." Valentine v. WideOpen West (N.D. Ill., No. 1:09-cv-07653). This action against WOW follows the October 6, 2009, dismissal by a district court in California of similar claims against six out-of-state ISP defendants (including WOW) filed in November 2008 by the same lead plaintiff. The court in Valentine v. NebuAd, Inc. et al. (N.D. Cal., No. 3:08-cv-05113) found that the ISP defendants were not subject to personal jurisdiction in California, leaving the now-defunct NebuAd as the only defendant in that case. Plaintiff Valentine has now brought this action against WOW in the Northern District of Illinois.

Tags: Advertisement, Behavioral Advertising, Class Action, Computer Fraud and Abuse Act, Electronic Communications Privacy Act, Illinois, Marketing, NebuAd, Online Privacy, Personal information

FTC Kicks Off Privacy Roundtable Series

Posted on December 10, 2009 by Hunton & Williams LLP

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy." The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts. The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace. Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

Tags: Barbara Lawler, Behavioral Advertising, Centre for Information Policy Leadership, Consumer Protection, Events, Exploring Privacy, Federal Trade Commission, Fred Cate, Marc Rotenberg, Marketing, Online Privacy, Personal information, Richard Smith

German Court Rules on Consent Verification Requirement for Email Marketing

Posted on December 8, 2009 by Hunton & Williams LLP

On November 3, 2009, the Higher Regional Court of Düsseldorf (OLG Düsseldorf, Az. I-20 U 137/09) ruled on the duty to verify consent for email marketing with respect to purchased email addresses. According to the Court, a company that purchases email addresses for marketing purposes must verify customer consent itself – the company cannot rely on a data broker’s statement that it obtained the necessary consents.

This decision came in an interim injunction proceeding to cease unsolicited email marketing. The Court ruled in favor of the claimant, finding that the company failed to take necessary measures to verify consent. The claimant was able to obtain injunctive relief against the defendant under Sections 8 (1), (3), 3 (1) and 7 (2) No. 3 of the Unfair Competition Act. The Court specified that the defendant did not have a duty to verify individual consents by phone, but could conduct verification by reviewing the stored data of each customer. Since the law requires "explicit" customer consent to use email addresses for marketing, consents must be documented on a regular basis to be considered valid.

Tags: Email, European Union, Germany, International, Marketing, Online Privacy

Viviane Reding Appointed New EU Commissioner for Fundamental Rights

Posted on December 1, 2009 by Hunton & Williams LLP

Commissioner Viviane Reding has been chosen as Commissioner for Justice, Fundamental Rights, and Citizenship in the new European Commission that is set to take office in early 2010 (assuming approval by the European Parliament). Ms. Reding's responsibilities will thus include data protection, including the Commission's ongoing review of the EU framework for data protection. She is currently EU Commissioner for Information Society & Media, where she oversaw review of the e-Privacy Directive and the EU legislative framework for telecommunications. Commission President Barroso appointed a separate commissioner for fundamental rights as part of a commitment he made to the European Parliament to give greater profile to such issues. Commissioner Reding will share a Directorate-General with Commissioner Cecilia Malmström, who is in charge of Home Affairs (i.e., law enforcement). It remains to be seen how appointing a separate commissioner in charge of fundamental rights (rather than having a single commissioner in charge of both law enforcement and fundamental rights, as is the case in the current DG Justice, Liberty and Security) will affect the data protection portfolio.

Tags: Data Protection, E-Privacy Directive, European Commission, European Union, Fundamental Rights, International, Online Privacy, Viviane Reding

Federation of German Consumer Organisations Successful against Social Networks - Providers Intend to Discontinue Use of Certain Data Protection Provisions

Posted on November 25, 2009 by Hunton & Williams LLP

On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions. The vzbv sent warning notices to the six leading social network providers regarding a number of clauses.

The main criticism from vzbv referred to general terms and conditions and data protection provisions that disadvantaged users and gave wide-ranging rights to the providers. The provisions regarding comprehensive use of data and data processing have been a primary subject of the proceedings. These uses and processing often took place without the user’s consent and exceeded the original purpose for which the data were collected. These practices are supposed to be changed in the future. The providers promised to implement amendments to the provisions by January 2010 the latest.

The vzbv also has published a position paper that outlines what providers need to be doing from a user perspective. This guidance includes for example, that the providers should ensure restrictive pre-settings for user profiles to more fully protect new users. In addition, the providers should assess implications for data protection and consumer protection in case of new technical developments.

For more information please see the press release by vzbv (in German).

Tags: Consumer Protection, Data Protection, European Union, Facebook, Germany, International, Internet, Online Privacy, Social networking

European Commission Pursues Infringement Proceedings Against UK

Posted on November 18, 2009 by Hunton & Williams LLP

On October 29, 2009, the European Commission (the “Commission”) proceeded to the second phase of infringement proceedings against the UK relating to the UK’s implementation of EU e-privacy and personal data protection laws. EU Member States must ensure the confidentiality of communications by prohibiting interception and surveillance without user's consent. The Commission maintains that the UK has failed to fully implement these requirements into its national laws and has identified three specific flaws in the existing UK laws governing the confidentiality of electronic communications:

The UK does not have an independent national authority responsible for (i) supervising the interception of communications and (ii) complaints about unlawful interception of electronic communications, despite the requirement to this effect contained within EU laws and imposed on Member States;

Tags: EU Member States, Enforcement, European Commission, European Union, International, Internet, Online Privacy, United Kingdom

Federal Trade Commission Comes out Swinging: Two-Day Enforcement Haul Totals More than $18.5 Million

Posted on October 20, 2009 by Hunton & Williams LLP

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists. The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule. MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada. The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions. The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

Tags: COPPA, Consumer Protection, Enforcement, Federal Trade Commission, Information Security, Online Privacy, Personal information, Security Breach

New FTC Blog Guidelines Affect Companies Without Blogs

Posted on October 12, 2009 by Hunton & Williams LLP

On October 5, 2009, the Federal Trade Commission (“FTC”) issued amendments to its Guides for the Use of Endorsements and Testimonials in Advertising (“Guides”). Reactions to the amendment have primarily focused on the provisions that require bloggers to disclose their relationship with companies whose products they endorse. Largely absent from the commentary, however, have been observations regarding theories articulated in the amendments that demonstrate the risk of enforcement for companies that do not have a blog and that do not use third-party bloggers for promotion.

Tags: Advertisement, Enforcement, Federal Trade Commission, Internet, Marketing, Online Privacy, Social networking

End to End Trust and the Need for Widespread Collaboration

Posted on October 8, 2009 by Hunton & Williams LLP

Lisa J. Sotto, Partner and Chair of Hunton & Williams' Privacy and Information Management practice, discusses the roles individuals, companies, service providers and governments play in helping to create a safer, more trusted Internet. End to End Trust is Microsoft's broad and all encompassing vision for creating a "safer, more trusted Internet," which is achieved by focusing on three areas: security and privacy fundamentals, technology innovations and social, economic, political and IT alignment. Microsoft believes these combined elements will help people make better choices and have more control about whom and what to trust online.

Tags: End to End Trust, Information Security, Internet, Lisa Sotto, Microsoft, Online Privacy

Boxing and Concepts of Harm: Are Consumers Suffering a TKO on Content?

Posted on October 5, 2009 by Hunton & Williams LLP

Maybe, but it's not that kind of "boxing"...think walls and a lid instead of a ring. "Boxing is where a consumer’s vision and choices are limited by his or her digital history and the analytics that make judgments based on that digital history." Government agencies are concerned with outcome-based analytics and its impact on consumer choice. Read more on "Boxing and Concepts of Harm," written by Marty Abrams of the Centre for Information Policy Leadership, published in the September 2009 issue of Privacy and Data Security Law Journal.

Tags: Behavioral Advertising, Centre for Information Policy Leadership, Consumer Protection, Marty Abrams, Online Privacy

Report Finds America Rejects Targeting Setting-Up Policy Debate

Posted on October 1, 2009 by Hunton & Williams LLP

In its announcement that it would convene a series of public roundtables to address developing privacy issues, the Federal Trade Commission requested empirical data on consumer privacy expectations. In response to that request, researchers at the University of California at Berkeley and the University of Pennsylvania have released a study entitled "Americans Reject Tailored Advertising." Survey data reported in the study found that 66% of Americans reject targeted advertising online; 86% reject such ads when told they are made possible through online data collection. The study also makes the case that Americans would like much stricter laws governing the data collected online and higher penalties for failures to comply.

The study did not explore consumers' perceptions of the role played by targeted advertising in providing free content to users or their willingness to pay for content in the absence of that advertising support. The House Energy and Commerce Committee has announced its intent to address these issues in the current session of Congress. In the absence of alternative empirical data, this study will feature prominently in the policy debate about regulating behavioral targeting in the U.S. and Europe.

Tags: Advertisement, Behavioral Advertising, Consumer Protection, Federal Trade Commission, Internet, Online Privacy

Privacy and the Protection of Personal Information in China

Posted on August 12, 2009 by Hunton & Williams LLP

Privacy laws in China are still evolving, and at this time there is no coordinated legal framework addressing data protection. There are, however, a number of Chinese laws that are applicable to the processing and protection of personal information. Navigating the indirect, piecemeal Chinese approach to regulation in this area may prove challenging for foreign counsel accustomed to practicing in jurisdictions with explicit privacy protection legislation and data security laws. To shed some light on these issues, we have prepared an overview of various Chinese laws that bear on privacy and information security. Click here for the full article.

The article was originally published on the DataGuidance website at www.dataguidance.com.

Tags: China, Information Security, International, Online Privacy, Personal data, Personal information

Washington Court Rules that IP Addresses Are Not Personally Identifiable Information

Posted on July 10, 2009 by Hunton & Williams LLP

In a closely-watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”

Tags: Article 29 Working Party, Consumer Protection, Internet, Microsoft, Online Privacy, Personal information, Personally identifiable information, Privacy policy

Marketing Industry Groups Propose Behavioral Advertising Guidelines

Posted on July 2, 2009 by Hunton & Williams LLP

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

Tags: Behavioral Advertising, Consumer Protection, Federal Trade Commission, Internet, Marketing, Online Privacy

UK Information Commissioner Initiates Dialogue on Online Privacy

Posted on June 12, 2009 by Hunton & Williams LLP

The UK Information Commissioner is initiating a consultation to develop a code of practice that will help companies address online privacy issues. It is anticipated that the code will provide guidance on the following matters:

Operating a privacy-friendly website
Rights and protections for individuals
Privacy choices and default settings
Cyberspace and territoriality

The UK Information Commissioner's Office has requested that interested parties host discussion sessions. Hunton & Williams' London office, together with the firm's Centre for Information Policy Leadership, will be involved. Companies that are interested in participating should contact Bridget Treacy at btreacy@hunton.com or Paula Bruening at pbruening@hunton.com.

Tags: European Union, Information Commissioners Office, International, Internet, Online Privacy, United Kingdom

Sears Settles FTC Enforcement Action Regarding Consumer Tracking

Posted on June 11, 2009 by Hunton & Williams LLP

On June 4, 2009, the Federal Trade Commission (“FTC”) reported that Sears Holdings Management Corporation (“Sears”) agreed to enter into a settlement regarding the Commission’s allegations that the company violated Section 5 of the FTC Act in connection with a new online community application it had developed. Participation in the community allowed Sears to track consumers’ online and, to some extent, offline activities. The FTC’s action is notable as a potential precursor to future enforcement by the FTC in the areas of both transparency and tracking online behavior, the latter having been previously highlighted as an area of interest for the agency. The settlement, discussed in more detail below, is notable in that its requirements make clear that substantial tracking of consumer behavior must be sufficiently transparent (not disclosed only in a lengthy privacy policy or agreement), consumers’ opt-in consent to such tracking must be obtained and, disclosures regarding the nature of the tracking must be made at a meaningfully early stage of the transaction.

Tags: Behavioral Advertising, Consumer Protection, Enforcement, Federal Trade Commission, Online Privacy, Opt-in consent

Online Behavioral Advertising: European Commission launches infringement proceedings against the UK

Posted on April 17, 2009 by Hunton & Williams LLP

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

Tags: Behavioral Advertising, Data Protection Act, EU Data Protection Directive, Enforcement, European Commission, European Union, Information Commissioners Office, International, Online Privacy, Telecommunications, United Kingdom

Online Behavioral Advertising Attracts Attention in Europe

Posted on April 7, 2009 by Hunton & Williams LLP

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. The full text of Ms. Kuneva’s address is available here.

Tags: Behavioral Advertising, CNIL, Consumer Protection, Data Protection, European Union, France, International, Internet, Marketing, Online Privacy, Personal data

Proposed Bills Target Google Earth and Google Street View

Posted on March 26, 2009 by Hunton & Williams LLP

Google Earth and Google Street View, two popular applications offered by Google that enable users to view detailed satellite images of buildings or street-level panoramas of major roads and neighborhoods, have recently engendered controversy. In the United States, legislators in California and Texas have introduced bills directed at Google Earth and other similar applications. The proposed California bill prohibits operators of commercial Internet websites that make a “virtual globe browser available to members of the public” from providing “aerial or satellite photographs or imagery” of schools, religious facilities or government buildings, unless those images have been blurred. Violators could be fined at least $250,000 and natural persons who knowingly violate the provisions could face imprisonment between one to three years. The proposed Texas bill prohibits any person from publishing on the Internet “an image capable of zooming into greater detail than that of an aerial photograph taken without a magnifying lens 300 feet or higher of private property not visible from the public right-of-way,” and classifies the offense as a Class B misdemeanor, which is punishable by a fine up to $2,000 or 180 days in prison.

Tags: California, Google, Internet, Online Privacy, State Law, Texas

Draft Bill to Require Disclosure of Online Behavioral Tracking

Posted on March 24, 2009 by Hunton & Williams LLP

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates. This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices. In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes. The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used. At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. These Self-Regulatory Principles are designed to encourage industry self regulation for the protection of consumer privacy in online advertising activities. The FTC is in the process of reviewing the privacy issues raised by online behavioral advertising over the course of the last decade. An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007. In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation. If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

Tags: Behavioral Advertising, Facebook, Federal Trade Commission, Google, Internet, Marketing, Online Privacy

German Social Networks Signed Code of Conduct

Posted on March 17, 2009 by Hunton & Williams LLP

On March 11, 2009, the operators of Germany's leading social networks, which include "schuelerVZ," "studiVZ," "lokalisten" and "wer-kennt-wen," signed a 17-page Code of Conduct by the Association for Voluntary Self-Regulation of Multimedia Service Providers (the “Code”) in order to protect children and young people. The Code of Conduct aims to improve data protection and consumer protection in social networks and, in particular, to protect young people against harassment. The Code requires that a privacy notice be displayed directly after the registration process and that restrictive default settings be enabled for users under the age of 14. In addition, it must be possible to lock user profiles from search engines, and to block communication with other users. At prominent locations of the sites, features should be implemented to allow users to report irregular behavior and illegal content. The Code also states that sites may only use personal data for marketing and behavioral advertising if the user has been informed of this use of their data and has consented. Furthermore, any advertising material has to be clearly marked as such in accordance with the principle of separation of advertisement and content. The Code also contains a rule on blacklists and provisions regarding disclosure of data in response to law enforcement requests. The companies operating the aforementioned sites, studiVZ Ltd., Lokalisten Media GmbH and lemon line media Ltd. (wer-kennt-wen.de), have agreed to comply with the Code by the end of July 2009. The Code calls upon other social networks to sign it as well. The full text of the Code (in German) can be found here

Tags: Behavioral Advertising, European Union, Germany, International, Internet, Online Privacy, Social networking

Belgian Criminal Court Fines Yahoo for Non-Disclosure of Personal Data to Public Prosecutor

Posted on March 16, 2009 by Hunton & Williams LLP

On 2 March 2009, a Belgian Criminal court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc., €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The Criminal court also imposed a daily penalty fee of €10,000 ($13,045) in a case of non-compliance with the judgment. This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

Tags: Belgium, Criminal Law, Data Protection, Enforcement, European Union, International, Online Privacy, Personal data

"Bot Herder" Slapped With Federal Prison Sentence

Posted on March 6, 2009 by Hunton & Williams LLP

A former computer security consultant was sentenced Wednesday to four years in federal prison for fraud stemming from his involvement with a cyber-crime ring that used botnets to infect an estimated 250,000 computers. He has also been ordered to pay $20,000 in restitution to companies defrauded by the scheme. The 27 year-old California man made history last year when he became the first "bot herder" in the United States to plead guilty to wiretapping charges in connection with the use of botnets. His guilty plea included admissions of accessing protected computers to conduct fraud and disclosing illegally intercepted electronic communications, as well as wire and bank fraud. He faced up to 60 years in prison and $1.75 million in fines.

Tags: Information Security, Online Privacy, Personal information, Wiretap

Is User-Generated Content on Trial? Google Executives Face Criminal Proceedings

Posted on February 13, 2009 by Hunton & Williams LLP

The Criminal Court of Milan has suspended proceedings against four Google executives to allow time to address relevant procedural considerations. The proceedings mark the culmination of a two-year investigation conducted by Italian authorities. The investigation focused on video footage made available on Google Video that depicted a disabled boy being taunted by his fellow classmates. As result of the video footage, Google executives face charges of defamation and privacy infringement.

For purposes of the criminal proceedings, Google is considered an internet content provider. Under the Italian penal code, internet content providers are distinct from internet service providers and bear responsibility for the content they make available online. As such, the Italian Prosecutor in the Google case has argued that companies are responsible for all content on their site. These charges raise questions about potential criminal liability for other online companies that allow user-generated content, such as providers of social networking sites.

The Criminal Court proceedings are expected to begin in Milan on February 18, 2009.

Tags: Enforcement, European Union, Google, International, Internet, Milan, Online Privacy

Federal Trade Commission Issues Behavioral Advertising Report

Posted on February 12, 2009 by Hunton & Williams LLP

As part of its ongoing efforts to examine evolving internet marketing practices, earlier today the Federal Trade Commission released a report on self-regulation of online behavioral advertising. This report analyzes the comments received from interested parties in response to proposed self-regulatory principles issued by the Commission in December 2007. It covers a wide range of issues including the increasingly blurred line between personally identifiable information and non-personally identifiable information and the applicability of regulations to "first party" versus contextual advertising.

Links to the report and the concurring statements of Commissioners Harbour and Leibowitz, as well as FTC Congressional testimony on behavioral advertising, can be found here.

Tags: Behavioral Advertising, Federal Trade Commission, Internet, Jon Leibowitz, Marketing, Online Privacy, Pamela Jones Harbour, Personally identifiable information

ECHR Rules on Disclosure of Web Users' Identity

Posted on February 10, 2009 by Hunton & Williams LLP

On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge. To read more on this and for additional EU data protection updates, please click here.

Tags: Data Protection, European Union, International, Online Privacy, Safe harbor, Security Breach, Whistleblowing

China to Consider Measure to Increase Protection of Personal Information

Posted on January 14, 2009 by Hunton & Williams LLP

A law that could increase the level of protection of personal information is circulating among legislative bodies in China. The proposed PRC Tort Liability Law would include clauses providing protections for personal information, by giving a person whose rights are infringed by the use of Internet services a right to demand deletion of the infringing materials. Another clause imposes liability on an Internet service provider that fails to take timely measures after receiving such a demand. Read more...

Tags: China, International, Internet, Online Privacy

New York Makes Internet Impersonation a Crime

Posted on December 1, 2008 by Hunton & Williams LLP

In a continuing effort to combat identity theft, New York recently enacted an amendment to the Penal Law making it a crime to impersonate another person or pretend to be a public servant by means of online communication.

Specifically, New York’s Internet impersonation law amends section 190.25 of the Penal Law by adding Subdivision 4, making it a crime to impersonate another person by electronic means, including through use of a website, with the intent to obtain a benefit or injure or defraud another person. It also prohibits using such electronic means to pretend to be a public servant in order to induce another person to submit to false authority or to act in reliance on that false pretense. To read more, click here.

Tags: Articles, Identity Theft, Internet, Online Privacy, State Law