LifeLock to Pay $12 Million Over False Claims of Identity Theft Protection

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity theft, and only limited protection against other types of fraud.

The FTC’s complaint and further details concerning the settlement are available on the FTC’s website.  The FTC also has posted a page to provide information on the redress program for current and former LifeLock customers.

Privacy Commissioner of Canada Announces Public Consultations on Emerging Technologies

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a second consultation on cloud computing is anticipated in the near future.

The Office of the Privacy Commissioner has put out a call for participation, and written submissions by interested parties are due by March 15, 2010.  For further information on the consultation process, view the Office of the Privacy Commissioner's news release.

Business Forum for Consumer Privacy Introduces New Data Protection Model

On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document” at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.”  The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use.  The paper is the product of a three-year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment.  The paper may be found at www.informationpolicycentre.com.

The Forum’s paper presents the details of a model for data protection in which the use of data, rather than its collection, sets in motion an organization’s obligations to apply fair information practices.  The model employs the full complement of fair information practices: notice, choice, access and correction, collection limitation, use minimization, data retention, data quality and integrity, data security and accountability.  The paper describes in granular detail how each of these practices applies to various uses of data (e.g., fulfillment, internal business processes, marketing, fraud prevention and authentication and national security and legal).  The approach proposes a means to implement fair information practices in a way that reflects the data environment of the 21st century.

Barbara Lawler of Intuit represented the Forum at the FTC’s “Exploring Privacy” event.  In introducing the concepts presented in the paper, she built upon the observation of panelists at the FTC event that the “choice” model is of increasingly limited utility in the new data environment.  Ms. Lawler noted that consumers would have to read and act on privacy notices almost constantly throughout the day to exercise any kind of control over their data, and that consumers cannot be expected to police a marketplace full of complex business models, vendor relationships and technologies.

Next year likely will be an important one, as privacy regulators, experts, advocates and business representatives continue to consider ways to provide optimal protection for data while best enabling its productive and creative use.  The use-and-obligations model will likely serve as an important contribution to that discussion.

Agencies Issue Final Gramm-Leach-Bliley Act Model Privacy Notice

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

Issuance of this model notice follows the enactment, in October 2006, of the Financial Services Regulatory Relief Act (“Relief Act”).  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model privacy notice that incorporates all of the GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy notice.  The final model privacy notice is substantially similar to the proposed model with certain revisions based on comments submitted to the agencies and consumer testing.

For further information regarding the final model privacy notice please refer to our earlier post.

Agencies Expected to Publish Final Gramm-Leach-Bliley Act Model Privacy Notice

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

In October 2006, the Financial Services Regulatory Relief Act (“Relief Act”) was enacted.  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model form privacy notice that incorporates all of the GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy form.  The final model privacy form is substantially similar to the proposed model form with certain revisions based on comments submitted to the agencies and consumer testing.

The final model form privacy notice addresses the legal requirements of GLBA and is designed to facilitate consumer comprehension.  In terms of content, it is two pages in length, but may be printed on a single sheet of paper.  The first page is organized in five parts: (i) the title, (ii) an introductory section, (iii) a disclosure table describing the types of sharing by financial institutions and, if appropriate, whether a consumer can limit or opt out of sharing, (iv) a mechanism to limit sharing for opt out purposes, and (v) the financial institution’s customer service contact information.  The second page contains supplemental explanatory information in frequently asked question format, as well as definitions of relevant terms.  The content set forth in the model form must remain unchanged for financial institutions to rely on the safe harbor.

The financial services agencies' announcement of the final model privacy notice is anticipated in the near future, although a draft of the final rule has been circulated.

Federal Trade Commission Comes out Swinging: Two-Day Enforcement Haul Totals More than $18.5 Million

The Federal Trade Commission is having a very busy week, announcing settlements in three high-profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

The FTC also announced today a settlement with Iconix Brand Group, Inc., which owns, licenses and markets apparel brands including Candie's, Mudd, Bongo and OP.  The FTC alleged violations of the Children’s Online Privacy Protection Act ("COPPA") and Section 5 of the FTC Act.  As to the COPPA violations, the FTC noted that several of the brands' websites collected full dates of birth, presumably putting the company on notice that it had collected information from individuals under the age of 13 although it did not notify parents in advance or seek their consent.  In addition, the brands' privacy statements included a representation that the company does not "seek to collect" personal information from individuals under the age of 13, which the FTC charged was a deceptive trade practice in violation of Section 5 of the FTC Act.  Iconix agreed to pay $250,000 in civil money penalties and to delete all information collected and maintained in violation of COPPA, in addition to other equitable measures such as training employees.

Yesterday, the FTC announced that ChoicePoint, Inc. agreed to strengthen its data security in order to settle charges that it failed to implement a comprehensive information security program as required by the earlier consent order it entered into with the agency following its well-publicized 2005 security breach.  This agreement, which expands the company's obligations under the original consent order, follows a security breach that occurred in 2008.  ChoicePoint allegedly turned off a security feature used to monitor access to one of its databases and failed to detect that the feature was disabled for four months.  During that period, the FTC alleged that the personal information of 13,750 people was compromised, putting them at risk of identity theft.  In addition to paying $275,000 to be used for consumer redress, the modified court order requires ChoicePoint to report to the FTC every two months for the next two years, providing "detailed information about how it is protecting the breached database and certain other databases and records containing personal information."

The three cases, following closely on the heels of seven Safe-Harbor-related settlements, demonstrate the FTC's resolve to enforce more aggressively and levy larger fines when settling cases.

Boxing and Concepts of Harm: Are Consumers Suffering a TKO on Content?

Maybe, but it's not that kind of "boxing"...think walls and a lid instead of a ring.  "Boxing is where a consumer’s vision and choices are limited by his or her digital history and the analytics that make judgments based on that digital history."  Government agencies are concerned with outcome-based analytics and its impact on consumer choice.  Read more on "Boxing and Concepts of Harm," written by Marty Abrams of the Centre for Information Policy Leadership, published in the September 2009 issue of Privacy and Data Security Law Journal.
 

APEC Forum Discusses International Privacy Legislation Developments

On July 28, 2009,  the Data Privacy Subgroup meeting at the Asia-Pacific Economic Cooperation (APEC) Forum in Singapore reported a number of privacy-related legislative developments on the horizon.  Among the highlights:

  • On July 15, the Malaysian Cabinet approved privacy legislation to be enacted by the Parliament in early 2010 
  • Vietnam is set to enact consumer protection legislation including privacy provisions in 2010 
  • Hong Kong's Privacy Commissioner will soon begin a review process to evaluate how privacy law has kept up with changing technology
  • The Philippines is set to enact privacy legislation based on the APEC Principles by the end of 2009
  • Thailand is expected to pass privacy legislation in the near future
  • The Law Reform Commission in New Zealand is laying the groundwork for legislation in 2010
  • Chile plans to enact legislation creating a government authority responsible for privacy and transparency

The Centre for Information Policy Leadership facilitated workshops contributing to the legislative processes in Vietnam and the Philippines.

Agencies Issue Final Rules on Credit Report Accuracy under FACTA

The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports.  The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009.  The final rules and guidelines will take effect on July 1, 2010.

The final rules and guidelines include provisions allowing consumers to dispute inaccuracies in their credit files directly with entities that furnish information to credit reporting agencies, including financial institutions and other organizations.  The Agencies’ guidelines specify the steps credit information furnishers should take to ensure the accuracy and integrity of the information they provide to credit reporting agencies, including suggestions such as when it may be necessary to provide supplemental information in order to avoid creating misleading impressions about creditworthiness.  The accuracy and integrity of information contained in credit reports is critical to individual consumers, as this information is used to assess eligibility for credit, employment, insurance and housing, and consumers with errors in their credit reports may be denied access to benefits.    

A copy of the final rules and guidelines is available here.

Marketing Industry Groups Propose Behavioral Advertising Guidelines

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

Behavioral advertising involves collecting and analyzing information about consumer online behavior for marketing-related purposes, such as serving targeted ads, or developing purchase propensity models. In the U.S., the practice has come under scrutiny by consumer groups, legislators and the FTC. The FTC published a second report on its own proposed self-regulatory principles on February 12, 2009.

The new self-regulatory guidelines are based on seven principles: Education, Transparency, Consumer Control, Data Security, Consent to Material Changes, Sensitive Data and Accountability. The principles call on participating organizations to (i) conduct outreach campaigns to educate consumers about behavioral advertising, (ii) provide clear disclosures about their online behavioral advertising practices (including notices at data collection points), (iii) allow consumers to choose whether their data is used for behavioral advertising, (iv) provide security for consumer information and limit its retention, (v) obtain consumer consent to material changes regarding the use of their information, and (vi) require parental consent for the use of information collected from children under the age of 13. The principles also call for establishing an accountability program for monitoring compliance with the guidelines and reporting non-compliance to appropriate government agencies. The Better Business Bureau and the Direct Marketing Association are currently working together to develop accountability mechanisms, which are intended to be in place by early 2010.

The publication detailing the Self-Regulatory Principles is available at www.iab.net/behavioral-advertisingprinciples.

Obama Proposes New Agency to Regulate Consumer Financial Privacy

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade Commission ("FTC").  Under the proposal, the FTC would retain primary responsibility for preventing fraud and encouraging security in the financial markets. 

While some regulatory authority for financial products and services protections would flow from the FTC to the CFPA, the FTC would have increased powers to issue rules related to unfair and deceptive practices, and an enhanced ability to issue civil monetary penalties.  The proposal also includes expanded FTC authority over the banking sector with respect to data security.  While the legislation proposes transferring staff from certain financial services regulators, there would be no transfer of staff from the FTC.  Accordingly, the FTC may have more resources to pursue other consumer protection issues, including privacy in non-financial markets.

The Administration's full report on its financial reform plan can be viewed here.

Sears Settles FTC Enforcement Action Regarding Consumer Tracking

On June 4, 2009, the Federal Trade Commission (“FTC”) reported that Sears Holdings Management Corporation (“Sears”) agreed to enter into a settlement regarding the Commission’s allegations that the company violated Section 5 of the FTC Act in connection with a new online community application it had developed.  Participation in the community allowed Sears to track consumers’ online and, to some extent, offline activities.  The FTC’s action is notable as a potential precursor to future enforcement by the FTC in the areas of both transparency and tracking online behavior, the latter having been previously highlighted as an area of interest for the agency.  The settlement, discussed in more detail below, is notable in that its requirements make clear that substantial tracking of consumer behavior must be sufficiently transparent (not disclosed only in a lengthy privacy policy or agreement), consumers’ opt-in consent to such tracking must be obtained, and disclosures regarding the nature of the tracking must be made at a meaningfully early stage of the transaction.

The enforcement action began after Sears disseminated a “research” software application for consumers to download and install on their home computers in connection with the “My SHC Community” program.  According to the FTC, Sears represented to consumers that this software application, if downloaded and installed, would track consumers’ “online browsing” activities.  The FTC alleged that Sears failed to disclose to consumers that the application would (i) track nearly all of the consumers’ online behavior (including information provided in secure sessions with third-party websites, shopping carts and online accounts), (ii) track certain offline activity on the computer, and (iii) transmit most of the tracked information to Sears’ remote computer servers.  In its complaint, the FTC argued that these facts would be material to consumers when deciding whether to install the software, and Sears’ failure to disclose the information constituted a deceptive act in violation of Section 5 of the FTC Act.  The FTC acknowledged the application “functioned and transmitted information substantially as described in the [Privacy Statement and User License Agreement],” but noted that this disclosure was available only in the lengthy agreement provided near the end of the multi-step registration process.

As part of the proposed settlement, Sears has agreed to do the following:

  • Disclose to consumers all of the types of data that will be tracked by any software program or application disseminated by or on behalf of Sears, its subsidiaries or affiliates, that is capable of being installed on consumers’ computers and is used to monitor, record or transmit information about activities occurring on those computers or data that may be stored on, created on, or transmitted to or from those computers.  Disclose how data collected by such an application may be used, and whether the data may be used by a third party.  In accordance with the settlement, this information must be provided to the consumer on a distinct page prior to the display of any privacy policy, terms of use or end user license agreement.
  • Obtain express, opt-in consent from consumers to the download of any such application and the collection of data through use of a button or link that is not pre-selected and is clearly labeled.
  • Provide notification within thirty days of approval of the settlement to consumers who previously installed such an application.  This notification must explain (i) that they installed a Sears tracking application, (ii) that the application collects and transmits data as described in the company’s “Privacy Statement & User License Agreement,” and (iii) how they may uninstall the application.  The notification must be prominently posted on the My SHC Community website for two years from approval of the settlement.
  • Within three days of the approval of the settlement, discontinue collecting any data transmitted by such applications installed prior to approval of the settlement.
  • Within five days of the approval of the settlement, destroy any information collected about consumers by Sears through the use of the application in all cases where the application was installed prior to approval of the settlement.

FTC Chairman Jon Leibowitz Appoints Senior Staff

Federal Trade Commission Chairman Jon Leibowitz has appointed six senior staff members with extensive experience in the private sector, in the public interest community, in academia, and in government.

“We’re delighted to attract such a talented and creative group of people,” Leibowitz said. “Their leadership and expertise will help ensure that the Commission’s work on behalf of American consumers will continue to be effective. We’re very fortunate.”

Richard A. Feinstein, who was appointed Director of the Bureau of Competition, is rejoining the agency from a partnership at Boies, Schiller & Flexner LLP, where he focused on antitrust litigation and counseling. He was formerly an Assistant Director in the Bureau of Competition’s Health Care Services and Products Division, focusing on antitrust enforcement, including anticompetitive practices and mergers involving health care providers and payers, and anticompetitive conduct in the pharmaceutical industry. Feinstein worked previously at McKenna & Cuneo, LLP, and he was a trial attorney and supervisor in the Antitrust Division of the U.S. Department of Justice.

David C. Vladeck, who will serve as Director of the Bureau of Consumer Protection, has been a Professor of Law at Georgetown University Law Center, teaching federal courts, government processes, civil procedure, and First Amendment litigation. He co-directed the Center’s Institute for Public Representation, a clinical law program for civil rights, civil liberties, First Amendment, open government, and regulatory litigation. Vladeck previously spent almost 30 years with Public Citizen Litigation Group, including 10 years as Director. He has argued a number of First Amendment and civil rights cases before the U.S. Supreme Court, and more than 60 cases before the federal courts of appeal and state courts of last resort.

Joseph Farrell, who was named Director of the Bureau of Economics, has been a Professor of Economics at the University of California, Berkeley, where he has been Chair of the Competition Policy Center and an Affiliated Professor in the Haas School of Business. He also has served as Deputy Assistant Attorney General and Chief Economist for the Antitrust Division of the U.S. Department of Justice, and as Chief Economist for the Federal Communications Commission. His research has centered on competition policy, compatibility standards, and innovation. Farrell is a Fellow of the Econometric Society.

Susan S. DeSanti, who will be Director of Policy Planning, joins the Commission from Sonnenschein Nath & Rosenthal, where her practice has focused on antitrust counseling and litigation in a variety of industries. She previously spent 15 years at the Commission, during which she helped develop federal antitrust policy in standard setting, intellectual property licensing, antitrust and patent issues, generic drug entry, mergers, and joint ventures among competitors. During that time, she served in a variety of positions, including Director of Policy Planning, Deputy General Counsel for Policy Studies, senior attorney advisor to Chairman Robert Pitofsky, and attorney advisor to Commissioner Dennis Yao. In addition to several years in private practice before she joined the Commission, DeSanti recently served as Senior Counsel to the Antitrust Modernization Commission.

Jeanne Bumpus, who was re-appointed as Director of the Office of Congressional Relations, has served in that position since June 2006. She was a principal advisor to Senator John McCain and served as Staff Director and Chief Counsel for the U.S. Senate Committee on Commerce, Science, and Transportation. Bumpus began her work on Capitol Hill in the office of Washington State Senator Slade Gorton, where she served as Legislative Counsel. Earlier, she worked as an associate in the law firm of Davis Wright Tremaine in Seattle, Washington.

Joni Lupovitz, who will serve as Chief of Staff to the Chairman, joined the FTC in 1999 as an attorney in the Bureau of Consumer Protection’s Division of Enforcement and was promoted to Assistant Director for Enforcement the following year. Since 2005, she has served as an attorney advisor in the Office of Commissioner (now Chairman) Leibowitz, focusing on consumer protection matters. Before joining the FTC, Lupovitz was a partner with McDermott, Will & Emery, where she had a diverse civil litigation and administrative practice.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

MEDIA CONTACT:

Office of Public Affairs
202-326-2180