The following blog post was first published on April 22, 2014, in the IAPP Privacy Tracker.
Do you watch The Good Wife? The show follows Alicia Florrick, a lawyer in Chicago and the wife of Gov. Peter Florrick. In an episode that aired on March 16, the characters were attending an American Bar Association (ABA) meeting in New York City. Alicia’s former partner Will Gardner retained another lawyer, Elsbeth Tascioni, to represent him in an investigation by the Office of Public Integrity (OPI) into his purported involvement with alleged voter fraud by Gov. Florrick. During a confrontation at the ABA meeting, Tascioni secretly records a conversation she has with an OPI agent, Nelson Dubeck, in which she gets him to admit that he does not currently have any proof of voter fraud and that he believes Florrick is guilty simply by virtue of being a governor of Illinois.
When Tascioni reveals that she has recorded their conversation, Dubeck insists that Tascioni is subject to prosecution because she did not have his permission to make that recording. In a line that only a privacy litigator could love, Tascioni reminds him that that is not true in New York, a one-party consent state: “Two-party consent is the law in Illinois, but this is New York – one-party consent is enough here, and I am one party, and I give my consent.”
Only four days after this episode aired, Tascioni’s clever maneuver would have been legal in Illinois, too, when the Illinois Supreme Court struck down as unconstitutional the Illinois two-party consent law. People v. Clark, 2014 IL 115776 (March 20, 2014).
What happened in Clark, and how will that impact the other two-party consent laws? After all, California, Connecticut, Florida, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania and Washington also require the consent of all parties to the communication. But, in particular, what does Clark mean for California’s infamous two-party consent law?
A new California statute, which originated as SB 568 and will be codified as § 22580 et seq. of the Cal. Bus. & Prof Code, takes effect January 1, 2015. Given the time it may take some sites, applications and online services to determine and implement appropriate compliance steps, now is the time to start considering the impact and preparing for the January 1 deadline. The law has two key provisions: one addressing a minor’s right to delete posted content (which has become known, affectionately or not, as the “Eraser Button Law”), which this post addresses, and one addressing online advertising in connection with minors, which will be the subject of a later post.
Here are key points to note about this new regulation, which applies to minors (those younger than the age of 18):
(Contributors to this post include: Scott Koller, David Navetta, Mark Paulding and Boris Segalis)
By now, most of the world is aware of the massive security vulnerability known as Heartbleed (it even comes with a slick logo and its own website created by the organization that discovered the vulnerability). According to reports, this vulnerability has been present for two years with respect to approximately two-thirds of the servers on the Internet (those that utilize OpenSSL version numbers 1.0.1 through 1.0.1f and 1.0.2-beta1). Mashable is keeping a list of some prominent affected sites, including a status on their remediation efforts. As discussed further below, this vulnerability, if exploited, could lead to the compromise of authentication credentials (e.g. usernames, passwords, encryption keys), and in some cases the unauthorized access or acquisition of information contained in communications sent over the Internet from, or stored on, compromised sites. In short, the security of millions of organizations is likely affected by Heartbleed in three ways:
- Communications to the Organization’s Servers. The communications to and from the systems of organizations that utilize certain versions of OpenSSL may be at risk of interception.
- Communications by an Organization’s Employees to Third Party Organizations Affected by Heartbleed. The authentication credentials of personnel and information sent by an organization’s employees to business-related websites subject to Heartbleed (e.g. Dropbox) may be at risk. If an employee logged into such a site, his or her password could have been compromised, and hackers could also have obtained access to information sent by the employee over encrypted SSL channels and to information on the business site itself.
- Communications by Employees to Organizations Affected by Heartbleed During their Personal Use of the Internet. An employee visiting a website affected by Heartbleed (e.g. Google and thousands of other common consumer sites) during their personal Internet use (at the home, office or offsite) could have had his or her username and password compromised. If that employee uses the same username and password to log into his employer’s systems, those systems could also be at risk.
In addition to the serious security concerns implicated by Heartbleed, there may be legal consequences associated with this vulnerability, especially with respect to the potential unauthorized access or acquisition of personal information. At this juncture it is imperative that affected organizations remediate the Heartbleed vulnerability, communicate with their customers, employees and other system users, and consider potential legal risks and obligations associated with Heartbleed.
In this blogpost we present some key FAQs concerning the security and resulting legal implications of Heartbleed. Specifically, we address remediation efforts necessary to reduce security and legal risk associated with Heartbleed, password reset and communications to affected individuals, the applicability of breach notification laws, and potential investigation obligations under HIPAA’s Security Rule.
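As a first remediation step, an organization needs an inventory of which of its servers run one of the OpenSSL versions the post names (1.0.1 through 1.0.1f, and 1.0.2-beta1). The following script is an added example, not code from the original post or from the OpenSSL project: it parses `openssl version` banner text, applies exactly the version ranges stated above, and sorts a constructed, hypothetical inventory into affected / not affected / unknown buckets. The host names and banner lines are made up for illustration.

```python
import re

# Matches the version portion of banners such as "OpenSSL 1.0.1e 11 Feb 2013"
# or a bare "1.0.2-beta1": major.minor.patch, optional patch letter, optional beta.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta) parsed from a banner line,
    or None when the line carries no recognizable OpenSSL version."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def is_heartbleed_affected(text):
    """True if the banner falls in the ranges the post lists as affected
    (1.0.1 through 1.0.1f, and 1.0.2-beta1), False if it does not,
    None if the version could not be determined or is not covered."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        if beta is not None:
            return None  # 1.0.1 pre-releases are not addressed by the post
        # "1.0.1" (no letter) through "1.0.1f"; single-letter comparison suffices.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1  # only 1.0.2-beta1 is named as affected
    return False


def triage(inventory):
    """Group (host, banner) pairs by verdict so remediation can be prioritised."""
    buckets = {"affected": [], "not_affected": [], "unknown": []}
    for host, banner in inventory:
        verdict = is_heartbleed_affected(banner)
        key = "unknown" if verdict is None else ("affected" if verdict else "not_affected")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hypothetical hosts; not real systems).
SAMPLE_INVENTORY = [
    ("web-01.example.test", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02.example.test", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("vpn-01.example.test", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("legacy-01.example.test", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("mail-01.example.test", "OpenSSL 1.0.1 14 Mar 2012"),
    ("db-01.example.test", "openssl: command not found"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

One caveat for anyone using a check like this: some operating-system vendors backport security fixes without changing the version number, so a banner in the affected range is a reason to verify against the vendor's advisory or a direct test, not by itself proof that a host is still vulnerable; a banner outside the range should likewise be confirmed, since the version string alone says nothing about whether the host was exposed before it was patched and whether its keys and passwords have been rotated.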
The FCC recently issued a Declaratory Ruling and an Order that provide some clarity in the TCPA arena and create a new exemption for certain types of text messages and calls. In sum, the FCC clarified that a company may obtain “prior express consent” through an intermediary for the purpose of sending administrative text messages. In addition, the FCC created an exemption for package delivery companies to send delivery notification text messages and make autodialed calls to mobile numbers in the absence of prior express consent. Even for companies not directly affected by these changes, the ruling and a concurring statement by a new FCC commissioner may provide some guidance for marketing messages and foreshadow the direction of future FCC action. Read our full analysis below.
The Federal Trade Commission (“FTC”) recently investigated Cole Haan, Inc. to determine whether a contest that it conducted on https://www.pinterest.com violated Section 5 of the FTC Act, which, in part, requires the disclosure of a material connection between a marketer and an endorser when their relationship is not otherwise apparent from the context of the endorsement. The FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising and the FTC’s updated .com Disclosure Guides explain the “material connection” principle in more detail, but neither guideline document mentions sweepstakes or contest entries as the type of incentive that creates a material connection between the sponsor and entrants.
Cole Haan’s contest asked each entrant to create a “Wandering Sole” board, to pin 5 shoe images from Cole Haan’s own “Wandering Sole” board, and to pin 5 images of the entrant’s “favorite places to wander”—all for the chance to win a $1000 shopping spree.[i] Each pin was to include the hashtag #wanderingsole. In a letter closing its investigation, the FTC found that:
- The pins featuring Cole Haan products were endorsements;
- Consumers who saw the pins and boards would not reasonably be aware that the pinners were incentivized by the chance to win the contest;
- The pins and boards were not adequately labeled to show the material connection between Cole Haan and the entrants (i.e., that the pinners were incentivized with an entry in a contest); and
- Cole Haan had failed to instruct entrants to disclose such material connection.
The FTC did not pursue further enforcement against Cole Haan in part because this is the first time the FTC has publicly addressed whether entry into a contest is a form of material connection and whether a pin on Pinterest may constitute an endorsement. In addition, Cole Haan subsequently adopted a social media policy to address the FTC’s concerns with respect to disclosure of material connections by Cole Haan endorsers.
We note that the position taken by the FTC that pins can be endorsements is not inconsistent with the position taken by the National Advertising Division of the Better Business Bureau (“NAD”) nearly two years ago in its report on Nutrisystem Inc.’s “Real Consumers. Real Success.” board on Pinterest. The NAD found that consumer pins such as “Christine B. lost 46lbs on Nutrisystem” were testimonials.
Key Takeaways: The Cole Haan FTC letter reinforces our recommendation that advertisers must tread carefully when conducting promotions on Pinterest and all other social media outlets (including, without limitation, Twitter, Vine, Tumblr and Instagram). Yes, the principles discussed in the Cole Haan FTC letter apply across social media outlets; not just on Pinterest. Specifically, when advertisers ask consumers to post on social media as a means of obtaining an entry in a promotion where the entry promotes the brand or includes branded material (whether the brand is promoted in the text, a hashtag, a photo or a video), the entry post must include some clear and conspicuous indicator that the consumer has received an entry in a promotion (e.g., sponsors can require the unique hashtag for the entry post to include the word “entry”, “contest”, or “sweepstakes”).
[i] We note that the Cole Haan contest, as described in the FTC’s letter, seemingly violates the Pinterest policy that prohibits asking consumers to pin from a selection (see Pinterest Brand Guidelines). As we have explained in a recent post, advertisers must also always remember to review the applicable platform’s guidelines before running a promotion on that social media platform.
By Jamie Rubin & Andrew L. Hoffman
The FTC amended the Textile Labeling Rules on March 14, 2014. These amendments do not impose new obligations on textile manufacturers or retailers, and at least one of the changes will likely benefit manufacturers. Namely, a hang-tag is no longer required to include a full fiber content disclosure, thereby enabling the creation of a single hang-tag for a variety of garments that share the advertised fiber, but which otherwise have different fiber compositions. This change will also enable manufacturers to create hang-tags before the final garment fiber content is known. In addition, the FTC declined to implement its proposed changes to the continuing guarantee requirement in the face of industry objections. See below for a summary of the other changes and our analysis.
Just last week, the United States Supreme Court provided much-needed clarification on the issue of who has standing to bring a false advertising claim under the Lanham Act, 15 U.S.C. § 1152(a). The decision, Lexmark Int’l v. Static Control Components, US Supreme Court slip opinion (March 25, 2014), provides a national standard that remedies a three-way split among the circuit courts.
The plaintiff in the case, Lexmark, manufactures laser printers and toner cartridges. Remanufacturers buy used cartridges from Lexmark customers, refill them and sell them back to owners of Lexmark printers. The defendant, Static Control, makes microchips and other parts used by these cartridge remanufacturers. A microchip Lexmark manufactured disabled certain discounted printer cartridges once they had been used, rendering them useless to other remanufacturers. Static Control manufactures its own microchip that allows Lexmark printer cartridges to be used with Lexmark printers, even in the presence of Lexmark’s disabling microchip.
Administering a sweepstakes or contest online can be a great way to attract traffic and engage with consumers. Not surprisingly, many companies routinely utilize sweepstakes and contests (which are referenced collectively in this article as “promotions”) as part of their overall online marketing push. Administering promotions, however, can get complicated when operating them on third-party platforms, such as social media sites. Many of you are no doubt familiar with the basic laws applicable to running an online promotion. This article does not discuss those laws, but rather describes some of the more detailed or latent issues and complications that need to be considered and addressed when running a promotion on certain social-media platforms.
(1) Know Your Limitations When Operating on Social Media, Part I – Contractual Restrictions
Each of the major social-media platforms comes with its own distinct considerations when using the platform to run a promotion. These services often use their respective terms of service and related agreements to restrict whether and how a business can use the service to administer a promotion.
The California Attorney General’s Office has announced the release of a new cybersecurity guide designed to help California businesses better protect against and respond to cybersecurity threats. The guide provides a simple and easy to understand overview of basic security threats and outlines some practical steps for minimizing cyber vulnerabilities, including guidance on how to respond to cyber incidents.
“California is at the center of the digital revolution that is changing the world. Because of work done by companies right here in our home state, we are more connected – and empowered – than ever before” said Attorney General Kamala D. Harris. “But we are also increasingly vulnerable, a fact underscored by the recent holiday–period data breaches that impacted millions across the country.”
California has long been at the forefront of cyber security advocacy and was the first state to pass a law mandating data breach notification. In 2011, California established the eCrime Unit to prosecute identity theft, data intrusions, and crimes involving the use of technology. In 2012, California established the Privacy Enforcement and Protection Unit in the Department of Justice, whose mission is to help regulate and enforce laws addressing the collection, retention, disclosure, and destruction of private or sensitive information. Continuing that tradition, Attorney General Harris, in collaboration with the California Chamber of Commerce and a mobile security company called Lookout, developed the guide titled “Cybersecurity in the Golden State” (the “Guide”).
The purpose of the Guide is to specify ways that small and medium-size businesses can reduce cybersecurity risks. To accommodate individuals who may not be tech-savvy, the Guide uses plain language to describe steps that any business can take to help protect itself, even if it lacks the resources to hire full-time cybersecurity personnel.
Key recommendations include:
- Assume you’re a target and develop an incident response plan now;
- Map your data and review where your business stores or shares information with third parties including backup storage and cloud computing;
- Encrypt the data you need to keep. Strong encryption technology is now commonly available for free, and is generally easy to use;
- Educate employees about cyber threats, as they are often the first line of defense;
- Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, and avoiding downloading software from unknown sources;
The issue of cyber security is increasingly important, as the recent security breaches at Target and Neiman Marcus help to demonstrate. According to data cited by the Attorney General’s Office, there were more than one billion cyberattacks in the first three months of 2013, a number that is likely to keep growing as hackers become more sophisticated and organized. While the recommendations contained in the Guide are not legally mandated, they do reflect security best practices that, if followed, have the potential to help mitigate the risk of cybersecurity attacks.
To obtain a copy of the “Cybersecurity in the Golden State” guide, click here.
On March 6, 2014, the Department of Justice (“DOJ”) issued a press release announcing a proposed consent decree against H&R Block to resolve claims that the H&R Block website, mobile applications, and online tax preparation products were not appropriately accessible to the disabled. DOJ alleged that failing to make these online services accessible to the disabled violated Title III of the Americans with Disabilities Act (“ADA”), 42 U.S.C. §§ 12181 – 12189, and its implementing regulations, 28 C.F.R. Part 36.
This consent decree is noteworthy since DOJ has not yet published guidance on web accessibility. Therefore, the consent decree may provide insight into the content of the forthcoming guidance. Among the key questions about the upcoming guidance is how it may differ from the W3C Web Content Accessibility Guidelines 2.0 (“WCAG 2.0”). The consent decree requires H&R Block to adopt accessibility measures conforming to WCAG 2.0. Therefore, it appears that WCAG 2.0 remains the best framework to rely upon in the absence of substantive federal guidance.
There are several additional points of note in the consent decree.