Archives: PII

Businesses Take Heed: FTC’s Recent Report, Conference Signal Big Data’s the Big Deal in 2016

FTC Kicks Off New Year with New Report on Growing Use of Big Data Analytics Across All Industries

Without so much as a week of 2016 having lapsed, the Federal Trade Commission (“FTC” or “Commission”) released a new report with recommendations to businesses on the growing use of big data. The report, “Big Data: A … Continue Reading

Privacy and Ed-tech in 2016

There was a lot of legislative movement for the educational technology (ed-tech) industry in 2015 with states placing additional privacy regulations on the industry, and the effects of those new acts should be felt this year. The states that passed this type of legislation in 2015 were following California’s lead. California’s governor signed the Student … Continue Reading

RadioShack Bankruptcy Case Highlights Value of Consumer Data

On Thursday, a bankruptcy judge granted final approval of the sale of RadioShack Corporation (“RadioShack”) assets to General Wireless Operations Inc. (“General Wireless”), which included customers’ personal information. In the order, the Delaware bankruptcy judge stated “ . . . no showing was made that the sale of personally identifiable information (the “PII”)(as defined in … Continue Reading

ALERT: Google’s Plan to Open Its Services to Children Could Spur Changes to COPPA Enforcement

Recent reports indicate that Google is developing a program that would allow children under the age of 13 to obtain accounts on Google services such as Gmail and YouTube. The Wall Street Journal recently reported that “Google is trying to establish a new system that lets parents set up accounts for their kids, control how … Continue Reading

Mobile Apps: FTC Says Vague Privacy Policies and Lack of Terms a Problem

Last week, the FTC released a study it conducted in connection with price-comparison apps, deal apps and apps that allow people to pay for purchases using their mobile device while shopping in brick-and-mortar stores.  The newly released study is the latest commentary from the FTC in a long line of workshops and reports that started in 2012 … Continue Reading

Say What You Do and Do What You Say: Guidance for Privacy Policies, and for Life

Last Wednesday, California Attorney General Kamala Harris issued much anticipated guidance on public-facing privacy statements – “Making Your Privacy Practices Public” (the “Guidance”). The result of months of discussions with stakeholders, the recommendations are largely common sense.  They are “intended to encourage companies to craft privacy policy statements that address significant data collection and use … Continue Reading

Point of Sale Data Collection Litigation – An Overview and Future Directions

California and 14 other states plus the District of Columbia have laws that restrict the collection of personal information at the point of sale when payment is by credit card. Unfortunately for retailers, the scope of prohibited conduct under these laws is not always clear. Complicating matters further, these laws were generally enacted in the … Continue Reading

COPPA AND RECENT AMENDMENTS TO THE COPPA RULE: A COMPREHENSIVE OVERVIEW

By Justine Young Gottshall and Damien Wint

As we approach six months since the Federal Trade Commission’s (FTC) amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, 16 C.F.R. Part 312 (the “Rule” or, as amended, the “Amended Rule”) became effective, it is essential that any website or online service that is not in … Continue Reading

Governor Brown Ushers in a New Privacy Era in California and Beyond

Late Friday, Governor Jerry Brown of California signed into law the already infamous AB 370 as well as significant amendments to California’s existing breach notification laws via SB 46 and AB 1149.  These laws break new ground in the privacy legal landscape – and it will be interesting to see if other states follow suit, as they … Continue Reading

NIST Issues Final Draft of Security Controls for Comment

Over three previous drafts of its Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication 800-53, the National Institute of Standards and Technology (“NIST”) has honed focus while expanding the reach of infosec controls, all culminating in this latest 455-page “Revision 4” released for public comment last week. Dubbed the “Final Public … Continue Reading

New Ponemon Study Lists Top Privacy Features Consumers View As Important, Ranks Most Trusted Companies for Privacy

The Ponemon Institute released the 2012 results of its annual “Most Trusted Companies for Privacy Study,” which was quite the present on Data Privacy Day. The study has been conducted annually since 2006. While the rankings themselves certainly are interesting, other tidbits in the study about consumers’ attitudes toward privacy are more interesting. Some particularly … Continue Reading

FTC’s Amended COPPA Rule Seeks to Keep Up with the Internet Revolution

The FTC announced that it had finalized amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, which the FTC originally enacted in 2000.  The original Rule was created with the goal of protecting the online privacy of Children younger than the age of 13 (“Children”) by requiring that websites: 1) obtain parental consent before … Continue Reading

FTC Report: Mobile Apps For Kids Not Making The Grade (NOTE: Not Just A Privacy Report)

On December 10, 2012, the FTC released a follow-up to its February 2012 report on mobile apps for kids.  The February 2012 report found that little or no information was available to parents about the privacy practices of the mobile apps the FTC surveyed on Apple’s App Store and Google’s Android Market.  The FTC’s follow-up report finds … Continue Reading

Class Certification Ruling Suggests that a Plaintiff’s Membership in a Retailer’s Pre-Existing Rewards Program May Not Excuse a Retailer’s Request for Personal Information at the Register

The U.S. District Court for the Southern District of California recently granted class certification in a Song-Beverly Credit Card Act case, refusing to exclude from the class individuals who joined the retailer's rewards program months after the alleged Song-Beverly violation. See Yeoman v. IKEA U.S. West, Inc., No. 11CV701, 2012 WL 1598051 (S.D. Cal. May 4, 2012). The Court's discussion suggests that a retailer may also face Song-Beverly liability even if it requests personal information at the register that it already holds by virtue of the customer's membership in its rewards program. … Continue Reading

Privacy in Principle (As California Goes, So Goes the Nation? Part Four)

What happened in the privacy world last week? On Thursday, just before the release of the White House Paper, California Attorney General Kamala Harris announced an agreement with the leading operators of mobile application platforms to privacy principles designed to bring the mobile app industry in line with a California law requiring mobile apps that collect personal information to have a privacy policy. It might be argued that the White House is now enunciating principles and best practices, and encouraging legislation of principles, that have long been embodied not only as best practice but as actual legislation under California law. … Continue Reading

Capitalizing on Privacy Practices – Study Indicates Consumers Will Pay for Privacy

Consumers are more likely to purchase products from online retailers who are protective of consumer privacy, according to researchers at Carnegie Mellon University. The study, entitled “The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study” found that the availability and accessibility of information regarding online retailers’ privacy practices can affect consumers’ decisions … Continue Reading

Legal Implications of Cloud Computing — Part Five (Ethics or Why All Lawyers-Not Just Technogeek Lawyers Like Me-Should Care About Data Security)

So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think. … Continue Reading

Reactions to the Boucher Bill, Part Two

This post is Part Two in my review and discussion of some of the comments submitted in the response to the Boucher Bill privacy and data security legislation discussion draft. As in Part One, Part Two will describe and summarize at a high level some (but not all) of the issues identified by the commenters. Part Two covers comments submitted by American Business Media (ABM), which focuses on the Business-to-Business online information market; the Association of National Advertisers (ANA); the Marketing Research Association (MRA), an association of the survey and opinion research profession; the National Retail Federation and Shop.org (collectively, NRF); and the U.S. Chamber of Commerce. … Continue Reading

Do the New EU Processing Clauses Apply to You?

A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations. … Continue Reading

Reactions to the Boucher Bill, Part One

As previously reported, in early May Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a discussion draft of proposed federal privacy and data security legislation. Reps. Boucher and Stearns sought comments on the discussion draft, setting a deadline of last Friday, June 4, 2010. Numerous organizations have submitted comments. This multi-part post will describe and summarize, at a high level, some (but not all) of the issues identified by the commenters. … Continue Reading

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. … Continue Reading

Information Governance

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations. … Continue Reading

My Notes from the IAPP Global Privacy Summit 2010

As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter). Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations). Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper. These are not direct quotes, unless specifically designated as such. Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space. For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age. Without further ado, here are my notes. Would love to hear your thoughts/reactions. … Continue Reading

Data Integrity and Evidence in the Cloud

Data integrity is a potential challenge in cloud computing, with implications for both operational efficiency and legal evidence. Vendors should consider a standards-based approach to assuring data integrity, and customers should address the issue in due diligence and in contracting. … Continue Reading