<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>Boris Segalis - Info Law Group</title>
<link>http://www.infolawgroup.com/boris-segalis.html</link>
<description><![CDATA[Mr. Segalis is a Partner at InfoLawGroup LLP.  He counsels clients on data confidentiality, privacy, security and management issues, including in relation to:

    Data analytics and product and service development (including &ldquo;Big Data&rdquo; and online advertising)
    Corporate transactions that involve transfer of personal information
    Social media
    Payment systems
    E-Commerce and mobile
    Smart Grid
    Employee privacy
    Vendor management
    Cross-border data transfers
    Information security breaches and regulatory investigations 

Mr. Segalis serves clients from a variety of industries, including utilities, multinational organizations, online retailers, data companies, and nonprofit organizations.  His clients range from Fortune 10 companies to start-ups.
Recent Representative Matters:

    Drafted regulatory filings related to Smart Grid implementation
    Developed a social media crisis response plan
    Revised workplace social media guidance to comply with NLRB requirements
    Developed privacy and security policies and procedures for &ldquo;Bring Your Own Device&rdquo; programs for employees
    Assisted in revising and updating an online retailer&rsquo;s privacy practices and privacy statement to bring them into compliance with global best practices
    Advised on privacy and security implications of the use of iFrames for OBA implementation
    Assisted a client in resolving a dispute with a self-regulatory online marketing association
    Developed data privacy and security component of client&rsquo;s vendor management program
    Advised a Fortune 10 company on developing and implementing a Safe Harbor compliance program for transfers of human resources data from Europe to the company&rsquo;s headquarters in the United States
    Counseled a hedge fund on financial privacy requirements in connection with the fund&rsquo;s program to offer refinancing to residential mortgage loan borrowers at risk of default
    Advised a major credit card company on financial privacy issues in connection with e-commerce programs
    Advised a global financial institution on the development of data analytics products and services
    Advised on an acquisition through bankruptcy proceedings of a customer database containing detailed and highly confidential personal information; counseled the client on re-launching the business and engaging former customers 

Selected Recent Speaking Engagements:

    Risk Management Best Practice, Cybersecurity Insurance and Cybersecurity Risk Management Workshop, Seton Hall Law School, June 6, 2012
    HR Privacy and Cybersecurity, Polytechnic Institute of New York University Conference on Game-Changing Technology for Human Capital Management, May 22, 2012
    Cloud Computing 2012: Cut Through the Fluff & Tackle the Critical Stuff, Practicing Law Institute (PLI) Live Session, May 11, 2012
    The Privacy Line between Employee and Employer: Shifting Legal Boundaries, IAPP Web Conference, April 12, 2012
    De-identification, Re-identification and the Definition of PII, IAPP Summit, March 7-9, 2012
    Vendor Management:  Doing More with Less, RSA Conference, March 1, 2012
    Smart Grid Privacy and Security, ABA Information Security Committee Annual Meeting, February 26, 2012
    Year in Review:  How Last Year&rsquo;s Trends Help Us Plan for the Future, ISSA Web Conference, January 25, 2012
    Smart Grid Privacy: Managing Electricity&rsquo;s Digital Signature, IAPP Web Conference, December 8, 2011
    Cloud Computing Legal Risk and Liability, ISSA International Conference, October 21, 2011
    Discussing Proposed Information Security Legislation, Fox Live, September 13, 2011
    Panel on Technological Challenges, Cybersecurity Law &amp; Policy: Changing Paradigms &amp; New Challenges Conference, Seton Hall Law, June 8, 2011

Selected Publications:
Mr. Segalis is an active contributor to the InfoLawGroup privacy blog and has regularly discussed privacy and data security issues on Fox Live.  He is a co-author of the Privacy and Data Security Law Deskbook, Aspen Publishers, Wolters Kluwer Law &amp; Business, July 2010.  Other noted publications include:

    Emerging Privacy Issues in Bankruptcy, New York Law Journal, June 10, 2010
    Preservation and Monitoring of Corporate Messaging, New York Law Journal, November 2009
    FTC&rsquo;s Red Flags Rule: Delays Suggest Confusion on the Part of the Industry, Privacy &amp; Data Security Law Journal, July 2009

Bar &amp; Professional Association Activities:

    ABA Science &amp; Technology Section, Information Security Committee
    Co-Chair, Smart Grid and Critical Infrastructure Working Group
    Vice-Chair, Law Firm Security Working Group
    ABA Science &amp; Technology Section, Social Networking Committee Vice-Chair
    New York City Bar Association, Labor &amp; Employment Law Committee
    International Association of Privacy Professionals (IAPP)

Professional Background:

    Principal, Segalis PLLC, 2010
    Attorney, Hunton &amp; Williams LLP, Privacy &amp; Information Management, 2007-2010
    Attorney, Dewey Ballantine LLP, Litigation, 2003-200
    Project Engineer, Pratt &amp; Whitney Space Propulsion, United Technologies Corp., 1996-2000

Education:

    J.D., NYU School of Law, 2003
    B.S., Mechanical Engineering, Georgia Tech, 1996

Foreign Languages:

    Russian (fluent)

 ]]></description>
<language>en-us</language>
<copyright>Copyright 2012</copyright>
<lastBuildDate>Thu, 15 Mar 2012 11:39:51 -0700</lastBuildDate>
<pubDate>Fri, 15 Jun 2012 11:52:02 -0700</pubDate>
<generator>http://www.movabletype.org/</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs> 

<item>
<title>FTC Looks to Link Do-Not-Track, Big Data Privacy Concerns; Seeks Solutions</title>
<description><![CDATA[<p>By <a href="http://www.infolawgroup.com/boris-segalis.html">Boris Segalis</a> and <a href="http://www.infolawgroup.com/2009/09/promo/attorneys/nihar-shah/#more">Nihar Shah</a></p>
<p>Nowadays, a news story on privacy is out of place if it doesn&rsquo;t mention Do-Not-Track (known as &ldquo;DNT&rdquo;) or Big Data.  While these hot topics represent key concerns for privacy professionals, advocates and regulators, there is no clear agreement on what they mean or how to address the privacy issues they raise.  In this post, we consider recent developments on these topics, including how the Federal Trade Commission has sought to focus on and connect these new issues.</p>
<p><strong>DNT or DNC</strong></p>
<p>DNT is in the midst of a multifaceted identity crisis, starting with  a disagreement over the definition of DNT.  Self-regulatory  organizations and the advertising industry assert that DNT stands for  &ldquo;Do Not Target,&rdquo; referring to the use of consumer data for the purposes  of targeted advertising.  The FTC, buoyed by privacy advocates, appears  to take the view that DNT means not only &ldquo;Do Not Target&rdquo; but also &ldquo;Do  Not Collect&rdquo; (DNC).  <a href="http://www.ftc.gov/commissioners/brill/index.shtml">FTC Commissioner Brill</a> elaborated at the <a href="https://www.privacyassociation.org/events_and_programs/global_privacy_summit">2012 IAPP Summit</a>  that she doesn&rsquo;t view the current DNT efforts as entirely sufficient  because the choice DNT offers does not give consumers appropriate  protection against what Brill characterized as &ldquo;limitless, unmitigated&rdquo;  data collection.  But Brill does not argue for wholesale implementation  of DNC, and has indicated that the details of the implementation of  DNT/DNC will continue to remain a key focus for the FTC.</p>]]><![CDATA[<p>The industry has continued to respond to these concerns by trying to balance consumer and business interests.  While privacy advocates want consumers to have the option to truly opt out of all information collection about them, industry leaders argue that such a move would severely undercut e-commerce in the United States.  In late February, the FTC and Digital Advertising Alliance (DAA) announced Obama Administration support for the DAA&rsquo;s &ldquo;Do Not Track&rdquo; button, in which a consumer presses the button on any browser, and all participating advertisers and browsers would not store consumer information to be used in targeted advertising.  
But privacy advocates have expressed reservations about the solution, calling attention to the fact that the button would not allow consumers to opt out of other types of tracking, such as for market research or website analytics.  Commissioner Brill has called the latest DAA proposal &ldquo;a good first step&rdquo; but indicated that the FTC does not fully support the DAA&rsquo;s view that a &ldquo;Do Not Target&rdquo; industry standard is completely adequate.  She explained that &ldquo;Do Not Track is not just Do Not Target, but also, when the consumer so chooses, Do Not Collect.&rdquo;  The FTC and DAA both believe that consumer choice is the best method for advocating consumer privacy, but an agreement on what that choice should entail is a long way off.</p>
<p><strong>First Party v. Third Party</strong></p>
<p>Another disagreement affecting DNT is the line between so called &ldquo;first party&rdquo; data collection and tracking and &ldquo;third party&rdquo; activities.  Broadly, &ldquo;first party&rdquo; data collectors collect information from users with whom they have a direct relationship (e.g., information CNN collects during a user&rsquo;s visit to its site).  A &ldquo;third party&rdquo; data collector collects data about users with whom it does not have a direct relationship (e.g., information collected on the CNN site by advertising networks).  For example, a social media platform may act as both a &ldquo;first party&rdquo; and &ldquo;third party&rdquo; collector.  When a user inputs her birthday and name into Google+, the user should reasonably expect Google+ to use that information as part of the service.  This is &ldquo;first party&rdquo; data processing.  However, when Google places a &ldquo;+1&rdquo; button on a different website, a user may not understand that Google is collecting other information about that user in conjunction with that &ldquo;+1&rdquo; button.  This is &ldquo;third party&rdquo; processing.</p>
<p>At the IAPP Summit, Commissioner Brill was challenged on the notion that there is great significance to the relationship between the party collecting data and the consumer.  Some of her co-panelists suggested, for example, that data protection should be driven by the nature of the information, not the relationship with the consumer.  But it appears that the FTC will continue to focus on the &ldquo;first party&rdquo; and &ldquo;third party&rdquo; distinction.  The FTC sees a greater threat to consumers in third-party data collection because of perceived lack of notice, choice and transparency in the practices of data collectors and data aggregators (including deep packet inspection and affiliate marketing) that do not have a direct relationship with consumers.  But the real challenge is understanding where to draw the line between &ldquo;first party&rdquo; and &ldquo;third party&rdquo; practices.</p>
<p><strong>Big Data<br />
</strong></p>
<p>In the FTC&rsquo;s view, concerns about third-party data processing activities have been exacerbated by the changing character of data collection and use.  While DNT efforts were initially driven by the desire to offer consumers some protection from behavioral advertising, Brill now also sees DNT as a component of oversight of what has become known as &ldquo;Big Data.&rdquo;</p>
<p>Without necessarily referring to the practice as &ldquo;Big Data,&rdquo; the media has with some consistency attempted to understand it.  For example, a <a href="http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html">2010 Wall Street Journal study</a> found that websites had an average of 64 different tracking tools collecting information about site users.  With so many data points in hand, many data aggregation companies, a.k.a. data brokers, are able to pinpoint a user&rsquo;s identity and specific preferences without having any information traditionally considered as personally identifiable information.  Notably, Commissioner Brill has lamented that common de-identifying techniques involve no more than removing any references to name and address from collected data.  Websites store the unique identifier of the computer or mobile device used to access a website, devices that, Brill notes, are &ldquo;for all intents and purposes, linked to individuals.&rdquo;  <br />
Most recently, <a href="http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=all">The New York Times reported</a> that companies have engaged in the practice of collecting vast amounts of innocuous data on an individual in order to collect sensitive information about customers.  For instance, Target began tracking purchases from consumers to establish that they were pregnant, often within just two purchase cycles.  Subsequently, the company would include pregnancy-related advertisements in interactions with that consumer.</p>
<p>And thus Big Data can best be characterized as a state of mind, a realization of the enormous analytical potential to use data that has been and continues to be amassed about individuals to gain new levels of insight into consumer behavior.  Whether a prospective restaurateur wants to know whether to open a sushi bar in an upscale neighborhood and how to price the menu, or a store wants to know if a customer might be pregnant, Big Data is there to provide solutions.<br />
The FTC does not appear to view Big Data negatively (and it would be unwise to do so), but it wants the industry to play by the rules, <a href="http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/">including the rules the White House has articulated in its privacy report</a>.  Brill suggested that the government may need to provide heightened consumer protections against certain types of Big Data practices, particularly the aggregation of ostensibly innocuous data to determine sensitive information, such as health status, sexual orientation and financial status.</p>
<p>The FTC believes it has several tools at its disposal to attempt to rein in Big Data.  First, Brill has made it clear that she believes that collection or use of information for purposes articulated in the Fair Credit Reporting Act may well make the party engaging in the practices a consumer reporting agency under the FCRA, subjecting it to myriad restrictions on data use, disclosure, accuracy and security.  Brill has suggested that, for example, FCRA should apply to data scraped from social media if the data is used for FCRA purposes.</p>
<p>In addition, Brill wants Big Data to join in on a one stop shop DNT portal.  Brill does not suggest that consumers should have an opportunity to opt out of uses of their data covered by the FCRA (provided there is compliance), but she views as essential consumers&rsquo; ability to access and correct the data.   She would like all DNT technologies to work together to offer consumers a one stop shop to understand what information has been collected about them and the option to correct their information.  Brill also would like to see the portal offer a universal DNC option for the collection and use of consumer data for non-FCRA purposes that are not necessary to process transactions (i.e., marketing).</p>
<p>There has been <a href="http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/">enforcement activity</a> that can fairly be characterized as an attempt to rein in Big Data.  For example, <a href="http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/">the FTC successfully pressed Social Intelligence</a>, a company that collected and sold social media data for employment eligibility purposes, to admit that it is a consumer reporting agency subject to the FCRA.  In addition, the <a href="http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/">Equal Employment Opportunity Commission has taken steps</a> to seek to preclude companies from using credit report data in the employment process.  Further, a <a href="http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/">number of states have passed laws</a> that, with some exceptions, prohibit the use of credit reports in the employment process.  Consumer reporting is the precursor of modern Big Data and offers a preview of the regulatory climate that may impact this new industry.</p>
<p><strong>What&rsquo;s Next?</strong></p>
<p>Big Data is poised to expand.  The advent of the Smart Grid (which includes smart meters, smart appliances, electric/hybrid car charging stations and other elements of the utility infrastructure) will enable the collection of ever more precise and powerful information about consumer behavior.  Again, the Smart Grid has the potential to boost the U.S. economy, but as the consumer information flows into Big Data, regulators will want the industry to play by the rules.</p>
<p>While Big Data is in flux, there are things data companies can do: understand how the company processes data, contractual and legal limitations on the data processing, best practices (including those gleaned from FTC guidance and White House and FTC reports) and enforcement risks, and implement privacy controls that are consistent with the organization&rsquo;s business needs and risk comfort levels.  We know that the departure point for FTC&rsquo;s enforcement is privacy violations that the Commission perceives to be egregious.  Big Data companies that strive to process personal data in a fair and transparent manner should take some comfort that theirs would not be the first door on which the FTC knocks.</p>
<p>Finally, while the DNT debate is raging, companies have at their disposal many existing options to be proactive in ensuring that their online privacy practices are fair and transparent in the eyes of regulators and consumer advocacy groups (e.g., BBB and NAI advertising opt-out programs, website analytics opt-outs and other tools).  However the debate on DNT ultimately settles, companies can use these tools today to demonstrate their commitment to respecting consumers&rsquo; privacy choices.<br />
&nbsp;</p>]]></description>
<link>http://www.infolawgroup.com/2012/03/articles/data-privacy-law-or-regulation/ftc-looks-to-link-donottrack-big-data-privacy-concerns-seeks-solutions/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/data-privacy-law-or-regulation/ftc-looks-to-link-donottrack-big-data-privacy-concerns-seeks-solutions/</guid>
<category>Big Data</category><category>Brill</category><category>DNT</category><category>Data Privacy Law or Regulation</category><category>Do-Not-Track</category><category>FCRA</category><category>FTC</category><category>Nihar Shah</category><category>OBA</category><category>Privacy</category><category>Segalis</category><category>privacy enforcement</category><category>targeting</category><category>tracking</category>
<pubDate>Thu, 15 Mar 2012 11:39:51 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>EPIC Alleges Epic FTC Fail In Google Saga; We Review the Complaint</title>
<description><![CDATA[<p>On February 8, 2012, <a href="http://epic.org/privacy/ftc/google/consent-order.html">the Electronic Privacy Information Center (EPIC) asked</a>&nbsp; the Federal District Court for the District of Columbia to compel the Federal Trade Commission (FTC) to enforce the terms of the agency&rsquo;s <a href="http://www.infolawgroup.com/2011/04/articles/enforcement/ftc-takes-a-big-step-in-privacy-enforcement-with-google-buzz-settlement/">Google Buzz&nbsp; privacy settlement</a> with Google. EPIC seeks to compel the FTC to stop Google&rsquo;s planned consolidation of user data from across the company&rsquo;s services into a single profile for each user under a single privacy policy.  EPIC has alleged that the proposed changes and the way Google seeks to implement the changes violate the Google Buzz consent order. The District Court will hear the case before March 1, 2012.</p>]]><![CDATA[<p><a href="http://epic.org/privacy/ftc/google/EPIC-Complaint-Final.pdf">EPIC&rsquo;s Complaint</a></p>
<p>In the complaint and the accompanying memorandum, EPIC alleges that the manner in which Google changed its privacy practices violated the FTC Google Buzz consent order, and that the FTC has failed to take action to hold Google to the privacy commitments the company made in that settlement agreement.</p>
<p>EPIC has identified several core mandates of the Google Buzz consent order that it alleges Google has violated:</p>
<ul>
    <li>Prohibition against misrepresenting the extent to which Google (1) maintains and protects the privacy and confidentiality of the information that the company collects about individuals, and (2) complies with privacy and security programs, such as the U.S.-EU Safe Harbor Framework;</li>
</ul>
<ul>
    <li>Requirement that any deviations from Google&rsquo;s then current third party data sharing practices that result from a change or addition to a service must be subject to user notice and consent; and</li>
</ul>
<ul>
    <li>Requirement to implement a privacy program reasonably designed to protect the privacy and confidentiality of the information that Google collects about individuals.</li>
</ul>
<p>EPIC alleges that Google has violated the Google Buzz consent order by:</p>
<ul>
    <li>Misrepresenting the extent to which the company maintains and protects the privacy and confidentiality of user information.  Specifically, EPIC alleges that Google&rsquo;s announcement fails to disclose or adequately explain that user data will be consolidated for the purposes of benefiting advertisers through improved targeting of users.  EPIC appears to allege that the alleged expansion of behavioral advertising activities should be subject to users&rsquo; express affirmative consent.</li>
</ul>
<ul>
    <li>Failing to obtain affirmative consent from users prior to sharing their information with third parties.  Specifically, EPIC has alleged that changes in Google&rsquo;s privacy practices will make it possible for advertisers to access personal information which was previously unavailable to them.  Thus, according to EPIC, Google will share new or additional information with third party advertisers without first obtaining express affirmative consent from Google users, in violation of the Google Buzz consent order.</li>
</ul>
<ul>
    <li>Misrepresenting the extent to which Google complies with the U.S.-EU Safe Harbor Framework.  EPIC makes this allegation based on the assertion that European regulators have strongly questioned Google&rsquo;s compliance with European data protection laws.  It appears that EPIC implies that Google cannot be in compliance with the Safe Harbor if the company's compliance with European data protection laws is being questioned by regulators.</li>
</ul>
<ul>
    <li>Failing to comply with the consent order&rsquo;s requirement to maintain a comprehensive privacy program.  Specifically, EPIC alleged that in the Google Buzz consent order the FTC required Google to maintain a privacy program in response to Google's improper combining of user data from different company services.  EPIC argues that Google&rsquo;s present plans are inconsistent with the mandated comprehensive privacy program, which should have prevented precisely the type of data combination Google seeks to accomplish now.</li>
</ul>
<p>To demonstrate the harm, EPIC uses Google email (Gmail) as an example, alleging that Gmail users will not be able to keep separate from other Google services the personal information they provided to Google for the sole purpose of using the email service.  EPIC supports this allegation by quoting from Google's official blog: &ldquo;In short, we&rsquo;ll treat you as a single user across all our products . . . .&rdquo;</p>
<p><strong>Google&rsquo;s Response</strong></p>
<p>Google has responded to EPIC&rsquo;s allegations through various news outlets.  For example, <a href="http://www.webpronews.com/google-responds-to-epic-lawsuit-2012-02">WebproNews</a> reports that, when asked to comment on EPIC's complaint, Google has taken the position that the company:</p>
<ul>
    <li>Takes privacy very seriously and is open to engaging in constructive conversations about its updated privacy policy;</li>
</ul>
<ul>
    <li>Is keeping users&rsquo; private information private;</li>
</ul>
<ul>
    <li>Is not changing how any personal information is shared outside of Google;</li>
</ul>
<ul>
    <li>Has undertaken the most extensive notification effort in Google&rsquo;s history to ensure that users have many opportunities and ample time to learn about privacy policy changes;</li>
</ul>
<ul>
    <li>Is continuing to offer choice and control over how people use Google services; and</li>
</ul>
<ul>
    <li>Has created a world-class privacy compliance program.</li>
</ul>
<p><strong>InfoLawGroup Says</strong></p>
<p>The reaction to Google's announcement suggests that society's level of awareness of privacy issues continues to increase.  The result of this awareness is pressure on businesses to maintain fair and transparent privacy practices. This pressure can take various forms, such as &quot;shaming&quot; by the media and consumer advocates, hearings and negative statements by legislators, new guidance or enforcement by regulators, or, as is the case here, private efforts to compel the FTC to act.</p>
<p>Despite these developments, in-house data protection counsel continue to face challenges convincing their internal clients that privacy matters.&nbsp; More and more, however, they are able to point to the enforcement actions, negative publicity avalanches, and unwelcome attention from legislators and regulators to bring home the risks associated with mismanaging privacy.&nbsp; We are also noticing that business customers are compelling their service providers and business partners to ensure that the privacy practices relevant to the business relationship are appropriate.</p>
<p>Our law clerk, Michael Murray, assisted in the preparation of this post.</p>]]></description>
<link>http://www.infolawgroup.com/2012/02/articles/enforcement/epic-alleges-epic-ftc-fail-in-google-saga-we-review-the-complaint/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2012/02/articles/enforcement/epic-alleges-epic-ftc-fail-in-google-saga-we-review-the-complaint/</guid>
<category>Buzz</category><category>EPIC</category><category>Enforcement</category><category>FTC</category><category>FTC Act</category><category>Google</category><category>InfoLawGroup</category><category>Privacy</category><category>Privacy Policy</category><category>Section 5</category><category>Segalis</category><category>consent</category><category>information law group</category><category>privacy enforcement</category>
<pubDate>Mon, 13 Feb 2012 10:25:22 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>FTC Takes on Super Cookies</title>
<description><![CDATA[<p>On November 8, 2011, the Federal Trade Commission <a href="http://www.ftc.gov/opa/2011/11/scanscout.shtm">announced</a> that an online advertiser, ScanScout, agreed to settle FTC charges that it deceptively used &quot;Flash&quot; cookies (also known as super cookies) to track consumers online.</p>
<p>As explained by <a href="http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/">Wired</a>,   unlike traditional browser cookies, Flash cookies are not controlled  by  privacy controls in a Web browser. That means that even  if a  user adjusts browser settings to clear the computer of tracking   objects, Flash cookies most likely will remain.</p>]]><![CDATA[<p><strong>FTC Allegations</strong></p>
<p>According to the FTC, ScanScout is an advertising network  that places  video ads on websites for advertisers. ScanScout engages in  behavioral  advertising &ndash; it collects information about consumers&rsquo; online   activities and then serves video ads targeted to their interests.</p>
<p>The FTC alleged that ScanScout deceptively claimed that consumers  could opt out of receiving targeted ads by changing their computer&rsquo;s Web  browser settings to block cookies. Specifically, ScanScout's privacy  policy stated that:</p>
<blockquote>
<p>General user data, such as your computer&rsquo;s Internet Protocol (IP) address, operating system and browser type, pages you visited, and the date and time of your visit, is automatically collected through the use of &ldquo;cookies&rdquo;. Cookies are small files that are stored on your computer by a website to give you a unique identification. Cookies also keep track of services you have used, record registration information regarding your login name and password, record your preferences and keep you logged into the Site. <em><strong>You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.</strong></em> Since each web browser is different, we recommend that you please look through your browser &ldquo;Help&rdquo; file to learn the correct way to modify your cookies set-up. . . We may use automatically collected information and cookies information for a number of purposes, including but not limited to. . . provide custom, personalized content, and information; monitor the effectiveness of our marketing campaigns. . . (emphasis added)</p>
</blockquote>
<p>According  to the FTC, however, ScanScout actually used Flash cookies that users could not block by adjusting their Web browser  settings. The FTC alleged that ScanScout's representations that consumers  could prevent ScanScout from collecting data about their online  activities by changing their browser settings were false or misleading  and constituted deceptive acts or practices in or affecting commerce in  violation of Section 5(a) of the Federal Trade Commission Act.</p>
<p><strong>Settlement</strong></p>
<p>The settlement imposes a number of requirements on ScanScout. Specifically, the settlement:</p>
<ul>
    <li>Prohibits the company from misrepresenting (1) the extent to which it collects, uses or discloses data about users or their online activities, (2) the extent to which users may exercise control over the collection, use or disclosure of data collected from or about them, their computers or devices or their online activities.</li>
</ul>
<ul>
    <li>Requires the company to take a number of steps to improve the transparency of, and users&rsquo; ability to control, its collection of user data for online behavioral advertising, including by implementing a mechanism that allows users to prevent ScanScout from: (1) collecting information that can be associated with users or contains a unique identifier, (2) redirecting users' browsers to third parties that collect data, absent a user's affirmative action, and (3) associating any previously collected data with them. Users' preferences must remain in effect for a minimum of five years.</li>
</ul>
<ul>
    <li>Requires the company to disclose: (1) that it collects information about users&rsquo; activities on certain websites to deliver targeted ads, (2) that, when users opt out, the company will not collect this information to deliver such ads, (3) users&rsquo; current preference, and (4) any circumstances that, if initiated by the user, would disable the mechanism or require the user to implement the mechanism again to maintain the preference (i.e., if a user switches browsers or devices, or deletes cookies, the user will have to opt out again).</li>
</ul>
<ul>
    <li>Requires the company, within or immediately adjacent to any behaviorally targeted display advertisement that the company serves, to include a hyperlink that takes users directly to the required choice mechanism.</li>
</ul>
<ul>
    <li>Because technical limitations currently prevent ScanScout from embedding  a hyperlink in all of its video ads, the order requires the company to  undertake reasonable efforts to develop and implement a hyperlink in its  video ads and to report regularly to the FTC on its progress.</li>
</ul>
<p>The settlement also requires ScanScout to retain documents relating to its compliance with the consent order and to disseminate the order to all current and future principals, officers, directors, managers, employees, agents, and representatives having supervisory responsibilities relating to the subject matter of the order. As is typical for FTC enforcement actions, the order will remain in force for 20 years.</p>
<p><strong>Our Take</strong></p>
<p>The FTC is proving to be an increasingly nimble privacy enforcer, with ever shorter news story-to-enforcement action cycles. This approach is consistent with the FTC's stated commitment to take enforcement actions in the areas where the agency believes there is significant non-compliance.</p>]]></description>
<link>http://www.infolawgroup.com/2011/11/articles/enforcement/ftc-takes-on-super-cookies/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/11/articles/enforcement/ftc-takes-on-super-cookies/</guid>
<category>Enforcement</category><category>FTC Act</category><category>InfoLawGroup</category><category>Privacy</category><category>Section 5</category><category>Segalis</category><category>flash cookies</category><category>information law group</category><category>privacy enforcement</category><category>scanscout</category>
<pubDate>Wed, 09 Nov 2011 18:23:43 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>NLRB Holds &quot;Facebook&quot; Firing Justified on Alternative Grounds, but Finds Policy Unlawful</title>
<description><![CDATA[<p>As we have <a href="http://www.infolawgroup.com/admin/mt-xsearch.cgi?blog_id=998&amp;search_key=keyword&amp;search=NLRB&amp;Search.x=45&amp;Search.y=-14">discussed on our blog</a>, the <a href="https://www.nlrb.gov/">National Labor Relations Board (NLRB)</a> has continued a campaign of enforcement actions against employers who, according to the NLRB, have unlawfully terminated employees for discussing working conditions on social media. As we reported, in <a href="http://www.infolawgroup.com/2011/09/articles/enforcement/nonprofit-must-rehire-employees-axed-for-facebook-complaints/">the first of such &ldquo;Facebook&rdquo; enforcement actions</a> to come before an NLRB administrative judge,  the employer was ordered to reinstate five employees and to pay back their wages.</p>
<p>On September 28, 2011, in <a href="http://mynlrb.nlrb.gov/link/document.aspx/09031d4580683b21">the second &ldquo;Facebook&rdquo; case</a> to reach an NLRB administrative judge, an employer was found to have been justified in terminating an employee car salesman for Facebook postings that mocked the employer and did not concern working conditions.</p>]]><![CDATA[<p><strong>NLRB Allegations</strong></p>
<p>In this proceeding, the NLRB alleged that the employer &ndash; a car dealership &ndash; fired a salesman in violation of the <a href="https://www.nlrb.gov/national-labor-relations-act">National Labor Relations Act  (NLRA)</a> for criticizing on Facebook the quality of a dealership sales event.  According to the NLRB complaint, the dealership held a sales event to promote a new vehicle model.  After the event, the salesman posted photos and commentary on his Facebook page mocking the dealership for serving hot dogs and bottled water at a sales event for a luxury car. Other employees had access to and commented on the Facebook page. The NLRB alleged the dealership managers fired the salesman after they learned of his critical Facebook posts. The NLRB argued that the firing violated Section 8(a)(1) of the NLRA, which deems it an unfair labor practice for an employer to interfere with, restrain, or coerce an employee in the exercise of the employee&rsquo;s NLRA Section 7 right to engage in &ldquo;concerted activities for the purpose of collective bargaining or other mutual aid or protection.&rdquo;</p>
<p>The dealership argued, however, that it terminated the salesman not for criticizing the sales event, but rather for posting on Facebook pictures of &ldquo;bloopers&rdquo; from another dealership owned by the salesman&rsquo;s employer. The pictures showed a customer&rsquo;s 13-year-old son driving a brand new luxury SUV from the dealership into a pond, which the salesman captioned as &ldquo;This is your car: This is your car on drugs.&rdquo;</p>
<p><strong> Decision</strong></p>
<p style="margin-left: 40px;"><em><strong>Dealership Sales Event</strong></em></p>
<p>The judge agreed with the NLRB that the salesman&rsquo;s Facebook posts criticizing the sales event were protected by Section 7 of the NLRA in part because the employees expressed their concerns before the salesman posted the event-related photos and commentary on Facebook. The judge reasoned that &ldquo;[t]he lone act of a single employee is concerted if it &lsquo;stems from&rsquo; or &lsquo;logically grew&rsquo; out of prior concerted activity.&rdquo; The judge also found that the inadequate refreshments offered at the sales event, &ldquo;could have had an effect on [the salesman&rsquo;s] compensation,&rdquo; deeming them an appropriate object of discussion.  In finding the activity protected, the judge was undeterred by the posts&rsquo; &ldquo;mocking and sarcastic tone,&rdquo; noting that the NLRB&rsquo;s <a href="http://mynlrb.nlrb.gov/link/document.aspx/09031d45800ba42a">general position</a> is that &ldquo;unpleasantries uttered in the course of otherwise protected concerted activity do not strip away the [NLRA&rsquo;s] protection.&rdquo;</p>
<p style="margin-left: 40px;"><em><strong>SUV in the Pond</strong></em></p>
<p>The judge, however, ruled that the firing was nevertheless justified because the salesman&rsquo;s Facebook posts depicting the luxury SUV in a pond were not entitled to NLRA protection.  The judge found that the salesman posted about the accident &ldquo;as a lark&rdquo; without any discussion with other employees and, more importantly, the posts had no connection to any of the terms and conditions of the salesman&rsquo;s employment.  Based on testimony from both parties, the judge determined that the dealership fired the employee solely for the accident-related posts and, therefore, did not violate the NLRA.</p>
<p style="margin-left: 40px;"><em><strong>Employee Policy</strong></em></p>
<p>The judge also ruled on the NLRB&rsquo;s allegation that the dealership&rsquo;s employee policy provisions were overly broad in violation of the NLRA.  The NLRB challenged the policy&rsquo;s statements that:  (a) &ldquo;[a] bad attitude creates a difficult working environment and prevents the [d]ealership from providing quality service to our customers&rdquo; and (b) &ldquo;[n]o one should be disrespectful or use profanity or any other language which injures the image or reputation of the [d]ealership.&rdquo; Paragraphs (c) and (d) broadly prohibited employees from participating in interviews or responding to inquiries concerning employees.</p>
<p>The judge held that paragraph (a) was lawful, as it &ldquo;would reasonably be read to protect the relationship between [the dealership] and its customers, rather than to restrict the employees&rsquo; [NLRA] Section 7 rights.&rdquo;  Noting that the dealership sold luxury cars, the judge held that &ldquo;a dealer in that situation &hellip; has the right to demand that its employees not display a bad attitude toward its customers.&rdquo;</p>
<p>The judge agreed with the NLRB that paragraph (b) was unlawful because it could reasonably be interpreted as curtailing Section 7 rights.  The judge cited <a href="http://mynlrb.nlrb.gov/link/document.aspx/09031d45800c0d83">NLRB precedent</a> finding unlawful a similar employer-created rule that prohibited &ldquo;insubordination &hellip; or other disrespectful conduct&rdquo; because it chilled employee rights.</p>
<p>As for paragraphs (c) and (d), the judge stated that if employees complied with these restrictions, &ldquo;they would not be able to discuss their working conditions with union representatives, lawyers, or Board agents.&rdquo; The judge held that paragraphs (c) and (d) were clearly unlawful as they explicitly restricted activities protected by Section 7 of the NLRA.</p>
<p>Although the dealership had rescinded paragraphs (a) through (d) of its employee policy prior to the hearing, the judge held that simply rescinding the provisions was insufficient to relieve the dealership of liability.  Accordingly, the dealership was ordered to post a notice informing employees of their right to engage in protected concerted activity.</p>
<p><strong>Our Take</strong></p>
<p>While ultimately favorable for the employer, the decision in this second Facebook firing case is consistent with the positions on employee rights that the NLRB has articulated in its recent enforcement actions. Another important takeaway from the decision is the judge&rsquo;s finding that policies that chill employees&rsquo; rights under Section 7 of the NLRA are unlawful on their face, regardless of whether an employer actually enforces the policy or the manner in which the policy is enforced.  This ruling further emphasizes the importance of reviewing and, as appropriate, revising employee policies to ensure consistency with the NLRB social media guidance.</p>]]></description>
<link>http://www.infolawgroup.com/2011/11/articles/enforcement/nlrb-holds-facebook-firing-justified-on-alternative-grounds-but-finds-policy-unlawful/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/11/articles/enforcement/nlrb-holds-facebook-firing-justified-on-alternative-grounds-but-finds-policy-unlawful/</guid>
<category>Boris</category><category>Enforcement</category><category>Facebook</category><category>InfoLawGroup</category><category>NLRA</category><category>NLRB</category><category>National Labor Relations Act</category><category>National Labor Relations Board</category><category>Privacy</category><category>Segalis</category><category>Workplace Privacy</category><category>data</category><category>information law group</category><category>protection</category><category>social media</category>
<pubDate>Thu, 03 Nov 2011 09:38:52 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Restrictions on Use of Consumer Reports in Hiring Process Enacted in California</title>
<description><![CDATA[<p>On October 10, 2011, Governor Brown <a href="http://www.aroundthecapitol.com/billtrack/text.html?bvid=20110AB2295ENR">signed into law a bill, AB22,</a> that restricts the use of consumer credit reports in the hiring and promotion process.&nbsp;</p>
<p>The law prohibits employers, with the exception of certain financial institutions, from obtaining a consumer credit report on the candidate or employee unless the position that the individual is seeking is:</p>
<ul>
    <li>A position in the California Department of Justice;</li>
    <li>A managerial position, as defined in the statute;</li>
    <li>That of a sworn peace officer or other law enforcement position;</li>
    <li>A position for which the information contained in the report is required by law to be disclosed or obtained;</li>
    <li>A position that involves regular access to certain personal information for any purpose other than the routine solicitation and processing of credit card applications in a retail establishment;</li>
    <li>A position in which the individual is or would be a named signatory on the employer's bank or credit card account, or authorized to transfer money or enter into financial contracts on the employer's behalf;</li>
    <li>A position that involves access to confidential or proprietary information; or</li>
    <li>A position that involves regular access to $10,000 or more of cash.</li>
</ul>
<p>The law also requires employers to provide individuals with a written notice identifying the specific exception in the statute that permits the employer to obtain a report.</p>
<p>Assembly member Mendoza, who sponsored the bill, stated that &ldquo;a  credit report is not a good indicator of a person&rsquo;s trustworthiness or  work ethic.&rdquo; &ldquo;Many Californians are still experiencing financial  hardships from the economic downturn including layoffs, increasing  unemployment rates, and the continuing foreclosure crisis. All of these  things make it harder for people to pay their bills,&rdquo; added Mendoza.&nbsp;The Assembly member's statement echoes the view expressed by the Equal Employment Opportunity Commission (EEOC), which <span id="more">signaled that it believes that employers are  denying jobs to applicants with damaged credit histories in cases where  creditworthiness does not appear to be directly relevant to the job.</span></p>
<p>California follows <span id="more">Illinois and Oregon, <a href="http://www.infolawgroup.com/2011/01/articles/enforcement/employee-privacy-gains-in-the-united-states/">which enacted in 2010 legislation</a> that  limits the use of credit reports for employment purposes. </span><a href="http://www.ncsl.org/?tabid=22043">Maryland</a> and <a href="http://www.cga.ct.gov/2011/ACT/PA/2011PA-00223-R00SB-00361-PA.htm ">Connecticut</a> enacted similar legislation in April and July 2010, respectively. Similar laws  are in place in Hawaii and Washington and are being considered in  Illinois, Michigan, Missouri, New Jersey, New  York, Ohio, Oklahoma, South Carolina, Vermont and Wisconsin. In  addition, in December 2010, the EEOC <a href="http://www.eeoc.gov/eeoc/newsroom/release/12-21-10a.cfm"> filed an action</a> accusing an employer of discriminating against minority job applicants in the hiring process on the basis of using the  applicants&rsquo; credit histories.&nbsp; The EEOC has sought injunctive relief in its lawsuit, as well as lost wages and benefits and offers of employment for people who EEOC&nbsp;alleges were not hired because of the employer's use of job applicants&rsquo; credit history.</p>
<p><strong><u><span>InfoLawGroup Takeaway</span></u></strong><span> </span></p>
<p><span>With the wind blowing at the state and federal levels against the use of consumer reports for employment purposes</span>, employers should review their HR policies to ensure that they collect consumer report information only in accordance with state and federal requirements.&nbsp; Employers also are well-advised to obtain consumer reports only when necessary to evaluate the fitness of a candidate or existing employee for the position the individual is seeking.</p>]]></description>
<link>http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/</guid>
<category>AB22</category><category>Boris Segalis</category><category>EEOC</category><category>InfoLawGroup</category><category>Law</category><category>Privacy Law</category><category>Tanya Forsheit</category><category>Workplace Privacy</category><category>consumer credit report</category><category>credit report</category><category>employee privacy</category><category>group</category><category>information</category>
<pubDate>Mon, 10 Oct 2011 14:00:45 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Israeli Court Rejects a Forum Selection Clause in Clickwrap Agreement</title>
<description><![CDATA[<p><a href="http://www.linkedin.com/pub/omer-tene/3/b36/a86">Omer Tene, Managing Director, Tene &amp; Associates</a> is reporting on the court's decision:</p>
<p>In a highly important decision, the Tel Aviv District Court annulled a forum selection clause in a clickwrap contract, holding the user was not sufficiently aware of the choice of foreign forum or of the fact he was contracting with a foreign company; and had not clearly consented to such choice.</p>]]><![CDATA[<p>In the case, Civ. (Tel Aviv) 1963-05-11 <em>Malka v. Ava Financial</em>,  defendants moved for summary judgment against the plaintiff, user of  their foreign exchange trading platform, on the basis of an English  forum selection clause in a clickwrap contract. Plaintiff sued  defendants for conflicts of interest and multiple violations of Israel&rsquo;s  financial trading regulations. Defendants, most of whom are Israeli  residents, argued that the plaintiff entered into a contract with a  British Virgin Islands company choosing English law and venue for any  future litigation.</p>
<p>Plaintiff argued that the forum selection  clause was &ldquo;hidden&rdquo; in an online contract whose terms he never read. In  addition, he argued that such choice constitutes an &ldquo;unfair term&rdquo; in a  contract of adhesion under the Standard Form Contract Act, 1982. Israeli  Courts have broad powers to uphold, strike out, or amend unfair clauses  in standard contracts (&ldquo;blue pencil rule&rdquo;). The Standard Form Contract  Act enumerates a list of contractual provisions which are presumptively  unfair, including unreasonable or unilateral forum selection (but not  choice of law).</p>
<p>The court rejected the defendants&rsquo; reliance on the  forum selection clause, effectively establishing Israeli jurisdiction  over the case. An important factual holding is that  plaintiff did not personally set up his online account on the  defendants&rsquo; platform, but rather had it set up by an agent of the  defendants. Consequently, plaintiff&rsquo;s assertion of lack of knowledge of  or consent to the forum selection clause held sway.</p>
<p>Regardless of  the fact-specific holding, certain statements of the court are extremely  important for non-Israeli companies entering into clickwrap or  browsewrap agreements with Israeli customers. The court (Judge Ruth  Ronen) stated that while &quot;non est factum&quot; arguments with respect to  signed agreements must be interpreted restrictively, a party relying on a  contract must produce a signed document evidencing the counterparty&rsquo;s  agreement. In an online setting, a party&rsquo;s intent to enter into a  contract can be established by showing that such party was informed of  (i.e., read) the terms of the agreement and actively expressed his  consent to be bound by them.</p>
<p>The court held that clickwrap  agreements better evidence a consumer&rsquo;s consent than browsewrap  agreements. If clicking on a link is required to view the terms of the  contract, such link must be featured prominently for consumers to see.  (The court even states that in the online environment, viewing  additional linked documents is easier than in the offline world).</p>
<p>The  court held that a foreign forum selection clause is acceptable only  where one of the parties to the agreement is non-Israeli (i.e., a  contract between strictly Israeli parties should not point to a foreign  forum). In this case, the court held (based on its factual holding  above), that the plaintiff was not informed of and did not intend to  agree to selection of a foreign forum. The court added that had the  plaintiff agreed to such selection, defendants would still need to cross  the hurdle of the Standard Contract Act; yet given the English choice  of law clause, they would have been able to try to prove that under  English law, a mechanism similar to Israel&rsquo;s Standard Contract Act did  not exist. Reading between the lines, it is evident that the court is  readier to heed a foreign choice of law clause (the court assumes it  would be enforceable in the present case) than a foreign forum selection  provision.</p>
<p>This is an interesting case &ndash; another in a long line  of jurisprudence, in Israel and abroad, discussing the enforceability of  clickwrap contracts generally, and foreign choice of law and forum  selection clauses in particular.</p>]]></description>
<link>http://www.infolawgroup.com/2011/09/articles/enforcement/israeli-court-rejects-a-forum-selection-clause-in-clickwrap-agreement/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/09/articles/enforcement/israeli-court-rejects-a-forum-selection-clause-in-clickwrap-agreement/</guid>
<category>Ava Financial</category><category>Enforcement</category><category>InfoLawGroup</category><category>Israel</category><category>Malka</category><category>browserwrap</category><category>clickwrap</category><category>ecommerce</category><category>forum selection</category>
<pubDate>Fri, 23 Sep 2011 08:29:44 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>We Discuss Benefits of Federal Information Security Legislation on Fox</title>
<description><![CDATA[<p>Earlier this week we <a href="http://www.infolawgroup.com/2011/09/articles/privacy-law/blumenthal-bill-bumps-up-big-fines-for-data-thefts-and-security-breaches/">blogged</a> about Senator Blumenthal's (D-CT) proposed&nbsp;Personal Data Protection and Breach Accountability Act of 2011. Today, InfoLawGroup partner Boris Segalis spoke on Fox Live about the advantages of federal information security legislation.&nbsp;</p>
<p><iframe width="300" height="198" frameborder="0" allowfullscreen="" src="http://www.youtube.com/embed/VvoCQgyv5iQ"></iframe></p>]]></description>
<link>http://www.infolawgroup.com/2011/09/articles/information-security/we-discuss-benefits-of-federal-information-security-legislation-on-fox/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/09/articles/information-security/we-discuss-benefits-of-federal-information-security-legislation-on-fox/</guid>
<category>Blumethal</category><category>Breach</category><category>InfoLawGroup</category><category>Information Security</category><category>Personal Data Protection and Breach Accountability Act</category><category>Privacy</category><category>Segalis</category><category>data security</category><category>information law group</category><category>privacy legislation</category>
<pubDate>Wed, 14 Sep 2011 14:00:00 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Israel Slated for Trial of Biometric National IDs</title>
<description><![CDATA[<p><a href="http://www.pczlaw.com/professionals/dan_or_hof/">Dan Or-Hof</a>, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer is reporting that new <a href="http://www.justice.gov.il/NR/rdonlyres/BA15FA5E-10B8-43B5-9444-92FC902363D4/29595/7025.pdf">regulations and orders</a> introduced by Israel's Ministers Committee for Biometric Applications set the ground for a two-year biometric IDs issuance trial period. The Ministry of Home Affairs is making final preparations to start issuing the IDs that will contain encoded fingerprints and facial image, and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has failed to yield a positive result so far.</p>]]><![CDATA[<p>In December 2009, the Israeli parliament (the 'Knesset') enacted the  <a href="http://www.law.co.il/media/computer-law/biometric_law.pdf ">Biometric Identifiers and Biometric Data Inclusion in Identification  Documents and a Database Act</a> (The &quot;Biometric Data Act&quot;). The act is  meant to tackle large-scale loss and theft of identification cards and  passports, later used by criminals and terrorists.</p>
<p>The Biometric Data Act is far-reaching. Following a two-year trial  period, every citizen will be compelled to provide two fingerprint  samples and a facial photograph, to be digitally stored in a national  database and on chips embedded in passports and national IDs (National  IDs are mandatory in Israel for citizens over the age of 16). The  digital ID will also carry a certified electronic signature to be used  as a substitute for regular signatures in execution of transactions.</p>
<p>The biometric database is not made solely to manage the  identification of ID and passport applications. It will also serve as a  valuable source of information for law enforcement agencies, under the  supervision of a new authority that the Ministry of Home Affairs  established specifically for that purpose.</p>
<p>The act as a whole, and specifically the biometric database, raise  significant concerns. Privacy advocates urged the Home Office to  reevaluate the potentially grave risks to information security and  privacy that the database poses, including the irreversibility of biometric  data loss and the public's general mistrust in the government's ability  to secure the database. A proposal to transform the database into a  blurred set-base that will enhance security and privacy was recently  offered by Prof. Adi Shamir, a well-known cryptographer. The Law  Information and Technology Authority (ILITA) backed Prof. Shamir's  proposition; however, the government eventually rejected it.</p>
<p>The new regulations under the Biometric Data Act include a set of  procedures for issuing a biometric ID, taking fingerprints and facial  images from applicants, encrypting and securing the data and  transferring data between authorities.</p>
<p>A governmental order accompanies the regulations and sets specific  rules for the two-year trial period. During this period, which starts in  November 2011, biometric IDs will be issued to Israeli citizens, subject  to their written and signed consent. At the end of the trial period,  professional auditors will evaluate the extent of the trial's success  under a set of predetermined parameters and feedback from applicants.  Unless the Ministry of Home Affairs decides otherwise in light of the  trial's results and public debate, the Biometric Data Act will come into  full effect at the end of the trial period, and all citizens will have to  provide their biometric data at that time for inclusion in their IDs and  passports.</p>]]></description>
<link>http://www.infolawgroup.com/2011/09/articles/international-2/israel-slated-for-trial-of-biometric-national-ids/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/09/articles/international-2/israel-slated-for-trial-of-biometric-national-ids/</guid>
<category>Biometric Data Act</category><category>Dan Or-Hof</category><category>InfoLawGroup</category><category>International</category><category>Israel</category><category>Privacy</category><category>biometric</category><category>data protection</category><category>information law group</category>
<pubDate>Thu, 08 Sep 2011 07:34:48 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Russia Data Protection Enforcement Update - Administrative Charges Follow Breach</title>
<description><![CDATA[<p>It is <a href="http://www.gazeta.ru/news/lastnews/2011/09/01/n_1990913.shtml">being reported</a> that Moscow prosecutors conducted an investigation into whether several websites that were involved in data breaches earlier this year violated the country&rsquo;s data protection law.  As a result of the breaches, names, contact information and order histories of Internet magazine subscribers (including adult-themed publications) became available on Internet search engines, including Russian-language <a href="http://www.yandex.ru/">Yandex</a>.  Without naming the websites, the report states that the prosecutors have filed administrative charges against two Internet magazines as a result of the investigation.</p>
<p>This is at least the second in a recent string of high profile data breaches in Russia. We <a href="http://www.infolawgroup.com/2011/07/articles/international-2/russia-amends-federal-data-protection-law-privacy-enforcement-on-the-rise/">previously reported</a> about a data breach that resulted in public disclosure (including on Yandex) of personal information and text messages of the customers of Megafon, a major Russian mobile provider.  On August 30, <a href="http://www.gazeta.ru/business/2011/08/30/3749257.shtml">a Moscow court determined</a> that the breach violated the country&rsquo;s communications laws and ordered Megafon to pay a fine of 30,000 rubles.</p>
<p>Although the fine levied against Megafon is relatively small (approximately $1,000 in US dollars), the string of data breach actions appears to mark a new era in data protection enforcement in Russia.&nbsp; While the country's data protection law continues to face criticism at home as unworkable, federal agencies appear to be moving forward aggressively to enforce the law.</p>]]></description>
<link>http://www.infolawgroup.com/2011/09/articles/enforcement/russia-data-protection-enforcement-update-administrative-charges-follow-breach/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/09/articles/enforcement/russia-data-protection-enforcement-update-administrative-charges-follow-breach/</guid>
<category>Boris</category><category>Breach</category><category>Enforcement</category><category>InfoLawGroup</category><category>Megafon</category><category>Privacy</category><category>Russia</category><category>Segalis</category><category>Yandex</category><category>data breach</category><category>data protection</category><category>information law group</category><category>information security breach</category><category>privacy enforcement</category>
<pubDate>Thu, 01 Sep 2011 07:35:30 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>NLRB Report Reviews Social Media Enforcement Actions</title>
<description><![CDATA[<p>On August 18, 2011, the Associate General Counsel of the National Labor Relations Board (&ldquo;NLRB&rdquo; or the &ldquo;Board&rdquo;) <a href="http://www.nlrb.gov/news/acting-general-counsel-releases-report-social-media-cases">issued a report</a> analyzing the Board&rsquo;s recent social media enforcement actions.  The report seeks to provide guidance to employers that want to ensure that their social media policies appropriately balance employee rights and company interests.</p>]]><![CDATA[<p>As we have <a href="http://www.infolawgroup.com/admin/mt-xsearch.cgi?blog_id=998&amp;search_key=keyword&amp;search=NLRB&amp;Search.x=45&amp;Search.y=-14">discussed on our blog</a>, the NLRB has been very active since late 2010 in enforcing employees&rsquo; rights to discuss working conditions through social media.  The Board's numerous enforcement actions have focused on employees&rsquo; work-related statements on social media platforms such as Facebook, Twitter and YouTube.  The enforcement actions have addressed employees&rsquo; social media activities in the context of their rights under Section 7 of the National Labor Relations Act to engage in &ldquo;concerted activities for the purpose of collective bargaining or other mutual aid or protection.&rdquo; Employers may not discipline or terminate employees (either unionized or non-unionized) for exercising their Section 7 rights.</p>
<p>The report suggests that the NLRB views as protected a broad scope of social media activity that addresses working conditions.  It also suggests that the Board sets a low threshold for finding that such activity is &ldquo;concerted&rdquo; &ndash; i.e., &ldquo;undertaken with or on the authority of other employees, and not solely by and on behalf of the employee himself.&rdquo;  While each enforcement action represents a unique set of circumstances, generally, the NLRB has found employees&rsquo; social media activity to be protected when the statements expressed employees&rsquo; sentiment about working conditions, whether or not the actual postings involved one or more employees.  Examples of activities the Board deemed protected include discussions on social media that implicated working conditions and that were initiated by one coworker in an appeal to other coworkers for assistance; postings provoked by a supervisor&rsquo;s allegedly unlawful activity; and postings that vocalized employees' sentiment about working conditions that the employees expressed in off-line conversations, even where coworkers did not post comments to the initial post by one of the employees.</p>
<p>The report also sets out various employee social media policy provisions that the NLRB found to infringe on employees&rsquo; Section 7 rights.  According to the report, the NLRB may view as unlawful (often because the Board viewed them as overly broad) social media policies that:</p>
<ul>
    <li>Prohibit employees from posting pictures of themselves in any media, including the Internet, which depict the company in any way, including posting featuring a company uniform or corporate logo;</li>
</ul>
<ul>
    <li>Prohibit employees from making disparaging comments when discussing the company or the employees' superiors, coworkers or competitors;</li>
</ul>
<ul>
    <li>Generally prohibit, in the application to social media, offensive conduct and rude or discourteous behavior;</li>
</ul>
<ul>
    <li>Prohibit inappropriate discussions about the company, management or coworkers;</li>
</ul>
<ul>
    <li>Prohibit any use of social media that may violate, compromise or disregard the rights and reasonable expectations as to privacy and confidentiality of any person or entity;</li>
</ul>
<ul>
    <li>Prohibit any communications or posts that constitute embarrassment, harassment or defamation of the employer or its employees, officers, board members, representatives or staff members;</li>
</ul>
<ul>
    <li>Prohibit statements that lack truthfulness or might damage the reputation or goodwill of the employer, its staff or employees;</li>
</ul>
<ul>
    <li>Prohibit employees on their own time from using social media to talk about company business, from posting anything that they would not want their manager or supervisor to see or that would put their job in jeopardy, from disclosing inappropriate or sensitive information about employer, or from posting any pictures or comments involving the company or its employees that could be construed as inappropriate;</li>
</ul>
<ul>
    <li>Prohibit employees from using the company name, address or other information on their personal profiles;</li>
</ul>
<ul>
    <li>Prohibit employees from revealing personal information regarding coworkers, company clients, partners or customers without their consent; or</li>
</ul>
<ul>
    <li>Prohibit the use of employer&rsquo;s logos and photographs or of the employer&rsquo;s store, brand or product without written authorization.</li>
</ul>
<p>As we have previously noted in the context of discussing the NLRB&rsquo;s social media enforcement actions, the Board&rsquo;s view of employees&rsquo; Section 7 rights in the context of social media requires employers to carefully review and adjust their communications and social media policies and practices.  The Board's report further suggests that employers need to tailor their social media policies narrowly to protect company interests without infringing on employees&rsquo; rights.</p>]]></description>
<link>http://www.infolawgroup.com/2011/08/articles/enforcement/nlrb-report-reviews-social-media-enforcement-actions/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/08/articles/enforcement/nlrb-report-reviews-social-media-enforcement-actions/</guid>
<category>Boris Segalis</category><category>Enforcement</category><category>InfoLawGroup</category><category>NLRA</category><category>NLRB</category><category>Privacy</category><category>Section 7</category><category>concerted activity</category><category>employee privacy</category><category>information law group</category><category>privacy enforcement</category><category>social media</category><category>social network</category>
<pubDate>Wed, 31 Aug 2011 09:52:49 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Federal Information Security and Breach Notification Law Approved by House Trade Subcommittee</title>
<description><![CDATA[<p>On July 20, 2011, the <a href="http://energycommerce.house.gov/news/PRArticle.aspx?NewsID=8821">U.S. House of Representatives Energy and Commerce Committee&rsquo;s Trade Subcommittee</a> approved the Secure and Fortify Electronic Data Act (the &ldquo;<a href="http://republicans.energycommerce.house.gov/Media/file/Markups/CMT/072011/H2577_RSC_xml.pdf">SAFE Data Act</a>&rdquo;).  The Act would require any business that maintains personal information to implement an information security program and notify affected individuals in the event of an information security breach.  The SAFE Data Act would preempt the over 45 existing state information security and breach notification laws and task the Federal Trade Commission with developing information security rules implementing the Act.</p>]]><![CDATA[<p>Some legislators and advocates have criticized as too narrow the definition of &ldquo;personal information&rdquo; that is within the scope of the Act. Specifically, the Safe Data Act would require breach notification only when an individual&rsquo;s name, phone number or credit card number is compromised along with a Social Security number, driver's license number or other government-issued ID. This definition is significantly narrower than the personal information within the scope of the numerous existing state breach notification laws. One of the concerns is that because the Safe Data Act would preempt existing state information security and breach notification laws, the passage of the&nbsp;Act would lead to less protection for consumers.</p>
<p>Existing state breach laws typically require notification when an individual's first name or initial and last name are compromised in conjunction with a Social Security number, driver&rsquo;s license number, government-issued ID number or  a financial account number. In practice, the gap between state breach laws and the Safe Data Act is even wider.  This is because companies operating nationwide affected by a multi-state breach often follow the broadest notification requirements among the various state laws. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, taxpayer ID or biometric data alone (without the individual&rsquo;s name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the Safe Data Act. Committee members expect the bill to evolve to address this and other concerns as it moves through Congress.</p>
<p><strong>InfoLawGroup Says:<br />
</strong></p>
<p>While there are disagreements regarding the specifics, the Trade Subcommittee&rsquo;s approval of the Safe Data Act (especially while Congress is paralyzed by the debt ceiling negotiations) suggests strong support for federal information security legislation. For businesses, perhaps the most significant aspect of the Act is the preemption of over 45 existing state information security and breach notification laws. The preemption provision would provide much needed certainty for businesses in addressing information security breaches that currently are subject to the multitude of state requirements.</p>]]></description>
<link>http://www.infolawgroup.com/2011/07/articles/data-privacy-law-or-regulation/federal-information-security-and-breach-notification-law-approved-by-house-trade-subcommittee/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/07/articles/data-privacy-law-or-regulation/federal-information-security-and-breach-notification-law-approved-by-house-trade-subcommittee/</guid>
<category>Breach</category><category>Data Privacy Law or Regulation</category><category>FTC</category><category>InfoLawGroup</category><category>Information Security</category><category>InformationLawGroup</category><category>Privacy</category><category>Privacy Law</category><category>SAFE Data Act</category><category>Segalis</category><category>data protection</category><category>information law group</category><category>information security breach</category><category>information security law</category><category>information security program</category><category>security breach</category><category>state breach law</category>
<pubDate>Mon, 25 Jul 2011 07:12:25 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise</title>
<description><![CDATA[<p>Last week, the upper house of Russia's federal legislature approved amendments to the country's <a href="http://www.rg.ru/2006/07/29/personaljnye-dannye-dok.html">federal data protection law</a>. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions. The amended law will come into force when it is published in the official newsletter.</p>
<p>Russia originally enacted a comprehensive federal data protection law in 2006, but the statute has faced major headwind. While the law is similar in its approach to the EU Data Protection Directive 95/46/EC, it is much more restrictive regarding personal data processing. After several delays, the law came  into effect on July 1, 2011. Commentators, however, continue to view the law unfavorably, arguing that it's unworkable.&nbsp;</p>
<p>The amended security provisions include the requirements to:</p>
<ul>
    <li>Conduct an assessment of threats to the safety of personal data and the effectiveness of the measures that the business has in place to safeguard personal data;</li>
    <li>Employ only verified methods of protecting personal data;</li>
    <li>Implement controls for access to personal data;</li>
    <li>Log all actions taken with respect to personal data;</li>
    <li>Detect and record incidents of unauthorized access to personal data; and</li>
    <li>Implement measures to restore information that is lost, destroyed or damaged as a result of an information security breach.</li>
</ul>
<p>The amended law directs the government to develop regulations that will set forth appropriate levels of information security protections. The regulations will also establish the security requirements for processing biometric data.</p>
<p>The federal law's privacy provisions were amended to allow individuals to consent to the processing of their personal data through a representative. When this occurs, the recipient of the consent will need to verify the consent. Similarly, businesses will be able to obtain personal data from third parties on the condition that they verify that the third party had a valid basis for obtaining and sharing the information.</p>
<p>While the privacy enforcement picture in Russia has been at most oblique, the country's data protection authority -- the federal agency for oversight of communications, information technology and mass media (in Russian, &quot;Роскомнадзор&quot;) -- has shown strong interest in privacy enforcement. It is being <a href="http://top.rbc.ru/society/18/07/2011/606194.shtml">reported</a> this week that the agency is investigating the circumstances surrounding the exposure on the web of mobile text messages from the customers of the Russian carrier Megafon. Initial investigation suggests that an error on the carrier's website made the messages publicly accessible. The data protection agency stated that it's investigating whether the incident violated the federal data protection law.<strong><br />
</strong></p>
<p><strong>InfoLawGroup Says</strong>:</p>
<p>With privacy enforcement on the rise throughout the world, businesses should be prepared to review and adjust as necessary their privacy and data security practices in the markets in which they operate. In the past, some of the strict foreign data protection laws have not been rigorously enforced, giving businesses breathing room. The enforcement landscape is likely to tighten in the near future, however, increasing the risk of investigations and sanctions for privacy violations.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>]]></description>
<link>http://www.infolawgroup.com/2011/07/articles/international-2/russia-amends-federal-data-protection-law-privacy-enforcement-on-the-rise/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/07/articles/international-2/russia-amends-federal-data-protection-law-privacy-enforcement-on-the-rise/</guid>
<category>InfoLawGroup</category><category>Information Security</category><category>International</category><category>Russia</category><category>Segalis</category><category>consent</category><category>data protection</category><category>information law group</category><category>legislation</category><category>privacy enforcement</category>
<pubDate>Tue, 19 Jul 2011 05:49:23 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>FCRA Violations Result in $1.8 Million FTC Penalty</title>
<description><![CDATA[<p>The Federal Trade Commission <a href="http://www.ftc.gov/opa/2011/06/teletrack.shtm">announced today</a> that Teletrack, Inc. has agreed to pay $1.8 million to settle charges that the company sold credit reports for marketing purposes, in  violation of the Fair Credit Reporting Act (FCRA). According to the FTC&rsquo;s <a href="http://www.ftc.gov/os/caselist/1023075/110627teletrackcmpt.pdf">complaint</a>, Teletrack  sells credit reports and other services to businesses that  mainly serve financially distressed consumers. Teletrack's business customers include pay day  lenders, rental purchase stores and non-prime rate auto lenders. These businesses use  Teletrack&rsquo;s credit reports to decide whether and on what terms to extend&nbsp; credit to their customers.</p>
<p>The FTC alleged that Teletrack created a marketing database of information that it gathered through its credit reporting business. The company allegedly sold the information to marketers. For example, Teletrack is alleged to have sold lists of consumers who previously sought pay day loans. The buyers sought to use the information to target potential customers. The FTC alleged that these marketing lists were credit reports subject to the FCRA because the reports contained information about consumers' creditworthiness. The FCRA generally prohibits furnishing of credit reports for purposes other than the specific &quot;permissible purposes&quot;&nbsp;set out in the law (e.g., employment or credit eligibility). The FTC charged that in disclosing the information for marketing purposes -- which are not &quot;permissible&quot;&nbsp;under the statute -- Teletrack violated the FCRA.</p>
<p>The FTC Bureau of Consumer Protection Director David Vladeck commented that &ldquo;the fact that a consumer has applied for a pay day loan is credit report information protected by the FCRA.&rdquo; &ldquo;The FCRA says a credit reporting agency like Teletrack can&rsquo;t sell a  consumer&rsquo;s sensitive credit report information for mere sales pitches,&rdquo; added Vladeck.</p>
<p>The <a href="http://www.ftc.gov/os/caselist/1023075/110627teletrackstip.pdf">settlement order</a> requires Teletrack to  furnish credit reports only to customers that the company has reason to  believe have a permissible FCRA&nbsp;purpose to receive the reports, or as  otherwise allowed by the statute. The order also requires Teletrack to pay a  civil penalty of $1.8 million and contains reporting and record-keeping  requirements to verify the company&rsquo;s compliance with the decree.</p>
<p><strong>InfoLawGroup Says</strong></p>
<p>We have <a href="http://www.infolawgroup.com/articles/enforcement/">documented on our blog</a> the rigorous privacy enforcement that the FTC and other federal agencies (EEOC, HHS, NLRB and SEC) have championed this year. It is fair to say that the FTC has opened yet another front in its privacy enforcement push, seeking to address FCRA compliance. We expect this push to extend beyond traditional consumer reporting agencies. In May of this year, for example, the FTC <a href="http://ftc.gov/os/closings/110509socialintelligenceletter.pdf">issued a letter</a> to Social Intelligence Corporation -- an Internet and social media background screening service used by employers in pre-employment background screening -- finding that the company is a consumer reporting agency subject to the FCRA. For companies whose business involves data brokerage, the time is right to consider FCRA compliance.</p>]]><![CDATA[<p>&nbsp;</p>
<p>&nbsp;</p>]]></description>
<link>http://www.infolawgroup.com/2011/06/articles/enforcement/fcra-violations-result-in-18-million-ftc-penalty/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/06/articles/enforcement/fcra-violations-result-in-18-million-ftc-penalty/</guid>
<category>David Vladeck</category><category>Enforcement</category><category>FCRA</category><category>FTC</category><category>FTC consent</category><category>Fair Credit Reporting Act</category><category>Federal Trade Commission</category><category>InfoLawGroup</category><category>Segalis</category><category>Teletrack</category><category>data brokers</category><category>data protection</category><category>information law group</category><category>personal information</category><category>privacy enforcement</category>
<pubDate>Mon, 27 Jun 2011 12:43:06 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Partners Justine Young Gottshall and Jamie Rubin Join InfoLawGroup</title>
<description><![CDATA[<p>InfoLawGroup LLP is delighted to welcome to the firm partners <a href="http://www.infolawgroup.com/2009/10/promo/attorneys/justine-gottshall/index.html">Justine Young Gottshall</a> and <a href="http://www.infolawgroup.com/2009/10/promo/attorneys/jamie-rubin/index.html">Jamie Rubin</a>. Gottshall and Rubin are former partners at Wildman, Harrold Allen &amp; Dixon in Chicago. As nationally-recognized leaders in Digital, Media, Advertising, Privacy and Promotions law, they bring new depth to InfoLawGroup&rsquo;s practice.</p>
<p>Rubin's practice covers the spectrum of traditional and emerging advertising, promotions and entertainment issues, including social media campaigns and marketing through new technologies.  Rubin is recognized in Chambers USA as a Leader in the Field in Illinois in the area of Media and Entertainment. He is a graduate of the John Marshall School of Law.</p>
<p>Gottshall is a seasoned privacy and digital media attorney, whose broad practice includes privacy, data security, technology, digital marketing and advertising issues. She is recognized in Chambers USA as a national Leader in the Field for her work in the area of Privacy &amp; Data Security and in Illinois in the area of Media and Entertainment. Justine was named in 2007 to Chicago Lawyer and Chicago Daily Law Bulletin&rsquo;s prestigious &ldquo;40 Under Forty.&rdquo;  She is a graduate of Stanford Law School.</p>
<p>Both Rubin and Gottshall are frequent lecturers in their field and have each authored numerous publications. Justine is a Certified Information Privacy Professional through the International Association of Privacy Professionals and is a member of their Educational Advisory Board.  Both are members of the Promotion Marketing Association.  Jamie is an active member of the Legal and Government Affairs Committee of the PMA and was the co-chair of the 2010 Annual Marketing Law Conference.<br />
&nbsp;</p>]]></description>
<link>http://www.infolawgroup.com/2011/06/articles/data-privacy-law-or-regulation/partners-justine-young-gottshall-and-jamie-rubin-join-infolawgroup/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/06/articles/data-privacy-law-or-regulation/partners-justine-young-gottshall-and-jamie-rubin-join-infolawgroup/</guid>
<category>Chambers</category><category>Data Privacy Law or Regulation</category><category>Gottshal</category><category>InfoLawGroup</category><category>InformationLawGroup</category><category>Media</category><category>Privacy</category><category>Rubin</category><category>Wildman</category><category>advertising</category><category>information law group</category>
<pubDate>Wed, 22 Jun 2011 07:57:01 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Facebook Firing III -- NLRB Strikes Twice in May!</title>
<description><![CDATA[<p>Yesterday, we <a href="http://www.infolawgroup.com/2011/05/articles/enforcement/another-facebook-firing-enforcement-action-brought-by-nlrb/">reported</a> that the National Labor Relations Board (NLRB) took enforcement action on May 9, 2011 against Hispanics United of Buffalo, a nonprofit organization that provides social services to low income clients, for firing employees over Facebook comments.</p>
<p>The NLRB <a href="http://www.nlrb.gov/news/chicago-car-dealership-wrongfully-discharged-employee-facebook-posts-complaint-alleges">announced today</a> that it took yet another &quot;Facebook firing&quot; enforcement action on May 20, 2011.&nbsp; In this latest action, the NLRB alleged that a Chicago area BMW dealership fired an employee for posting critical photos and comments on Facebook.</p>
<p>The car salesman and coworkers were concerned about the quality of food and beverages at a dealership event promoting a new BMW model. The salesmen complained that their sales commissions could suffer as a result. Following the event, one salesman posted photos and commentary on his Facebook page criticizing the employer for serving only hot dogs and bottled water to customers at the event.  Other employees had access to the Facebook page.</p>
<p>The following week, the dealership&rsquo;s management asked the salesman to remove the posts, and he immediately complied. Nevertheless, shortly after a meeting with managers, the employee was terminated for posting the images and comments on Facebook.</p>
<p>The NLRB alleged that the employee&rsquo;s Facebook posting was protected concerted activity within the meaning of Section 7 of the National Labor Relations Act, because it involved a discussion among employees about their terms and conditions of employment, and did not lose protection based on the nature of the comments.</p>
<p>The case is scheduled to be heard by an administrative law judge on July 21, 2011 in the Chicago Regional office of the NLRB.</p>
<p><strong>InfoLawGroup Says:</strong></p>
<p>The NLRB's third enforcement action makes a strong statement about the agency's view on the scope of employee social media protections, including the discussion topics the agency views as protected. The action item for employers is to carefully review and, as  appropriate, revise their social media and employee conduct policies to  ensure consistency with the NLRB guidance.</p>]]></description>
<link>http://www.infolawgroup.com/2011/05/articles/enforcement/facebook-firing-iii-nlrb-strikes-twice-in-may/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/05/articles/enforcement/facebook-firing-iii-nlrb-strikes-twice-in-may/</guid>
<category>BMW</category><category>Boris Segalis</category><category>Enforcement</category><category>Facebook</category><category>InfoLawGroup</category><category>NLRA</category><category>NLRB</category><category>Privacy</category><category>Workplace Privacy</category><category>employee privacy</category><category>information law group</category><category>social media</category>
<pubDate>Thu, 26 May 2011 12:05:58 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Another Facebook Firing Enforcement Action Brought by NLRB</title>
<description><![CDATA[<p>We previously reported <a href="http://www.infolawgroup.com/2011/02/articles/enforcement/employer-settles-facebook-firing-suit-with-nlrb/">on our blog</a> that a Connecticut ambulance company settled the National Labor Relations Board's (NLRB's) allegations that the company violated an employee&rsquo;s federal rights by firing her for criticizing a manager on Facebook. The NLRB continues its enforcement blitz with another Facebook firing complaint.</p>
<p>On May 18, 2011 NLRB <a href="http://www.nlrb.gov/news/complaint-issued-against-new-york-nonprofit-unlawfully-discharging-employees-following-facebook">announced</a> that it filed similar allegations against Hispanics United of Buffalo, a nonprofit organization that provides social services to low income clients. The NLRB alleged that the nonprofit unlawfully discharged five employees after they criticized working conditions, including work load and staffing issues, on Facebook.</p>
<p>According to the NLRB, one employee, in advance of a meeting with management about working conditions, posted to her Facebook page a coworker&rsquo;s allegation that the organization's employees did not do enough to help clients. Other employees responded on Facebook, defending their job performance and criticizing working conditions, including work load and staffing. After learning of the posts, the employer discharged the five employees who participated in the Facebook exchange. The organization claimed that the employees' comments constituted harassment of the employee originally mentioned in the post.</p>
<p>The NLRB&nbsp;alleged that the Facebook discussion was protected concerted activity within the meaning of Section 7 of the National Labor Relations Act because it involved a conversation among coworkers about their terms and conditions of employment, including their job performance and staffing levels. </p>
<p>The complaint will be the subject of a hearing before an administrative law judge on June 22, 2011, in the Buffalo office of the NLRB. </p>
<p><strong>InfoLawGroup Says:</strong></p>
<p>The action item for employers is to carefully review and, as appropriate, revise their social media and employee conduct policies to ensure that the policies balance business needs and employees' rights consistently with federal law and NLRB guidance.</p>]]></description>
<link>http://www.infolawgroup.com/2011/05/articles/enforcement/another-facebook-firing-enforcement-action-brought-by-nlrb/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/05/articles/enforcement/another-facebook-firing-enforcement-action-brought-by-nlrb/</guid>
<category>Boris Segalis</category><category>Enforcement</category><category>Facebook</category><category>InfoLawGroup</category><category>NLRA</category><category>NLRB</category><category>Privacy</category><category>Workplace Privac</category><category>employee privacy</category><category>information law group</category><category>social media</category>
<pubDate>Tue, 24 May 2011 10:02:10 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Mobile Location Privacy Opinion Adopted by Europe&apos;s WP29</title>
<description><![CDATA[<p>On May 16, 2011, EU's Article 29 Working Party (WP29) <a href="http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf">adopted an opinion</a> setting out privacy compliance guidance for mobile geolocation services.</p>
<p>WP29 is comprised of representatives from the EU member states' data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. WP29's mandate includes (i) giving expert advice to the EU member states regarding the implementation of European data protection directives, and (ii) promoting uniform implementation of the directives in all EU state members as well as in Norway, Liechtenstein and Iceland. WP29's opinions, therefore, carry significant weight in the interpretation and enforcement of data protection laws by European DPAs.</p>
<p>Not surprisingly, WP29 has concluded that geolocation data is &quot;personal data&quot; subject to the protections of the European data protection framework, including the <a href="http://aspe.hhs.gov/DATACNCL/eudirect.htm">EU Data Protection Directive 95/46/EC</a>. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. Below are the highlights of the opinion.</p>]]><![CDATA[<p>WP29 found that:</p>
<ul>
    <li>With the help of geolocation technologies smart mobile devices can be tracked for purposes ranging from behavioral advertising to monitoring of children</li>
</ul>
<ul>
    <li>Because mobile devices are inextricably linked to their users, the travel patterns of the device provide a very intimate insight into the private life of the user, rendering the location data personal; specifically, &quot;<em><strong>the combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data.</strong></em>&quot;</li>
</ul>
<ul>
    <li>One of the main risks of location data processing is that the user is unaware that the device transmits the location data and to whom the information is provided</li>
</ul>
<ul>
    <li>There is a risk that the consent for certain applications to use location data is invalid because the information about the key elements of the processing is incomprehensible to the user, outdated or otherwise inadequate</li>
</ul>
<ul>
    <li>Because location data from smart mobile devices reveal intimate details about the private life of their users, <em><strong>the main applicable legitimate ground is prior informed consent</strong></em></li>
</ul>
<ul>
    <li>Consent <em><strong>cannot be obtained through general terms and conditions</strong></em>; rather, consent must be specific for the different purposes that location data is collected, used or otherwise processed (e.g., profiling or behavioral targeting)</li>
</ul>
<ul>
    <li>If the purposes of the processing change in a material way, the data controller (i.e., the entity that determines the purposes and means of collecting, using or processing the data)&nbsp;must seek renewed specific consent of the individual</li>
</ul>
<ul>
    <li><em><strong>By default, location services must be switched off</strong></em></li>
</ul>
<ul>
    <li><em><strong>An opt-out mechanism does not constitute an adequate mechanism to obtain informed user consent</strong></em></li>
</ul>
<ul>
    <li>With respect to employees, employers may only adopt this technology when it is demonstrably necessary for a legitimate business purpose and the same purpose cannot be achieved with less intrusive means</li>
</ul>
<ul>
    <li>With respect to children, parents must judge whether the use of location data is justified in specific circumstances</li>
</ul>
<ul>
    <li>The consent should be limited in time; users should be asked for consent at least once a year</li>
</ul>
<ul>
    <li>Users must be able to withdraw their consent in a very easy way, without any negative consequences for the use of their device</li>
</ul>
<ul>
    <li>With regard to the mapping of WiFi access points, companies can have a legitimate interest in the necessary collection and processing of the MAC addresses and calculated locations of WiFi access points for the specific purpose of offering geolocation services; the balance of interests between the rights of the data controller and the rights of the user requires an opportunity for the user to easily and permanently opt out from the database, without providing additional personal data</li>
</ul>
<ul>
    <li>Users must be provided with notice of the collection, use or other processing of geolocation data that is clear, comprehensive and understandable to a broad, non-technical audience; the notice must be permanently and easily accessible; the validity of the user's consent is inextricably linked to the quality of the information about the data collection</li>
</ul>
<ul>
    <li>Third parties, such as browsers and social networking sites, have a key role to fulfill when it comes to the visibility and quality of the information about the processing of geolocation data</li>
</ul>
<ul>
    <li>Users have the right to access their location data in a human-readable format and to rectify and erase the data; users also have the right to access, rectify and erase profiles compiled based on their geolocation data</li>
</ul>
<ul>
    <li>Providers of geolocation applications or services should implement retention policies which ensure that geolocation data or profiles derived from such data are deleted after a justified period of time</li>
</ul>
<ul>
    <li>If the developer of the device's operating system or a data controller of the geolocation infrastructure processes a unique number such as a MAC address or a UDID in relation to location data, the unique identification number may only be stored for a maximum period of 24 hours, for operational purposes</li>
</ul>
<p><strong>InfoLawGroup Says:</strong></p>
<p>While the debate about mobile location data is in its infancy in the U.S. (see our <a href="http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/senate-subcommittee-holds-hearing-on-mobile-privacy/">blog post</a> and <a href="http://video.foxnews.com/v/4689248/the-congressional-mobile-privacy-hearing/?playlist_id=86861">Fox News interview</a>), Europe has served up guidance that, it is fair to say, brings to life every nightmare of U.S. businesses working and innovating in this industry. It is important to keep in mind that WP29 recommendations are not the law. As with any WP29 opinion, businesses need to monitor how the DPAs will implement the guidance, if at all. I suspect that Apple and Google will be the first to face pressure from European data protection authorities to comply with the guidance. We will monitor how any enforcement action will play out. For now, U.S. businesses entering the mobile location marketplace in Europe should strive to implement the opinion's requirements to the extent the requirements are feasible.</p>]]></description>
<link>http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/mobile-location-privacy-opinion-adopted-by-europes-wp29/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/mobile-location-privacy-opinion-adopted-by-europes-wp29/</guid>
<category>#Apple</category><category>#DPA</category><category>#Google</category><category>Boris Segalis</category><category>Data Privacy Law or Regulation</category><category>Directive</category><category>EU Data Protection Directive</category><category>InfoLawGroup</category><category>Privacy</category><category>WP29</category><category>data protection</category><category>information law group</category><category>mobile privacy</category><category>privacy enforcement</category>
<pubDate>Thu, 19 May 2011 04:29:07 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>Personal Data Protections Expand in Korea</title>
<description><![CDATA[<p><a href="http://www.bkl.co.kr/eng/prof/detail.asp?memberNo=75">Mr. Kwang Hyun Ryoo</a>, a partner at the Korean law firm of <a href="http://www.bkl.co.kr">Bae, Kim &amp; Lee LLC</a>, is <a href="http://www.bkl.co.kr/upload/data/20110423/Spring-2011-eng.pdf">reporting in the firm&rsquo;s newsletter</a> that on March 29, 2011, Korea enacted a comprehensive personal data protection law, entitled the Personal Information Protection Act (PIPA). Most of the act's provisions will come into force on September 30, 2011.</p>]]><![CDATA[<p>According to Mr. Ryoo, the new law extends data protection requirements across a broad spectrum of information processing. Mr. Ryoo notes that whereas the scope of existing data protection statutes is limited to certain entities and types of information, PIPA broadly governs the collection and processing of any personal data, by private and public entities.</p>
<p>Generally, PIPA&nbsp;requires the individual&rsquo;s informed consent for any collection, use or disclosure of personal information. The law, however, provides for a number of exceptions to the consent requirement. The new law also puts limits on the amount of personal data that individuals may be required to provide.</p>
<p>PIPA applies broadly to &ldquo;personal information&rdquo; processed by any entity deemed to be a &ldquo;handler&rdquo; of personal information. PIPA defines &ldquo;personal information&rdquo; as any information from which, by itself or combined with other information, an individual can be identified, whether from the individual&rsquo;s name, identification number, image or other attributes. A &ldquo;handler&rdquo; of personal information is any entity, company, government organization, individual or other person that, directly or through a third party, handles personal information for business purposes. PIPA applies to both electronically and manually recorded information.</p>
<p>Remedies for data protection violations include the right to seek class action mediation and litigation.</p>
<p>For a detailed analysis of PIPA&rsquo;s provisions, please refer to <a href="http://www.bkl.co.kr/upload/data/20110423/Spring-2011-eng.pdf">Mr. Ryoo&rsquo;s article</a>.</p>
<p><strong>InfoLawGroup Says:</strong></p>
<p>As more and more countries adopt comprehensive data protection laws that often incorporate EU-like provisions, the compliance equation gets more complicated for companies operating worldwide. Many of these laws share common elements, such as notice, consent, choice, access and data security. You also can find these elements articulated in the <a href="http://www.ftc.gov/reports/privacy3/fairinfo.shtm">Federal Trade Commission's Fair Information Practice Principles</a>. Structuring your company's personal information practices around these elements should help in achieving compliance in the U.S. as well as in foreign jurisdictions.</p>]]></description>
<link>http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/personal-data-protections-expand-in-korea/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/personal-data-protections-expand-in-korea/</guid>
<category>Boris Segalis</category><category>Data Privacy Law or Regulation</category><category>FIPPs</category><category>InfoLawGroup</category><category>Korea</category><category>PIPA</category><category>Personal Information Protection Act</category><category>Privacy</category><category>data protection</category><category>data security</category><category>information law group</category><category>personal information</category><category>privacy legislation</category>
<pubDate>Wed, 18 May 2011 07:53:30 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>FTC Enforcement Update: &quot;Virtual Worlds&quot; Operators Settle Children&apos;s Privacy Violation Charges; Pay $3M Fine</title>
<description><![CDATA[<p>On May 12, 2011, the Federal Trade Commission <a href="http://ftc.gov/opa/2011/05/playdom.shtm">announced</a> that the  operators of 20 online virtual worlds have agreed to pay $3 million to  settle charges that they violated the Children&rsquo;s Online Privacy  Protection (COPPA) Rule by collecting and disclosing personal  information from hundreds of thousands of children under age 13 without  their parents&rsquo; prior consent. The FTC noted that this settlement is the  largest civil penalty for a violation of the FTC&rsquo;s COPPA Rule.</p>]]><![CDATA[<p>The FTC&rsquo;s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use or disclose children&rsquo;s personal information. The Rule also requires that website operators post a privacy policy that is clear, understandable and complete. The FTC alleged that Playdom, Inc., a leading developer of online multi-player games, and a company executive, Howard Marks, failed to meet these requirements in violation of the Rule.</p>
<p>Specifically, the FTC alleged that Playdom and Marks operated 20 virtual world websites where users could access online games and other activities, including 2 Moons, 9 Dragons and My Diva Doll. The FTC alleged that at least one of these virtual worlds, Pony Stars, was a website specifically directed to children. According to the FTC, the company&rsquo;s other sites intended for a general audience also attracted a significant number of children. The FTC alleged that between 2006 and 2010, approximately 403,000 children registered on the defendants&rsquo; general audience sites, and 821,000 more users registered on the Pony Stars children&rsquo;s site.</p>
<p>The FTC <a href="http://ftc.gov/os/caselist/1023036/110512playdomcmpt.pdf">complaint</a> alleges that the sites collected children&rsquo;s information, including ages and email addresses, during registration and then enabled children to publicly post their full names, email addresses, instant messenger IDs, geographic location and other information on personal profile pages and in online community forums. The FTC charged that the sites' failure to provide proper notice of these practices or obtain parents&rsquo; prior verifiable consent before collecting or disclosing children&rsquo;s personal information violated the COPPA Rule.</p>
<p>The FTC further alleged that Playdom and Marks engaged in deceptive or  unfair trade practices in violation of Section 5 of the FTC Act because the sites' privacy policies misrepresented that the sites would prohibit  children under 13 from posting personal information online.</p>
<p>In addition to the $3 million civil penalty, the settlement order permanently bars Playdom and Marks from violating the COPPA Rule and from misrepresenting their information practices regarding children.</p>
<p><strong>Takeaway</strong></p>
<p>The FTC continues its privacy enforcement onslaught and gets serious about COPPA. Expect more to come; the FTC announced on May 10, 2011 that it has mobile privacy enforcement settlements in the pipeline.</p>]]></description>
<link>http://www.infolawgroup.com/2011/05/articles/enforcement/ftc-enforcement-update-virtual-worlds-operators-settle-childrens-privacy-violation-charges-pay-3m-fine/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/05/articles/enforcement/ftc-enforcement-update-virtual-worlds-operators-settle-childrens-privacy-violation-charges-pay-3m-fine/</guid>
<category>COPPA</category><category>Children&apos;s Privacy</category><category>Enforcement</category><category>FTC</category><category>InfoLawGroup</category><category>InformationLawGroup</category><category>Playdom</category><category>Privacy</category><category>Section 5</category><category>data protection</category><category>information law group</category><category>privacy enforcement</category><category>unfair practices</category>
<pubDate>Thu, 12 May 2011 11:50:58 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>
<item>
<title>InfoLawGroup Speaks with Fox Live about Mobile Privacy</title>
<description><![CDATA[<p>On May 10, 2011, the <a href="http://judiciary.senate.gov/about/subcommittees/privacytechnology.cfm">Senate Subcommittee on Privacy, Technology and the Law</a> held a hearing on mobile privacy. We <a href="http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/senate-subcommittee-holds-hearing-on-mobile-privacy/">covered the hearing in detail on our blog</a>. Yesterday, InfoLawGroup partner Boris Segalis spoke with Fox Live's <a href="http://www.foxbusiness.com/watch/anchors-reporters/tracy-byrnes-bio/">Tracy Byrnes</a> about the balance between business and consumer interests that mobile privacy implicates.</p>
<p>The <a href="http://video.foxnews.com/v/4689248/the-congressional-mobile-privacy-hearing/?playlist_id=86861">clip from the interview is available</a> on Fox.</p>]]></description>
<link>http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/infolawgroup-speaks-with-fox-live-about-mobile-privacy/</link>
<guid isPermaLink="false">http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/infolawgroup-speaks-with-fox-live-about-mobile-privacy/</guid>
<category>Apple</category><category>Apps</category><category>Coburn</category><category>Commission</category><category>DOJ</category><category>Data Privacy Law or Regulation</category><category>FTC</category><category>Fox</category><category>Franken</category><category>Google</category><category>Hearing</category><category>InfoLawGroup</category><category>InformationLawGroup</category><category>Leahy</category><category>Mobile</category><category>Privacy</category><category>Privacy, Technology and the Law</category><category>Segalis</category><category>Senate</category><category>Senate Hearing</category><category>Senate Subcommittee</category><category>Whitehouse</category><category>data protection</category><category>information law group</category><category>location</category><category>mobile privacy</category><category>privacy by design</category><category>smartphone</category><category>tracking</category>
<pubDate>Thu, 12 May 2011 08:12:30 -0700</pubDate>
<dc:creator>Boris Segalis</dc:creator>

</item>

</channel>
</rss>