Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

MAIL OR TELEPHONE ORDER MERCHANDISE RULE (notice of proposed rule making) – ecommerce sites; pay attention

The Mail or Telephone Order Merchandise Rule (16 CFR 435) generally requires sellers of goods (whether via mail, facsimile or certain internet connections) to be able to ship an item once ordered within the time frame advertised by the seller. If the seller does not provide the customer with a shipping date, the seller must ship the goods within 30 days of order receipt. If the seller learns that it cannot ship within the time stated or 30 days (if no time was stated), the seller must seek the customer’s consent to a delayed shipment and provide the customer with an option to cancel the order (using the mechanisms allowed by the Rule). If the customer does not consent, the seller must quickly cancel the order and return the customer’s money. Note that the time period on a seller’s obligation to ship begins as soon as the seller received enough information to fulfill the order and process full or partial payment. The time when the seller actually processes payment is irrelevant. The FTC amended the Rule in 1993 to clarify that the Rule applied to order placed with facsimile machines or computers with telephone modems.

Now the FTC wants to:

(i) clarify that the Rule covers all internet merchandise orders regardless of how the customer accesses the internet (note that the FTC already takes this position and no commenters appear to take issue with the interpretation),  It is now time for all ecommerce sites to establish a policy and procedure with respect to shipping dates, shipments, shipment delays, refunds and cancellations.

(ii) allow sellers to provide refunds and refund notices by any means at least fast and reliable as 1st Class mail (e.g., electronic transfer);

(iii) clarify sellers’ obligations with respect to sales made using payment methods not specifically enumerated in the Rule (such as debit card, prepaid gift card, or payroll card payments); and 

(iv) clarify that sellers must process any third party credit card refund within 7 working days of a buyer’s refund right.

Note that the FTC has actively enforced this Rule, and not just in connection with the direct sale of merchandise. In fact, in 2005, the FTC enforced the Rule against CompUSA for its alleged failure to fulfill rebate checks in a timely manner.

Go here for the notice of proposed rule making (comment period closes December 14, 2011).

THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT (notice of proposed rule making)

Please see InfoLawGroup’s prior post here about the FTC’s notice of proposed rule making with respect to COPPA. And here on how the FTC is already enforcing COPPA against mobile app developers. The comment period closes November 28, 2011.

DOT COM DISCLOSURE (not really a rule or guide, but rather a “business guidance publication”)

This publication was originally issued in 2000 by the FTC to provide marketers guidance on how to provide clear and conspicuous disclosures to consumers associated with goods and services offered on the internet. Possibly one of the most important elements in this publication is the FTC’s statement that all of the laws applicable to consumer protection offline apply online too. The FTC advised that we should use the same factors we use to determine if a disclosure is conspicuous in the offline world to determine if it is conspicuous in the online world, namely:

(i) the placement of the disclosure and its proximity to the claim;
(ii) the prominence of the disclosure;
(iii) whether there are distracting elements;
(iv) whether the ad is so long that the disclosure needs to be repeated;
(v) whether audio disclosures are loud and slow enough;
(vi) whether visual disclosures appear long enough; and
(vii) whether the disclosure is generally uncomplicated.

The original publication is a lengthy document that goes into much more detail than above and ends with a series of example internet advertisements and FTC commentary associated with the same. The publication even answers the question (from a year 2000 perspective): “Can I link to the disclosure?” The FTC recognizes, however, that times have changed dramatically over the past 11 years, and therefore, the guidance needs to change to account for viewing the internet on mobile devices, apps and app stores, social networking, etc. The FTC issued a notice requesting answers to a list of 11 questions (check out the list of questions here). I expect that if the FTC issues an updated version of the publication, new examples and commentary will be included. Some commenters request that the FTC not rush to revise the publication, but rather take time to understand all the ways the “online” world has changed in the past 11 years, including how internet users are more savvy than ever. The Promotion Marketing Association, an association that this firm is a member of, submitted comments requesting the FTC to hold workshops to gain that full understanding and to approach any revisions with flexibility in mind rather than offering a prescriptive approach.

WARRANTIES AND GUARANTEES (request for comment)

The FTC has published a request for comment with respect to its warranty-related interpretations, rules and guides – namely:

(i) its interpretations of the Magnuson-Moss Warranty Act, which governs written warranties on consumer products;

(ii) the Rule Governing Disclosure of Written Consumer Product Warranty Terms and Conditions, which establishes disclosure requirements for written warranties on consumer products that cost more than $15.00, including:

a. language that must be used pursuant to certain state laws on the duration of implied warranties and the availability of consequential and incidental damages; and
 

b. what needs to be disclosed by sellers who use warranty registration or owner registration cards.

(iii) its Rule Governing Pre-Sale Availability of Written Warranty Terms, which, as you might expect, requires the terms of any written warranty on a consumer product to be made available to the purchaser prior the sale of the product. This Rule allows doing so by displaying the warranty document in close proximity to the product or furnishing the warranty document on request and posting signs in prominent locations advising consumers that warranties are available. The Rule also provides guidance on how to comply with the pre-sale available requirements for products sold through catalogs, mail order or door-to-door sales;

(iv) its Rule Governing Informal Dispute Resolution Procedures, which requires a seller to follow specific protocols if it wants to require a consumer to first resort to informal dispute resolution prior to filing a lawsuit associated with a warranty; and

(v) its Guides for the Advertising of Warranties and Guarantees, which recommend that the actual warranty document be made available to consumers to read prior to purchase and makes recommendations about how to offer satisfaction and lifetime guarantees.

The FTC, in its request for comments, asks a number of questions, including on the continued need for its interpretations, rules and guides, their benefits, recommended changes, whether the interpretation, rules or guides should be amended to cover service contracts and whether warranty documents should be allowed to be made available online for purposes of compliance. Go here for the request for comments (comment period closes October 24, 2011).

GREEN GUIDES (ENVIRONMENTAL MARKETING CLAIMS) (notice of proposed rule making)

The comment period has long since closed on the FTC’s proposed changes to its Green Guides. The proposed changes were issued in October of 2010 and the comment period ended on December 10, 2010. We await the publication of the revised guides. While we do so, let’s refresh just a few of the important issues in play here:

(i) The FTC does not want marketers to make general environmental benefit claims. The FTC uses “green” and “eco-friendly” as examples of claims that are difficult, if not impossible, to substantiate.

(ii) Certifications and seals should be viewed as endorsements covered by the FTC’s Endorsement Guides and should be expressly limited to the claim(s) for which the advertiser has substantiation.

(iii) No unqualified degradable claims for items destined for landfills, incinerators or recycling facilities. And other solid waste products should only be advertised as “degradable” if they completely breakdown and return to nature in no more than one year after disposal.

(iv) Clarification on when and how a “recyclable” claim can be made and when an unqualified recyclable claim can be made.

(v) “Free-of” claims should not be used in associated with a substance never associated with the product category (this one seems obvious to me)
 

(vi) No unqualified “renewable materials” claims unless the item is made entirely out of renewable materials. Generally, renewable claims should explain why a product or element of a product is renewable.

Notably, the FTC declined to provide guidance on the terms “sustainable,” “natural,” and “organic” in the proposed Guides. You can read the current Green Guides here and the notice of proposed rule making here.

MORE & INTO THE FUTURE

Some other important guides that are currently under review: Fuel Economy Advertising, Negative Option Plans and the Unavailability Rule. And the following Guides or Rules are set to go under review in 2012/2013: Deceptive Pricing, Bait Advertising, Use of the Word “Free”, Advertising Allowances and the Telemarketing Sales Rule.

So, needless to say, we will have much more to write about soon….
 

Factual Allegations

The FTC alleged in its complaint that Google violated Section 5 of the FTC Act by engaging in deceptive tactics and violating its own privacy promises to consumers in connection with the launch of the company’s social network, Google Buzz, in 2010. The FTC also alleged that with respect to the data of its European users, Google violated the Notice and Choice principles of the U.S.-EU Safe Harbor self-regulatory framework for cross-border data transfer, in violation of the company’s certification of adherence to the framework.

The FTC alleged that when Google launched Buzz, the company used its customers’ email contact lists to populate the social network. As a result, by default, when Buzz launched, Gmail users became social network “followers” of other users – including those in their email contact lists – and were “followed” by their contacts. While Google's set-up process appeared to provide users with choices not to enroll in Buzz (such as “Nah, go to my inbox” and “Turn off Buzz”), the FTC alleged that selecting those options did not actually opt the users out of Buzz.. Instead, users continued to be followers of and followed by other Gmail users. Gmail users complained that the automatic generation of follower lists resulted, in some cases, in users following and being followed by individuals against whom they obtained restraining orders, abusive ex-spouses, clients of mental health professionals and attorneys, and job recruiters.

The FTC also alleged that Google did not adequately inform users that their previously private information, such as their contact lists and profiles, would become public by default when they used Buzz. According to the FTC, Goggle did not provide clear means for users to change privacy settings to prevent the public disclosure of this information.

The FTC further alleged that the launch of Buzz resulted in the disclosure of personal information that was contrary to the users’ specific choices. For example, if a Gmail user blocked another individual from Google Chat, that individual could still be a follower of the user on Buzz. Further, Buzz users did not have the ability to block followers who did not have a public Google profile. Finally, a flawed design of the Buzz comment reply mechanism resulted in broad disclosure of users’ private email addresses.

Violations of the FTC Act

The FTC alleged that that Google’s handling of privacy settings in connection with the launch of Buzz (as described above) violated the company’s own privacy notices and Section 5 of the FTC Act prohibition against unfair or deceptive acts or practices. Specifically, according to the FTC, Google:

• By using Gmail information to populate Buzz -- failed to abide by the pledge in the company’s privacy policy to use information from consumers signing up for Gmail only for the purpose of providing them with a web-based email service;

• By using Gmail information in connection with Buzz -- failed to abide by the pledge in the company’s privacy policy to seek users’ consent to use their information for a purpose other than that for which the data was collected; and

• By not respecting user’s privacy choices (such as “Nah, go to my inbox” and “Turn off Buzz”), and misleading users about what information in their profiles would become public and which of their contact lists would become public  in connection with Buzz – engaged in deceptive acts or practices.

U.S.-EU Safe Harbor Framework Violations

The Google Buzz settlement is the FTC’s first substantive U.S.-EU Safe Harbor framework enforcement action in which the Commission alleged specific violations of the Safe Harbor privacy principles. On several previous occasions, the FTC took enforcement action against companies that claimed to be Safe Harbor certified but were not in fact members of the program. Google maintained an up-to-date Safe Harbor self-certification on the U.S. Department of Commerce Safe Harbor list and stated in its privacy policy that it adhered to the Safe Harbor privacy principles.

The Safe Harbor framework consists of a set of privacy principles developed by the U.S. Department of Commerce in collaboration with the European Commission. The framework is intended to provide U.S. companies with a mechanism for receiving personal information from the European Union, European Economic Area or Switzerland in compliance with the European Commission’s Data Protection Directive 95/46/EC and the Swiss Federal Act on Data Protection. U.S. companies that participate in the Safe Harbor framework are deemed by the European Commission and the Information Commission of Switzerland to provide an “adequate” level of privacy protection, enabling the certified U.S. companies to receive and process European data in the U.S.

Among other provisions, the Safe Harbor privacy principles require companies that receive European personal data in the U.S. to give the individuals to whom the information pertains:

• Notice of how the company uses their personal information (the Notice principle);

• Choice to direct the company to refrain from sharing the information with certain third parties (the Choice principle); and

• The opportunity to opt out of having their information used for purposes incompatible with those for which the information was collected or to which they have consented (also the Choice principle).

In practice, a Safe Harbor-certified company in the U.S. that wishes to use or disclose personal data of European residents for purposes incompatible with the purposes for which the information was collected or to which the users have consented, must (i) provide users with a notice of the proposed new use or disclosure, and (ii) give users an opportunity to direct the company not to use or disclose the information in the proposed manner.

The FTC alleged that Google relied on its Safe Harbor certification to transfer data collected from Gmail users from Europe to the United States for processing. According to the FTC, the company also processed this information in connection with the launch of Buzz. The complaint alleged that Google violated the Notice and Choice principles by not giving European users notice before using their Gmail information in connection with Buzz. Google’s alleged non-compliance with the Safe Harbor Notice and Choice principles constituted a deceptive act or practice in violation of Section 5 of the FTC Act.  

Settlement

The FTC has billed this enforcement action as a “tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” The settlement includes several major requirements.

Prohibition Against Misrepresentations

The settlement prohibits Google from misrepresenting the company's privacy practices with respect to “covered information” or the company’s compliance with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor framework. Importantly, the term “covered information” is broader than the term “personal information” that the FTC has used in its previous privacy enforcement consent orders. “Covered information” includes not only the traditional personal information elements (e.g., name, postal or email address, and telephone number), but also an IP address or an individual’s physical location or list of contacts. The broader definition of “covered information” is consistent with the FTC’s increasingly expansive view of the information associated with an individual that warrants protection. For example, in its report on Self-Regulatory Principles For Online Behavioral Advertising: Tracking, Targeting, and Technology, the FTC refused to provide a bright line rule for delineating personal and non-personal information. Instead, the FTC took the position that behavioral advertising principles "should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is 'personally identifiable' in the traditional sense." Similarly, the FTC’s report on “Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers ("Privacy Report"), argued for protecting consumer data that can reasonably be linked to a specific consumer, computer or device.

Notice and Consent

The settlement requires Google to provide its users with notice and choice prior to sharing users’ information with third parties in certain circumstances. Specifically, if the proposed disclosure is contrary to the data sharing practices Google represented to be in effect at the time the information was collected, the settlement requires Google to give users a clear and prominent notice of the proposed disclosure and to obtain their “express affirmative consent.” While the settlement does not define “express affirmative consent,” at a minimum, this provision will require Google to offer users a prominent, transparent means for exercising their privacy choices. 

Comprehensive Privacy Program

The FTC stated that the Buzz settlement is the first to require a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. The inclusion of his requirement in the settlement appears to be the first application of the “privacy by design” philosophy that the Commission articulated in its Privacy Report. The FTC’s “privacy by design” approach calls on companies to build privacy protections into their business practices. Such protections should include sound mechanisms for allowing consumers to exercise their privacy choices, reasonable security for consumer data, limited collection and retention of consumer data, secure disposal of the data, and reasonable procedures to promote data accuracy. The report also called for companies to implement and enforce procedurally sound privacy practices throughout the organizations, including by assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services.

The settlement requires Google to maintain a written, comprehensive privacy program that is reasonably designed to (i) address privacy risks related to the development and management of new and existing products and services, and (ii) protect the privacy and confidentiality of covered information (as defined above). Goggle must include in its privacy program the privacy controls and procedures appropriate to the company's size and complexity, the nature and scope of its activities, and the nature of covered information.

Specifically, the settlement requires Google to:

• Designate staff responsible for the privacy program;

• Conduct a risk assessment to identify reasonably-foreseeable risks that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;

• Design and implement reasonable privacy procedures to control the risks identified through the privacy risk assessment;

• Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures;

• Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Google;

• Require relevant service providers by contract to implement and maintain appropriate privacy protections; and

• Evaluate and adjust the company's privacy program in light of the results of the testing and monitoring, any material changes to the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the company’s privacy program.

Compliance Requirements

In addition to the specific requirements regarding the company’s privacy practices, the settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, objective and independent third-party professional. The reports must certify, among other things, that:

• Google has in place a privacy program that provides protections that meet or exceed the protections required by the settlement order; and

• Google’s privacy controls are operating with sufficient effectiveness to provide reasonable assurance that the privacy of covered information is protected.

Google must retain the materials relied upon to prepare the third-party assessments for a period of three years from the date of the assessment. 

The settlement also requires Google to:

• Retain all “widely disseminated statements” that describe the extent to which the company maintains and protects the privacy and confidentiality of any covered information, along with all materials relied upon in making or disseminating such statements, for a period of three years;

• Retain for a period of six months (i) all consumer complaints directed at Google, or forwarded to Google by a third party, that allege unauthorized collection, use or disclosure of covered information and (ii) any responses to such complaints;

• Retain for a period of five years documents that contradict, qualify or call into question the company’s compliance with the terms of the settlement;

• Disseminate the consent order to the company’s current and future principals, officers, directors and managers, and to all current and future employees, agents and representatives who have supervisory responsibilities relating to covered information; and

• Notify the FTC of changes in the company’s corporate status.

Action Item

As we often note on this blog, privacy enforcement activity is rising exponentially, whether in the format of state and federal regulatory actions, class action suits, media exposés or public admonitions by regulators. This enforcement activity presents a significant risk to companies whose business models rely heavily on the collection, use or disclosure of information associated with individuals. If your company has not already done so, now is the perfect time to review the company’s privacy and information security practices, conduct a privacy and information security assessment, and take steps to ensure that the company’s practices comply with the various privacy and information security requirements, including FTC guidance.

U.S. Department of Health and Human Services -- $4.3M fine, $105,000 per record

On February 22, 2011, the HHS issued a Notice of Final Determination finding that a health plan, Cignet Health of Prince George’s County, Md., violated the HIPAA Privacy Rule, and imposing a fine of $4.3 million on company. This marks the first time the HHS has imposed a civil monetary penalty for an entity’s violation of the HIPAA Privacy Rule. The HHS determined that Cignet violated 41 patients’ rights by denying the patients' requests for access to their medical records between September 2008 and October 2009. The HHS took action as a result of the patients’ individual complaints. The HHS has alleged that, during its investigation, Cignet refused to respond to the agency’s demands to produce the records. Additionally, Cignet is alleged to have failed to cooperate with the agency’s investigation of the complaints or produce the records in response to a subpoena. The HHS has found that Cignet failed to cooperate with the agency’s investigations on a continuing basis due to the company’s willful neglect to comply with the HIPAA Privacy Rule. The investigation was conducted by the HHS Office for Civil Rights.

Federal Trade Commission – 20-year consent order, over 1,800 records

On February 3, 2011, the FTC announced that three companies in the business of reselling consumers’ credit reports agreed to settle charges that they did not take reasonable steps to protect consumers’ personal information. According to the FTC’s complaint, the three resellers bought credit reports from the three nationwide consumer reporting agencies and combined them into special reports sold to clients such as mortgage brokers and others to determine consumers’ eligibility for credit. The FTC alleged that the resellers lacked information security policies and procedures and allowed clients that did not have basic security measures in place (such as firewalls or current antivirus software) to access their reports. According to the FTC, hackers exploited these vulnerabilities to access more than 1,800 credit reports without authorization through the resellers’ clients’ networks. In addition, the FTC alleged that after becoming aware of the data breaches, the companies did not make reasonable efforts to protect against future breaches.

The settlements require the resellers to strengthen their data security procedures and submit to audits for 20 years. David Vladeck, Director of the FTC’s Bureau of Consumer Protection noted that this enforcement action “should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it.” “Had these three companies taken adequate steps to ensure the use of basic computer security measures, they might have foiled the hackers who wound up gaining access to extensive personal information in the consumer reporting system,” added Vladeck.

FINRA -- $600,000 fine for failure to secure over 1M records

On February 17, 2011, the Financial Industry Regulatory Authority (FINRA) -- the largest independent regulator for all securities firms doing business in the United States -- imposed fines of $600,000 against  a securities firm, Lincoln Financial Securities, Inc. and its affiliate, Lincoln Financial Advisors Corporation. FINRA alleged that the firms failed to adequately protect customer information, including by failing to require brokers working remotely to install security software on personal computers used to conduct securities business. FINRA found that for extended periods of time (between two and seven years) the firms’ employees were able to access customer account records through any Internet browser by using shared login credentials. According to FINRA, between 2002 and 2009, more than one million customer records were accessed through the use of shared user names and passwords. FINRA found that the firms did not have policies or procedures to monitor the distribution of the shared credentials, and were unable to track how many or which employees gained access to the customer information during this extended period security vulnerability. FINRA determined that these failures put at risk confidential customer information, including names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details. FINRA also found that the firms did not have procedures to disable or change the shared user names and passwords on a recurring basis even after an employee had been terminated. This prevented the firms from determining whether former employees continued to access confidential customer information using the shared credentials.

In assessing sanctions, FINRA took into consideration the firms’ efforts to notify all customers whose account information was or may have been exposed and the firms' offer to the customers of credit monitoring and restoration services for a period of one year.

With privacy enforcement on the rise, it is not worth the financial and reputational risk to wait for a breach, an enforcement action or a critical media report before establishing a robust privacy and information security governance program. If your organization does not have such a program in place, now is the time to act. Legal compliance function, vendor management and appropriate privacy and information security provisions in vendor and customer agreements are just a few of the hallmarks of a program that could have helped avoid these enforcement actions.

The Report’s “proposed new framework for consumer privacy” is designed to reflect and balance (i) the realities of new online practices and business models, (ii) while comporting with existing FTC and applicable federal and state law, (iii) encouraging new products and services to meet consumers’ needs and wants, and (iv) finally to provide “common assumptions and bedrock protections” that consumers and businesses alike can rely upon and plan around.

 To these ends, the Report's proposed framework contains three major elements:

• Integration of privacy by companies into “regular business operations and at every stage of product development” with a goal of reducing consumer burdens in choosing from among “privacy protective data practices;” and
• Streamlining privacy options for consumers, while “preserving beneficial uses of data” by agreeing upon “commonly accepted practices” and providing “clear and prominently disclosed choices for all other data practices;” and a
• Increased transparency of data practices by both consumer-facing and backend online businesses.

 The Report makes clear that the framework is not cut from whole cloth, but built “upon the FTC’s notice-and-choice and harm-based privacy models while also addressing some of their limitations,” and calls upon, what the FTC dubs four “basic building blocks” of the framework, detailed in brief here and in further detail below, including:

• Universal scope, where the proposed framework would, in a departure from existing applicable state data privacy regimes, apply to any and all commercial entities that “collect or use consumer data that can be reasonably linked to a specified consumer, computer, or other device.”
• Privacy by Design, where, as noted above, the FTC recommends privacy be baked into the mix from the get go in any product or services development, along with maintenance of “comprehensive data management procedures throughout the life cycle” of the products and services.
• Simplifying consumer choice as to the collection and use of data by providing “commonly accepted practices” and appropriate choices at other applicable times and contexts designed to simplify consumer decision making.
• Greater transparency by companies of their existing data practices, with “clearer, shorter and more standardized” privacy notices, to achieve a goal of enhancing understanding and comparison between companies, along with concomitant “reasonable access” by consumers to the data companies hold about them.

Once the framework is finalized, the FTC has stated its staff may conduct surveys and conduct “other benchmarks” to evaluate industry implementation and use its existing authority under Section 5 of the FTC Act, 15 U.S.C. § 45, and other applicable statutes in investigative and enforcement actions.

 "Building Blocks" in Detail

1. Universal Scope

The Report notes that the newly proposed framework’s scope contains two main points, namely, that: (a) the framework “would apply to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers” and (b) the proposed framework applies to data “that can be reasonably linked to a specific consumer, computer, or other device” and not just traditional personally identifiable information (“PII”).

The rationale underlying the FTC’s proposed universal scope is that consumers are significantly unaware of the breadth and depth of data and sharing thereafter, and that the traditional break between PII and non-PII info has lost significance because of technology advancements and the scope of data aggregation that could allow “to re-identify consumers from supposedly anonymous data.”

The Department of Health and Human Services (HHS) earlier this year proposed expanding the reach of the Health Insurance Portability and Accountability Act of 1996's (HIPAA) Security, Privacy and Enforcement Rules, pursuant to the HITECH Act, to require  “business associates” secure Protected Health Information (PHI) of covered entities (see InfolawGroup's earlier posts detailing the proposed modifications to the various HIPAA Rules, Part One and Part Two), the FTC’s newly proposed framework approaches privacy from the angle of whether any “consumer data” can be tied back to a specified individual, computer or "other device," rather than adopting a straight definition of what qualifies as date that garners protection or on the form and format of the date.

To date many states breach and privacy statutes have typically focused, as a threshold matter, on whether applicable data contains "personally indentifiable information" (PII), as defined under the applicable rubric.  Similarly under HIPAA whether data qualifies as PHI requires consulting a list of eighteen identifiers. The framework's contrasting universal scope is actually fairfly consistent with the FTC’s previous Health Breach Notification Rule, 16 C.F.R. § 318 (2009), (HBNR), issued pursuant to the American Recovery and Reinvestment Act of 2009, which requires “vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.” However, to avoid conflicts with HIPAA's separate framework the FTC's HBNR expressly provides, with caveats, that “the rule ‘does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.'’’

This universal scope has, as the FTC acknowledges, raised numerous material questions, which the FTC seeks comment on over the next nearly two months (e.g., what are the practical considerations that weigh in favor of excluding certain entities; is it feasible to cover all data that can be “reasonably linked to a specific consumer, computer, or other device,” and should the framework be applicable to data that, “while not currently considered ‘linkable,’ may become so in the future"? Etc.). The FTC also seeks feedback as to whether any existing technical means may “more effectively ‘anonymize’ data, and whether industry norms are emerging in this area” which dovetails with the point made during FTC's presentation of the Report that any laws and rules enacted can only go so far in the privacy area without a steady applicable of technology.

2. Privacy by Design

The new framework proposes that privacy be considered and incorporated throughout organizations at each stage of the design and development of products and services that may interact with consumer data, rather than as is more common, being bolted on as an afterthought. As part of the framework, the FTC proposes limited data collection, a baseline of “reasonable security for consumer data” (see InfoLaw Group partner, David Navetta's article, The Legal Defensibility Era), and, as possible methods to ensuring privacy by design, additional employee training, regular privacy reviews, and assigning specific individual to oversee privacy issues (which is interestingly a requirement in many FTC breach related enforcement action settlements - e.g., Eli Lilly settlement with FTC regarding security breach, here).

The rationale for adoption of this building block is that it would place the onus of providing privacy and security on those companies working with the consumer data rather than forcing consumers to “read long notices to determine whether basic privacy protections are offered.”

In providing privacy by design into practices, the FTC framework highlights four critically important protections:

• Reasonable Safeguards – which are dependent on the sensitivity of the data at issue, the size and nature of the business operation and the type of risks faced, and should include physical, technical, and administrative efforts. The Report does note that various federal and state laws, including various existing FTC standards, already require such efforts (providing as example, the Disposal of Consumer Report Information and Records, 16 C.F.R. § 682 (2005); FTC Standards for Safeguarding Customer Information Rule, 16 C.F.R. § 314 (2002); HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. §§ 160, 162, 164 (2003); Mass. Gen. Laws ch. 93H, § 2(2007); and Cal. Civil Code § 1798.81.5 (2010)). 
• Limited data collection – whereby a company should collect only the “the information needed to fulfill a specific, legitimate business need.” The reasoning in support of this protection is that doing so is “important in light of companies’ increased ability to collect, aggregate, and match consumer data and to develop new ways of profiting from it.”
• Reasonable data retention periods – the yin to the yang of limiting data collected is retaining such data “only as long as [entities] [] have a specific and legitimate business need to do so.” The Report notes that the massive drop in data storage costs have enabled and indeed encouraged companies to retain all data in near perpetuity, leading to the companies seeking to mine such data by developing future secondary uses for it that neither the consumer nor the company envisioned at the time of collection. The FTC here further stresses that secure disposal is a must (e.g., FTC cases against DSW Shoe Warehouse, BJ’s Wholesale Club and Card Systems).
• Accurate data collection – the last point in the FTC’s four point schema is an insistence that companies take reasonable steps to ensure the accuracy of the data collected, “particularly if such data could be used to deny consumers benefits or cause significant harm.”

In connection with these four protections the FTC seeks comment and feedback on other substantive protections that should possibly be provided and "how to balance the costs and benefits of such protections."  Other express areas the FTC seeks comment on is: "whether the concept of 'specific business purpose' or 'need' should be defined further, and if so, how?"; prescription of setting reasonable retention periods based upon "the type or the sensitivity of the data at issue"; and application of the protections to legacy systems.

In Part 2, I'll look at the remaining two building blocks and the Report's focus on potential Do Not Track solutions.

• Implementation of privacy by design; building privacy choices and technology into products and services as they are developed

• Transparency of privacy practices and consumer privacy notices; providing short, precise notices at the data collection point

• Simplification of consumer choices; making the choices meaningful

• Simplification of consumer choices through a one stop shop for opting out of marketing or tracking (the FTC distinguishes between tracking and targeting); Mr. Vladeck believes there are technological means to implement this option, but the FTC does not have the authority to mandate such a system without Congressional action

• Respect for consumers' choices; the FTC will not tolerate use of technological means to circumvent consumer choice

• Encouraging competition on privacy by enabling consumers to compare privacy practices of competing websites

• Strong protection for sensitive data, such as children's information, geo-location data and other information

• Giving consumers access to their data; access is an important ingredient in privacy accountability

• Focus on consumer and business education about privacy

Mr. Vladeck encouraged privacy stakeholders to answer questions that the FTC’s report will pose and provide other comments. The deadline for comments will be January 31, 2011.

Check back with us later today for a detailed analysis of the FTC’s report.

When I was a kid in Las Vegas, I had a “pen pal” in France. We exchanged the occasional letter, painfully translating into each other’s languages and then trying to figure out how much postage to stick on the envelope. It seems quaint now.

Thanks to Facebook, LinkedIn, and Twitter, I’ve enjoyed meeting people with similar interests and reconnecting with people I knew socially or professionally in years past, in several countries. It’s usually pretty easy to look up people as you think of them, and there’s no postage and little delay.
Those services, and an array of other social media, have become truly international. Some 15% of the world’s Internet users are American, so even successful social media operators in the US naturally look abroad to expand their increasingly monetized networks. Competing with national and regional social networks throughout the world, leading social networking providers in the US, Europe, China, and India have turned social media into a global phenomenon. To take one prominent example, US-based Facebook now translates into more than 100 languages and reported this month at InsideFacebook.com that nearly 70% of its hundreds of millions of users reside outside the United States.

Facebook aggregates users’ self-reported demographic data and sells the information to advertisers, who are understandably eager to tap the advertising possibilities of social media.  In several developed countries, a third or more of the population uses Facebook, many on a daily basis.

Facebookers and other social networkers often end up sharing a large amount of personal and professional information over time with friends . . . and friends of friends, and friends of friends of friends, and ultimately with a lot of people they wouldn’t recognize across a restaurant. By some estimates, roughly a third of Facebook users ultimately divulge their home address and current employment to an unknown number of people who are perhaps not all really their friends. New York Senator Charles Schumer recently called on the Federal Trade Commission to develop guidelines for social networking sites, and the FTC has already had occasion to investigate the extent to which identity theft and fraud are attributable to bad hygiene, or bad policies, in social media.

Most of the social networking groups I belong to are professional ones, linking lawyers, business people, inventors, IT managers, academics, and government officials who share certain interests and follow developments in particular fields. Those who participate often share ideas and some personal and career information, and they sometimes comment about their own companies or organizations or the offerings of their competitors.

So, as a lawyer, it strikes me that some social networkers may be exposing themselves not only to embarrassment and unwanted solicitations but also to fraud or identity theft. They also may be setting themselves up for trouble with prospective employers, or with their current employers or business partners who feel the talkative social networker has violated confidentiality policies or nondisclosure agreements (in surveys, many large US employers acknowledge that they have fired or disciplined employees for the contents of their posts or blogs). Advertising thinly disguised as a Tweet or post may not conform to advertising rules in all the relevant states, provinces, or countries. An intemperate rant or sly aside, broadcast to a few hundred of the user’s “closest friends,” raises the potential of liability for defamation or commercial disparagement. Comments about associates or coworkers, especially in the context of social media that blur the lines between personal and professional life, may trigger sanctions under privacy and data protection laws. And thanks to the global nature of social media, the hapless social networker could conceivably run afoul of laws in multiple jurisdictions.

It’s not only the FTC that has started worrying about the dark side of social media. The Article 29 Data Protection Working Party (comprised of EU authorities and European national data protection commissioners) issued a statement this month declaring that Facebook’s new default privacy settings are dangerous. The group has also warned social media applications developers (such as FarmVille) to be careful in their handling of user data. Regulators on both sides of the Atlantic have expressed concern as well about behavioral marketing applications based on gathering information about an individual’s participation in social media.

It’s easy to over-react to the hazards of social media, of course. Some parents forbid their children from joining in (and some teens have created a “safe” MySpace page that their parents can see, while secretly maintaining a more dubious version to share with their peers). Some users decide to drop out entirely, finding the risks, or just the implied obligation to post and respond frequently, unmanageable; there is even a “Quitting Facebook” Community Page on Facebook itself. Reasonably careful social networkers simply look at the privacy policies and options and adjust their settings appropriately to their intended use – and then watch what they say about employers, competitors, and other sensitive types. Some corporations have blocked access to social networking sites from company computers and adopted policies against their employees saying, well, pretty much anything about the company or its competitors or regulators. But other companies have already designated a “director of social media” to help the organization make effective use of social networking, internally and externally.

It seems that the trend is for employers to expand their “acceptable use” policies on email and web browsing to encompass blogging and social media as well. This is a necessary step, but it is also fraught with concerns arising from labor law, privacy law, and rights of association and free expression, and the rules differ across the many jurisdictions that may be at issue.

It is possible to set some boundaries that will pass muster just about anywhere and articulate policies that guide employees toward safe and sensible use of social media. There is much to be learned in the way of evolving best practices, especially among large multinational employers. Just don’t forget to check with a knowledgeable lawyer when crafting such policies and determining how to enforce them.