Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

The rules grant utilities unfettered use of customer data for regulated utility purposes. However, utilities will generally be permitted to share a customer’s data with third parties only after the customer provides informed consent. Utilities may obtain customer consent under the rules if a customer submits a consent form – which will be prescribed and supplied the PUC – electronically or by postal mail. The PUC granted an exception to the rule which will also allow customers to provide consent in person, provided that the customer produces appropriate identification. Customer consent will have no expiration date. The PUC rejected the Administrative Law Judge’s proposal that consent forms must be notarized, as the commissioners agreed that the notarization process is burdensome and unnecessary for authenticating customer consent. Utilities must also obtain the customer’s consent before using customer data for unregulated services.

The rules permit a utility to disclose customer data to a contracted agent, as long as the agent uses the data solely for the purpose of the contract between the agent and the utility. Several interested parties filed an exception to the rule, asking that contracted agents be granted unlimited secondary use of customer data. The PUC denied the exception, noting that this proposed exception was contrary to the purpose and spirit of the regulations. The regulations will continue to prohibit contracted agents from using customer data for a secondary commercial purpose unrelated to the purpose of the contract without first obtaining the customer’s consent.

While a number of the filed exceptions were denied by the PUC, the commissioners did agree to strike proposed Rule 3032, which would have given customers the option to place a data freeze on their utility account. The data freeze provisions provided customers with an opt-in opportunity to prevent utilities from disclosing customer data to third parties. However, since the proposed rules operate under the basic assumption that customer data will not be disclosed to third parties without customer consent, the commissioners agreed that the Rule 3032 was redundant and unnecessary.

Another notable decision of the PUC was the commissioners’ affirmation of the penalties as set forth in proposed Rule 3036. Interested parties argued that, without a cap on total liability, penalties issued under the Rule would be excessive. However, the PUC denied the exceptions to Rule 3036. Although the Rule provides for penalties that have the potential to be rather large, the PUC indicated that penalties will only apply for “intentional” violations of the rules.

The rules also require utilities to provide annual written notice to customers explaining their privacy and security policies governing access to and disclosure of customer data and aggregated data to third parties. During the hearing, the PUC agreed to allow utilities to deliver this notice to customers electronically. The PUC also agreed to give electric utilities until March 1, 2012 to file their compliance tariffs.

Colorado joins several other states that are seeking to regulate utilities’ use and disclosure of customer data. While some issues remain unresolved after the hearing, PUC staff will be circulating an updated draft of the rules that reflects the PUC’s recent decisions. We will continue to discuss this and other utility-related privacy initiatives on our blog as they develop, so check back often.

According to the NLRB decision, the employer Hispanics United of Buffalo fired five employees for criticizing work conditions on a Facebook comment thread. After one of the employees notified the NLRB regional office, NLRB Regional Director Rhonda Ley issued a complaint alleging that Hispanics United conducted unfair labor practices in violation of the National Labor Relations Act by “interfering with, restraining, and coercing employees in the exercise of rights” guaranteed in Section 7 of the NLRA. Section 7 provides in part that employees have the right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” The NLRB has interpreted Section 7 rights to apply to both unionized and non-unionized personnel.

Judge Arthur Amchan found that the employees’ were illegally discharged because the Facebook discussion was concerted activity protected under Section 7 of the NLRA. The discussion was protected because it involved a conversation among coworkers about their terms and conditions of employment. Although Hispanics United argued (in part) that the Facebook comments were not protected because persons other than Hispanics United employees may have seen them, Judge Amchan found that “irrelevant” as the first comment in the thread specifically “asked for responses from co-workers.” Furthermore, “just as the protection of Sections 7 and 8 of the Act does not depend on whether organizing activity was ongoing” Judge Amchan noted, “it does not depend on whether the employees herein had brought their concerns to management before they were fired, or that there is no express evidence that they intended to take further action, or that they were not attempting to change any of their working conditions.” The judge determined that the employees had not engaged in any conduct that could have forfeited their Section 7 rights. According to the decision, the comments were related to subject matter the employees had a protected right to discuss, there were no “outbursts,” and the employees had not violated any Hispanic United policies or rules. Although Hispanics United asserted that the employees’ conduct constituted harassment of an employee named on the Facebook comment thread in violation of its “zero tolerance” harassment policy, Judge Amchan found no evidence in the record supporting Hispanics United’s position.

In a first for a case involving employees' rights in the context of social media, the NLRB judge ordered Hispanics United to reinstate the five employees and awarded the employees back pay. Hispanics United was also ordered to “cease and desist from discharging its employees due to their engaging in protected concerted activities” and to post a notice at its Buffalo facility concerning employee rights under the NLRA and the organization's violations of those rights.

On the heels of the NLRB report on social media enforcement, this ruling provides further guidance to employers regarding the NLRB's application of Section 7 to social media and the growing number of NLRB's social media enforcement actions. As we noted both in the context of discussing the NLRB’s recent enforcement actions and the agency's social media report, employers should carefully review and adjust their communications and social media practices and policies to comply with the NLRB's guidance on employees' Section 7 rights.
 

Changing Opinions

This is not the first time the FTC has issued a comprehensive FCRA report. Given the large volume of guidance materials it has amassed over time, the FTC released “Commentary on the FCRA ” in 1990 – a compilation of statements regarding how the FTC would interpret and enforce the FCRA. Much has changed since the FTC issued the 1990 Commentary: the FCRA has been significantly amended, the FTC has issued numerous new interpretive guidance documents, and developments in technology and industry practices have rendered parts of the Commentary obsolete or outdated. As a result, the FTC withdrew the 1990 Commentary when it issued the new staff report. The new staff report provides an overview of the FTC’s role in enforcing and interpreting the FCRA and includes a section-by-section summary of the FTC’s interpretations of the Act. The interpretations in the staff report differ from the 1990 Commentary in five significant areas, described below.

Commercial Transactions. The FCRA applies to written, oral, or other communications of information by consumer reporting agencies (CRAs) that fit the definition of “consumer reports.” To be considered a consumer report, information communicated by a CRA must bear on a consumer’s credit worthiness, standing, or capacity, character, general reputation, personal characteristics, or mode of living. Additionally, the information must be used or expected to be used to establish the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes, employment, or other purposes specifically identified in the FCRA. One point of contention has been whether and how the FCRA applies in the context of an application for business credit as opposed to personal credit. Creditors will often obtain a credit report on the sole proprietor or other principal of a business and use the report to determine whether to extend credit to the business. It was the FTC’s position in the 1990 Commentary that “a report on a consumer for credit or insurance in connection with a business operated by the consumer is not a consumer report.” Courts have held that the purpose of the FCRA “is to protect consumers from inaccurate or arbitrary information in a consumer report which is used as a factor in determining an individual's eligibility for credit, insurance or employment” and the FCRA “does not apply to reports used for business, commercial or professional purposes.” For example, in Wrigley v. Dun & Bradstreet, Inc. a commercial reporting service issued credit reports to subscribers who used the information when deciding whether to extend commercial credit to a construction company. The reports contained the personal financial information of the construction company’s president. The court held that the credit reports were for the extension of commercial credit – even though the reports contained personal credit information – therefore the FCRA did not apply.

The staff report details how the FTC currently interprets the FCRA’s application to commercial transactions. To be sure, “a report that concerns the consumer’s business history (as opposed to personal credit or employment history) that is collected and provided by a commercial reporting service solely for use in business transactions is not a ‘consumer report’” and the report provider is not a CRA. However, “a report from a CRA on the personal credit of a consumer to a business credit grantor is a ‘consumer report’ regardless of the purpose for which the information may in fact be used.” This means that reports to business credit grantors by commercial reporting services that compile data and provide reports only for commercial purposes are not “consumer reports” subject to the FCRA. On the other hand, a report on an individual based on information that was collected for the purpose of reporting on that individual is a consumer report and the FCRA applies, even if the report is furnished in connection with a commercial transaction.

Joint Users. Does an entity become a CRA by virtue of sharing a consumer report with another party? According to the FTC’s prior interpretation, a user could share a consumer report with another user without becoming a CRA under certain circumstances. An agent could share with its principal, an employee with employer, and two users could share a consumer report for the same permissible purpose with the consumer’s consent. In these scenarios, the entity sharing the report and the recipient were deemed “joint users” and the sharing entity escaped CRA status. The FTC has now abandoned the “joint user” terminology, focusing instead on whether an entity meets the statutory definition of a CRA. If a user shares a consumer report “for the purpose of providing consumer reports to third parties,” the user may be deemed a CRA. However, a user who obtains a consumer report and shares it with another simply to effectuate a particular transaction initiated by the consumer "is not providing consumer reports to third parties” and, therefore, is not a CRA.

Departments of Motor Vehicles. The FTC no longer takes the position a DMV is a CRA when it provides motor vehicle reports for insurance underwriting purposes – even if it does so for a fee. Although a DMV or other government agency that supplies public records to third parties might be considered a CRA based on a literal reading of the FCRA, the staff report notes that such an interpretation would “lead to absurd results.” If government sources of public record information were CRAs, “government agencies would be required to suppress accurate public record information more than seven years old” and “those who provide information for use in public records – such as police officers – would be deemed furnishers, subject to a host of responsibilities under the FCRA.”

Identified Information. The FTC generally considers “credit guides” – listings that rate how well consumers pay their bills – to be consumer reports subject to the FCRA. However, the FTC previously did not consider credit guides to be consumer reports if they were coded to prevent the disclosure of a consumer’s identity. The FTC now takes the position that that credit guides (as well as other information) that do not identify consumers by name may constitute consumer reports if such guides can “otherwise reasonably be linked to the consumer.” The FTC voiced its concern that coding (particularly by Social Security number or other sensitive data) could readily lead to the disclosure of a consumer’s identity due to advancements in technology and the increasing availability of consumer data.

New Interpretations

The staff report addresses several issues not covered by the 1990 Commentary in an attempt to provide clarity regarding FCRA provisions that have generated a significant number of questions from the public. Importantly, the staff report delves into detail regarding when it is permissible for CRAs to issue (and users to obtain) consumer reports under the FCRA. One permissible purpose to obtain a consumer report is “in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the … review or collection of an account of the consumer.” The staff report states that the “review” permissible purpose applies only when a creditor has an existing account relationship with a consumer and uses a consumer report solely to decide whether to modify the terms of the account. This means that even if a creditor has a permissible “review” purpose to obtain a consumer report, it may not exploit the report to market other products or services to the consumer. CRAs are also permitted to furnish a consumer report according to the written instructions of the consumer to whom the report relates. The staff report states that written consent only qualifies as an “instruction” if it clearly authorizes the issuance of a consumer report on that consumer. For example, “I authorize you to procure a consumer report on me” is sufficient if it is in writing, but the consumer’s signature on a form stating “I understand that where appropriate, credit bureau reports may be obtained” is not. The FTC highlights a consumer’s electronic signature may be an acceptable method of providing written instructions under FCRA. To be valid under the ESIGN Act, electronic authorization must be in a form that can be retained and retrieved in a perceivable form. The FTC notes “whether an e-mail, a mouse click ‘yes,’ or other electronic means clearly conveys the consumer’s instructions depends on the specific facts.”

The staff report also reflects the statutory modifications made to the FCRA over the years. Recently, the Dodd-Frank Act amended the FCRA to impose new requirements on users of consumer reports. The FCRA requires a person taking adverse action based in whole or in part on a consumer report to provide adverse-action notice to the affected consumer. Under new rules that took effect July 21, 2011, users of credit scores must include those scores (and related information) in adverse-action notices. This requirement also applies to adverse-action decisions not related to credit. Consequently, when a user takes an adverse action based on consumer report information, regardless of the weight the credit score plays in the decision, the user must provide the consumer with a host of new information. Additionally, the FCRA requires creditors to provide risk-based pricing notice to consumers when, based on the report, the creditors grant credit or amend existing credit on terms that are “materially less favorable” than the most favorable terms obtained by a substantial portion of consumers. The Federal Reserve Board and the FTC recently amended their respective adverse action and risk-based pricing rules to reflect the recent FCRA amendments. The new rules raise a host of questions, many of which are addressed in the staff report. As the new rules apply when a credit score is used in the evaluation of a consumer, the staff report squarely addresses what constitutes a credit score and when a credit score is considered “used” under the rules. The staff report clarifies that a score that is not used to predict creditworthiness, such as an insurance score, is not a credit score and need not be disclosed. The staff report also makes clear that “use” occurs at a very low threshold - if a credit score plays any role in a user’s decision regarding a consumer then it must be disclosed.

Future of FCRA Interpretation and Enforcement

The newly created CFPB is now the primary agency responsible for interpreting the FCRA. The CFPB is vested with exclusive rulemaking authority over all federal consumer financial law – this includes the authority to issue rules under existing consumer protection statutes such as the FCRA (with limited exceptions) as well as new rules to prohibit unfair, deceptive or abusive acts or practices. The primary role of the CFPB will be supervision in order to “prevent harm to consumers from unlawful financial practices and ensure that markets for consumer financial products and services are fair, transparent, and competitive.” To accomplish this, CFPB is assembling a team of examiners that will directly observe the business practices of entities subject to CFPB jurisdiction. Examiners will assess institutions’ compliance with the FCRA and other federal consumer protection laws. According to the CFPB website, the agency will require businesses to change their practices to comply with the law and may also “require improved employee training, implementation of better policies and procedures or quality controls, and in more serious cases, monetary compensation to consumers.”

Since the adoption of the FCRA, the FTC has enforced the Act at the federal level by bringing enforcement actions against CRAs, entities that furnish information to CRAs, and users of consumer reports such as creditors and employers. The CFPB and FTC now have joint FCRA enforcement authority over a host of industries. As we noted in a previous post, the FTC is actively addressing FCRA compliance and we expect its efforts to extend beyond traditional CRAs. Earlier this year the FTC found that Social Intelligence Corporation - an Internet and social media background screening service - is a CRA subject to the FCRA. Like the FTC, we expect the CFPB will broadly interpret and actively enforce the FCRA. In so doing, the CFPB may give heavy weight to the FTC’s interpretations of the FCRA, making the staff report invaluable to businesses handling consumer report information. With new FCRA rules in place and an additional agency tasked with FCRA enforcement, businesses are wise to determine whether they are subject to the FCRA and to consider FCRA compliance.

The Experiment

Many websites use machine-readable codes that tell a browser their privacy policies - such as whether a website sends cookies and with whom the website shares personal information gained from those cookies. Websites commonly use Platform for Privacy Preferences (P3P) compact policy “tokens” such as “NID” (no identified user information collected), which represent a standardized privacy expression defined in P3P specifications. The authors of the study used a modified version of Privacy Finder, a search engine that annotates a user’s Google or Yahoo! search results with “privacy meter” icons. Privacy Finder generates these icons through an automated analysis of the P3P policies of the websites a user visits. These icons graphically represent how well a website’s privacy policy matches preferences specified by the user. The authors configured their search engine to calculate privacy warnings based on a website’s sharing of personal financial information, purchase information, or personally identifying information; a website’s refusal to allow a user to remove the user’s personal information from marketing lists; and a user’s inability to view her personal information on a website.

Three groups of participants (two control groups and one test group) using the modified search engine were told to search for products online and purchase those products using their own credit cards. All participants were instructed to purchase both an eight-pack of Duracell AA batteries and the “Pocket Rocket Jr.,” a vibrating sex toy. Both products average about $15 including the cost of shipping and are widely available online. One control group did not see any privacy meter icons when they searched for the products to purchase. The other control group saw the icons, but was told that the icons merely indicated websites’ “handicap accessibility” - a characteristic chosen as a control condition because it’s considered to be generally irrelevant to most online consumers. The test group saw the icons and was told that the icons indicated the degree of websites’ privacy protections. All participants in the study could access merchants’ privacy policies by clicking on privacy policy links displayed on the websites they visited.

The results of the study offer new insight into consumers’ valuations of personal data and online behavior. Control group participants generally purchased their products from the websites offering the lowest prices. In contrast, test group participants - who saw the privacy meter icons and knew that the icons represented the level of privacy protections utilized by the websites - were more likely to make purchases from websites offering medium or high levels of privacy, even if those sites charged higher prices for identical products. Additionally, participants demonstrated that they would spend an average of 59 to 62 cents more to buy the same product from websites offering stronger privacy protections.

The Take Away

How can businesses capitalize on these findings? The study suggests that businesses that incorporate "privacy by design"  into their online business models help promote greater consumer awareness of and control over personal information, attracting privacy-conscious consumers. Developing and implementing a website privacy policy is one aspect of the “privacy by design” framework – how a business collects and handles data online is more transparent with a privacy policy in place. While displaying a privacy policy is a good first step toward transparency, 70% of people surveyed by the Annenberg Public Policy Center of the University of Pennsylvania disagreed with the statement that “privacy policies are easy to understand.” Accordingly, if a merchant seeks to promote its online privacy practices in order to boost sales, consumers must be able to identify and understand the merchant’s privacy practices for those practices to affect consumer behavior. Typically, however, online merchants display only small links to their privacy policies at the bottom of their websites. As such, privacy policies are often overlooked by consumers. Recently, the Federal Trade Commission and consumer advocacy groups have been advocating just-in-time notice as a means of making information about privacy practices more transparent and accessible to consumers. The results of the Carnegie Mellon study seem to confirm the benefits of this approach. The study indicates that purchasing decisions may be affected when privacy practices are presented to consumers in a user-friendly fashion when they are browsing online.

The study also suggests that businesses “may use technological means to showcase their privacy-friendly privacy policies and thereby gain a competitive advantage” and “maximize profits.” Specifically, “if the adoption of P3P increases, businesses protective of customer privacy may be able to attract consumers by posting their P3P policies and signaling good privacy practices.”
 

The right to an access report would apply only to health information that is maintained using an electronic system, as tracking access to paper records is not automated and would be unduly burdensome according to HHS. The proposed regulations would require covered entities to generate, upon request, an access report from access log data, which is collected by electronic record systems each time a user accesses protected health information. Access reports would detail the access by covered entities as well as business associates –entities that create, receive, maintain, or transmit certain health-related information on behalf of covered entities. The proposed rule requires covered entities and business to retain access logs for no less than three years so that an access reports can document access to the individual’s health information for the three years prior to the individual’s request for the report.

Covered entities and business associates are already required to comply with the HIPAA Security Rule, which obligates them to track access to protected health information. As such, HHS believes that the proposed rule will not be unduly burdensome. According to HHS, many electronic systems are already configured to log the activities that the proposed access reports would reference.

Under the proposed rule, access reports would include the date and time of access, and the name of the individual or entity accessing an individual’s health information. Additionally, if available, an access report would include a description of the information that was accessed and of the action taken by the user (e.g., whether they created, modified or deleted the information). Access reports also must include a statement informing individuals of their right to request access reports in their notices of privacy practices. Additionally, while individuals would be entitled to receive their first access report free of charge, the proposed rule would allow covered entities to charge reasonable, cost-based amounts for any subsequent reports requested within a 12-month period.

To minimize the volume of data in an access report, covered entities could give individuals the option to limit the coverage of the report by a specific date, time period, or person. For example, the individual requesting a report could elect to limit an access report to disclose only whether a particular family member accessed the individual’s health records within the last six months. Additionally, HHS is recommending – although not requiring in the proposed rule – that covered entities offer individuals the option to limit access reports to specific organizations. For example, if an individual does not wish to learn whether his or her health records were accessed by business associates, the covered entity would not need to obtain access logs from the relevant business associate to include in the access report the covered entity provides to the individual.

The proposed rule would require covered entities and business associates that implemented electronic record systems after January 1, 2009 to produce access reports beginning January 1, 2013. Entities that have implemented electronic record systems acquired on or before January 1, 2009 would be required to comply with the proposed rule beginning January 1, 2014. HHS has requested comments regarding a variety of issues the proposed rule has raised, and will receive comment submissions until August 1, 2011 (to submit a comment, click HERE ).

InfoLawGroup’s Nicole Friess and Boris Segalis collaborated on this blog post.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use or disclose children’s personal information. The Rule also requires that website operators post a privacy policy that is clear, understandable and complete. The FTC alleged that Playdom, Inc., a leading developer of online multi-player games, and a company executive, Howard Marks, failed to meet these requirements in violation of the Rule.

Specifically, the FTC alleged that Playdom and Marks operated 20 virtual world websites where users could access online games and other activities, including 2 Moons, 9 Dragons and My Diva Doll. The FTC alleged that at least one of these virtual worlds, Pony Stars, was a website specifically directed to children. According to the FTC, the company’s other sites intended for a general audience also attracted a significant number of children. The FTC alleged that between 2006 and 2010, approximately 403,000 children registered on the defendants’ general audience sites, and 821,000 more users registered in the Pony Stars children’s site.

The FTC complaint alleges that the sites collected children’s information, including ages and email addresses, during registration and then enabled children to publicly post their full names, email addresses, instant messenger IDs, geographic location and other information on personal profile pages and in online community forums. The FTC charged that the sites' failure to provide proper notice of these practices or obtain parents’ prior verifiable consent before collecting or disclosing children’s personal information violated the COPPA Rule.

The FTC further alleged that Playdom and Marks engaged in deceptive or unfair trade practices in violation of Section 5 of the FTC Act because the sites' privacy policies misrepresented that the sites would prohibit children under 13 from posting personal information online.

In addition to the $3 million civil penalty, the settlement order permanently bars Playdom and Marks from violating the COPPA Rule and from misrepresenting their information practices regarding children.

Takeway

The FTC continues privacy enforcement onslaught and gets serious about COPPA. Expect more to come; the FTC announced on May 10, 2011 that it has mobile privacy enforcement settlements in the pipeline.

Senator Leahy opened the hearing, reflecting on the benefits of mobile devices, apps, and social networks, as well as the risks these new technologies pose to consumer privacy. Leahy expressed that he is “deeply concerned” that smartphones may be tracking and storing data without users’ consent, that sensitive user data may be maintained by providers in unencrypted formats, and that companies are involved in the sale of location data without consumer knowledge resulting in the receipt of unsolicited ads by third parties.

Subcommittee Chairman Al Franken’s opening remarks focused on the increasing number of entities whose business model is to collect and maintain information on consumers under consumers’ radar. Franken noted the many benefits of location-based services, making a point to emphasize that “the existence of this business model is not a bad thing.” “The answer is not ending location-based services,” Franken said, “what today is about is trying to find a balance” between the benefits of these services and the public’s right to privacy.

The first panel of testifying witnesses consisted of two government representatives from their respective agencies. Here are some highlights from their testimony:

Jessica Rich, Deputy Director, Bureau of Consumer Protection, FTC

• The rapid growth of mobile products and services raises several concerns: mobile devices are always on and always with the consumer, mobile devices contain information that is highly personal in nature, and companies have the ability to track consumers who use mobile devices, including children and teens.
• The FTC has called on the industry to develop simplified disclosures embedded in each mobile interaction so that consumers know when and how their data is being used, rather than rely on privacy policies that are difficult to access using a mobile device.
• Companies should implement privacy by design principles in the development of their products and services, making it easier for consumers understand and choose how their data is used.

Jason Weinstein, Deputy Assistant Attorney General, Criminal Division, DOJ

• Three major threats mobile devices pose to consumers include (1) cyber criminals such as identity thieves, stalkers, and hackers who access and exploit information without authorization; (2) the collection and disclosure of location data by service providers themselves - including app providers; and (3) the use of mobile devices by criminals to facilitate their own crimes.
• While the ECPA restricts providers from sharing location data with the government, it does not restrict them from sharing such information with other private entities.
• Companies are not currently required to retain the data they collect, which impedes the DOJ’s ability to investigate and prosecute crimes.

The second panel consisted of five non-government witnesses – from privacy advocates to representatives from major mobile market players. Here are some highlights from their testimony:

Ashkan Soltani, Independent Researcher and Consultant

• The most serious threat mobile devices pose today is that consumers are repeatedly surprised by the information mobile device platforms and apps are accessing.
• Mobile devices and apps don’t only collect location data - they also transmit consumers’ phone numbers and information from their address books, text messages, contact lists, etc.

Justin Brookman, Director of the Project on Consumer Privacy, Center for Democracy and Technology

• Only a patchwork of outdated and insufficient laws applies to mobile service providers, leaving consumers inadequately protected.
• While companies can’t affirmatively lie about how they protect consumer data, they can decline to make any representations to consumers regarding their data privacy and security practices, thereby avoiding FTC enforcement.
• The default rule for service providers is that they can disclose location data without notifying consumers and obtaining their consent. They only things providers can’t do are things the providers have promised they won’t do.

Guy L. "Bud" Tribble, Vice President of Software Technology, Apple Inc.

• Apple does not track users’ locations and “has never done so,” nor do Apple devices transmit data back to Apple that is unique to any particular consumer.
• Apple controls the apps available to consumers by contract – if apps don’t meet Apple’s privacy requirements then those apps are not made available in Apple’s app store.
• Apple conducts “random audits” and “examines network traffic produced by applications” to ensure that available apps are properly protecting the privacy of Apple consumers.

Alan Davidson, Director of Public Policy, Americas, Google Inc.

• Google makes location-based services opt-in only. If a consumer doesn’t opt-in, his or her mobile device will not transmit any location data back to Google.
• Every third party app must notify users that the app will access location data and the user consent before the app is installed on the user’s device.
• Google believes in providing users with highly transparent information regarding its information practices, requiring opt-in consent before location data is collected, and implementing high security standards to anonymize data once it’s collected.

Jonathan Zuck, President, Association for Competitive Technology

• Mobile apps are made predominantly by small businesses - to protect consumer privacy without unduly burdening innovation, concerns about privacy must be dealt with holistically rather than from a technology-specific perspective.

Chairman Franken closed the hearing by noting that current laws don’t provide consumers with sufficient privacy protections - legislation and agency enforcement hasn’t kept up with the pace of technology. Franken restated his belief that consumers have a “fundamental right” to know what personal information is collected about them, and when and with whom their information is shared. Franken noted that these rights are particularly important when sensitive information – data from mobile devices – is involved.

To view the hearing on the U.S. Senate Committee on the Judiciary website, click HERE.

Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.

Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”

Some information is always considered PII of the individual to whom it pertains, including:

• First name (or initial) and last name;
• Residential address;
• E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
• Telephone or mobile device numbers other than those considered work contact numbers;
• Social security numbers and other government-issued identification numbers
• Credit card numbers;
• Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
• Biometric data, including fingerprints and retina scans.

If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:

• Birth date, birth or adoption certificate number, or place of birth;
• Unique persistent identifiers (not limited to those used to identify a specific individual);
• Precise geographic location; and
• Any other information concerning an individual that may “reasonably be used to identify that individual.”

UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”

Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.

Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information as well notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:

• The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
• The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
• The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.

The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.

Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.

Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.

A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.

Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:

• To process a transaction or service requested by that individual;
• To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
• To prevent or detect fraud or to provide for a secure environment;
• To investigate a possible crime or that is required by law or legal process;
• To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
• Necessary for the improvement of the transaction or service through research and development; or
• Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.

Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.

Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.

Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.

With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).

The company displays ads to consumers based on their online activities. Chitika’s privacy policy said that consumers could opt out of having cookies placed on their browsers and receiving targeted ads. According to the FTC, however, Chitika’s opt-out lasted only 10 days. After that time, Chitika placed tracking cookies on browsers of consumers who had opted out and displayed targeted ads to them again.

The FTC charged that Chitika engaged in a deceptive practice in violation of Section 5 of the FTC Act by tracking consumers’ online activities even after they used Chitika’s opt out mechanism to direct the company to stop tracking them online and serving targeted ads.

The settlement bars Chitika from making misleading statements about the company’s data collection practices and the extent to which consumers can control the collection, use or sharing of their data. The settlement also requires that every targeted ad Chitika displays include a link to a clear opt-out mechanism that allows a consumer to opt out for a period of at least five years. It also requires that Chitika destroy all identifiable user information collected when the defective opt out was in place. Finally, Chitika must alert consumers who previously tried to opt out that their attempt was not effective, and they should opt out again to avoid receiving targeted ads through the company.

Twitter – FTC Alleges Failure to Safeguard Personal Information

On March 11, 2011, the FTC announced final settlement with Twitter over allegations that the company deceived consumers and put their privacy at risk by failing to safeguard the security of their personal information. The FTC alleged that serious lapses in the company’s data security practices allowed hackers to obtain unauthorized administrative control of Twitter and access users’ personal information and tweets that users designated as private. The hackers also gained the ability to send tweets from any account. The FTC complaint alleged that hackers were able to gain administrative control of Twitter on at least two occasions.

According to the FTC, Twitter’s website privacy notice stated that the company “employ[s] administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private. The FTC alleged that Twitter’s representations that the company (i) used reasonable and appropriate security measures to prevent unauthorized access to nonpublic user information, and (ii) honored users’ privacy choice were deceptive and violated Section 5 of the FTC Act.

The settlement prohibits Twitter from misleading consumers about the extent to which the company protects the security, privacy and confidentiality of nonpublic consumer information, including the extent of the measures the company takes to prevent unauthorized access to the information. Twitter also must honor the privacy choices made by consumers and establish and maintain a comprehensive information security program. The program must be assessed by an independent auditor every other year for 10 years.

Lessons Learned

With privacy enforcement on the rise, companies are well advised to take proactive approach to compliance with privacy and information security laws, regulations, guidelines and best practices. The FTC expects businesses to collect, use, disclose and process personal information in a fair and transparent way, and to accurately represent their privacy and security practices to consumers. Take a look at these Fair Information Practice Principles and think how your business can apply them to its personal information practices.

Tanya Forsheit.  Litigation is my first professional love, and privacy and data security are a close second. Prior to founding the InformationLawGroup, I was the Co-Chair of Proskauer Rose LLP’s Privacy and Data Security practice group, where I launched the firm’s Privacy Law Blog in 2007. I work with clients to address legal requirements and best practices for protecting customer and employee information. I also have extensive experience handling complex commercial and appellate litigation for corporate and individual clients before federal and state courts. In 2009, I was honored to be named one of the Daily Journal’s Top 100 women litigators in California. I am First Vice President of the Women Lawyers Association of Los Angeles, I sit on the Executive Committee of the Los Angeles County Bar Association Entertainment and Intellectual Property Section, and I am co-chair of the American Bar Association’s Information Security Committee Cloud Computing Law Working Group.

David Navetta.  Dave has over 12 years of legal experience, including in the areas of information security and privacy contract and policy drafting, breach notice legal services, risk management consulting and regulatory compliance. Prior to starting his own firm, InfoSecCompliance LLC in 2005, he worked as an assistant general counsel for a major insurer’s eBusiness risk group, where he analyzed and forecasted information security, privacy and technology risks and drafted policies to cover such risks. He was a litigator at the Chicago office of an international law firm prior to going in-house. He currently serves as a Co-Chair of the ABA’s Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. Dave is now working on a book concerning PCI contracting.

Scott Blackmer.  Scott has practiced information technology law since 1982. He has been listed in several peer-reviewed directories of prominent IT lawyers, including the Legal Media Group’s Guide to the World’s Leading Technology, Media & Telecommunications Lawyers. Formerly a partner in the Washington, D.C., and Brussels offices of WilmerHale, Scott serves on the executive management team of the First Law International legal network in Brussels. He also consults on privacy, data protection and security issues in association with HR Privacy Solutions in New York and Jeitosa Group International in San Francisco. He also serves as general counsel to the Trusted Computing Group, XDI.org, and OpenID Foundation, and he counsels other industry associations, corporations and entrepreneurs. He has advised federal and state agencies as well as the European Commission on privacy and security issues, and he currently serves as a privacy advisor to the U.S. Social Security Administration. Scott also arbitrates Internet domain name disputes brought before the World Intellectual Property Organization (WIPO) in Geneva. Over his long career, he has worked on transactions and licensing, compliance issues, litigation, and arbitration matters in over 100 countries.

All three of us frequently speak and write on privacy and data security issues. Dave and I are both Certified Information Privacy Professionals through the International Association of Privacy Professionals.

We have successfully served a diverse range of clients: from large Fortune 500 multinationals and name-brand traditional brick-and-mortar companies, to small start-ups and technology service providers.  Our law practice uses an integrated approach combining technology and administrative controls, legal compliance, contractual vendor management and risk.

We look forward to meeting you soon!