In re-launching the inquiry into carriers' data privacy and security practices, the FCC argues that not informing customers about the software or its data practices may have violated the carriers' responsibility pursuant to Section 222 of the Communications Act of 1934 to protect customer data "that is made available to a carrier solely by virtue of the carrier-customer relationship." The law allows such data to be used only in "limited circumstances," a term which is not defined in Section 222. It appears that one of the goals of the renewed inquiry is for the FCC to define the scope of the "limited circumstances."
In the last month both Vermont and Connecticut updated their existing breach notification statutes, highlighting the need to closely monitor state legislatures, particularly end of session happenings. Each modification highlights the growing trend of states requiring notification to the state's attorney general, under often new compressed timeframes.
Last week, a plaintiff's putative class action alleging a violation of California's Shine the Light law, Cal. Civ. Code § 1798.83, was dismissed without prejudice. See Boorstein v. Men's Journal LLC, No. 12-cv-00771-DSF-E, 2012 WL 2152815 (C.D. Cal. June 14, 2012). The suit, one of several other similar pending suits, is the first reported decision applying the Shine the Light Law.
InfoLawGroup is very pleased to congratulate our partners Justine Gottshall and Jamie Rubin on their inclusion in the Chambers USA's top ranking of Media & Entertainment: Transactional practices in Illinois. As noted in Chambers, Ms. Gottshall and Mr. Rubin represent major studios and retail companies involved in advertising, as well as publishers and other media companies. We are also thrilled to announce that our partner Boris Segalis has been selected to serve as one of the co-chairs of IAPP KnowledgeNet for New York City.
In our last "bring your own device" post we explored some of the key security, privacy and incident response issues related to BYOD. These issues are often important drivers in a company's decision to pursue a BYOD strategy and set the scope of personal device use within their organization. If the risks and costs associated with BYOD outstrip the benefits, a BYOD strategy may be abandoned altogether. One of the primary tools (if not the most important tool) for addressing such risks are BYOD-related policies. Sometimes these policies are embedded within an organization's existing security and privacy policy framework. More frequently, however, companies are creating separate personal device use policies that stand alone or work with/cross-reference existing company security, privacy and incident response polices. This post lays out the key considerations company lawyers and compliance personnel should take into account when creating personal device use policies and outlines some of the important provisions that are often found in such policies.
The buzz words in privacy over the last few months (really longer than that) have been "Do Not Track." Twitter is just the latest company to adopt the DNT browser option, indicating in a blast email to all Twitter users that the setting is now available for implementation if a user so chooses. Interestingly, however, a much less publicized setting was also presented in that same email blast: Twitter's new "tailored suggestion feature." Applications and widgets created by Twitter will begin to collect data about Twitter users from third party websites that feature those products. This is an entirely new feature from Twitter, and is being implemented as a default option for both new and existing Twitter users.
The U.S. District Court for the Southern District of California recently granted class certification in a Song-Beverly Credit Card Act case, refusing to exclude from the class individuals who joined the retailer's rewards program months after the alleged Song-Beverly violation. See Yeoman v. IKEA U.S. West, Inc., No. 11CV701, 2012 WL 1598051 (S.D. Cal. May 4, 2012). The Court's discussion suggests that a retailer may also face Song-Beverly liability even if it requests personal information at the register that it already holds by virtue of the customer's membership in its rewards program.