& INFORMATION LAW UPDATE
Adopting New COPPA Rule; Issues Notice of Supplemental Rulemaking
The Supplemental Notice proposes the following definitions:
The Supplemental Notice & Request for Comment presents an important opportunity for businesses to educate the FTC about how to protect childrens privacy as new and emerging technologies continue to be integrated by childrens online sites and services. This is especially the case for newer companies or organizations that may not have been in a position to comment when the initial rule was proposed last September. The accelerated rollout of apps and devices, and the launch of child directed websites, social media, interactive games and learning destinations underscores the need for a carefully tailored rule that achieves the goals of COPPA without imposing undue compliance burdens, particularly for early stage businesses. Companies that are subject to COPPA, or that will be under the new rule, should consider taking advantage of this opportunity.
Start to NTIA Multistakeholder Process
Transparency was identified as a chief priority, one on which NTIA officials stated consensus could be easily reached. Related discussion included the need to catalog personal data collection and use practices by apps for core (as opposed to secondary) purposes, and the importance of providing contextual consumer notifications, as a means for promoting transparency.
On August 3, NTIA published a report by John Verdi, Director of Privacy Initiatives and the meetings principal facilitator, in which Verdi announced the agencys intent to convene two meetings this month, one on August 22, and another on August 29. Verdi also indicated that some participants have established a public mailing list for discussion.
Attorney General Creates Privacy Enforcement and Protection Unit
California is frequently at the forefront of privacy regulation and its new privacy unit should be seen, at a minimum, as an effort to align the states regulatory and enforcement activities. Other states can be expected to follow suit. In addition to being one of the first states to guarantee an inalienable right to privacy in its constitution,2 California was the first state to enact a data breach notification law. California is also a leader in considering the privacy implications of smart grid technology, passing a law protecting certain information gleaned from smart meters in 2010. Even before passage of that law, though, the California Public Utilities Commission had begun the process of considering rules to protect Smart Grid information, ultimately adopting regulations in 2011.
The states leadership on privacy issues also extends to its state and federal courts. For example, the federal courts in California have ruled on important cases involving social media privacy and workplace privacy, as well as hearing numerous class action lawsuits arising under both federal and California privacy laws. The state courts in California have likewise taken an active role in enforcing and interpreting privacy laws. Last year the Supreme Court of California ruled that zip codes are personal identification information and their collection during credit card transactions could subject retailers to fines under Californias Song-Beverly Credit Card Act of 1971. (The state subsequently enacted the California Business Protection Act of 2011 which carved out an exemption from Song-Beverly for gas stations that collect customer zip codes).
The creation of this unit comes on the heels of the Attorney Generals February announcement that platform providers including Apple, Microsoft, and Google agreed to a Joint Statement of Principles to protect consumer privacy in apps. This enforcement unit will be responsible for policing that agreement and developing best practices with those signing on to the agreement. It also occurs as state Attorneys General are paying close attention to digital privacy. For example, in June the National Association of Attorneys General announced a national initiative, Privacy in the Digital Age. Last month, New Jerseys Attorney General settled an enforcement action against several app developers for COPPA violations.
The creation of this unit is a clear indication that the California attorney general intends to step up privacy enforcement. Businesses that collect, use, share and retain consumer data should undertake a comprehensive review of their privacy and data security practices for compliance with applicable California law.
1 Press release, Attorney General Kamala D. Harris Announces
Privacy Enforcement and Protection Unit, State of
California, Office of the Attorney General ( July 19, 2012).
Files Data Breach Action against Wyndham Corporation
June 27, 2012 the Federal Trade Commission (FTC)
it sued Wyndham Worldwide Corporation, and three subsidiaries, for alleged
data security failures that led to three data breaches at Wyndham hotels
in less than two years. The Complaint
was filed in federal district Court in Arizona. The FTC seeks injunctive
relief to prevent future breaches and fines. Businesses should implement
and update robust security practices, and review privacy policies to ensure
that relevant promises are aligned with those practices. In addition,
businesses should adopt strong incident procedures, including processes
for notifying consumers and authorities of a data breach in order to mitigate
harm and minimize the potential for future incidents.
The first breach occurred in April 2008, when intruders gained access to a Phoenix, Arizona Wyndham-branded hotel's local computer network that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts. The intruders were then able to access to the corporate network of Wyndhams Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels. This access enabled the intruders to:
As a result, more than 500,000 payment card accounts were compromised, and hundreds of thousands of consumers payment card account numbers were exported to a domain registered in Russia.
As a result, more than 500,000 payment card accounts were compromised, and hundreds of thousands of consumers payment card account numbers were exported to a domain registered in Russia.
Wyndhams systems were breached twice more in 2009 when intruders employed measures that were similar to the earlier breaches. During these breaches 119,000 payment card accounts were accessed and intruders made fraudulent purchases on those accounts.
Adopts Student Social Media Privacy Law Signaling Emerging Risk for Educational
On July 20, 2012, the Governor of Delaware signed into law a measure that prohibits colleges and universities from requesting or requiring a student to disclose password or other account information in order to gain access to the students social networking profile or account by way of an electronic communication device. It is the first state to enact such a law. Specifically, educational institutions are prohibited from:
The law shields school officials in instances where they would be otherwise prohibited access to student social media information is undertaken for the safety and protection of other students. California and Maryland have considered similar measures that would prohibit educational institutions from requiring or requesting access to password protected social media content or account information.
The current focus on social media privacy by lawmakers should alert educational institutions (and, as we reported previously, employers) to an issue that will require familiarity with an emerging area of law resulting from the ubiquity of social media. Schools should cease requesting access to student or applicant password protected content in jurisdictions that have prohibited the practice (currently Delaware) or where similar legislation is pending. Accessing publicly available content would not violate such laws; however, accessing such content could impose unforeseen liability. Educational institutions should develop, review and update comprehensive social media policies that address student social media privacy, and provide proper employee training to ensure compliance.
Settles with Federal Trade Commission over FCRA and FTC Act Charges
The FTC described Spokeos business as assembling consumer profiles and then selling the profiles to human resources professionals and recruiters for use in employment considerations. The profiles were culled from information found in "hundreds of online and offline sources, such as social networking sites, data brokers, and other sources. In the profiles, Spokeo identified specific individuals and disclosed their personal information including physical address, phone number, marital status, age range, or email address hobbies, ethnicity, religion, participation on social networking sites, and may [have included] photos or other information, such as economic health graphics. Spokeo then marketed to and sold recruiters access to the profiles, highlighting the profiles utility for Explor[ing] Beyond the Resume.
Though Spokeo changed its terms of service in 2010 to claim that it was not a consumer reporting agency and to prohibit use of its profiles for FCRA-covered purposes, the FTC alleged that the profiles created by Spokeo and Spokeos assembling and sale of those profiles to recruiters fit the FCRAs respective definitions of consumer reports and consumer reporting agencies. The FCRA violations that the FTC alleged included failure to maintain reasonable procedures for (1) certifying that their customers only used the profiles for permissible purposes and (2) assuring maximum possible accuracy of the information. The FTC also alleged that Spokeo failed to provide certain notices required under the FCRA.
Each of the violations of the FCRA was also charged as a violation of the FTC Acts ban on unfair or deceptive acts or practices, as was an additional charge of violating the agencys Endorsement Guides by faking endorsements of their products. Specifically, the complaint lays out a scheme in which Spokeo employees pretended to be independent consumers or customers and posted comments endorsing Spokeos products on news and technology websites and blogs.
As part of the settlement, Spokeo agreed to pay an $800,000 civil penalty. The settlement also requires that Spokeo abide by the FCRA in the future as well as disclose any relationships it has with those endorsing its products. And, like the privacy settlements that the FTC has engineered over the last several years, under the terms of the settlement Spokeo is subject to rigorous recordkeeping and reporting requirements for 20 years.
Jersey Settles COPPA Action Filed against Kids' Education Apps
The lawsuit, Jeffrey S. Chiesa v. 24x7 Digital, LLC, was filed against the developer and the operator of the educational TeachMe series of apps for the iPhone, iPad and iPod Touch. The series includes TeachMe: Toddler, TeachMe: Kindergarten, TeachMe: 1st Grade, and TeachMe: 2nd Grade, educational games targeted to children of those age groups.
The initiation of this action against an out-of-state corporation occurs as state legislatures and federal policymakers are taking aggressive measures to protect childrens mobile (and online) privacy. (Publication of the FTCs updated COPPA rule was delayed by the agencys request for supplemental comment on revisions to the proposed rule.) Operators of childrens online games, apps and developers that are subject to the COPPA rule should review their data collection, retention and use practices and policies for COPPA compliance and for compliance with other applicable laws. This lawsuit should be seen as an important reminder to monitor all COPPA enforcement actions, including those that are brought by state authorities.
The Complaint alleged that children using the TeachMe apps are encouraged to provide information that includes their first and last names and a picture of themselves when creating player profiles. The Complaint further alleges that this information was used to entice children to want to purchase a range of products. According to the Complaint, the apps transmit personal information, including the unique device identifiers (UDID) that identifies a specific mobile device a player is using, to the analytics company without first providing required notice and obtaining verifiable parental consent.
The Complaint sought injunctive relief to prevent future violations of the COPPA rule, including ordering that the defendants permanently destroy all information collected from children in violation of COPPA. Under the terms of the Consent Decree, 24x7digital agreed to:
State and federal policymakers are engaging in heightened scrutiny of childrens privacy with rapid adoption of mobile apps and social media by even very young children. Similar actions can be expected in the future brought by either state or federal enforcement authorities, as well as potentially coordinated state and federal actions to protect childrens privacy.
|INTERNATIONAL PRIVACY NOTES|
Approved to Participate in APEC's Cross Border
Privacy Rules System
U.S. companies participating in the system will be able to submit their privacy practices for APEC approval with the baseline privacy practices.
29 Working Group Issues Opinion on Cookie Consent Exemption
The Cookie Directive includes the following exemptions to the prior consent requirement:
The Working Partys opinion offers guidance on these exemptions to prior consent, including opining that cookies, even multi-function cookies, must have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once [such purpose] is not needed, taking into account the reasonable expectations of the average user or subscriber. If multiple cookies are used for differing purposes, multiple notifications and consents may not required. Companies that chose to employ a single notice and opportunity for consent for all such purposes should be able do so provided the notice is clearly explained.
The opinion also identifies cookies that might be exempt from the consent requirement in limited instances, including: 1) authentication cookies; 2) session cookies; 3) user preference cookies; social media session plug-in cookies; and 4) multi-media player session cookies, to name a few.
The Article 29 Working Partys opinions are currently advisory in nature, and lack the effect of binding regulations. As previously reported, however, the European Unions draft privacy framework regulation will create a new Data Protection Board that will replace the Working Party and oversee pan-European enforceable privacy rules. Nevertheless, the Working Party remains an influential body that EU member states frequently defer to. Accordingly, its Cookie Consent Exemption opinion offers useful guidance for U.S. companies that are subject to EU privacy law assess their compliance obligations under the Cookie Directive.
Court Rules in Favor of Retrospective Application of California Zip Code
The Plaintiffs in Dardarian filed a class action alleging against Officemax in connection with its collection of zip code information at the point of sale during credit card transactions. Officemax filed a motion asking the Court to determine that Pineda should only apply prospectively to it. The Court ruled that Pineda applies retrospectively.
It was learned through discovery that Officemax had an information capture policy in effect until February 10, 2011, when Pineda was decided. Pursuant to this policy, Officemaxs cashiers requested and recorded the ZIP codes of customers using credit cards at the point of sale. Indeed, the Plaintiffs alleged that when they purchased merchandise at one of Officemax's California stores with a credit card, the store clerk asked them for personal identification information, including their ZIP code. In response to the request, each Plaintiff provided their personal identification information to the clerk, and the clerk recorded their information into OfficeMax's electronic database. OfficeMax argued that it used the information to analyze media markets and decide where to place advertisements, as opposed to locating the customer's full address by reverse engineering.
Officemax also argued that Pineda failed to follow California precedent, in which a lower court3 ruled that a zip code does not constitute personal information. The Court rejected this argument, in part because Officemax started collecting zip codes well before the lower court decision which it cited in its motion, and therefore did not rely on it. The Court also ruled that as a matter of public policy retrospective application of Pineda was appropriate because doing so furthers the intent of Song-Beverly, which is to prevent retailers from collecting personal information from consumers during credit card transactions.
As a result of this decision, the action against Officemax can go forward.
1 11-CV-0947-YGR (N.D. Cal. June 25, 2012)
Tracking Lawsuit Against Apple Allowed to Go Forward
Plaintiffs filed an amended complaint shortly thereafter, which was subsequently dismissed with regard to most defendants (including Google, Flurry, and Admob). However, Apples Motion to Dismiss was denied in part and so two of the claims in the lawsuit against Apple will go forward. In the amended complaint, plaintiffs more clearly stated the injury that resulted from the tracking and collection of their personal information by iPhone and iPad apps, specifically citing the devices and apps used for tracking, the types of information collected (including addresses, age, gender, and search terms), and argued that this was a violation of the Wiretap Act, which is itself a cognizable injury. Finding that the alleged injury can be traced to the actions of all defendants, the Court ruled that the requirements of Article III of the Constitution are satisfied and permitted the action to go forward. However, the Court went on to dismiss much of the case for failure to state many of the specific claims.
First, the court found that iOS devices are not facilities through which an electronic communications service is provided and that the information stored on the device is not in electronic storage as defined in the Stored Communications Act (SCA). Therefore, the alleged tracking cannot be a violation of that law. The Court also dismissed all of the Wiretap Act, right to privacy in the California Constitution, Computer Fraud and Abuse Act, Conversion, Unjust Enrichment, Trespass, and Negligence counts. The Court allowed only two claims under California law to proceed against Apple. Those claims were brought under Californias Consumer Legal Remedies Act (which, like the FTC Act, bars unfair or deceptive acts or practices) and Unfair Competition Law. The Court reasoned that the plaintiffs stated a claim under California law by alleging that Apples promises to protect user privacy led to the plaintiffs buying their iDevices at a higher price than they would have if it was clear that Apple was tracking certain data. The Court has not yet ruled on whether these allegations are true and declined to find that Apples user agreement absolutely bars these claims from proceeding.
|NEWS & ANNOUNCEMENTS|
Moskowitz Earns CIPP/US Certification
|Copyright © 2012 St. Ledger-Roty & Olson, LLP.|