St. Ledger-Roty & Olson LLP
 
Telecommunications . Internet . Media . Privacy . Data Security
1250 Connecticut Avenue NW Suite 200 Washington DC 202.454.9401 202.261.3508
News and Information

FTC Seeks Comment on Proposed Amendments to COPPA Rule

On September 15, 2011 the Federal Trade Commission (FTC) released proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. The proposed amendments could impose additional compliance burdens on businesses that operate children’s websites or online services -- as well as general audience sites subject to its requirements. The FTC is accepting comments on the proposed changes until November 28, 2011.

Changes would include:

  • expanding the definition of “personal information”;
  • changing the “collection;” parental notice and parental consent mechanisms;
  • updating confidentiality and security requirements; and
  • strengthening FTC oversight of self-regulatory “safe harbor” programs.

The COPPA Rule requires that “operators of websites” or online services directed to children under 13, or general audience sites that have actual knowledge that they collect personal information from children under 13, obtain verifiable parental consent before collecting, using, or disclosing such information from children.

In 2010 the FTC accelerated scheduled review of the rule to address mounting concerns about threats to children’s privacy posed by their adoption of rapidly evolving technologies, including accessing, viewing and interacting with content over mobile devices. During the review period the FTC expanded enforcement including applying the rule to such new technologies as mobile apps.

The FTC proposes the following changes:

  • Updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising, and identifiers that track a child across websites or online services for targeted advertising. Also included would be information that permits direct online contact with a child, including screen or user names that are not used solely to support internal operations.
  • Modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, as long as operators take “reasonable measures” to delete all or virtually all children’s personal information before it is made public, a change that is intended in part to address the iterative nature of certain filtering technologies.
  • Adding new methods for obtaining “verifiable parental consent”, including electronic scans of signed parental consent forms, video-conferencing, and use of government- issued ID checked against a database, provided that the parent’s ID is deleted promptly after verification is done. In addition the FTC proposes eliminating what it views as the less- reliable “e-mail plus” method of obtaining verifiable parental consent.
  • Establishing a voluntary 180-day notice and comment process to encourage new consent mechanisms whereby parties may seek FTC approval of a particular mechanism or permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.
  • Adding to the rule’s confidentiality and security provisions a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it; requiring operators to retain the information for only as long as is reasonably necessary; and take reasonable measures to protect against unauthorized access to, or use in connection with its disposal.
  • Strengthening FTC oversight of self-regulatory “safe harbor programs” by requiring these programs to audit their members at least annually and report periodically to the FTC the results of those audits.

Operators of children’s websites and other online services, including those operating over emerging platforms such as mobile apps, as well as general audience sites subject to COPPA, should closely monitor developments in this proceeding to anticipate how the proposed changes could affect their business and regulatory strategies.

Please contact Karen Neuman at if you would like addition information or wish to discuss your business or regulatory strategy in light of the proposed changes.

print this article Print all articles

border

California Updates its Data Breach Notification Law

On August 31, 2011, California Governor Jerry Brown signed SB 24 into law, a measure that amends the state’s landmark data breach notification statute (Cal. Civ. Code §§ 1798.29 & 1798.82), by mandating the inclusion of certain information in notifications that are already required under existing law to be sent to California residents who may have been affected by a data breach.

SB 24, which will take effect January 1, 2012, also requires that the notifying entity send an electronic version of the notice to the state Attorney General (AG) in instances where a breach affects more than 500 California residents. According to SB 24’s sponsor, Joe Simitian (D-Palo Alto), this requirement is intended to enable law enforcement to see the “big picture” and better understand statewide patterns of identity theft. Businesses, agencies and individuals subject to the law and who use substitute notice provisions permitted under the current statute must also provide an electronic version of the notice to the state’s Office of Information Security or the Office of Privacy Protection. Organizations that are subject to HIPAA’s HITECH breach notification requirements will be deemed to be in compliance with law’s breach notice content requirements but must still comply with the AG notification requirement.

Since 2003, California law required covered entities and individuals to notify affected persons of a data breach. However, unlike other state data breach laws, California’s statute did not mandate what information the breach notices should contain or require that state authorities be notified of the breach. Previous bills that addressed these gaps were vetoed by Governor Brown’s predecessor.

SB 24 addresses these gaps by establishing the following standard content requirements, which must be written in “plain language” for required breach notices:

  • The name and contact information of the notifying entity or person;
  • a list of the types of personal information that were or reasonably believed to have been breached;
  • toll-free telephone numbers and addresses of the major credit reporting agencies if the breach discloses Social Security, Driver’s license or a California ID card number;
  • the actual, estimated date or date range of the breach if it is possible to ascertain;
  • general description of the breach, if it is possible to determine; and
  • whether notice was delayed due to a law enforcement investigation.

SB 24 also authorizes covered entities and individuals to include in the notices, if they wish to do so, information about measures taken to protect persons whose information has been compromised as well as steps affected persons may take to protect themselves.

Please contact Karen Neuman at if you would like additional information about California’s breach notification law, as amended by SB 24.

print this article Print all articles

border

Reports Highlight New "Supercookies" Used to Track Web Activity for Social Advertising

Privacy researchers from Worcester Polytechnic Institute, University of Wyoming, University of California, Berkeley, and Good Research recently released their second report on tracking technologies used by websites and online advertisers, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (“2011 Report”).1 The report highlights the need for website operators and online service providers to be familiar with the information collection and disclosure practices of third party service contractors, including social advertisers and analytics companies. Periodic due diligence should be conducted to ensure that these service providers aren’t using tracking technologies that contravene users’ express privacy preferences and that websites are in compliance with their own privacy policies.

Background.

The first report, Flash Cookies and Privacy, released in August 2009, examined the use of persistent Local Stored Objects (LSOs), more commonly known as “Flash cookies”, to track users despite the users’ attempts to protect their online privacy by taking such steps as deleting cookies. The findings in this report were the linchpin in class actions against some of the advertisers and websites that the report found to be using Flash cookies.

Clearspring, whose Addthis tool allows website visitors to share a website’s content on social media and used Flash cookies to track people who visited websites with Addthis installed, was a named defendant in one of the actions. That lawsuit, along with a similar action against Quantcast, was settled this year, with the companies agreeing to not use LSOs in their products.2

The 2011 Report, along with additional work by Jonathan Meyer at Stanford,3 has similarly formed the basis for allegations in lawsuits against websites and advertisers who use the new “supercookies” and other forms of persistent trackers highlighted in the report. The report reviews how Flash cookie use has changed in the last year and identifies two additional supercookies, Cache-Cookies and HTML5 Local Storage. KISSMetrics, a web analytics company, and their now former client Hulu.com, were sued for privacy violations after the report noted their use of ETags, a type of cache-cookie.4

The common thread between the supercookies discussed in the 2011 Report5 is that each is more persistent and allows for greater data storage than standard HTTP cookies. Flash cookies and ETags respawn HTTP cookies after a user has deleted them or gone into “private browsing mode” to prevent cookie creation. (Private browsing is an option available in many Internet browsers, such as Internet Explorer and Firefox, which prevents websites from downloading cookies or storing new information in the cache after the browsing session ends). HTML5 storage does not respawn HTTP cookies, but where HTTP cookies automatically expire after some period of time, HTML5 storage does not expire and so it must be affirmatively deleted by the user to disable tracking. Flash cookies and ETags can be used to respawn HTML5 cookies, in addition to HTTP cookies.

Flash Local Storage Objects.

Flash LSOs, like other supercookies, are resistant to deletion as they are not deleted through the browser as one would do for standard HTTP cookies. The user is required to take additional steps to prevent tracking. Flash LSOs hold more data than HTTP cookies, enabling better tracking and can be used to respawn or recreate HTTP cookies that a user has deleted. Flash LSOs, the subject of the prior report, have decreased in use since the release of that report. Of the 100 sites investigated by the authors, 100 flash cookies were found, down from 281. Only two sites used flash cookies to respawn HTTP cookies.

Cache-Cookies and ETags.

Cache-cookies are not actually cookies. This method of tracking involves using the web browser’s cache to associate information between a deleted cookie and a new cookie. ETags are generally used by websites to tell a browser whether the site has changed, and if not, to use the copy of the website stored in the browser’s cache rather than downloading new data.

The report discusses how an ETag in a cached copy of a website can include a unique identifier. Even if a user deletes her cookies, when she returns to the website and downloads a new cookie, the ETag in the cached copy still exists and can give the website enough information to associate the new cookie with whatever data was collected via the old cookie. In this way, the old cookie is said to respawn. Also, if a user visits websites via his or her Internet browser’s “private browsing” mode, this type of tracking is not prevented. Specifically, if a user visits a website while not in private browsing, information is stored in the cache and may then still be retrieved when later visiting the website in private browsing mode. The only way to prevent this tracking is to manually clear the cache prior to revisiting the website.

HTML5 Local Storage.

The Report concluded that HTML5 cookies raise privacy concerns because they never expire. Instead, the user is required to affirmatively delete the cookie. The storage capacity is also significantly greater than any of the other cookies mentioned here, as well as standard HTTP cookies. A number of sites also respawned HTML5 cookies using either ETAGs or Flash cookies and others used matching values for their HTML5 and HTTP cookies, which makes respawning and association between the cookies easier.

CONCLUSION.

Companies wishing to take advantage of social advertising tools should take a close look at the tracking technologies employed by businesses offering those tools to make sure that the technology does not override consumer privacy preferences. One way to obtain assurance is to determine if these businesses comply with pertinent industry best practices and standards. As the lawsuits that rely on the findings of the researchers’ reports make clear, the plaintiffs’ bar does not distinguish between the companies that develop persistent tracking technologies and the businesses that use those technologies for legitimate business purposes.

Please contact Karen Neuman at if you would like to discuss this report and the potential impact of its findings on your business.


1 Ayenson, et.al., Flash Cookies And Privacy II: Now With HTML5 And ETag Respawning, 2011 (“2011 Report”)
2 In Re Quantcast Advertising Cookie Litigation, 2:10-cv-05484-GW–JCG, (Cal. C.D. 2011)(Settlement Agreement at §4.19).
3 A recent report out of Stanford reviewed Microsoft’s use of ETags, a cache-cookie. Jonathan Meyer, Tracking the Trackers: Microsoft Advertising (Aug. 18, 2011), http://cyberlaw.stanford.edu/node/6715
4 Wendy Davis, KISSmetrics, Hulu Sued Over New Tracking Technology, MEDIAPOST, Aug. 1, 2011, http://www.mediapost.com/publicationsfa=Articles.showArticle&art_aid=155032
5 Ayenson, supra note 1.

print this article Print all articles

border

U.S. Department of Commerce Releases Privacy Report

On December 16, 2010, two weeks after the FTC released its report on consumer privacy, the U.S. Department of Commerce released its privacy “Green Paper” -- Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The report was drafted by the Agency’s Internet Policy Task Force. It seeks comment on a number of policy recommendations intended to promote online consumer privacy while ensuring that the Internet remains a platform that spurs innovation, job creation, and economic growth. This balance would be achieved by the adoption of a “baseline” commercial data privacy framework built on expanded Fair Information Practice Principles (“FIPPs”) that act “in concert” with strong protections embodied in existing sector-specific laws. The FTC would remain the lead privacy enforcement authority for the U.S. Government.

Formal comment will be sought through a separate Federal Register Notice on several other key policy recommendations. They include: 1) Creation of a national privacy policy office (PPO) within the Commerce Department to coordinate the development of “voluntary, enforceable privacy codes of conduct in specific industries”. (Compliance with these codes of conduct would operate as safe harbors); and 2) national data breach legislation for electronic records that contemplates a role, including enforcement, for state authorities. In a nod to the strength of state legislative data breach laws, the report recommends that any federal data breach legislation “track” state regulatory approaches that have proven effective.

Unlike the FTC report, the Green Paper does not recommend implementing a do-not- track (DNT) mechanism. Instead, the role of the Commerce Department in developing DNT and similar technologies and will be addressed through the Federal Register notice.

The Agency also intends to use the formal comment period to examine the circumstances under which expanded FTC rulemaking authority may be warranted.

In addition, the report calls for Administration review of the Electronic Communications Privacy Act (ECPA) in order to ensure strong privacy protection in cloud-based computing environments and location-based services, while preserving the ability of law enforcement to engage in “legitimate” information gathering. This recommendation comes amidst ongoing Congressional ECPA reform efforts and in the wake of recent court decisions that have acknowledged the difficulty of applying the law, enacted in the mid-1980s, to the continually evolving technologies and communications platforms.

TThe report also notes that different approaches to “commercial” data privacy, both in the U.S. and abroad, can pose challenges for business (and potential consumer harm), and interfere with the promotion of trade and commerce of cross-border compliance obligations. It recommends that the U.S. continue work with the EU and other trading partners to promote “increased global interoperability of privacy frameworks”. It also recommends that the U.S. support the APEC Data Privacy Pathfinder Project as a model framework for countries with “common values” but “divergent privacy legal frameworks.”

The Green Paper can be viewed by clicking: http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf. Comments are due on due January 28, 2011. The filing period provides a useful opportunity for business to potentially shape the regulatory outcome of this proceeding.

For additional information, please contact at .

show more/less print this article Print all articles

border

Karen Neuman discusses Privacy Legal Risks Associated with the use of Biometrics in Higher Education

On November 18, 2010 Karen Neuman discussed legal risks associated with the use of biometric systems for identity management by higher education institutions during an Educause Live! Web seminar. Noting that the emergence of biometrics technologies offers colleges and universities potential new tools for confirming identity for campus security and managing access to facilities, the same technologies create legal and reputational risks that must be considered before implementation. Karen provided a framework for evaluating these risks – taking into account key federal, state, and European privacy laws, as well as common law. She concluded her remarks by offering some strategies for minimizing legal risk based on existing laws and regulations.

border

Karen Neuman discusses Legal Risks Associated with Local Government Use of Social Media

On September 30, 2010, Karen Neuman shared her perspective about legal risks associated with local government use of social media at the 30th Annual Conference of the National Association of Telecommunications Officers & Advisors in Washington, D.C. In addition to addressing first amendment issues raised by use of social media tools to engage the public, Karen outlined how these tools can trigger state open meetings and public records laws. She also focused on emerging law involving employee use of social media in the workplace and the privacy of constituents who access and interact with government social media sites, particularly when using mobile devices. Observing that the legal landscape is still evolving, Karen offered some strategies for minimizing risk.

border

Flash Cookie Lawsuits Sound Warning for Industry

A pair of federal court lawsuits filed this summer should sound a warning for website operators using tracking technologies that can override consumer privacy preferences.

The cases, Valdez v. Quantcast Corp., et al, CV10-5484 GW JCG (C.D. Cal, July 23, 2010) and White v. Clearspring Technologies, 2:10-cv-05948-UA (C.D. Cal., August 10, 2010), allege that a number of well known websites violated federal and state privacy and consumer protection laws -- including the Federal Electronic Communications Privacy Act, Computer Fraud and Abuse Act and California's Computer Crime Law and Invasion of Privacy Act -- by depositing "Flash" cookies on users' websites to track their online activities. The Plaintiffs in each suit seek unspecified monetary damages and injunctive relief.

Flash cookies, more accurately known as "locally stored objects", can be used by websites to collect cookie like information on a user's computer. They can be used for such diverse purposes as remembering preferences, watching online video, setting default volume levels on video players or assigning a unique ID to users for tracking across the web, regardless of browser. Most users are unaware that when a Flash cookie is deposited on a computer the steps they take to prevent online tracking by deleting traditional browser cookies typically do not remove Flash cookies.

The Plaintiffs in Quantcast brought suit against MTV, ESPN, Hulu, MySpace & Scribd, among other websites, alleging that their use of LSOs (or Flash cookies) secretly stored user data on Adobe's Flash Player to recreate information contained in browser cookies that had been deleted by users. Also named as a defendant was San Francisco-based advertising technology company Quantcast creator of the LSO used by the websites.

Clearspring was filed on behalf of parents and their children against one of Quantcast's competitors, Clearspring Technologies, as well as several websites including Disney, Warner Bros. Records, SodaHead and Demand Media. The Plaintiffs claim that Clearspring simultaneously deposited http cookies and a Flash cookie in users' Flash media payers when users visited the defendants' websites. When users deleted the http cookies from their browsers, unbeknownst to them, the Flash cookie restored and/or recreated history and other information, including the user's name and IP address, which in turn, was used by the defendants and others for online tracking and ad serving. The Plaintiffs also claim that the defendants' privacy policies failed to disclose that users' activities were being tracked online through the use of Flash cookies.

While some of the factual allegations in each action may differ somewhat the fundamental grievance is the same: that the defendants used a technology to track the plaintiffs' online activities without notice or consent.

Although the lawyers are, for the most part targeting high-profile, "deep pocket" defendants, at least one of the defendants, SodaHead, is a small online polling company; no website should be considered under the radar. It would not be surprising to see this effort expanded to other websites that rely on Flash or similar tracking technology, including social media sites, particularly as those sites add location based features.

We expect that this suit will be closely watched by the Plaintiffs'bar, privacy advocates and policymakers. The larger issue appears to be one of consumer knowledge about and control over the collection and use of their information and less about specific technology. That said, the use of technologies like Flash cookies should be viewed as risky because they enable tracking online activities without a user's knowledge, including when consumers believe they have taken the necessary steps to prevent tracking.

Companies that employ Flash cookies or similar tracking technologies that can be used to override consumer privacy preferences should monitor developments in these proceedings. In the process, they should consider taking measures to try to minimize the potential for becoming a target for this type of lawsuit. At a minimum, companies should firmly understand the capabilities of the tracking technologies they employ and the extent of information collected; they should provide clear notice of the use of these technologies in their privacy policies. If Flash cookies are employed, companies should prominently disclose their use and provide a link to Adobe's site for instructions for deleting these cookies. Companies may also want to consider alerting customers to other tools that can delete flash cookies or prevent them from being used altogether.

Please contact at if you would like more information about this litigation or guidance about the use of online tracking technologies.

show more/less print this article Print all articles

border

Federal Court Rules that Certain Postings on Social Network Sites are not Discoverable Under Stored Communications Act

A federal judge in California recently determined that private messages transmitted over social network sites are protected from discovery under the Stored Communications Act (“SCA”), 18 U.S.C. §2701, which restricts the government’s ability to require Internet Service Providers to “knowingly disclose information in their possession about their customers and subscribers.” The Court also ruled that wall postings and comments, such as those posted by users on Facebook and MySpace, may also be protected the SCA, but only to the extent that access to these communications is restricted by users’ privacy settings rendering them not “public”.

In reaching its decision in Crispin v. Audigier, Inc., 2010 WL 2293238, (C.D. Cal. 2010), the Court undertook an extensive analysis of the SCA noting, in the process, the difficulty of applying a statute that was enacted over 2 decades ago to today’s communications technologies and users’ practices. That said, this case could alter the way content posted on social networks is managed by organizations in anticipation of potential litigation. It could also affect the legality of access to social network communications in other contexts, affecting, for example, the ability of employers to obtain information about employees or potential hires.

The plaintiff, an artist, initiated a copyright infringement action against a clothing designer alleging breach of an oral license for the limited use of the Plaintiff’s artwork in the manufacture of certain types of garments. The Complaint included allegations that the Defendant violated the terms of the license by failing to include the Plaintiff’s logo on various garments displaying the Plaintiff’s designs and also sublicensed the Plaintiff’s design work without the Plaintiff’s consent. During discovery the Defendants served subpoenas on various third parties, including Facebook, MySpace and other social networking websites. The Defendants claimed that the Plaintiff’s social media communications revealed the nature and terms of the agreement between the parties. The Court granted the Plaintiff’s motion to quash the subpoenas granted by a Magistrate on grounds that 1) the social network sites’ private messaging and e- mail webmail services constituted “electronic communications services “(ECS) under the SCA and 2) the web hosting websites and social networking websites were ECS providers under the SCA, which protects unopened private messages transmitted via an ECS provider as temporary storage. 18 U.S.C. § 2510(17) (A). In so ruling, the Court concluded that a private, undeleted message opened by a user renders the communication “stored” for backup purposes as defined in the statute.

The Court noted that other aspects of social networking sites, Facebook “wall” postings and “comments” and MySpace comments presented a distinct and more difficult question requiring an analysis of the SCA, including understanding the distinction between an RCS provider and an ECS provider. Analyzing the statute, the Court first noted observed that the SCA defines an ECS provider as “any service which provides to users… the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510 (15). The Court next observed that the SCA defines an RCS provider as an entity “providing the public computer storage or processing services by means of an electronic communications system”, and that an electronic communications system is defined as any wire, radio electromagnetic, photo-optical or photo electronic facilities for the transmission of wire or electronic communications and any computer facilities or related electronic equipment for the electronic storage of such communications. Id. §2510(14); §2702(a)(2).

The Court construed these provisions to conclude that social networking services are RCS providers with respect to wall postings and comments since the posts, once made, are stored by the provider within the meaning of the SCA. Accordingly, the Court held that wall postings and comments are protected under the SCA either as restricted access electronic bulletin boards or because social networks are RCS providers that store comments for limited use by a restricted number of users.

The case was remanded to the Magistrate to ascertain whether the Plaintiff’s privacy settings rendered the wall postings public and beyond the protection of the SCA.

This case illustrates the challenge courts face when applying a law enacted over two decades ago to rapidly evolving electronic communications technologies. This dilemma is ongoing as regulators and policy makers struggle to keep pace with innovation resulting in a platform specific approach to protecting privacy – an approach that poses challenges to users and business alike as each tries to discern a predictable framework for ascertaining privacy protection for user generated content.

This case should also be seen as a cautionary tale for employers who may now find themselves running afoul of the law if they obtain access without consent to their employees' social networking sites communications when the employees have opted to restrict access. This decision also calls into question whether an employer can use legal processes such as a subpoena to obtain information from the private social networking accounts of employees.

Please contact at if you would like additional information about this case or if you would like guidance about the application of privacy law to social media communications.

show more/less print this article Print all articles

border

Supreme Court Ducks Broad Privacy Ruling but Provides Guidance on Employer Access to Employee Communications over Workplace Communications Devices

On June 17, 2010 the Supreme Court issued its much-anticipated decision in City of Ontario, California v. Quon, 1 in which it ruled unanimously that a Police Department’s search of an employee’s Department-provided mobile communications device was reasonable under the Fourth Amendment. The case was decided much more narrowly than anticipated; the Court stopped short of addressing the broader question of an employee’s claim to privacy in his or her electronic communications, and the content of those communications, while at work. Instead, the Court appeared to invite further litigation on this issue in order to better understand changes in “information transmission” technology and what “society accepts as proper behavior.” Nevertheless, the opinion provides some practical guidance for public and private sector employers about employer regulation of and access to employee communications transmitted over employer-issued devices, and underscores the need for comprehensive policies.

The case arose when the City of Ontario initiated an investigation into an exchange of text messages originating from the lead Plaintiff, Quon, a city SWAT team officer, to his wife and two other SWAT team members, including one with whom he was romantically involved. The City’s service plan had a monthly character limit for outgoing messages tied to each device and the City was charged a fee for exceeding the limit. The City had a policy that warned employees that they should have no privacy expectation in communications sent over their Department-provided devices. Despite the policy, Quon’s superior told him that his text messages would not be audited as long as he personally paid for any overages.

Quon exceeded the monthly character limit, prompting the Police Chief to investigate whether 1) the character limit was too low for the City’s law enforcement needs and, if so, 2) whether police officers were being required to pay for sending work-related messages. At the City’s request, its service provider, Arch Wireless, searched the text messages on Quon’s pager and provided the City with a transcript of his messages. The City then conducted an audit of Quon’s on-duty messages. The audit revealed that the majority of the messages Quon sent during work hours were personal, many of which were sexually explicit. Quon, his wife, and the two other colleagues brought suit against the City and Arch Wireless claiming in part that the audit violated their Fourth Amendment rights. The district court concluded that the City’s audit was reasonable because its purpose was to determine whether the service plan was appropriate and not simply to investigate Quon’s use of his government- issued pager. The Ninth Circuit reversed. It ruled that although conducted for a legitimate purpose, the search was unreasonable because there were less intrusive means the City could have utilized to determine whether the service plan was inadequate for the police department’s needs. The Supreme Court reversed the Ninth Circuit. Writing for the majority, Justice Kennedy concluded the search was reasonable, noting that the City’s policy reserved the right to monitor employee communications and therefore limited employee expectations of privacy in them. The Court rejected Quon’s argument that the policy was informally modified by his superior’s assurance that his text messages would not be audited as long as he paid for overages. Although narrowly decided on Fourth Amendment grounds, this opinion seems to recognize that the Court will ultimately be asked to decide the appropriate framework for determining the respective rights of employers and employees with respect privacy in the workplace when it comes to employee communications and employee privacy regarding those communications. Nevertheless, this case strongly suggests that employers can take the following measures to minimize the risk of litigation initiated by employees, as well as by non- employees involved in a questionable exchange:

  • Public employers will want to pay particular attention to the impact of state public records laws when assessing public employees’ privacy interests in workplace communications. The majority surmised that Quon should have known that, as a law enforcement officer, his on-the-job communications were likely subject to disclosure under California’s Public Disclosure Act.
  • The Court noted that employers increasingly (if reluctantly) tolerate personal use of employer equipment for private use. Increased employee access of personal e-mail accounts, social media and texts using employer-issued devices requires a thoughtful, holistic evaluation of the workplace technology and communications “ecosystem”, and a realistic assessment of employee practices. This evaluation should result in carefully written use and privacy policies that put employees on unambiguous notice about the circumstances under which the employer can monitor and access employee communications.
    • Use and privacy policies should be comprehensive and address all media, platforms, devices and technologies, including social media.
    • Use and privacy policies should ensure that access to the contents of employee communications is obtained pursuant to a clearly articulated, legitimate business or work-related purpose, such as the investigative purpose asserted by the City in this case. Employer activities that are performed for a legitimate business purpose will be less likely to be found unreasonable.
    • Develop employee training materials and conduct employee training programs to minimize the potential that a supervisor will unintentionally create an expectation of privacy, like appears to have happened in Quon, verbally or through other means. Training materials and programs should be periodically updated to reflect changes in the law and communications technologies or practices.

Please contact at if you would like more information about this case or guidance about privacy in the workplace.

12010 WL 2400087, No. 08-1332 (U.S., Jun. 17, 2010).

show more/less print this article Print all articles

border

FTC Again Postpones Enforcement of the Red Flag Rule

The FTC announced on May 28, 2010 that it is again postponing enforcement of the Red Flag Rule until December 31, 2010. Enforcement has been postponed several times since the Rule was promulgated last year in order to clarify the scope of its coverage and give businesses time to comply with the requirement that they develop and implement programs to detect indicia of potential identity theft. As noted previously several entities protested application of the Rule as to their members, including the ABA and AMA. The current delay is in response to pending house and senate legislation.

border

FCC SEEKS COMMENT ON RECLASSIFYING BROADBAND

On June 17, 2010, the Federal Communications Commission approved a Notice of Inquiry (NOI) seeking public comment on the appropriate legal framework to address certain aspects, the provision of broadband Internet service by broadband Internet Service Providers (ISPs). As expected, a key proposal would involve reclassifying broadband Internet service from the agency’s 2002 designation as a largely unregulated “information” service to a “telecommunications” service subject to regulation under Title II of the Communications Act.

The NOI also seeks comment on the appropriate classification of terrestrial wireless and satellite broadband Internet services, as well other issues.

As expected, this proceeding follows the D.C. Circuit’s recent decision in Comcast Corp. v. Federal Communications Commission, No. 08-1291 (D.C. Cir., Apr. 6, 2010)., which called into question the FCC’s authority to issue rules governing Broadband Internet access and services provided by ISPs.

The NOI specifically asks for information about the following approaches that are intended to respond to the Comcast Court’s concerns:

  • Whether the Commission’s “information service” classification of broadband Internet service remains legally sound and adequate to support effective performance of the Commission’s responsibilities;
  • The legal and practical consequences of classifying broadband Internet connectivity as a “telecommunications service” to which all the requirements of Title II of the Communications Act would apply; and
  • A “third way” under which the Commission would reaffirm that Internet content and applications remain generally unregulated under Title I of the Communications Act; identify the Internet connectivity service that is offered as part of wired broadband Internet service as a telecommunications service; and forbear under Section 10 of the Act from applying all provisions of Title II other than the small number that are needed to implement fundamental universal service, competition and market entry, and consumer protection policies.

Comments are due on July 15, 2010; reply comments are due on August 12, 2010.

If you would like more information about this proceeding and the proposed changes, please contact or at 202-454-9401.

print this article Print all articles

border

Karen Neuman discusses Local Government Use of Social Media

shared her perspective on several legal issues associated with local government use of social media at a regional meeting of telecommunications officers and advisors in Long Beach, California June 3, 2010. In addition to focusing on first amendment issues associated with government use of social media, Karen outlined how use of these tools can trigger state open meetings and public records laws, as well as privacy issues. Observing that the legal landscape is still evolving, Karen offered some strategies for minimizing risk.

border

Karen Neuman to Moderate May 19, 2010 FCBA Privacy & Data Security Committee Brown Bag Program About Privacy and Data Security Issues Involving Marketing to Minors.

Marketing to minors is under increased scrutiny by the FTC, FCC, State Attorneys General, and legislators across the country. will moderate a panel discussion among experts that will address the complex regulatory and enforcement landscape that faces media, communications companies and other businesses wishing to reach children, “tweens” and teens via email, social media, text messages and other emerging technologies. Speakers including Phyllis Marcus, Division of Advertising Practices, FTC; Dana Rosenfeld, Kelley Drye, and Andra Dallas, Staff Attorney, CARU.

border

D.C. Circuit Decides Comcast Case; Implications for FCC Net Neutrality Proceeding

The recent decision by the D.C. Circuit Court of Appeals in the Comcast case1, overturning the FCC’s decision finding Comcast to be in violation of the Commission’s Net Neutrality Policy (“NNP”), has caused quite a stir. Among other things, the decision calls into question those portions of the National Broadband Plan (“NBP”) that assume that the agency will be able to regulate at least certain aspects of the provision of broadband services via the Internet.

The good news for the Commission is that the court concluded that the agency has some measure of “ancillary” jurisdiction over Internet-based services, based on the Communications Act’s grant of general regulatory authority over communication by wire and radio under Title I of the Act. The problem in the Comcast case was that, in the court’s view, the Commission had failed to articulate a nexus between that general, Title I regulatory authority, and a specific statutory mandate in one of the “operational” titles in the Act, such as Title II’s very specific grant of regulatory authority over certain activities of common carriers, and how the NNP was tied to the latter. One of the more interesting aspects of the decision is the extent to which the court seemed to go out of its way to draw the agency a roadmap as to how it might better construct the missing nexus.

Particularly in light of the Commission’s pending Net Neutrality rulemaking, the agency has several options for addressing the D.C. Circuit’s concerns. Obviously, it could seek rehearing (and suggest rehearing en banc), but the odds of success are not high. Similarly, Supreme Court review could be sought, and while that court might agree to consider the case given the potential importance of the issue, the likelihood of a favorable outcome seems problematic. Historically, the Supreme Court has not been very expansive in its interpretation of the scope of the FCC’s powers under Title I ancillary jurisdiction.

The agency can always seek a congressional fix, but pursuing that course can prove uncertain as well, in terms of both substance and timing. The Commission’s best option - - both on the merits and from a timing perspective as well - - seems to be to address the D.C. Circuit’s decision head on in the context of the ongoing Net Neutrality rulemaking. There, two general approaches are available. The first is to parse the jurisdictional issues a bit more finely than was done in the NNP, using the guidance provided by the court to establish the necessary substantive nexus that was found lacking in Comcast. The record assembled in the rulemaking should provide the Commission with ample evidence for such an approach. However, this course still leaves the agency relying on Title I ancillary jurisdiction, which is always something of a weak reed upon which to base a significant regulatory regime.

The better approach is to jettison the Title I jurisdictional predicate and, instead, recognize what now is obvious and declare that Internet service providers (“ISPs”) are in fact carriers, directly subject to Title II jurisdiction. While this would represent a reversal of longstanding Commission policy, the agency has full statutory authority to reverse a prior policy course based upon, e.g., changed circumstances. Clearly, the record assembled in the Net Neutrality rulemaking, coupled with the lengthy proceedings that led up to the adoption of the NBP, provide a more than adequate basis for the Commission to conclude that its old policy of categorizing ISPs as non-carriers no longer serves the public interest and that, as a factual matter, ISPs now conduct themselves - - particularly from a consumer’s perspective - - in a manner indistinguishable from traditional common carriers.

For example, when the FCC first decided that ISPs should not be subject to Title II regulation, it did so in part because: (1) the then-nascent ISPs had no market power; (2) their services were distinguishable from traditional communications services; and (3) the agency did not want to stifle the new industry’s development through unnecessary regulation. As with any similar Commission policy judgment, there would be adequate opportunity to revisit the issue as the industry evolved. Today, the ubiquity of the Internet, its central role in commerce, and the ISPs’ growing head-to-head competition with traditional telephony-based services (e.g., VOIP), provide an unassailable basis for revisiting the Title II question. The Commission can reasonably conclude that in a marketplace in which traditional wireline and mobile carriers are subject to Title II (and the agency’s statutory forbearance authority), it is irrational to leave one - - now mature - - competitor operating essentially unregulated. Articulated properly - - and backed by record evidence - - such a policy reversal should be sustained on the inevitable appellate review.

The above scenario has been dubbed the “nuclear option,” mainly by the ISPs and their financial backers, because it arguably would subject the ISPs to a host of new regulations and, most importantly, financial burdens, mostly in the form of having to contribute to the Universal Service Fund (“USF”) for the first time. However, it does not necessarily follow that exercising the nuclear option will inexorably lead to “nuclear winter” for the ISPs.

First, the bulk of Title II requirements that might otherwise be imposed on the ISPs can be eliminated under the Commission’s forbearance authority, just as those burdens have been eliminated for the traditional carriers. Second, it makes no sense to continue to exempt the ISPs from USF obligations when it is generally agreed that a critical national goal for the next decade is to ensure universal broadband access to the Internet, just as universal access to the telephone network was a national goal of the last century. While this no doubt would subject the ISPs to new financial obligations - - and perhaps skew their near-term financial projections - - such a result would hardly signal the devastation of this industry segment. To the contrary, there is no reason to believe that the ISPs will find that, simply by virtue of having become subject to Title II, the entrepreneurial acumen that drove them to their current level of success suddenly will desert them.

In short, whatever basis previously existed to support the regulatory fiction that the ISPs were not really acting as common carriers, the facts on the ground today no longer sustain that position. In a sense, the Comcast court did the FCC a favor by forcing it to at least consider revisiting the matter. Particularly given the centrality of the Internet-based economy to the nation’s future well-being, it would be irrational for the agency to continue to rely on a patently out-dated rationale to maintain this regulatory fiction.

Moreover, the courts historically have accorded the FCC considerable deference when it has reversed course based on substantial record evidence and a reasoned explanation for its actions. This is so, even when the Commission’s action has the effect of “overturning” a prior adverse court decision. The Commission clearly has the statutory authority to take such action in the context of the ongoing Net Neutrality rulemaking, and the evidentiary basis for doing so.
1 Comcast Corp. v. Federal Communications Commission, No. 08-1291 (D.C. Cir., Apr. 6, 2010).

show more/less print this article Print all articles

border

FTC Announces Review of COPPA Rule

On March 24, 2010 the Federal Trade Commission initiated a long anticipated review of the Children’s Online Privacy Protection Act Rule1 (COPPA Rule) to consider expanding current provisions intended to protect the online privacy of children. The announcement comes at a time when the agency is undertaking a wholesale examination of privacy in a wide range of contexts, including mobile communications, social networking and online gaming. The focus of this proceeding involves the impact of location based services and mobile devices on children’s privacy.

The COPPA Rule currently prohibits operators of commercial websites and online services from collecting personal information from children under the age of 13 without first seeking the consent of a parent or legal guardian. Covered entities must also employ reasonable measures to protect the confidentiality, security and integrity of the information they collect.

In the notice published in the Federal Register, the FTC emphasized that changes to the online environment, including the increasing use of mobile technology by children to access the Internet warrant accelerated review of the rule. The notice specifically seeks comment on how the use of this technology, interactive television and gaming or other interactive media impact COPPA enforcement.

The outcome of this proceeding could have a significant impact on businesses that are subject to its requirements. Expansion of the definitions of such key terms and “personal information” and the “Internet” could impose additional burdens on operators of children’s and general audience websites alike, which could, in turn, make it more difficult for businesses to engage young people and even adults online. The interest in age verification and filtering technologies should be seen as an indication that the FTC may not be satisfied with the current framework for protecting children’s privacy.

The FTC is specifically interested in:

  • the use of automated systems to filter technology prior to posting as a means for effectively reviewing content generated by children;
  • whether operators have the ability to contact specific individuals using information collected from children online, such as persistent IP addresses, mobile geolocation data, or information collected in connection with behavioral advertising, and whether the rule’s definition of “personal information” should be expanded accordingly;
  • whether there are additional technological methods for obtaining verifiable parental consent that should be added to the rule, and whether any of the methods currently included should be removed;
  • Whether parents are exercising their right under the rule to review or delete personal information collected from their children, and what challenges operators face in authenticating parents; and
  • Whether the rule’s process for FTC approval of self-regulatory guidelines – known as safe harbor programs – has enhanced compliance, and whether the criteria for FTC approval and oversight of the guidelines should be modified in any way.

Comments are due June 30, 2010. A public “roundtable” meeting has been scheduled for June 2, 2010, during which interested parties may share their views with agency staff, scholars, privacy advocates and businesses. Click here to view the text of the request for comment.

If you would like more information about the rule and the proposed changes, please contact at .

show more/less print this article Print all articles

border

The National Broadband Plan

In response to a congressional mandate, the Federal Communications Commission (“FCC”) sent to Congress on March 16, 2010, the National Broadband Plan (“NBP”), in which it evaluated the current state of broadband deployment and made specific recommendations for the future, to encourage economic growth, job creation, global competitiveness and the like.

The FCC proposed that the government act in four specific ways to achieve these objectives:

  • Designing policies that promote robust competition and that maximize innovation, investment and consumer welfare;
  • Ensuring efficient allocation and management of government-owned and government-influenced assets (such as spectrum, infrastructure, and rights-of-way) in a manner that encourages network upgrades and competitive entry;
  • Reforming current universal service mechanisms to support both the deployment of broadband and voice in high-cost areas (e.g., primarily rural) and efforts to boost adoption and utilization by making broadband more affordable; and
  • Reforming laws, policies, standards and incentives to maximize the benefits of broadband in highly government-controlled or influenced sectors such as public education, health care, energy, homeland security, economic opportunity and government operations.

The NBP outlines six specific goals to be adopted by 2020:

  • At least 100 million homes should have affordable access to broadband at actual download speeds of at least 100 megabits per second, and actual upload speeds of at least 50 megabits per second;
  • The U.S. should lead the world in mobile innovation, with the fastest and most extensive wireless networks of any nation;
  • Every American should have affordable access to robust broadband service and the means and skills to subscribe to it if they so choose;
  • Every American community should have affordable access to at least 1 gigabit per second broadband service for anchor institutions, such as schools, hospitals, and government buildings;
  • Every first responder should have access to a nationwide, wireless, interoperable broadband public safety network; and
  • Every American should be able to use broadband to track and manage their real-time energy consumption.

One of the most interesting provisions of the NBP is the identified need for some 500 MHz of additional spectrum to support mobile broadband, a substantial portion of which is proposed to be reallocated from television broadcasting. The broadcast and mobile services industries have been engaged in a running battle over spectrum for decades. In the late-1970s through early-1980s the FCC reallocated the then-generally fallow 800 MHz segment of the UHF TV band for the development of the first cellular networks. Twenty-some years later, the broadcasters surrendered another hefty slice of their upper-UHF allocation, the 700 MHz band (the bulk of which was auctioned off 3 years ago for Advanced Wireless Services), in return for which they were authorized to provide digital television, as well as multichannel video and information services. Now, having completed that not-inexpensive transition to digital operation a year ago, the FCC is proposing that television licensees “voluntarily” surrender their licenses for reallocation and auction for mobile services, in return for a portion of the auction revenue.

While the FCC clearly has the legal authority under the Communications Act to reallocate the subject spectrum today (setting aside whether it has the political will to exercise that authority), granting the broadcasters a piece of the auction pie is not within the agency’s gift. That part of the proposed “deal” will require congressional approval, which, if granted, will also provide the Commission with the necessary political cover for the reallocation.

Another component of this deal that that has been mentioned is granting those broadcasters who surrender their licenses the opportunity to become (for lack of a better characterization) local cable channels, with guaranteed access to the local cable systems (the ex-broadcast signal presumably would be distributed directly to cable head-ends via fiber). Here, too, congressional action would be required to create this new “broadcast”/cable relationship. How this might fare in the face of the inevitable constitutional challenge is problematic at best, given the fairly thin constitutional reed that presently upholds the current must-carry regime.

The obvious battle lines have been drawn on the Hill, and, as always, the devil will be in the details, while the law of unintended consequences - - the most pervasive law in Washington, DC - - will be fully in play. It will be fascinating - - if not necessarily an inspiring civics lesson - - to watch this process play itself out.

Additional spectrum-related issues also will be addressed in the various inquiry and rulemaking proceedings that will be initiated or reactivated by the FCC during the following months. These will involve, among others, examining ways to accelerate the deployment of spectrum-based smart-grid systems, low-power patient-monitoring technologies, and networks designed to operate in the “white spaces.” Particularly with respect white-space technologies, the Commission faces a potential dilemma. Its recent opening of the TV white spaces for various “smart” low power technologies has generated considerable investment in the development and deployment of such systems. However, the goal announced in the NBP, to reallocate a substantial portion of the TV band, may negatively impact the development of these new white space systems. The Commission must take considerable care to not inadvertently undermine these valuable new technologies, which can greatly increase the efficiency of use of many spectrum bands.

To read the full text of the National Broadband Plan, please click here.

For additional information on this or other matters, please contact Jeff Olson at jolson@stlro.com, 202-454-9401 or 703-628-2142.

show more/less print this article Print all articles

border

The mobile frontier: Karen Neuman’s article on recent legal developments in mobile advertising in the Electronic Retailer magazine

"The accelerated growth of mobile commerce, combined with the acuity of location-based applications makes it possible for direct response retailers to use the mobile channel for locally targeted mass marketing. One estimate, according to Mobile Marketer, puts worldwide mobile phone connections at 4 billion; while another by Neustar and SMS Mobile Marketing predicts that mobile revenue in the United States will reach $3.3 billion by 2013. SMS text messages dominates mobile advertising in markets like the U.S."

Read more: http://www.electronicretailermag.com/er0310_frontier

border

border