St. Ledger-Roty & Olson LLP

PRIVACY & INFORMATION LAW UPDATE
August 2010
Prepared by Karen L. Neuman

  • This update is for informational, including advertising, purposes only and is not intended to be nor should it be considered to be legal advice.

In this Issue:
FEATURED ARTICLE: SUPREME COURT DUCKS MAJOR PRIVACY RULING
FTC FLOATS "DO NOT TRACK" CONCEPT
PRIVACY & THE DODD-FRANK FINANCIAL REFORM ACT
INDUSTRY REACTS TO FTC COPPA RULE REVIEW
FLASH COOKIE LAWSUITS SOUND WARNING FOR INDUSTRY
FEDERAL COURT RULES THAT CERTAIN POSTINGS ON SOCIAL NETWORK SITES ARE NOT DISCOVERABLE UNDER STORED COMMUNICATIONS ACT
RUSH INTRODUCES PRIVACY BILL
RED FLAGS RULE POSTPONEMENT REDUX
PROPOSED HITECH RULES
KAREN NEUMAN TO DISCUSS EMERGING RISKS AND LEGAL ISSUES INVOLVING LOCAL GOVERNMENT USE OF SOCIAL MEDIA


Supreme Court Ducks Broad Privacy Ruling but Provides Guidance on Employer Access to Employee Communications using Workplace Communications Devices
On June 17, 2010 the Supreme Court issued its much-anticipated decision in City of Ontario, California v. Quon, 2010 WL 2400087, No. 08-1332 (U.S., Jun. 17, 2010) in which it ruled unanimously that a Police Department’s search of an employee’s Department-provided mobile communications device was reasonable under the Fourth Amendment. The case was decided much more narrowly than anticipated; the Court stopped short of addressing the broader question of an employee’s claim to privacy in his or her electronic communications, and the content of those communications, while at work. Instead, the Court appeared to invite further litigation on this issue in order to better understand changes in “information transmission” technology and what “society accepts as proper behavior.”


FTC Floats "Do Not Track” Concept
In testimony before the Senate Commerce Committee on July 27, 2010, FTC Chairman Jon Leibowitz revealed that the FTC is leaning toward a "Do Not Track" registry to address concerns about online privacy. The registry would be similar to the FTC’s Do Not Call registry, which allows consumers to opt out of most telemarketing calls.


Privacy and the Dodd-Frank Wall Street Reform & Consumer Protection Act
On July 21, 2010 President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act into law. The Act is intended to address many of the perceived causes of the financial services industry crisis to avert a future risk of similar debacles. Intense public scrutiny has focused on restructuring how the industry will be regulated. Less attention has been paid to the law’s impact on how consumer privacy and data will be protected under the law.


Industry reacts to FTC's COPPA Rule Review
Following a brief extension of the comment deadline in the FTC’s proceeding to review the Children’s Online Privacy Protection Act (COPPA) Rule, and an apparent dearth of initial filings, industry responded by urging the FTC to refrain from making significant changes and instead to increase enforcement and public education initiatives to better inform parents and children about online.


Flash Cookie Lawsuits Sound Warning for Industry
A pair of federal court lawsuits filed this summer should sound a warning for website operators using tracking technologies that can override consumer privacy preferences.


Federal Court Rules that Certain Postings on Social Network Sites are not Discoverable Under Stored Communications Act
A federal judge in California recently determined that private messages transmitted over social network sites are protected from discovery under the Stored Communications Act (“SCA”), 18 U.S.C. §2701, which restricts the government’s ability to require Internet Service Providers to “knowingly disclose information in their possession about their customers and subscribers.” The Court also ruled that wall postings and comments, such as those posted by users on Facebook and MySpace, may also be protected by the SCA, but only to the extent that access to these communications is restricted by users’ privacy settings.


Rush Introduces Privacy Bill
On July 19, 2010, Rep. Bobby Rush (D-Illinois) introduced H.R. 5777, the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards” Act (“Best Practices Act”), intended to address how websites and other online businesses collect and use consumer information. The bill follows the previous release of a draft privacy bill by Rep. Rick Boucher (D-VA). If enacted, the Rush measure would apply to any person or entity engaged in interstate commerce over which the FTC has jurisdiction and that collects or stores data containing “covered” or “sensitive” information. “Opt-out” consent would be required for the collection of most types of information, and express affirmative consent would be required to share that information with unaffiliated third parties.


Red Flags Rule Postponement Redux
On May 28, 2010 the FTC postponed enforcement of the Red Flags Rule until December 31, 2010. This is the fifth time the agency has delayed enforcement of the rule since it was promulgated in 2009. Those delays were intended to clarify the scope of coverage and give businesses time to comply with the requirement to develop and implement programs to detect indicia of potential identity theft. The current delay is in response to pending legislation intended to clarify who is a “creditor” under the statute, in light of ongoing protests by numerous sectors concerning the Rule’s application. It is conceivable that the recent enactment of Wall Street Reform legislation could have an impact on enforcement of the Rule as promulgated.


HHS Proposes Changes to HIPAA Privacy Rules
On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed amendments implement changes made by the 2009 Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act). They are intended to strengthen patient privacy and data protection.


Karen Neuman to Discuss Risks & Best Practices for Local Government Use of Social Media
SLRN&O founding Partner Karen L. Neuman will share her perspectives on emerging legal issues and risks associated with local government use of social media at the national NATOA meeting, September 29-October 1, 2010, in Washington, D.C. In addition to focusing on key First Amendment issues, Karen will discuss how use of social media tools can trigger state open meetings and public records laws and raise privacy concerns. Karen will also offer some strategies for minimizing risk in the evolving legal environment.


Featured Article:
Supreme Court Ducks Broad Privacy Ruling but Provides Guidance on Employer Access to Employee Communications using Workplace Communications Devices
By Karen L. Neuman

On June 17, 2010 the Supreme Court issued its much-anticipated decision in City of Ontario, California v. Quon, 2010 WL 2400087, No. 08-1332 (U.S., Jun. 17, 2010) in which it ruled unanimously that a Police Department’s search of an employee’s Department-provided mobile communications device was reasonable under the Fourth Amendment. The case was decided much more narrowly than anticipated; the Court stopped short of addressing the broader question of an employee’s claim to privacy in his or her electronic communications, and the content of those communications, while at work. Instead, the Court appeared to invite further litigation on this issue in order to better understand changes in “information transmission” technology and what “society accepts as proper behavior.”

The case arose when the City of Ontario initiated an investigation into an exchange of text messages originating from the lead Plaintiff, Quon, a city SWAT team officer, to his wife and two other SWAT team members, including one with whom he was romantically involved. The City’s service plan had a monthly character limit for outgoing messages tied to each device and the City was charged a fee for exceeding the limit. The City had a policy that warned employees that they should have no privacy expectation in communications sent over their Department-provided devices. Despite the policy, Quon’s superior told him that his text messages would not be audited as long as he personally paid for any overages.

Quon exceeded the monthly character limit, prompting the Police Chief to investigate whether 1) the character limit was too low for the City’s law enforcement needs and, if so, 2) whether police officers were being required to pay for sending work-related messages. At the City’s request, its service provider, Arch Wireless, searched the text messages on Quon’s pager and provided the City with a transcript of his messages. The City then conducted an audit of Quon’s on-duty messages. The audit revealed that the majority of the messages Quon sent during work hours were personal, many of which were sexually explicit. Quon, his wife, and the two other colleagues brought suit against the City and Arch Wireless claiming in part that the audit violated their Fourth Amendment rights. The district court concluded that the City’s audit was reasonable because its purpose was to determine whether the service plan was appropriate and not simply to investigate Quon’s use of his government-issued pager. The Ninth Circuit reversed. It ruled that although conducted for a legitimate purpose, the search was unreasonable because there were less intrusive means the City could have utilized to determine whether the service plan was inadequate for the police department’s needs. The Supreme Court reversed the Ninth Circuit. Writing for the majority, Justice Kennedy concluded the search was reasonable, noting that the City’s policy reserved the right to monitor employee communications and therefore limited employee expectations of privacy in them. The Court rejected Quon’s argument that the policy was informally modified by his superior’s assurance that his text messages would not be audited as long as he paid for overages.

Although narrowly decided on Fourth Amendment grounds, this opinion seems to recognize that the Court will ultimately be asked to decide the appropriate framework for determining the respective rights of employers and employees with respect to privacy in the workplace when it comes to employee communications and employee privacy regarding those communications. Nevertheless, this case strongly suggests that employers can take the following measures to minimize the risk of litigation initiated by employees, as well as by non-employees involved in a questionable exchange:

  • Public employers will want to pay particular attention to the impact of state public records laws when assessing public employees’ privacy interests in workplace communications. The majority surmised that Quon should have known that, as a law enforcement officer, his on-the-job communications were likely subject to disclosure under California’s Public Disclosure Act.
  • The Court noted that employers increasingly (if reluctantly) tolerate use of employer equipment for personal purposes. Increased employee access to personal e-mail accounts, social media and texts using employer-issued devices requires a thoughtful, holistic evaluation of the workplace technology and communications “ecosystem”, and a realistic assessment of employee practices. This evaluation should result in carefully written use and privacy policies that put employees on unambiguous notice about the circumstances under which the employer can monitor and access employee communications.
    • Use and privacy policies should be comprehensive and address all media, platforms, devices and technologies, including social media.
    • Use and privacy policies should ensure that access to the contents of employee communications is obtained pursuant to a clearly articulated, legitimate business or work-related purpose, such as the investigative purpose asserted by the City in this case. Employer activities that are performed for a legitimate business purpose will be less likely to be found unreasonable.
    • Develop employee training materials and conduct employee training programs to minimize the potential that a supervisor will unintentionally create an expectation of privacy, as appears to have happened in Quon, verbally or through other means. Training materials and programs should be periodically updated to reflect changes in the law and communications technologies or practices.



FTC Floats "Do Not Track” Concept
In testimony before the Senate Commerce Committee on July 27, 2010, FTC Chairman Jon Leibowitz revealed that the FTC is leaning toward a "Do Not Track" registry to address concerns about online privacy. The registry would be similar to the FTC’s Do Not Call registry, which allows consumers to opt out of most telemarketing calls. The agency is considering the feasibility of a Do Not Track system through a tool like a browser plug-in that would retain consumers’ tracking preferences. Unlike the Do Not Call Registry, users would still receive online ads (as opposed to having them blocked altogether), but the ads would not be based on individual browsing or other history. This approach would differ from current industry methods that utilize opt-out cookie tools, an approach that has been criticized because it relies on opt-out cookies that may be deleted by consumers.

The FTC is expected to issue a report this fall that could contain this recommendation, as well as other approaches for protecting online privacy. For example, Liebowitz indicated that the FTC is considering recommending that businesses prominently display their privacy policies’ most "material terms" in a small box so that questionable or confusing practices aren’t buried in small print.

A Do Not Track registry would be a clear departure from the FTC’s past emphasis on industry self-regulation, triggering concerns about the impact on the data driven and supported Internet. The impetus for a Do Not Track approach should be viewed in the broader context of the pace of innovation and the broad outcry about the impact of innovation (including increasingly invasive tracking technologies, such as geolocation tracking, application-embedded advertising, and the convergence of offline and online tracking), on privacy. The day after the Senate Commerce Committee hearing Senator Kerry indicated his intent to introduce privacy legislation, adding to other pending initiatives including proposals recently introduced by Representatives Boucher and Rush.

The challenge appears to continue to be one of balancing the benefits of a data-driven Internet while protecting individual privacy. An approach that integrates self-regulation, transparency and accessible consumer technology tools, as well as clear industry guidance from policymakers, may be more effective in achieving this balance than stringent regulation that reflects a snapshot in time.

Businesses of all sizes that depend on consumer data will have to stay abreast of developments at the FTC, including the anticipated release this fall of the agency’s privacy report, as well as the status of pending privacy legislation.



Privacy and the Dodd-Frank Wall Street Reform & Consumer Protection Act
On July 21, 2010 President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act into law. The Act is intended to address many of the perceived causes of the financial services industry crisis to avert a future risk of similar debacles. Intense public scrutiny has focused on restructuring how the industry will be regulated. Less attention has been paid to the law’s impact on how consumer privacy and data will be protected under the law.
The Act creates an independent Consumer Financial Protection Board with significant consumer protection rulemaking authority governing a broad array of businesses that offer consumer financial products and services. Covered businesses include banks, credit reporting agencies, credit institutions and thrift institutions. The Board will be headed by a Director who will be appointed by the President and confirmed by the Senate. The Director will have sole responsibility for developing policy, promulgating rules and enforcement. The President’s choice of a Director will likely indicate his intent to ensure a strong, proactive consumer protection authority.

Many consumer protection responsibilities currently handled by other federal agencies, including FDIC, Office of Thrift Supervision, HUD and the FTC will be consolidated in the Board. Even where existing agencies retain authority over other functions, including primary financial examination authority, responsibility for interpreting virtually all financial consumer laws and promulgating rules will lie with the Board.

The Board has significant authority to regulate privacy, data disclosure, storage and access. In addition, the Board has rulemaking authority under specified statutes that address consumer privacy protections, including the Fair Credit Reporting Act and Gramm-Leach-Bliley. Some of these protections include requiring covered entities or persons to identify indicia of identity theft or practices that can affect data transfer, including information provided to consumer credit reporting agencies. At the same time, it appears that other agencies will retain jurisdiction over similar consumer protection functions, like the FTC and its recently promulgated Red Flags Rule (enforcement of which has been delayed until December 31, 2010) and the Document Disposal Rule. Other laws, including the Privacy Act of 1974 and the Right to Financial Privacy Act of 1978, have been or will be amended to authorize CFPB jurisdiction and oversight.

With over 200 anticipated rulemaking proceedings, many of which will be initiated by the Board, much uncertainty remains about how existing rules will be construed and perhaps modified and how new statutory provisions will be implemented. The Director’s Senate confirmation process may provide a useful opportunity to potentially impact the regulatory environment.



Industry reacts to FTC's COPPA Rule Review
Following a brief extension of the comment deadline in the FTC’s proceeding to review the Children’s Online Privacy Protection Act (COPPA) Rule, and an apparent dearth of initial filings, industry responded by urging the FTC to refrain from making significant changes and instead to increase enforcement and public education initiatives to better inform parents and children about online.
This proceeding occurs at a time when the FTC is already engaged in a wholesale examination of privacy in a wide range of contexts, including mobile communications, social networking, and online advertising.

The COPPA Rule currently prohibits operators of commercial websites and online services from collecting personal information from children under the age of 13 without first seeking the consent of a parent or legal guardian. These entities must also employ reasonable measures to protect the confidentiality, security and integrity of the information they collect.

Earlier this year, the FTC explained that it had decided to accelerate review of the COPPA Rule in light of changes to the online environment since the Rule was issued some 15 years ago. Instead of proposing a new rule, the FTC issued a request for public comment about the ability of the current Rule to protect children’s online privacy in light of rapid developments in technology. These developments include increased use of mobile technology by children to access the Internet, the impact of corresponding location-based services on children’s privacy, interactive gaming and social media. The FTC specifically sought information about the availability of new technologies that can be used to filter content generated by children prior to posting; whether operators have the ability to contact specific individuals using information collected from children online, including persistent IP addresses, mobile geolocation data, or information collected in connection with behavioral advertising; whether the Rule’s definition of “personal information” should be expanded accordingly; whether there are new tools for obtaining verifiable parental consent that should be added to the Rule; and whether any of the currently enumerated methods should be removed.

There was general consensus among industry that the COPPA Rule is a familiar and appropriate scheme for achieving the important objective of protecting children online. At the same time, commenters urged the FTC to refrain from making changes that could interfere with innovation in children’s online services. For example, expanding the definition of “personal information” or the “Internet”, or raising the Rule’s current age trigger, could pose numerous administrative and compliance challenges to website operators which could, in turn, make it more difficult for businesses to engage young people, and in some instances even adults, online.

The outcome of this proceeding could have a significant impact on businesses that are subject to its requirements. Children’s website operators and any online service that knowingly collects information from children under 13 should be familiar with the current COPPA Rule. These businesses should review their privacy policies and information practices for compliance. Businesses should also monitor related developments at the FTC, including the anticipated release of a report seeking statutory changes, and, possibly, a proposed rule. Businesses should also keep abreast of ongoing enforcement actions brought under the current Rule.



Flash Cookie Lawsuits Sound Warning for Industry
A pair of federal court lawsuits filed this summer should sound a warning for website operators using tracking technologies that can override consumer privacy preferences.
The cases, Valdez v. Quantcast Corp., et al, CV10-5484 GW JCG (C.D. Cal., July 23, 2010) and White v. Clearspring Technologies, 2:10-cv-05948-UA (C.D. Cal., August 10, 2010), allege that a number of well-known websites violated federal and state privacy and consumer protection laws -- including the federal Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and California’s Computer Crime Law and Invasion of Privacy Act -- by depositing “Flash” cookies on users’ computers to track their online activities. The Plaintiffs in each suit seek unspecified monetary damages and injunctive relief.

Flash cookies, more accurately known as “locally stored objects”, can be used by websites to collect cookie-like information on a user’s computer. They can be used for such diverse purposes as remembering preferences, watching online video, setting default volume levels on video players, or assigning a unique ID to users for tracking across the web regardless of browser. Most users are unaware that, when a Flash cookie is deposited on a computer, the steps they take to prevent online tracking by deleting traditional browser cookies typically do not remove Flash cookies.

The Plaintiffs in Quantcast brought suit against MTV, ESPN, Hulu, MySpace & Scribd, among other websites, alleging that their use of LSOs (or Flash cookies) secretly stored user data on Adobe’s Flash Player to recreate information contained in browser cookies that had been deleted by users. Also named as a defendant was San Francisco-based advertising technology company Quantcast – creator of the LSO used by the websites.

Clearspring was filed on behalf of parents and their children against one of Quantcast’s competitors, Clearspring Technologies, as well as several websites including Disney, Warner Bros. Records, SodaHead and Demand Media. The Plaintiffs claim that Clearspring simultaneously deposited HTTP cookies and a Flash cookie in users’ Flash media players when users visited the defendants’ websites. When users deleted the HTTP cookies from their browsers, unbeknownst to them, the Flash cookie restored and/or recreated history and other information, including the user’s name and IP address, which in turn was used by the defendants and others for online tracking and ad serving. The Plaintiffs also claim that the defendants’ privacy policies failed to disclose that users’ activities were being tracked online through the use of Flash cookies.

While some of the factual allegations in each action may differ somewhat, the fundamental grievance is the same: that the defendants used a technology to track the plaintiffs’ online activities without notice or consent.

Although the lawyers are, for the most part, targeting high-profile, “deep pocket” defendants, at least one of the defendants, SodaHead, is a small online polling company; no website should be considered under the radar. It would not be surprising to see this effort expanded to other websites that rely on Flash or similar tracking technology, including social media sites, particularly as those sites add location-based features.

We expect that this suit will be closely watched by the Plaintiffs’ bar, privacy advocates and policymakers. The larger issue appears to be one of consumer knowledge about and control over the collection and use of their information and less about specific technology. That said, the use of technologies like Flash cookies should be viewed as risky because they enable tracking online activities without a user’s knowledge, including when consumers believe they have taken the necessary steps to prevent tracking.

Companies that employ Flash cookies or similar tracking technologies that can be used to override consumer privacy preferences should monitor developments in these proceedings. In the process, they should consider taking measures to minimize the potential for becoming a target for this type of lawsuit. At a minimum, companies should firmly understand the capabilities of the tracking technologies they employ and the extent of information collected, and they should provide clear notice of the use of these technologies in their privacy policies. If Flash cookies are employed, companies should prominently disclose their use and provide a link to Adobe’s site for instructions for deleting these cookies. Companies may also want to consider alerting customers to other tools that can delete Flash cookies or prevent them from being used altogether.



Federal Court Rules that Certain Postings on Social Network Sites are not Discoverable Under Stored Communications Act
A federal judge in California recently determined that private messages transmitted over social network sites are protected from discovery under the Stored Communications Act (“SCA”), 18 U.S.C. §2701, which restricts the government’s ability to require Internet Service Providers to “knowingly disclose information in their possession about their customers and subscribers.” The Court also ruled that wall postings and comments, such as those posted by users on Facebook and MySpace, may also be protected by the SCA, but only to the extent that access to these communications is restricted by users’ privacy settings.

In reaching its decision in Crispin v. Audigier, Inc., 2010 WL 2293238 (C.D. Cal. 2010), the Court undertook an extensive analysis of the SCA, noting in the process the difficulty of applying a statute that was enacted over two decades ago to today’s communications technologies and users’ practices. That said, this case could alter the way content posted on social networks is managed by organizations in anticipation of potential litigation. This case could also create legal risk for organizations seeking access to social network communications in other contexts -- affecting, for example, the ability of employers to lawfully obtain information about employees or potential hires by viewing social network communications.

The Plaintiff, an artist, initiated a copyright infringement action against a clothing designer, alleging breach of an oral license for the limited use of the Plaintiff’s artwork in the manufacture of certain types of garments. The Complaint included allegations that the Defendant violated the terms of the license by failing to include the Plaintiff’s logo on various garments displaying the Plaintiff’s designs and also sublicensed the Plaintiff’s design work without the Plaintiff’s consent. During discovery the Defendants served subpoenas on various third parties, including Facebook, MySpace and other social networking websites. The Defendants claimed that the Plaintiff’s social media communications revealed the nature and terms of the agreement between the parties. The Court granted the Plaintiff’s motion to quash the subpoenas granted by a Magistrate on the grounds that 1) the social network sites’ private messaging and e-mail/webmail services constituted “electronic communications services” (ECS) under the SCA and 2) the web hosting websites and social networking websites were ECS providers under the SCA, which protects unopened private messages transmitted via an ECS provider as temporary storage. 18 U.S.C. § 2510(17)(A). In so ruling, the Court concluded that a private, undeleted message opened by a user renders the communication “stored” for backup purposes as defined in the statute.

The Court noted that other aspects of social networking sites, Facebook “wall” postings and “comments” and MySpace comments, presented a distinct and more difficult question requiring an analysis of the SCA, including understanding the distinction between an RCS provider and an ECS provider. Analyzing the statute, the Court first observed that the SCA defines an ECS provider as “any service which provides to users… the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). The Court next observed that the SCA defines an RCS provider as an entity “providing the public computer storage or processing services by means of an electronic communications system”, and that an electronic communications system is defined as any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications and any computer facilities or related electronic equipment for the electronic storage of such communications. Id. §2510(14); §2702(a)(2).

The Court construed these provisions to conclude that social networking services are RCS providers with respect to wall postings and comments since the posts, once made, are stored by the provider within the meaning of the SCA. Accordingly, the Court held that wall postings and comments are protected under the SCA either as restricted access electronic bulletin boards or because social networks are RCS providers that store comments for limited use by a restricted number of users.

The case was remanded to the Magistrate to ascertain whether the Plaintiff’s privacy settings rendered the wall postings public and beyond the protection of the SCA.

This case illustrates the challenge courts face when applying a law enacted over two decades ago to rapidly evolving electronic communications technologies. This dilemma is ongoing as regulators and policy makers struggle to keep pace with innovation, resulting in a platform-specific approach to protecting privacy, an approach that poses challenges to users and businesses alike as each tries to discern a predictable framework for ascertaining privacy protection for user-generated content.

This case should also be seen as a cautionary tale for employers, who may now find themselves running afoul of the law if they obtain access without consent to their employees' social networking site communications when the employees have opted to restrict access. This decision also calls into question whether an employer can use legal processes such as a subpoena to obtain information from the private social networking accounts of employees.

Rush Introduces Privacy Bill
On July 19, 2010, Rep. Bobby Rush (D-Illinois) introduced H.R. 5777, the Building Effective Strategies to Promote Responsibility, Accountability, Choice, Transparency, Innovation, Consumer Expectations and Safeguards Act (“Best Practices Act”), intended to address how websites and other online businesses collect and use consumer information. The bill follows the previous release of a draft privacy bill by Rep. Rick Boucher (D-VA). If enacted, the Rush measure would apply to any person or entity engaged in interstate commerce over which the FTC has jurisdiction and that collects or stores data containing “covered” or “sensitive” information. “Opt-out” consent would be required for the collection of most types of information, and express affirmative consent would be required to share that information with unaffiliated third parties.

Covered entities or persons would be required to provide notice of information collection practices, including:

  • the identity of the website or online service
  • the effective date of the privacy notice
  • a description of the covered/sensitive information collected or stored by the covered entity
  • the specific purposes for which the covered entity collects and uses the covered information, including how the covered entity customizes products/services/prices based on such information
  • the specific purposes for which covered/sensitive information may be disclosed to third parties and the categories of third parties who may receive such information
  • the choice and means for limiting the collection, use and disclosure of covered/sensitive information
  • a description of the information any individual may request access to and the means for making such a request
  • how the covered entity may merge, link or combine covered/sensitive information
  • the retention schedule for covered/sensitive information including whether the entity will retain information permanently
  • whether the individual can direct the deletion of information collected from or about the individual
  • a reasonable means for individuals to contact the covered entity regarding its handling of covered/sensitive information
  • the process by which the covered entity notifies individuals of material changes to its practices or policies
  • a hyperlink to the FTC Commissioner’s online consumer complaint form or the FTC’s toll-free number for the Commission’s Consumer

Covered entities would also be required to establish, implement and maintain “reasonable and appropriate” administrative, technical and physical safeguards to ensure the security, integrity, and confidentiality of the covered information or sensitive information it collects, assembles, or maintains; protect against any anticipated threats, reasonably foreseeable vulnerabilities, or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information and loss, misuse, alteration, or destruction of such information.

The measure contains a private right of action that enables aggrieved parties to seek actual plus punitive damages, costs and attorney's fees for violations. A safe harbor provision would shield companies from private litigation provided they participate in and comply with an FTC-approved self-regulatory program.

The bill also distinguishes between “sensitive” and other types of personal information.

“Sensitive” information includes information that relates directly to an individual’s medical history or health, race or ethnicity, religious beliefs/affiliations, sexual orientation/behavior, financial information (income, assets, liabilities, etc.), individual geolocation, unique biometric information or social security number.

“Covered” information includes first name or initial and last name, postal address, email address, telephone/fax number, government issued identification numbers (e.g. tax ID, driver’s license number, etc.), financial account numbers, credit/debit card number, access codes/passwords, “unique persistent identifiers” used to collect, store or identify information about a specific individual or create a profile (e.g. customer numbers, IP addresses, unique pseudonym), and any information collected, stored, used or disclosed in connection with the foregoing information. The definition excludes certain enumerated business-related information.

The combined effect of these definitions is to move U.S. privacy law closer to the EU Privacy Directive and other similar approaches.

The bill contains an exemption for small businesses that retain less than 15,000 names, e-mail addresses, or other personal information in their records. The language appears to be broad enough to apply to small enterprises like local retailers, “mom & pop” services like plumbers and “handymen”, and even individuals who retain e-mail addresses on computing equipment. The bill requires the FTC to promulgate a number of regulations, and businesses that violate those regulations could face fines of up to $5 million.

Although the measure is unlikely to be enacted prior to the mid-term elections, similar efforts could gain momentum in subsequent sessions, particularly in light of high profile incidents like those involving confusion over Facebook’s privacy settings and Google’s unauthorized data collection associated with its Street View tool. Even then, a likely outcome could be a law that focuses more on website transparency than on restricting how websites collect information.

Commercial entities that collect and retain personal information online should monitor the status of this measure for possible amendments that could expand its reach. Businesses should also review their privacy policies and data protection practices to make sure they reflect current practices and comply with applicable existing laws.

Red Flags Rule Postponement Redux
On May 28, 2010 the FTC postponed enforcement of the Red Flags Rule until December 31, 2010. This is the fifth time the agency has delayed enforcement of the Rule since it was promulgated in 2009. Those delays were intended to clarify the scope of coverage and give businesses time to comply with the requirement to develop and implement programs to detect indicia of potential identity theft. The current delay is in response to pending legislation intended to clarify who is a “creditor” under the statute in light of ongoing protests by numerous sectors concerning the Rule’s application. It is conceivable that recent enactment of Wall Street Reform legislation could have an impact on enforcement of the Rule as promulgated.

The Rule requires businesses and organizations that act as "creditors" within the meaning of the Fair and Accurate Credit Transactions Act to establish policies and procedures for detecting signs of potential identity theft, or “red flags”, and responding accordingly, including notifying affected individuals.

“Creditor” is currently broadly defined to include "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of any original creditor who participates in the decision to extend, renew, or continue credit."

Accordingly, the Rule applies to businesses as diverse as newspapers, lawyers, medical professionals, retailers that offer financing or process credit applications as well as “mom and pop” retailers that routinely bill in arrears for goods and services. Many entities that do not consider themselves creditors may be surprised to discover that they are covered under the rule. Companies should assess their business practices -- including their billing practices -- carefully to determine whether they are covered by the broad "creditor" definition.

Following numerous requests for exemption, the FTC initially delayed enforcement until May 1, 2009 as it sought to clarify which entities would be covered. The American Bar Association subsequently filed suit in U.S. District Court for the District of Columbia to block enforcement as to lawyers, arguing in part that the act of billing a client is not an extension of credit that turns every lawyer and law firm into a creditor. The ABA also contended that in applying the Rule to lawyers the FTC failed to articulate a rational connection between the practice of law and identity theft.

Despite the FTC’s decision to delay enforcement of the Rule and the pending litigation, businesses that provide services to their customers for which those customers are later billed should assess their current programs for detecting and responding to potential identity theft. While it is possible that some types of businesses may obtain an exemption, the majority of businesses that bill in arrears will likely be required to comply.

HHS Proposes Changes to HIPAA Privacy Rules
On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed amendments implement changes made by the 2009 Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act). They are intended to strengthen patient privacy and data protection.

Proposed privacy enhancements include:

  • Adding “subcontractors” to the definition of “business associate” to provide that subcontractors that perform functions for or provide services to a business associate are also business associates to the extent they require access to protected health information (“PHI”);
  • Requiring business associates to enter into written contracts with those subcontractors (previously, business associates were only required to “ensure” that subcontractors agree to the same restrictions on the use and disclosure of PHI);
  • Applying the “Security Rule” and the “Enforcement Rule” penalty provisions directly to business associates;
  • Revising the definition of “marketing” in the Privacy Rule to specify activities that constitute PHI marketing;
  • Clarifying that a business associate is not making a permitted use or disclosure under the Privacy Rule if it does not apply the “minimum amount necessary” standard, where appropriate; and
  • Requiring covered entities to obtain authorization from an individual for any disclosure of the individual’s PHI in exchange for direct or indirect remuneration, subject to exception, including exchanges for public health activities.

In addition to the changes to the HIPAA Rules, HHS announced changes to its breach notification website that are intended to provide consumers with more information regarding breaches involving PHI and ongoing breach investigations.

The Federal Register Notice was published on July 14, 2010. Comments can be filed with HHS through September 13, 2010.

Karen Neuman to Discuss Risks & Best Practices for Local Government Use of Social Media
SLRN&O founding Partner Karen L. Neuman will share her perspectives on emerging legal issues and risks associated with local government use of social media at the national NATOA meeting September 29-October 1, 2010 in Washington, D.C. In addition to focusing on key First Amendment issues, Karen will discuss how use of social media tools can trigger state open meetings and public records laws, and raise privacy concerns. Karen will also offer some strategies for minimizing risk in the evolving legal environment.

Copyright © 2010 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington, D.C. 20036