St. Ledger-Roty & Olson LLP

PRIVACY & INFORMATION LAW UPDATE
December 2012
A bimonthly update of trends and developments in privacy law & policy

Karen Neuman, Editor

  • You are receiving this publication because of your interest in privacy and data security. It is for informational including advertising purposes only and not a substitute for legal advice.

In this Issue:
FEATURE ARTICLE:
“Don’t Stop Thinking About Tomorrow”
2013 Privacy Law Trends
FTC Approves Amendments to COPPA Rule
FTC Seeks Information from Data Brokerage Companies About Data Collection & Use Practices
FTC Asked to Investigate Children’s Apps
Senate Judiciary Committee Approves Revised Version of Location Privacy Protection Act
Fifth Circuit Rules that Personal Cell Phone is not a 'Facility' Under Stored Communications Act
Developers & Platforms Beware: California Attorney General Files Suit Against Delta Airlines for Privacy Violation
FCC Rules Confirming Opt-Out Texts Do Not Violate TCPA

INTERNATIONAL DISPATCHES:
Article 29 Working Party Announces Launch of Binding Corporate Rules for Processors
EU Data Protection Supervisor Issues Opinion on Cloud Computing in Europe
French Data Protection Authority Publishes English Language Compliance Guides

UPDATES:
Senate Approves Data Sharing Amendment to VPPA
New Jersey Bars Access to Student Personal Accounts
FTC Clarifies Definition of “Creditor” In Red Flags Rule
California Supreme Court to Consider Application of Song-Beverly to Online Transactions

FEATURE ARTICLE:

“Don’t Stop Thinking About Tomorrow”
  2013 Privacy Law Trends

By Karen Neuman

The body of global law that governs the handling and securing of personal information continued to expand in 2012, topping the list of concerns for general counsel and senior management. This trend will continue in 2013, posing complex challenges for early-stage ventures with limited budgets as well as established companies with greater resources.

FTC Approves Amendments to COPPA Rule
By Karen Neuman

On December 19, 2012 the FTC announced that it approved final amendments to the Children’s Online Privacy Protection Act (COPPA) Rule. The final rule becomes effective July 1, 2013. It will significantly expand COPPA’s reach, subject many businesses to its notice, consent and other requirements and create unique challenges for new ventures, including app developers. The FTC’s announcement concludes a lengthy process during which it sought multiple rounds of comments and issued numerous proposed changes to the current version of the rule.1

FTC Seeks Information from Data Brokerage Companies About Data Collection & Use Practices
By Karen Neuman

On December 18, 2012 the Federal Trade Commission announced that it is studying the data collection and use practices of nine data brokers. The agency issued orders to the companies asking them to provide information about:

FTC Asked to Investigate Children’s Apps
By Karen Neuman

A pair of recently filed complaints with the FTC alleging violations of the Children’s Online Privacy Protection Act (COPPA) Rule demonstrates that companies that create and serve digital content to children must be familiar with the Rule’s requirements and remain vigilant about ensuring that their privacy policy representations are consistent with their actual data collection, sharing and use practices.

Senate Judiciary Committee Approves Revised Version of Location Privacy Protection Act
By Karen Neuman

On December 13, the Senate Judiciary Committee approved a revised version of S. 1223, the Location Privacy Protection Act of 2011, introduced by Al Franken (D-MN), Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. While fiscal cliff concerns have effectively paralyzed Congress, this measure should be seen as a framework for addressing mobile privacy in the new Congress.

Fifth Circuit Rules that Personal Cell Phone is not a 'Facility' Under Stored Communications Act
By Karen Neuman and Seth Williams*

On December 12, 2012, the United States Court of Appeals for the Fifth Circuit ruled in Garcia v. City of Laredo1 that the Stored Communications Act (SCA)2 does not apply to data stored in a personal cell phone. The Court’s holding is consistent with other court rulings and continues the distinction between “providers” and “users” of facilities that courts have drawn in determining the scope of facilities under the SCA. In reaching its decision, the Court rejected the Plaintiff’s claim that her employer, the City of Laredo, Texas, unlawfully accessed text messages and images stored on her cell phone.

Developers & Platforms Beware: California Attorney General Files Suit Against Delta Airlines for Privacy Violation
By Karen Neuman

On December 6, 2012, California Attorney General Kamala Harris filed suit against Delta Airlines, Inc. in San Francisco Superior Court for failing to post a privacy policy within its “Fly Delta” mobile app in violation of the California Online Privacy Protection Act (Act). The lawsuit is the first legal action filed by Harris’s office for noncompliance with the Act. Delta was among the companies that were sent notices by Harris giving them 30 days to conspicuously post a privacy policy within their mobile apps about what personally identifiable information is collected by the app and how it will be used.

FCC Rules Confirming Opt-Out Texts Do Not Violate TCPA
By Karen Neuman

On November 29, 2012 the Federal Communications Commission (FCC) issued a declaratory ruling stating that businesses that send a one-time text message to confirm receipt of a consumer’s request to opt out of receiving text messages do not violate the Telephone Consumer Protection Act (TCPA).1 The ruling eliminates the threat of class actions -- hundreds of which have already been brought against a wide range of consumer product companies for sending such messages since the TCPA was enacted. The ruling also effectively validates the best practices of the Mobile Marketing Association and the Cellular Telecommunication Industry Association, which call for sending a confirmatory text message in response to a consumer's opt-out request. The ruling is limited to instances where the consumer originally gave the sender prior consent to receive text messages and where those messages:

INTERNATIONAL DISPATCHES

Article 29 Working Party Announces Launch of Binding Corporate Rules for Processors

On December 21 the European Commission’s Article 29 Working Party announced the launch of Binding Corporate Rules (BCRs) for data processors. The BCRs will serve as internal codes of conduct that govern transfers of personal data outside the European Union by a processor who acts on behalf of and under the instructions of data controllers. The beneficiaries of these BCRs will be entities that perform high-volume data processing for EU data controllers that transfer data outside the EU. Approved BCRs will eliminate the need for processors to negotiate adequate protections for data transfers outside the EU in each processing contract. Data processors will be required to seek the approval of data protection authorities through a process similar to the one already in place for data controllers. The BCRs take effect January 1, 2013.

EU Data Protection Supervisor Issues Opinion on Cloud Computing in Europe

On November 16 Peter Hustinx, the European Data Protection Supervisor (EDPS), issued an opinion addressing the impact of the proposed EU Data Protection Regulation on cloud computing services that involve the storage of personal data on servers or in data centers located outside the EU. The opinion is the latest in a series of recent policy initiatives to accelerate the adoption of cloud computing in Europe in order to realize the economic benefits of cloud services and establish Europe as a global destination for safe and secure computing.

French Data Protection Authority Publishes English Language Compliance Guides

On November 14 the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (CNIL), released English-language versions of its security and privacy risk management guides. According to the news release, the guides consist of a privacy risk management methodology and a catalogue of measures that help organizations choose the appropriate controls to protect their personal data processing operations. The guides can be accessed on the CNIL’s website. They provide practical guidance on data retention, management and security.

UPDATES

Senate Approves Data Sharing Amendment to VPPA

On December 20, 2012 the U.S. Senate approved amendments to the Video Privacy Protection Act (VPPA) to make it easier for consumers to share their video-viewing preferences and habits online, including over social media. If enacted, video rental and streaming providers like Netflix, Hulu, Amazon, and YouTube would be permitted to share information on Facebook, Twitter, and other social media about what movies a customer rented or watched with that customer’s blanket consent. Netflix had been strongly lobbying for this change since it announced the integration of its video rental and streaming service with Facebook on September 22, 2011. Since that time, Netflix users in every country except the United States had been able to share with their friends over Facebook what videos they watched on Netflix. Netflix had contended that the VPPA prevented it from offering this feature in the U.S. As we reported previously, the amendments were passed in the House in 2011.

New Jersey Bars Access to Student Personal Accounts

On December 3 a new law took effect in New Jersey that prohibits both public and private college and university officials from requiring students or applicants to grant access to personal online accounts or services offered through electronic communications devices. The law also prohibits officials from retaliating against a student or applicant for their refusal to grant access and from “inquiring in any way” about whether a student or applicant has an online profile or social media account. Unlike other states that have enacted similar laws, the New Jersey statute contains an anti-waiver provision and does not provide a law enforcement exception. The law contains a private right of action for injunctive and monetary relief.

FTC Clarifies Definition of “Creditor” In Red Flags Rule

On November 30, 2012, the Federal Trade Commission announced that it issued an interim final rule that clarifies the definition of “creditor” in the Red Flags Rule (Rule) to align it with the definition of the term in the Red Flag Program Clarification Act of 2010 (Act). As we reported previously, the Act was intended to end uncertainty about the Rule’s application.

California Supreme Court to Consider Application of Song-Beverly to Online Transactions

The California Supreme Court is poised to rule on a key issue involving the state’s “zip code privacy” law. As we reported previously, two years ago the Court ruled in Pineda v. Williams Sonoma Stores that the Song-Beverly Credit Card Act of 1971 (Song-Beverly) prohibits the collection and recording of customer zip code data by brick-and-mortar merchants as a condition of accepting payment during credit card transactions. Pineda resulted in a flood of lawsuits against a wide variety of retailers, and prompted retail gas stations to successfully seek a statutory exemption to the law. In 2011 a state trial court refused to dismiss actions against Apple, e-Harmony and Ticketmaster for alleged Song-Beverly violations, and the California Court of Appeals affirmed. The Complaints alleged that the companies collected address information from consumers during online credit card transactions involving purchases that did not need to be shipped, making the collection of zip codes unnecessary to complete the transactions. In its Petition for Review Apple contends that the plain language of Song-Beverly demonstrates that it does not apply to online retailers and that any finding to the contrary would defeat the law’s purpose, which is to prevent fraudulent transactions.


FEATURE ARTICLE:

“Don’t Stop Thinking About Tomorrow”
2013 Privacy Law Trends

By Karen Neuman

The body of global law that governs the handling and securing of personal information continued to expand in 2012, topping the list of concerns for general counsel and senior management. This trend will continue in 2013, posing complex challenges for early-stage ventures with limited budgets as well as established companies with greater resources.

Now is the time to anticipate and plan for the following trends:

Mobile Privacy. In 2012 mobile apps faced heightened scrutiny by authorities, privacy advocates and class action lawyers. Earlier this year California Attorney General Kamala Harris announced the adoption of a Joint Statement of Principles that will, at a minimum, require apps to adopt and adhere to privacy policies. In August Harris created a privacy and e-crimes unit within the state’s Justice Department. It is widely anticipated that other states will follow California’s lead. This month Harris filed suit against Delta Air Lines for its failure to include within its mobile app a privacy policy that complies with the state’s online privacy law.

The National Telecommunications and Information Administration (NTIA) launched proceedings to develop industry self-regulatory privacy codes for mobile apps as part of the Administration’s broader consumer privacy plan to develop similar codes for other sectors. While the process has been contentious, it appears that the codes, which will be subject to FTC enforcement, will build on the recommendations in the FTC’s Privacy Report for improved consumer disclosures and greater privacy choices and controls for users of mobile services. Together, the Privacy Report and the self-regulatory codes can be expected to provide a useful roadmap for the privacy class action bar.

Meanwhile, the Federal Communications Commission issued a Public Notice soliciting comments about how wireless service providers store user data on their mobile devices and how existing privacy and security requirements apply to that information. Such notices are typically the first step in a process that culminates in new regulations. In the waning days of the 112th Congress the Senate approved a location tracking measure that would impose stringent obligations on mobile apps and the platforms on which they are made available. This measure is likely to be the starting point when the new Congress takes up location privacy in the new session.
In light of these developments, companies should be prepared for heightened scrutiny of mobile privacy practices in 2013, particularly in the following contexts:

  • Children. 2012 saw numerous enforcement and other actions involving children’s mobile privacy. This past summer, the New Jersey Attorney General sent a vivid reminder to businesses that the FTC is not the only sheriff in town when it comes to COPPA enforcement by settling charges against an operator of a children’s mobile education app for unlawfully collecting children’s personal information, including location data. The recently released FTC report on children’s privacy and mobile apps reveals that the agency is investigating whether to initiate additional actions against children’s apps and the platforms over which they are made available. The agency’s settlement of a COPPA action against the developer of a children’s mobile app that collected personal information, including location data, seems to be an opening salvo. In addition to initiating its own investigations of children’s apps, the FTC has been responsive to privacy advocates’ petitions to launch inquiries into children’s apps for alleged COPPA violations.

    All of the foregoing activity occurred in the broader context of FTC proceedings to update the COPPA rule. On December 19, the FTC approved long anticipated amendments to the Rule, which are intended to address perceived privacy threats arising from new ways that children access and interact with new and emerging digital products and services, particularly over mobile devices. Businesses that were already subject to COPPA will now face more stringent requirements in order to remain compliant, and organizations that may have been beyond COPPA’s reach may be surprised to discover that they are subject to its regime. Child directed sites will no longer be able to escape liability for the collection of children’s data by third-party service providers. Moreover, these providers will be held strictly liable for knowingly collecting children’s data, through or on behalf of operators of sites, apps or online services directed to children, whether or not these providers themselves target children. All of these developments should be seen as the beginning of a coordinated enforcement strategy that will broadly target developers, platforms and service providers that integrate apps into their products and services, irrespective of whether these sites and services are directed to children.

  • Mobile Payments. The growing use of smartphones for payments and related transactions attracted the attention of state and federal regulators and raised questions about potential gaps in data privacy and security laws and regulations governing the collection of personal information during these transactions. During the summer a Federal Reserve Bank Working Group issued a summary of findings about legal and regulatory gaps in U.S. law governing mobile payments. Action items include educating key regulators to assist in creating an appropriate regulatory framework. This month the Federal Deposit Insurance Corporation issued a report that highlights unique risks involving the adequacy of consumer disclosures, privacy legal protections and related risks associated with the interactions of various entities in the mobile payments ecosystem. These entities include app developers, handset manufacturers, network operators and nonbank entities. The potential for nonbank entities to encroach on the market share of banks and other traditional financial services institutions raises questions about whether and to what extent the new entities are subject to existing data protection laws and regulations. The Consumer Financial Protection Board may address these questions; banks that may be unwilling to cede direct access to customer data that can be used to market new products and services may well support any resulting initiatives. Accordingly, entities in the mobile payments ecosystem that may be unfamiliar with the regulatory environment in which financial institutions operate should plan for previously unanticipated compliance costs and obligations, as well as more vigorous oversight of their contractual relationships with banks and other traditional payment providers.

    At the same time, all stakeholders in the mobile payments ecosystem will have to ensure that third-party service provider agreements include appropriate confidentiality and data security provisions, clarify data ownership, and contain strong prohibitions against using customer data for purposes other than those for which it was collected.

  • Connected Environments. Connected environments are fully integrated platforms that use communications technologies and networks to provide digital products and services within those environments through various devices and applications. Examples include management of home energy consumption through smart grid applications and devices embedded in appliances and utility meters that are connected to customers’ mobile devices; cloud and software-enabled infotainment, diagnostics and payment systems in automobiles paired with smartphones; automation, security and entertainment connectivity in dwellings and offices; and, in light of recent FCC action to ease restrictions on in-flight Internet access, potentially commercial aircraft. Embedded geolocation technologies in apps that reside on connected consumer devices, or on the platforms themselves, expose all providers in these environments to a patchwork of state and federal privacy laws, investigative tools, and industry self-regulatory enforcement programs. In light of perceptions that these existing regimes do not adequately address evolving privacy and data security issues, authorities are considering whether new laws or regulations are required. For example, the Department of Energy’s Smart Grid Privacy Task Force announced a multi-stakeholder process to develop a voluntary industry code for utilities and third parties who provide consumer energy services. The outcome of the FCC Public Notice and NTIA privacy multistakeholder process discussed above will impact platforms and providers in connected environment ecosystems. Further, the corresponding use of cloud computing to store and access user data collected in these environments will require privacy and data protection terms that reflect their unique attributes.

  • Remote Health Care. Companies continue to develop and offer innovative health care solutions, including remote health monitoring that can be used in such diverse settings as the home or automobile. While not subject to HIPAA, these companies may be surprised to find that they are subject to the patchwork of state and federal law that generally protects sensitive data. Once triggered, these laws can result in unwanted attention from the media, privacy advocates and privacy lawyers, as well as investigations by federal authorities. Recent actions by state and federal regulators involving app developers and peer-to-peer file sharing over mobile devices demonstrate that authorities are acting to promote these services while aggressively ensuring that they are provided within a robust legal framework that protects health data. A comprehensive understanding of applicable law will be essential to formulating risk management strategies in this evolving sector.

Cloud Computing. As data storage continues to migrate to the cloud, new types of cloud computing services will be offered, including hybrid public/private clouds and “personal” cloud storage solutions. These developments will require a thoughtful approach to negotiating contract terms that adequately address data ownership and control, cross-border legal frameworks, quality of service commitments, meaningful recourse for catastrophic loss, outages and security lapses, and physical location of servers. Many cloud storage service agreements favor the service provider while lacking important protections for the businesses that use these services. Organizations should be fully prepared to negotiate for something other than a “take it or leave it” arrangement with their provider. Doing so will require a comprehensive understanding of how the global body of applicable law imposes and allocates risk.

Cybersecurity. Increasingly sophisticated tactics are being used by cybercriminals and organized state actors to pose threats to critical infrastructure and capture and misuse consumer data. These tactics are partially enabled by certain behavioral and technological changes, including the move from company-issued devices to bring your own device (BYOD) workplace practices (although many companies lack adequate BYOD policies); employee use of social networks in the workplace; the digital, interconnected economy; and the use of cloud computing for off-shore data processing. It is widely anticipated that President Obama will issue an Executive Order modeled after the Cybersecurity Act of 2012 that was defeated by Senate Republicans. The measure would have incentivized operators of critical infrastructure to adhere to data security best practices and granted the Department of Homeland Security oversight powers to implement the bill’s recommendations. Congress’s failure to pass cybersecurity legislation does not mitigate businesses’ exposure to civil liability and enforcement of state and federal data security and breach laws.

Absent a modern, unified cybersecurity law framework, companies will have to manage cybersecurity risks by implementing such measures as negotiating for appropriate provisions in commercial agreements and developing incident response plans that comply with U.S. and international law -- including, in some jurisdictions, implementing plans in the event of suspected, as opposed to actual, incidents. General Counsel and senior management will need to monitor ongoing policy developments and be thoroughly familiar with existing U.S. and international laws and regulations.

Cross Border. 2012 saw the adoption of comprehensive privacy and data security laws across the globe. This trend was driven in part by the pervasiveness of digital technology in commerce and daily life, and the fact that countries are vying to attract investment by becoming trusted destinations for data storage and processing services. While the effect has been the elimination of borders for users of technology, the response has been an explosion of global privacy and data security laws. Inconsistencies in these laws, and their application, will pose challenges for companies that collect and transfer data in and among multiple jurisdictions. In addition, proposed amendments to the EU Privacy Directive will require businesses to prepare for the eventual adoption of the new regime. Although the law will result in greater legal certainty for U.S. businesses, the proposed framework will create new rights and obligations, and includes a number of changes that could significantly impact how US companies collect, retain and use EU citizens’ data. More power will be granted to local data protection authorities, including the power to impose significant fines for noncompliance. It appears that the amendments may not take effect until 2014. Meanwhile, member states continue to update and enforce their data privacy laws, including against U.S. based companies.



FTC Approves Amendments to COPPA Rule
By Karen Neuman

On December 19, 2012 the FTC announced that it approved final amendments to the Children’s Online Privacy Protection Act (COPPA) Rule. The final rule becomes effective July 1, 2013. It will significantly expand COPPA’s reach, subject many businesses to its notice, consent and other requirements and create unique challenges for new ventures, including app developers. The FTC’s announcement concludes a lengthy process during which it sought multiple rounds of comments and issued numerous proposed changes to the current version of the rule.1

There are no surprises -- with the following notable exceptions: 1) it retains the “email plus” method of obtaining parental consent, and 2) as explained more fully below, it imposes “actual” instead of the proposed “constructive” knowledge on operators of general audience sites, apps and online services that collect information from users who are under 13.

Key changes include:

  • Expanding the definition of personal information to include:
    • Geolocation data if it is “sufficient to identify a child’s street name and name of a city or town”.
    • Videos, photos and audio files that contain images or voices.
    • Persistent identifiers, including IP addresses, if they “can be used to recognize a user over time and across different websites or other online services” or to create user profiles for behavioral targeting. The rule excludes persistent identifiers used solely to support internal operations. The definition of “support for internal operations” is limited to certain specified uses.
    • Screen names that function in the same manner as other online contact information.
  • Expanding the definition of “Operator” to include third parties, such as ad networks or plug-ins that collect personal information from children who are under 13 through child directed sites and services if they have actual knowledge that the site is directed to children.
    • Operators of child-directed sites and online services that integrate these third party services are strictly liable for COPPA compliance as a result of the activities of these third parties even if these sites do not collect personal information from children who are under 13.
  • Expanding the test used to determine whether a website or online service is “directed to children” to include the presence of musical content, child celebrities or celebrities who appeal to children. The new test appears to be in line with the recent COPPA enforcement actions, including one involving Artists Arena, an operator of several children’s fan websites.
  • Recognizing “mixed audience” or “family” sites. Where these sites do not target children as a primary audience, an operator may implement COPPA-compliant age screening and obtain parental consent where a child self-identifies as being under 13. Operators of these sites will have to determine if they want to implement age screening, which will require an informed understanding of permissible methods and accompanying risk.
  • Requiring enhanced direct parent notices that contain specified information, and encouraging more streamlined privacy notices.
  • Imposing new data security requirements that only permit covered operators and services to share or disclose children’s personal information to third parties after taking “reasonable steps” to ascertain that third parties are capable of keeping it secure and confidential.
  • Requiring covered sites and services to adopt “reasonable” data retention and deletion procedures.
  • Implementing a process for companies that wish to use “innovative” methods for obtaining parental consent that take advantage of emerging technology, including digital signatures and “common consent”. These methods will be subject to the FTC’s review and approval process, which will include a public comment period.
    • Existing methods of obtaining parental consent appear to have been clarified. For example, the credit card method must provide “notification of each discrete transaction to the primary account holder.” This method has been expanded to include other online payment methods.

What it means for Business:

The rule’s amendments are already being criticized as adding new ambiguities to a regulatory framework that has long been regarded as unnecessarily complex and a barrier to entry for many new ventures. Some of these ambiguities may be addressed by the FTC in the form of updated FAQs. In announcing the final rule, however, the FTC chairman made clear that the agency intends to educate both consumers and business through vigorous enforcement actions with remedies that will include fines.

Child directed sites and services that don’t collect personal information from children who are under 13 but rely on third party service providers that collect under-13 data through these sites will now have to comply with COPPA’s notice and consent requirements.

In addition, a principal focus of the FTC in this proceeding involved mobile devices and how children use those devices to access and interact with online sites and services, including mobile apps, games and social media. Developers who incorporate software from multiple sources will now be subject to new COPPA obligations that may require modifying existing agreements.

The new rule applies to specific categories of operators of online websites, apps and services identified above. If your site or service potentially falls into one of these categories, you should, at a minimum, undertake a thorough and informed review of the new rule to determine its potential impact on your business (including your current COPPA compliance strategy), and devise and implement appropriate measures.


1 The agency accelerated its statutorily required review of the rule in 2009 to address the rapid adoption of, and children’s access to, interactive technologies, particularly mobile and social networking technologies. The FTC sought comments on proposed changes and, in response to them, issued a Notice of Supplemental Rulemaking on a further revised rule.




FTC Seeks Information from Data Brokerage Companies About Data Collection & Use Practices
By Karen Neuman


On December 18, 2012 the Federal Trade Commission announced that it is studying the data collection and use practices of nine data brokers. The agency issued orders to the companies asking them to provide information about:

  • the nature and sources of the consumer information the data brokers collect;
  • how they use, maintain, and disseminate the information; and
  • the extent to which the data brokers allow consumers to access and correct their information or opt out of having their personal information sold.

Earlier this year the FTC called on the data broker industry to improve the transparency of its practices as part of the FTC's report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. The Report establishes a voluntary framework to protect consumer data for businesses engaged in behavioral advertising. The framework recommends best practices that include adopting “privacy by design,” consumer control, and increased transparency for the collection and use of consumer data. The Report noted that while data brokers collect, maintain, and sell “a wealth” of information about consumers, they often do not interact directly with consumers. Rather, they gather information from a wide variety of public records and purchase information from other companies, which is then sold (or used to create profiles) for marketing and other purposes.

The FTC’s inquiry occurs as the industry is being closely scrutinized for how it compiles and discloses personal information. In June, the FTC fined Spokeo, Inc., a data broker, for compiling and selling people’s personal information for use by potential employers in screening job applicants in violation of the Fair Credit Reporting Act.1 Earlier this year the House Privacy Caucus and Senate Commerce Committee sent separate letters to data broker companies seeking information similar to that being sought by the FTC.

Responses to the FTC’s orders are due February 1, 2013. According to the press release, they will be used to make recommendations on whether and how the data broker industry could improve its privacy practices.


1 15 U.S.C. § 1681 et seq.



FTC Asked to Investigate Children’s Apps
By Karen Neuman


A pair of recently filed complaints with the FTC alleging violations of the Children’s Online Privacy Protection Act (COPPA) Rule demonstrates that companies that create and serve digital content to children must be familiar with the Rule’s requirements and remain vigilant about ensuring that their privacy policy representations are consistent with their actual data collection, sharing and use practices.

On December 17, 2012 the Center for Democracy and Technology (CDT) filed a complaint with the Federal Trade Commission asking it to investigate the privacy practices of the children’s cable network Nickelodeon and Playfirst, a San Francisco-based game developer. The complaint alleges that Nickelodeon and Playfirst violated the Children’s Online Privacy Protection Act (COPPA) Rule and engaged in deceptive practices in violation of the Federal Trade Commission Act.

Playfirst developed an app for Nickelodeon that integrates characters from Nickelodeon’s SpongeBob SquarePants program into Playfirst’s “Diner Dash” app. The app was launched in 2012 and was available in the iTunes store until Nickelodeon pulled it following the filing of the complaint. According to the complaint, the app asks children who are under 13 years old to provide their full name, email address and other online contact information without first seeking and obtaining verifiable parental consent, in violation of the COPPA Rule. The app also allegedly fails to provide a COPPA-compliant privacy notice informing parents about what information is collected from their children and how the information is used. In addition, although the app is free to download and the game can be played for free, players are encouraged to buy virtual coins that can be used to purchase certain items, or to pay for a premium version of the game. The complaint also alleges that the app uses unique device identifiers (UDIDs) and device “tokens” that permit companies to unlawfully send custom messages to individual children. Persistent identifiers such as UDIDs are personal information under the just-revised COPPA Rule.

Just one week earlier, the Center for Digital Democracy (CDD) filed a similar complaint against Mobbles Corporation, operator of the children’s game “Mobbles”, which involves capturing, collecting, trading and caring for virtual pets. The game is available in the iTunes and Google Play stores. The complaint alleges that Mobbles is directed at children who are under 13 and collects personal information from them without first obtaining parental consent. That information includes physical address and online contact data as well as location-based data that is used to determine and share the physical location of children who play the game.

The filing of these complaints coincides with the FTC’s heightened and well-publicized focus on children’s mobile privacy. As we reported here and here, the agency has made good on its promise to vigorously enforce COPPA, including against apps and their developers. Moreover, the FTC’s report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, indicates that the agency remains troubled by the privacy practices of apps since it issued a report in 2011 that examined the same issues. The report signaled that additional enforcement actions involving children’s mobile privacy may be coming. In this context, it should come as no surprise that the recently amended COPPA Rule gives the agency tools to enforce COPPA as even very young children access and interact with ever-evolving technology. Accordingly, companies can expect children’s mobile privacy to be a priority in the new year.



Senate Judiciary Committee Approves Revised Version of Location Privacy Protection Act
By Karen Neuman

On December 13, the Senate Judiciary Committee approved a revised version of S. 1223, the Location Privacy Protection Act of 2011, introduced by Senator Al Franken (D-MN), Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. While fiscal cliff concerns have effectively paralyzed Congress, this measure should be seen as a framework for addressing mobile privacy in the new Congress.

An earlier version of the bill would have imposed civil penalties on businesses for the nonconsensual collection of personal information from mobile devices, including smartphones, tablets, laptops and in-vehicle navigation devices. The measure approved by the Committee requires companies to obtain a user’s consent prior to collecting or sharing mobile location data. It also bans mobile apps that secretly monitor a user’s location. Franken had pushed for inclusion of the ban to address so-called “stalking apps” and their use by abusers in domestic violence cases. The revised measure contains some exceptions, including for law enforcement and to help parents locate a missing child and receive certain notifications. And, in apparent recognition that users interact with multiple mobile devices, the bill authorizes a one-time opt-in for the collection and sharing of location-based data, so that users need not consent each time their data is collected and shared.

The Act contains a private right of action and would also be enforced by the Department of Justice and State Attorneys General. It would not preempt more stringent state laws.



Fifth Circuit Rules that Personal Cell Phone is not a 'Facility' Under Stored Communications Act
By Karen Neuman
and Seth Williams*

On December 12, 2012, the United States Court of Appeals for the Fifth Circuit ruled in Garcia v. City of Laredo1 that the Stored Communications Act (SCA)2 does not apply to data stored on a personal cell phone. The holding is consistent with other rulings and continues the distinction between “providers” and “users” that courts have drawn in determining what counts as a “facility” under the SCA. In reaching its decision, the court rejected the plaintiff’s claim that her employer, the City of Laredo, Texas, unlawfully accessed text messages and images stored on her cell phone.

The SCA provides in relevant part:3

Whoever:

(1) Intentionally accesses without authorization a facility through which an electronic communication service is provided;

(2) or intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section. (emphasis added).

Garcia was a former police dispatcher who was fired after a police officer's wife removed Garcia's phone from an unlocked locker and discovered text messages and images on it that violated department policy. On appeal, Garcia argued that the District Court erred in granting summary judgment for the defendants on the ground that the SCA did not apply to the texts and images kept on her phone.4 The Fifth Circuit affirmed, concluding that Garcia’s cell phone was not a “facility” and that its contents were not in “electronic storage.”

While the SCA does not define the term "facility," courts have routinely interpreted the statute to apply to the facilities operated by electronic communication service providers such as telephone companies, Internet or e-mail service providers, and electronic bulletin boards but not end users.5

Consistent with that reading, courts have held that an individual's computer, laptop, or mobile device is not a “facility” under the SCA.6 For example, in iPhone Application, the court noted that accepting plaintiffs' argument that their iPhones constituted a facility would render the SCA illogical, because another section of the statute authorizes providers of an electronic communication service to grant access to a facility.7 Interpreting the term facility to include a mobile device would therefore have the bizarre effect of allowing service providers to grant third-party access to an individual's home computer, laptop, or mobile device.8

The Garcia Court’s analysis adds to the growing number of courts distinguishing between providers and users when interpreting the SCA’s reach. Thus, the Court observed that "'the relevant 'facilities' that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic storage.'"9

The Court also rejected Garcia's claim that the texts and images on her cell phone were in electronic storage. The SCA punishes unauthorized access of electronic communication "while it is in electronic storage."10 Under the SCA "electronic storage" means wire or electronic communication in either "temporary, intermediate storage [...] incidental to the electronic transmission" or storage "by an electronic communication service for the purpose of backup protection."11

Again, courts have relied on the distinction between providers and users in interpreting electronic storage under the SCA. "Information that an internet or email provider stores to its servers, information stored with a telephone company, and information maintained by an electronic bulletin board operator — if such information is stored temporarily pending delivery or for purposes of backup protection — are examples of protected electronic storage under the statute."12 On the other hand, information stored on a personal cell phone does not fall under the statutory definition of "electronic storage," according to the Fifth Circuit. "An individual's personal cell phone does not provide an electronic communication service just because the device enables use of electronic communication services [...]. Accordingly, the text messages and photos stored on Garcia's phone are not in 'electronic storage' as defined by the SCA and are thus outside the scope of the statute."13

The provider/user distinction drawn by courts construing the SCA highlights the difficulty of assessing data security and privacy risks and obligations in this context. Users access, interact with and retain vast amounts of data over its life cycle, regardless of whether it is kept on their own device or hard drive or on an ISP’s or e-mail provider's servers. Users often make no distinction between an image stored in e-mail on a provider's servers and the same image downloaded to their computer, laptop, or mobile device, but as Garcia makes clear, the SCA does not protect data stored on an individual’s cell phone.


*Seth is a recent graduate of the Indiana University Maurer School of Law who interned at the Federal Communications Commission. Currently awaiting admission to the bar, Seth has also written about the potential impact of the Performance Rights Act on student radio stations.

1 No. 11-41118, 2012 LEXIS 25370, (5th Cir. 2012).
2 18 U.S.C. §2701 (2012).
3 §2701(a).
4 Garcia alleged violations of the Fourth Amendment, the SCA, and the Texas Constitution and alleged an invasion of privacy tort before the District Court, but raised only the alleged violation of the SCA in her appeal. Garcia, 2012 LEXIS 25370 at *4-5 n.2.
5 See Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2004) (holding that messages stored on an ISP server are covered by SCA regardless of whether the messages have been delivered); Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994) (holding that the SCA applied to computers used to operate an electronic bulletin board system); see also Crispin v. Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010) (holding private messages transmitted over social network sites are protected from discovery under the SCA).
6 See United States v. Steiger, 318 F.3d 1039 (11th Cir. 2003); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1057-58 (N.D. Cal. 2012) (holding plaintiffs' iPhones did not fall under the SCA because the cell phones did not constitute facilities); see also Freedom Banc Mortg. Servs., Inc. v. O'Harra, No. 2:11-cv-01073, 2012 WL 3862209 (S.D. Ohio 2012).
7 § 2701(c)(1).
8 iPhone Application, 844 F. Supp. 2d at 1058.
9 Garcia at *9, quoting Freedom Banc, 2012 WL 3862209, at *9.
10 § 2701(a).
11 18 U.S.C. § 2510(17) (2012) (emphasis added).
12 Freedom Banc, 2012 WL 3862209 at *22 (citing Steiger, 318 F.3d at 1049).
13 Garcia, 2012 LEXIS 25370 at *11-12.



Developers & Platforms Beware: California Attorney General Files Suit Against Delta Air Lines for Privacy Violation

By Karen Neuman

On December 6, 2012, California Attorney General Kamala Harris filed suit against Delta Air Lines, Inc. in San Francisco Superior Court for failing to post a privacy policy within its “Fly Delta” mobile app, in violation of the California Online Privacy Protection Act (Act). The lawsuit is the first legal action filed by Harris’s office for noncompliance with the Act. Delta was among the companies that were sent notices by Harris giving them 30 days to conspicuously post a privacy policy within their mobile apps describing what personally identifiable information is collected by the app and how it will be used.

Customers who download the app can use it to view reservations, check in and track checked baggage. According to the complaint, the app collects personal information including a user’s name, gender, date of birth, phone number, frequent flyer account number, geolocation information and, in some instances, photos. Although Delta’s website posts a privacy policy, the complaint alleges that the site’s policy fails to refer to the Fly Delta app and, in any event, is not reasonably accessible to the app’s users.

The Complaint seeks injunctive and monetary relief, including asking the court to prohibit Delta from making the app available until it complies with the Act and impose penalties of up to $2,500 for each time the app is downloaded without a compliant privacy policy.

This action comes on the heels of agreements reached earlier this year with a number of mobile app and social media platform operators, including Amazon, Apple, Facebook, Google and RIM, to bring their privacy practices into compliance with the Act.

A clear takeaway is that disclosures about mobile app data collection and use in a company’s website privacy policy alone do not comply with the letter of the law. This lawsuit, together with Harris’s focus on mobile app privacy since the creation of California’s new privacy enforcement unit, indicates that Harris intends to make compliance with the Act a top priority. Other enforcement actions are likely to follow. Companies should familiarize themselves with the Act to make sure their privacy practices comply with it.



FCC Rules Confirming Opt-Out Texts Do Not Violate TCPA
By Karen Neuman


On November 29, 2012 the Federal Communications Commission (FCC) issued a declaratory ruling stating that businesses that send a one-time text message to confirm receipt of a consumer’s request to opt out of receiving text messages do not violate the Telephone Consumer Protection Act (TCPA).1 The ruling eliminates the threat of class actions -- hundreds of which have already been brought against a wide range of consumer product companies for sending such messages since the TCPA was enacted. The ruling also effectively validates the best practices of the Mobile Marketing Association and the Cellular Telecommunications Industry Association, which call for sending a confirmatory text message in response to a consumer's opt-out request. The ruling is limited to instances where the consumer originally gave prior consent to the sender to receive text messages and where the confirmatory messages:

  1. merely confirm the consumer’s opt-out request and do not include any marketing or promotional information;
  2. are the only additional message sent to the consumer after receipt of the opt-out request; and
  3. are sent within five minutes of the consumer’s opt-out request.
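The three conditions above translate directly into rules that a messaging platform has to enforce in software. The following Python sketch is an added illustration, not part of the FCC’s ruling, SoundBite’s system or this Update: it uses a constant, non-promotional confirmation template (condition 1), a per-subscriber flag so that exactly one confirmation is ever sent (condition 2), a five-minute window measured from receipt of the opt-out rather than from when a backlog is finally processed (condition 3), and a suppression check that blocks any further marketing text. The opt-out keywords, program name and phone numbers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Condition 3: the confirmation must go out within five minutes of the request.
CONFIRM_WINDOW = timedelta(minutes=5)
# Assumed opt-out keywords (industry convention; a real program lists its own).
STOP_KEYWORDS = {"STOP", "END", "CANCEL", "UNSUBSCRIBE", "QUIT"}
# Condition 1: a constant template with no promotional content, so nothing can be appended.
CONFIRM_TEMPLATE = "You are unsubscribed from {program} alerts. No further messages will be sent."


@dataclass
class Subscriber:
    number: str
    consented: bool                       # prior express consent to receive texts
    opted_out_at: Optional[datetime] = None
    confirmation_sent: bool = False       # condition 2: at most one message after opt-out


@dataclass
class OptOutHandler:
    program: str
    subscribers: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # (number, text, kind, sent_at) tuples

    def add_subscriber(self, number: str, consented: bool) -> None:
        self.subscribers[number] = Subscriber(number, consented)

    def handle_inbound(self, number: str, text: str, received_at: datetime,
                       now: Optional[datetime] = None) -> Optional[str]:
        """Process an inbound SMS; return the confirmation text sent, or None.

        received_at is when the carrier delivered the message; now is when we
        act on it (defaults to received_at). A queue backlog can separate them.
        """
        now = now or received_at
        sub = self.subscribers.get(number)
        if sub is None or text.strip().upper() not in STOP_KEYWORDS:
            return None                   # unknown sender, or not an opt-out request
        if sub.opted_out_at is None:
            sub.opted_out_at = received_at    # the clock starts at the request
        return self._confirm(sub, now)

    def _confirm(self, sub: Subscriber, now: datetime) -> Optional[str]:
        if not sub.consented:             # ruling covers only consumers who had consented
            return None
        if sub.confirmation_sent:         # condition 2: never a second confirmation
            return None
        if now - sub.opted_out_at > CONFIRM_WINDOW:
            return None                   # condition 3: too late; drop rather than send
        text = CONFIRM_TEMPLATE.format(program=self.program)
        sub.confirmation_sent = True
        self.outbox.append((sub.number, text, "confirmation", now))
        return text

    def send_marketing(self, number: str, text: str, now: datetime) -> bool:
        """Send a promotional text only to a consented subscriber who has not opted out."""
        sub = self.subscribers.get(number)
        if sub is None or not sub.consented or sub.opted_out_at is not None:
            return False                  # suppressed
        self.outbox.append((number, text, "marketing", now))
        return True

    def sent_after_optout(self, number: str) -> int:
        """Messages delivered to a number after its opt-out; must never exceed 1."""
        sub = self.subscribers[number]
        if sub.opted_out_at is None:
            return 0
        return sum(1 for n, _, _, ts in self.outbox if n == number and ts >= sub.opted_out_at)


def demo() -> dict:
    """Constructed walk-through of the cases the ruling turns on (numbers are fictitious)."""
    t0 = datetime(2012, 11, 29, 9, 0, 0)
    h = OptOutHandler("ACME")
    h.add_subscriber("+12025550101", consented=True)
    h.add_subscriber("+12025550102", consented=False)
    h.add_subscriber("+12025550103", consented=True)
    r = {}
    r["marketing_before"] = h.send_marketing("+12025550101", "20% off today", t0)
    r["first_confirm"] = h.handle_inbound("+12025550101", "stop", t0 + timedelta(minutes=1))
    r["second_confirm"] = h.handle_inbound("+12025550101", "STOP", t0 + timedelta(minutes=3))
    r["marketing_after"] = h.send_marketing("+12025550101", "Flash sale!", t0 + timedelta(minutes=4))
    r["sent_after_optout"] = h.sent_after_optout("+12025550101")
    # A number that never consented texts STOP: nothing is owed and nothing is sent.
    r["no_consent"] = h.handle_inbound("+12025550102", "STOP", t0)
    # Backlog: request received at t0 but only processed six minutes later.
    r["late_confirm"] = h.handle_inbound("+12025550103", "END", t0, now=t0 + timedelta(minutes=6))
    r["late_marketing"] = h.send_marketing("+12025550103", "Still here?", t0 + timedelta(minutes=7))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the `received_at` / `now` split is the failure mode the five-minute limit creates: a confirmation that could not be sent in time is dropped, not sent late, because a late confirmation falls outside the ruling and is just another unsolicited text. The opt-out itself is still recorded, so marketing is suppressed either way.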

The TCPA, which applies to landline and mobile telephones, prohibits the use of automatic telephone dialing systems to send unsolicited advertising calls (or faxes) to consumers without their prior express consent. In February the FCC updated2 its rules implementing the TCPA to align them with the Federal Trade Commission’s Telemarketing Sales Rule,3 including eliminating the established business relationship exemption and making certain changes to the TCPA’s prior express consent requirement.

The FCC’s ruling was issued in response to a petition filed earlier this year by SoundBite Communications, Inc.4 SoundBite had previously been sued under the TCPA for sending, on behalf of businesses, confirming opt-out texts in response to consumer opt-out requests. In its petition, SoundBite asked the FCC to address whether a one-time confirmatory text message violates the TCPA and whether the system used by SoundBite to send the opt-out confirmations is an automatic telephone dialing system as defined by the TCPA.

The FCC addressed only whether confirmatory text messages violate the TCPA. It declined to rule on the other issues raised in SoundBite’s petition, including whether the confirmation messages fall outside the TCPA because the software used to send them is not an autodialer. The FCC, which is considering whether certain technologies and types of consent are subject to or permitted under the TCPA, is likely to address that question in the future.


1 47 U.S.C. §227.
2 Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Dkt. 02-278, Report and Order, 27 FCC Rcd 1830 (2012).
3 16 C.F.R. Part 310.
4 SoundBite Communications, Inc., Petition for Expedited Declaratory Ruling, CG Docket No. 02-278 (filed Feb. 16, 2012).



INTERNATIONAL DISPATCHES

Article 29 Working Party Announces Launch of Binding Corporate Rules for Processors

On December 21 the EU’s Article 29 Working Party announced the launch of Binding Corporate Rules (BCRs) for data processors. The BCRs will serve as internal codes of conduct that govern transfers of personal data outside the European Union by a processor who acts on behalf of and under the instructions of data controllers. The beneficiaries of these BCRs will be entities that perform high-volume data processing for EU data controllers that transfer data outside the EU. Approved BCRs will eliminate the need for processors to negotiate adequate protections for data transfers outside the EU in each processing contract. Data processors will be required to seek the approval of data protection authorities through a process similar to the one already in place for data controllers. The BCRs take effect January 1, 2013.



EU Data Protection Supervisor Issues Opinion on Cloud Computing in Europe

On November 16 Peter Hustinx, the European Data Protection Supervisor (EDPS), issued an opinion addressing the impact of the proposed EU Data Protection Regulation on cloud computing services that involve the storage of personal data on servers or in data centers located outside the EU. The opinion is the latest in a series of recent policy initiatives to accelerate the adoption of cloud computing in Europe in order to realize the economic benefits of cloud services and establish Europe as a global destination for safe and secure computing.

The EDPS is an independent supervisory authority that promotes good practices among EU institutions and bodies by providing advice on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Hustinx’s opinion addresses key challenges to simultaneously promoting cloud computing while ensuring that data is protected in a manner that will be consistent with the stringent standards and requirements of the new Data Protection Regulation. Some of these challenges involve how to allocate responsibility for personal data among cloud clients and service providers within a legal framework that protects individuals but where businesses that collect that data are typically business customers of the service providers. Another, related challenge involves how to allocate responsibility for personal data among organizations in the cloud computing supply chain in a manner that is aligned with the regime embodied in the Data Protection Regulation.

That regime places explicit data protection and security obligations on organizations that collect personal data, yet the service provider’s “take it or leave it” terms make compliance with the Regulation difficult for these organizations. One way of dealing with this “contractual asymmetry” suggested by the opinion would be to designate the cloud service provider a co-data controller. Doing so would lead to a more realistic allocation of responsibilities between the parties, negotiated as part of the service agreement. Even so, the disparity in bargaining power between the parties might not be eliminated; according to the opinion, this problem could be overcome by the development and use of standard contract terms and conditions.

The opinion also addresses challenges posed by the international character of cloud computing. Hustinx calls for adapting international data transfer mechanisms, including Binding Corporate Rules and standard contractual clauses, to the cloud computing environment, and for developing effective international cooperation mechanisms. Interestingly, in perhaps a subtle acknowledgement of the challenges the U.S. Patriot Act poses to cloud service providers’ obligations under the Data Protection Regulation, the opinion also calls for international cooperation to reconcile the manner in which law enforcement seeks access to personal data and to clarify the conditions under which law enforcement may gain access to personal data stored by cloud service providers. Finally, Hustinx calls for multilateral agreements with non-EU countries as necessary.



French Data Protection Authority Publishes English Language Compliance Guides

On November 14 the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (CNIL), released English-language versions of its security and privacy risk management guides. According to the news release, the guides consist of a privacy risk management methodology and a catalogue of measures to help organizations choose the appropriate controls to protect their personal data processing operations. The guides can be accessed here and here. They provide practical guidance on data retention, management and security.



UPDATES

Senate Approves Data Sharing Amendment to VPPA

On December 20, 2012 the U.S. Senate approved amendments to the Video Privacy Protection Act (VPPA) to make it easier for consumers to share their video-viewing preferences and habits online, including over social media. If enacted, video rental and streaming providers like Netflix, Hulu, Amazon, and YouTube would be permitted to share information on Facebook, Twitter, and other social media about what movies a customer rented or watched, with that customer’s blanket consent. Netflix had been lobbying strongly for this change since it announced the integration of its video rental and streaming service with Facebook on September 22, 2011. Since that time, Netflix users in every country except the United States have been able to share with their friends over Facebook what videos they watched on Netflix. Netflix had contended that the VPPA prevented it from offering this feature in the U.S. As reported here, the amendments were passed in the House in 2011.



New Jersey Bars Access to Student Personal Accounts

On December 3 a new law took effect in New Jersey that prohibits both public and private college and university officials from requiring students or applicants to grant access to personal online accounts or services offered through electronic communications devices. The law also prohibits officials from retaliating against a student or applicant for their refusal to grant access and from “inquiring in any way” about whether a student or applicant has an online profile or social media account. Unlike other states that have enacted similar laws, the New Jersey statute contains an anti-waiver provision and does not provide a law enforcement exception. The law contains a private right of action for injunctive and monetary relief.



FTC Clarifies Definition of “Creditor” In Red Flags Rule

On November 30, 2012, the Federal Trade Commission announced that it issued an interim final rule that clarifies the definition of “creditor” in the Red Flags Rule (Rule) to align it with the definition of the term in the Red Flag Program Clarification Act of 2010 (Act). As we reported previously, the Act was intended to end uncertainty about the Rule’s application.

The Red Flags Rule requires certain “creditors” to establish policies and procedures for detecting signs of potential identity theft, or “red flags,” and to take specified measures in response. The term "creditor" was broadly defined to include "any person who regularly extends, renews, or continues credit or any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of any original creditor who participates in the decision to extend, renew, or continue credit." Many businesses were surprised to discover that they were subject to the Rule, including lawyers, newspapers, medical professionals, and “mom and pop” retailers. An avalanche of requests for exemption and an ABA lawsuit prompted numerous FTC decisions to delay enforcement. The Interim Final Rule excludes most lawyers, health care providers and certain other businesses, limiting the Rule’s application to creditors that, in the ordinary course of business: 1) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; 2) furnish information to certain consumer reporting agencies in connection with a credit transaction; or 3) advance funds to or on behalf of a person, based on the person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf. The FTC is seeking public comment before the Rule becomes final on February 11, 2013.



California Supreme Court to Consider Application of Song-Beverly to Online Transactions

The California Supreme Court is poised to rule on a key issue involving the state’s “zip code privacy” law. As we reported previously, two years ago the Court ruled in Pineda v. Williams-Sonoma Stores that the Song-Beverly Credit Card Act of 1971 (Song-Beverly) prohibits the collection and recording of customer zip code data by brick-and-mortar merchants as a condition of accepting payment during credit card transactions. Pineda resulted in a flood of lawsuits against a wide variety of retailers, and prompted retail gas stations to successfully seek a statutory exemption from the law. In 2011 a state trial court refused to dismiss actions against Apple, eHarmony and Ticketmaster for alleged Song-Beverly violations, and the California Court of Appeal affirmed. The complaints alleged that the companies collected address information from consumers during online credit card transactions involving purchases that did not need to be shipped, making the collection of zip codes unnecessary to complete the transactions. In its Petition for Review, Apple contends that the plain language of Song-Beverly shows that it does not apply to online retailers, and that any finding to the contrary would defeat the law’s purpose, which is to prevent fraudulent transactions.



Copyright © 2012 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington D.C 20036