FTC Seeks Comment on Proposed Amendments to COPPA Rule
On September 15, 2011, the Federal Trade Commission (FTC) released proposed changes to the Children's Online Privacy Protection Act (COPPA) Rule. The proposed amendments could impose additional compliance burdens on businesses that operate children's websites or online services, as well as general audience sites subject to its requirements. The FTC is accepting comments on the proposed changes until November 28, 2011.
Changes would include:
- expanding the definition of personal information;
- changing the collection, parental notice and parental consent mechanisms;
- updating confidentiality and security requirements; and
- strengthening FTC oversight of self-regulatory safe harbor programs.
The COPPA Rule requires that operators
of websites or online services directed to children
under 13, or general audience sites that have actual knowledge
that they collect personal
information from children under 13, obtain verifiable parental
consent before collecting, using,
or disclosing such information from children.
In 2010 the FTC accelerated its scheduled review of the rule to address mounting concerns about threats to children's privacy posed by their adoption of rapidly evolving technologies, including accessing, viewing and interacting with content over mobile devices. During the review period the FTC expanded enforcement, including applying the rule to such new technologies as mobile apps.
The FTC proposes
the following changes:
- Updating the definition of personal information to include geolocation information and certain types of persistent identifiers used for functions other than the website's internal operations, such as tracking cookies used for behavioral advertising, and identifiers that track a child across websites or online services for targeted advertising. Also included would be information that permits direct online contact with a child, including screen or user names that are not used solely to support internal operations.
- Modifying the definition of collection so operators may allow children to participate in interactive communities, without parental consent, as long as operators take reasonable measures to delete "all or virtually all" children's personal information before it is made public, a change that is intended in part to address the iterative nature of certain filtering technologies.
- Adding new methods for obtaining verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued ID checked against a database, provided that the parent's ID is deleted promptly after verification is done. In addition, the FTC proposes eliminating what it views as the less-reliable "e-mail plus" method of obtaining verifiable parental consent.
- Establishing a voluntary 180-day notice and comment process
to encourage new consent mechanisms whereby parties
may seek FTC approval of a particular mechanism or permitting
operators participating in a Commission approved safe-harbor
program to use a method permitted by that program.
- Adding to the rule's confidentiality and security provisions a requirement that operators ensure that any service providers or third parties to whom they disclose a child's personal information have in place reasonable procedures to protect it; requiring operators to retain the information for only as long as is reasonably necessary; and requiring them to take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.
- Strengthening FTC oversight of self-regulatory safe
harbor programs by requiring
these programs to audit their members at least annually
and report periodically to the
FTC the results of those audits.
Operators of children's websites and other online services, including those operating over emerging platforms such as mobile apps, as well as general audience sites subject to COPPA, should closely monitor developments in this proceeding to anticipate how the proposed changes could affect their business and regulatory strategies.
Please contact Karen Neuman at kneuman@slrno.com if you would like additional information or wish to discuss your business or regulatory strategy in light of the proposed changes.
California Updates its Data Breach Notification Law
On August 31, 2011, California Governor Jerry Brown signed SB 24 into law, a measure that amends the state's landmark data breach notification statute (Cal. Civ. Code §§ 1798.29 & 1798.82) by mandating the inclusion of certain information in notifications that are already required under existing law to be sent to California residents who may have been affected by a data breach.
SB 24, which will take effect January 1, 2012, also requires that the notifying entity send an electronic version of the notice to the state Attorney General (AG) in instances where a breach affects more than 500 California residents. According to SB 24's sponsor, Joe Simitian (D-Palo Alto), this requirement is intended to enable law enforcement to see "the big picture" and better understand statewide patterns of identity theft. Businesses, agencies and individuals that are subject to the law and use the substitute notice provisions permitted under the current statute must also provide an electronic version of the notice to the state's Office of Information Security or the Office of Privacy Protection. Organizations that are subject to HIPAA's HITECH breach notification requirements will be deemed to be in compliance with the law's breach notice content requirements but must still comply with the AG notification requirement.
Since 2003, California law required covered entities and individuals to notify affected persons of a data breach. However, unlike other state data breach laws, California's statute did not mandate what information the breach notices should contain or require that state authorities be notified of the breach. Previous bills that addressed these gaps were vetoed by Governor Brown's predecessor.
SB 24 addresses these gaps by establishing
the following standard content requirements, which
must be written in plain language for required
breach notices:
- the name and contact information of the notifying entity or person;
- a list of the types of personal information that were or are reasonably believed to have been breached;
- toll-free telephone numbers and addresses of the major credit reporting agencies if the breach discloses a Social Security, driver's license or California ID card number;
- the actual, estimated date or date range of the breach if it is possible to ascertain;
- a general description of the breach, if it is possible to determine; and
- whether notice was delayed due to a law enforcement investigation.
SB 24 also authorizes covered entities and individuals to include in the notices, if they wish to do so, information about measures taken to protect persons whose information has been compromised as well as steps affected persons may take to protect themselves.
Please contact Karen Neuman at kneuman@slrno.com if you would like additional information about California's breach notification law, as amended by SB 24.
Reports Highlight New "Supercookies" Used to Track Web Activity for Social Advertising
Privacy researchers from Worcester Polytechnic Institute, University of Wyoming, University of California, Berkeley, and Good Research recently released their second report on tracking technologies used by websites and online advertisers, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (2011 Report).1 The report highlights the need for website operators and online service providers to be familiar with the information collection and disclosure practices of third party service contractors, including social advertisers and analytics companies. Periodic due diligence should be conducted to ensure that these service providers aren't using tracking technologies that contravene users' express privacy preferences and that websites are in compliance with their own privacy policies.
Background.
The first report, Flash Cookies and Privacy, released in August 2009, examined the use of persistent Local Stored Objects (LSOs), more commonly known as "Flash cookies," to track users despite the users' attempts to protect their online privacy by taking such steps as deleting cookies. The findings in this report were the linchpin in class actions against some of the advertisers and websites that the report found to be using Flash cookies. Clearspring, whose Addthis tool allows website visitors to share a website's content on social media and used Flash cookies to track people who visited websites with Addthis installed, was a named defendant in one of the actions. That lawsuit, along with a similar action against Quantcast, was settled this year, with the companies agreeing to not use LSOs in their products.2
The 2011 Report, along with additional
work by Jonathan Meyer at Stanford,3 has similarly
formed the basis for allegations in lawsuits against websites
and advertisers who use the new supercookies and
other forms of persistent trackers highlighted in the report.
The report reviews how Flash cookie use has changed in the
last year and identifies two additional supercookies, Cache-Cookies
and HTML5 Local Storage. KISSMetrics, a web analytics company,
and their now former client Hulu.com, were
sued for privacy violations after the report noted their
use of ETags, a type of cache-cookie.4
The common thread between the supercookies
discussed in the 2011 Report5 is that each is
more persistent and allows for greater data storage than
standard HTTP cookies. Flash cookies and ETags respawn HTTP
cookies after a user has deleted them or gone into private
browsing mode to prevent cookie creation. (Private
browsing is an option available in many Internet browsers,
such as Internet Explorer and Firefox, which prevents websites
from downloading cookies or storing new information in the
cache after the browsing session ends). HTML5 storage does
not respawn HTTP cookies, but where HTTP cookies automatically
expire after some period of time, HTML5 storage does not
expire and so it must be affirmatively deleted by the user
to disable tracking. Flash cookies and ETags can be used
to respawn HTML5 cookies, in addition to HTTP cookies.
Flash Local Storage Objects.
Flash LSOs, like other supercookies,
are resistant to deletion as they are not deleted
through the browser as one would do for standard HTTP cookies.
The user is required to take
additional steps to prevent tracking. Flash LSOs hold more
data than HTTP cookies, enabling
better tracking and can be used to respawn or recreate HTTP
cookies that a user has deleted.
Flash LSOs, the subject of the prior report, have decreased
in use since the release of that
report. Of the 100 sites investigated by the authors, 100
flash cookies were found, down from
281. Only two sites used flash cookies to respawn HTTP cookies.
Cache-Cookies and ETags.
Cache-cookies are not actually cookies. This method of tracking involves using the web browser's cache to associate information between a deleted cookie and a new cookie. ETags are generally used by websites to tell a browser whether the site has changed, and if not, to use the copy of the website stored in the browser's cache rather than downloading new data.
The report discusses how an ETag in a cached copy of a website can include a unique identifier. Even if a user deletes her cookies, when she returns to the website and downloads a new cookie, the ETag in the cached copy still exists and can give the website enough information to associate the new cookie with whatever data was collected via the old cookie. In this way, the old cookie is said to respawn. Also, if a user visits websites via his or her Internet browser's private browsing mode, this type of tracking is not prevented. Specifically, if a user visits a website while not in private browsing, information is stored in the cache and may then still be retrieved when later visiting the website in private browsing mode. The only way to prevent this tracking is to manually clear the cache prior to revisiting the website.
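For the periodic due diligence recommended above, one way to check a third-party resource for this behavior from captured traffic, shown as an added example (it is not code from the report or from any vendor). The `Visit` record, its fields, the `.example` URLs and every value in `SAMPLE` are constructed assumptions.

```python
"""Audit captured page loads for ETag-based cookie respawning."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Visit:
    """One page load by one browser profile, as recorded by a capture proxy."""
    profile: str           # clean browser profile that made the request
    url: str
    etag: str              # ETag of the copy served or revalidated from cache
    body_sha256: str       # hash of the response body (constructed here)
    cookies_cleared: bool  # were HTTP cookies deleted before this load?
    cookies: dict = field(default_factory=dict)  # cookie jar after the load


def per_client_etags(visits):
    """URLs whose body is byte-identical for all profiles but whose ETag is not.

    A validator that only reflects content is the same for the same bytes, so
    a distinct ETag per profile is a value able to carry an identifier. It is
    a candidate only: load-balanced servers can also emit differing ETags.
    """
    bodies, etags = defaultdict(set), defaultdict(dict)
    for v in visits:
        bodies[v.url].add(v.body_sha256)
        etags[v.url][v.profile] = v.etag
    return sorted(
        url for url, per_profile in etags.items()
        if len(bodies[url]) == 1
        and len(per_profile) > 1
        and len(set(per_profile.values())) == len(per_profile)
    )


def respawned_cookies(visits):
    """(profile, url, cookie) triples where a deleted cookie came back unchanged.

    Conditions: cookies were cleared, the cached ETag survived, the cookie has
    the same value as before deletion, and that value belongs to one profile
    only (so a shared setting such as lang=en is not reported).
    """
    owners = defaultdict(set)   # (url, name, value) -> profiles holding it
    history = defaultdict(list)  # (profile, url) -> loads in capture order
    for v in visits:
        history[(v.profile, v.url)].append(v)
        for name, value in v.cookies.items():
            owners[(v.url, name, value)].add(v.profile)

    findings = []
    for (profile, url), loads in history.items():
        for before, after in zip(loads, loads[1:]):
            if not after.cookies_cleared or after.etag != before.etag:
                continue
            for name, value in after.cookies.items():
                unique = owners[(url, name, value)] == {profile}
                if unique and before.cookies.get(name) == value:
                    findings.append((profile, url, name))
    return sorted(set(findings))


# Constructed capture: two clean profiles load two third-party resources,
# delete their cookies (cache left intact), then load the resources again.
TRACKER = "https://widget.example/t.js"
STATIC = "https://cdn.example/app.css"
H1, H2 = "sha256:constructed-1", "sha256:constructed-2"
SAMPLE = [
    Visit("A", TRACKER, '"u-7f3a"', H1, False, {"uid": "7f3a", "lang": "en"}),
    Visit("B", TRACKER, '"u-c21d"', H1, False, {"uid": "c21d", "lang": "en"}),
    Visit("A", STATIC, '"v42"', H2, False, {"sid": "a1"}),
    Visit("B", STATIC, '"v42"', H2, False, {"sid": "b1"}),
    Visit("A", TRACKER, '"u-7f3a"', H1, True, {"uid": "7f3a", "lang": "en"}),
    Visit("B", TRACKER, '"u-c21d"', H1, True, {"uid": "c21d", "lang": "en"}),
    Visit("A", STATIC, '"v42"', H2, True, {"sid": "a2"}),
    Visit("B", STATIC, '"v42"', H2, True, {"sid": "b2"}),
]

if __name__ == "__main__":
    print("per-client ETags:", per_client_etags(SAMPLE))
    for finding in respawned_cookies(SAMPLE):
        print("respawned cookie:", finding)
```

Repeating the second pass after also clearing the cache should make the reported cookie value change; if it does not, another storage mechanism is restoring it.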
HTML5 Local Storage.
The Report concluded that HTML5 cookies raise privacy concerns because they never expire. Instead, the user is required to affirmatively delete the cookie. The storage capacity is also significantly greater than any of the other cookies mentioned here, as well as standard HTTP cookies. A number of sites also respawned HTML5 cookies using either ETags or Flash cookies, and others used matching values for their HTML5 and HTTP cookies, which makes respawning and association between the cookies easier.
CONCLUSION.
Companies wishing to take advantage of social advertising tools should take a close look at the tracking technologies employed by businesses offering those tools to make sure that the technology does not override consumer privacy preferences. One way to obtain assurance is to determine if these businesses comply with pertinent industry best practices and standards. As the lawsuits that rely on the findings of the researchers' reports make clear, the plaintiffs' bar does not distinguish between the companies that develop persistent tracking technologies and the businesses that use those technologies for legitimate business purposes.
Please contact Karen Neuman at kneuman@slrno.com
if you would like to discuss this
report and the potential impact of its findings on your
business.
1 Ayenson, et al., Flash Cookies And Privacy II: Now With HTML5 And ETag Respawning, 2011 (2011 Report)
2 In Re Quantcast Advertising Cookie Litigation, 2:10-cv-05484-GWJCG, (Cal. C.D. 2011) (Settlement Agreement at §4.19).
3 A recent report out of Stanford reviewed Microsoft's use of ETags, a cache-cookie. Jonathan Meyer, Tracking the Trackers: Microsoft Advertising (Aug. 18, 2011), http://cyberlaw.stanford.edu/node/6715
4 Wendy Davis, KISSmetrics, Hulu Sued Over New Tracking Technology, MEDIAPOST, Aug. 1, 2011, http://www.mediapost.com/publicationsfa=Articles.showArticle&art_aid=155032
5 Ayenson, supra note 1.
U.S. Department of Commerce Releases Privacy Report
On December 16, 2010, two weeks after the FTC released its report on consumer privacy, the U.S. Department of Commerce released its privacy Green Paper -- Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The report was drafted by the Agency's Internet Policy Task Force. It seeks comment on a number of policy recommendations intended to promote online consumer privacy while ensuring that the Internet remains a platform that spurs innovation, job creation, and economic growth. This balance would be achieved by the adoption of a baseline commercial data privacy framework built on expanded Fair Information Practice Principles (FIPPs) that act in concert with strong protections embodied in existing sector-specific laws. The FTC would remain the lead privacy enforcement authority for the U.S. Government.
Formal comment will be sought through a
separate Federal Register Notice on several
other key policy recommendations. They include: 1) Creation
of a national privacy policy
office (PPO) within the Commerce Department to coordinate
the development of voluntary,
enforceable privacy codes of conduct in specific industries.
(Compliance with these codes of
conduct would operate as safe harbors); and 2) national data
breach legislation for electronic
records that contemplates a role, including enforcement, for
state authorities. In a nod to the
strength of state legislative data breach laws, the report
recommends that any federal data
breach legislation track state regulatory approaches
that have proven effective.
Unlike the FTC report, the Green Paper does not recommend implementing a do-not-track (DNT) mechanism. Instead, the role of the Commerce Department in developing DNT and similar technologies will be addressed through the Federal Register notice.
The Agency also intends to use the formal
comment period to examine the
circumstances under which expanded FTC rulemaking authority
may be warranted.
In addition, the report calls for Administration
review of the Electronic Communications Privacy Act (ECPA)
in order to ensure strong privacy protection in cloud-based
computing environments and location-based services, while
preserving the ability of law enforcement to engage in legitimate
information gathering. This recommendation comes amidst
ongoing Congressional ECPA reform efforts and in the wake
of recent court decisions that have acknowledged the difficulty
of applying the law, enacted in the mid-1980s, to the continually
evolving technologies and communications platforms.
The report also notes that different
approaches to commercial data privacy, both
in the U.S. and abroad, can pose challenges for business
(and potential consumer harm), and
interfere with the promotion of trade and commerce of cross-border
compliance obligations.
It recommends that the U.S. continue work with the EU and
other trading partners to
promote increased global interoperability of privacy
frameworks. It also recommends that the U.S. support
the APEC Data Privacy Pathfinder Project as a model framework
for countries
with common values but divergent privacy
legal frameworks.
The Green Paper can be viewed at:
http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf.
Comments are due on January 28, 2011. The filing period provides a useful opportunity for business to potentially shape the regulatory outcome of this proceeding.
For additional information, please contact
Karen
Neuman at kneuman@slrno.com.
Karen Neuman discusses Privacy Legal Risks Associated with the use of Biometrics in Higher Education
On November 18, 2010, Karen Neuman discussed legal risks associated with the use of biometric systems for identity management by higher education institutions during an Educause Live! Web seminar. She noted that while the emergence of biometrics technologies offers colleges and universities potential new tools for confirming identity for campus security and managing access to facilities, the same technologies create legal and reputational risks that must be considered before implementation. Karen provided a framework for evaluating these risks, taking into account key federal, state, and European privacy laws, as well as common law. She concluded her remarks by offering some strategies for minimizing legal risk based on existing laws and regulations.
Karen Neuman discusses Legal Risks Associated with Local Government Use of Social Media
On September 30, 2010, Karen Neuman shared
her perspective about legal risks associated with local government
use of social media at the 30th Annual Conference of the National
Association of Telecommunications Officers & Advisors
in Washington, D.C. In addition to addressing First Amendment
issues raised by use of social media tools to engage the public,
Karen outlined how these tools can trigger state open meetings
and public records laws. She also focused on emerging law
involving employee use of social media in the workplace and
the privacy of constituents who access and interact with government
social media sites, particularly when using mobile devices.
Observing that the legal landscape is still evolving, Karen
offered some strategies for minimizing risk.
Flash Cookie Lawsuits Sound Warning for Industry
A pair of federal court lawsuits filed this summer should sound a warning for website operators using
tracking technologies that can override consumer privacy preferences.
The cases, Valdez v. Quantcast Corp.,
et al, CV10-5484 GW JCG (C.D. Cal, July 23, 2010) and
White v. Clearspring Technologies, 2:10-cv-05948-UA
(C.D. Cal., August 10, 2010), allege that a number of well
known websites violated federal and state privacy and consumer
protection laws -- including the Federal Electronic Communications
Privacy Act, Computer Fraud and Abuse Act and California's
Computer Crime Law and Invasion of Privacy Act -- by depositing
"Flash" cookies on users' websites to track their
online activities. The Plaintiffs in each suit seek unspecified
monetary damages and injunctive relief.
Flash cookies, more accurately known
as "locally stored objects", can be used by websites
to collect cookie-like information on a user's computer.
They can be used for such diverse purposes as remembering
preferences, watching online video, setting default volume
levels on video players or assigning a unique ID to users
for tracking across the web, regardless of browser. Most
users are unaware that when a Flash cookie is deposited
on a computer the steps they take to prevent online tracking
by deleting traditional browser cookies typically do not
remove Flash cookies.
The Plaintiffs in Quantcast brought
suit against MTV, ESPN, Hulu, MySpace & Scribd, among other
websites, alleging that their use of LSOs (or Flash cookies)
secretly stored user data on Adobe's Flash Player to recreate
information contained in browser cookies that had been deleted
by users. Also named as a defendant was San Francisco-based
advertising technology company Quantcast – creator of the
LSO used by the websites.
Clearspring was filed on behalf of parents
and their children against one of Quantcast's competitors,
Clearspring Technologies, as well as several websites including
Disney, Warner Bros. Records, SodaHead and Demand Media.
The Plaintiffs claim that Clearspring simultaneously deposited
http cookies and a Flash cookie in users' Flash media players
when users visited the defendants' websites. When users
deleted the http cookies from their browsers, unbeknownst
to them, the Flash cookie restored and/or recreated history
and other information, including the user's name and IP
address, which in turn, was used by the defendants and others
for online tracking and ad serving. The Plaintiffs also
claim that the defendants' privacy policies failed to disclose
that users' activities were being tracked online through
the use of Flash cookies.
While some of the factual allegations in each action may differ somewhat, the fundamental grievance is the same: that the defendants used a technology to track the plaintiffs' online activities without notice or consent.
Although the lawyers are, for the most part, targeting high-profile, "deep pocket" defendants,
at least one of the defendants, SodaHead, is a small online
polling company; no website should be considered under the
radar. It would not be surprising to see this effort expanded
to other websites that rely on Flash or similar tracking
technology, including social media sites, particularly as
those sites add location based features.
We expect that this suit will be closely
watched by the Plaintiffs' bar, privacy advocates and policymakers.
The larger issue appears to be one of consumer knowledge
about and control over the collection and use of their information
and less about specific technology. That said, the use of
technologies like Flash cookies should be viewed as risky
because they enable tracking online activities without a
user's knowledge, including when consumers believe they
have taken the necessary steps to prevent tracking.
Companies that employ Flash cookies
or similar tracking technologies that can be used to override
consumer privacy preferences should monitor developments
in these proceedings. In the process, they should consider
taking measures to try to minimize the potential for becoming
a target for this type of lawsuit. At a minimum, companies
should firmly understand the capabilities of the tracking
technologies they employ and the extent of information collected;
they should provide clear notice of the use of these technologies
in their privacy policies. If Flash cookies are employed,
companies should prominently disclose their use and provide
a link to Adobe's site for instructions for deleting these
cookies. Companies may also want to consider alerting customers
to other tools that can delete flash cookies or prevent
them from being used altogether.
Please contact Karen
Neuman at kneuman@slrno.com
if you would like more information about this litigation
or guidance about the use of online tracking technologies.
Federal Court Rules that Certain Postings on Social Network Sites are not Discoverable Under Stored Communications Act
A federal judge in California recently determined that private messages transmitted over social network sites are protected from discovery under the Stored Communications Act (SCA), 18 U.S.C. §2701, which restricts the government's ability to require Internet Service Providers to knowingly disclose information in their possession about their customers and subscribers. The Court also ruled that wall postings and comments, such as those posted by users on Facebook and MySpace, may also be protected by the SCA, but only to the extent that access to these communications is restricted by users' privacy settings, rendering them not public.
In reaching its decision in Crispin v. Audigier, Inc., 2010 WL 2293238, (C.D. Cal. 2010), the Court undertook an extensive analysis of the SCA noting, in the process, the difficulty of applying a statute that was enacted over 2 decades ago to today's communications technologies and users' practices. That said, this case could alter the way content posted on social networks is managed by organizations in anticipation of potential litigation. It could also affect the legality of access to social network communications in other contexts, affecting, for example, the ability of employers to obtain information about employees or potential hires.
The plaintiff, an artist, initiated a copyright infringement action against a clothing designer alleging breach of an oral license for the limited use of the Plaintiff's artwork in the manufacture of certain types of garments. The Complaint included allegations that the Defendant violated the terms of the license by failing to include the Plaintiff's logo on various garments displaying the Plaintiff's designs and also sublicensed the Plaintiff's design work without the Plaintiff's consent. During discovery the Defendants served subpoenas on various third parties, including Facebook, MySpace and other social networking websites. The Defendants claimed that the Plaintiff's social media communications revealed the nature and terms of the agreement between the parties. The Court granted the Plaintiff's motion to quash the subpoenas granted by a Magistrate on grounds that 1) the social network sites' private messaging and e-mail webmail services constituted electronic communications services (ECS) under the SCA and 2) the web hosting websites and social networking websites were ECS providers under the SCA, which protects unopened private messages transmitted via an ECS provider as temporary storage. 18 U.S.C. § 2510(17)(A). In so ruling, the Court concluded that a private, undeleted message opened by a user renders the communication stored for backup purposes as defined in the statute.
The Court noted that other aspects of social networking sites, Facebook wall postings and comments and MySpace comments, presented a distinct and more difficult question requiring an analysis of the SCA, including understanding the distinction between an RCS provider and an ECS provider. Analyzing the statute, the Court first observed that the SCA defines an ECS provider as any service which provides to users the ability to send or receive wire or electronic communications. 18 U.S.C. § 2510(15). The Court next observed that the SCA defines an RCS provider as an entity providing the public computer storage or processing services by means of an electronic communications system, and that an electronic communications system is defined as any wire, radio, electromagnetic, photo-optical or photo electronic facilities for the transmission of wire or electronic communications and any computer facilities or related electronic equipment for the electronic storage of such communications. Id. §2510(14); §2702(a)(2).
The Court construed these provisions
to conclude that social networking services are RCS providers
with
respect to wall postings and comments since the posts, once
made, are stored by the provider within
the meaning of the SCA. Accordingly, the Court held that
wall postings and comments are protected
under the SCA either as restricted access electronic bulletin
boards or because social networks are RCS
providers that store comments for limited use by a restricted
number of users.
The case was remanded to the Magistrate to ascertain whether the Plaintiff's privacy settings rendered the wall postings public and beyond the protection of the SCA.
This case illustrates the challenge courts face when applying a law enacted over two decades ago to rapidly evolving electronic communications technologies. This dilemma is ongoing as regulators and policy makers struggle to keep pace with innovation, resulting in a platform-specific approach to protecting privacy, an approach that poses challenges to users and business alike as each tries to discern a predictable framework for ascertaining privacy protection for user-generated content.
This case should also be seen as a cautionary
tale for employers who may now find themselves
running afoul of the law if they obtain access without consent
to their employees' social networking sites
communications when the employees have opted to restrict
access. This decision also calls into question
whether an employer can use legal processes such as a subpoena
to obtain information from the private
social networking accounts of employees.
Please contact Karen
Neuman at kneuman@slrno.com
if you would like additional information about this
case or if you would like guidance about the application
of privacy law to social media communications.
Supreme Court Ducks Broad Privacy Ruling but Provides Guidance on Employer Access to Employee Communications over Workplace Communications Devices
On June 17, 2010, the Supreme Court issued its much-anticipated decision in City of Ontario, California v. Quon, 1 in which it ruled unanimously that a Police Department's search of an employee's Department-provided mobile communications device was reasonable under the Fourth Amendment. The case was decided much more narrowly than anticipated; the Court stopped short of addressing the broader question of an employee's claim to privacy in his or her electronic communications, and the content of those communications, while at work. Instead, the Court appeared to invite further litigation on this issue in order to better understand changes in information transmission technology and what society accepts as proper behavior. Nevertheless, the opinion provides some practical guidance for public and private sector employers about employer regulation of and access to employee communications transmitted over employer-issued devices, and underscores the need for comprehensive policies.
The case arose when the City of Ontario initiated an investigation into an exchange of text messages originating from the lead Plaintiff, Quon, a city SWAT team officer, to his wife and two other SWAT team members, including one with whom he was romantically involved. The City's service plan had a monthly character limit for outgoing messages tied to each device and the City was charged a fee for exceeding the limit. The City had a policy that warned employees that they should have no privacy expectation in communications sent over their Department-provided devices. Despite the policy, Quon's superior told him that his text messages would not be audited as long as he personally paid for any overages.
Quon exceeded the monthly character
limit, prompting the Police Chief to investigate
whether 1) the character limit was too low for the Citys
law enforcement needs and, if so,
2) whether police officers were being required to pay for
sending work-related messages.
At the City's request, its service provider, Arch Wireless,
searched the text messages
on Quon's pager and provided the City with a transcript
of his messages. The City then
conducted an audit of Quon's on-duty messages. The
audit revealed that the majority of the
messages Quon sent during work hours were personal, many
of which were sexually explicit.
Quon, his wife, and the two other colleagues brought suit
against the City and Arch
Wireless claiming in part that the audit violated their
Fourth Amendment rights. The district
court concluded that the City's audit was reasonable
because its purpose was to determine
whether the service plan was appropriate and not simply
to investigate Quon's use of his
government-issued pager. The Ninth Circuit reversed. It
ruled that although conducted for
a legitimate purpose, the search was unreasonable because
there were less intrusive means
the City could have utilized to determine whether the service
plan was inadequate for the police
department's needs.
The Supreme Court reversed the Ninth Circuit. Writing for
the majority, Justice Kennedy
concluded the search was reasonable, noting that the City's
policy reserved the right to monitor
employee communications and therefore limited employee expectations
of privacy in them.
The Court rejected Quon's argument that the policy
was informally modified by his superior's
assurance that his text messages would not be audited as
long as he paid for overages.
Although narrowly decided on Fourth Amendment grounds, this
opinion seems to
recognize that the Court will ultimately be asked to decide
the appropriate framework for
determining the respective rights of employers and employees
with respect to privacy in the
workplace when it comes to employee communications and employee
privacy regarding those
communications. Nevertheless, this case strongly suggests
that employers can take the
following measures to minimize the risk of litigation initiated
by employees, as well as by non-
employees involved in a questionable exchange:
- Public employers will want to pay particular attention to
the impact of state public
records laws when assessing public employees' privacy
interests in workplace
interests in workplace
communications. The majority surmised that Quon should have
known that, as
a law enforcement officer, his on-the-job communications
were likely subject to
disclosure under California's Public Disclosure Act.
- The Court noted that employers increasingly (if reluctantly)
tolerate personal
use of employer equipment for private use. Increased employee
access of
personal e-mail accounts, social media and texts using employer-issued
devices
requires a thoughtful, holistic evaluation of the workplace
technology and
communications ecosystem, and a realistic assessment
of employee practices.
This evaluation should result in carefully written use and
privacy policies that put
employees on unambiguous notice about the circumstances
under which the
employer can monitor and access employee communications.
- Use and privacy policies should be comprehensive and address
all media,
platforms, devices and technologies, including social media.
- Use and privacy policies should ensure that access to the
contents of
employee communications is obtained pursuant to a clearly
articulated,
legitimate business or work-related purpose, such as the
investigative
purpose asserted by the City in this case. Employer activities
that are
performed for a legitimate business purpose will be less
likely to be found
unreasonable.
- Develop employee training materials and conduct employee
training
programs to minimize the potential that a supervisor will
unintentionally create
an expectation of privacy, as appears to have happened
in Quon, verbally or
through other means. Training materials and programs should
be periodically
updated to reflect changes in the law and communications
technologies or
practices.
Please contact Karen
Neuman at kneuman@slrno.com
if you would like more information
about this case or guidance about privacy in the workplace.
1 2010 WL 2400087, No. 08-1332 (U.S., Jun.
17, 2010).
FTC
Again Postpones Enforcement of the Red Flag Rule
The FTC announced on May 28, 2010 that
it is again postponing enforcement of the Red Flag Rule until
December 31, 2010. Enforcement has been postponed several
times since the Rule was promulgated last year in order to
clarify the scope of its coverage and give businesses time
to comply with the requirement that they develop and implement
programs to detect indicia of potential identity theft. As
noted previously several entities protested application
of the Rule as to their members, including the ABA and AMA.
The current delay is in response to pending House and Senate legislation.
FCC SEEKS COMMENT ON RECLASSIFYING BROADBAND
On June 17, 2010, the Federal Communications
Commission approved a Notice
of Inquiry (NOI) seeking public comment on the appropriate
legal framework to address certain aspects of the provision
of broadband Internet service by broadband Internet Service
Providers (ISPs). As expected, a key proposal would involve
reclassifying broadband Internet service from the agency's
2002 designation as a largely unregulated information
service to a telecommunications service subject
to regulation under Title II of the Communications Act.
The NOI also seeks comment on the appropriate
classification of terrestrial wireless and satellite broadband
Internet services, as well as other issues.
As expected, this proceeding follows the
D.C. Circuit's recent decision in Comcast
Corp. v. Federal Communications Commission, No. 08-1291 (D.C.
Cir., Apr. 6, 2010), which called into question the FCC's
authority to issue rules governing Broadband Internet access
and services provided by ISPs.
The NOI specifically asks for information
about the following approaches that are intended to respond
to the Comcast Court's concerns:
- Whether the Commission's information service
classification of broadband Internet service remains legally
sound and adequate to support effective performance of the
Commission's responsibilities;
- The legal and practical consequences of classifying broadband
Internet connectivity as a telecommunications service
to which all the requirements of Title II of the Communications
Act would apply; and
- A third way under which the Commission would
reaffirm that Internet content and applications remain generally
unregulated under Title I of the Communications Act; identify
the Internet connectivity service that is offered as part
of wired broadband Internet service as a telecommunications
service; and forbear under Section 10 of the Act from applying
all provisions of Title II other than the small number that
are needed to implement fundamental universal service, competition
and market entry, and consumer protection policies.
Comments are due on July 15, 2010; reply
comments are due on August 12, 2010.
If you would like more information about
this proceeding and the proposed changes, please contact Karen
Neuman or Jeff
Olson at 202-454-9401.
Karen
Neuman discusses Local Government Use of Social Media
Karen
Neuman shared her perspective on several legal
issues associated with local government use of social media
at a regional meeting of telecommunications officers and advisors
in Long Beach, California June 3, 2010. In addition to focusing
on first amendment issues associated with government use of
social media, Karen outlined how use of these tools can trigger
state open meetings and public records laws, as well as privacy
issues. Observing that the legal landscape is still evolving,
Karen offered some strategies for minimizing risk.
Karen
Neuman to Moderate May 19, 2010 FCBA Privacy & Data Security
Committee Brown Bag Program About Privacy and Data Security
Issues Involving Marketing to Minors.
Marketing to minors is under increased
scrutiny by the FTC, FCC, State Attorneys General, and legislators
across the country. Karen
Neuman will moderate a panel discussion
among experts that will address the complex regulatory and
enforcement landscape that faces media, communications companies
and other businesses wishing to reach children, tweens
and teens via email, social media, text messages and other
emerging technologies. Speakers include Phyllis Marcus,
Division of Advertising Practices, FTC; Dana Rosenfeld, Kelley
Drye, and Andra Dallas, Staff Attorney, CARU.
D.C.
Circuit Decides Comcast Case; Implications for FCC
Net Neutrality Proceeding
The recent decision by the D.C. Circuit
Court of Appeals in the Comcast case1, overturning the FCC's
decision finding Comcast to be in violation of the Commission's
Net Neutrality Policy (NNP), has caused quite
a stir. Among other things, the decision calls into question
those portions of the National Broadband Plan (NBP)
that assume that the agency will be able to regulate at least
certain aspects of the provision of broadband services via
the Internet.
The good news for the Commission is that the court concluded
that the agency has some measure of ancillary
jurisdiction over Internet-based services, based on the Communications
Act's grant of general regulatory authority over communication
by wire and radio under Title I of the Act. The problem in
the Comcast case was that, in the court's view, the Commission
had failed to articulate a nexus between that general, Title
I regulatory authority, and a specific statutory mandate in
one of the operational titles in the Act, such
as Title II's very specific grant of regulatory authority
over certain activities of common carriers, and how the NNP
was tied to the latter. One of the more interesting aspects
of the decision is the extent to which the court seemed to
go out of its way to draw the agency a roadmap as to how it
might better construct the missing nexus.
Particularly in light of the Commission's
pending Net Neutrality rulemaking, the agency has several
options for addressing the D.C. Circuit's concerns.
Obviously, it could seek rehearing (and suggest rehearing
en banc), but the odds of success are not high. Similarly,
Supreme Court review could be sought, and while that court
might agree to consider the case given the potential importance
of the issue, the likelihood of a favorable outcome seems
problematic. Historically, the Supreme Court has not been
very expansive in its interpretation of the scope of the
FCC's powers under Title I ancillary jurisdiction.
The agency can always seek a congressional fix, but pursuing
that course can prove uncertain as well, in terms of both
substance and timing. The Commission's best option
- - both on the merits and from a timing perspective as
well - - seems to be to address the D.C. Circuit's
decision head on in the context of the ongoing Net Neutrality
rulemaking. There, two general approaches are available.
The first is to parse the jurisdictional issues a bit more
finely than was done in the NNP, using the guidance provided
by the court to establish the necessary substantive nexus
that was found lacking in Comcast. The record assembled
in the rulemaking should provide the Commission with ample
evidence for such an approach. However, this course still
leaves the agency relying on Title I ancillary jurisdiction,
which is always something of a weak reed upon which to base
a significant regulatory regime.
The better approach is to jettison the Title I jurisdictional
predicate and, instead, recognize what now is obvious and
declare that Internet service providers (ISPs)
are in fact carriers, directly subject to Title II jurisdiction.
While this would represent a reversal of longstanding Commission
policy, the agency has full statutory authority to reverse
a prior policy course based upon, e.g., changed circumstances.
Clearly, the record assembled in the Net Neutrality rulemaking,
coupled with the lengthy proceedings that led up to the
adoption of the NBP, provides a more than adequate basis
for the Commission to conclude that its old policy of categorizing
ISPs as non-carriers no longer serves the public interest
and that, as a factual matter, ISPs now conduct themselves
- - particularly from a consumer's perspective - -
in a manner indistinguishable from traditional common carriers.
For example, when the FCC first decided that ISPs should
not be subject to Title II regulation, it did so in part
because: (1) the then-nascent ISPs had no market power;
(2) their services were distinguishable from traditional
communications services; and (3) the agency did not want
to stifle the new industry's development through unnecessary
regulation. As with any similar Commission policy judgment,
there would be adequate opportunity to revisit the issue
as the industry evolved. Today, the ubiquity of the Internet,
its central role in commerce, and the ISPs' growing
head-to-head competition with traditional telephony-based
services (e.g., VOIP), provide an unassailable basis for
revisiting the Title II question. The Commission can reasonably
conclude that in a marketplace in which traditional wireline
and mobile carriers are subject to Title II (and the agency's
statutory forbearance authority), it is irrational to leave
one - - now mature - - competitor operating essentially
unregulated. Articulated properly - - and backed by record
evidence - - such a policy reversal should be sustained
on the inevitable appellate review.
The above scenario has been dubbed the nuclear option,
mainly by the ISPs and their financial backers, because
it arguably would subject the ISPs to a host of new regulations
and, most importantly, financial burdens, mostly in the
form of having to contribute to the Universal Service Fund
(USF) for the first time. However, it does not
necessarily follow that exercising the nuclear option will
inexorably lead to nuclear winter for the ISPs.
First, the bulk of Title II requirements that might otherwise
be imposed on the ISPs can be eliminated under the Commission's
forbearance authority, just as those burdens have been eliminated
for the traditional carriers. Second, it makes no sense
to continue to exempt the ISPs from USF obligations when
it is generally agreed that a critical national goal for
the next decade is to ensure universal broadband access
to the Internet, just as universal access to the telephone
network was a national goal of the last century. While this
no doubt would subject the ISPs to new financial obligations
- - and perhaps skew their near-term financial projections
- - such a result would hardly signal the devastation of
this industry segment. To the contrary, there is no reason
to believe that the ISPs will find that, simply by virtue
of having become subject to Title II, the entrepreneurial
acumen that drove them to their current level of success
suddenly will desert them.
In short, whatever basis previously existed to support
the regulatory fiction that the ISPs were not really acting
as common carriers, the facts on the ground today no longer
sustain that position. In a sense, the Comcast court did
the FCC a favor by forcing it to at least consider revisiting
the matter. Particularly given the centrality of the Internet-based
economy to the nation's future well-being, it would
be irrational for the agency to continue to rely on a patently
out-dated rationale to maintain this regulatory fiction.
Moreover, the courts historically have accorded the FCC
considerable deference when it has reversed course based
on substantial record evidence and a reasoned explanation
for its actions. This is so, even when the Commission's
action has the effect of overturning a prior
adverse court decision. The Commission clearly has the statutory
authority to take such action in the context of the ongoing
Net Neutrality rulemaking, and the evidentiary basis for
doing so.
1 Comcast Corp. v. Federal Communications
Commission, No. 08-1291 (D.C. Cir., Apr. 6, 2010).
FTC
Announces Review of COPPA Rule
On March 24, 2010 the Federal Trade Commission
initiated a long anticipated review of the Children's
Online Privacy Protection Act Rule1 (COPPA Rule) to consider
expanding current provisions intended to protect the online
privacy of children. The announcement comes at a time when
the agency is undertaking a wholesale examination of privacy
in a wide range of contexts, including mobile communications,
social networking and online gaming. The focus of this proceeding
involves the impact of location based services and mobile
devices on children's privacy.
The COPPA Rule currently prohibits operators
of commercial websites and online services from collecting
personal information from children under the age of 13 without
first seeking the consent of a parent or legal guardian. Covered
entities must also employ reasonable measures to protect the
confidentiality, security and integrity of the information
they collect.
In the notice published in the Federal
Register, the FTC emphasized that changes to the online
environment, including the increasing use of mobile technology
by children to access the Internet, warrant accelerated review
of the rule. The notice specifically seeks comment on how
the use of this technology, interactive television and gaming
or other interactive media impact COPPA enforcement.
The outcome of this proceeding could
have a significant impact on businesses that are subject
to its requirements. Expansion of the definitions of such
key terms as personal information and the Internet
could impose additional burdens on operators of children's
and general audience websites alike, which could, in turn,
make it more difficult for businesses to engage young people
and even adults online. The interest in age verification
and filtering technologies should be seen as an indication
that the FTC may not be satisfied with the current framework
for protecting children's privacy.
The FTC is specifically interested in:
- the use of automated systems to filter technology prior
to posting as a means for effectively reviewing content
generated by children;
- whether operators have the ability to contact specific
individuals using information collected from children
online, such as persistent IP addresses, mobile geolocation
data, or information collected in connection with behavioral
advertising, and whether the rule's definition of
personal information should be expanded accordingly;
- whether there are additional technological methods for
obtaining verifiable parental consent that should be added
to the rule, and whether any of the methods currently
included should be removed;
- whether parents are exercising their right under the
rule to review or delete personal information collected
from their children, and what challenges operators face
in authenticating parents; and
- whether the rule's process for FTC approval of
self-regulatory guidelines known as safe harbor
programs has enhanced compliance, and whether the
criteria for FTC approval and oversight of the guidelines
should be modified in any way.
Comments are due June 30, 2010. A public
roundtable meeting has been scheduled for June
2, 2010, during which interested parties may share their
views with agency staff, scholars, privacy advocates and
businesses. Click here
to view the text of the request for comment.
If you would like more information about
the rule and the proposed changes, please contact Karen
Neuman at kneuman@slrno.com.
The National Broadband Plan
In response to a congressional mandate,
the Federal Communications Commission (FCC) sent
to Congress on March 16, 2010, the National Broadband Plan
(NBP), in which it evaluated the current state
of broadband deployment and made specific recommendations
for the future, to encourage economic growth, job creation,
global competitiveness and the like.
The FCC proposed that the government act
in four specific ways to achieve these objectives:
- Designing policies that promote robust competition
and that maximize innovation, investment and consumer welfare;
- Ensuring efficient allocation and management of
government-owned and government-influenced assets (such as
spectrum, infrastructure, and rights-of-way) in a manner that
encourages network upgrades and competitive entry;
- Reforming current universal service mechanisms to
support both the deployment of broadband and voice in high-cost
areas (e.g., primarily rural) and efforts to boost adoption
and utilization by making broadband more affordable; and
- Reforming laws, policies, standards and incentives
to maximize the benefits of broadband in highly government-controlled
or influenced sectors such as public education, health care,
energy, homeland security, economic opportunity and government
operations.
The NBP outlines six specific goals
to be adopted by 2020:
- At least 100 million homes should
have affordable access to broadband at actual download speeds
of at least 100 megabits per second, and actual upload speeds
of at least 50 megabits per second;
- The U.S. should lead the world in mobile innovation,
with the fastest and most extensive wireless networks of
any nation;
- Every American should have affordable access to
robust broadband service and the means and skills to subscribe
to it if they so choose;
- Every American community should have affordable
access to at least 1 gigabit per second broadband service
for anchor institutions, such as schools, hospitals, and
government buildings;
- Every first responder should have access to a
nationwide, wireless, interoperable broadband public safety
network; and
- Every American should be able to use broadband
to track and manage their real-time energy consumption.
One of the most interesting provisions of the NBP is the
identified need for some 500 MHz of additional spectrum
to support mobile broadband, a substantial portion of which
is proposed to be reallocated from television broadcasting.
The broadcast and mobile services industries have been engaged
in a running battle over spectrum for decades. In the late-1970s
through early-1980s the FCC reallocated the then-generally
fallow 800 MHz segment of the UHF TV band for the development
of the first cellular networks. Twenty-some years later,
the broadcasters surrendered another hefty slice of their
upper-UHF allocation, the 700 MHz band (the bulk of which
was auctioned off 3 years ago for Advanced Wireless Services),
in return for which they were authorized to provide digital
television, as well as multichannel video and information
services. Now, having completed that not-inexpensive transition
to digital operation a year ago, the FCC is proposing that
television licensees voluntarily surrender their
licenses for reallocation and auction for mobile services,
in return for a portion of the auction revenue.
While the FCC clearly has the legal authority under the
Communications Act to reallocate the subject spectrum today
(setting aside whether it has the political will to exercise
that authority), granting the broadcasters a piece of the
auction pie is not within the agency's gift. That part
of the proposed deal will require congressional
approval, which, if granted, will also provide the Commission
with the necessary political cover for the reallocation.
Another component of this deal that has been mentioned
is granting those broadcasters who surrender their licenses
the opportunity to become (for lack of a better characterization)
local cable channels, with guaranteed access to the local
cable systems (the ex-broadcast signal presumably would
be distributed directly to cable head-ends via fiber). Here,
too, congressional action would be required to create this
new broadcast/cable relationship. How this might
fare in the face of the inevitable constitutional challenge
is problematic at best, given the fairly thin constitutional
reed that presently upholds the current must-carry regime.
The obvious battle lines have been drawn on the Hill, and,
as always, the devil will be in the details, while the law
of unintended consequences - - the most pervasive law in
Washington, DC - - will be fully in play. It will be fascinating
- - if not necessarily an inspiring civics lesson - - to
watch this process play itself out.
Additional spectrum-related issues also will be addressed
in the various inquiry and rulemaking proceedings that will
be initiated or reactivated by the FCC during the following
months. These will involve, among others, examining ways
to accelerate the deployment of spectrum-based smart-grid
systems, low-power patient-monitoring technologies, and
networks designed to operate in the white spaces.
Particularly with respect to white-space technologies, the
Commission faces a potential dilemma. Its recent opening
of the TV white spaces for various smart low
power technologies has generated considerable investment
in the development and deployment of such systems. However,
the goal announced in the NBP, to reallocate a substantial
portion of the TV band, may negatively impact the development
of these new white space systems. The Commission must take
considerable care to not inadvertently undermine these valuable
new technologies, which can greatly increase the efficiency
of use of many spectrum bands.
To read the full text of the National
Broadband Plan, please click here.
For additional information on this or
other matters, please contact Jeff Olson at jolson@stlro.com,
202-454-9401 or 703-628-2142.
The
mobile frontier: Karen Neuman's article on recent legal developments
in mobile advertising in the Electronic Retailer magazine
"The accelerated growth of mobile
commerce, combined with the acuity of location-based applications
makes it possible for direct response retailers to use the
mobile channel for locally targeted mass marketing. One estimate,
according to Mobile Marketer, puts worldwide mobile phone
connections at 4 billion; while another by Neustar and SMS
Mobile Marketing predicts that mobile revenue in the United
States will reach $3.3 billion by 2013. SMS text messages
dominates mobile advertising in markets like the U.S."
Read more: http://www.electronicretailermag.com/er0310_frontier