Privacy & Information Security Law Blog

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

Today three advocacy organizations filed a complaint with the Federal Trade Commission (“FTC”), demanding that it investigate and impose drastic requirements on entities involved in online data analytics and behavioral advertising.  In their complaint, the U.S. Public Interest Research Group (“U.S. PIRG”), the Center for Digital Democracy and the World Privacy Forum target Google, Yahoo!, BlueKai, PubMatic, TARGUSinfo and others for allegedly participating in what the U.S. PIRG terms a “Wild West” of online collection and auctioning of data for marketing purposes.

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.

On January 29, 2009, the German Federal Network Agency (the “Agency”) stated in a press release that it has imposed fines for unauthorized telephone advertising in six cases.  This brings the total to nine procedures (resulting in €500,000 in fines) during the months of December 2009 and January 2010, and marks the first time the Agency has imposed sanctions for violations of the prohibition on unauthorized telephone advertising and for breach of the caller ID requirement for marketing calls.

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a ...

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement.  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire.  The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

A class action complaint filed on December 9, 2009, in Illinois federal court alleges that WideOpen West, Finance, LLC ("WOW"), an Internet service provider, violated its users' privacy by "installing spyware devices on its broadband networks."  Valentine v. WideOpen West (N.D. Ill., No. 1:09-cv-07653).  This action against WOW follows the October 6, 2009, dismissal by a district court in California of similar claims against six out-of-state ISP defendants (including WOW) filed in November 2008 by the same lead plaintiff.  The court in Valentine v. NebuAd, Inc. et al. (N.D. Cal., No. 3:08-cv-05113) found that the ISP defendants were not subject to personal jurisdiction in California, leaving the now-defunct NebuAd as the only defendant in that case.  Plaintiff Valentine has now brought this action against WOW in the Northern District of Illinois.

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy."  The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts.  The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace.  Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

On November 3, 2009, the Higher Regional Court of Düsseldorf (OLG Düsseldorf, Az. I-20 U 137/09) ruled on the duty to verify consent for email marketing with respect to purchased email addresses. According to the Court, a company that purchases email addresses for marketing purposes must verify customer consent itself – the company cannot rely on a data broker’s statement that it obtained the necessary consents.

This decision came in an interim injunction proceeding to cease unsolicited email marketing. The Court ruled in favor of the claimant, finding that the company ...

On October 5, 2009, the Federal Trade Commission (“FTC”) issued amendments to its Guides for the Use of Endorsements and Testimonials in Advertising (“Guides”).  Reactions to the amendment have primarily focused on the provisions that require bloggers to disclose their relationship with companies whose products they endorse.  Largely absent from the commentary, however, have been observations regarding theories articulated in the amendments that demonstrate the risk of enforcement for companies that do not have a blog and that do not use third-party bloggers for promotion.

On September 15, 2009, the Federal Trade Commission unveiled a series of public roundtables that will focus on the effect of modern technology and business practices on the privacy of consumer information.  The goal of the panels is to explore how to best balance the concerns for consumer privacy, beneficial use of consumer information and technological innovation.  The discussions will address myriad technologies and practices, such as social networking, cloud computing, behavioral marketing, mobile marketing and, generally, the collection of consumer information for ...

On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the validity of the Act to Prevent Predatory Marketing Practices Against Minors (the “Act”), which is set to take effect on September 12, 2009.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for ...

New Hampshire recently enacted legislation restricting the use and disclosure of protected health information (“PHI”). As of January 1, 2010, health care providers and their business associates will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under the New Hampshire statute.

The New Hampshire law requires health care providers and their business associates to (i) obtain authorization for the use or disclosure of PHI for “marketing” and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, it prohibits the disclosure of PHI for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.

On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (the “Act”) will take effect.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  Pursuant to the Act, the use of information in such a manner is a ...

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law ...

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection."  According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine up to € 50,000.

In addition, the Act clarifies that a commercial phone call is only lawful if the recipient has given his or her prior explicit consent to receive the call.  The provision is intended to prevent the caller's reliance on consent that may have been given by the recipient in a totally different ...

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. 

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates.  This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices.  In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes.  The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used.  At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising.  These Self-Regulatory Principles are designed to encourage industry self regulation for the protection of consumer privacy in online advertising activities.  The FTC is in the process of reviewing the privacy issues raised by online behavioral advertising over the course of the last decade.  An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007.  In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation.  If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

The UK Advertising Standards Authority (“ASA”) recently upheld a complaint under the UK Committee of Advertising Practice Code (“CAP Code”) which requires UK marketers to obtain the explicit consent of consumers before disclosing their personal information to third parties for direct marketing purposes.

As part of its ongoing efforts to examine evolving internet marketing practices, earlier today the Federal Trade Commission released a report on self-regulation of online behavioral advertising.  This report analyzes the comments received from interested parties in response to proposed self-regulatory principles issued by the Commission in December 2007.  It covers a wide range of issues including the increasingly blurred line between personally identifiable information and non-personally identifiable information and the applicability of regulations to "first party" ...

The Federal Trade Commission ("FTC") recently settled complaints against two telemarketing companies that allegedly called numbers listed on the National Do Not Call Registry.  The companies will pay a combined total of nearly $1.2 million dollars in civil penalties to settle charges that their marketing practices ran afoul of the Telemarketing Sales Rule ("TSR").

On December 1, 2008, a strict anti-spam law came into effect in Israel.  The legislation, enacted as an amendment to the country’s Communications Law, prohibits the delivery of advertisements using mobile text messaging, email, fax or automatic dialing systems without first obtaining the recipient’s explicit written consent.  The law contains several exceptions to the prior consent requirement.  For example, advertisers may reach out to businesses to inquire whether they wish to receive marketing communications.  Advertisers also may send unsolicited marketing ...

A California state Court of Appeal has ruled that a California law barring merchants from collecting “personal identification information” in connection with certain credit card transactions does not prohibit the collection of a five-digit ZIP Code alone. Party City Corp. v. Superior Court of San Diego County, No. D053530, 2008 WL 5264023 (Cal. Ct. App. Dec. 19, 2008).