Posts in Online Privacy.

On November 8, 2017, Sears Holding Management Corporation (“Sears”) requested that the FTC reopen and modify a 2009 Commission Order (the “Order”) settling charges that Sears inadequately disclosed the scope of consumer data collected through the company’s software application. The initial FTC complaint alleged that Sears represented to consumers that its downloadable software application would track users’ “online browsing,” but in fact tracked nearly all of the users’ Internet behavior. Sears petitioned the FTC to modify the Order’s definition of ...

Recently, the Office of the Privacy Commissioner of Canada (“OPC”) issued its 2017 Global Privacy Enforcement Network Sweep results (the “Report”), which focused on certain privacy practices of online educational tools and services targeted at classrooms. The OPC examined the privacy practices of two dozen educational websites and apps used by K-12 students. The “sweep” sought to replicate the consumer experience by interacting with the websites and apps, and recording the privacy practices and controls in place. The overarching theme of the Report is “user controls over personal information,” which the OPC further refined into four subthemes: (1) transparency, (2) consent, (3) age-appropriate collection and disclosure, and (4) deletion of personal information.

On October 23, 2017, the Federal Trade Commission issued a policy enforcement statement providing additional guidance on the applicability of the Children’s Online Privacy Protection Rule (“COPPA Rule”) to the collection of children’s audio voice recordings. The FTC previously updated the COPPA Rule in 2013, adding voice recordings to the definition of personal information, which led to questions about how the COPPA Rule would be enforced against organizations who collect a child’s voice recording for the sole purpose of issuing a command or request.

On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General. 

On July 27, 2017, the French Data Protection Authority (“CNIL”) imposed a fine of €40,000 on a French affiliate of the rental car company, The Hertz Corporation, for failure to ensure the security of website users’ personal data.

Recently, Nevada enacted an online privacy policy law which will require operators of websites and online services to post a notice on their website regarding their privacy practices. The Nevada law contains content requirements for online privacy notices, specifying that the notice must (1) identify the categories of personally identifiable information (“PII”) collected through the website and the categories of third parties with whom PII may be shared; (2) provide information about users’ ability to review and request changes to PII collected through the website; (3) disclose whether third parties may collect information about users’ online activities from the website; and (4) provide an effective date of the notice.

On June 20, 2017, the UK Information Commissioner’s Office (“ICO”) published an updated version of its Code of Practice on Subject Access Requests (the “Code”). The updates are primarily in response to three Court of Appeal decisions from earlier this year regarding data controllers’ obligations to respond to subject access requests (“SARs”). The revisions more closely align the ICO’s position with the court’s judgments.

On May 25, 2017, Oregon Governor Kate Brown signed into law H.B. 2090, which updates Oregon’s Unlawful Trade Practices Act by holding companies liable for making misrepresentations on their websites (e.g., in privacy policies) or in their consumer agreements about how they will use, disclose, collect, maintain, delete or dispose of consumer information. Pursuant to H.B. 2090, a company engages in an unlawful trade practice if it makes assertions to consumers regarding the handling of their information that are materially inconsistent with its actual practices. Consumers can ...

On April 6, 2017, New York Attorney General Eric T. Schneiderman announced that privacy compliance company TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. According to Attorney General Schneiderman, the enforcement action taken by the NY AG is the first to target a privacy compliance company over children’s privacy.

On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.

On March 3, 2017, the FTC announced the results of a study about online businesses’ use of proper email authentication technology to prevent phishing attacks. The study’s sample included 569 large online businesses with strong ties to the U.S. The FTC found that 86 percent of those businesses use Sender Policy Framework—an email authentication technology that enables Internet Service Providers (“ISPs”) to determine whether an email is from a legitimate source (e.g., whether an email that claims to be from a business’s domain in fact came from the business).

On February 6, 2017, the House of Representatives suspended its rules and passed by voice vote H.R. 387, the Email Privacy Act. As we previously reported, the Email Privacy Act amends the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers.

On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena.

On December 20, 2016, the FTC announced that it has agreed to settle charges that Turn Inc. (“Turn”), a company that enables commercial brands and ad agencies to target digital advertising to consumers, tracked consumers online even after consumers took steps to opt out of tracking.

On December 14, 2016, the FTC announced that the operating companies of the AshleyMadison.com website (collectively, the “Operators”) have settled with the FTC and a coalition of state regulators over charges that the Operators deceived consumers and failed to protect users’ personal information. The FTC worked with a coalition of 13 states, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner to resolve this matter, which was initiated in the wake of the website’s July 2015 data breach.

This post has been updated. 

On October 27, 2016, the Federal Communications Commission (“FCC”) announced the adoption of rules that require broadband Internet Service Providers (“ISPs”) to take steps to protect consumer privacy (the “Rules”). According to the FCC’s press release, the Rules are intended to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.” 

Recently, the Cyberspace Administration of China published for public comment a draft of the Regulations on the Online Protection of Minors (“Draft Regulations”). The Draft Regulations are open for comment until October 31, 2016.

On October 14, 2016, California Attorney General Kamala D. Harris announced the release of a publicly available online form that will enable consumers to report potential violations of the California Online Privacy Protection Act (“CalOPPA”). CalOPPA requires website and mobile app operators to post a privacy policy that contains certain specific content.

A recent study from the National Institute of Standards and Technology (“NIST”) warns that an overabundance of computer security measures might actually lead users to engage in “risky computing behavior at work and in their personal lives.”

On October 27, 2016, the Federal Communications Commission (“FCC”) will vote on whether to finalize proposed rules (the “Proposed Rules”) concerning new privacy restrictions for Internet Service Providers (“ISPs”). The Proposed Rules, which revise previous versions introduced earlier this year, would require customers’ explicit (or “opt-in”) consent before an ISP can use or share a customer’s personal data, including web browsing and app usage history, geolocation data, children’s information, health information, financial information, email and other message contents and Social Security numbers.

On August 25, 2016, WhatsApp announced in a blog post that the popular mobile messaging platform updated its Terms of Service and Privacy Policy to permit certain information sharing with Facebook. After Facebook acquired WhatsApp in 2014, the Director of the FTC’s Bureau of Consumer Protection wrote a letter to both Facebook and WhatsApp that discussed the companies’ obligations to honor privacy statements made to consumers in connection with the acquisition.

On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.

Background

Following the launch of Microsoft’s new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their respective EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.

On June 25, 2016, the Cyberspace Administration of China published its new Administrative Provisions on Internet Information Search Services (the “Provisions”). The Provisions will come into effect on August 1, 2016.

In a recently published decision, the Belgian Court of Cassation confirmed the broad interpretation given to the “right to be forgotten” by a Belgian Court of Appeal (i.e., Cour d’Appel de Liège, 2013/RG/393, September 25, 2014).

The judgment was rendered in a case brought by an individual against a Belgian newspaper for refusing his request to remove from its online archives a 1994 article about a car accident, in which the individual was involved, that caused the death of two people.

On May 23, 2016, half of the EU Member States sent a letter to the European Commission and the Netherlands (which holds the rotating presidency), seeking the removal of barriers to the free flow of data both within and outside the EU so that the EU can benefit from new data-driven technologies, according to Reuters and EurActive.com.

On April 14, 2016, after four years of drafting and negotiations, the long-awaited EU General Data Protection Regulation (“GDPR”) was adopted at the EU level. Following the vote of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs earlier this week and the vote of the EU Parliament in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing EU and national data protection legislation.

On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”

On March 22, 2016, the Ministry of Commerce of the People’s Republic of China published drafts of its proposed (1) Specifications for Business Services in Mobile E-commerce (“Mobile E-commerce Specifications”) and (2) Specifications for Business Services in Cross-border E-commerce (“Cross-border E-commerce Specifications”). A public comment period on these drafts is now open. Comments will be accepted until May 31, 2016.

On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information.

On January 13, 2016, the Russian Data Protection Authority (Roskomnadzor) released its plan for audits this year to assess compliance with Russia’s data localization law, which became effective on September 1, 2015. The localization law requires companies to store the personal data of Russians in databases located in Russia. The audit plan indicates that Roskomnadzor will audit large, multinational companies doing business in numerous jurisdictions and processing the personal data of Russian citizens ...

On January 12, 2016, the European Court of Human Rights (“the Court”) ruled in Bărbulescu v. Romania that companies can monitor their employees’ online communications in certain circumstances.

The case concerned the dismissal of a Romanian engineer, Bărbulescu, by his employer, for the use of the company’s Internet and in particular, Yahoo Messenger, for personal purposes during work hours. The employer alleged that Bărbulescu was violating internal regulations that prohibit the use of the company’s equipment for personal purposes.

On December 28, 2015, the People's Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People's Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.

On November 20, 2015, in an article entitled Transparency and the Future of Driverless Privacy, published by the International Association of Privacy Professionals, Markus Heyder, Vice President of the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP, discussed how “transparency is increasingly understood as a core component of addressing the challenges of the modern information economy” and a key catalyst for a productive and innovative information economy.

On November 5, 2015, the White House released the proposed text of the Trans-Pacific Partnership Agreement (the “TPP”) containing a chapter on cross-border data transfers in the context of electronic commerce. In the chapter on Electronic Commerce, Chapter 14, the TPP includes commitments from participating parties to adopt and maintain a legal framework to protect personal information, and encourages cross-border data transfers to help facilitate business and trade.

On November 2, 2015, Federal Communications Commission (“FCC”) Chairman, Tom Wheeler, indicated in an interview that the agency would take on the issue of broadband privacy within the next several months, most likely in the form of a notice of proposed rulemaking. Chairman Wheeler said that the FCC’s inquiry would look at the privacy practices of “those who provide the networks” (i.e., Internet service providers (“ISPs”)) and how such businesses are protecting their customers’ information.

On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.

On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.

On September 2, 2015, the French Data Protection Authority (“CNIL”) published the results of an Internet sweep of 54 websites visited by children and teenagers. The sweep was conducted in May 2015 to assess whether websites that are directed toward, frequently used by or popular among children comply with French data protection law. As we previously reported, the sweep was coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”). The CNIL and 28 other DPAs that are members of the GPEN participated in the coordinated online audit. A total of 1,494 websites and apps were audited around the world.

On August 11, 2015, the Online Trust Alliance, a nonprofit group whose goal is to increase online trust and promote the vitality of the Internet, released a framework (the “Framework”) for best practices in privacy and data security for the Internet of Things. The Framework was developed by the Internet of Things Trustworthy Working Group, which the Online Trust Alliance created in January 2015 to address “the mounting concerns and collective impact of connected devices.”

On August 7, 2015, Delaware Governor Jack Markell signed four bills into law concerning online privacy. The bills, drafted by the Delaware Attorney General, focus on protecting the privacy of website and mobile app users, children, students and crime victims.

On May 25, 2015, the Privacy and Big Data Institute at Ryerson University in Canada announced that it is offering a Privacy by Design Certification. Privacy by Design is a “framework that seeks to proactively embed privacy into the design specifications of information technologies” to obtain the most secure data protection possible. Organizations that attain the certification will be permitted to post a “Certification Shield” “to demonstrate to consumers that they have withstood the scrutiny of a rigorous third party assessment, assuring the public that their product or service reflects the viewpoint of today’s privacy conscious consumer.”

On July 28, 2015, the UK Supreme Court announced its decision to grant permission in part for Google Inc. (“Google”) to appeal the England and Wales Court of Appeal’s decision in Google Inc. v Vidal-Hall and Others.

Recent class actions filed against Facebook and Shutterfly are the first cases to test an Illinois law that requires consent before biometric information may be captured for commercial purposes. Although the cases focus on biometric capture activities primarily in the social-media realm, these cases and the Illinois law at issue have ramifications for any business that employs biometric-capture technology, including those who use it for security or sales-and-marketing purposes. In a recent article published in Law360, Hunton & Williams partner Torsten M. Kracht and associate Rachel E. Mossman discuss how businesses already using these technologies need to keep abreast of new legislation that might affect the legality of their practices, and how businesses considering the implementation of these technologies should consult local rules and statutes before implementing biometric imaging.

On June 30, 2015, the French Data Protection Authority (the “CNIL”) summarized the results of the cookie inspections it conducted at the end of 2014.

Legislators in New Hampshire and Oregon recently passed bills designed to protect the online privacy of students in kindergarten through 12th grade.

On June 11, 2015, New Hampshire Governor Maggie Hassan (D-NH) signed H.B. 520, a bipartisan bill that requires operators of websites, online platforms and applications targeting students and their families (“Operators”) to create and maintain “reasonable” security procedures to protect certain covered information about students. H.B. 520 also prohibits Operators from using covered information for targeted advertising. H.B. 520 defines covered information broadly as “personally identifiable information or materials,” including name, address, date of birth, telephone number and educational records, provided to Operators by students, their schools, their parents or legal guardians, or otherwise gathered by the Operators.

On June 9, 2015, Max Schrems tweeted that the Advocate General of the European Court of Justice (“ECJ”) will delay his opinion in Europe v. Facebook, a case challenging the U.S.-EU Safe Harbor Framework. The opinion was previously scheduled to be issued on June 24. No new date has been set.

On May 25, 2015, the French Data Protection Authority (“CNIL”) released its long-awaited annual inspection program for 2015. Under French data protection law, the CNIL may conduct four types of inspections: (1) on-site inspections (i.e., the CNIL may visit a company’s facilities and access anything that stores personal data); (2) document reviews (i.e., the CNIL may require an entity to send documents or files upon written request); (3) hearings (i.e., the CNIL may summon representatives of organizations to appear for questioning and provide other necessary information); and (4) since March 2014, online inspections.

On May 13, 2015, the Belgian Data Protection Authority (the “DPA”) published a recommendation addressing the use of social plug-ins associated with Facebook and its services (the “Recommendation”). The Recommendation stems from the recent discussions between the DPA and Facebook regarding Facebook’s privacy policy and the tracking of individuals’ Internet activities.

On May 7, 2015, the Digital Advertising Alliance (“DAA”) announced that, as of September 1, 2015, the Council of Better Business Bureaus and the Direct Marketing Association will begin to enforce the DAA Self-Regulatory Principles for Online Behavioral Advertising and the Multi-Site Data Principles (collectively, the “Self-Regulatory Principles”) in the mobile environment.

On May 11, 2015, the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (“ICO”) announced that they will participate in a coordinated online audit to assess whether websites and apps that are directed toward children, and those that are frequently used by or popular among children, comply with global privacy laws. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:

  • personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
  • a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
  • unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).

On April 16, 2015, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2014 (the “Report”) highlighting its main accomplishments in 2014 and outlining some of the topics it will consider further in 2015.

On March 23, 2015, the Federal Trade Commission announced the formation of the Office of Technology Research and Investigation (“OTRI”), which the FTC describes as “an office designed to expand the FTC’s capacity to protect consumers in an age of rapid technological innovation.”

On March 13, 2015, the U.S. Department of Commerce Internet Policy Task Force (“IPTF”) issued a request for public comment regarding cybersecurity issues affecting the digital economy. The IPTF’s request invites all stakeholders interested in cybersecurity to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” For each issue identified, the IPTF’s request for comment asks interested parties to opine on a series of questions, including (1) why the issue is suited to a multistakeholder process and (2) why a multistakeholder process would benefit the digital ecosystem.

On February 26, 2015, the Department of Education’s Privacy Technical Assistance Center (“PTAC”) issued guidance to assist schools, school districts and vendors with understanding the primary laws regulating student privacy and how compliance with those laws may be affected by Terms of Service (“TOS”) offered by providers of online educational services and mobile applications. The guidance also is intended to aid school districts and schools in implementing separate guidance issued by the PTAC in February 2014. The guidance was accompanied by a short training video directed to teachers, administrators and other relevant staff.

On March 3, 2015, Steven Barnes, the host of the new Penn Law podcast series, Case in Point: Great Minds on Law and Life, interviewed Lisa Sotto, partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, and Anita Allen, professor of law and philosophy at the University of Pennsylvania Law School and vice provost for faculty, on trends in privacy and cybersecurity, discussing what we mean when we talk about our right to privacy.

On February 27, 2015, the White House released a highly-anticipated draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Act”) that seeks to establish baseline protections for individual privacy in the commercial context and to facilitate the implementation of these protections through enforceable codes of conduct. The Federal Trade Commission is tasked with the primary responsibility for promulgating regulations and enforcing the rights and obligations set forth in the Act.

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

On January 1, 2015, Finland’s Information Security Code (2014/917, the “Code”) became effective. The Code introduces substantial revisions to Finland’s existing electronic communications legislation and consolidates several earlier laws into a single, unified text. Although many of these earlier laws remain unchanged, the Code includes extensive amendments in a number of areas.

On January 27, 2015, the Federal Trade Commission announced the release of a report on the Internet of Things: Privacy and Security in a Connected World (the “Report”). The Report describes the current state of the Internet of Things, analyzes the benefits and risks of its development, applies privacy principles to the Internet of Things and discusses whether legislation is needed to address this burgeoning area. The Report follows a workshop by the FTC on this topic in November 2013.

On January 12, 2015, the European Union Agency for Network and Information Security (“ENISA”) published a report on Privacy and Data Protection by Design - from policy to engineering (the “Report”). The “privacy by design” principle emphasizes the development of privacy protections at the early stages of the product or service development process, rather than at later stages. Although the principle has found its way into some proposed legislation (e.g., the proposed EU General Data Protection Regulation), its concrete implementation remains presently unclear. Hence, the Report aims to promote a discussion on how the principle can be implemented concretely and effectively with the help of engineering methods.

Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than only to owners of databases. The bill also would expand Indiana’s breach notification law by eliminating the requirement that the breached data be computerized for notices to be required.

Time 2 Minute Read

On January 5, 2015, the State Administration for Industry and Commerce of the People’s Republic of China published its Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers (the “Measures”). The Measures contain a number of provisions defining circumstances or actions under which enterprise operators may be deemed to have infringed the rights or interests of consumers. These provisions are consistent with the basic rules in the currently effective P.R.C. Law on the Protection of Consumer Rights and Interests (“Consumer Protection Law”). The Measures will take effect on March 15, 2015.

Time 3 Minute Read

On January 13, 2015, President Obama announced legislative proposals and administration efforts with respect to cybersecurity, including a specific proposal for a national data breach notification standard. Aside from the national data breach notification standard, the President’s other proposals are designed to (1) encourage the private sector to increase the sharing of information related to cyber threats with the federal government and (2) modernize law enforcement to effectively prosecute illegal conduct related to cybersecurity.

Time 3 Minute Read

On January 6, 2015, Federal Trade Commission Chairwoman Edith Ramirez gave the opening remarks on “Privacy and the IoT: Navigating Policy Issues” at the 2015 International Consumer Electronics Show (“International CES”) in Las Vegas, Nevada. She addressed the key challenges the Internet of Things (“IoT”) poses to consumer privacy and how companies can find appropriate solutions that build consumer trust.

Time 2 Minute Read

On January 12, 2015, President Obama announced at the Federal Trade Commission several new initiatives on data security and consumer privacy as part of a weeklong focus on privacy and cybersecurity. He noted that on January 13 at the Department of Homeland Security, he would address how to improve protections against cyber attacks, and on January 14, he would address how more Americans can have access to faster and cheaper broadband Internet. He stated that the announcements he is making this week are “sneak previews” of the proposals he will make in next week’s State of the Union address.

Time 2 Minute Read

On December 31, 2014, Russian President Vladimir Putin signed legislation to move the deadline for compliance to September 1, 2015, for Federal Law No. 242-FZ (the “Localization Law”), which requires companies to store the personal data of Russian citizens in databases located in Russia. The bill that became the Localization Law was adopted by the lower chamber of Russian Parliament in July 2014 with a compliance deadline of September 1, 2016. The compliance deadline was then moved to January 1, 2015, before being changed to September 1, 2015 in the legislation signed by President Putin.

Time 2 Minute Read

On December 9, 2014, a coalition of 23 global privacy authorities sent a letter to the operators of mobile application (“app”) marketplaces urging them to require privacy policies for all apps that collect personal information. Although the letter was addressed to seven specific app marketplaces, the letter notes that it is intended to apply to all companies that operate app marketplaces.

Time 2 Minute Read

On December 5, 2014, the National Institute of Standards and Technology (“NIST”) released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). NIST issued the Framework earlier this year in February 2014 at the direction of President Obama’s February 2013 Critical Infrastructure Executive Order. The update is based on feedback NIST received in October at the 6th Cybersecurity Framework Workshop as well as from responses to an August Request for Information.

Time 6 Minute Read

On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.

Time 3 Minute Read

On November 25, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 9/2014 (the “Opinion”) on device fingerprinting. The Opinion addresses the applicability of the consent requirement in Article 5.3 of the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) to device fingerprinting. As more and more website providers suggest using device fingerprinting instead of cookies for the purpose of providing analytics or for tracking purposes, the Working Party clarifies how the rules regarding user consent to cookies apply to device fingerprinting. Thus, the Opinion expands on Opinion 04/2012 on the Cookie Consent Exemption.

Time 1 Minute Read

On November 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including a report on the International Conference of Data Protection and Privacy Commissioners, highlights on the Council of the European Union’s proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation, and U.S. highlights on California’s breach report and Federal Communications Commission enforcement actions.

Time 2 Minute Read

On November 12, 2014, the Federal Trade Commission announced that in response to FTC complaints, a federal court has ordered two debt brokerage companies to notify over 70,000 consumers whose sensitive personal information was posted on a public website by the debt brokerage companies.

Time 2 Minute Read

On October 22, 2014, the Federal Trade Commission announced that several interrelated online marketing and advertising companies (“Stipulating Defendants”) agreed to pay nearly $10 million to settle allegations that they engaged in a pattern of text message spamming, robocalling and mobile cramming practices in violation of Section 5 of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule.

Time 2 Minute Read

On October 16, 2014, the 36th International Conference of Data Protection and Privacy Commissioners in Mauritius hosted a panel including representatives from the European Data Protection Supervisor (“EDPS”) and Hunton & Williams to discuss the need for a coordinated approach to net neutrality and data protection in the EU. While there are divergent views on what net neutrality should (or should not) entail, net neutrality in the EU typically refers to the principle that all Internet traffic is treated equally and without discrimination, restriction or interference.

Time 2 Minute Read

On October 14, 2014, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.

Time 4 Minute Read

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

Time 2 Minute Read

A recent decision by the United States Court of Appeals for the Ninth Circuit reinforces the importance of obtaining affirmative user consent to website Terms of Use for website owners seeking to enforce those terms against consumers. In Nguyen v. Barnes & Noble Inc., the Ninth Circuit held that Barnes & Noble’s website Terms of Use (“Terms”) were not enforceable against a consumer because the website failed to provide sufficient notice of the Terms, despite having placed conspicuous hyperlinks to the Terms throughout the website.

Time 4 Minute Read

On September 17, 2014, the Federal Trade Commission announced that the online review site Yelp, Inc., and mobile app developer TinyCo, Inc., have agreed to settle separate charges that they collected personal information from children without parental consent, in violation of the Children’s Online Privacy Protection Rule (the “COPPA Rule”).

Time 2 Minute Read

On September 18, 2014, the French Data Protection Authority (the “CNIL”) announced plans to review 100 French websites on September 18-19, 2014. This review is being carried out in the context of the European “cookies sweep day” initiative, an EU online compliance audit. The Article 29 Working Party organized this joint action, which runs from September 15-19, 2014, to verify whether major EU websites are complying with EU cookie law requirements.

Time 1 Minute Read

On September 16, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including updates in the EU and Germany, highlights on the UK Information Commissioner’s Office annual report and an APEC update.

Time 2 Minute Read

On September 8, Vermont Attorney General William Sorrell announced that SEI/Aaron’s, Inc. has entered into an assurance of discontinuance, which includes $51,000 in total fines, to settle charges over the company’s remote monitoring of its customers’ leased laptops. The settlement stems from charges accusing SEI/Aaron’s, an Atlanta-based franchise of the national rent-to-own retailer Aaron’s, Inc., of unlawfully using surveillance software on its leased laptops to assist the company in the collection of its customers’ overdue rental payments. The Vermont Office of the Attorney General claimed that such remote monitoring of the laptop users’ online activities in connection with debt collection constituted an unfair practice in violation of the Vermont Consumer Protection Act.

Time 1 Minute Read

On September 10, 2014, the Global Privacy Enforcement Network (“GPEN”) published the results of an enforcement sweep carried out in May of this year to assess mobile app compliance with data protection laws. Twenty-six data protection authorities worldwide evaluated 1,211 mobile apps and found that a large majority of the apps are accessing personal data without providing adequate information to users.

Time 2 Minute Read

On September 4, 2014, the Federal Trade Commission announced a proposed settlement with Google Inc. (“Google”) stemming from allegations that the company unfairly billed consumers for mobile app charges incurred by children. The FTC’s complaint alleges that since 2011, Google violated the FTC Act’s prohibition on unfair commercial practices by billing consumers for in-app charges made by children without the authorization of the account holder.

Time 1 Minute Read

On September 15-16, 2014, the National Institute of Standards and Technology (“NIST”) will sponsor a workshop to further its Privacy Engineering initiative. The workshop will focus on developing draft privacy engineering definitions and concepts that will be explored in a forthcoming NIST report.

Time 3 Minute Read

On August 19, 2014, the German Federal Ministry of the Interior published a revised draft cybersecurity law (the “Draft Law”). An earlier version of the law was published in March 2013. The Draft Law is intended to serve as a cornerstone of Germany’s recently-announced digital agenda.

Time 4 Minute Read

On August 14, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) submitted its response to the National Telecommunications and Information Administration’s (“NTIA’s”) request for public comment on big data and consumer privacy issues. The NTIA’s request, which follows the White House’s recent study of big data, the May 2014 Big Data Report, and the associated President’s Council of Advisors on Science and Technology Report, seeks further public input on how big data impacts the Consumer Privacy Bill of Rights, and whether the Consumer Privacy Bill of Rights should be modified to contemplate big data.

Time 1 Minute Read

On August 6, 2014, the Federal Trade Commission announced that it had approved a safe harbor program submitted by the Internet Keep Safe Coalition (“iKeepSafe”), stating the program provides the “same or greater protections” for children under the age of 13 as those contained in the new Children’s Online Privacy Protection Rule (the “COPPA Rule”). An updated version of the COPPA Rule came into effect July 1, 2013.

Time 3 Minute Read

On August 1, 2014, the Federal Trade Commission released a new staff report examining the consumer protection implications of popular mobile device applications that provide shopping and in-store purchase services. The report, What’s the Deal? An FTC Study on Mobile Shopping Apps, details the findings from a recent FTC staff survey that studied consumer rights and data protection issues associated with some of the most popular mobile shopping apps on the market.

Time 2 Minute Read

On July 31, 2014, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on its Telemarketing Sales Rule (“TSR”) as “part of the FTC’s systematic review of all current Commission regulations and guides.” In the press release accompanying the Federal Register notice, the FTC stated that its questions for the public focus on (1) the use and sharing of pre-acquired account information in telemarketing, and (2) issues raised by the use of negative-option and free-trial offers in combination with general media ads designed to generate inbound telemarketing calls from consumers. The FTC’s review process comes less than a year after the Federal Communications Commission’s revisions to its Telephone Consumer Protection Act rules became effective.

Time 2 Minute Read

The EU Sub-Committee on Home Affairs, Health and Education of the UK House of Lords has published its Second Report for 2013-14, entitled EU Data Protection Law: A 'Right to Be Forgotten'? (the “Report”). The Report summarizes the findings of the Sub-Committee’s investigation into the right to be forgotten, and was triggered in large part by the European Court of Justice’s (“ECJ’s”) decision in Google v. Costeja (Case C-131/12, “Costeja”). In Costeja, the ECJ held that individuals have a right to request that their personal data no longer be displayed by online search engines in the results for searches made on the basis of the individual’s name, particularly if the information is inadequate, irrelevant or excessive (commonly referred to as the “right to be forgotten”).

Time 1 Minute Read

On July 15, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including the recent judgment in the Costeja case, the Centre for Information Policy Leadership’s work on a risk-based approach to privacy, the new Canadian anti-spam legislation that went into effect on July 1, and other developments in the U.S. and EU.

Time 2 Minute Read

On July 16, 2014, the Federal Trade Commission posted revisions to its Frequently Asked Questions that provide guidance on complying with the Children’s Online Privacy Protection Rule (the “COPPA Rule”). The revisions, which are in Section H of the FAQs, address the COPPA Rule requirement that operators of certain websites and online services obtain a parent’s consent before collecting personal information online from a child under the age of 13.

Time 3 Minute Read

On July 10, 2014, the UK government announced plans to introduce emergency data retention rules, publishing the Data Retention and Investigatory Powers Bill (the “Bill”) along with explanatory notes and draft regulations. The publication of the Bill follows the European Court of Justice’s April 2014 declaration that the EU Data Retention Directive (the “Directive”) is invalid. Under the Directive, EU Member States were able to require communications service providers (e.g., ISPs) to retain communications data relating to their subscribers for up to 12 months.

Time 2 Minute Read

On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.

Time 2 Minute Read

On July 10, 2014, the Federal Trade Commission announced that it filed a complaint against Amazon.com, Inc. (“Amazon”) for failing to obtain the consent of parents or other account holders prior to billing them for in-app charges incurred by children. According to the complaint, Amazon, which offers children’s apps through its Appstore, bills Amazon account holders in real money for virtual items that children obtain within an app (i.e., “in-app” charges).

Time 2 Minute Read

Last week, the Russian Parliament adopted a bill amending portions of Russia’s existing legislation on privacy, information technology and data protection. Among other provisions, the law would create a “data localization” obligation for companies engaged in the transmission or recording of electronic communications over the Internet. Such companies would be required to store copies of the data for a minimum of six months in databases that must be located within the Russian Federation. The new bill also would empower the Russian data protection authority to block public Internet access to any service that does not comply with this requirement.

Time 2 Minute Read

On July 1, 2014, the Federal Court of Justice of Germany ruled that website operators cannot be compelled to disclose a user’s personal data to third parties in the context of civil defamation proceedings. The case is notable as it clarifies the limits Germany’s Telemedia Act places on how and when personal data can be disclosed in an online context.

Time 3 Minute Read

The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a white paper entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice. This is the first paper in the Centre’s new multi-year Privacy Risk Framework Project. It follows the Centre’s March 2014 Risk Workshop, held in Paris with Centre members, privacy experts, regulators and other stakeholders. The Risk Framework Project is the next phase of the Centre’s earlier work on organizational accountability, focusing specifically on one important aspect of accountability – conducting risk assessments that identify, evaluate and mitigate the privacy risks to individuals posed by an organization’s proposed data processing.

Time 2 Minute Read

On June 2, 2014, the U.S. Department of Justice announced a U.S.-led multinational effort to disrupt the “Gameover Zeus” botnet and the malware known as “Cryptolocker.” The DOJ also unsealed charges filed in Pittsburgh, Pennsylvania and Omaha, Nebraska against an administrator of Gameover Zeus.
