Privacy & Information Security Law Blog

On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.

On December 6, 2012, California Attorney General Kamala D. Harris announced a lawsuit against Delta Air Lines, Inc. (“Delta”) for violations of the California Online Privacy Protection Act (“CalOPPA”). The suit, which the Attorney General filed in the San Francisco Superior Court, alleges that Delta failed to conspicuously post a privacy policy within Delta’s “Fly Delta” mobile application to inform users of what personally identifiable information is collected and how it is being used by the company. CalOPPA requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service,” such as a mobile application, to post a privacy policy that contains the elements set out in CalOPPA. According to Attorney General Harris’ complaint, Delta has operated the “Fly Delta” application for smartphones and other electronic devices since at least 2010. The complaint alleges that “[d]espite collecting substantial personally identifiable information (“PII”) such as user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.”

On December 5, 2012, the Federal Trade Commission announced that the online advertising company Epic Marketplace, Inc. (“Epic”) agreed to settle charges that it engaged in “history sniffing” to secretly and illegally collect information about consumers’ interest in sensitive medical and financial issues. History sniffing is the practice of determining whether a consumer has previously visited a webpage by checking how a browser displays a hyperlink. The consent order requires Epic to destroy all data collected from history sniffing and bars Epic from engaging in history sniffing in the future.

On November 20, 2012, the European Network and Information Security Agency (“ENISA”) published a new report entitled “The Right to Be Forgotten – Between Expectations and Practice.” The report complements two earlier papers which focused on data collection and storage and online behavioral advertising, and focuses on the technical implications of the proposed General Data Protection Regulation’s new right to be forgotten.

On November 21, 2012, the UK Committee of Advertising Practice (“CAP”) released new rules on online behavioral advertising (“OBA”). CAP is the UK body which writes and maintains the UK advertising codes, which are administered and enforced by the UK Advertising Standards Authority (“ASA”).

On November 21, 2012, the UK Supreme Court handed down a judgment in The Rugby Football Union vs. Consolidated Information Services Limited (Formerly Viagogo Limited), a case addressing the application of Article 8 of the EU Charter of Fundamental Rights (Protection of Personal Data) in the context of court orders seeking to disclose the identities of alleged wrongdoers.

On November 27, 2012, the International Chamber of Commerce of the United Kingdom (“ICC UK”) released the second edition of its cookie guidance (the “Guidance”). The ICC UK released the first edition of the Guidance in April of this year, and has produced this latest version to take into account updated guidance released by the UK Information Commissioner’s Office (“ICO”), the Article 29 Working Party Opinion 04/2012 on cookie consent exemption and new UK advertising rules on online behavioral advertising.

On November 19, 2012, 40 German advertising associations launched the “German Data Protection Council for Online Advertising,” a new initiative to coordinate and enforce self-regulation in the German online behavioral advertising (“OBA”) sector. The initiative is linked to the European Interactive Digital Advertising Alliance (“EDAA”), which manages the self-regulation efforts of the European online advertising industry.

In late October 2012, California Attorney General Kamala D. Harris began sending letters to approximately 100 mobile app operators, informing them that they are not in compliance with the California Online Privacy Protection Act (“CalOPPA”). Pursuant to CalOPPA, “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” must post a privacy policy that contains specified elements. A mobile app arguably could be an “online service” under CalOPPA, which provides that an online service operator that collects “personally identifiable information” and “fails to post its policy within 30 days after being notified of noncompliance” is in violation of CalOPPA. The law affects a wide range of mobile app operators because of its very broad definition of “personally identifiable information,” which includes any “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form,” such as a name, an email address or any other identifier “that permits the physical or online contacting of a specific individual.”

On November 15, 2012, the UK Office of Fair Trading (the “OFT”) launched a call for information to investigate whether offering “personalized pricing” based on data companies collect about consumers’ online behavior violates consumer protection legislation in the UK. The OFT will look at how companies gather data related to “consumers’ browsing history, purchases, demographic, hardware, operating system, etc and use this to personalise products and prices.” In particular, as indicated on the OFT’s website, the OFT will analyze:

In partnership with SC Magazine, we are pleased to announce that on November 22-23, 2012, SC Magazine will host its 2012 Virtual Summit “Tackling the Big 3: Clouds, Consumerisation, Cybercrime,” featuring Hunton & Williams partner Bridget Treacy. Following a year of sharp increases in data breaches and regulatory fines, the SC Summit will explore and focus on cybercrime, mobile devices and cloud security – three key priorities for 2013. Bridget Treacy and Paul Swarbrick, Chief Information Security Officer and Head of Cybersecurity for National Air Traffic Services, will open the Summit with their keynote presentation, “Where’s the Danger? From Cybercrime to Consumerisation to the Cloud, Today’s Most Potent Threats Unmasked.” Paul will discuss the data security issues that keep him awake at night and Bridget will offer vital, current perspective on the ever-changing legal landscape.

On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This bi-annual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

Reporting from Washington, D.C., Hunton & Williams partner Frederick Eames writes:

Elections have consequences. What are the consequences of the 2012 election on U.S. federal privacy, data security and breach notice legislation? We outline some key developments in the U.S. House of Representatives and Senate and explain how these developments might affect legislative priorities and prospects for the 113th Congress beginning in 2013.

On October 26, 2012, the Federal Trade Commission finalized its settlement agreements with two businesses that allegedly exposed thousands of customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on the companies’ computer systems. The approved settlements prohibit Georgia auto dealer Franklin’s Budget Car Sales, Inc. (“Franklin”) and Utah-based debt collector EPN, Inc. (“EPN”) from misrepresenting their privacy and information security practices and requires both businesses to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years. The settlement with Franklin also bars the company from violating the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule and Privacy Rule.

On October 22, 2012, the Federal Trade Commission released a report entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies.” The report focuses on privacy concerns associated with facial recognition technology, which is becoming increasingly ubiquitous across a variety of commercial applications ranging from search engines to video games to password authentication.

On October 22, 2012, the Federal Trade Commission announced a proposed settlement agreement with Compete, Inc. (“Compete”), an online market research company that collects clickstream data from consumers to generate and sell analytical reports about consumer behavior on the Internet.

In the opening session of the 34th International Conference of Data Protection and Privacy Commissioners, Conference Executive Committee Chair and Article 29 Working Party President Jacob Kohnstamm introduced this year’s conference. He noted that the topic of this year’s closed session will be profiling. Kohnstamm also indicated that future DPA conferences would focus on the closed session, which typically is comprised of current and former data protection authorities. Among the speakers in the 2012 closed session is Professor Fred H. Cate, Senior Policy Advisor for the Centre for Information Policy Leadership at Hunton & Williams LLP.

On October 4, 2012, the Federal Trade Commission announced that Artist Arena LLC (“Artist Arena”), an operator of fan websites for several popular recording artists, agreed to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule (“the Rule”) by improperly collecting personal information from children under the age of 13 without first obtaining verifiable parental consent. The settlement will impose a $1 million penalty on Artist Arena, bar future violations of the Rule and require deletion of the information collected in violation of the Rule.

As reported in the Hunton Employment & Labor Perspectives Blog:

Employees use social media extensively in communication for personal and business reasons. Employers are increasingly monitoring this use, and insisting on access to some of the more popular sites. California took notice of this trend and passed legislation to protect employee privacy. On September 27, 2012, Governor Edmund G. Brown Jr. signed AB 1844 making California the third state to limit access to employees’ social media account, joining Maryland and Illinois.

On September 27, 2012, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), together with the German Federal Commissioner for Data Protection, published a guide on traffic data retention. The guide, which is aimed at telecom providers, includes a comprehensive chart that clarifies data retention periods for different types of services, such as telephone, SMS, Internet and email, and their respective types of traffic data (e.g., mobile identification numbers, IP addresses and International Mobile Equipment Identity data) based on the purposes for the data storage.

On September 25, 2012, the Federal Trade Commission announced that it had settled a case involving allegations of spying by software company DesignerWare, LLC (“DesignerWare”) and several rent-to-own companies that rent computers to consumers, such as Aaron’s, Inc., ColorTyme, Inc., and Premier Rental Purchase. The FTC collaborated with Illinois Attorney General Lisa Madigan in its investigation.

On September 27, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on complying with the requirements of the UK Data Protection Act 1998 (“DPA”) in the context of cloud computing services (the “Guidance”). In its Guidance, the ICO reminds data controllers that transferring personal data to the cloud does not absolve them of their compliance obligations under the DPA.

On September 12, 2012, Congressman Edward Markey (D-MA) released a bill that would require companies to tell customers about monitoring software installed on their mobile devices and obtain customers’ express consent before engaging in monitoring. These requirements would apply to mobile phone makers, network providers and application developers.

On September 5, 2012, the Federal Trade Commission issued guidelines for mobile app developers entitled “Marketing Your Mobile App: Get It Right from the Start.” The guidelines are largely a distillation of the FTC’s previously expressed views on a range of topics that have relevance to the mobile app space. They are summarized below:

On August 10, 2012, a federal district court in California denied Hulu’s motion to dismiss the remaining claim in a putative class action suit alleging that the online streaming video provider transmitted users’ personal information to third parties in violation of the Video Privacy Protection Act (“VPPA”). The VPPA prohibits a “video tape service provider” from transmitting personally identifiable information of “consumers,” except in certain, limited circumstances. According to the complaint, Hulu allegedly allowed KISSmetrics, a data analytics company, to place tracking codes on the plaintiffs’ computers that re-spawned previously-deleted cookies, and shared Hulu users’ video viewing choices and “personally identifiable information” with third parties, including online ad networks, metrics companies and social media networks.

On August 10, 2012, the Federal Trade Commission announced that it has accepted the final settlement with Facebook which resolves allegations “that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” As we previously reported, the settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information; (2) obtain users’ “affirmative express consent” before sharing their information with any third ...

On August 1, 2012, the Federal Trade Commission announced that it is seeking public comments on additional proposed modifications to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”). According to the FTC, the second-round revisions modify certain COPPA Rule definitions to “clarify the Rule’s scope and strengthen its protections for the online collection, use, or disclosure of children’s personal information.” The FTC developed these new definitions after reviewing the 350 public comments submitted in response to the Commission’s September 2011 proposal to amend the Rule.

On July 24, 2012, a bipartisan group of eight members of Congress sent letters to nine major data brokerage companies requesting information on how the companies collect, assemble and sell consumer information to third parties. Representatives Ed Markey (D-MA) and Joe Barton (R-TX), who serve as co-chairmen of the Bipartisan Congressional Privacy Caucus, are leading the inquiry. The Privacy Caucus, which is an ad hoc group rather than a formally constituted congressional committee, is comprised of members who have a common interest in privacy issues. The Caucus cannot call formal hearings, compel production of materials or pass legislation.

In June, China’s National Internet Information Office and its Ministry of Industry and Information Technology jointly published draft amendments to the Regulation on Internet Information Services (the “Regulation”). The amendments update the Regulation to cover new issues related to the rapid development of Internet services in China since the Regulation first took effect on September 25, 2000. Although the Regulation originally contained no specific provisions directly pertaining to the protection of personal information, the draft amendments do address personal information protection issues.

On May 30, 2012, the Federal Trade Commission hosted a public workshop addressing the need for new guidance on advertising and privacy disclosures online and in mobile environments. During the workshop, the FTC announced that it hopes to release an updated version of its online advertising disclosure guidance this fall that would incorporate input from businesses and consumer advocates. Topics explored at the workshop included:

• Best practices for privacy disclosures on mobile platforms and how they can be short, effective and accessible to consumers;
• how to put disclosures in proximity to offers on mobile platforms;
• social media disclosures; and
• the placement of material information on webpages.

On June 7, 2012, the Federal Trade Commission announced settlement agreements with two businesses that allegedly exposed customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on their company computers and networks.

In its complaint against Franklin’s Budget Car Sales (“Franklin”), a Georgia automobile dealership that also provides financing services to its customers, the FTC alleged that Franklin failed to implement reasonable security measures to protect the consumer personal information that Franklin routinely collects in connection with its business. The FTC claimed that personal information of approximately 95,000 customers, including names, Social Security numbers, addresses, dates of birth, and drivers’ license numbers were made available and disclosed by a P2P application installed on a computer that was connected to Franklin’s computer network. In addition to alleging violations of Section 5 of the FTC Act, the FTC also claimed that Franklin violated the Gramm-Leach Bliley Act (“GLB”). This is the first FTC case against an auto dealer involving GLB violations. The FTC stated in its complaint that Franklin failed to implement reasonable security policies and procedures in violation of the GLB Safeguards Rule, and also failed to send consumers annual privacy notices and to provide the required opt-out mechanisms in violation of the GLB Privacy Rule.

On June 7, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion analyzing the exemptions to the prior opt-in consent requirement for cookies. Although the Opinion focuses on cookies, the Working Party also notes that the same analysis applies to any technology allowing information to be stored or accessed on a user’s computer or mobile device.

In recent months, two high-profile cases involving Hulu and Netflix have raised questions regarding the scope and application of the Video Privacy Protection Act (“VPPA”), a federal privacy law that has been the focus of increasing attention over the past few years. In the Hulu case, Hulu users claimed that the subscription-based video streaming service disclosed their viewing history to third parties. 

On May 25, 2012, the UK Information Commissioner’s Office posted updated guidance on how to comply with amendments to EU data protection law requiring businesses to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies. Last year, the ICO gave organizations a grace period expiring on May 26, 2012, to comply with the new cookie rules.

On April 26, 2012, the U.S. House of Representatives approved the Cyber Intelligence Sharing and Protection Act (“CISPA” or H.R. 3523), which is aimed at facilitating the exchange of cyber threat intelligence information between the government and certain private entities. In addition, the House approved the Federal Information Security Amendments Act of 2012 (H.R. 4257), which modifies the Federal Information Security Management Act of 2002 to provide for automated and continuous monitoring of the security of government information systems.

On April 9, 2012, Maryland became the first state to pass legislation that would prevent employers from asking or forcing employees and applicants to hand over their social media login credentials. The bill, which passed the state Senate unanimously (Senate Bill 433) and the House of Delegates by a wide margin (House Bill 964), now awaits Maryland Governor Martin O’Malley’s signature.

On April 5, 2012, social media giant Twitter, Inc. (“Twitter”) filed a civil lawsuit against spammers and makers of spamming software claiming violations of Twitter’s user agreement and various California state and common laws. Borrowing from the popular term for unsolicited email messages, Twitter’s complaint describes “spam” on Twitter as “a variety of abusive behaviors” including “posting a Tweet with a harmful link … and abusing the @reply and @mention functions to post unwanted messages to a user.” The suit alleges that certain defendants violated Twitter’s Terms of Service, which prohibit “spam and abuse,” by distributing software tools “designed to facilitate abuse of the Twitter platform and marketed to dupe customers into violating Twitter’s user agreement.” Other defendants allegedly operated large numbers of automated Twitter accounts through which they attempted to “trick Twitter users into clicking on links to illegitimate websites.”

On March 22, 2012, the Article 29 Working Party (the “Working Party”), adopted an Opinion analyzing the privacy and data protection law framework applicable to the use of facial recognition technology in online and mobile services, such as social networks and smartphones. The Working Party defines facial recognition as the “automatic processing of digital images which contain the faces of individuals for the purpose of identification, authentication/verification or categorization of those individuals.”

Drawing on its eleven years of experience facilitating multistakeholder processes, on April 2, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments in response to the Department of Commerce’s National Telecommunications and Information Administration’s request for public comments on the multistakeholder process to develop consumer data privacy codes of conduct. The NTIA’s request relates to the topics and processes that will inform the creation of binding codes of conduct as discussed in the Obama Administration’s February ...

On March 23, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Commission’s data protection law reform proposals, including the draft Regulation that is of particular importance for businesses. The Working Party’s Opinion serves as the national data protection authorities’ contribution to the legislative process before the European Parliament and the European Council.

On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report charts a path forward for companies to act in the interest of protecting consumer privacy.

In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, “Simply put, your computer is your property; no one has the right to put anything on it that you don’t want.” In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of this year, the new Congress likely would introduce a legislative solution.

On March 21, 2012, the U.S. Department of Commerce’s National Telecommunications and Information Administration announced a one-week extension to the deadline for responses to their March 2 request for public comments on the multistakeholder process to develop consumer data privacy codes of conduct. Comments are now due on Monday, April 2, 2012. The request for comments relates to both the topics and processes that will inform the creation of binding codes of conduct as discussed in the Obama Administration’s February release of a framework for a Consumer Privacy Bill of ...

On February 24, 2012, Eric Chabrow of BankInfoSecurity interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing the need for a Consumer Privacy Bill of Rights, Sotto briefly outlined the strengths and weaknesses of the proposed bill, and its potential impact on businesses.

A growing number of companies are implementing cloud computing solutions to lower IT costs and increase efficiency. Although cloud technology offers an array of advantages, organizations that rely on the cloud must compensate for the corresponding increase in risk associated with outsourcing business operations to a third party. A recent article authored by a Hunton & Williams Insurance Litigation & Counseling partner discusses the ways in which business interruptions caused by cloud service provider failures may be covered by contingent business interruption insurance ...

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 7-9, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

• Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.

The Digital Advertising Alliance (“DAA”) recently announced that its members will work “to add browser-based header signals to the set of tools by which consumers can express their preferences” not to be tracked online and will work with browser providers to develop “consistent language across browsers…that describes to consumers the effect of exercising such choice.”

This announcement came on the heels of the Obama administration’s release of a framework for a Consumer Privacy Bill of Rights. The DAA’s agreement represents the industry’s attempt to appease consumer privacy concerns in the face of the growth of online advertising. The DAA represents over 400 advertising and technology companies.

The White House today released its long-awaited report outlining a framework for U.S. data protection and privacy policy. As expected, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Global Innovation in the Global Digital Economy” articulates a Consumer Privacy Bill of Rights based on the individual’s right to exercise control over what personal data companies collect from the individual and how companies use the data. The Consumer Privacy Bill of Rights, which reflects principles of fair information practices and applies to personal data, sets forth individual rights for consumers and corresponding obligations of companies in connection with personal data. It also provides for the consumer’s right to:

• transparent privacy and data security practices;
• expect that companies will collect, use and disclose data in a manner consistent with the context in which it was collected;
• have their data handled in a secure manner;
• access and correct personal data;
• set reasonable limits on the personal data that companies collect and retain; and
• have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

On February 14, 2012, a joint U.S. congressional committee, including Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Jay Rockefeller (D-WV) and Dianne Feinstein (D-CA), introduced the Cybersecurity Act of 2012 (the “Act”). Although the legislation appears to have strong bipartisan support, during a February 15 hearing before the Homeland Security and Governmental Affairs Committee, Senator John McCain (R-AZ) indicated that he and six Republican colleagues would propose their own cybersecurity legislation in March.

On February 16, 2012, the European Court of Justice held in the SABAM vs. Netlog case (C-360/10) that imposing an obligation on social networks to install a “general filtering system” to prevent all users from sharing copyrighted music is disproportionate to the extent that such filters may infringe on user privacy rights or block lawful communications. SABAM, a Belgian copyright association, had filed an injunction against social network provider Netlog that would have required Netlog to install filtering systems to prevent copyright infringements by Netlog users. The Belgian court deciding on the injunction requested a preliminary ruling from the ECJ.

Since October 2011, the Hong Kong Office of the Privacy Commissioner for Personal Data has published three “Guidance Notes” to help data users comply with the Personal Data (Privacy) Ordinance (the “Ordinance”). These Notes are not legally binding, nor are they intended to serve as an exhaustive guide to the application of the Ordinance, but they provide good, practical examples and tips that the Commissioner has developed as it has implemented the Ordinance.

On January 5, 2012, the Federal Trade Commission announced a proposed settlement with Upromise, Inc., a membership reward service that gives cash rebates for college savings accounts to members who purchase products and services from its partner merchants. The FTC alleged that the “Personalized Offers” feature on the Upromise TurboSaver Toolbar (1) collected far more information about users’ browsing behavior than was disclosed at the time of installation, and (2) contrary to representations in the company’s privacy notice, transmitted that information, which included data such as Social Security numbers and financial account numbers, in clear text.

On December 23, 2011, the Federal Trade Commission announced that it is seeking public comments on the privacy and security implications raised by the use of facial recognition technology. The FTC recently held a public workshop entitled “Face Facts: A Forum on Facial Recognition Technology,” that discussed the current and future commercial applications of facial recognition technologies and the associated privacy and security concerns.

On December 13, 2011, the Information Commissioner issued updated guidance on compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Regulations”)). Organizations were given a twelve-month grace period to comply with the new law. Initial guidance on the Regulations was released on May 9, 2011, but the Information Commissioner characterized that guidance as merely a “starting point for getting compliant rather than a definitive guide,” signaling that further advice would follow if appropriate. 

On December 1, 2011, a consolidated litigation against Netflix was ordered to private mediation pursuant to an agreement between the parties. As we previously reported, the plaintiffs allege that Netflix’s practice of maintaining customer movie rental history and recommendations after their subscriptions are cancelled violates the federal Video Privacy Protection Act (“VPPA”). In August 2011, several similar cases against Netflix were consolidated by a federal court in California.

News of the mediation order comes as a significant amendment to the VPPA awaits Senate ...

On November 29, 2011, the Federal Trade Commission announced that Facebook has settled charges that it deceived consumers by making false privacy promises. The settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information (2) obtain users’ “affirmative express consent” before sharing their information with any third party that “materially exceeds the restrictions imposed by a user’s privacy setting(s),” (3) implement procedures to prevent a third party from accessing users’ information no later than 30 days after the user has deleted such information or terminated his or her account, (4) establish, implement and maintain a comprehensive privacy program, and (5) obtain initial and biennial assessments and reports regarding its privacy practices for the next 20 years.

On November 16, 2011, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2010 (the “Report”) highlighting its main 2010 accomplishments and outlining some of its priorities for the upcoming year. This year’s Report covers events that occurred since last year’s publication of the Annual Activity Report for 2009.

On November 17, 2011, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited “disturbing” reports about Facebook’s ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent.

On November 2, 2011, Germany’s Federal Minister of the Interior met with stakeholders from the social networking industry and announced the development of a self-regulatory code for social networks. According to the Ministry’s press release, the code is aimed at enhancing data protection, consumer protection and the protection of minors on the Internet.

In endorsing the initiative, the Interior Minister stated, “self-regulation can also prove efficient in the social networking context, allowing for quick and flexible arrangements that enhance transparency and user ...

This week, the Digital Advertising Alliance (the “DAA”) unveiled new “Self-Regulatory Principles for Multi-Site Data” (the “Principles”), aimed at expanding the scope of industry self-regulation with respect to online data collection. The Principles are designed to supplement the Self-Regulatory Principles for Online Behavioral Advertising which were issued in July 2009. The DAA is composed of several constituent industry groups such as the American Association of Advertising Agencies, Council of Better Business Bureaus, the Direct Marketing Association and the Interactive Advertising Bureau.

On November 8, 2011, the Federal Trade Commission announced that the operator of skidekids.com, a social networking website that advertises itself as the “Facebook and Myspace for Kids,” has agreed to settle charges that he collected personal information from approximately 5,600 children without parental consent, in violation of the Children’s Online Privacy Protection Act (“COPPA”) Rule. The proposed settlement will bar future violations of COPPA and misrepresentations about the collection, use and disclosure of children’s information.

On November 4, 2011, Congressmen Edward Markey (D-MA) and Joe Barton (R-TX) reiterated their privacy concerns over the handling of customer preferences in connection with Verizon’s new advertising initiative. After learning that Verizon had notified its customers of the implications of a targeted advertising campaign, on October 6, 2011, Reps. Markey and Barton, Co-Chairmen of the bipartisan Congressional Privacy Caucus, wrote a letter containing several inquiries to both Verizon and Verizon Wireless. In particular, Reps. Markey and Barton requested clarification regarding the companies’ potential disclosure of aggregated customer location information and website viewing history to third parties.

On October 27, 2011, the United States District Court for the Northern District of California dismissed claims that Facebook misappropriated users’ names and likenesses in promoting its “Friend Finder” feature. Friend Finder identifies potential “friends” for a Facebook user by matching his or her email contacts with users already registered with Facebook, then presenting the user with friend suggestions. Facebook promoted the feature by displaying the names and profile photos of current friends as examples of users who had found friends with Friend Finder.

On September 22, 2011, the Senate Judiciary Committee approved three separate bills that would establish a national data breach notification standard.  Because the bills were approved on a party-line vote, and several other data breach bills currently are under consideration by other Senate committees, the prospects for these three bills in the full Senate are uncertain.

On September 15, 2011, the Federal Trade Commission released proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”).  These revisions follow the FTC’s review of the COPPA Rule, which resulted in numerous comments from various groups and individuals, as well as a public round table that took place on June 2, 2010.  The proposed amendments reflect the FTC’s commitment to “helping to create a safer, more secure online experience for children” in the face of rapid technological change.

On September 14, 2011, the Article 29 Working Party (the “Working Party”) met with representatives of the European Advertising Standards Alliance (“EASA”) and IAB Europe, to discuss the industry’s new self-regulatory code of conduct for online behavioral advertising (the “Code”), which was released on April 14, 2011.

On September 15, 2011, the data protection authority of the German federal state of Hamburg (the “DPA”) published a press release confirming that Google has significantly improved compliance with respect to the implementation of Google Analytics in Germany.  This finding is the result of two years of fruitful dialog between Google and the DPA, which was acting on behalf of the conference of German data protection authorities responsible for the private sector (the “Düsseldorfer Kreis”).

On September 15, 2011, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing and Technology held a hearing on “the impact and burden” of European privacy regulation.  Paula Bruening, former Vice President of the Centre for Information Policy Leadership at Hunton & Williams LLP, was one of five witnesses who testified at the hearing.

On September 8, 2011, Richard Allan, Facebook’s Director of European Public Policy, met with the German Federal Ministry of the Interior (the “Ministry”) and endorsed the Ministry’s initiative for a future self-regulatory code for social networks with a focus on data security, consumer protection and the protection of minors.

On September 12, 2011, the Commissioner for Data Protection and Freedom of Information of the German federal state of North Rhine-Westphalia (“DPA”) imposed a fine of €60,000 on Easycash GmbH (“Easycash”), a leading German service provider for electronic payments.

Over the past several weeks, online tracking practices involving the use of Flash cookies and ETags have been the subject of new research studies, class action lawsuits and significant media attention.

On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information.  Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.

As reported in the Hunton Employment & Labor Perspectives Blog, on August 18, 2011, the National Labor Relations Board’s Acting General Counsel issued a report discussing fourteen social media cases recently decided by the Board.  The cases highlighted in the report offer insight regarding how the NLRB will handle various social media issues in the future.

Read the full post, which provides an overview of several of the cases highlighted in the NLRB’s report.

On August 5, 2011, the Beijing Second Intermediate People’s Court announced its decision in what is reported to be the largest criminal case to date involving the misuse of personal information in Beijing, China.  The Court based its ruling on Article 7 of the Seventh Amendment to the Criminal Law, which applies to three types of criminal activities: (1) illegal sale of citizens’ personal information, (2) illegal provision of citizens’ personal information, and (3) illegal access to citizens’ personal information.

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  Specifically, the Ordinance amends the existing legal framework concerning cookies and introduces an opt-in regime for the use of cookies.

On August 19, 2011, the Data Protection Commissioner’s Office of the German federal state of Schleswig-Holstein (“ULD”) ordered all businesses in that state “to shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’-button from their websites.”  Although this warning is specific to Facebook users, the regulator’s explanation of its motives reveals a fundamental concern about common data analytics practices:

“By using the Facebook service traffic and content data are transferred into the USA and a qualified feedback is sent back to the website owner concerning the web page usage, the so called web analytics (Ger.: Reichweitenanalyse).  Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years.  Facebook builds a broad individual and for members even a personalised profile.  Such a profiling infringes German and European data protection law.  There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use.”

The Department of Commerce released an English translation of Peru’s Law for Personal Data Protection (Ley de Protección de Datos Personales, Ley No. 29733).  The law passed Peru’s Congress on June 7, 2011, and was signed by the president July 2, 2011.  Peru’s adoption of this new law is in keeping with a recent trend in Latin America, where Uruguay, Mexico and Colombia also have passed privacy legislation.

On July 27, 2011, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) published a draft rule including provisions regulating the processing of personal information by “Internet Information Service Providers.”  The draft rule, entitled “Provisions on the Administration of Internet Information Services” (the “Draft Provisions”), is not the first rule regulating Internet information services in China.  In 2000, the MIIT enacted the “Measures for the Administration of Internet Information Services” (the “Measures”), which took effect on September 25, 2000.  However, the Measures do not include any explicit provisions addressing the protection of personal information.

On July 25, 2011, Netflix stated that it will hold off on the launch of its Facebook integration in the U.S. due to legal issues related to the Video Privacy Protection Act (“VPPA”).  The new Facebook feature would allow Netflix subscribers to share their movie viewing information with friends online.  Netflix indicated in its second quarter shareholder letter that it supports House Bill 2471 (“H.B. 2471”), a proposed bipartisan amendment to the VPPA intended to clarify the consent requirement for sharing consumer video viewing information.  The letter states that “[u]nder the VPPA, it is ambiguous when and how a user can give permission for his or her video viewing data to be shared” and that the VPPA “discourages us from launching our Facebook integration domestically.”  As a result, the company plans to limit the campaign to Canada and Latin America until questions concerning the VPPA are resolved.

As reported in BNA’s Privacy Law Watch, on July 19, 2011, President Obama announced his intention to nominate Maureen K. Ohlhausen to the Federal Trade Commission. Obama sent his official nomination to the Senate on July 21, 2011. If approved, Ohlhausen will serve a seven-year term beginning on September 26, 2011, replacing Commissioner William E. Kovacic.

On July 13, 2011, the Article 29 Working Party (the “Working Party”), adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework.  The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent.  In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

On July 12, 2011, Stanford Law School’s Center for Internet and Society reported the preliminary results of tests conducted with experimental software designed to detect third-party tracking.  Over the months spent developing “a platform for measuring dynamic web content,” researchers at the Stanford Security Lab analyzed tracking on the websites of Network Advertising Initiative (“NAI”) participants by observing how cookies are altered when a user opts out of behavioral tracking on the NAI website, or enables Do Not Track.

In April 2011, a technical malfunction suffered by the Amazon Elastic Compute Cloud resulted in a multi-day outage affecting hundreds of businesses.  The incident offered high-profile evidence of both the widespread popularity of cloud computing and the potential consequences of storing company data in the cloud.  It also drew attention to cloud service contracts, raising questions about performance levels and backups in the event of a service disruption.  With more and more businesses seeking to take advantage of the efficiency and cost savings offered by cloud computing, the ...

Adam Kardash from Heenan Blaikie LLP in Canada reports that Industry Canada and the Canadian Radio-television and Telecommunications Commission (“CRTC”) have released draft regulations for Canada’s Anti-Spam Legislation (“CASL”).  CASL imposes a consent-based anti-spam regime that restricts organizations’ ability to send commercial electronic messages.  Industry Canada and the CRTC are charged with the task of implementing regulations under CASL.

As reported in BNA’s Privacy Law Watch, on July 2, 2011, Peruvian President Alan García signed the Personal Data Protection Law (Ley de Protección de Datos Personales, Ley No. 29733), making Peru the latest Latin American country to adopt EU-style omnibus privacy legislation.  Implementing rules for the new law are to be drafted in the next few months.

On June 27, 2011, the Federal Trade Commission announced that it had reached a settlement with Teletrack, Inc. (“Teletrack”), a consumer reporting agency that sells consumer reports and other services to businesses that serve financially distressed consumers, after alleging that the company had sold information obtained through its consumer reporting business to marketers to create a marketing database. The FTC considered that the information sold by Teletrack, which included lists of consumers who applied for certain credit products, constituted “consumer ...

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  

Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada.  As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology.  According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive.  He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure.  Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.

On June 13, 2011, Representative Mary Bono Mack (R-CA) released a discussion draft of the Secure and Fortify Data Act (the “SAFE Data Act”), which is designed to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.”  Representative Bono Mack is Chairman of the House Subcommittee on Commerce, Manufacturing and Trade.  In a press release, Representative Bono Mack remarked that “E-commerce is a vital and growing part of our economy.  We should take steps to embrace and protect it – and that starts with robust cyber security.”  She added that “consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”

On June 10, 2011, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the Federal Trade Commission, claiming that Facebook’s facial recognition and automated online image identification features harm consumers and constitute “unfair and deceptive acts and practices.” According to a post on The Facebook Blog, the Tag Suggestions feature matches uploaded “new photos to other photos [the user is] tagged in.”  Facebook then “[groups] similar photos together and, whenever possible, suggest[s] the name of the friend in the photos.”  On June 13, 2011, Congressman Edward Markey (D-MA) released a statement supporting the complaint and indicating that he will “continue to closely monitor this issue.”

On June 8, 2011, the Department of Commerce’s Internet Policy Task Force released a report entitled “Cybersecurity, Innovation and the Internet Economy.”  The report contains four broad policy recommendations: (1) the creation of a nationally recognized approach to minimize vulnerabilities for the Internet and networking services industry, (2) the development of incentives to combat cybersecurity threats, (3) increased cybersecurity education and research, and (4) the promotion of international cooperation to enable sharing of cybersecurity best practices.

On June 7, 2011, Senator Patrick Leahy (D-VT) introduced the “Personal Data Privacy and Security Act of 2011” (the “Act”), co-sponsored by Senators Charles Schumer (D-NY) and Ben Cardin (D-MD).  This marks the fourth time Senator Leahy has introduced ambitious privacy legislation; in 2005, 2007 and 2009, similar bills failed to advance in the Senate.  In his press release, Senator Leahy stated that “many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”

The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009.  The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

According to a complaint submitted to the Federal Trade Commission on May 11, 2011, the popular cloud-based data storage provider Dropbox, Inc. made false claims about the security of its users’ data, thereby putting them at risk while gaining an unfair advantage over competitors that actually offer the sort of security Dropbox advertised.  The Dropbox service allows users to create folders on their computers that automatically sync with corresponding folders on Dropbox’s servers.  Users can specify whether their folders are public or private.  The allegations concern the folders designated as private, which are touted as being protected by encryption.  According to the complaint, which was filed by Christopher Soghoian (a security researcher and former technologist at the FTC’s Division of Privacy and Identity Protection), although Dropbox represented that its encryption features would render a user’s files completely inaccessible to any person other than the user, in fact, Dropbox employees maintained copies of the encryption keys and could therefore access the contents of users’ files.  This left Dropbox users’ files susceptible to unauthorized access (e.g., governmental demands for data, hacking attacks, rogue insiders).

On May 11, 2011, in Thomas Robins v. Spokeo, Inc., the United States District Court for the Central District of California granted in part and denied in part defendant Spokeo, Inc.’s motion to dismiss claims that it violated the Fair Credit Reporting Act (“FCRA”).  The ruling allows the plaintiff to continue his action against Spokeo, a website that aggregates data about individuals from both online and offline sources.

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

As we reported last week, on May 12, 2011, the Obama administration announced a comprehensive cybersecurity legislative proposal in a letter to Congress.  The proposal, which is the culmination of two years of work by an interagency team made up of representatives from multiple departments and agencies, aims to improve the nation’s cybersecurity and protect critical infrastructure.  If enacted, this legislation will affect many government and private-sector owners and operators of cyber systems, including all critical infrastructure, such as energy, financial systems, manufacturing, communications and transportation.  In addition, the proposal includes a wide-reaching data breach notification law that is intended generally to preempt the existing state breach laws in 46 states plus Washington, D.C., Puerto Rico and the U.S. Virgin Islands.