Privacy & Information Security Law Blog

On May 8, 2014, the Federal Trade Commission announced a proposed settlement with Snapchat, Inc. (“Snapchat”) stemming from allegations that the company’s privacy policy misrepresented its privacy and security practices, including how the Snapchat mobile app worked. Snapchat’s app supposedly allowed users to send and receive photo and video messages known as “snaps” that would “disappear forever” after a certain time period. The FTC alleged that, in fact, it was possible for recipients to save snaps indefinitely, regardless of the sender-designated expiration time.

Hunton & Williams LLP’s Centre for Information Policy Leadership president, Bojana Bellamy, has been selected to participate in the “Privacy Bridge Project,” a new transatlantic initiative that seeks to develop practical solutions to bridge the gap between European and U.S. privacy regimes. Bellamy joins a distinguished group of approximately 20 privacy experts from the EU and U.S., convened by Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority and former Chairman of the Article 29 Working Party.

On May 7, 2014, the Department of Health and Human Services (“HHS”) announced that NewYork-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date, to settle charges that they potentially violated the HIPAA Privacy and Security Rules.

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a new proposed rule impacting privacy notices that financial institutions are required to issue under the Gramm-Leach-Bliley Act (“GLB”). Under the current GLB Privacy Rule, financial institutions must mail an annual privacy notice (the “GLB Privacy Notice”) to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing.

On May 6, 2014, the Office of the Privacy Commissioner of Canada announced the Global Privacy Enforcement Network’s (“GPEN’s”) second annual enforcement sweep. The sweep will focus on mobile app privacy and how mobile apps collect and use personal data.

On April 21, 2014, the Securities and Exchange Commission’s Division of Corporation Finance published new Compliance and Disclosure Interpretations (“C&DIs”) concerning the use of social media in certain securities offerings, business combinations and proxy contests. Notably, the C&DIs permit the use of an active hyperlink to satisfy the cautionary legend requirements in social media communications when the social media platform limits the text or number of characters that may be included (e.g., Twitter). The C&DIs also clarify that postings or messages re-transmitted by unrelated third parties generally will not be attributable to the issuer (so issuers will not be required to ensure that third parties comply with the guidance). In addition, requirements regarding cautionary legends contemplated by the C&DIs apply to both issuers and other soliciting parties in proxy fights or tender offers. Accordingly, although the new guidance will allow issuers to communicate with their shareholders and potential investors via social media, it also may prove useful to activists in proxy fights and tender offers.

On February 18, 2014, the Frankfurt am Main Regional Court issued a ruling addressing the use of opt-out notices for web analytics tools. The case concerned Piwik web analytics software and its “AnonymizeIP” function. The court held that website users must be informed clearly about their right to object to the creation of pseudonymized usage profiles. This information must be provided when a user first visits the website (e.g., via a pop-up or highlighted/linked wording on the first page) and must be accessible at all times (e.g., via a privacy notice).

On May 1, 2014, the White House released a report examining how Big Data is affecting government, society and commerce. In addition to questioning longstanding tenets of privacy legislation, such as notice and consent, the report recommends (1) passing national data breach legislation, (2) revising the Electronic Communications Privacy Act (“ECPA”), and (3) advancing the Consumer Privacy Bill of Rights.

On April 24, 2014, the Belgian Data Protection Authority (the “Privacy Commission”) published a Draft Recommendation regarding cookie usage, inviting all stakeholders to provide their input on the text. The Draft Recommendation clarifies the Belgian legal framework for the use of cookies and similar technologies, examining in detail the different purposes for which cookies and similar technologies may be used (e.g., authentication, storage of preferences) and explaining the steps to be taken to ensure compliance for each type of cookie use.

On April 30, 2014, the Asia-Pacific Economic Cooperation (“APEC”) released the Findings Report of the Joint Oversight Panel of the APEC Cross-Border Privacy Rules (“CPBR”) system, confirming that Japan has met the conditions for participation in the CBPRs. Accordingly, Japan has now joined the U.S. and Mexico as a participant in the APEC CBPRs. Canada recently expressed its intent to join the system soon, and other APEC economies are in the process determining how and when they may join.