Privacy & Information Security Law Blog

On December 18, 2012, the Federal Trade Commission issued Orders to File Special Report (the “Orders”) to nine data brokerage companies, seeking information about how these companies collect and use personal data about consumers. In the Orders, the FTC requests detailed information about the data brokers’ privacy practices, including:

• the data brokerage companies’ online and offline products and services that use personal data;
• the sources and types of personal data the data brokerage companies collect;
• whether, and how, the companies acquire consumer consent before obtaining, collecting, generating, deriving, disseminating or storing the personal data;
• whether, and how, the personal data is aggregated, anonymized or de-identified;
• how the companies monitor, audit or evaluate the accuracy of the personal data they obtain;
• if, and how, consumers are able to access, correct, delete or opt out of the collection, use or sharing of the personal data the data brokerage companies maintain about the consumers;
• how the data brokerage companies provide notice to consumers about their data privacy practices;
• the advertisements or promotional materials the companies use to describe their products and services; and
• information about any complaints or disputes, or governmental or regulatory inquiries or actions, related to the companies’ data privacy practices.

U.S. Federal Trade Commission Chairman Jon Leibowitz announced on Monday that David C. Vladeck, director of the FTC's Bureau of Consumer Protection, is leaving the Commission on December 31, 2012 to return to the Georgetown University Law Center.

On December 19, 2012, the Federal Trade Commission announced the adoption of its long-awaited amendments to the Children’s Online Privacy Protection Rule (the “Rule”). The FTC implemented the Rule, which became effective on April 21, 2000, pursuant to provisions in the Children’s Online Privacy Protection Act of 1998 (“COPPA”).

On December 10, 2012, Tom Field of HealthcareInfoSecurity interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing the top legal issues in 2012, Lisa said that data breaches remain at the top of the list, with an increase in malicious cyberattacks. She also addressed the need to combat cybercrime.

On December 13, 2012, the UK Information Commissioner’s Office (“ICO”) announced a consultation on a draft subject access code of practice (the “Code”). The Code is open for public comment until February 21, 2013.

On December 18, 2012, the Information Commissioner’s Office (“ICO”) released an enforcement report (the “Report”) on the extent of compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011). The ICO previously issued an interim report on organizations’ attempts to achieve compliance, in which it concluded that organizations “must try harder” with their cookie compliance efforts.

On December 12, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released an accountability self-assessment tool designed to help organizations evaluate their internal privacy programs and practices. The tool is the product of the Global Accountability Project for which the Centre serves as Secretariat.

On December 10, 2012, the Federal Trade Commission issued a new report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, which follows up on the FTC’s February 2012 report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing. The FTC conducted a follow-up survey regarding pre-download mobile app privacy disclosures, and whether those disclosures accurately describe what occurs during use of the apps.

On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.

On December 6, 2012, California Attorney General Kamala D. Harris announced a lawsuit against Delta Air Lines, Inc. (“Delta”) for violations of the California Online Privacy Protection Act (“CalOPPA”). The suit, which the Attorney General filed in the San Francisco Superior Court, alleges that Delta failed to conspicuously post a privacy policy within Delta’s “Fly Delta” mobile application to inform users of what personally identifiable information is collected and how it is being used by the company. CalOPPA requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service,” such as a mobile application, to post a privacy policy that contains the elements set out in CalOPPA. According to Attorney General Harris’ complaint, Delta has operated the “Fly Delta” application for smartphones and other electronic devices since at least 2010. The complaint alleges that “[d]espite collecting substantial personally identifiable information (“PII”) such as user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.”