On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions. The vzbv sent warning notices to the six leading social network providers regarding a number of clauses.
The main criticism from vzbv referred to ...
Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice. The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA. The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information. Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements. The final model notice is the result of the agencies' consumer research and testing. It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.
On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State. The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations. The most recent round of amendments was announced August 17, 2009.
Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data. These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces. The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest. Also, the potential penalties for violation ...
The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice. The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA. Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA. Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.
The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices. The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties. In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.
The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.
The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists. The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule. MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada. The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions. The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.
Maybe, but it's not that kind of "boxing"...think walls and a lid instead of a ring. "Boxing is where a consumer’s vision and choices are limited by his or her digital history and the analytics that make judgments based on that digital history." Government agencies are concerned with outcome-based analytics and its impact on consumer choice. Read more on "Boxing and Concepts of Harm," written by Marty Abrams of the Centre for Information Policy Leadership, published in the September 2009 issue of Privacy and Data Security Law Journal
In its announcement that it would convene a series of public roundtables to address developing privacy issues, the Federal Trade Commission requested empirical data on consumer privacy expectations. In response to that request, researchers at the University of California at Berkeley and the University of Pennsylvania have released a study entitled "Americans Reject Tailored Advertising." Survey data reported in the study found that 66% of Americans reject targeted advertising online; 86% reject such ads when told they are made possible through online data collection. The ...
On September 15, 2009, the Federal Trade Commission unveiled a series of public roundtables that will focus on the effect of modern technology and business practices on the privacy of consumer information. The goal of the panels is to explore how to best balance the concerns for consumer privacy, beneficial use of consumer information and technological innovation. The discussions will address myriad technologies and practices, such as social networking, cloud computing, behavioral marketing, mobile marketing and, generally, the collection of consumer information for ...
On August 17, 2009, Massachusetts announced revisions to its information security regulations and extended the deadline for compliance with those regulations. In the press release announcing the revised regulations, the Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation noted the concerns of small business leaders regarding the impact on their companies, stating that the updated regulations “feature a fair balance between consumer protections and business realities.”
On July 28, 2009, the Data Privacy Subgroup meeting at the Asia-Pacific Economic Cooperation (APEC) Forum in Singapore reported a number of privacy-related legislative developments on the horizon. Among the highlights:
- On July 15, the Malaysian Cabinet approved privacy legislation to be enacted by the Parliament in early 2010
- Vietnam is set to enact consumer protection legislation including privacy provisions in 2010
- Hong Kong's Privacy Commissioner will soon begin a review process to evaluate how privacy law has kept up with changing technology
- The Philippines is set to enact ...
The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports. The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Transactions Act of 2003 (“FACTA”). The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009. The final rules and guidelines will take effect on July 1, 2010.
In a closely-watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”
On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).
On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA"). Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act. To date, these powers have been shared among all financial services regulators, including the Federal Trade ...
The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry. The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests. The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area. We will keep you posted as more details regarding the plan emerge.
On June 4, 2009, the Federal Trade Commission (“FTC”) reported that Sears Holdings Management Corporation (“Sears”) agreed to enter into a settlement regarding the Commission’s allegations that the company violated Section 5 of the FTC Act in connection with a new online community application it had developed. Participation in the community allowed Sears to track consumers’ online and, to some extent, offline activities. The FTC’s action is notable as a potential precursor to future enforcement by the FTC in the areas of both transparency and tracking online behavior, the latter having been previously highlighted as an area of interest for the agency. The settlement, discussed in more detail below, is notable in that its requirements make clear that substantial tracking of consumer behavior must be sufficiently transparent (not disclosed only in a lengthy privacy policy or agreement), consumers’ opt-in consent to such tracking must be obtained and, disclosures regarding the nature of the tracking must be made at a meaningfully early stage of the transaction.
On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection." According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine up to € 50,000.
In addition, the Act clarifies that a commercial phone call is only lawful if the recipient has given his or her prior explicit consent to receive the call. The provision is intended to prevent the caller's reliance on consent that may have been given by the recipient in a totally different ...
In February 2009, the Ponemon Institute published the results of its inaugural study "Germany - 2008 Annual Study: Cost of a Data Breach." The study is the first such research study undertaken in Germany, using data from actual incidents to estimate the costs of dealing with data breaches by German companies. The study examined the experience of 18 German organizations that suffered a breach. These case studies reviewed ranged in size an incident involving less than 3,750 records to an incident involving more than 90,000 records. The breaches reviewed occurred across ten industry ...
On May 5, 2009, the Federal Trade Commission’s ("FTC's") Acting Director of the Bureau of Consumer Protection, Eileen Harrington, testified before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection in support of the proposed federal Data Accountability and Trust Act (H.R. 2221). The Act would require companies to implement reasonable data security policies and procedures to protect personal information. It would also mandate security breach notifications for consumers affected by data security breaches.
Federal Trade Commission Chairman Jon Leibowitz has appointed six senior staff members with extensive experience in the private sector, in the public interest community, in academia, and in government.
“We’re delighted to attract such a talented and creative group of people,” Leibowitz said. “Their leadership and expertise will help ensure that the Commission’s work on behalf of American consumers will continue to be effective. We’re very fortunate.”
Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers.
This week, the Federal Communications Commission announced a broad consumer privacy enforcement action against over 600 telecommunications carriers. The Commission issued notices of liability against carriers that failed to certify compliance with regulations governing the protection of Consumer Proprietary Network Information (“CPNI”) and carriers that filed inadequate certifications. The Commission proposed fines of $20,000 against carriers that failed to file the required certification and up to $10,000 against carriers whose certifications were non-compliant.
A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy. Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009).
Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared. During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number. Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information. Pinero alleged that she relied on this statement in her decision to turn over her information.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code