On September 12, 2011, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (“ONC”) unveiled a model privacy notice for personal health records (the “PHR Model Privacy Notice”). The PHR Model Privacy Notice was developed by ONC in collaboration with consumers and vendors of personal health records (“PHRs”). The PHR Model Privacy Notice is intended to enable consumers to “understand privacy and security policies and data sharing practice information, compare PHR company practices, and make informed decisions.”
Following the U.S. Supreme Court’s ruling in Sorrell v. IMS Health, Thomas Julin, partner at Hunton & Williams LLP who represented IMS Health in the case, closely studied the Court’s decision to assess its implications, including with respect to other forthcoming legislation. In an interview with Marty Abrams, President of the Centre for Information Policy Leadership, during the Centre’s First Friday Call on September 9, 2011, Julin discussed the close parallels between the law invalidated in Sorrell v. IMS Health and proposed federal regulation of behavioral ...
On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information. Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.
On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute. The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians. Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002. The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.
Lush Cosmetics Ltd. (“Lush”) has avoided a monetary penalty for its breach of the UK Data Protection Act 1998. Instead, the UK Information Commissioner’s Office (the “ICO”) has required Lush to sign an undertaking that obliges the company to “ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.”
On August 15, 2011, the Federal Trade Commission announced a settlement with W3 Innovations, LLC, doing business as Broken Thumbs Apps (“W3”) for violations of the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule. This marks the FTC’s first privacy settlement involving mobile applications.
On July 29, 2011, Massachusetts Attorney General Martha Coakley announced a $7,500 settlement with Belmont Savings Bank following a May 2011 data breach involving the names, Social Security numbers and account numbers of more than 13,000 Massachusetts residents. The bank has stated that it has no evidence of unauthorized access to or use of consumers’ personal information in connection with this breach.
As reported in BNA’s Privacy Law Watch, on July 19, 2011, President Obama announced his intention to nominate Maureen K. Ohlhausen to the Federal Trade Commission. Obama sent his official nomination to the Senate on July 21, 2011. If approved, Ohlhausen will serve a seven-year term beginning on September 26, 2011, replacing Commissioner William E. Kovacic.
On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy. The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.
On July 12, 2011, Stanford Law School’s Center for Internet and Society reported the preliminary results of tests conducted with experimental software designed to detect third-party tracking. Over the months spent developing “a platform for measuring dynamic web content,” researchers at the Stanford Security Lab analyzed tracking on the websites of Network Advertising Initiative (“NAI”) participants by observing how cookies are altered when a user opts out of behavioral tracking on the NAI website, or enables Do Not Track.
On June 16, 2011, the German Federal Ministry of the Interior officially opened a National Cyber Defense Center as part of the comprehensive cybersecurity strategy that was adopted by the German federal government on February 23, 2011. The Cyber Defense Center is intended to serve as a common platform for rapid information exchange and better coordination of protective and defensive measures against information technology security incidents.
On July 6, 2011, the UK Information Commissioner’s Office (the “ICO”) released its Annual Report and Financial Statements for 2010/11. Characterizing information as “the currency of democracy,” the report highlights the wide range of the ICO’s activities during the last twelve months, which focused on education and the provision of good practice guidance in addition to enforcement activities.
On June 28, 2011, the Federal Communications Commission and the Federal Trade Commission convened a public education forum entitled “Helping Consumers Harness the Potential of Location-Based Services.” Representatives of telecommunications carriers, technology companies and consumer advocacy organizations discussed technological developments and how best to realize the benefits of location-based services without compromising privacy.
On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.” In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.
On June 24, 2011, the U.S. Department of Commerce’s International Trade Administration released a PowerPoint presentation on Mexico’s new private sector data protection law that was shared at a meeting of the OECD Working Party on Information Security and Privacy by Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (“IFAI”). The presentation provides guidance on the creation of privacy notices and establishment of self-regulatory schemes, and also outlines the responsibilities of the Ministry of Economy and the IFAI ...
Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada. As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology. According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.
Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses. In return, Reding expects businesses to ensure “safe and transparent digital products and services.”
Two former employees of mobile phone provider T-Mobile have been ordered by a court in the United Kingdom to pay £73,700 (approximately $120,000) for the theft of T-Mobile customers’ personal data. The Chester Crown Court ordered David Turley and Darren Hames to pay £45,000 and £28,700 respectively, under confiscation orders, along with prosecution costs.
On June 13, 2011, Representative Mary Bono Mack (R-CA) released a discussion draft of the Secure and Fortify Data Act (the “SAFE Data Act”), which is designed to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.” Representative Bono Mack is Chairman of the House Subcommittee on Commerce, Manufacturing and Trade. In a press release, Representative Bono Mack remarked that “E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with robust cyber security.” She added that “consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”
On June 15, 2011, Senator Al Franken (D-MN) and Senator Richard Blumenthal (D-CT) introduced the Location Privacy Protection Act of 2011 (the “Act”). As we reported previously, Senator Franken is chairman of the newly-created Senate subcommittee on Privacy, Technology and the Law. In his press release, Senator Franken explained that the Act is designed to “close current loopholes in federal law” while giving customers the ability to learn about and prevent the collection of their location information. The Act would apply only to non-government entities and would not impact law-enforcement activities. At a May 10, 2011 hearing, both Google and Apple were questioned about their privacy practices, and Franken subsequently challenged them to require their application developers to adopt clear and understandable privacy policies.
On June 10, 2011, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the Federal Trade Commission, claiming that Facebook’s facial recognition and automated online image identification features harm consumers and constitute “unfair and deceptive acts and practices.” According to a post on The Facebook Blog, the Tag Suggestions feature matches uploaded “new photos to other photos [the user is] tagged in.” Facebook then “[groups] similar photos together and, whenever possible, suggest[s] the name of the friend in the photos.” On June 13, 2011, Congressman Edward Markey (D-MA) released a statement supporting the complaint and indicating that he will “continue to closely monitor this issue.”
On June 9, 2011, two plaintiffs filed a class action complaint against Google in the United States District Court for the Southern District of Florida. The complaint alleges that Google’s Android phone “engaged in illegal tracking and recording of [p]laintiffs’ movements and locations … without their knowledge or consent” and that Google violated the Computer Fraud and Abuse Act and Florida statutory and common law by failing to inform Android users that their movements were being tracked and recorded through their phones.
On May 27, 2011, a class action complaint was filed in the United States District Court for the Northern District of California against Google and its recently acquired subsidiary, Slide, alleging that they violated the Telephone Consumer Protection Act (“TCPA”) when they sent text messages to people’s cell phones without first obtaining their consent.
On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands. EU law on the use of cookies is changing. Opt-in consent will be required, but specific requirements may differ across the EU. What are organizations doing to ensure compliance with the new cookie law? Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take. Learn about cookie compliance in France, Germany and the ...
On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins. Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook. Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime, to one requiring prior opt-in consent. This change poses significant practical challenges for website operators. In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.
On May 12, 2011, the Federal Trade Commission announced that Playdom, Inc., a Disney subsidiary, has agreed to pay $3 million to settle charges that the company violated Section 5 of the FTC Act and the Children’s Online Privacy Protection Rule (“COPPA Rule”) “by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent.” This settlement marks the largest civil penalty imposed for an FTC COPPA Rule violation.
On May 3, 2011, the Federal Trade Commission announced that it had reached settlements with Ceridian Corporation and Lookout Services, Inc. after alleging both companies had misrepresented the extent of their data security practices and subsequently failed to safeguard their customers’ information. According to the FTC’s press release, the settlements “are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain.”
On May 2, 2011, Sony Computer Entertainment America (“Sony”) disclosed that hackers had gained access to the personal information of 24.6 million customers who played games on the Sony Online Entertainment (“SOE”) network. Sony stated that hackers may have accessed names, addresses and birth dates of SOE gaming customers, as well as credit card data of about 12,700 non-U.S. accounts and 10,700 bank account numbers from “an outdated database from 2007.” Sony clarified that the SOE breach was not the result of a second attack, but rather occurred as part of the broad incursion against the company that affected 77 million PlayStation accounts, as the company previously disclosed on April 26.
On April 25, 2011, Legal Bisnow interviewed Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, and Hunton & Williams partner Lisa Sotto about hot topics in privacy and data protection.
Read Legal Bisnow’s article, “Hottest Practice Area?”.
On April 26, 2011, Sony Computer Entertainment America (“Sony”) disclosed an information security breach that may affect up to 77 million consumers. On Sony’s PlayStation blog, Patrick Seybold, Senior Director of Corporate Communications and Social Media, wrote that an unauthorized person intruded into Sony’s PlayStation Network and Qriocity streaming music and video service between April 17 and April 19, 2011, and may have obtained users’ names, addresses, email address, birthdates, passwords and logins. Mr. Seybold wrote that “out of an abundance of caution” Sony was advising its users that their credit card information also may have been obtained. The blog post also noted that Sony is taking steps to address the breach, which include (1) turning off PlayStation Network and Qriocity services, (2) engaging an external security firm to investigate the incident, and (3) enhancing information security and strengthening its network infrastructure. Sony further advised users to “review your account statements and to monitor your credit reports,” and provided the contact information for the three major credit bureaus in the United States.
On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).
The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years. To date, most of the EU Member States have implemented the Data Retention Directive, but Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.
On April 5, 2011, Lisa Sotto, partner and head of the Privacy and Data Security practice at Hunton & Williams LLP, discussed the Epsilon email breach in an interview with Tracy Kitten of Information Security Media Group. The interview covered issues such as data protection requirements for sensitive consumer data, steps companies should take to protect data and lessons to be learned from the breach. Download the podcast now.
On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion to clarify the legal framework applicable to smart metering technology in the energy sector (the “Opinion”).
Smart meters are digital meters that record energy consumption and enable two-way remote communication with the wider network for purposes such as monitoring and billing, and to forecast energy demand. Smart meters are intended to allow the industry to better regulate energy supply, and to help individuals reduce consumption. According to the Working Party, however, the analysis and exchange of smart metering information has the potential to be privacy-invasive.
On April 15, 2011, the United Kingdom’s Department for Culture, Media and Sport (“DCMS”) announced that the UK will adopt the new EU rules on cookies without “gold-plating” the regulations by imposing additional national requirements, to help ensure that British companies can compete with the rest of Europe. As we previously reported, the UK government had reassured businesses that it would carry out the implementation in a manner that would minimize the impact on businesses and consumers.
On April 13, 2011, Representative Cliff Stearns (R-FL) introduced the Consumer Privacy Protection Act of 2011 (the “Act”), which seeks to “protect and enhance consumer privacy” both online and offline by imposing certain notice and choice requirements with respect to the collection and use of personal information.
On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.
The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market. Reports of the completed privacy impact assessments must be made available to the national data protection authorities. The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks. It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.
On April 12, 2011, U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the “Act”) to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.” The bill applies broadly to entities that collect, use, transfer or store the “covered information” of more than 5,000 individuals over a consecutive 12-month period. Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities.
On April 7, 2011, the Securities and Exchange Commission announced a settlement involving three former brokerage firm executives charged with “failing to protect confidential information about their customers.” According to the announcement, “this is the first time that the SEC has assessed financial penalties against individuals charged solely with violations of Regulation S-P.” Regulation S-P mandates that financial firms safeguard their customers’ confidential information and prevent its release to unaffiliated third parties without authorization.
Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (the “IFAI”) will issue the first set of regulations implementing Mexico's new private sector data protection law the week of April 11, 2011. These first regulations will cover the legal requirements to provide privacy notices to consumers and to appoint a designated privacy official, which go into effect in July 2011. The two agencies want to ensure that the private sector has adequate time to prepare appropriate privacy notices prior to the July effective date. The balance of the law, granting individual participation rights to consumers, becomes effective in January 2012.
On March 30, 2011, the Federal Trade Commission announced that Google agreed to settle charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. According to the FTC’s complaint (main document, exhibits), Google led Gmail users to believe that they could choose whether or not they wanted to join Google Buzz. The options for declining or leaving Google Buzz, however, were ineffective. For those who joined Google Buzz, the controls for limiting the sharing of their personal information were difficult to locate and confusing. Furthermore, the FTC charged that Google violated its privacy policies by using information provided for Gmail for another purpose – social networking – without obtaining consumers’ permission in advance. Finally, the FTC alleged that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor framework because it failed to give consumers notice and choice before using their information for a different purpose from that for which it was collected.
On March 28, 2011, the Briar Group, LLC, owner and operator of several Boston-area bars and restaurants, reached a settlement with Massachusetts Attorney General Martha Coakley regarding the breach of “tens of thousands” of consumers’ payment card information. The settlement resolves a lawsuit filed in Massachusetts Superior Court alleging that in April 2009 hackers gained access to the Briar Group’s computer systems and misappropriated customer data by installing malcode which was not removed by the company until December of that year. The complaint further alleged that the Briar Group’s lax data protection practices, such as allowing employees to share computer passwords and failing to secure network wireless connections, put customers’ personal information at risk.
On March 16, 2011, at a U.S. Senate Commerce Committee hearing, Senator John Kerry (D-Mass.) announced his intention to introduce privacy legislation that would create “a common code of conduct that respects the rights of both the people sharing their information and legitimate organizations collecting and using it on fair terms and conditions.” Kerry indicated that he had “reached out to our colleagues on both sides of the aisle, to privacy experts at firms, in academia, and in the advocacy community,” and asked for input into the process from witnesses at the hearing.
On March 16, 2011, U.S. Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling called on Congress to enact robust, baseline legislation to “reform consumer data privacy in the Internet economy.” Speaking before the U.S. Senate Committee on Commerce, Science and Transportation, Assistant Secretary Strickling emphasized the Department of Commerce’s support for a legislative proposal that would adopt many of the recommendations of the “Green Paper,” a Department report authored last December.
On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”
On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels. The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.
On March 11, 2011, the Federal Trade Commission finalized a proposed settlement with Twitter, which resolved allegations that Twitter deceived consumers and failed to safeguard their personal information. The FTC first announced the proposed settlement in June 2010. Specifically, the FTC claimed that Twitter, contrary to its privacy policy statements, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Intruders exploited these failures and obtained administrative control of the Twitter system. These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.
On March 7, 2011, Arthur Steinberg and the Philadelphia Federation of Teachers Health and Welfare Fund sued CVS Caremark Corporation (“CVS”), alleging that its unauthorized disclosure of protected health information (“PHI”) constituted an unfair trade practice. The complaint claims that CVS, one of the nation’s largest pharmacies, sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications. The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send ...
On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.
On March 4, 2011, Congressman Cliff Stearns (R-FL) announced plans to introduce new online privacy legislation. The proposed bill is based on legislation Stearns drafted in 2005, the Consumer Privacy Protection Act, which was not reported out of committee. While speaking at a Technology Policy Institute event, “Online Privacy After the DOC and FTC Reports,” Stearns stressed that this new legislation would seek to balance “privacy with innovation,” protecting the interests of both businesses and their online customers.
According to Stearns, “[t]he goal of the ...
“LOANMOD TXT MSGS VIOL8 LAW, SEZ FTC.” So reads the headline on the Federal Trade Commission’s Bureau of Consumer Protection’s Business Center Blog. The posting announced the FTC’s complaint against a marketer who sent more than 5.5 million spam text messages at a “mind boggling” rate of about 85 per minute, every minute of every day. Allegedly, most or all of the messages were unsolicited, and, like most text messages, they caused many recipients to incur standard text messaging charges.
On March 2, 2011, the German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act. The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.
On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies. Some security and privacy considerations.”
In our August 2009 blog post on data protection issues in China, we noted that there was no uniform Chinese law that specifically addresses the protection of personal data, and that it seemed likely that Chinese personal information protection law would continue to develop as a patchwork of piecemeal regulations. This remains true today, and developments since our previous article was published have in fact reinforced this assumption. In the past year and a half, new laws affecting personal information protection in China have arisen in various forms, including a consumer ...
On February 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are “personal identification information” under the state’s Song-Beverly Credit Card Act of 1971 (the “Credit Card Act”). This finding effectively prohibits California businesses from requesting and recording cardholders’ ZIP codes during credit card transactions.
Connecticut’s newly-elected Attorney General George Jepsen recently announced an agreement with Google, Inc. concerning the company’s refusal to comply with a Civil Investigative Demand brought by his predecessor, freshman Senator Richard Blumenthal (D-CT). According to a January 28, 2011 press release, to facilitate settlement discussions with the Connecticut-led, 40-state coalition, Google will stipulate that “payload data” compiled in 2008 and 2009 “contained URLs of requested Web pages, partial or complete e-mail communications or other information, including confidential and private information” transmitted by individuals across unsecured wireless networks.
On January 28, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments with the United States Department of Commerce in which the Centre stressed privacy governance based on data stewardship by accountable organizations. The Centre was one of a number of organizations that submitted comments in response to the Department of Commerce’s privacy paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” which was released in December 2010. The theme of today’s comments is similar to that which the Centre suggested earlier this month in its comments responding to the European Commission’s consultation paper.
In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.
Virginia SB 1041
On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person. The law currently applies only to organizations, corporations and agencies supported by public funds. In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.
Update: On February 11, 2011, BNA's Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.
The Federal Trade Commission announced today that it is extending the deadline for public comments on its December 1, 2010 report, “Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers.” In light of the complex issues raised by the report, a number of organizations requested an extension of the original January 31, 2011 deadline. Stakeholders now have until February 18, 2011, to submit their comments.
On January 12, 2011, Adobe Systems Incorporated (“Adobe”) announced in its Adobe Flash Platform Blog that it is working with browser vendors to integrate control features into browser user interfaces that will allow users to more easily control local shared objects (“LSOs”) on their computers. Local shared objects, often referred to as Flash cookies, store information about online activity, including things like browsing history, login details and preferences. In August 2010, we reported on several lawsuits that had been filed against online advertising networks for, among other things, using Flash cookies to re-create deleted browser cookies.
In late December 2010, consumers filed two class action lawsuits against Apple Inc., claiming that several applications they downloaded from Apple’s App Store sent their personal information to third parties without their consent. Specifically, the consumers claim that Apple allowed third party advertising networks to follow user activity through the Unique Device Identifiers that Apple assigns each device that downloads applications. The complaint, filed in the U.S. District Court for the Northern District of California, also named several application developers such as Pandora and The Weather Channel as co-defendants.
On December 18, 2010, President Obama signed into law the “Red Flag Program Clarification Act of 2010” (S.3987), which amends the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors. The law limits the scope of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”), which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.
On December 14, 2010, the United States Court of Appeals for the Sixth Circuit ruled in United States v. Warshak that a “subscriber enjoys a reasonable expectation of privacy in the content of emails” stored, sent or received through a commercial internet service provider (“ISP”). According to the court, the government must have a search warrant before it can compel a commercial ISP to turn over the contents of a subscriber’s emails.
In 2008, a jury sitting in the Southern District of Ohio convicted defendants Steven Warshak, Harriet Warshak and TCI Media, Inc. of various crimes relating to defrauding customers of Berkeley Premium Nutraceuticals, Inc. Before trial, Warshak’s motion to exclude thousands of emails that the government obtained from his ISP was denied. The defendants appealed their convictions, arguing that the government’s warrantless seizure of Warshak’s private emails violated the Fourth Amendment’s prohibition on unreasonable searches and seizures.
As previously reported, on December 16, 2010, the U.S. Department of Commerce released its Green Paper “aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth.”
During a press teleconference earlier that morning announcing the release of the Green Paper, Secretary Gary Locke commented on the Green Paper’s recommendation of adopting a baseline commercial data privacy framework, or a “privacy bill of rights,” built on an expanded, revitalized set of Fair Information Practice Principles (“FIPPs”). He indicated that baseline FIPPs would respond to consumer concerns and help increase consumer trust. The Secretary emphasized that the Department of Commerce would look to stakeholders to help flesh out appropriate frameworks for specific industry sectors and various types of data processing. He also noted that the agency is soliciting comments on how best to give the framework the “teeth” necessary to make it effective. The Secretary added that the Department of Commerce is also open to public comment regarding whether the framework should be enforced through legislation or simply by conferring power on the Federal Trade Commission.
On December 10, 2010, Senior Advisor to U.S. Senator John Kerry (D-Mass.), Daniel Sepulveda, briefed the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) members on Senator Kerry’s forthcoming privacy legislation. The bill, which will be introduced next Congress, aims to establish a regulatory framework for the comprehensive protection of individuals’ personal data that authorizes rulemakings by the Federal Trade Commission.
On December 7, 2010, Microsoft announced in a blog post that Internet Explorer 9 will feature a new “opt-in mechanism” and “Tracking Protection Lists” to help consumers control tracking of their online activity. Since the Federal Trade Commission released its privacy report last week, there has been considerable debate regarding consumer protection on the Internet, especially with respect to the “Do Not Track” concept. Microsoft’s blog post states, “We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection ...
On December 2, 2010, discussions about privacy continued at a hearing on “Do Not Track Legislation: Is Now the Right Time?” held by the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection. The hearing focused on a variety of consumer privacy issues, including the implications and challenges of a Do Not Track mechanism, the consumer’s desire for more control over the collection and use of their data and tracking practices, and the need to preserve an advertising supported Internet that promotes economic growth through online business.
The “Red Flag Program Clarification Act of 2010” (S. 3987) has passed the Senate. The legislation would limit the scope of the Red Flags Rule, which requires certain “creditors” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft. The new legislation would exclude from the definition of “creditor” certain entities that “[advance] funds on behalf of a person for expenses incidental to a service provided by the creditor to that ...
On December 1, 2010, the Federal Trade Commission released its long-awaited report on online privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” Observers expected the report to address the concept of privacy by design, the burdens placed on consumers to read and understand privacy notices and make privacy choices, the provision of individual access to personal data and the rights of consumers with respect to Internet tracking. The FTC report introduces a privacy framework to “establish certain common assumptions and bedrock protections on which both consumers and businesses can rely as they engage in commerce.” It includes the following elements:
David Vladeck, Director of the FTC’s Division of Consumer Protection, this morning previewed the long-awaited FTC report that sums up months of discussion regarding the future of privacy regulation in the United States and examines the viability of a Do Not Track mechanism. Vladeck indicated at the Consumer Watchdog Policy Conference that the existing privacy framework in the U.S. is not keeping pace with new technologies. In addition, he stated that the pace of industry self-regulation, while constructive, has been too slow. According to Vladeck, the report will address several major themes, including the following:
On November 17, 2010, Representative John Adler (D-NJ) introduced the Red Flag Program Clarification Act of 2010 (H.R. 6420) to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.” The bipartisan bill seeks to limit the scope of the FTC’s Identity Theft Red Flags Rule, which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.
On November 8, 2010, Connecticut Insurance Commissioner Thomas Sullivan announced that Health Net of Connecticut, Inc. (“Health Net”) had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties. The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut. Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.
On October 27, 2010, the U.S. Commodity Futures Trading Commission (the “CFTC”) issued two notices of proposed rulemaking (“NPRMs”), citing Gramm-Leach-Bliley Act (“GLBA”) privacy rules, and marketing and data disposal rules of the Fair Credit Report Act (“FCRA”).
The proposed rules come in the wake of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which places two new categories of covered entities (i.e., “swap dealers” and “major swap participants”) under the CFTC’s jurisdiction. Under the proposals, those entities would be subject to certain GLBA privacy rules that regulate the treatment of consumers’ nonpublic personal information, and sections of the FCRA that address affiliate marketing and data disposal.
The international group of data protection commissioners today admitted the U.S. Federal Trade Commission into membership.
Meeting at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, the commissioners determined that the FTC had the requisite authority and independence to qualify for membership.
The decision has been a long time coming. The U.S. has long sought to be recognized as a member of the data protection group. Last year, the U.S. application was rejected at the international conference in Madrid.
David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission, today provided a high-level outline of the Commission’s forthcoming report on the future of privacy.
Speaking at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Vladeck said the report reflected two broad conclusions. First, current privacy law places too much burden on consumers to read and understand privacy notices and make privacy choices. The second conclusion is that there is a pressing need to reexamine the conception of “harm” in U.S. law to move beyond only economic and physical harms.
On October 19, 2010, Federal Trade Commissioner Julie Brill indicated that the FTC’s forthcoming behavioral advertising report will recommend a self-regulatory framework, as opposed to new legislation, to help protect consumers’ privacy. Mediapost.com reported that Ms. Brill offered suggestions on improving privacy practices with respect to Internet advertising, such as by providing “consistent and simplified notice about online tracking and ad-serving,” and that such notice should focus more on the unexpected or non-obvious uses of data (such as an e-commerce company’s transfer of consumers’ addresses to shipping companies).
On October 5, 2010, the Department of Energy (“DOE”) released a report entitled “Data Access and Privacy Issues Related to Smart Grid Technologies.” The idea behind the Smart Grid is that electricity can be delivered more efficiently using data collected through monitoring consumers’ energy use. In connection with the preparation of its report, the DOE surveyed industry, state and federal practices with respect to Smart Grid technologies, focusing on the issue of residential consumer data security and privacy. The DOE noted that advanced meters or “smart meters” were a focal point of the report due to their “ability to measure, record and transmit granular individual consumption.” That said, a Smart Grid consists of “hundreds of technologies and thousands of components, most of which do not generate data relevant to consumer privacy.”
David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010. Mr. Vladeck began by reminding the audience that the FTC is aggressively enforcing on privacy and data security matters, having brought 29 cases to date. Where possible, the FTC joins forces with other federal regulators, such as the Department of Health and Human Services, to seek broad relief that the FTC could not otherwise get on its own. Mr. Vladeck indicated that the FTC also works closely with the states, citing a recent case in which the FTC filed concurrent settlements with 36 state attorneys general. Mr. Vladeck stated that the FTC plans to continue to bring cases to ensure that companies “reasonably” safeguard information.
Mr. Vladeck noted three key areas for future enforcement. The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists to assist and also have created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).
The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws. On September 21, 2010, GPEN unveiled its new website, www.privacyenforcement.net, designed to educate the public about the network. The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for ...
On August 18, 2010, the Connecticut Insurance Department (the “Department”) issued Bulletin IC-25, which requires entities subject to its jurisdiction to notify the Department in writing of any “information security incident” within five calendar days after an incident is identified. In addition to providing detailed procedures and information to be included in the notification, the Bulletin states that the Department “will want to review, in draft form, any communications proposed to be made” to affected individuals. The Bulletin further indicates that, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”
As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act. The magazine, which catered to a young gay audience, had a website privacy policy that asserted “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.” Readers who submitted online profile information were told that their information “will not be published. We keep it secret.” The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.
On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling. The cases involved consumer complaints implicating the companies in several illegal acts. The companies claimed they had obtained prior consent from the consumers they contacted. The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games. The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies. The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.
As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”). Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC "shall not be compelled to disclose" certain information it obtains pursuant to the '34 Act when conducting surveillance, risk assessments or other regulatory and oversight activities.
In the latest chapter of the Federal Trade Commission’s ongoing efforts to promote consumer privacy with respect to online behavioral advertising, FTC Chairman Jon Leibowitz has reportedly suggested that the FTC may propose a Do Not Track Registry. The registry would be similar to the FTC’s popular Do Not Call Registry, which allows consumers to opt-out of many types of telemarketing calls, but registration on the Do Not Track Registry would not stop online advertisements. Instead, it would prevent those advertisements from being targeted to users based on their prior online ...
On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data. “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement. Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet. He indicated that his bill would go beyond the regulation of targeted ...
David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).
Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information. The charges stem from alleged lapses in the company’s data security that permitted hackers to access tweets that users had designated as private and to issue phony tweets from the accounts of some users, including then-President-elect Barack Obama. According to the FTC’s complaint (main document, exhibits), these attacks on Twitter’s system were possible due to a failure to implement reasonable ...
As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule. The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act. In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The FTC previously has stated that health care providers could be deemed “creditors” under the Rule. The agreement will grant relief to ...
The Centre for Information Policy Leadership at Hunton & Williams LLP made ten recommendations in response to the U.S. Department of Commerce’s notice of inquiry, “Information Privacy and Innovation in the Internet Economy.” The Centre’s recommendations strongly suggest that organizational accountability is the key to providing the flexibility needed to use information robustly while protecting the interest of individuals in maintaining private space in a digital age:
“The flexibility to be innovative must be conditioned on the organization’s accountability for the manner in which it uses, manage, and protects data. … To strike the appropriate balance between the value created by data use and the risk that use poses to privacy, organizations must implement privacy processes that are as dynamic as their business processes.”
On April 12, 2010, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined D.A. Davidson & Co. $375,000 for failing to protect its customers’ confidential information. In late 2007, the firm’s system was compromised when hackers employed a SQL injection attack to download the confidential customer information of approximately 192,000 individuals. The security breach came to light when one of the persons responsible for the intrusion attempted to blackmail D.A. Davidson via email on January 16, 2008. The firm responded quickly by notifying ...
Julie Brill and Edith Ramirez took their oaths of office on April 5 and 6, 2010, completing the Federal Trade Commission’s roster of five commissioners and facilitating the Commission’s new tougher stance on privacy. As we previously reported, Ms. Brill and Ms. Ramirez were confirmed by the U.S. Senate on March 3, 2010. There are now three Democrats and two Republicans on the Commission.
Last year, when the Commission was comprised of one Democrat, two Republicans, an independent and a vacant seat, FTC Chairman Jon Leibowitz announced an aggressive agenda for the Commission, including a “privacy re-think.” The new Democratic majority will make it easier to advance that agenda through recommendations to Congress, responses to market requests for greater self regulation and the approach taken with respect to enforcement cases.
On March 17, 2010, the Federal Trade Commission convened the last of its three-part series of roundtable discussions entitled “Exploring Privacy.” In her opening remarks, outgoing Commissioner Pamela Jones Harbour emphasized the critical importance of privacy to consumers, stating that “consumer privacy cannot be run in beta,” and that companies often inappropriately expose consumer data during new product rollout. David Vladeck, Director of the FTC’s Bureau of Consumer Protection, then set the stage by invoking the “notice is broken” theme that recurred during the first two roundtables on December 7, 2009, and January 28, 2010, and was echoed by participants in the March 17 event.
The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products. Ms. Harbour lamented that companies do not take consumer privacy seriously. She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.” Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default. Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data. Soon after the launch, Google changed the defaults to allow users more control. Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.
On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services. The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers. The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity ...
On March 3, 2010, the Senate unanimously confirmed the nominations of Julie Brill and Edith Ramirez to serve as FTC Commissioners for seven-year terms. Most recently, Ms. Brill has served as Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina. She was formerly Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and has served as Chair of the Committee on Privacy for the National Association of Attorneys General. Edith Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles ...
The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010. The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.
Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions. “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.
On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers. The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.” The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy. The announcement of a ...
On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document" at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.” The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use. The paper is the product of a three year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment. The paper may be found at www.informationpolicycentre.com.
On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy." The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts. The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace. Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.
Senior staff changes at the Federal Trade Commission have enhanced privacy’s profile within the agency. Jessica Rich is the new Deputy Director of Consumer Protection. Ms. Rich has been the Acting Associate Director responsible for the Division of Privacy and Identity Protection following nearly a decade as Assistant Director for the Division. Rich has long been seen as the FTC’s staff’s privacy thought leader. The new Privacy Division Associate Director is Maneesha Mithal. Ms. Mithal brings a strong international background to the position. The new Assistant Director is ...
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code