Privacy & Data Protection

The Federal Trade Commission (FTC) has struck again in the data privacy world, this time at 13 companies that allegedly misrepresented in their privacy statements that they were U.S.-EU or U.S.-Swiss Safe Harbor certified. This latest enforcement sweep demonstrates the FTC’s privacy focus and reinforces the need for companies to make accurate public representations.

The FTC charged the 13 companies with misleading consumers and has proposed placing them under a familiar 20-year consent order. The consent order requires the companies to refrain from misrepresenting their adherence to any privacy or security program and to keep detailed records for FTC oversight. For the next 20 years, any company that violates the consent order will be subject to a $16,000 civil penalty per violation.

The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks (collectively, “Safe Harbor”) are the most popular of several mechanisms through which companies can legally transfer personal data from Europe to the United States. There are currently over 4,300 U.S. companies certified to the U.S.-EU Safe Harbor.

As FTC Chairwoman Edith Ramirez said this week, “The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are important agreements, and the FTC remains strongly committed to enforcing them. Companies must not deceive consumers about their participation in these programs.”

The FTC’s focus on Safe Harbor enforcement, and privacy enforcement in general, raises concerns for companies of all sizes. Indeed, the FTC has now undertaken 39 Safe Harbor-related enforcement actions against both small and large U.S. companies in the past five years. Here are five key items for companies to review based on the lessons learned from these settlements:

Continue Reading Recent FTC Safe Harbor Enforcement Takeaways

First, it was the “Internet of Things” and now it is the “Internet of Dolls.” Mattel, maker of the iconic Barbie doll, has announced plans to introduce “Hello Barbie,” a doll with a Siri-like ability to communicate. The new Barbie, which connects to the cloud through WiFi, can have conversations, tell jokes, and play games with the children who own it.

Hello Barbie also has the ability to listen, learn girls’ preferences, and adapt to them accordingly. During a recent demonstration, when a Hello Barbie prototype was asked “What should I be when I grow up?” she responded, “Well, you told me you like being on stage. How about a dancer? Or a politician? Or a dancing politician?”

This Barbie doll is likely just the first in what will surely be a long line of dolls and toys that have incredible technological capabilities—whether it is a Siri-like ability to communicate, video recording technology, or the chance to communicate to friends.

But, as these new frontiers of play develop, manufacturers and marketers need to work to ensure that we can strike a balance between innovative play and children’s safety and privacy. And the lines aren’t always clear.

Continue Reading When Your Toys Talk Back: Children’s Privacy and Safety in an Age of Wired Toys

Last week, the Senate broke Congressional silence by passing Resolution 101 – enunciating the chamber’s position on how the country should approach the burgeoning technology of the “Internet of Things,” or what’s more commonly known as the “IoT.” Amidst a series of recent hearings in both the House and the Senate, the IoT industry and others have been keenly eyeing Capitol Hill for hints at whether and to what extent it may regulate the new technology. Although the Resolution did not stake out a definitive position on the question, it seemed to imply that a light touch – for now – may be the best course of action. The Senate’s Resolution emphasized the many benefits to be realized through the IoT and relegated oft-cited privacy concerns to a quick reference that the U.S. should strive to avoid the technology’s “misuse.” Industry should nonetheless keep its finger on the pulse of IoT legislative and executive developments. The Resolution is, of course, the opinion of only one half of the Legislature, and federal agencies such as the Federal Trade Commission have already been exercising independent authority to enforce consumer protection in the IoT space. Stay tuned.

Image courtesy of Flickr by d.aniela.

To tackle the challenges of launching products on the Internet of Things, the FTC recommends designing security into interconnected products from the outset as well as monitoring products post-sale to quickly identify security risks. Most consumer product companies already have similar programs in place to ensure the safety of their products and to meet CPSC reporting and compliance requirements. Whether designing for safety or security, regulators expect design engineers to play a central role in an overall program that operationalizes safety and security as part of ordinary business processes. Both the CPSC and the FTC demand engineering solutions for legal compliance and ask companies to build multiple layers of safety and security into a product by design.

Protecting against cybersecurity risks and safeguarding data collected by products on the Internet of Things needs to become business as usual, not some special new legal requirement. Existing corporate process development programs built to ensure a continuous improvement loop in product design need to be updated to ensure that safety, security and privacy are built into every product on the Internet of Things. For more on the FTC’s recommendations for products on the Internet of Things read their report released today.

Image courtesy of Flickr by UMHealthSystem


At this year’s National Law Journal (NLJ) Regulatory Summit in Washington, DC, held on December 1, 2014, speakers focused on the current and future state of the federal regulatory landscape in the United States. Highlights included:

  • Former Congressional Leaders Speak on Future Trends in Health Care and Other Sectors

The featured speakers included former U.S. Senate Majority Leader Tom Daschle and former Speaker of the House of Representatives Dennis Hastert. The former congressional leaders spoke of the current political division between what Daschle described as “rugged individualism versus collective action.” While acknowledging an increased divide between political parties, the speakers hoped to see possible movement in some areas, possibly Medicare, Medicaid or tax reform. Much of their discussion focused on health care issues as prominent areas of focus going forward, although they predicted more action in the courts and at the state level than at the federal level. Trends to watch for included a movement away from fee-for-service, and also a continued emphasis on wellness extending beyond the health care sector and into businesses themselves as a way to reduce health care costs.

Continue Reading Highlights from the National Law Journal Regulatory Summit 2014

On September 30, 2014, California Governor Jerry Brown signed into law Assembly Bill 1710, which contains a new set of personal information protections that affect all businesses that “own, license, or maintain personal information about Californians.” In what may become a precedent for other jurisdictions, the law includes the nation’s first mandatory state requirement for breached entities to offer breach mitigation services – including credit monitoring – to all affected individuals. Further, the law includes new restrictions on the sale of social security numbers (SSNs). These amendments to the existing California Civil Code Sections 1798.81.5, 1798.82, and 1798.85 will take effect on January 1, 2015.

While offering some sort of breach mitigation services has become common practice for breached entities, California will now require any notifying entity that is the source of a breach to “offer to provide appropriate identity theft prevention and mitigation services … at no cost to the affected person for not less than 12 months.” This obligation will apply only to breaches involving Californians’ names combined with an SSN, driver’s license number, or California ID number.

Continue Reading California Enacts Tough New Privacy Protections

Both have recently brought legal actions against video game makers alleging that their rights of privacy or publicity have been violated by characters in video games. The lawsuits are the latest in a series of high profile disputes that pit an individual’s personality rights against a game maker’s First Amendment rights.

Various states have enacted statutes that protect an individual’s right to “publicity” or “privacy.” The statutes differ from state-to-state but the basic idea is that an individual should have some right to prevent unauthorized commercial use of his or her name, likeness and identity by a third party. This is sometimes referred to as “personality rights.”

The expressive content of video games, on the other hand, is subject to protection under the First Amendment. The extent to which the First Amendment rights of a video game manufacturer may permit the use of real people as characters in video games without violating the individual’s personality rights has been the subject of much interest and discussion in the recent past.

The discussion resumed in earnest in early July when Ms. Lohan brought an action in New York state court alleging that the maker of the video game Grand Theft Auto V had violated her right of privacy under New York state law by the use of her image, likeness, “screen persona” and details from her personal life in depicting a character in the game named Lacey Jonas. A few weeks later, Mr. Noriega brought an action in California state court alleging that the maker of the video game Call of Duty: Black Ops II violated his right of publicity under California state law by illegally using his image and likeness in connection with a character described “as a kidnapper, murderer and enemy of the state.” The lawsuits have been treated by some in the media and by some commentators with a certain degree of amusement and in Mr. Noriega’s case – whose colorful resume includes convictions for drug trafficking, racketeering and money laundering as well as a lengthy stint as a U.S. Prisoner of War – outright disbelief, but they raise serious issues regarding the interplay between the First Amendment and the rights of privacy and publicity.

Continue Reading What Do Actress Lindsay Lohan and Former Panamanian Strongman Manuel Noriega Have in Common?

A bill has been introduced in the California legislature that would dramatically increase retailers’ liability for data breaches. Dubbed the “Consumer Data Breach Protection Act,” Assembly Bill 1710 would enact sweeping changes to California’s data breach notification laws, setting short deadlines by which consumers would need to be notified of breaches and increasing the penalties associated with such breaches. AB 1710’s new provisions would apply to all businesses that sell goods or services to California residents and accept credit or debit cards, although the law retains exemptions for certain businesses that are subject to other privacy regulations (such as financial institutions).

The California Retailers Association has already come out in opposition to the bill, and in years past, has successfully fought similar efforts to expand the state’s data breach notification laws. However, given the number of recent high profile data incidents, lawmakers are in a stronger position this year to amend California’s data protection laws. Indeed, as introduced, AB 1710 made only minor nonsubstantive changes to the data privacy laws, but in the wake of various well-publicized data breaches, the bill’s authors substantially amended the bill to increase the “teeth” in the law.

The following briefly summarizes some of the bill’s key proposed changes:

Expands Restrictions on Data Use and Retention. AB 1710 limits retention of “payment-related data” to the amount of time required for “business, legal, or regulatory purposes.” Retention of payment-related data would be prohibited if it is unnecessary for those purposes. The bill also requires businesses to create “payment data retention and disposal” policies specifying the amount of time such data will be retained. The bill prohibits the retention of certain types of data, such as card verification codes, PINs, social security numbers and driver’s license numbers. The bill also forbids the sale of an individual’s social security number. The term “payment-related data” is defined to include all items that fall within the current statutory definition of “personal information,” such as a consumer’s name, social security number, driver’s license number, account numbers, and user names and passwords.

Continue Reading California Legislature Seeks to Restrict Data Use and Ramp Up Retailer Liability for Data Breaches

The deadline for complying with new Telephone Consumer Protection Act (TCPA) regulations is Wednesday, October 16, 2013. The new rules, promulgated by the FCC in 2012, govern the circumstances under which telemarketers can contact consumers. Non-compliance puts both telemarketers and the companies on whose behalf they act at potential risk. As of October 16, companies that utilize mass marketing through auto-dialers, predictive dialers, and pre-recorded messages (commonly known as “telemarketing robocalls”) must obtain “prior express written consent” before calling residential and mobile phones. The new rule applies to both text messages and voice calls.

Click here to read Crowell & Moring’s previous client alert on the matter.

In case you haven’t heard, online privacy is getting very complicated and Internet users are worried. It’s no wonder, given all the activity in the industry, with daily stories on stolen identities and data breaches, companies you’ve never even heard of collecting information about you, and even mobile game applications knowing about your physical whereabouts. (Let’s not even get into the recent NSA PRISM disclosures!) This is very different from the 1990s, when online privacy was pretty much an “opt-in” or “opt-out” proposition, or people didn’t even know to worry about it. Today, things are much more complex. Pew Research Center’s recently published survey, Anonymity, Privacy, and Security Online, confirms that most users want control over their online personal information but fear that this is no longer possible.

It isn’t just government surveillance that people are worried about; in fact, users are more intent on masking their personal information – things like email and download content, contacts and their online presence – from hackers and advertisers, and even from friends and family members. How hard are they trying to hide? Well, the study reports that 64 percent of users clear their browser history or disable cookies, while 14 percent have resorted to setting up anonymous browsing capabilities. And 13 percent actively misidentify themselves in their efforts to “hide.” It’s not that individuals want to be completely hidden online; they just want to decide when they are unseen based on what kind of data is at issue, who might be watching, and what they think might happen if they don’t hide. Not surprisingly, younger and more sophisticated users are more likely to “bounce” back and forth between disclosing who they are and remaining anonymous depending on what they are doing online.

Personal photos top the list of key pieces of personal information users know are available online. Next come birthdates, phone numbers (both cell and home), home addresses and group affiliations. Over one third of online users avoid websites that ask for their name, and 41 percent have deleted or modified a prior posting.

Perhaps users are more aware of what information about them is floating around out there in cyberspace because cybersecurity is having a hard time keeping up with the sophisticated methods of hackers. Twenty-one percent of online adults report having had an email or social media account hijacked, and 11 percent report having had vital information like Social Security numbers, bank account data, or credit card numbers stolen. With all this complexity and the increasing incidence of identity theft, it is not surprising that 68 percent of those surveyed do not believe current laws are sufficient to protect individual online privacy. So what’s to be done? Industry groups are racing to pull together self-regulatory measures and codes of conduct in an effort to avert what they fear could be cumbersome and overreaching legislation and regulation in both the security and privacy spheres; whether or not they succeed in time remains to be seen. And, of course, the government is keeping a careful watch over the whole issue (pun intended)!