Judge Reggie Walton of the U.S. District Court for the District of Columbia ruled today that the FTC cannot force practicing lawyers to comply with Red Flags Rule.
The FTC’s scheduled enforcement date for the Red Flags Rule is November 1. The American Bar Association challenged the Rule’s applicability to lawyers arguing that it would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers were not covered. The FTC replied that lawyers should be covered because billing practices, such as charging clients on a monthly basis rather than upfront, made them “creditors” under the plain language of the Rule.
Judge Walton rejected the FTC’s definition of a creditor stating that under the FTC’s interpretation, a plumber who charges a customer after working on a toilet for two days also would be considered a "creditor."
It is not clear at this point whether the FTC will appeal the decision.
An article about this development is available at: http://legaltimes.typepad.com/blt/2009/10/judge-ftc-cannot-make-lawyers-comply-with-identity-theft-laws.html
The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice. The model notice incorporates financial institutions’ required disclosures pursuant to Section 503 of the GLBA. Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA. Once adopted and published in the Federal Register, the financial services agencies’ final model notice will take effect in 30 days.
The financial services agencies’ announcement of the final model privacy notice is anticipated in the near future although a draft of the final rule has been circulated. More information about the model notice is available here.
The new OBA guidelines are designed to follow the previously-released seven Self-Regulatory Principles adopted by DMA; the Association of National Advertisers; the American Association of Advertising Agencies; the Interactive Advertising Bureau; and the Council of Better Business Bureaus.
Among the new OBA rules is a requirement that when information is collected from or used on a website for online behavioral advertising purposes, visitors should be provided with notice (easy to find, read, and understand) about the third party’s policies for online behavioral advertising. The rules also describe methods that third parties should use to provide notice about OBA.
The mobile marketing sections are described as an expansion of DMA’s existing guidelines for wireless communications and require, among other things, prior express consent for mobile marketing.
A press release announcing and linking to the guidelines is available at: http://www.the-dma.org/cgi/disppressrelease?article=1357
The FTC announced a settlement with Inconix Brand Group under which Iconix will pay a $250,000 civil penalty to settle FTC allegations that the company violated the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents’ permission.
Iconix owns, licenses, and markets (offline and on its websites) apparel brands including Mudd, Candie’s, Bongo, and OP. The FTC alleged that Iconix required consumers on certain of its websites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number – as well as date of birth – in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other website features. On one website, MyMuddWorld.com, Iconix also allegedly enabled girls to publicly share personal stories and photos online. The FTC alleged that in connection with certain of these sites, since 2006, Iconix knowingly collected and stored personal information from approximately 1,000 children without first notifying their parents or obtaining parental consent in violation of COPPA.
Information about the settlement can be found on the FTC’s website, at: http://www.ftc.gov/opa/2009/10/iconix.shtm.
The judiciary committee for Maine legislature voted Friday to recommend the repeal of the controversial Maine privacy law that restricts gathering or publishing information about minors. According to Peggy Reinsch, a committee staff attorney, the committee agreed that the measure is unconstitutional because it violates the First Amendment and affects interstate commerce. Ms. Reinsch also reportedly stated that the committee is recommending that the legislature draft a more limited measure addressing the collection of minors’ health-related information. An article about this development is available at:
U.S. District Court Judge D. Brock Hornby, who is overseeing a Maine data breach case involving a 2007-2008 breach of the Hannaford Brothers supermarket chain, has reversed his earlier decision to dismiss a class-action lawsuit against Hannaford Brothers.
Maine law covering breaches allows consumers to recover damages if the merchant’s negligence caused a direct loss to the consumer’s account. Judge Hornby is asking the state’s Supreme Court whether "time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?” If the Supreme Court decides that such losses do merit compensation, it may eliminate some of the protections that have shielded retailers from legal liability for data breaches.
Schwarzenegger issued a statement explaining his veto of Senate Bill 20, a bill that would imposed additional requirements on entities issuing data breach notifications. According to his statement the bill was unnecessary because "there is no evidence that there is a problem with the information provided to
consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do
anything with the notices."
A copy of his statement is available at: http://info.sen.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_vt_20091011.html
If adopted into law, the bill would have required that consumers be provided with a plain language description of the data loss incident, including the timing of the incident and the type of personal information exposed. Senate Bill 20 also would have directed data holders to submit a copy of the notification letter to the state Attorney General´s office if more than 500 California residents were affected in a single incident.
An article about this development is available at http://www.californiachronicle.com/articles/view/123684.