The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Start preparing for Canada’s anti-spam legislation

Canada’s Anti-Spam Law (CASL) is expected to enter into force in 2013, together with two sets of regulations that will address certain detailed requirements under the Act. Industry Canada Regulations are still underway. The Canadian Radio-television and Telecommunications Commission (CRTC) is further ahead: it enacted its Electronic Commerce Protection Regulations in March 2012.

The CRTC has moreover issued two Information Bulletins on its Regulations. The new guidelines address practical aspects of obtaining consent to send commercial electronic messages (CEMs), and providing an effective unsubscribe mechanism.


Specific requests for consent must be clearly identifiable to the user and indicate that the user’s consent can be withdrawn at any time. Consent can be obtained orally or in writing, and must be positive and explicit. In other words, it must be “opt-in”.

Acceptable: an icon or an empty toggle box that must be actively clicked or checked.

Not Acceptable: an opt-out mechanism (i.e. unchecking a pre-checked box); a CEM in the form of a subscription email, text message, or other equivalent form to request express consent


The unsubscribe mechanism must be consumer-friendly, simple, easy to use, and must be set out clearly and prominently. Under the Regulations it must be capable of being “readily performed”.

Email Example: a link takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

SMS Example: the user should have the choice between clicking a link, or replying to the SMS with the word “STOP” or “Unsubscribe”.

For more information, please see:

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

Wondering how Canada’s Anti-Spam Law compares to the U.S. CAN-SPAM requirements? Check out

Leave a comment

Upcoming Program: Nuts and Bolts of Privacy and Identity Protection.

The Young Lawyers Division Antitrust Law Committee and the Privacy and Information Security Committee will be presenting a teleconference program on November 19, from 12:00 to 1:30 pm EDT, on the Nuts and Bolts of Privacy and Identity Protection.
This program should be particularly interesting to law students and young lawyers interested in having a career in privacy and information security law. The program is free to ABA members.
From the flyer:
The Internet and other evolving information technologies, wired and wireless, have prompted the development of powerful tools for the collection, processing, storage and use of personal information. These trends create numerous issues regarding limitations on corporate rights to use that information and obligations to protect it from a variety of new risks and vulnerabilities. Legislators, regulators and the courts are rapidly developing new law and compliance obligations to address the privacy and security implications of the information economy. After providing background on the nuts and bolts of privacy and identity protection, our panelists will engage in a lively discussion that will touch on the various aspects of privacy and data security enforcement.”
There will be three panelists. Two of the panelists are attorneys in private practice, and the third panelist is an attorney at the Federal Trade Commission. You will be able to ask questions to the panelists, either in advance or during the program.

You can register for this teleconference here. We hope you will be able to join us for this exciting program!

Leave a comment

The Cloud Computing Act of 2012 is Introduced

Senator Amy Klobuchar [D-MN] introduced on September 19 a bill, S.3569, the “Cloud Computing Act of 2012”, which is “[a]bill to improve the enforcement of criminal and civil law with respect to cloud computing, and for other purposes.” Senator John Hoeven [R-ND] co-sponsored the bill, which has been referred to the Committee on Commerce, Science, and Transportation.
The Act would amend the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, which incriminates access to computers without authorization or by exceeding authorized access, to obtain information considered to be protected data, or anything of value. It also incriminates transmitting a program, information, code, or command, which, as result causes damage to a protected computer.
Defining Cloud Computing
The Cloud Computing Act would make each instance of unauthorized access a separate offense when the protected computer is part of a cloud computing service.  The Act defines ‘cloud computing service’ as:
a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by he provider.”
Isn’t the life of a cloud computing service customer great? The service is “convenient”, the access “on-demand” and all of this service involves “minimal management effort.” Where do I sign? I am writing this only half in jest, but if I would ever represent a cloud computing service company sued under the Cloud Computing Act of 2012, I would make sure that the judge is convinced that my client runs an inconvenient service, whose access is spotty at best, and involves great management effort.
Defining what is cloud computing in a somewhat more neutral way is apparently a difficult exercise, and the author of the bill probably took inspiration from the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, which defined cloud computing in a paper published last May as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
How the Act Would Calculate Damages
Violating the CFAA is punishable under 18 USC § 1030(c)(2) (B) (iii) by a fine or imprisonment for not more than 5 years, or both, if the value of the information obtained exceeds $5,000. Under the Cloud Computing Act, the value of the loss of the use of a protected computer that is part of a cloud computing service, the value of the information obtained, and the value of the aggregated loss would be the greater of either the value of the loss of use, information, or aggregated loss to one or more persons, or the product of multiplying the number of cloud computing accounts accessed by $500.
Therefore, if the number of cloud computing accounts is at least 11, plaintiffs could prove the value of their losses met the threshold for punishment under the CFAA. This is welcome, as plaintiffs often fail to prove that they have suffered more than $5,000 in damages.
For instance, in In re Doubleclick Inc. Privacy Litigation (S.D.N.Y. 2001) plaintiffs claimed, inter alia, that by placing cookies on their computers, DoubleClick had violated the CFAA. Defendant did not contend that plaintiffs’ computers were not “protected" under the CFAA, nor that their  access was unauthorized, but rather argued that their losses did not meet the $5,000 threshold set by the CFAA. Plaintiffs had claimed invasion of privacy, trespass to their personal property, and misappropriation of confidential data, but failed to prove that this represented a loss of more than $5,000.
Promoting Interoperability with Foreign Laws
The Act would also suggests that there should be work at the international level, including consultations between the United States and the European Union, in order to ensure that the Act is interoperability with foreign laws. This is certainly welcome, as data in the cloud often resides on servers located in foreign jurisdictions.
It would also direct the Secretary of State to conduct each year, for four years, a study on international cooperation regarding data privacy, retention, and security. The study would include recommendations for best practices.

Leave a comment

FTC Aggressively Enforcing COPPA Compliance

The FTC meant what it said about aggressively targeting COPPA violators. It announced on Thursday that celebrity fan website operator, Artist Arena, will pay a $1 million penalty for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). This penalty is significantly more than the $250,000 fine in last March’s settlement against RockYou, and demonstrates the FTC’s increasing commitment toward COPPA compliance.

COPPA regulates operators of commercial websites or online services directed to children under the age of 13 that collect, use, and/or disclose children’s personal information. Among other things, the rule requires that these operators post a privacy policy outlining its data collection and use practices, provide notice of these practices directly to parents, and obtain verifiable parental consent prior to collecting data from children under 13.

Artist Arena operates fan websites for teen and “tween” pop-star celebrities such as,,, and http://www.SelenaGomez. Members can create profiles, “friend” other members, and post comments on members’ walls. To register, users must provide their personal information, including their names, addresses, email addresses, birthdates, and gender. According to the FTC’s complaint, Artist Arena represented in its privacy policy that it would not collect children’s personal information or activate their registration without verifiable parental consent. Despite these representations, Artist Arena allegedly registered over 25,000 children under 13 without parental notice and consent, and collected and maintained the personal information from almost 75,000 additional children who began, but did not complete the registration process.

This is the first of likely many high-stakes enforcement actions for alleged COPPA violators. In fact, the FTC is pushing to expand the liability of operators for third-party violations. Back in August, the FTC issued a Notice of Proposed Rulemaking seeking comments on proposed changes to COPPA. In pertinent part, the FTC wants to expand the definition of “operator” under the rule to include personal information “collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.” The FTC believes that a website operator that uses a third-party service to collect personal information from children under 13 – without itself engaging in such collection – should be considered a covered operator under the Rule. In this instance, although the operator does not own, control, or have access to the information collected, the data is collected on its behalf and for its benefit.

Given the FTC’s demonstrated commitment to prosecute alleged COPPA violators and its push for expanded liability under the rule, operators of websites directed to children under 13 that collect children’s personal information, either by itself or through a third-party service, should align its collection and use practices in accordance with COPPA to avoid being the next FTC enforcement target.