The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Start preparing for Canada’s anti-spam legislation

Canada’s Anti-Spam Law (CASL) is expected to enter into force in 2013, together with two sets of regulations that will address certain detailed requirements under the Act. Industry Canada Regulations are still underway. The Canadian Radio-television and Telecommunications Commission (CRTC) is further ahead: it enacted its Electronic Commerce Protection Regulations in March 2012.

The CRTC has moreover issued two Information Bulletins on its Regulations. The new guidelines address practical aspects of obtaining consent to send commercial electronic messages (CEMs), and providing an effective unsubscribe mechanism.

1. OBTAINING CONSENT

Specific requests for consent must be clearly identifiable to the user and indicate that the user’s consent can be withdrawn at any time. Consent can be obtained orally or in writing, and must be positive and explicit. In other words, it must be “opt-in”.

Acceptable: an icon or an empty toggle box that must be actively clicked or checked.

Not Acceptable: an opt-out mechanism (i.e. unchecking a pre-checked box); a CEM in the form of a subscription email, text message, or other equivalent form sent to request express consent.

2. UNSUBSCRIBE MECHANISM

The unsubscribe mechanism must be consumer-friendly, simple, easy to use, and must be set out clearly and prominently. Under the Regulations it must be capable of being “readily performed”.

Email Example: a link takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

SMS Example: the user should have the choice between clicking a link, or replying to the SMS with the word “STOP” or “Unsubscribe”.

For more information, please see:

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

Wondering how Canada’s Anti-Spam Law compares to the U.S. CAN-SPAM requirements? Check out http://www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law




FTC Aggressively Enforcing COPPA Compliance

The FTC meant what it said about aggressively targeting COPPA violators. It announced on Thursday that celebrity fan website operator, Artist Arena, will pay a $1 million penalty for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). This penalty is significantly more than the $250,000 fine in last March’s settlement against RockYou, and demonstrates the FTC’s increasing commitment toward COPPA compliance.

COPPA regulates operators of commercial websites or online services directed to children under the age of 13 that collect, use, and/or disclose children’s personal information. Among other things, the rule requires that these operators post a privacy policy outlining their data collection and use practices, provide notice of these practices directly to parents, and obtain verifiable parental consent prior to collecting data from children under 13.

Artist Arena operates fan websites for teen and “tween” pop-star celebrities such as http://www.RihannaNow.com, http://www.DemiLovatoFanClub.net, http://www.BeiberFever.com, and http://www.SelenaGomez. Members can create profiles, “friend” other members, and post comments on members’ walls. To register, users must provide their personal information, including their names, addresses, email addresses, birthdates, and gender. According to the FTC’s complaint, Artist Arena represented in its privacy policy that it would not collect children’s personal information or activate their registration without verifiable parental consent. Despite these representations, Artist Arena allegedly registered over 25,000 children under 13 without parental notice and consent, and collected and maintained the personal information from almost 75,000 additional children who began, but did not complete the registration process.

This is the first of likely many high-stakes enforcement actions for alleged COPPA violators. In fact, the FTC is pushing to expand the liability of operators for third-party violations. Back in August, the FTC issued a Notice of Proposed Rulemaking seeking comments on proposed changes to COPPA. In pertinent part, the FTC wants to expand the definition of “operator” under the rule to include personal information “collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.” The FTC believes that a website operator that uses a third-party service to collect personal information from children under 13 – without itself engaging in such collection – should be considered a covered operator under the Rule. In this instance, although the operator does not own, control, or have access to the information collected, the data is collected on its behalf and for its benefit.

Given the FTC’s demonstrated commitment to prosecute alleged COPPA violators and its push for expanded liability under the rule, operators of websites directed to children under 13 that collect children’s personal information, either themselves or through a third-party service, should align their collection and use practices with COPPA to avoid being the next FTC enforcement target.



Rep. Markey Introduces Mobile Device Privacy Act

On September 12, Reps. Markey (D-MA) and DeGette (D-CO) introduced the Mobile Device Privacy Act, H.R. 6377.  If enacted, the bill would place obligations on the mobile phone industry to disclose the use of tracking software, and to obtain consumer consent before the software is downloaded onto a device.

In a press statement introducing the legislation, Rep. Markey – who is co-Chair of the Bipartisan Congressional Privacy Caucus – stated that "Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information.  This is especially true for parents of children and teens, the fastest growing group of smartphone users. This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to transmission."  Opponents of the legislation, such as the Software & Information Industry Association, have argued that it "would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism."

The Markey bill would create new regulatory authority for the Federal Trade Commission to oversee aspects of the mobile industry.  The bill would require the FTC, in consultation with the FCC, to issue rules requiring mobile device manufacturers, service providers, mobile operating system developers, and app developers to make disclosures to users about "monitoring software" installed on a mobile device.  Monitoring software is broadly defined to include all software that "has the capability to monitor the usage" of the device, the user’s geolocation, and to transmit this information elsewhere.  In the same vein, the bill also envisages FTC rules requiring device sellers and app developers to obtain a user’s "express consent" before monitoring or transmitting any information collected.  The bill also envisages that all entities in receipt of monitoring data (i.e. first and third parties) implement information security policies and practices spanning data collection, retention, and disposal.

Enforcement authority under the bill goes primarily to the FTC, with secondary authority being given to the FCC and the states.  The bill does not exclude private enforcement actions by individuals.  Statutory damages for these breaches would vary between $1,000 per unintentional violation, and $3,000 per intentional violation.

The bill will not likely receive further attention from this Congress, which went into recess over the weekend pending the November elections.


Senate Hearing Addresses Privacy Implications of Facial Recognition Technology

On July 19, 2012, the U.S. Senate Judiciary Committee, Subcommittee on Privacy, Technology and the Law, held a hearing entitled “What Facial Recognition Technology Means for Privacy and Civil Liberties”.  Individuals from academia, industry, and federal agencies examined the use of facial recognition technology and its potential impact on privacy and civil liberties. 

Social media giant Facebook has been the impetus behind the facial recognition movement.  In 2010, Facebook acquired the licensing to create unique “face prints” for its nearly 800 million users – without their knowledge or consent – in a program called “tag suggestions.”  Outside of social media, companies are increasingly relying on facial recognition technology to gauge viewer response to video content, confirm user identities at ATMs, and identify consumer trends for brand loyalty and rewards programs.

In line with the privacy principles articulated in the Federal Trade Commission’s (FTC) March 2012 Privacy Report, panelists discussed the need for transparency in facial recognition technology use and opt-in requirements for these services.  In particular, panelists disagreed on the extent to which conventional opt-in requirements should be applied in the facial recognition context.  In his staunch opposition, FTC Commissioner J. Thomas Rosch testified that a rigorous cost-benefit analysis should be conducted before the FTC embraces an opt-in requirement and imposes “best practices” for facial recognition services on the grounds of potential misuse. 

Despite Commissioner Rosch’s dissent, the FTC is expected to release a report later this year setting forth recommended best practices and the extent to which “affirmative express consent” will be required for the collection and use of data made available through facial recognition technology.

Written with assistance by Jalyce Mangum. 



Google to Pay Record $22.5 Million to Settle FTC Privacy Charges

Just ten months after it entered into a consent decree with the FTC in a case charging that it violated its privacy promises when it launched Google Buzz, Google has agreed to pay $22.5 million to settle charges that it violated that agreement by making misrepresentations to Apple Safari users. In addition to the $22.5 million civil fine – the largest ever obtained by the FTC for a violation of one of its orders – the settlement agreement requires that Google disable all the tracking cookies it said it would not place on users’ computers.

According to the FTC complaint, Google told Apple Safari users that the browser’s default privacy options would protect them from being tracked by Google’s DoubleClick advertising network – stating that Safari’s default settings were effectively the same thing as opting out of DoubleClick tracking. Google then went ahead and placed advertising tracking cookies on Safari users’ computers anyway – in many cases by utilizing an exploit to circumvent the privacy protections built into Safari. These misrepresentations, the FTC charged, violated the earlier consent decree that barred Google from misrepresenting the extent to which consumers can control collection of their information.

This case is just the latest in which the FTC brings its enforcement power to bear in ensuring companies respect their own privacy policies and representations. As FTC Chairman Jon Leibowitz states in the FTC press release, “all companies must . . . keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

In an interesting twist, though, Google was allowed a fairly strongly worded denial of liability in the consent decree. Paragraph 2 of the decree states that Google "denies any violation of the FTC Order, any and all liability for the claims set forth in the Complaint, and all material allegations of the Complaint save for those regarding jurisdiction and venue." This language, rather than the more common "neither admit nor deny" formula, caused Commissioner J. Thomas Rosch to issue a fairly strongly worded dissent. Pointing out that the FTC had essentially charged Google with contempt and that it was Google’s "second bite at the [deceptive conduct] apple", Commissioner Rosch found the Commission’s acceptance of Google’s denial of liability "inexplicable."



7th Circuit: Parking Ticket Practice Violates Privacy Law

Many drivers know the futility of trying to fight a parking ticket, but one Illinois driver came up with an attack against his that has ended up with the Seventh Circuit Court of Appeals, sitting en banc, backing him up in an opinion released this past Monday. At 1:35 a.m. on August 20, 2010, a Palatine, Illinois, police officer ticketed Jason Senne’s illegally parked car and placed the ticket on the car windshield. Mr. Senne retrieved the ticket about five hours later and, not willing to pay the $20 fine and move on, fought back by filing suit against Palatine for violation of the Driver’s Privacy Protection Act, 18 U.S.C. §§2721-25 (“DPPA”).

DPPA, which was enacted after a stalker obtained the home address of actress Rebecca Schaeffer from the California DMV and then used the information to find and kill her, places strict limits on how and why personal information contained in state DMV records can be released. It restricts not only disclosure by DMV employees, but also disclosure by those who lawfully obtain information from the DMV (in the Schaeffer matter, the stalker had hired a private investigator to obtain the information).

It turns out that in Palatine, when a police officer writes a parking ticket, information about the car’s owner is downloaded from the DMV and then printed on the parking ticket itself. This information includes the owner’s full name, address, driver’s license number, date of birth, sex, height, and weight. The parking ticket is then placed on the windshield of the car. Mr. Senne contended that placing the ticket on the windshield, in public view, constituted a disclosure of that private information in violation of DPPA and filed suit in Federal District Court. Palatine moved to dismiss the suit for failure to state a claim. It contended that the parking ticket was not a disclosure and that, even if it was, it was permitted under a specific exception in DPPA. The District Court agreed with Palatine and dismissed the case, a decision that was affirmed on appeal. The Seventh Circuit Court then agreed to rehear the case en banc and, in a decision issued this past Monday, reversed the District Court.

Palatine argued that placing the ticket on the windshield did not constitute a disclosure because Mr. Senne had failed to allege that anyone other than himself had actually seen it. The Court, in rejecting Palatine’s argument, stated that placing the ticket on the windshield made the information available to any passer-by. The Court ruled that whether or not anyone else saw it is irrelevant: the act of placing it on the windshield is itself a publication that is prohibited by DPPA. The Court’s opinion is available here.



Toward a Federal Breach Notification Law? Data Security and Breach Notification Act of 2012 Introduced in U.S. Senate

Senator Pat Toomey [R-Pa] introduced on June 21 a bill, the Data Security and Breach Notification Act of 2012 (the Data Breach Act), which could become the Federal data breach notification law. If enacted, entities collecting and maintaining personal information would have to secure this information, and would also have to provide notice to individuals affected by a breach of security involving personal information.

The Data Breach Act would preempt State laws (Section 6), and would take effect one year after its enactment.

Senator Toomey published a statement explaining why he believes such a law is needed:

"A number of recent high-profile data breaches combined with the messy patchwork of 46 different state laws highlight how difficult it is for consumers to know their personal information is secure. Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices. Our bill would eliminate the burden of complying with varying standards and laws, ensuring that all consumers and their personal information are afforded the same level of protection."  

Scope of the Data Breach Act

The bill would cover entities over which the Federal Trade Commission (FTC) has authority pursuant to section 5(a)(2) of the FTC Act, and also common carriers subject to the Communications Act of 1934.

However, financial institutions subject to Title V of the Gramm-Leach-Bliley Act would be exempt from the Data Breach Act, as would entities covered by the regulations issued under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to the extent that such entities are subject to the requirements of those regulations with respect to protected health information.

Information Security

The covered entities would have to “take reasonable measures to protect and secure data in electronic form containing personal information” (Section 2).  The bill does not, however, define what these ‘reasonable measures’ should be, which could lead to uncertainty for businesses.

Personal information would not include information “encrypted, redacted, or secured by any other method or technology that renders the data elements unusable” (Section 5(5)(B)(ii)). Therefore, it seems that encrypting personal information would serve as a safe harbor for covered entities.

Notification of Information Security Breach

The Data Breach Act would define a “breach of security” as an “unauthorized access and acquisition of data in electronic form containing personal information” (Section 5(1)).

Each covered entity owning or licensing personal data would have to notify individuals of a security breach if their personal data was or may have been affected by the breach. Entities would only have to notify American citizens or residents, Section 3(a)(1). Therefore, if a breach of a U.S. system affects the data of, say, international clients of a company, a covered entity could argue that it does not have to notify them of the breach. In practice, though, international clients could not be ignored without some public relations damage. The entity would also have to inform the FBI of any breach of security which may affect more than 10,000 persons, Section 3(a)(2).

If the system where the breach occurred is maintained by a third party, the third party will have to notify the covered entity of the breach, which in turn will notify individuals, Section 3(b)(1)(A). ISPs would not be considered a third party by the Act, Section 3(b)(1)(C). However, an ISP becoming aware of a breach involving data owned by one of its entity-customers would have to notify the entity of the breach, if the covered entity can be ‘reasonably identified.’

Timeliness of Notification

Covered entities would have to notify individuals affected by the security breach “as expeditiously as practicable and without unreasonable delay,” Section 3(c)(1). However, the notification may be delayed if a Federal law enforcement agency requests so in writing because the notification would impede a civil or criminal investigation, or if a Federal national security agency requests so in writing because the notification would threaten national or homeland security. In both cases, the notification may be held for a “reasonably necessary period,” which would be determined by the Federal agency requesting the delay, Section 3(c)(2)(A) and Section 3(c)(2)(B).

Method and Content of Notification

The notification could be accomplished by mail, telephone, or email. It would have to contain the date or the estimated date of the breach, as well as the scope of the breach. It would also have to contain a description of the personal information that was accessed, and the contact information an individual affected by the breach may use to learn more about the breach and to find out which of his or her personal data was held by the covered entity, Section 3(d).

A substitute notification would be authorized instead of a direct notification to the affected individual if a direct notification is not feasible because of excessive cost relative to the entity’s resources, or if the entity does not have sufficient contact information for the individual affected by the breach.  Such substitute notification could be a “conspicuous notice” on the entity’s web site, or a notification published or broadcast by major media in the areas where the affected individuals may live, Section 3 (d)(2).

In practice, this may lead to some disparities. If a deep-pocketed company suffers a breach but is unable to contact the affected individuals directly because it does not have their contact information, it could then choose to publish or broadcast the notification. It would have to do so at least across the entire U.S. territory, and one could even argue that it would have to be done around the world, as U.S. citizens living abroad may be affected by the breach as well.

An entity with lesser means may not be able to do so, as such publication would be quite expensive.  A direct notification might not be feasible because of the high cost for the company, yet a substitute notification would be even more expensive if the entity does not have enough information about the affected individuals to contact them. Some small companies process a huge volume of personal data, yet may not have the financial capacity to notify all the individuals concerned by the breach.

Liability

Violating section 2 and section 3 of the Data Breach Act would be considered unfair or deceptive acts or practices under the FTC Act, and the FTC would have the power to enforce the Data Breach Act.

The maximum civil penalty for a covered entity having violated the Data Breach Act would be $500,000 for all violations of section 2 and $500,000 for all violations of section 3 resulting from a single breach of security, Section 4(c)(3)(A) and (B). There would be no private cause of action against a person for violation of the Data Breach Act, Section 4(d).

It is not the first time that such a bill has been introduced in Congress. Last year, S. 1207, the Data Security and Breach Notification Act of 2011, was introduced by Senator Mark Pryor [D-AR]; it was itself a re-introduction of S. 3742 from the 111th Congress. S. 1207 was not enacted. It remains to be seen whether Senator Toomey’s bill will meet the same fate.

However, the bill has already received the support of AT&T, in a statement by Tim McKone, Executive Vice President of Federal Relations, which read:

“The security of our customers’ personal information is of utmost importance to us and is a priority in how we conduct our business. That is why we are pleased by Senator Toomey’s thoughtful and comprehensive bill, the ‘Data Security and Breach Notification Act of 2012.’ It is a common sense bill that will eliminate uncertainties and ultimately consumer confusion by establishing uniform requirements.”

The CTIA, the Wireless Association, also supports the bill. Jot Carpenter, its Vice President of Government Affairs, issued this statement:

“CTIA welcomes the introduction of Senator Toomey’s bill. By advancing a proposal that offers a comprehensive, uniform approach to data security and breach notification, Senator Toomey demonstrates that it is possible to protect consumers while providing clear, consistent guidelines to businesses.”

Another data breach notification bill, H.R. 3730, sponsored by Rep. Joe Donnelly [D-IN], the Veterans Data Breach Timely Notification Act, has recently passed the House Veterans’ Affairs Subcommittee.  The bill is not as inclusive as the Data Security and Breach Notification Act, as it would only require the Secretary of Veterans Affairs to provide notice to veterans whose sensitive personal information is involved in a data breach.