The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


FTC Withdraws FCRA Commentary

Recently, the FTC withdrew its Statement of General Policy or Interpretations under the Fair Credit Reporting Act ("FCRA"), including the FTC’s Commentary on the FCRA (the "Commentary"), the day before the authority to enforce and administer the FCRA transferred to the new Consumer Financial Protection Bureau (“CFPB”).

The FTC also released a staff report entitled "Forty Years of Experience with the Fair Credit Reporting Act."  This report provides background on the FTC’s role in enforcing the FCRA, and includes a section-by-section summary of the agency’s interpretations of the FCRA. 

In announcing the withdrawal of the Commentary and release of the staff report, the FTC stated that the Commentary "has become partially obsolete since it was issued 21 years ago."  The new staff report deletes several interpretations in the Commentary that have since been repealed, modified or otherwise amended, and adds updated interpretations to reflect changes in the law since the Commentary was released in 1990.  The FTC stated that, given the Commentary’s staleness, it "does not believe it is appropriate to transfer the Commentary."


Ninth Circuit Determines the Meaning of “Electronically Printed” Under FACTA

On May 24, 2011, the United States Court of Appeals for the Ninth Circuit determined that an email receipt was not an “electronically printed” receipt as used by the Fair and Accurate Credit Reporting Act (“FACTA”). Under FACTA, entities are prohibited from printing “more than the last 5 digits of the [credit or debit] card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. Sec. 1681c(g)(1). This restriction only applies to “receipts that are electronically printed, and [does] not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.” Id. Sec. 1681c(g)(2).

In Simonoff v. Expedia, Inc., Simonoff claimed that Expedia violated FACTA by including the expiration date of his credit card on an email receipt for an online transaction. To be a violation of FACTA, an email displayed on a computer screen would have to be considered an “electronically printed” receipt. Upholding the district court’s decision and agreeing with a previous Seventh Circuit decision regarding this issue, the Ninth Circuit determined that the plain meaning of “print” and “electronically printed” does not include email displayed on a computer screen.

Specifically, the Ninth Circuit found that the ordinary meaning of “print” involves a “physical imprint onto paper or another tangible medium.” The court also found that the term “electronically” clarifies the “manner of printing by differentiating receipts printed with electronic devices from receipts printed by hand; it does not change the definition of ‘print.’” Further, the court looked to Congress’s intention in enacting FACTA and determined that “Congress did not use language that would have clearly extended FACTA’s protection to electronically mailed receipts.” The court also looked to other factors of the FACTA statute, such as “the staggered implementation schedule that applies to physical devices that print paper receipts, and the limitation of the statute to receipts produced at the point of the sale or transaction,” to determine the meaning of “electronically printed.” Accordingly, the court determined that “[t]he text of FACTA simply leaves no room to doubt that ‘electronically printed’ receipts include only receipts impressed onto a tangible medium by electronic devices at the point of the sale or transaction, not receipts that are electronically transmitted to an email account or displayed on a computer screen.”


Lame Duck Privacy Bills

In the last two weeks of 2010, President Obama signed the following three acts addressing privacy:


Red Flags Program Clarification Act of 2010


President Obama signed the “Red Flag Program Clarification Act of 2010,” S. 2987, (“Clarification Act”) on December 18, 2010, which became Public Law No: 111-319. The Clarification Act narrows the definition of “creditor” under the Fair Credit Reporting Act (FCRA) by adding a definition to Section 615(e), 15 U.S.C. § 1681m(e), to address issues with the breadth of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flag Rule”).


The FTC’s Red Flag Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act, under which the FTC and other agencies were directed to draft regulations requiring “creditors” and “financial institutions” with “covered accounts” to implement written identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities—the so-called “red flags”—that could indicate identity theft. The FTC interpreted the definition of “creditor” to include entities that regularly permit deferred payment for goods and services, which included lawyers, doctors, and other service providers not typically considered to be “creditors.” This interpretation led to lawsuits by professional organizations, including the American Bar Association, the American Medical Association, and the American Institute of Certified Public Accountants, challenging the FTC’s position that the Red Flags Rule should apply to their members.


The Clarification Act limits the definition of creditor to entities that regularly and in the ordinary course of business: (i) obtain or use consumer credit reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds to or on behalf of a person. The definition of creditor specifically excludes creditors that “advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” However, the Clarification Act also allows the definition of creditor to be expanded by rules promulgated by the FTC or other regulating agencies to include creditors which offer or maintain accounts determined to be subject to a reasonably foreseeable risk of identity theft.


S. 2987 was introduced by Senator John Thune (R-S.D.) and co-sponsored by Mark Begich (D-Alaska) on November 30, 2010, and the Senate unanimously approved the bill the same day. An identical companion bill was introduced in the House, H.R. 6420, by Representatives John Adler (D-N.J.), Paul Broun (R-Georgia), and Michael Simpson (R-Idaho) on November 17, 2010. S. 2987 passed the House on December 7, 2010.


The FTC had previously delayed enforcement of the Red Flags Rule several times, most recently in May 2010 when it delayed enforcement through December 31, 2010. The FTC’s Red Flags Rule website notes that the FTC will be revising its Red Flags guidance to reflect the Clarification Act changes.


Social Security Number Protection Act of 2010


President Obama also signed the “Social Security Number Protection Act of 2010,” S. 3789, on December 18, 2010, which became Public Law No: 111-318. S. 3789 was introduced by Senator Dianne Feinstein (D-Cali.) and co-sponsored with bipartisan support, including Senator Judd Gregg (R-N.H.). The Act aims to reduce identity theft by limiting access to Social Security numbers, according to a statement from Senator Feinstein.


The Act prohibits any federal, state, or local agency from displaying Social Security numbers, or any derivatives of such numbers, on government checks issued after December 18, 2013. The Act also prohibits any federal, state or local agency from employing prisoners in jobs that would allow access to Social Security numbers after December 18, 2011.


S. 3789 unanimously passed in the Senate on September 28, 2010, and passed in the House by voice vote under suspension of its rules on December 8, 2010.


Truth in Caller ID Act of 2009

On December 22, 2010, President Obama signed into law the “Truth in Caller ID Act,” S. 30, which became Public Law No: 111-331. The Caller ID Act is intended to combat the problem of caller ID “spoofing,” where identity thieves alter the name and number appearing as caller ID information in an attempt to trick people into revealing personal information over the phone.


The Caller ID Act amended Section 227 of the Communications Act of 1934, 47 U.S.C. § 227, to make it illegal to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm. However, the Caller ID Act specifically prohibits anything in it from being construed as preventing or restricting any person from using caller ID blocking.


The Federal Communications Commission (“FCC”) is required to prescribe regulations to implement the Act within six months.  The Caller ID Act specifically exempts law enforcement activity and caller ID manipulation authorized by court order, and it also allows the FCC to define other exemptions by regulation.  


The FCC can impose civil forfeiture penalties of up to $10,000 per violation, or $30,000 for each day of continuing violation, up to a cap of $1,000,000 for any single act or failure to act. Willful and knowing violations of the Caller ID Act can result in criminal penalties including the same monetary penalties and up to a year in prison.


S. 30 was introduced by Senator Bill Nelson (D-Fla.) on January 7, 2009, and passed in the Senate on February 23, 2010. The bill was approved in the House on December 15, 2010 by voice vote under suspension of its rules. S. 30 was very similar to H.R. 1258, introduced by Representatives Eliot Engel (D-N.Y.) and Joe Barton (R-Tex.) and passed by the House on April 14, 2010, according to a statement released by Representative Engel.


AICPA Challenges Application of FTC’s Red Flags Rule to CPAs

The American Institute of Certified Public Accountants ("AICPA") challenged application of the Federal Trade Commission’s Red Flags Rule to accountants.  In its lawsuit, filed in U.S. District Court for the District of Columbia, the AICPA alleges:

  • that the FTC is exceeding its congressionally granted powers under the 2003 law by interpreting its Red Flags Rule to apply to accountants;
  • that the FTC has acted arbitrarily, capriciously, and contrary to law by failing to articulate a rational connection between the profession of public accounting and identity theft;
  • that the FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an extension of credit; and
  • that the FTC failed to identify any legally supportable basis for applying the rule to accountants.

The AICPA’s challenge follows the recent ruling by the U.S. District Court for the District of Columbia that the Red Flags Rule is not applicable to lawyers.

Coverage of the lawsuit is available here.


House Approves Bill to Exempt Certain Entities From FTC Red Flag Rules

On Oct. 20 the House approved H.R. 3763, a bill that would exempt certain businesses from the Federal Trade Commission’s (FTC’s) Red Flags Rules. Under the bill, health care, accounting, and legal practices with 20 or fewer employees would be excluded from the Rules’ definition of a "creditor," and the FTC also would be required to issue new regulations allowing any business to apply for an exemption.
To date the Senate has not introduced a companion bill.
The FTC’s enforcement deadline for the Rule is November 1, 2009.
A copy of the bill is available at: Information about the FTC’s Red Flags Rule is available at:


How do I know if the FTC’s new Affiliate Marketing Rule applies to my company’s marketing activities?

On October 23, 2007, the Federal Trade Commission (FTC) announced the release of its final rulemaking on affiliate marketing. The Rule implements section 214 of the Fair and Accurate Credit Transactions Act of 2003, and becomes effective January 1, 2008. All covered entities must comply by October 1, 2008.

There has been great confusion in the industry regarding the Rule’s scope and applicability. Upon first glance, the Rule appears to have a very broad scope. In fact, the Rule states that it "applies to any person over which the FTC has jurisdiction that uses information from its affiliates for the purpose of marketing solicitations, or provides information to its affiliates for that purpose." (Similar rules applicable to entities that are not regulated by the FTC were issued separately by other regulators.) However, a further analysis of the key defined terms of the Rule narrows the scope and provides a better understanding of when a company is, in fact, covered by the Rule. Such key terms include: "affiliate," "solicitation" and, most importantly for defining the scope of the Rule, "eligibility information."

The Rule prohibits a "person" from using "eligibility information" about a consumer that it receives from an "affiliate" to make a "solicitation" for marketing purposes to the consumer, unless the consumer has been given notice and an opportunity to opt out of such sharing. The Rule generally considers "eligibility information" to be information that bears on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, which is used or expected to be used for the purpose of serving as a factor in establishing a consumer’s eligibility for consumer credit or insurance, employment or for other authorized purposes. Thus, the Rule is aimed at the sharing of this type of consumer information between affiliates, not at the sharing of any kind of consumer information.

Additionally, to be covered, the "eligibility information" must be used to effectuate one or more of the following marketing activities: (a) to identify the consumer or type of consumer to receive a solicitation; (b) to establish criteria used to select the consumer to receive a solicitation; or (c) to decide which of a company’s products or services to market to the consumer or to tailor a company’s solicitation to that consumer.

The Rule defines "solicitation" to include "the marketing of a product or service initiated by a person to a particular consumer that is: (i) based on eligibility information communicated to that person by its affiliate… ; and (ii) intended to encourage the consumer to purchase or obtain such product or service." This definition would include certain telemarketing calls, direct mail and e-mail, but would not include communications directed at the general public, such as television ads, general circulation magazines and billboard ads.

In summary, if the information that your company wishes to use does not constitute "eligibility information," then the Rule would not apply, even if you have received such information from an affiliate and are using such information to make "solicitations," as defined by the Rule. Additionally, if the entity from which your company received the eligibility information is not an "affiliate" as defined in the Rule, the Rule would not apply to your company’s proposed marketing activities. It should be noted, however, that in both cases, other applicable rules may apply to the sharing of such consumer information. Finally, the Rule provides for several exceptions to its general requirements.