The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

California Continues to Expand Consumer Privacy Protections, Enacting Further Amendments to CalOPPA and the Data Breach Notification Law

On September 27, California Governor Jerry Brown signed into law two bills—both to take effect January 1, 2014—that expand the online privacy protections for California residents.  These two new laws were the second and third enacted during September, as the Governor signed a bill imposing restrictions on the advertising of certain products marketed to minors earlier that week, and demonstrate that the California legislature continues to prioritize consumer privacy by amending its legislation to reflect changes in the way websites collect, and consumers provide, personal information online.

“Do Not Track” Disclosures

The first bill, AB 370, amends the California Online Privacy Protection Act (“CalOPPA”) (Cal. Bus. & Prof. Code § 22575 et seq.), requiring that the privacy policy posted on all commercial websites include a disclosure explaining how the website operator responds to mechanisms, such as “Do Not Track” signals, that provide consumers with the ability to exercise choice regarding personally identifiable information collection over time and across third-party websites.

The new law states that website operators may satisfy this requirement by providing a clear and conspicuous hyperlink in the privacy policy that links to a description, including the effects, of any program or protocol the operator follows that offers consumers that choice, but defines neither the content of the disclosure nor “do not track.”

Data Breach Notification for Disclosure of Online Account Access Information

The second bill, SB 46, amends California’s data breach notification law (Cal. Civ. Code § 1798 et seq.), adding to the definition of “personal information” certain information that would permit access to an online account, and imposing additional disclosure requirements if a breach involves personal information that would permit access to an online account or email account.  Specifically, the legislation adds to the definition of personal information “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”   A breach of this information, if unencrypted, of any California resident would trigger the state’s data breach notification obligations.

In the case of disclosure of this type of personal information, however, a company will be permitted to notify affected California residents by alternative means.  If the breach involves no other personal information, a company may notify the affected resident in electronic or other form that directs the resident to change his/her password and security question or answer, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts with the same user name or email address and password or security question and answer.

However, if the breach involves the login credentials of an email account furnished by the company, it cannot provide notification to that email address, but may provide notice by:  (1) one of the methods currently permitted under the law for notification of a breach of unencrypted personal information; or (2) by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the company knows the resident customarily accesses the account.


1 Comment

Less Than Satisfied with Self-Regulation? FTC Chair Renews Push for Do Not Track

Edith RamirezFTC Chair Edith Ramirez created some waves in her first speech to the advertising industry this week. Ramirez renewed the call for a universal Do Not Track mechanism—and impliedly ignored the progress of AdChoices, the Digital Advertising Alliance’s opt-out program.  The FTC’s critical stance, along with a renewed initiative in the Senate, signal that the government is unsatisfied with the industry’s progress toward enhanced consumer controls over privacy and may seek a public, rather than private, solution.

“Consumers await a functioning Do Not Track system, which is long overdue,” Ramirez said. “We advocated for a persistent Do Not Track mechanism that allows consumers to stop control of data across all sites, and not just for targeting ads.”

The comments, spoken before the American Advertising Federation at their annual advertising day on Capitol Hill, illustrated a rift between advertisers and regulators over the progress of self-regulatory programs and consumers’ perceptions of online behavioral advertising. Two years ago, the FTC called on advertisers to develop a program that would give consumers a choice to opt out of behaviorally targeted ads. Speaking to AdWeek, Stu Inglis, a partner at Venable who acts as the DAA’s attorney, said of Ramirez’s remarks:  “We have solved it. The DAA’s program covers 100 percent of the advertising ecosystem. We made our agreements.”

The DAA also recently released the results of a poll it commissioned, stating that nearly 70 per cent of consumers responding that they would like at least some ads tailored directly to their interests, and 75 per cent saying that they preferred an ad-supported internet model. (The poll comes with some caveats, described by an AdWeek piece today.)

However, in her speech Ramirez spoke of consumers’ “unease” with online tracking: “An online advertising system that breeds consumer discomfort is not a foundation for sustained growth. More likely, it is an invitation to Congress and other policymakers in the U.S. and abroad to intervene with legislation or regulation and for technical measures by browsers or others to limit tracking,” she said.

Ramirez also urged the advertising community to keep working within the multiparty process led by the W3C  (World Wide Web Consortium) to develop a browser-based Do Not Track program. However, there has been little concrete progress in the talks so far.

The online advertising industry may be running out of time. Senator Jay Rockefeller D-W.Va.), chair of the Senate Commerce Committee, announced that he would hold a hearing next week to discuss legislation that would mandate a Do Not Track standard.  The chairman, along with Sen. Richard Blumenthal (D-CT), introduced the Do Not Track Online Act in February.  The bill would direct the FTC to write regulations governing when internet firms must honor a consumer’s request that their information not be collected, and deputize the FTC and state attorneys general to enforce the rules.

“Industry made a public commitment to honor Do-Not-Track requests from consumers but has not yet followed through,” Rockefeller said of the hearing. “I plan to use this hearing to find out what is holding up the development of voluntary Do-Not-Track standards that should have been adopted at the end of last year.”

If Congress and the FTC agree that the advertising industry hasn’t honored its commitments, the chances for self-regulation without a government mandate may dwindle further.

Sources:

AdWeek:  FTC Chair Stuns Advertisers

The Hill: Sen. Rockefeller to Push for Do Not Track at Hearing


Leave a comment

“Do Not Track” – House Committee Hearings – Dec. 2

The House Commerce Committee’s hearing on the FTC’s proposed "Do Not Track" registry is scheduled for tomorrow, December 2nd. Details, along with a witness list, are on the House Commerce Committee’s website.
According to the announcement, the hearing "will examine the feasibility of establishing a mechanism that provides Internet users a simple and universal method to opt-out from having their online activity tracked by data-gathering firms."  It not clear whether tomorrow’s hearing will address hybrid online/offline tracking. Apple responded in July to a Congressional letter regarding its GPS-based tracking practices, but it is not on the invited witness list.
The concept of a universal “Do Not Track” list traces back to at least 2007, when an alliance of privacy groups proposed a list to the FTC, modeled after the FTC’s successful “Do Not Call” list (See Wall Street Journal Article).