Commentary


January 14, 2010 | Posted by Susan L. Lyon
In November 2009, the association of German data protection authorities (“Düsseldorfer Kreis”) issued a resolution titled “Data Protection Compliance of Web Analytics Tools for Website Audience Measurement.” This resolution has a clear impact on business and contains many risks. The big question is whether the use of web analytics tools as it is today is still compliant with German data protection.
November 18, 2009 | Posted by Susan L. Lyon
If you are a retailer with brick-and-mortar stores in California and accept credit cards for payment, take note.  You may want to take a few simple steps to avoid liability for an increasing number of claims under an old law that has received a lot of recent attention.  Plaintiffs have filed several recent class action lawsuits in California against major retailers for alleged violations of California's Song-Beverly Credit Card Act (the "Act").  The Act places certain restrictions on merchants that accept credit cards.  In general, the law prohibits or limits a merchant's ability to request and record personal identification information concerning the cardholder.  Examples of personal identification information include the cardholder's address and telephone number.
July 1, 2009 | Posted by John K. Roche
On June 12, 2009 the Article 29 Data Protection Working Party adopted an opinion regarding its expectations for operators, application providers and users of social networking services – including those based outside the EU – to meet the requirements of EU data protection law.  See WP 163, “Opinion 5/2009 on online social networking.”
June 19, 2009 | Posted by Barry J. Reingold
The keynote speaker at the ABA Consumer Protection conference in DC on June 18, 2009 was Bureau of Consumer Protection Director Dave Vladeck. He identified as one of his goals "rethinking" the agency's approach to privacy issues. He asked for the audience's "help," meaning the agency will probably convene a town hall meeting this fall to address these issues. We and our clients are all invited to attend. A synopsis of his substantive views follows.
June 10, 2009 | Posted by Susan L. Lyon
Nevada has amended its data security law to require businesses that transfer personal information on hardware or mobile storage devices outside the "logical and physical controls of the data collector or its data storage contractor" to encrypt the information. Previously, Nevada's law only required encryption for non-fax electronic transmissions of personal information. The amended law also includes a technical standard for encryption, requires businesses that accept credit or debit cards to meet the payment card industry data security standards (PCI DSS), and contains an immunity provision. The law, S.B. 227, will go into effect on January 1, 2010.
June 10, 2009 | Posted by Susan L. Lyon
In an interview with GovInfoSecurity.com, Joel Winston, associate director of the FTC's Division of Privacy and Identity Protection, commented on current FTC priorities, risks to consumers, and the FTC's Red Flag Rules. Currently, Winston said that the FTC would focus on addressing privacy issues associated with online behavioral advertising and investigating data breaches and the adequacy of data security measures. Winston also identified two major risks to consumers: (1) consumers not protecting their own data and (2) private and government organizations failing to protect consumer data. Finally, Winston discussed the FTC Red Flag Rules, saying that many businesses are still unsure whether the rules apply to them and how to comply with the rules. He noted that the rules are broad and flexible: they apply to any business that extends credit but allow businesses flexibility in taking reasonable measures to protect against identity theft. The full interview is available here.
June 4, 2009 | Posted by Thomas C. Bell
On May 18, 2009, the Interactive Advertising Bureau (IAB) released its best practices for social media advertising.  These best practices are intended to aid advertising growth on social networks, while also helping to safeguard consumer privacy.  The guidelines recommend opt-in and opt-out policies for the use of profile data in ads and additional user privacy oversight, including the ability of a consumer to preview an ad before his or her profile data is used.  The guidelines also establish a common language around social media by defining key terms such as social ad, social graph, interaction data, and profile data.  "Industry standards are essential to making social media easy, safe and scalable for advertisers," said Seth Goldstein, CEO of Socialmedia.com and co-chair of the IAB's UGC Social Media Committee in an IAB press release.  According to Forrester Research, social media marketing is projected to increase approximately 60% in 2009 to $716 million.
May 28, 2009 | Posted by Susan L. Lyon
A commentary titled Privacy Challenges to Smart Grid by Perkins Coie Of Counsel Susan Lyon has been published in Sustainable Industries magazine.  The article describes potential privacy concerns posed by developing smart grid energy systems and smart meters that collect energy-use data and by emerging smart appliances with the ability to transmit information across the Internet.
May 18, 2009 | Posted by Albert Gidari, Jr.
The Department of Justice's May 12, 2009, Report to Congress covers all applications made by the Government during calendar year 2008 for authority to conduct electronic surveillance and physical search for foreign intelligence purposes under FISA, all applications made by the Government during calendar year 2008 for access to certain business records (including the production of tangible things) for foreign intelligence purposes, and certain requests made by the Federal Bureau of Investigation pursuant to national security letter authorities.  While the number of wiretaps and searches conducted in 2008 was lower than in 2007, the number of National Security Letters increased.
May 11, 2009 | Posted by Editor
In big and small screen thrillers, law enforcement is able to track you via your cell phone signal in seconds flat. But how real is that capability and what privacy safeguards are in place when everyone’s got a cell phone? In an interview featured on the NPR program On The Media, Perkins Coie Privacy Partner Al Gidari explains how your cell phone signal may know you better than you know yourself.
May 6, 2009 | Posted by Susan L. Lyon

The Federal Trade Commission has issued a prepared statement on “Legislative Hearing on H.R. 2221, the Data Accountability and Protection Act, and H.R. 1319, the Informed P2P User Act” Before the Committee on Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection.

http://www.ftc.gov/os/2009/05/P064504peertopeertestimony.pdf

May 6, 2009 | Posted by Susan L. Lyon

The Federal Trade Commission staff has issued a report, “Beyond Voice: Mapping the Mobile Marketplace.”  The report focuses on cost disclosures about mobile services; unwanted mobile text messages, malware, and spyware; and expedited review of the Children’s Online Privacy Protection Rule in view of changes in the mobile marketplace.

http://www.ftc.gov/opa/2009/04/mobilerpt.shtm

May 1, 2009 | Posted by Albert Gidari, Jr.
The 2008 Wiretap Report is out!  A total of 1,891 intercepts authorized by federal and state courts were completed in 2008, a decrease of 14 percent compared to the number terminated in 2007. Not surprising given past reports, the vast majority of wiretaps were conducted on cell phones or mobile devices, and the vast majority of wiretaps involved drug investigations.  There were two instances reported of encryption encountered during state wiretaps; neither prevented officials from obtaining the plain text of the communications.  For more interesting observations on the 2008 Wiretap Report, read the full post.
April 28, 2009 | Posted by Ryan T. Mrazik
Computerworld, a leading source of technology news and information, has identified Perkins Coie's Privacy and Security Updates as an excellent, free source of succinct analysis on privacy and security developments. The article also identified numerous other free and fee-based sources of information for privacy professionals.
February 18, 2009 | Posted by Susan L. Lyon
On February 12, 2009, the Federal Trade Commission (FTC) issued a staff report titled "Self-Regulatory Principles for Online Behavioral Advertising" (the FTC Staff Report). While the FTC Staff Report primarily focuses on the FTC's revised principles for online behavioral advertising (Principles), described as "guidelines for self-regulation," it also notes that a few Principles are based on existing law potentially applicable to a broad range of Web sites, not just those engaged in behavioral advertising. Most significantly, the report describes as "existing" law a requirement for Web site operators to obtain affirmative express consent to make retroactive material changes to privacy policies.  The following is the first of a three-part series of blogs summarizing guidance contained in the report. The first part, in "read more" details below, describes new FTC guidance on material changes to privacy policies of interest to all Web site operators.  The second part analyzes the FTC's expanding definition of personal information.  The third part will detail the FTC's general guidance for those engaged in online behavioral advertising.
February 17, 2009 | Posted by Joseph P. Cutler
The Article 29 Working Party adopted its "Working Document 1/2009 on pre-trial discovery for cross border civil litigation" on February 11, 2009.  The document is the first attempt by the Working Party to address the numerous issues associated with conducting discovery between EU and non-EU countries.
February 15, 2009 | Posted by Contributor
UK -- The Information Commissioner's Office recently published a technical guide designed to assist organizations with complying with the Data Protection Act of 1998 ("DPA").
February 9, 2009 | Posted by Miriam D. D'Jaen
Breaches of personally identifiable information (PII) by governmental agencies have increased dramatically in recent years.  In response to this security threat, the National Institute of Standards and Technology (NIST) has issued draft guidelines, entitled "Guide to Protecting the Confidentiality of Personally Identifiable Information" (SP 800-122), which set forth standards for identifying PII and protecting its confidentiality.  While SP 800-122 is primarily designed to help U.S. federal agencies, businesses may find some of these recommendations useful as well.
December 23, 2008 | Posted by John K. Roche
On December 17, 2008, the Federal Trade Commission (FTC) issued a report on the private sector’s use of consumers’ Social Security numbers (SSNs).  The purpose of the report is to develop a deeper understanding of the relationship between the SSN and identity theft and explore approaches that will preserve the SSN’s beneficial uses while curtailing its availability and value to identity thieves.  To that end, the FTC’s report contains recommendations to make SSNs less available to identity thieves, while at the same time making it more difficult for them to misuse those SSNs they are able to obtain.
December 16, 2008 | Posted by Susan L. Lyon
On December 11, 2008, the Federal Trade Commission issued a press release describing a one million dollar settlement with Sony BMG Music Entertainment over charges that it violated the Children's Online Privacy Protection Act (COPPA). The FTC based its charges, at least in part, on date of birth and other information collected on general audience sites not directed at children. The settlement matches the largest penalty ever assessed by the FTC for a COPPA violation in its action against Xanga.com.
November 11, 2008 | Posted by Miriam D. D'Jaen
On September 4, 2008, the Ninth Circuit reinstated part of the California Financial Information Privacy Act ("SB1"), Cal. Fin. Code §§ 4050-4060, allowing consumers to opt-out of certain information-sharing activities between financial institutions and their affiliates. American Bankers Ass'n. v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008). This decision overturns the court's 2005 ruling, in which the Ninth Circuit held that the federal Fair Credit Reporting Act ("FCRA") preempts SB1 with respect to affiliate sharing of "consumer report information." American Bankers Ass'n v. Gould, 412 F.3d 1081 (9th Cir. 2005). The new decision preserves consumers' rights under California law to restrict affiliate data-sharing related to non-consumer report information.
November 3, 2008 | Posted by Miriam D. D'Jaen
Last week, Microsoft, Google and Yahoo!, alongside a diverse coalition of leading human rights organizations, academics, investors and technology leaders, announced the launch of the Global Network Initiative. The Initiative's participants view this as a significant step forward in the effort to protect and advance technology users' freedom of expression and privacy rights.
October 9, 2008 | Posted by Susan L. Lyon

The Federal Trade Commission is holding a half-day public workshop November 13th at Southern Methodist University (SMU) Dedman School of Law in Dallas.  The workshop will feature government officials, industry experts, attorneys and privacy officers presenting on ways businesses can better secure personal information and protect the privacy of consumers and employees.

Information about the workshop including registration can be found here:  http://www.ftc.gov/bcp/workshops/infosecurity/index.shtml

June 27, 2008 | Posted by Joseph P. Cutler
The New York Times reported today that diplomats from the EU and the US may be nearing agreement on a "binding international agreement" to enable law enforcement and security agencies to obtain and process personal data from the EU without the restrictions that are currently placed on the onward transfer of personal data from the EU to the US.  Will this agreement eliminate the frustrating compliance hurdles for private companies doing business in the EU?
June 24, 2008 | Posted by Joseph P. Cutler
Regulators in the United States and the European Union take very different approaches to the nature of IP addresses in data protection law. The United States' regulatory system does not generally treat IP addresses as personal data. The European Union-level administrative position, however, is that IP addresses constitute personal data when they can be linked to an individual user.
May 5, 2008 | Posted by Albert Gidari, Jr.
The Administrator of U.S. Courts has released the 2007 Wiretap Report, and the number of wiretaps is up 20% over 2006.  But the real story is that the increase was fueled by state wiretaps; federal wiretaps actually decreased.  The Wiretap Report is published each year, and it never fails to disappoint.  Read the full post for the details....
March 29, 2008 | Posted by

In two unrelated Federal Trade Commission actions, discount retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.

The FTC settlements now follow a familiar pattern, but the consent decrees are always worth reading to understand the failures beyond the obvious loss of data that warranted FTC attention.

March 10, 2008 | Posted by Albert Gidari, Jr.
Over the last few months, there has been much discussion about reported cases where the Transportation Safety Administration has seized laptops and cell phones of travelers entering or returning to the United States and reviewed or copied the contents.  These border searches are disturbing both from a privacy and protection of intellectual property perspective, but in fact, are lawful.  The only question is the appropriate legal standard to be applied when conducting the search.  A new Congressional Research Service report explains the standards currently being applied by the courts, and a group of privacy advocates have sued for more information about TSA policies.  What should companies and their mobile employees do in the face of this risk?
November 26, 2007 | Posted by Barry J. Reingold
On November 1-2, 2007, the Federal Trade Commission hosted a two-day conference about privacy and related issues in online behavioral and targeted advertising. The central (but unstated) issue underlying the conference was the continuing debate about the usefulness of online privacy policies as a tool to provide notice to consumers and to obtain their consent for information collection and use.
November 23, 2007 | Posted by Editor
Albert Gidari was quoted in an article on page 1 of the Washington Post, titled Cellphone Tracking Powers on Request: Secret Warrants Granted Without Probable Cause by Ellen Nakashima.  The article discusses tracking cell phone users on less than a showing of probable cause.  It can be found at this link: http://www.washingtonpost.com/wp-dyn/content/article/2007/11/22/AR2007112201444.html
November 2, 2007 | Posted by Editor
Perkins Coie Partner Albert Gidari was quoted today on Page A06 of the  Washington Post regarding proposed amendments to the Foreign Intelligence Surveillance Act or "FISA."  The article is titled Librarians Say Surveillance Bills Lack Adequate Oversight. Link to it here:  http://www.washingtonpost.com/wp-dyn/content/article/2007/11/01/AR2007110102233.html?hpid=moreheadlines
October 29, 2007 | Posted by John K. Roche
Recent regulatory activity by some state attorneys general suggests that social networking sites are being held to a high standard when it comes to protecting their users from online predators, harassment and obscene content.
October 24, 2007 | Posted by Contributor
The U.S. Department of Commerce hosted a conference entitled “Conference on Cross Border Data Flows, Data Protection, and Privacy” in Washington, DC on October 15 and 16. The conference, sponsored by the U.S. Department of Commerce and the Article 29 Working Party in Europe, held at the conference center of the Federal Trade Commission, was designed to continue the international discussion on the E.U. Safe Harbor Framework, data protection, and the importance of cross border data flows to international trade.
October 13, 2007 | Posted by Jason T. Kuzma
On October 12, 2007, California Governor Arnold Schwarzenegger vetoed Assembly Bill 779, which would have required retailers that suffered a breach of the security of their systems to reimburse issuing banks the reasonable and actual costs of providing notice to consumers and reissuing the credit cards, debit cards, or other payment devices to such consumers.
August 18, 2007 | Posted by Al Gidari
The Office of the Privacy Commissioner of Canada has published guidance for organizations for notifying customers when a privacy breach occurs. A privacy breach is the result of an unauthorized access to or collection, use or disclosure of personal information in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA) or similar provincial privacy legislation. The guidance is just that, guidance, and neither PIPEDA nor any other law in Canada currently requires notice for a breach. However, it is expected that the guidance will serve as the basis for amending PIPEDA in the near future. The Commission also published a checklist for organizations to use in evaluating the need to provide notice. The checklist is a handy outline of considerations for dealing with security breaches.
August 11, 2007 | Posted by Contributor
On September 17-18, 2007, Al Gidari will join attorneys, security and compliance professionals, and executives and managers serving information technology-dependent organizations in Seattle, Washington to compare experiences and information, and develop new strategies for addressing complex legal obligations and risks. Microsoft Corporation and the University of Washington's Computer Science and Engineering Department have joined the Center for Information Assurance and Cybersecurity, the Shidler Center for Law, Commerce and Technology, and others in sponsoring the event. For registration, see: http://www.infosec-institute.org/
August 9, 2007 | Posted by Contributor
Two recent data disposal cases serve as a fresh reminder to businesses of the need to ensure that proper destruction protocols are in place as part of an overarching cradle-to-grave data protection program. Effective data protection programs must sufficiently address not only the initial collection, use and disclosure of personal information but also effective procedures to properly store or dispose of personal information once it is no longer needed.
August 8, 2007 | Posted by Joseph Cutler

The FTC appears to have taken an interest in exploring potential regulation of how businesses in the private sector use Social Security numbers (SSNs). In tandem with the President's recently formed Identity Theft Task Force, the FTC recently requested public comment regarding the extent and purpose of current SSN use in the private sector, the role of SSNs in identity theft, and whether there are feasible alternatives to using SSNs in the normal course of business.

Companies that rely on SSNs to conduct business should consider submitting comments to the FTC. Comments are due September 5th, 2007.
July 28, 2007 | Posted by Al Gidari
Could someone hijack the wiretapping software installed in a carrier's network and put the intercept capabilities to their own nefarious use?  That is apparently what happened in Greece to the wireless service provider Vodafone Greece. And the targets of the taps?  The Greek Prime Minister, mayor of Athens and even an employee of the U.S. Embassy in Greece. If it wasn't true, it would make a great Tom Clancy novel.
July 18, 2007 | Posted by Al Gidari
Pursuant to a court order, the FBI remotely installed spyware to identify a bomb threat suspect. The FBI installed a Computer and Internet Protocol Address Verifier, or CIPAV, on the suspect's MySpace account. The spyware yielded the IP address assigned to the suspect's computer and a log of the computer's outbound connections.
July 5, 2005 | Posted by Contributor
According to the Federal Trade Commission (FTC), a company that fails to provide adequate security for customer credit card and personal information is engaging in an unfair practice in violation of Section 5 of the FTC Act. On June 16, 2005, the FTC settled just such a case against BJ's Wholesale Club, Inc., a large warehouse store operator.