January 14, 2010 | Posted by
In November 2009, the association of German data protection authorities (“Düsseldorfer Kreis”) issued a resolution titled “Data Protection Compliance of Web Analytics Tools for Website Audience Measurement.” This resolution has a clear impact on business and contains many risks. The big question is whether the use of web analytics tools as it is today is still compliant with German data protection.
|
If you are a retailer with brick-and-mortar stores in California and accept credit cards for payment, take note. You may want to take a few simple steps to avoid liability for an increasing number of claims under an old law that has received a lot of recent attention. Plaintiffs have filed several recent class action lawsuits in California against major retailers for alleged violations of California's Song-Beverly Credit Card Act (the "Act"). The Act places certain restrictions on merchants that accept credit cards. In general, the law prohibits or limits a merchant's ability to request and record personal identification information concerning the cardholder. Examples of personal identification information include the cardholder's address and telephone number.
|
The keynote speaker at the ABA Consumer Protection conference in DC on June 18, 2009 was Bureau of Consumer Protection Director Dave Vladeck. He identified as one of his goals "rethinking" the agency's approach to privacy issues. He asked for the audience's "help," meaning the agency will probably convene a town hall meeting this fall to address these issues. We and our clients are all invited to attend. A synopsis of his substantive views follows.
|
In an interview with GovInfoSecurity.com, Joel Winston, associate director of the FTC's Division of Privacy and Identity Protection, commented on current FTC priorities, risks to consumers, and the FTC's Red Flag Rules. Currently, Winston said that the FTC would focus on addressing privacy issues associated with online behavioral advertising and investigating data breaches and the adequacy of data security measures. Winston also identified two major risks to consumers: (1) consumers not protecting their own data and (2) private and government organizations failing to protect consumer data. Finally, Winston discussed the FTC Red Flag Rules, saying that many businesses are still unsure whether the rules apply to them and how to comply with the rules. He noted that the rules are broad and flexible: they apply to any business that extends credit but allow businesses flexibility in taking reasonable measures to protect against identity theft. The full interview is available here.
|
On May 18, 2009, the Interactive Advertising Bureau (IAB) released its best practices for social media advertising. These best practices are intended to aid advertising growth on social networks, while also helping to safeguard consumer privacy. The guidelines recommend opt-in and opt-out policies for the use of profile data in ads and additional user privacy oversight, including the ability of a consumer to preview an ad before his or her profile data is used. The guidelines also establish a common language around social media by defining key terms such as social ad, social graph, interaction data, and profile data. "Industry standards are essential to making social media easy, safe and scalable for advertisers," said Seth Goldstein, CEO of Socialmedia.com and co-chair of the IAB's UGC Social Media Committee, in an IAB press release. According to Forrester Research, social media marketing is projected to increase approximately 60% in 2009 to $716 million.
|
The Department of Justice's May 12, 2009, Report to Congress covers all applications made by the Government during calendar year 2008 for authority to conduct electronic surveillance and physical search for foreign intelligence purposes under FISA, all applications made by the Government during calendar year 2008 for access to certain business records (including the production of tangible things) for foreign intelligence purposes, and certain requests made by the Federal Bureau of Investigation pursuant to national security letter authorities. While the number of wiretaps and searches conducted in 2008 was lower than in 2007, the number of National Security Letters increased.
|
The Federal Trade Commission staff has issued a report, “Beyond Voice: Mapping the Mobile Marketplace.” The report focuses on cost disclosures about mobile services; unwanted mobile text messages, malware, and spyware; and expedited review of the Children’s Online Privacy Protection Rule in view of changes in the mobile marketplace.
http://www.ftc.gov/opa/2009/04/mobilerpt.shtm
|
The 2008 Wiretap Report is out! A total of 1,891 intercepts authorized by federal and state courts were completed in 2008, a decrease of 14 percent compared to the number terminated in 2007. Not surprising given past reports, the vast majority of wiretaps were conducted on cell phones or mobile devices, and the vast majority of wiretaps involved drug investigations. There were two instances reported of encryption encountered during state wiretaps; neither prevented officials from obtaining the plain text of the communications. For more interesting observations on the 2008 Wiretap Report, read the full post.
|
February 28, 2009 | Posted by
On February 12, 2009, the Federal Trade Commission (FTC) issued a staff report titled "Self-Regulatory Principles for Online Behavioral Advertising" (the FTC Staff Report). The following is the second of a three-part series of blogs summarizing guidance contained in the report. The first part describes new FTC guidance on material changes to privacy policies of interest to all Web site operators. The second part, below (click "read more"), analyzes the FTC's expansion of protected information to include non-personally identifiable information, including IP addresses associated with particular computers or devices, at least in the context of certain forms of online behavioral advertising (the practice of tracking an individual's online activities over time to deliver personalized advertising). The third part, to follow, will detail the FTC's general guidance for those engaged in third-party online behavioral advertising.
|
February 18, 2009 | Posted by
On February 12, 2009, the Federal Trade Commission (FTC) issued a staff report titled "Self-Regulatory Principles for Online Behavioral Advertising" (the FTC Staff Report). While the FTC Staff Report primarily focuses on the FTC's revised principles for online behavioral advertising (Principles), described as "guidelines for self-regulation," it also notes that a few Principles are based on existing law potentially applicable to a broad range of Web sites, not just those engaged in behavioral advertising. Most significantly, the report describes as "existing" law a requirement for Web site operators to obtain affirmative express consent to make retroactive material changes to privacy policies. The following is the first of a three-part series of blogs summarizing guidance contained in the report. The first part, in the "read more" details below, describes new FTC guidance on material changes to privacy policies of interest to all Web site operators. The second part analyzes the FTC's expanding definition of personal information. The third part will detail the FTC's general guidance for those engaged in online behavioral advertising.
|
On December 17, 2008, the Federal Trade Commission (FTC) issued a report on the private sector’s use of consumers’ Social Security numbers (SSNs). The purpose of the report is to develop a deeper understanding of the relationship between the SSN and identity theft and explore approaches that will preserve the SSN’s beneficial uses while curtailing its availability and value to identity thieves. To that end, the FTC’s report contains recommendations to make SSNs less available to identity thieves, while at the same time making it more difficult for them to misuse those SSNs they are able to obtain.
|
The Federal Trade Commission announced the release of a new Final Rule regarding the "Definitions and Implementation Under the CAN-SPAM Act" on May 12, 2008, which revises the Code of Federal Regulations implementing rules regarding CAN-SPAM, 16 C.F.R. Part 316. While largely reinforcing its observations in its Notice of Proposed Rulemaking, the Commission adopted a few new interpretations of defined terms, and offered some insight regarding CAN-SPAM implementation. The Commission:
1. Clarified that the definition of "person" includes organizations, commercial and non-profits alike;
2. Addressed scenarios where a single commercial e-mail contains advertisements for the products or services of multiple entities, and clarified who would be the "sender" of such an e-mail;
3. Addressed affiliate marketing schemes, and in certain situations extended CAN-SPAM liability to marketing entities and sellers whose affiliates send unsolicited commercial messages that violate CAN-SPAM;
4. Permitted the use of Post Office boxes and private mail boxes to satisfy the "valid physical postal address" requirement of CAN-SPAM, provided that the boxes are accurately registered pursuant to postal regulations;
5. Reiterated that recipients of commercial e-mail messages may not be charged a fee or any form of consideration to opt-out of future mailings, and should be required to provide no more personal information than their e-mail addresses to exercise their opt-out options;
6. Discussed "forward-to-a-friend" programs, and potential CAN-SPAM liability of a seller that includes such functionality on its Web site.
The Final Rule becomes effective 45 days after its publication in the Federal Register.
|
The Ponemon Institute published a study of 35 data breaches in 2007. The costs of responding to the breaches ranged from $225,000 to almost $35 million, with an average of $6.3 million or $197 per record compromised. In 2006, the average cost per incident was $4.8 million or $182 per record. While the costs related to investigations, notification and services offered to affected individuals decreased, the cost of lost business increased more than 30 percent and now accounts for 65 percent of data breach costs.
|
The Federal Judicial Center recently published a Pocket Guide for Judges on "Managing Discovery of Electronic Information." This 22-page booklet is written for federal judges and contains sections on: Describing Electronically Stored Information ("ESI"), Early Consideration of ESI – Rules 26(f) and 16, ESI and Initial Disclosures, Allocation of Costs, Discovery from Nonparties, Form of Production, Waiver of Privilege or Work-Product Protection, Preservation of ESI, and Spoliation and Sanctions.
|
On November 1-2, 2007, the Federal Trade Commission hosted a two-day conference about privacy and related issues in online behavioral and targeted advertising. The central (but unstated) issue underlying the conference was the continuing debate about the usefulness of online privacy policies as a tool to provide notice to consumers and to obtain their consent for information collection and use.
|
On October 4 - 5, 2007, Conference Co-Chair Kirk Soderquist and speakers Don Karl and Shaalu Mehra will join other leading industry professionals and practitioners discussing content, access and intellectual property issues, recent court decisions, financing, cross-border issues, the growth of casual games, M&A transactions and outsourcing agreements.
|
A recent decision by the United States District Court for the Central District of California in MySpace, Inc. v. Wallace, No. 07-1929 (C.D. Cal. 2007), has paved the way for entities offering interactive messaging on private networks to use the CAN-SPAM Act to combat spam. Messages sent through private networks may qualify as electronic mail messages under the Act even though they are sent over an intranet rather than the public internet. Therefore, social networking websites, chat and video game providers, and web portals who may not consider themselves to be internet service providers because they use private networks, nevertheless may fall within the purview of the CAN-SPAM Act.
|
On August 5, 2007, President Bush signed the "Protect America Act of 2007." The Act amends the Foreign Intelligence Surveillance Act of 1978 such that surveillance directed at a person reasonably believed to be located outside the United States no longer requires a government application to, and order issuing from, the FISA Court. Under the Act, communications can be monitored (i.e., intercepted) in real time or reviewed after receipt and storage, for example, in the case of email. The Act provides procedures for the government to issue directives to providers to provide data or assistance, for the government to seek an order to compel provider compliance from the FISA Court, and for the recipient of a directive to seek relief from the FISA Court from an unlawful or overly burdensome directive. Under the Act, providers receive cost reimbursement and full immunity from civil suits for compliance with any directive.
|
August 6, 2007 | Posted by Contributor
The Ninth Circuit recently held in Douglas v. Talk America Inc., No. 06-75424, 2007 WL 2069542 (9th Cir. July 18, 2007) that the unilateral addition of a mandatory arbitration clause and other amendments to an online contract is invalid absent actual notice to the customer. The Douglas decision calls into question the common practice by ecommerce companies of amending their online terms and policies at will with little in the way of notice other than posting the revised terms or policies and perhaps including a revised effective date on the terms or policies themselves. The concerns are probably overstated, and we review some best practices for your consideration.
|
March 26, 2007 | Posted by Contributor
Kmart Corporation recently agreed to settle Federal Trade Commission charges that Kmart engaged in deceptive practices in advertising and selling its Kmart Gift Cards and Cash Cards. The FTC’s press release, settlement agreement, complaint and related materials are available at the FTC Web site. The FTC alleged that Kmart failed to adequately disclose the terms and conditions that applied to the gift cards – specifically those related to so-called "dormancy fees." Although the consent decree applies only to Kmart, it is significant because it is the first formal action the FTC has taken with respect to gift cards and because it provides a roadmap to the FTC's general thinking about gift card disclosures. It is a vivid reminder that issuers of gift cards must consider federal consumer protection laws, in addition to numerous state gift certificate, consumer protection and unclaimed property laws, as they structure their gift card programs. It also adds to the pressure many states have been placing on gift card issuers to avoid expiration dates, dormancy fees and other service fees.
|
Priceline, Travelocity and Cingular Wireless each contracted with DirectRevenue LLC to deliver ads to consumers. To service its clients (including Priceline, Travelocity and Cingular Wireless), DirectRevenue installed adware on millions of computers. The adware, which was undisclosed to users and difficult to remove, monitored the websites visited by the users and collected the information they typed into web forms. The NY AG filed a lawsuit alleging that DirectRevenue had violated New York consumer protection law, then pursued DirectRevenue's three major advertiser clients.
|
Private networks and equipment, facilities or services that interconnect public or private networks are exempt under the Communications Assistance for Law Enforcement Act or "CALEA." But when private networks are connected to a public network like the Internet, do private network operators have any obligation to make the equipment or facilities that support the connection compliant with CALEA? The question is an important one for businesses that provide Internet access to their employees, state and local networks, and internetworking and infrastructure providers as well as schools, libraries and advanced research networks.
|
October 26, 2006 | Posted by Contributor
On October 4, 2006, the Federal Trade Commission ("FTC") issued a notice in which it proposed two modifications to its Telemarketing Sales Rule ("TSR"). The first of these modifications would require express prior written agreement to send prerecorded telemarketing messages. The second would liberalize the TSR's calculation of "abandonment rate" in telemarketing campaigns using a predictive dialer.
|
In an update dated August 2, 2005, available here, we informed you about legislation in Michigan and Utah that prohibited sending certain types of advertisements to pager and fax numbers, cellular and land line telephone numbers, along with instant messaging identities, email addresses and other electronic "contact points" listed on registries maintained by each state.
|
The Federal Trade Commission ("FTC") has charged seven companies with violating the Controlling the Assault of Non-Solicited Pornography And Marketing ("CAN-SPAM") Act for actions of their marketing affiliates. Under affiliate marketing programs, companies do not e-mail consumers directly, but pay others to send messages on their behalf to drive Internet traffic to Web sites.
|
February 4, 2004 | Posted by Contributor
In Mainstream Marketing Services, Inc. et al. v. FTC et al., the 10th Circuit Court of Appeals has upheld the FTC's DNC list, holding that "the do-not-call registry is a valid commercial speech regulation because it directly advances the government's important interests in safeguarding personal privacy and reducing the danger of telemarketing abuse without burdening an excessive amount of speech."
|