St. Ledger-Roty & Olson LLP

PRIVACY & INFORMATION LAW UPDATE
August 2012
A bimonthly update of trends and developments in privacy law & policy

Karen Neuman, Editor

  • You are receiving this publication because of your interest in privacy and data security. It is for informational including advertising purposes only and not a substitute for legal advice.

In this Issue:
FTC Delays Adopting New COPPA Rule; Issues Notice of Supplemental Rulemaking
Contentious Start to NTIA Multistakeholder Process
California Attorney General Creates Privacy Enforcement and Protection Unit
FTC Files Data Breach Action Against Wyndham Corporation
Delaware Adopts Student Social Media Privacy Law Signaling Emerging Risk for Educational Institutions
Spokeo Settles with Federal Trade Commission over FCRA and FTC Act Charges
New Jersey Settles COPPA Action Filed against Kids' Education Apps

INTERNATIONAL PRIVACY NOTES:
U.S. Approved to Participate in APEC's Cross Border Privacy Rules System
Article 29 Working Group Issues Opinion on Cookie Consent Exemption

UPDATES:
Federal Court Rules in Favor of Retrospective Application of California Zip Code Privacy Case
Mobile Tracking Lawsuit Against Apple Allowed to Go Forward

NEWS & ANNOUNCEMENTS:
Ari Moskowitz Earns CIPP/US Certification

INTERNATIONAL PRIVACY NOTES

Article 29 Working Group Issues Opinion on Cookie Consent Exemption

In June 2012 the European Union Article 29 Working Party issued an opinion explaining certain exemptions to the prior consent requirements in Article 5.3 of the e-Privacy Directive, as revised in 2009 (Cookie Directive). The Cookie Directive requires that prior consent be obtained before a cookie can be deposited on a user’s computer. The opinion explains that this requirement should be seen as applying to “all types of information stored or accessed in the user’s terminal device although the majority of discussion has centred on the usage of cookies.”

UPDATES

Federal Court Rules in Favor of Retrospective Application of California Zip Code Privacy Case

On June 25, 2012, the U.S. District Court for the Northern District of California ruled in Dardarian v. Officemax North America that a state Supreme Court case, Pineda v. Williams-Sonoma Stores, Inc., applies retrospectively. As we previously reported, the California Supreme Court ruled in Pineda that zip codes are personal information under California’s Song-Beverly Credit Card Act of 1971 (Song-Beverly). The Court further ruled that requesting and recording zip code information violated Song-Beverly.

Mobile Tracking Lawsuit Against Apple Allowed to Go Forward

We previously reported that In re iPhone Application Litigation was dismissed with leave to amend on the grounds that the plaintiffs did not allege an injury to themselves and so failed to establish standing under Article III of the Constitution.

NEWS & ANNOUNCEMENTS

Ari Moskowitz Earns CIPP/US Certification

SLRNO is pleased to congratulate our Associate Ari Moskowitz on becoming a Certified Information Privacy Professional in U.S. Privacy law (CIPP/US). Ari earned his CIPP credential from the International Association of Privacy Professionals. Ari’s achievement enhances SLRNO’s ability to provide highly specialized legal and strategic assistance to businesses in all stages of development, whether early stage or established companies. Ari can be contacted at amoskowitz@stlro.com.


FTC Delays Adopting New COPPA Rule; Issues Notice of Supplemental Rulemaking
By Karen Neuman
     Ari Moskowitz

The FTC has delayed adopting an updated rule implementing the Children’s Online Privacy Protection Act (COPPA). Instead, on August 1, 2012, it issued a Notice of Supplemental Rulemaking & Request for Comment (Supplemental Notice) proposing modifications to the proposed rule published almost a year ago. The modifications were based on comments that raised concerns about definitions of key terms in the proposed rule, including “Operator”, “website or online services directed to children”, “screen” and “usernames”, “personal information”, and “support for internal operations”. The modifications reflect complex challenges that have confronted the FTC in its initiative to update the COPPA rule as children’s online sites and services rapidly integrate a variety of new technologies into their products. Comments are due September 10, 2012.

The Supplemental Notice proposes the following definitions:

  1. Operator. The definition would be expanded to include third parties that provide content, functionality and/or ad revenue, such as social plug-ins and ad networks, and whose services are integrated with children’s websites and services. Under the new definition, first party operators of children’s websites would be held liable for the COPPA violations of third parties whose services are integrated into their website if those services collect or maintain personal information on behalf of an operator. Information is collected on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of the operator. In addition, other modifications to the proposed rules would mean that third parties that know or have reason to know that they collect personal information through child-directed websites and services, would be considered “co-operators” and independently responsible for those sites’ and services’ COPPA compliance.
  2. Website or Online Service Directed to Children. The FTC revises the definition to clarify how the COPPA rule applies to “mixed use” sites – those that are directed to children and a broader audience, including parents. To avoid treating all users as children under 13, the revision contemplates requiring age screening by mixed use sites to enable providing COPPA protections only to users under 13. Websites that self-identify or are likely to be seen as child-targeted, or whose users are predominantly under 13 must treat all users as under 13 to comply with COPPA.
  3. Screen Names/single sign on. Last year the FTC proposed to include screen or user names in the definition of personal information if used for any function other than supporting internal operations. The FTC received comments arguing that such an approach would undermine the practice of using screen names in place of personal information for sign in across platforms, authentication and similar functions. The FTC agreed and clarified that screen or usernames will be subject to notice and consent requirements only if they function as online contact information. The FTC’s discussion of screen/user names seems to affirmatively endorse the utility and data minimization effects of single sign on.
  4. Definition of Personal Information & Permissible Uses of Persistent Identifiers. The use of persistent identifiers to identify users over time and across different sites and services (and contact them for behavioral advertising) must be COPPA compliant. The definition of personal information in last year’s proposed rule included persistent identifiers -- such as a user number held in a cookie, an IP address, or unique device identifier -- when used for functions other than support for a site’s internal operations. This approach was perceived as limiting important functionalities. The FTC’s discussion in the Supplemental Notice clarifies that an operator can only identify users over time or across websites for certain enumerated activities, such as authentication, maintaining user preferences and functions such as site maintenance and analysis. Persistent identifiers that are used to identify and contact users for behavioral advertising must comply with COPPA’s notice and consent requirements.

The Supplemental Notice & Request for Comment presents an important opportunity for businesses to educate the FTC about how to protect children’s privacy as new and emerging technologies continue to be integrated by children’s online sites and services. This is especially the case for newer companies or organizations that may not have been in a position to comment when the initial rule was proposed last September. The accelerated rollout of apps and devices, and the launch of child directed websites, social media, interactive games and learning destinations underscores the need for a carefully tailored rule that achieves the goals of COPPA without imposing undue compliance burdens, particularly for early stage businesses. Companies that are subject to COPPA, or that will be under the new rule, should consider taking advantage of this opportunity.


Contentious Start to NTIA Multistakeholder Process
By Karen Neuman

On July 12, 2012, the National Telecommunications and Information Administration (NTIA) convened the anticipated first meeting of the U.S. Department of Commerce’s “multistakeholder” process to develop industry self-regulatory codes to protect consumer privacy. The meeting was intended to focus on mobile application privacy, including how to improve transparency. However, NTIA officials found themselves defending the process, which included asking participants to identify and vote on substantive priorities. A number of participants criticized the approach and questioned whether it could promote the creation of meaningful privacy codes. It was unclear how comments previously submitted by stakeholders would be incorporated into the development of the codes. Officials emphasized their roles as facilitators of a process intended to establish collaborative dialogue that will result in adoption of industry privacy codes.

Transparency was identified as a chief priority, one on which NTIA officials stated consensus could be easily reached. Related discussion included the need to catalog personal data collection and use practices by apps for core (as opposed to secondary) purposes, and the importance of providing contextual consumer notifications, as a means for promoting transparency.

NTIA officials attempted to regain control of the conversation by emphasizing that the meeting and its topic should be seen as a starting point that the agency hopes will result in effective privacy policymaking. The meeting ended with an announcement that a second meeting would be convened on an unspecified date in August. In the interim, stakeholders were encouraged to hold meetings among themselves in order to move the ball forward.

On August 3, NTIA published a report by John Verdi, Director of Privacy Initiatives and the meeting’s principal facilitator, in which Verdi announced the agency’s intent to convene two meetings this month, one on August 22, and another on August 29. Verdi also indicated that some participants have established a public mailing list for discussion.


California Attorney General Creates Privacy Enforcement and Protection Unit
By Ari Moskowitz

California, whose Constitution guarantees its citizens a right to privacy, recently created a Privacy Enforcement and Protection Unit as part of the eCrime Unit in the state’s Department of Justice. California Attorney General Kamala Harris announced that this unit will be tasked with civil prosecution of State and Federal privacy laws as well as educating the public about its privacy rights and the responsibility for making informed decisions about disclosing and protecting personal data. The unit “will enforce laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.”1 The unit will be staffed by 6 prosecutors.

California is frequently at the forefront of privacy regulation and its new privacy unit should be seen, at a minimum, as an effort to align the state’s regulatory and enforcement activities. Other states can be expected to follow suit. In addition to being one of the first states to guarantee an inalienable right to privacy in its constitution,2 California was the first state to enact a data breach notification law. California is also a leader in considering the privacy implications of smart grid technology, passing a law protecting certain information gleaned from smart meters in 2010. Even before passage of that law, though, the California Public Utilities Commission had begun the process of considering rules to protect Smart Grid information, ultimately adopting regulations in 2011.

The state’s leadership on privacy issues also extends to its state and federal courts. For example, the federal courts in California have ruled on important cases involving social media privacy and workplace privacy, as well as hearing numerous class action lawsuits arising under both federal and California privacy laws. The state courts in California have likewise taken an active role in enforcing and interpreting privacy laws. Last year the Supreme Court of California ruled that zip codes are “personal identification information” and their collection during credit card transactions could subject retailers to fines under California’s Song-Beverly Credit Card Act of 1971. (The state subsequently enacted the California Business Protection Act of 2011 which carved out an exemption from Song-Beverly for gas stations that collect customer zip codes).

The creation of this unit comes on the heels of the Attorney General’s February announcement that platform providers including Apple, Microsoft, and Google agreed to a Joint Statement of Principles to protect consumer privacy in apps. This enforcement unit will be responsible for policing that agreement and developing best practices with those signing on to the agreement. It also occurs as state Attorneys General are paying close attention to digital privacy. For example, in June the National Association of Attorneys General announced a national initiative, “Privacy in the Digital Age.” Last month, New Jersey’s Attorney General settled an enforcement action against several app developers for COPPA violations.

The creation of this unit is a clear indication that the California attorney general intends to step up privacy enforcement. Businesses that collect, use, share and retain consumer data should undertake a comprehensive review of their privacy and data security practices for compliance with applicable California law.


1 Press release, Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit, State of California, Office of the Attorney General (July 19, 2012).
2 Privacy Protections in State Constitutions, National Conference of State Legislatures, http://www.ncsl.org/issues-research/telecom/privacy-protections-in-state-constitutions.aspx (though ten states recognize a constitutional right to privacy, only Alaska has a similarly unequivocal statement in its constitution as California).


FTC Files Data Breach Action against Wyndham Corporation
By Karen Neuman

On June 27, 2012 the Federal Trade Commission (FTC) announced that it sued Wyndham Worldwide Corporation, and three subsidiaries, for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. The Complaint was filed in federal district court in Arizona. The FTC seeks injunctive relief to prevent future breaches and fines. Businesses should implement and update robust security practices, and review privacy policies to ensure that relevant promises are aligned with those practices. In addition, businesses should adopt strong incident response procedures, including processes for notifying consumers and authorities of a data breach, in order to mitigate harm and minimize the potential for future incidents.

The Complaint alleges that Wyndham’s privacy policy misrepresented measures implemented by the company and its subsidiaries to protect customer data. According to the FTC, Wyndham’s repeated security failures exposed consumers’ personal data to unauthorized access. These failures included neglecting to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network, the agency alleged. In addition, the defendants are alleged to have allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text.

The first breach occurred in April 2008, when intruders gained access to a Phoenix, Arizona Wyndham-branded hotel's local computer network that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts. The intruders were then able to access the corporate network of Wyndham’s Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels. This access enabled the intruders to:

  • install “memory-scraping” malware on numerous Wyndham-branded hotels' property management system servers; and
  • access files on Wyndham-branded hotels’ property management system servers that contained payment card account information for large numbers of consumers, which was improperly stored in clear readable text.

As a result, more than 500,000 payment card accounts were compromised, and hundreds of thousands of consumers’ payment card account numbers were exported to a domain registered in Russia.

Wyndham’s systems were breached twice more in 2009 when intruders employed measures that were similar to the earlier breaches. During these breaches 119,000 payment card accounts were accessed and intruders made fraudulent purchases on those accounts.

This action amplifies the FTC’s broad intent -- embodied in several recent high-profile enforcement actions -- to enforce privacy policy promises and protect consumer information. Accordingly, its potential impact extends well beyond the hospitality industry to all businesses that collect and store consumer data and are subject to FTC jurisdiction.


Delaware Adopts Student Social Media Privacy Law Signaling Emerging Risk for Educational Institutions
By Karen Neuman

On July 20, 2012, the Governor of Delaware signed into law a measure that prohibits colleges and universities from requesting or requiring a student to disclose a password or other account information in order to gain access to the student’s social networking profile or account by way of an electronic communication device. It is the first state to enact such a law. Specifically, educational institutions are prohibited from:

  • Requesting or requiring a student to log onto a social networking site, email account, or any other internet site or application, by way of an electronic communication device in the presence of an agent of the institution so as to provide the institution access.
  • Monitoring or tracking a student’s personal electronic communication device by installing a software application upon the device, or by remotely tracking the device, by using intercept technology.
  • Accessing a student’s social networking site profile or account indirectly through any other person who is a social networking contact of the student.

The law shields school officials in instances where otherwise prohibited access to student social media information is undertaken for the safety and protection of other students. California and Maryland have considered similar measures that would prohibit educational institutions from requiring or requesting access to password protected social media content or account information.

The current focus on social media privacy by lawmakers should alert educational institutions (and, as we reported previously, employers) to an issue that will require familiarity with an emerging area of law resulting from the ubiquity of social media. Schools should cease requesting access to student or applicant password protected content in jurisdictions that have prohibited the practice (currently Delaware) or where similar legislation is pending. Accessing publicly available content would not violate such laws; however, accessing such content could impose unforeseen liability. Educational institutions should develop, review and update comprehensive social media policies that address student social media privacy, and provide proper employee training to ensure compliance.


Spokeo Settles with Federal Trade Commission over FCRA and FTC Act Charges
By Ari Moskowitz

On June 12, 2012 the Federal Trade Commission (FTC) announced a settlement with Spokeo, Inc. over charges that it violated the Fair Credit Reporting Act (FCRA) and Section 5 of the Federal Trade Commission Act by marketing and selling consumer profiles to the human resources, background screening, and recruiting industries without protecting those individuals as required under the FCRA. This is the first case in which the FTC tackled the sale of social media data in the context of employment screening. It signals the FTC’s interest in enforcing FCRA compliance for companies that impermissibly amass and sell consumer data.

The FTC described Spokeo’s business as assembling consumer profiles and then selling the profiles to human resources professionals and recruiters for use in employment considerations. The profiles were culled from information found in "hundreds of online and offline sources, such as social networking sites, data brokers, and other sources.” In the profiles, Spokeo identified specific individuals and disclosed their personal information including “physical address, phone number, marital status, age range, or email address… hobbies, ethnicity, religion, []participation on social networking sites, and may [have included] photos or other information, such as economic health graphics.” Spokeo then marketed to and sold recruiters access to the profiles, highlighting the profiles’ utility for “Explor[ing] Beyond the Resume.”

Though Spokeo changed its terms of service in 2010 to claim that it was not a consumer reporting agency and to prohibit use of its profiles for FCRA-covered purposes, the FTC alleged that the profiles created by Spokeo and Spokeo’s assembling and sale of those profiles to recruiters fit the FCRA’s respective definitions of “consumer reports” and “consumer reporting agencies”. The FCRA violations that the FTC alleged included failure to maintain reasonable procedures for (1) certifying that their customers only used the profiles for “permissible purposes” and (2) assuring maximum possible accuracy of the information. The FTC also alleged that Spokeo failed to provide certain notices required under the FCRA.

Each of the violations of the FCRA was also charged as a violation of the FTC Act’s ban on unfair or deceptive acts or practices, as was an additional charge of violating the agency’s Endorsement Guides by faking endorsements of their products. Specifically, the complaint lays out a scheme in which Spokeo employees pretended to be independent consumers or customers and posted comments endorsing Spokeo’s products on news and technology websites and blogs.

As part of the settlement, Spokeo agreed to pay an $800,000 civil penalty. The settlement also requires that Spokeo abide by the FCRA in the future as well as disclose any relationships it has with those endorsing its products. And, like the privacy settlements that the FTC has engineered over the last several years, under the terms of the settlement Spokeo is subject to rigorous recordkeeping and reporting requirements for 20 years.


New Jersey Settles COPPA Action Filed against Kids' Education Apps
By Karen Neuman

On June 26, 2012, New Jersey settled an action brought against a California education mobile app developer and several app companies for alleged violations of the Children’s Online Privacy Protection Act (COPPA) rule. The New Jersey Attorney General and state Division of Consumer Affairs had announced earlier in June that it filed a federal lawsuit charging the defendants with collecting personal information from children and transmitting it to a data analytics firm in violation of the COPPA rule. COPPA authorizes State attorneys general to bring COPPA enforcement actions on behalf of their citizens, and until yesterday, Texas was the only state to do so.

The lawsuit, Jeffrey S. Chiesa v. 24x7 Digital, LLC, was filed against the developer and the operator of the educational “TeachMe” series of apps for the iPhone, iPad and iPod Touch. The series includes “TeachMe: Toddler,” “TeachMe: Kindergarten,” “TeachMe: 1st Grade,” and “TeachMe: 2nd Grade,” educational games targeted to children of those age groups.

The initiation of this action against an out-of-state corporation occurs as state legislatures and federal policymakers are taking aggressive measures to protect children’s mobile (and online) privacy. (Publication of the FTC’s updated COPPA rule was delayed by the agency’s request for supplemental comment on revisions to the proposed rule.) Operators of children’s online games, apps and developers that are subject to the COPPA rule should review their data collection, retention and use practices and policies for COPPA compliance and for compliance with other applicable laws. This lawsuit should be seen as an important reminder to monitor all COPPA enforcement actions, including those that are brought by state authorities.

The Complaint alleged that children using the “TeachMe” apps are encouraged to provide information that includes their first and last names and a picture of themselves when creating player profiles. The Complaint further alleges that this information was used to “entice” children “to want to purchase a range of products.” According to the Complaint, the apps transmit personal information, including the unique device identifier (UDID) that identifies the specific mobile device a player is using, to the analytics company without first providing required notice and obtaining verifiable parental consent.

The Complaint sought injunctive relief to prevent future violations of the COPPA rule, including an order that the defendants permanently destroy all information collected from children in violation of COPPA. Under the terms of the Consent Decree, 24x7 Digital agreed to:

  • Stop collecting, using, and disclosing children’s personal information without first obtaining verifiable parental consent;
  • provide direct notice to parents, and post notice on its website and in its mobile apps, of the types of information it collects from children, how it uses that information, and whether it discloses it to third parties; and
  • destroy within five days all personal information, including metadata, which it had collected or transmitted in violation of COPPA.

State and federal policymakers are applying heightened scrutiny to children’s privacy as mobile apps and social media are rapidly adopted by even very young children. Similar actions can be expected in the future, brought by either state or federal enforcement authorities, and potentially as coordinated state and federal actions to protect children’s privacy.



INTERNATIONAL PRIVACY NOTES

U.S. Approved to Participate in APEC's Cross Border Privacy Rules System

On July 26, 2012, Acting Commerce Secretary Rebecca Blank announced that the Asia-Pacific Economic Cooperation (APEC) had approved U.S. participation in its voluntary Cross Border Privacy Rules (CBPR) system. Companies that do business in APEC economies and participate in the CBPR system must comply with baseline privacy practices; the system’s dual goals are to protect consumer privacy in the Asia-Pacific region while promoting e-commerce, trade and economic growth. APEC’s leaders also approved the FTC’s role as the first privacy enforcement authority for the CBPR self-regulatory system.

U.S. companies participating in the system will be able to submit their privacy practices for review against the system’s baseline privacy requirements.



Article 29 Working Party Issues Opinion on Cookie Consent Exemption

In June 2012 the European Union’s Article 29 Working Party issued an opinion explaining certain exemptions to the prior consent requirement in Article 5.3 of the e-Privacy Directive, as revised in 2009 (the Cookie Directive). The Cookie Directive requires that prior consent be obtained before a cookie can be placed on a user’s device. The opinion explains that this requirement should be read as applying to “all types of information stored or accessed in the user’s terminal device although the majority of discussion has centred on the usage of cookies.” Accordingly, the opinion cautions that although “Article 5.3 impacts on the usage of cookies [...] the term should not be regarded as excluding similar technologies.”

The Cookie Directive includes the following exemptions to the prior consent requirement:

  1. Where the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network,” or
  2. The cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

The Working Party’s opinion offers guidance on these exemptions to prior consent, including the view that a cookie, even a multi-purpose cookie, must “have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once [such purpose] is not needed, taking into account the reasonable expectations of the average user or subscriber.” If multiple cookies are used for differing purposes, multiple notices and consents may not be required. Companies that choose to employ a single notice and opportunity for consent covering all such purposes should be able to do so, provided the notice is clearly explained.

The opinion also identifies cookies that might be exempt from the consent requirement in limited instances, including: 1) authentication cookies; 2) session cookies; 3) user-preference cookies; 4) social media session “plug-in” cookies; and 5) multimedia player session cookies, among others.
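The two points above that a site operator actually has to implement are the consent gate (exempt cookies may be set without prior consent, everything else may not) and the lifespan rule (a cookie must not outlive the purpose it serves). The following is an added example, not code from the newsletter or from the Working Party, showing one way a server could enforce both before emitting Set-Cookie headers. The purpose categories, the lifespan caps, and the cookie names and values are illustrative assumptions of ours and are not figures taken from the opinion or the Directive.

```python
"""Consent-gated cookie issuance keyed to the Article 5.3 exemptions.

Added example (not from the newsletter or the Working Party). The purpose
categories, lifespan caps, cookie names and values below are our own
illustrative assumptions, not values from the opinion or the Directive.
"""
from dataclasses import dataclass
from enum import Enum
from http.cookies import SimpleCookie
from typing import Iterable, List, Optional


class Purpose(Enum):
    # The two exemptions quoted in the text: no prior consent needed.
    TRANSMISSION = "transmission"        # sole purpose is carrying the communication
    STRICTLY_NECESSARY = "necessary"     # needed for a service the user asked for
    # Anything else needs prior consent before the cookie is set.
    ANALYTICS = "analytics"
    ADVERTISING = "advertising"


EXEMPT = {Purpose.TRANSMISSION, Purpose.STRICTLY_NECESSARY}

# Assumed lifespan caps in seconds, tied to purpose; None means "session only".
# The opinion ties lifespan to purpose; the specific caps are our policy choice.
MAX_AGE_BY_PURPOSE = {
    Purpose.TRANSMISSION: None,             # e.g. load balancing: must die with the session
    Purpose.STRICTLY_NECESSARY: 8 * 3600,   # e.g. an authentication cookie (assumed 8h)
    Purpose.ANALYTICS: 30 * 86400,          # assumed 30 days
    Purpose.ADVERTISING: 30 * 86400,        # assumed 30 days
}


@dataclass(frozen=True)
class CookieSpec:
    name: str
    value: str
    purpose: Purpose
    max_age: Optional[int]  # seconds; None = session cookie


class PolicyViolation(ValueError):
    """Raised when a cookie's lifespan is longer than its purpose allows."""


def check_lifespan(spec: CookieSpec) -> None:
    cap = MAX_AGE_BY_PURPOSE[spec.purpose]
    if cap is None and spec.max_age is not None:
        raise PolicyViolation(f"{spec.name}: {spec.purpose.value} cookie must be session-only")
    if cap is not None and spec.max_age is not None and spec.max_age > cap:
        raise PolicyViolation(
            f"{spec.name}: Max-Age {spec.max_age}s exceeds {cap}s cap for {spec.purpose.value}")


def requires_consent(spec: CookieSpec) -> bool:
    return spec.purpose not in EXEMPT


def issue_cookies(specs: Iterable[CookieSpec], consent_given: bool) -> List[str]:
    """Return the Set-Cookie header values the server may emit on this response.

    Exempt cookies are issued after the lifespan check. Cookies that need prior
    consent are dropped (not deferred) whenever consent has not been recorded.
    """
    headers: List[str] = []
    for spec in specs:
        check_lifespan(spec)
        if requires_consent(spec) and not consent_given:
            continue
        jar = SimpleCookie()
        jar[spec.name] = spec.value
        morsel = jar[spec.name]
        morsel["path"] = "/"
        morsel["secure"] = True       # never send over plain HTTP
        morsel["httponly"] = True     # keep it out of reach of page scripts
        morsel["samesite"] = "Lax"
        if spec.max_age is not None:
            morsel["max-age"] = spec.max_age
        headers.append(morsel.OutputString())
    return headers


def issued_names(specs: Iterable[CookieSpec], consent_given: bool) -> List[str]:
    """Cookie names actually set for a response, in order (handy for tests)."""
    return [h.split("=", 1)[0] for h in issue_cookies(specs, consent_given)]


# Constructed sample: one cookie per category a real site might carry.
SAMPLE = [
    CookieSpec("lb", "node-3", Purpose.TRANSMISSION, None),
    CookieSpec("sid", "8f1c2a9d", Purpose.STRICTLY_NECESSARY, 8 * 3600),
    CookieSpec("ana", "v1.0042", Purpose.ANALYTICS, 30 * 86400),
]

if __name__ == "__main__":
    print(issue_cookies(SAMPLE, consent_given=False))  # lb and sid only
    print(issue_cookies(SAMPLE, consent_given=True))   # all three
```

Without recorded consent only the two exempt cookies are issued; with consent the analytics cookie is added. A cookie whose lifespan does not match its purpose (for example a transmission cookie given a 24-hour Max-Age) is rejected outright rather than silently shortened, so a misconfiguration surfaces in testing instead of on users’ devices.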

The Article 29 Working Party’s opinions are currently advisory in nature and lack the effect of binding regulations. As previously reported, however, the European Union’s draft privacy framework regulation would create a new Data Protection Board that replaces the Working Party and oversees pan-European enforceable privacy rules. In the meantime the Working Party remains an influential body to which EU member states frequently defer. Accordingly, its Cookie Consent Exemption opinion offers useful guidance to help U.S. companies that are subject to EU privacy law assess their compliance obligations under the Cookie Directive.



UPDATES

Federal Court Rules in Favor of Retrospective Application of California Zip Code Privacy Case

On June 25, 2012, the U.S. District Court for the Northern District of California ruled in Dardarian v. OfficeMax North America [1] that a California Supreme Court decision, Pineda v. Williams-Sonoma Stores, Inc., applies retrospectively. As we previously reported, the California Supreme Court ruled in Pineda that zip codes are personal information under California’s Song-Beverly Credit Card Act of 1971 (Song-Beverly) [2], and that requesting and recording zip code information therefore violates Song-Beverly.

The Plaintiffs in Dardarian filed a class action against OfficeMax arising from its collection of zip code information at the point of sale during credit card transactions. OfficeMax moved for a determination that Pineda should apply to it only prospectively. The Court ruled that Pineda applies retrospectively.

Discovery showed that OfficeMax had an “information capture” policy in effect until February 10, 2011, the day Pineda was decided. Under this policy, OfficeMax’s cashiers requested and recorded the zip codes of customers using credit cards at the point of sale. The Plaintiffs alleged that when they purchased merchandise at one of OfficeMax’s California stores with a credit card, the store clerk asked them for personal identification information, including their zip code; each Plaintiff provided it, and the clerk recorded it in OfficeMax’s electronic database. OfficeMax argued that it used the information to analyze media markets and decide where to place advertisements, rather than to reverse-engineer the customer’s full address.

OfficeMax also argued that Pineda failed to follow California precedent in which a lower court [3] had ruled that a zip code does not constitute personal information. The Court rejected this argument, in part because OfficeMax had started collecting zip codes well before the lower court decision it cited in its motion, and therefore had not relied on it. The Court also ruled that, as a matter of public policy, retrospective application of Pineda was appropriate because it furthers the intent of Song-Beverly, which is to prevent retailers from collecting personal information from consumers during credit card transactions.

As a result of this decision, the action against OfficeMax can go forward.


[1] No. 11-CV-0947-YGR (N.D. Cal. June 25, 2012)
[2] California Civil Code § 1747.08
[3] Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (Cal. Ct. App. 2008)



Mobile Tracking Lawsuit Against Apple Allowed to Go Forward

We previously reported that In re iPhone Application Litigation was dismissed with leave to amend on the grounds that the plaintiffs did not allege an injury to themselves and so failed to establish standing under Article III of the Constitution.

Plaintiffs filed an amended complaint shortly thereafter, which was subsequently dismissed as to most defendants (including Google, Flurry, and AdMob). Apple’s motion to dismiss, however, was denied in part, so two of the claims against Apple will go forward. In the amended complaint, plaintiffs stated more clearly the injury that resulted from the tracking and collection of their personal information by iPhone and iPad apps, specifically identifying the devices and apps used for tracking and the types of information collected (including addresses, age, gender, and search terms), and argued that this conduct violated the Wiretap Act, which is itself a cognizable injury. Finding that the alleged injury could be traced to the actions of all defendants, the Court ruled that the requirements of Article III are satisfied and permitted the action to proceed. The Court then went on to dismiss much of the case for failure to state a claim on most of the specific counts.

First, the Court found that iOS devices are not “facilities through which an electronic communications service is provided” and that information stored on the device is not in “electronic storage” as defined in the Stored Communications Act (SCA), so the alleged tracking cannot violate that statute. The Court also dismissed all of the Wiretap Act, California constitutional right to privacy, Computer Fraud and Abuse Act, conversion, unjust enrichment, trespass, and negligence counts. The Court allowed only two claims under California law to proceed against Apple, brought under California’s Consumers Legal Remedies Act (which, like the FTC Act, bars unfair or deceptive acts or practices) and its Unfair Competition Law. The Court reasoned that plaintiffs stated a claim under California law by alleging that Apple’s promises to protect user privacy led them to buy their iPhones and iPads at a higher price than they would have paid had it been clear that Apple was tracking certain data. The Court has not ruled on whether these allegations are true, and it declined to find that Apple’s user agreement absolutely bars these claims from proceeding.



NEWS & ANNOUNCEMENTS

Ari Moskowitz Earns CIPP/US Certification
SLRNO is pleased to congratulate our Associate Ari Moskowitz on becoming a Certified Information Privacy Professional in U.S. Privacy law (CIPP/US). Ari earned his CIPP credential from the International Association of Privacy Professionals. Ari’s achievement enhances SLRNO’s ability to provide highly specialized legal and strategic assistance to businesses in all stages of development, whether early stage or established companies. Ari can be contacted at amoskowitz@stlro.com.



Copyright © 2012 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington D.C 20036