St. Ledger-Roty & Olson LLP

PRIVACY & INFORMATION LAW UPDATE
November 2011
A bimonthly update of trends and developments in privacy law & policy

Karen L. Neuman, Editor

  • You are receiving this publication because of your interest in privacy, information management & data security. It is for informational, including advertising purposes only and is not intended to be, nor should it be considered legal advice.

In this Issue:
FEATURE ARTICLE: Location! Location! Location!
Business Use of GPS Technology and Potential Risk
FTC and Operator of Children's Social Network Settle COPPA and FTC Act Charges
Supreme Court Hears Arguments on Closely Watched GPS Case
First Circuit Finds Mitigation Costs Recoverable in Data Breach Case
Ninth Circuit Rules that the Electronic Communications Privacy Act Protects Non-Citizens
Study Finds Websites Leak PII in Referrer URLs and Headers
FTC Settles Complaint against App Developer over Default Privacy Settings
Privacy & Mobile Apps: Practical Steps for Minimizing Legal Risk

UPDATES:
Comments on Proposed Revisions to the COPPA Rule Due November 28
E.U. Data Protection Directive to be Updated Next Year
California Enacts Song-Beverly Exemption for Zip Code Use by Gas Stations
Privacy Lawsuit Against Apple Dismissed
APEC Leaders Endorse Cross-Border Privacy Rules

PRESENTATIONS & EVENTS
Karen Neuman Discusses Privacy Law and Mobile Apps at San Francisco Mobile Summit.

Feature Article:
Location! Location! Location!
Business Use of GPS Technology and Potential Risk

By Karen Neuman, Jeff Olson and Ari Moskowitz

The use of Global Positioning System (GPS) based technology in commerce is becoming ubiquitous. This technology is being embedded in a broad array of business activities, including ground, air, and sea transportation; disaster relief; precision agriculture; construction; mobile communications services; and product and service marketing. Reliance on GPS technology creates both substantial revenue opportunities and significant potential legal and business risks for various entities in the data collection and distribution chain, not just the end-user businesses that rely on GPS-based services.

FTC and Operator of Children's Social Network Settle COPPA and FTC Act Charges
By Ari Z. Moskowitz

On November 8, 2011, the Federal Trade Commission (FTC) announced that it had filed and settled charges in a COPPA action against Jones Godwin, the operator of Skid-e-kids, a social network for children. The FTC alleged that Godwin violated the COPPA Rule by collecting personal information from 5,600 children without first obtaining parental consent. The FTC also charged Godwin with making false statements in the Skid-e-kids privacy policy in violation of the FTC Act’s prohibition on unfair or deceptive trade practices.

Supreme Court Hears Arguments on Closely Watched GPS Case
By Karen L. Neuman and Ari Z. Moskowitz

On November 8, the Supreme Court heard arguments in the closely watched case of U.S. v. Antoine Jones.[1] The case involves application of the Fourth Amendment to Global Positioning Systems (GPS) used by law enforcement to track the movements of suspects. The outcome of this case could have a significant impact on law enforcement investigations that rely on new or emerging technologies; it could also affect expectations of privacy as between service providers and consumers.

First Circuit Finds Mitigation Costs Recoverable in Data Breach Case
By Ari Z. Moskowitz

On October 20, 2011, the First Circuit ruled in Anderson v. Hannaford Bros. Co. that costs incurred by plaintiffs to mitigate potential losses from a data breach of Hannaford’s electronic payment processing system are recoverable damages under Maine law. The ruling affirms in part and reverses in part a lower court ruling.[1] Hannaford, a grocery chain, was targeted by hackers who accessed and stole credit and debit card information for up to 4.2 million customers.

Ninth Circuit Rules that the Electronic Communications Privacy Act Protects Non-Citizens
By Ari Z. Moskowitz

On October 3, 2011, a panel of three judges on the U.S. Court of Appeals for the Ninth Circuit ruled in Suzlon v. Microsoft[1] that the Electronic Communications Privacy Act (ECPA) protects the emails of both citizens and noncitizens from disclosure by their email providers. Accordingly, Internet Service Providers that store e-mails are prohibited from turning over the contents of emails and other electronic communications of noncitizens without first obtaining a search warrant or following the alternative procedures outlined in the Act.

Study Finds Websites Leak PII in Referrer URLs and Headers
By Ari Z. Moskowitz

On October 11, 2011, Jonathan Mayer at Stanford’s Center for Internet and Society released the latest in a series of studies that have examined privacy risks posed by commonly used technologies for targeted advertising and related uses. The study, Tracking the Trackers: Where Everybody Knows Your Username, examined whether information traditionally thought of as “anonymous” and collected during online browsing can be connected to specific user accounts. The study found that 113 of the 250 most visited websites in the United States “leak” personally identifiable information (PII), in the form of usernames or user IDs, to third parties. Some of this information included email addresses, first names, last names, physical addresses, phone numbers, and birthdays. Each website leaked this information to up to 31 third party websites that include advertisers, analytics providers, and social media sites.

FTC Settles Complaint against App Developer over Default Privacy Settings
By Ari Z. Moskowitz

On October 12, 2011, the Federal Trade Commission announced a settlement with Frostwire LLC, a developer of a peer-to-peer (p2p) file-sharing application for Android, Windows, and Mac operating systems, over the default settings on the file-sharing application. The FTC's complaint alleged that Frostwire's app violated the FTC Act by using deceptive default privacy settings, which would lead consumers to unintentionally and unknowingly share personal files from their mobile device or computer with the public.

Privacy & Mobile Apps: Practical Steps for Minimizing Legal Risk
By Karen L. Neuman

Mobile apps have grown from a quirky sector of the wireless industry to a complex economy. These apps generate significant revenue from purchases within the app (“in-app purchases”), and the sale of user data to third parties, such as ad networks, for interest-based advertising.

UPDATES

Comments on Proposed Revisions to the COPPA Rule Due November 28

On November 7, Phyllis Marcus of the FTC spoke at a Federal Communications Bar Association “brown bag” during which she fielded questions about the FTC's proposed amendments to the COPPA rule (see the SLRNO September 2011 Update for a detailed overview of the proposed changes).

E.U. Data Protection Directive to be Updated Next Year

As reported by the New York Times, Viviane Reding, the European justice commissioner, announced this month that she intends to recommend that the E.U. Data Protection Directive be revised in early 2012, a delay from the original deadline of revising the Directive in November 2011, to include a "right to forget" and to require all companies, whether or not based in the E.U., that collect information on E.U.

California Enacts Song-Beverly Exemption for Zip Code Use by Gas Stations

On October 9, Governor Jerry Brown signed AB 1219, the California Business Protection Act of 2011, amending the Song-Beverly Credit Card Act (Act) to create a limited exemption for retail gas stations seeking customer zip code information for transactions conducted at a “retail motor fuel dispenser” or “retail motor fuel payment island automated cashier” to prevent consumer fraud.

Privacy Lawsuit Against Apple Dismissed

In re iPhone Application Litigation (See Lalo v. Apple in SLRNO February 2011 Update), which involved allegations that Apple allowed ad networks and apps to track users via their Unique Device Identifier (UDID), was dismissed at the end of September.

APEC Leaders Endorse Cross-Border Privacy Rules

At the Asia-Pacific Economic Cooperation (APEC) forum meeting this week in Honolulu, Hawaii, President Obama and leaders of the other APEC member countries approved the APEC Cross-Border Privacy Rules, a framework to protect consumer data as it moves across borders.

PRESENTATIONS & EVENTS

Karen Neuman discussed privacy law and mobile apps during a breakout session at the 2011 Open Mobile Summit’s AppCelerate program on Nov. 4 in San Francisco. Speaking to a gathering of developers, engineers and platform providers, Karen summarized trends in privacy law and regulation in the U.S. and EU, and offered some practical steps that developers can take to minimize legal risk when creating and monetizing mobile apps.


Feature Article:
Location! Location! Location!
Business Use of GPS Technology and Potential Risk

By Karen Neuman, Jeff Olson and Ari Moskowitz

The use of Global Positioning System (GPS) based technology in commerce is becoming ubiquitous. This technology is being embedded in a broad array of business activities, including ground, air, and sea transportation; disaster relief; precision agriculture; construction; mobile communications services; and product and service marketing. Reliance on GPS technology creates both substantial revenue opportunities and significant potential legal and business risks for various entities in the data collection and distribution chain, not just the end-user businesses that rely on GPS-based services.

For example, the collection of location, mapping, speed, and other information (such as safety-belt usage and other driving behavior data in private and commercial fleet vehicles, or property-specific mapping data to assist with pesticide application on farms) creates a valuable commodity that can be analyzed by companies for internal use, or sold to third parties for commercial purposes, including targeted advertising.

Data collected by GPS devices is also sought after by law enforcement. The Supreme Court recently heard oral argument in a case that involves law enforcement use of GPS tracking technology for investigative purposes. The outcome of this case could have a broad impact on GPS device manufacturers and licensees, including increased costs for complying with police investigations and business risks arising from limits on the privacy assurances that businesses can offer their users.

A very recent example of the business risks associated with privacy concerns is OnStar’s September 2011 announcement of proposed changes to its privacy policy. OnStar’s new privacy policy reserved the right to collect vehicle operation data both from customers using its GPS in-vehicle navigation and emergency response services and from former customers who had cancelled their service but did not disconnect the OnStar device. This, along with OnStar’s decision to share or sell this data once “anonymized”, caused an uproar that caught the attention of Congress and led to calls for an FTC investigation.

On the congressional side, the Location Privacy Protection Act was introduced in the Senate earlier this year. The measure would require businesses that collect location information from mobile devices to obtain express customer consent before collecting that information or disclosing it to third parties. Certain types of companies would also be required to implement specific data security protections.

In the EU, the Article 29 Working Party (the EU Advisory body on Privacy and Data Protection) recently adopted an opinion intended to clarify the privacy legal framework that applies to personal location data obtained from geolocation, including GPS-based, services. The trend for secondary uses of location data not contemplated at the time of collection is a privacy risk that was accentuated in the opinion. This trend could affect the EU compliance strategies of businesses that rely on GPS-collected data and that are subject to the EU privacy legal framework.

As the collection, storage and use of GPS-based personal information becomes the norm in all facets of commerce, the risk of misuse of that data grows, seemingly exponentially. For example, employee on-the-job GPS-based monitoring enables the collection, retention and potential disclosure of personal information that could expose device manufacturers, employers, and users (as well as dealers and repair contractors) to legal risk. Questions about data ownership or control, and corresponding obligations to protect against the loss of proprietary data, or guard against unauthorized access and use of personal or business information, can also create significant exposure. Nevertheless, there are some practical steps that can be taken to minimize risk. Some of them include:

  • Understand your GPS data collection practices and provide legally compliant notice about those practices.
  • Be familiar with where GPS-collected data is stored and with the compliance obligations of each jurisdiction. If applicable, understand the legal implications of cross-border data flows.
  • Contractually define legal rights and obligations involving GPS-collected data, and allocate corresponding risk and liability.

Organizations in the data collection and distribution supply chain that understand the opportunities and risks presented by the rapid adoption of GPS-based technology will be better positioned to offer innovative products and services in the future, while turning privacy compliance into a competitive advantage.



FTC and Operator of Children's Social Network Settle COPPA and FTC Act Charges
By Ari Z. Moskowitz

On November 8, 2011, the Federal Trade Commission (FTC) announced that it had filed and settled charges in a COPPA action against Jones Godwin, the operator of Skid-e-kids, a social network for children. The FTC alleged that Godwin violated the COPPA Rule by collecting personal information from 5,600 children without first obtaining parental consent. The FTC also charged Godwin with making false statements in the Skid-e-kids privacy policy in violation of the FTC Act’s prohibition on unfair or deceptive trade practices.

The Complaint noted that the Skid-e-kids website, www.skidekids.com, is directed at children and advertises itself as "the social networking alternative for kids ages 7 to 14." In order to register on the site, children were required to provide their date of birth, gender, username, password, and email address. Providing this information registered the child for Skid-e-kids, even though the site never first requested a parent’s email address or other contact information, and never attempted to notify parents or obtain parental consent. Once registered, children could create a profile by entering a “first and last name, city and country, birth date, and gender, as well as freely type information in [an] ‘about me’ field”. The FTC concluded that the site collected and maintained personal information from children in violation of the COPPA Rule.

The Complaint also focused on the Skid-e-kids privacy policy, which states, “The Skid-e-kids.com website requires child users to provide a parent's valid email address in order to register on the website. We use this information to send the parent a message that can be used to activate the Skid-ekids account, to notify the parent about our privacy practices…” As the website never required children to provide a parent’s email address and never contacted parents to activate their children’s accounts, the FTC found that this privacy policy violated the FTC Act.

Under the settlement, Godwin is required to destroy any information he collected in violation of the COPPA Rule. Godwin is also required to provide a conspicuous link to www.OnGuardOnline.gov on any websites he may operate for the next five years, and must either retain a third party to conduct audits or join one of the FTC’s safe harbor programs.

This settlement is a reminder that the FTC is aggressively enforcing COPPA, and that effort is unlikely to abate following the conclusion of the pending proceeding to update the COPPA rule.



Supreme Court Hears Arguments on Closely Watched GPS Case
By Karen L. Neuman and Ari Z. Moskowitz

On November 8, the Supreme Court heard arguments in the closely watched case of U.S. v. Antoine Jones.[1] The case involves application of the Fourth Amendment to Global Positioning Systems (GPS) used by law enforcement to track the movements of suspects. The outcome of this case could have a significant impact on law enforcement investigations that rely on new or emerging technologies; it could also affect expectations of privacy as between service providers and consumers.

The case arose from an FBI-District of Columbia police investigation of Antoine Jones, a nightclub owner and suspected drug dealer. Surveillance of Jones included installation of a GPS tracking device on his vehicle. A warrant for the GPS device was obtained, but the device was installed after the warrant expired. Additionally, the device was installed in Maryland, although the warrant was only valid in the District of Columbia. The device collected information about the movements of Jones’ vehicle in relation to a house thought to be where Jones was storing drugs. Together with other “plain view” evidence (including visually monitoring Jones’ movements), police subsequently executed a search warrant and seized large amounts of drugs, weapons and cash. Jones was convicted in federal court of drug distribution charges. The D.C. Court of Appeals reversed on grounds that use of the GPS device was an unreasonable search under the Fourth Amendment. The Department of Justice appealed to the Supreme Court.

The issues before the Court include whether warrantless use of a tracking device on a private vehicle to monitor the vehicle’s movements on a public street violates the Fourth Amendment, and whether the Defendant’s rights were violated in this case by installing the tracking device without a warrant and without obtaining the Defendant’s consent.

During oral arguments, the Supreme Court appeared unswayed by the government's contention that using the GPS device was a valid Fourth Amendment search. The government relied primarily on U.S. v. Knotts,[2] in which the Court concluded that a person traveling on public roads in a car has no reasonable expectation of privacy in his movements. Chief Justice Roberts challenged this contention, noting that tracking technology has changed significantly since 1983, when Knotts was decided. The other Justices similarly took issue with the government’s position. For example, Justice Alito noted that “in the pre-computer, pre-Internet age… most of the privacy that people enjoyed was not the result of legal protections or constitutional protections; it was the result simply of the difficulty of traveling around and gathering up information."[3]

In addition to its potential impact on future law enforcement investigations, this case could result in increased legal costs for GPS providers seeking to resist turning over customer data to the police. These providers might be reluctant to turn over customer data out of concern that the perception of ready law enforcement access to user data could deter consumers from purchasing GPS products and services for their vehicles. Providers will want to ensure that a valid warrant has been properly obtained before disclosing customer data.


[1] United States v. Jones, No. 10-1259 (U.S. argued Nov. 8, 2011).
[2] United States v. Knotts, 460 U.S. 276 (1983).
[3] Transcript of Oral Argument at 10, United States v. Jones, No. 10-1259 (U.S. argued Nov. 8, 2011), available at http://www.supremecourt.gov/oral_arguments/argument_transcripts/10-1259.pdf



First Circuit Finds Mitigation Costs Recoverable in Data Breach Case
By Ari Z. Moskowitz

On October 20, 2011, the First Circuit ruled in Anderson v. Hannaford Bros. Co. that costs incurred by plaintiffs to mitigate potential losses from a data breach of Hannaford’s electronic payment processing system are recoverable damages under Maine law. The ruling affirms in part and reverses in part a lower court ruling.[1] Hannaford, a grocery chain, was targeted by hackers who accessed and stole credit and debit card information for up to 4.2 million customers. The issue before the First Circuit was whether the costs incurred by Hannaford’s customers to mitigate potential losses, including fees paid to obtain new credit cards and the purchase of credit insurance, could be recovered from Hannaford in a negligence and implied contract action. The lower court found that these mitigation costs could not be recovered under negligence and implied contract theories, finding that these costs were too remote and unforeseeable.

The First Circuit also considered the plaintiffs’ claims under the Maine Unfair Trade Practices Act. The lower court dismissed those claims because the plaintiffs did not allege a substantial injury. The First Circuit dismissed these claims as well, but on the grounds that some of the damages are not reasonably foreseeable and others are sufficiently recoverable under negligence and implied contract theories.

However, the First Circuit reversed the lower court on the negligence and implied contract claims, finding not only that the plaintiffs’ costs arising from the breach were foreseeable, but also that the steps taken by the plaintiffs to minimize potential losses were reasonable mitigation costs, and therefore amounted to cognizable damages under Maine negligence and contract law. In reaching its ruling, the Court cited the delay in and inadequacy of Hannaford’s customer breach notification: because Hannaford only acknowledged the breach publicly more than three months after it occurred, after over 1,800 fraudulent charges had been identified, and failed to tell its customers whether their data was among the 4.2 million credit and debit card numbers stolen, the measures taken by the plaintiffs to mitigate potential losses were reasonable.

The Court acknowledged that its ruling is contrary to the dozen cases cited by Hannaford in which courts found that, in cases of a data breach, the costs of credit monitoring services and identity theft insurance were not recoverable damages. The Court distinguished those cases as follows.

First, most involved theft of computer equipment; theft of the data contained therein was incidental. Additionally, no evidence of unauthorized access or use of credit card data in those cases was adduced. Therefore, any injuries to the plaintiffs, including the need to purchase credit insurance, were speculative, not reasonable. By contrast, the Hannaford breach specifically targeted credit card data, resulting in thousands of fraudulent charges.

Second, some of the cases cited by the Defendant involved hackers specifically targeting and accessing financial and other personal information. The plaintiffs in these actions sought damages for incurring costs associated with credit insurance and similar mitigation measures. However, unlike the Hannaford plaintiffs, the plaintiffs in the other cases never alleged that they or any other alleged victims had actually suffered identity theft or unauthorized charges. Accordingly, the Court concluded the mitigation costs were unreasonable and these cases were not persuasive.

In sum, costs incurred by customers to mitigate potential losses from a data breach are more likely to be recoverable when the data stolen has been used for unlawful purposes or when the data specifically targeted in the breach consists of financial information. In order to minimize exposure under this case in the event of a claim for mitigation damages, businesses should be familiar with and implement industry best practices, and comply with applicable data breach notification laws.


[1] Anderson v. Hannaford Brothers Co., Nos. 10-2384, 10-2450, 2011 WL 5007175 (1st Cir. 2011).



Ninth Circuit Rules that the Electronic Communications Privacy Act Protects Non-Citizens
By Ari Z. Moskowitz

On October 3, 2011, a panel of three judges on the U.S. Court of Appeals for the Ninth Circuit ruled in Suzlon v. Microsoft[1] that the Electronic Communications Privacy Act (ECPA) protects the emails of both citizens and noncitizens from disclosure by their email providers. Accordingly, Internet Service Providers that store e-mails are prohibited from turning over the contents of emails and other electronic communications of noncitizens without first obtaining a search warrant or following the alternative procedures outlined in the Act.

ECPA

ECPA, enacted in 1986, protects electronic communications from unauthorized access by the government. The statute was subsequently updated with an amendment that added the Stored Communications Act (SCA), which protects electronic communications, such as emails, that are stored by Internet service providers. The SCA provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.”[2] A public provider of email services (such as Microsoft through its Hotmail service) may not share its users’ emails with the government or any third party without a warrant or similar order. The SCA defines users as “any person or entity… who uses an electronic communications service.”[3]

SUZLON v. MICROSOFT

The issue before the Court in Suzlon involved construing the term “any person.” The underlying case involved a lawsuit in Australia between an Indian citizen, Rajagopalan Sridhar, and an Indian company, Suzlon Energy. Suzlon petitioned the court to force Microsoft to turn over Sridhar’s emails from his Microsoft Hotmail email account. Microsoft objected, and the Ninth Circuit agreed, ruling that the SCA protects the emails of both citizens and noncitizens. Looking to the Freedom of Information Act (FOIA), the Court reasoned that the definition of “any person” is clear and should be construed as it is in the FOIA to apply regardless of a person’s citizenship. The Court also found in the SCA’s legislative history that Congress intended “any person” to be read inclusively. Therefore, Microsoft was prohibited from sharing Sridhar’s emails with Suzlon.

In reaching its decision, the Court considered Suzlon’s argument that Sridhar’s duty under Australian law to turn over the emails constituted implied consent to Microsoft’s disclosure of those emails. The Court rejected this argument, however, stating that Sridhar never consented to Microsoft disclosing his emails and that any duty to disclose lies with Sridhar, not a third party such as Microsoft.

CONTEXT

This decision is the latest in a line of cases applying ECPA to modern communications technologies. The law was written in 1986, prior to the explosion of email, instant messaging, texting, and social media. Since its enactment, courts have struggled to apply the law to new and emerging technologies, including defining what is protected by ECPA and which of ECPA’s two levels of protection apply to each type of electronic communication. Over the last few years, calls have intensified for Congress to reform ECPA and clarify these issues, including calls from courts themselves.[4]

In the meantime, some courts have found that some aspects of ECPA which allow disclosure of electronic communications are unconstitutional under the Fourth Amendment.[5] The Supreme Court weighed in last year when it found no Fourth Amendment violation when a police department audited the transcripts of text messages sent by officers on their city-provided pagers.[6]

CONCLUSION

Under this decision, individuals, whether U.S. citizens or foreign nationals, who use American-based communications services, including Microsoft’s Hotmail, Google’s Gmail, and, likely, messaging on Facebook, are protected under ECPA against the government obtaining the contents of their communications without first going through the courts. Foreign companies that rely on American third party public providers for hosting their email services should likewise understand that ECPA can be invoked by the email provider to resist a warrantless request to turn over their or their customers’ emails. One practical outcome of this decision will be to make discovery more costly and difficult.


[1] Suzlon v. Microsoft, No. 10-35793 (9th Cir. Oct. 3, 2011).
[2] 18 U.S.C. § 2702(a)(1).
[3] 18 U.S.C. § 2510(13).
[4] See, e.g., Rehberg v. Paulk, 611 F.3d 828 (11th Cir. 2010); Crispin v. Audigier, 717 F.Supp.2d 965 (C.D. Cal. 2010).
[5] See, e.g., U.S. v. Warshak, 631 F.3d 266 (6th Cir. 2010).
[6] Ontario v. Quon, 130 S. Ct. 2619 (2010).



Study Finds Websites Leak PII in Referrer URLs and Headers
By Ari Z. Moskowitz

On October 11, 2011, Jonathan Mayer at Stanford’s Center for Internet and Society released the latest in a series of studies that have examined privacy risks posed by commonly used technologies for targeted advertising and related uses. The study, Tracking the Trackers: Where Everybody Knows Your Username, examined whether information traditionally thought of as “anonymous” and collected during online browsing can be connected to specific user accounts. The study found that 113 of the 250 most visited websites in the United States “leak” personally identifiable information (PII), in the form of usernames or user IDs, to third parties. Some of this information included email addresses, first names, last names, physical addresses, phone numbers, and birthdays. Each website leaked this information to up to 31 third party websites that include advertisers, analytics providers, and social media sites.

The leakage of identifying data was determined to be occurring through Request-URIs and Referrer headers, which include the URL of the page that the user is viewing or arrived from. By way of illustration, a third party with an ad displayed on example.com will receive a Referrer header indicating that their ad was viewed on example.com. Similarly, if a person clicks on a link on example.com that takes them to website.com, website.com will receive information indicating that the person arrived at website.com through a link from example.com, as well as personally identifying information about that individual.

For example, if John Doe registers at example.com with the username “JohnDoe” and the email address “johndoe@email.com”, companies displaying ads on example.com may receive a Referrer header indicating that their ad was viewed on http://www.example.com/?username=JohnDoe&email=johndoe@email.com. The PII, in this example a username and email address, was embedded in the URL sent to the third party and could therefore be collected by the third party. According to the study, the disclosure and acquisition of PII does not appear to be intentional. However, it is taking place in violation of the first party websites’ privacy policies. Moreover, many of the third party trackers receiving PII embedded in URLs claim they do not collect PII. The study concludes by suggesting that third party web tracking is not anonymous, despite claims to the contrary.

This study is unlikely to result in legislation. However, many data privacy laws regulate the collection and sharing of PII by any method, whether directly seeking it from a user or indirectly obtaining it through persistent identifiers, and, at the very least, require compliance with the company’s own privacy policies. In addition, findings in the previous studies have emboldened the plaintiffs’ bar and have informed the theories and allegations underlying recent class actions. Accordingly, businesses should be familiar with the tracking technologies they use for analytics or other purposes, and whether those technologies place them in violation of their privacy policy, which could expose them to enforcement or other legal proceedings.
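The leak described above is one a site operator can check for in its own access logs before a third party ever sees it. The following script is an added illustration, not code from the study or from this newsletter: it parses Combined Log Format lines (the sample lines, hosts and parameter names are constructed), flags PII carried in request URIs and in the Referer header (the HTTP header itself is spelled "Referer"; the study and this article call it "Referrer"), and shows the scrubbed URL that should be served instead.

```python
"""Audit first-party URLs for PII that browsers will forward to third parties.

Added example (not from the study or the newsletter). A first-party page whose
URL carries a username or email sends that URL, PII included, in the Referer
header to every ad, analytics or social widget embedded on the page.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Heuristic list of query-parameter names that usually carry PII (an assumption).
PII_PARAM_NAMES = {
    "username", "user", "userid", "uid", "email", "name", "firstname",
    "lastname", "fname", "lname", "phone", "tel", "dob", "birthday", "address",
}
# Value patterns that are identifying whatever the parameter is called.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^(?:\+?\d{1,2}[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")

# Apache/nginx Combined Log Format:
# client ident user [time] "METHOD uri PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample access log of the first-party site www.example.com (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2011:09:15:02 +0000] "GET /profile?username=JohnDoe&email=johndoe@email.com HTTP/1.1" 200 5120 "http://www.example.com/login" "Mozilla/5.0"',
    # The ad script request: the browser sends the profile URL, PII included, as Referer.
    '192.0.2.10 - - [11/Oct/2011:09:15:03 +0000] "GET /ads/banner.js HTTP/1.1" 200 900 "http://www.example.com/profile?username=JohnDoe&email=johndoe@email.com" "Mozilla/5.0"',
    '192.0.2.11 - - [11/Oct/2011:09:16:10 +0000] "GET /search?q=privacy&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "garbage line that is not in Combined Log Format",
]


def classify_param(name, value):
    """Return a PII category for one query parameter, or None if it looks harmless."""
    if EMAIL_RE.match(value):
        return "email"
    if PHONE_RE.match(value):
        return "phone"
    if value and name.lower() in PII_PARAM_NAMES:
        return "identifier"
    return None


def find_pii(url):
    """List the (parameter, category) pairs for PII carried in a URL's query string."""
    query = urlsplit(url).query
    found = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        category = classify_param(name, value)
        if category:
            found.append((name, category))
    return found


def scrub_url(url):
    """Mitigation: rebuild the URL without its PII-bearing parameters, so the page
    address that browsers send as Referer no longer identifies the user. The
    identity belongs in a server-side session, not in the URL."""
    parts = urlsplit(url)
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if classify_param(n, v) is None]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def audit_log(lines, first_party_host="www.example.com"):
    """Scan Combined Log Format lines and report PII in each request's URI and
    Referer. A PII-bearing first-party URI will leak to every third party
    embedded on that page; a PII-bearing Referer shows the leak already in flight."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a parseable log line; skip rather than guess
        for where in ("uri", "referer"):
            url = m.group(where)
            if not url or url == "-":
                continue
            host = urlsplit(url).netloc or first_party_host  # relative URIs are first-party
            for param, category in find_pii(url):
                findings.append({"where": where, "host": host, "param": param,
                                 "category": category, "fix": scrub_url(url)})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f['where']:8} {f['host']:18} {f['param']}={f['category']} -> {f['fix']}")
```

The parameter-name list is a starting point only; an operator should extend it with the names its own application uses.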



FTC Settles Complaint against App Developer over Default Privacy Settings
By Ari Z. Moskowitz

On October 12, 2011 the Federal Trade Commission announced a settlement with Frostwire LLC, a developer of a peer-to-peer (p2p) file-sharing application for Android, Windows, and Mac operating systems, over the default settings on the file-sharing application. The FTC's complaint alleged that Frostwire's app violated the Federal Trade Act by using deceptive default privacy settings, which would lead consumers to unintentionally and unknowingly share personal files from their mobile device or computer with the public.

For example, the default settings on the Android app meant that as soon as the app was installed by a user, all of the user’s photos, videos, and audio files previously stored on the device were shared automatically over Frostwire's p2p network with all other Frostwire for Android users. Additional files or documents added by the user to the Android device after installation of Frostwire's app were also automatically shared under the default settings.

The FTC also alleged misrepresentations in the set-up process and user interface of Frostwire's Windows application. In this version, the set-up process implied that files stored in a folder labeled "Save" would not be shared, whereas files stored in a folder labeled "Shared" would be publicly shared. The default settings, however, shared all files downloaded from the p2p network regardless of which folder they were stored in.

In addition to compliance monitoring, reporting, and recordkeeping requirements, the settlement bars Frostwire from using default settings that will lead to inadvertent sharing and "requires clear and prominent disclosures about file sharing and how to disable it." Frostwire applications must also allow users to disable sharing of files previously shared, in a manner substantially similar to selecting files for sharing. Frostwire must include a "clearly labeled link or distinctive icon" with the list of shared files to "clear and prominent written, graphical, and audiovisual instructions about how to disable sharing of files." With regard to versions of Frostwire applications already installed, Frostwire must offer free upgrades that bring those applications into compliance with the settlement.

This settlement follows the FTC's April settlement with Google over its privacy policy representations and default settings in Google Buzz. In that case, Gmail users who clicked to sign up for Google Buzz had their list of most frequent email and chat contacts shared on their public Google profile by default, even though Google’s privacy policy indicated that Google would ask for consent before using this information for any purpose other than providing email. The Google Buzz and Frostwire actions by the FTC are an indication that the Commission is looking closely at default privacy settings and whether users are adequately informed of the privacy implications of those settings in apps and other software.



Privacy & Mobile Apps: Practical Steps for Minimizing Legal Risk
By Karen L. Neuman

Mobile apps have grown from a quirky sector of the wireless industry to a complex economy. These apps generate significant revenue from purchases within the app (“in-app purchases”), and the sale of user data to third parties, such as ad networks, for interest-based advertising.

The integration of mobile apps with geolocation (including “hyperlocation”) services, advertising (including interstitials), social media, cloud-based data storage services and mobile payment technologies, such as near field communications, raises new questions about privacy and data ownership. Device and platform fragmentation add another layer of complexity to the privacy/data ownership debate because the acquisition of consumer data is integral to monetizing content and attracting and retaining users. The adoption of mobile technologies by children creates potential legal exposure for apps that risk running afoul of laws intended to protect children’s online privacy. Within this ecosystem, the trade in consumer data has triggered regulatory, enforcement and class actions, as well as congressional and criminal investigations.

Legal rights and responsibilities involving mobile apps are evolving, creating uncertainty about legal risk. Privacy has been a principal focus; however, disputes about infringing uses of intellectual property have also attracted scrutiny. (See, e.g., Hershey Company v. Hotrix LLC, No. 10-cv-01178 (M.D. Pa. filed June 2, 2010)). Academic reports and media investigations have aroused suspicion about mobile apps and have formed the basis for claims in class actions filed around the country. Developers can reduce legal risk by being transparent about their business practices, becoming familiar with compliance obligations, and taking practical steps that include the following:

  • Evaluate and Understand Your Data Collection and Use Practices. Be familiar with how your app collects user data and discloses it to third parties.
  • Be Transparent. Disclose your specific data collection and privacy practices in clear, concise “plain English”, including for in-app transactions.
  • Be Familiar with Laws and Regulations that Protect Children’s Online Privacy. The Federal Trade Commission (FTC) recently enforced the Children’s Online Privacy Protection Act (COPPA) rule against a children’s mobile app developer for collecting and disclosing children’s personal information in violation of the rule. The agency is in the midst of a proceeding to make changes to the rule that could impose significant burdens on developers. You should understand how these changes could impact your business and consider filing comments with the FTC before the November 28, 2011 deadline to educate the agency about any impact.
  • Contractually Clarify Data Ownership and require third party partners to comply with applicable law and industry self-regulatory guidelines. Perform privacy due diligence on third party partners.
  • Create and Implement a Legally Compliant Data Security and Breach Plan. Private lawsuits involving failure to adequately respond to a customer data breach can result in significant damage awards and harm to a brand. Creating and implementing a data breach plan can minimize risk, but only if the plan is followed and updated to reflect operational changes, or changes to the legal or regulatory environments.
  • Be Familiar with Foreign Compliance Obligations. The global nature of the app economy may subject you to foreign privacy and data security compliance obligations. Be familiar with the privacy regulatory frameworks of the countries in which you are based or from which you may transfer data to the U.S. and elsewhere.



UPDATES

Comments on Proposed Revisions to the COPPA Rule Due November 28

On November 7, Phyllis Marcus of the FTC spoke at a Federal Communications Bar Association “brown bag” during which she fielded questions about the FTC's proposed amendments to the COPPA rule (see the SLRNO September 2011 Update for a detailed overview of the proposed changes). Questions ranged from the practical effect of eliminating the “email-plus” method of obtaining verifiable parental consent to the consequences of expanding the definition of “personal information” to include IP addresses, and Marcus requested that businesses file comments on these issues. Responding to initial concerns that the FTC was considering raising the rule’s target age from under 13, Marcus explained that the agency lacked the statutory authority to do so and that such a change would require that Congress amend the law. The FTC’s efforts to update the COPPA rule are occurring in the context of ever-increasing adoption of technology by ever-younger children, posing potential enforcement challenges for the agency. One such challenge was recently highlighted in a report that surveyed 1,000 parents of 10- to 14-year-old children in the United States and asked about Facebook and its minimum age requirement of 13. The report noted, among other things, that 55% of parents of 12-year-olds reported having a child signed up for Facebook and that 76% of those parents helped their child create the account in violation of Facebook's terms of service. If adopted, the proposed changes will impose significant burdens on website operators and mobile apps, and increase potential exposure.


E.U. Data Protection Directive to be Updated Next Year

As reported by the New York Times, Viviane Reding, the European justice commissioner, announced this month that she intends to recommend that the E.U. Data Protection Directive be revised in early 2012, a delay from the original deadline of revising the Directive in November 2011, to include a "right to forget" and to require all companies, whether or not based in the E.U., that collect information on E.U. citizens to abide by the European law. Her proposal also includes a stronger focus on privacy by design. Concern has been expressed in some quarters about the impact of the announcement on the U.S.-E.U. Safe Harbor. Thus, given the success of the U.S.-E.U. Safe Harbor and the difficulty European countries have had implementing the current Cookie Law, as discussed in SLRNO's September 2011 Update, the proposed revisions should be expected to face significant scrutiny and resistance from the United States and U.S.-based companies.


California Enacts Song-Beverly Exemption for Zip Code Use by Gas Stations

On October 9, Governor Jerry Brown signed AB 1219, the California Business Protection Act of 2011, amending the Song-Beverly Credit Card Act (Act) to create a limited exemption for retail gas stations seeking customer zip code information for transactions conducted at a “retail motor fuel dispenser” or “retail motor fuel payment island automated cashier” to prevent consumer fraud. The exemption was sought by the Western States Petroleum Association and had the support of the California Manufacturers and Technology Association to limit application of Pineda v. Williams-Sonoma Stores, Inc. In Pineda the California Supreme Court ruled that zip code information is “personal identification information” under the Act and that the defendant unlawfully requested and recorded customer zip codes during credit card transactions. (See SLRNO February Update). Retailers are watching closely to see if similar exemptions will be enacted to insulate them from class action lawsuits, hundreds of which were filed in the wake of the Pineda decision.



Privacy Lawsuit Against Apple Dismissed

In re iPhone Application Litigation (See Lalo v. Apple in SLRNO February 2011 Update), which involved allegations that Apple allowed ad networks and apps to track users via their Unique Device Identifier (UDID), was dismissed at the end of September. The judge found the plaintiffs’ allegations lacking, noting that they never identified the devices that were tracked, what apps accessed their personal information, or what harm they suffered. Though the Court rejected the proposition that Apple’s privacy agreements with customers absolutely bar the plaintiffs’ claims, the Court did ask that, in any amended complaint, the plaintiffs explain “why Apple should be held responsible for privacy violations despite Apple’s apparent privacy agreements with customers.”


APEC Leaders Endorse Cross-Border Privacy Rules

At the Asia-Pacific Economic Cooperation (APEC) forum meeting this week in Honolulu, Hawaii, President Obama and leaders of the other APEC member countries approved the APEC Cross-Border Privacy Rules, a framework to protect consumer data as it moves across borders. The framework was developed with the cooperation of data protection authorities in the various APEC countries, with the Department of Commerce and Federal Trade Commission representing the United States. The rules set up a self-regulatory system to harmonize data privacy protection between APEC countries, facilitating the flow of information around the region. U.S. endorsement of the new framework comes as the U.S. publicly warned that the EU approach is too stringent and called upon EU leaders to adopt alternatives, including industry self-regulatory codes.


PRESENTATIONS & EVENTS


Karen Neuman discussed privacy law and mobile apps during a breakout session at the 2011 Open Mobile Summit’s AppCelerate program on Nov. 4 in San Francisco. Speaking to a gathering of developers, engineers and platform providers, Karen summarized trends in privacy law and regulation in the U.S. and EU, and offered some practical steps that developers can take to minimize legal risk when creating and monetizing mobile apps.



Copyright © 2010 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington D.C 20036