Privacy Bulletin: Issue No. 36
In the News
LifeLock and FTC Settle for $12 Million: On March 9, 2010, FTC Chairman Jon Leibowitz announced that Lifelock, Inc., a provider of identity theft protection services, would pay $11 million to the FTC and $1 million to 35 state attorneys to settle charges that LifeLock used false claims to promote its services. Among other allegations, the FTC alleged that LifeLock's security measures did not protect against the misuse of existing account information. The FTC also alleged that LifeLock made the following false claims: that it would prevent unauthorized changes to customers’ address information; that it constantly monitored activity on customer credit reports; and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC will provide refunds to consumers from the $11 million it will receive in the settlement. Lifelock also will be barred from making deceptive claims and will be required to heighten the security measures it takes to safeguard personal information of its clients.
New Hampshire House Passes Bill Restricting Use of Biometric Data: On March 3, 2010, the New Hampshire House of Representatives passed a bill that would ban the collection of biometric data for identification purposes (except for use in employee identification cards) or as a condition of doing business with, engaging in any business activity or relationship with, or obtaining services from, an agency or entity. For the purpose of the bill, “biometric data” includes fingerprints, palm prints, facial feature pattern characteristics, characteristics of a handwritten signature, voice data, iris recognition data containing color or texture patterns or codes, keystroke dynamics, measuring pressure applied to key pads, hand geometry, retinal scans, and DNA or RNA. If the law is ultimately passed, it will take effect January 1, 2011.
Shopper Cards Used to Trace Salmonella: On March 11, 2010, the Centers for Disease Control (“CDC”) posted an update on a multi-state salmonella outbreak in which it stated that "[Grocery store] shopper card information was successfully used to determine specific brands of a product suspected to cause illness." The CDC asked supermarkets for buying information on victims beginning last winter to determine the source of the outbreak. Although the CDC first gained consent from the patients whose card information it accessed, and focused only on suspect products (products that could contain salmonella) some privacy advocates and long-time critics of these shopper cards are concerned that the practice could lead to mandatory use of the cards.
Maine Repeals Law Restricting Access to Minors’ Personal Information: A state legislative committee voted Thursday to repeal a controversial 2009 Maine law, entitled "An Act to Prevent Predatory Marketing Practices Against Minors." The Attorney General previously has stated she would not enforce the law, which requires companies to obtain parental consent before collecting personal or health information from minors and bans the sale or transfer of health information about minors that identifies individual minors, regardless of how the data was collected. NetChoice, whose members include AOL, eBay, News Corp., and Yahoo, challenged the law last year in the U.S. District Court for the District of Maine. The Court dismissed the lawsuit because of the Attorney General’s decision not to enforce the law. Maine's full legislature will vote on whether to repeal the law later this spring.
NetFlix Cancels Contest After Privacy Lawsuit, "Discussions" with FTC: Netflix, the online and over-the-mail video rental company, announced on March 12, 2010, that it will cancel its “Netflix Prize” contest due to privacy concerns. The new contest is a sequel to a contest launched in 2006, in which NetFlix made available arguably anonymous data to contest participants in an effort to improve its movie recommendation algorithm. The prior contest was the object of a lawsuit brought in December, in which the petitioners claimed that NetFlix inappropriately disclosed customer information. Although NetFlix had attempted to make available anonymous data, researchers had been able to re-identify certain individuals. The contests drew the attention of the FTC. The FTC and NefFlix convened a series of discussions, and, as a result, NetFlix agreed to suspend its contest and to make several voluntary commitments regarding future use of data. For example, NetFlix agreed to release data only to researchers who would contractually agree to limits on the use of that data. NetFlix’s commitments are described in the March 12, 2010 letter from the FTC to Netflix.
Agenda Released for Final FTC Roundtable on Consumer Privacy: On March 10, 2010, the FTC released the agenda for its final roundtable on consumer privacy issues, scheduled for March 17, 2010. The meeting, which is open to the public and available via webcast at ftc.gov, includes panels on Internet architecture and privacy issues, health information and other sensitive information, and a wrap-up discussion on the outcome of all three roundtables and possible next steps. The roundtable will be held at the FTC Conference Center, 601 New Jersey Ave,. NW Washington DC, 20001. Comments on the discussions at the final roundtable will be accepted through April 14, 2010.
Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.
If you have any questions, please contact Jennifer Kashatus