Privacy Bulletin: Issue No. 40

In the News
FTC Delays Enforcement of Red Flags Rule Again: On May 28, 2010, the FTC announced that it is further delaying enforcement of the Red Flags Rule until December 31, 2010. Several Members of Congress requested the delay so as to enable Congress to evaluate legislation that would affect entities covered by the Rule. The Rule became effective on January 1, 2008, with full compliance for all covered entities originally scheduled for November 1, 2008. The FTC has delayed enforcement of the Rule on several occasions.

Consumer Group Suggests Revisions To Boucher's Privacy Bill: Consumers Union, publisher of Consumer Reports magazine, has urged House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-Va.), and Ranking Member Cliff Stearns to make major changes to the draft privacy legislation released May 3, 2010. While Consumers Union lauded certain measures in the bill including requirements that online entities give notice and obtain consent before changing privacy practices with regard to previously obtained information, "there are certain features of the proposal that cause us concern." Ellen Bloom, Consumers Union's director of federal policy, wrote that the consumer group was concerned that "the bill appears to exclusively rely on the notice and choice model, which has been shown to be particularly ineffective in protecting consumer privacy online." The group criticized a provision in the bill that would eliminate private rights of action against those violating provisions of the law.

Consumers Union also recommended changes in the definitions of “covered information” and “sensitive information” to allow for future modifications to the definitions in order to incorporate changes in technology. Those definitions are crucial to the bill, because users must proactively opt out of the collection of information that is not “sensitive” but information that is sensitive cannot be collected unless users affirmatively opt in.

Google Faces Lawsuits Over Wi-Fi Data Collection: In three separate lawsuits, plaintiffs claim that Google’s collection of Wi-Fi user data has violated state and federal privacy laws. Earlier this month, Google admitted that the camera-equipped cars it uses to gather Street View pictures have collected private information from unencrypted wireless networks for three years. Google asserts that the collection was inadvertent and resulted from a programming error that included code for an experimental project within the Street View code.

The Massachusetts lawsuit, filed by Galaxy Services International, seeks class-action status for all Massachusetts Wi-Fi users who may have been affected. The Oregon suit seeks class-action status for residents in Oregon OR in Washington state who may have been affected. The California suit goes further, seeking to include all U.S. residents. Google is also facing inquiries from several countries regarding its data collection, and some countries, including Ireland, already have ordered Google to destroy the information it obtained. The House Judiciary Committee has also launched an inquiry.

Congress Debates Mandatory Black Boxes in New Cars: A bill introduced by Rep. Jackier Speier (D-Calif.) requiring black boxes strong enough to withstand immersion in fire or water and high-speed rollover crashes in all new cars is being debated in the house. The bill passed the House Energy and Commerce Committee on May 27, 2010, despite complaints from Republican members that the bill could violate drivers’ policies. Privacy advocates are concerned about how the information will be stored and the extent to which it can be accessed and utilized.

Facebook Announces Simpler Privacy Controls: On May 26, 2010, Facebook, Inc. CEO Mark Zuckerberg, announced that Facebook has simplified its privacy settings. In the last few weeks, scrutiny of Facebook’s privacy policies has intensified. Facebook also is the subject of a class action lawsuit that alleges that Facebook “knowingly, willfully, unlawfully and intentionally without authorization divulged confidential and private information relating to plaintiff and the class' electronic communications.” The changes announced by Zuckerberg include one control for all user content, easy options for opting out of site applications, and better controls for basic information.

Upcoming Events:
Womble Carlyle Presents a WEBINAR – Planning and Response: Surviving a Data Breach (June 16, 2010; 12:00-1:00PM EDT). Join Heartland Payment Systems General Counsel, Charles Kallenbach, and Womble Carlyle privacy professionals as they discuss the best ways to handle data incidents – from advance preparation to responding to the breach, addressing litigation and official inquiries. For more information and to register, click here.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.