Friday, December 3, 2010, 3:00 PM

Privacy Bulletin: Issue No. 49

In the News

FTC Issues Preliminary Staff Report Regarding Consumer Privacy and Seeks Comments on Proposal by January 31, 2011: On December 1, 2010, the FTC proposed a framework for how companies that collect consumer data should protect consumers’ privacy. Entitled “Protecting Consumer Privacy in an Era of Rapid Change,” the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be linked to a specific consumer, computer, or device. The proposed framework contains three components: (1) “privacy by design” pursuant to which companies would build privacy protections into their everyday business practices; (2) notice and choice to consumers about a company’s data practices in a simpler, more streamlined manner than has been done in the past; and (3) improved transparency of all data practices, including those of non-consumer facing businesses. The FTC has proposed various protections to implement each of these three components. As one example, with regard to consumer choice, the FTC has proposed “Do Not Track,” which would require companies to include a setting, similar to a cookie, on a consumer’s browser that would signal the consumer’s choices about being tracked and receiving targeted ads. The FTC seeks comments on the proposed framework and the protections contained therein by January 31, 2011.

House Energy and Commerce Committee Holds Privacy Hearing: On December 2, 2010, the House Energy and Commerce Committee held a hearing to address whether to write legislation to mandate a “Do Not Track” mechanism as discussed in the FTC report. The Commission testified about the “Do Not Track” option, which it called the “most practical way” to provide consumers with choices about online behavioral advertising. The Commission stressed that Do Not Track legislation, if enacted, should not “undermine the benefits online behavioral advertising provides consumers” or require maintenance of a distinct registry of users. The Commission also urged Congress to give it rulemaking authority and the ability to fine violators.

On a related issue, on the heels of the release of the FTC report, Senator John Kerry announced on December 1, 2010, that he would introduce privacy legislation in early 2011.

United Kingdom’s Information Commissioner’s Office Issues First Data Protection Fines: The Information Commissioner’s Office reports that it has issued its first data protection fines. Specifically, the U.K.’s Information Commissioner’s Office has fined the Hertfordshire County Council 100,000 pounds for breaching the U.K. Data Protection Act. The Office also fined an employment service company 60,000 pounds for the loss of an encrypted laptop with personal information of 24,000 individuals who had used community legal advice centers.

FTC Names First Chief Technologist and New Executive Director: The Federal Trade Commission (“FTC”) has appointed Princeton University Professor Edward Felten as its first Chief Technologist, to advise the agency on new technologies and policy issues. Felten is a professor of computer science and public affairs and was the founding director of the Center for Information Technology Policy at Princeton University. He has also consulted with various agencies, including the FTC, where he currently consults. He will start full-time at his new position in January. The appointment has been widely applauded as the FTC enters a new era with an increasing number of high-profile technology cases.

The FTC also announced that Small Business Administration (“SBA”) Chief Operating Officer Eileen Harrington has been appointed to be the FTC’s Executive Director. An experienced choice, Harrington worked at the FTC for 25 years before her tenure at the SBA. While at the FTC, Harrington was awarded the Service to America Medal for leading in the creation of the National Do Not Call Registry in 2004.

White House Privacy Committee Releases Charter: The Subcommittee on Privacy and Internet Privacy, established by the National Science and Technology Council Committee on Technology, released its charter earlier this month. The charter focused on three main deliverables: (i) a white paper examining information privacy in the Internet Age; (ii) Internet Privacy Principles, to be applied domestically and globally; and (iii) coordination of Statements of Administration Policy on privacy and Internet privacy. The Subcommittee, created October 24, 2010, is comprised of representatives from over 15 departments, agencies and federal offices and is co-chaired by Cameron Kerry, the General Counsel of the Department of Commerce, and Christopher Schroeder, Assistant U.S. Attorney General.

Facebook Announces Zero Tolerance Policy for Data Brokers: After discovering that a data broker paid application developers for Facebook users’ information, the social networking site announced it has a “zero tolerance” policy for data brokers. Facebook stated on its Developers Blog that data brokers “undermine the value that users have come to expect from Facebook.” Developers are prohibited from giving data from Facebook to data brokers, and Facebook also announced that it was suspending previous violators from accessing Facebook for 6 months. The policy announcement comes at the same time that Facebook has come under fire itself for a new feature, called “Friendship Pages.” The feature shares public information between “friends” to show the relationship histories between the users. Although the information is already public, some critics have claimed that Facebook should have notified all users of the new feature and given a clear opt-in or opt-out feature.

White House Issues Cloud Computing Guidance: On November 2, 2010, the White House issued “The Proposed Security Assessment and Authorization for U.S. Government Cloud Computing,” a document called the “product of 18 months of collaboration with state and local governments, private sector, NGOs, and academia” by U.S. Chief Information Officer Vivek Kundra. The proposal is intended to help government agencies utilize cloud computing by laying out security requirements that private contractors providing these services must meet. CIO Kundra asked for public comment on the proposal, and all comments are due December 2, 2010.

Homeland Security Committee Announces Cybersecurity Hearing: On November 17, 2010, the Homeland Security and Governmental Affairs Committee held a cybersecurity hearing entitled “Securing Critical Infrastructure in the Age of Stuxnet.” The hearing addressed the security implications of the Stuxnet worm and its potential impact on systems that run the U.S.’s infrastructure. Witnesses included Sean McGurk, acting director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center; Michael J. Assante, president and CEO at the National Board of Information Security Examiners; Dean Turner, the director of the Global Intelligence Network at Symantec Corporation; and Mark W. Gandy, global manager of IT Security and Information Asset Management at Dow Corning Corporation. The hearing was held at 10:30 am at the Dirksen Senate Office Building, room SD-342. Live video of the hearing was made available by the Committee.

NLRB Says Firing Based on Facebook Posts Was Illegal: In a groundbreaking case, the National Labor Relations Board (“NLRB”) has issued a complaint claiming that a company’s firing of an employee who criticized her supervisor on Facebook was an unfair labor practice. This is the first time the labor board has argued that workers’ criticisms of their employers on a social networking site are protected. The NLRB issued the complaint against American Medical Response of Connecticut for firing medical technician Dawnmarie Souza after she called her supervisor a psychiatric patient and referred to the supervisor by derogatory terms on her Facebook page. The NLRB also alleged the company’s Internet policies, which prohibited employees from making disparaging, discriminatory, or defamatory comments about supervisors, co-workers, competitors or the company, were overly broad and interfered with employees’ right to engage in protected activities under Section 7 of the NLRA. A hearing is scheduled for January 25, 2011.

Upcoming Deadlines

FTC Red Flag Enforcement Begins January 1, 2011: In May 2010, the FTC once again extended the enforcement date of its Red Flags rule through December 31, 2010. The FTC has not issued a further extension. Therefore, by January 1, 2011, businesses that maintain covered accounts must have implemented a written identity theft prevention program that has been approved by the company’s board or an appropriate board committee. This enforcement deadline does not affect the enforcement of the “Red Flags Rule” already in place for financial institutions and creditors that are regulated by the federal bank regulatory agencies or the National Credit Union Administration.

GLBA Model Notice Must Be Used by January 1, 2011: Financial institutions regulated under the Gramm-Leach-Bliley Act (as amended by the Financial Services Regulatory Relief Act of 2006) must use the GLBA model privacy notice form if they want to obtain safe harbor protection under the GLBA privacy rules. The purpose of the form is to make privacy notices more transparent to consumers.

Privacy and Data Protection Team

The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

