Privacy Bulletin: Issue No. 36

In the News
LifeLock and FTC Settle for $12 Million: On March 9, 2010, FTC Chairman Jon Leibowitz announced that Lifelock, Inc., a provider of identity theft protection services, would pay $11 million to the FTC and $1 million to 35 state attorneys to settle charges that LifeLock used false claims to promote its services. Among other allegations, the FTC alleged that LifeLock's security measures did not protect against the misuse of existing account information. The FTC also alleged that LifeLock made the following false claims: that it would prevent unauthorized changes to customers’ address information; that it constantly monitored activity on customer credit reports; and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC will provide refunds to consumers from the $11 million it will receive in the settlement. Lifelock also will be barred from making deceptive claims and will be required to heighten the security measures it takes to safeguard personal information of its clients.

New Hampshire House Passes Bill Restricting Use of Biometric Data: On March 3, 2010, the New Hampshire House of Representatives passed a bill that would ban the collection of biometric data for identification purposes (except for use in employee identification cards) or as a condition of doing business with, engaging in any business activity or relationship with, or obtaining services from, an agency or entity. For the purpose of the bill, “biometric data” includes fingerprints, palm prints, facial feature pattern characteristics, characteristics of a handwritten signature, voice data, iris recognition data containing color or texture patterns or codes, keystroke dynamics, measuring pressure applied to key pads, hand geometry, retinal scans, and DNA or RNA. If the law is ultimately passed, it will take effect January 1, 2011.

Shopper Cards Used to Trace Salmonella: On March 11, 2010, the Centers for Disease Control (“CDC”) posted an update on a multi-state salmonella outbreak in which it stated that "[Grocery store] shopper card information was successfully used to determine specific brands of a product suspected to cause illness." The CDC asked supermarkets for buying information on victims beginning last winter to determine the source of the outbreak. Although the CDC first gained consent from the patients whose card information it accessed, and focused only on suspect products (products that could contain salmonella) some privacy advocates and long-time critics of these shopper cards are concerned that the practice could lead to mandatory use of the cards.

Maine Repeals Law Restricting Access to Minors’ Personal Information: A state legislative committee voted Thursday to repeal a controversial 2009 Maine law, entitled "An Act to Prevent Predatory Marketing Practices Against Minors." The Attorney General previously has stated she would not enforce the law, which requires companies to obtain parental consent before collecting personal or health information from minors and bans the sale or transfer of health information about minors that identifies individual minors, regardless of how the data was collected. NetChoice, whose members include AOL, eBay, News Corp., and Yahoo, challenged the law last year in the U.S. District Court for the District of Maine. The Court dismissed the lawsuit because of the Attorney General’s decision not to enforce the law. Maine's full legislature will vote on whether to repeal the law later this spring.

NetFlix Cancels Contest After Privacy Lawsuit, "Discussions" with FTC: Netflix, the online and over-the-mail video rental company, announced on March 12, 2010, that it will cancel its “Netflix Prize” contest due to privacy concerns. The new contest is a sequel to a contest launched in 2006, in which NetFlix made available arguably anonymous data to contest participants in an effort to improve its movie recommendation algorithm. The prior contest was the object of a lawsuit brought in December, in which the petitioners claimed that NetFlix inappropriately disclosed customer information. Although NetFlix had attempted to make available anonymous data, researchers had been able to re-identify certain individuals. The contests drew the attention of the FTC. The FTC and NefFlix convened a series of discussions, and, as a result, NetFlix agreed to suspend its contest and to make several voluntary commitments regarding future use of data. For example, NetFlix agreed to release data only to researchers who would contractually agree to limits on the use of that data. NetFlix’s commitments are described in the March 12, 2010 letter from the FTC to Netflix.

Agenda Released for Final FTC Roundtable on Consumer Privacy: On March 10, 2010, the FTC released the agenda for its final roundtable on consumer privacy issues, scheduled for March 17, 2010. The meeting, which is open to the public and available via webcast at ftc.gov, includes panels on Internet architecture and privacy issues, health information and other sensitive information, and a wrap-up discussion on the outcome of all three roundtables and possible next steps. The roundtable will be held at the FTC Conference Center, 601 New Jersey Ave,. NW Washington DC, 20001. Comments on the discussions at the final roundtable will be accepted through April 14, 2010.

Privacy and Data Protection Team
The attorneys in Womble Carlyle's Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

If you have any questions, please contact Jennifer Kashatus (email; 202-857-4506), Sarah Miller (email; 202-857-4448) or any member of our Privacy and Data Protection Team.

Federal Trade Commission Enters Into Settlement with Tenant Screener for Alleged Violations of the Fair Credit Reporting Act

In February 2010, the Federal Trade Commission (“FTC”) entered into a settlement with First Advantage SafeRent, Inc. (“SafeRent”) stemming from allegations that SafeRent violated the Fair Credit Reporting Act (“FCRA”) by failing to provide renters with proper access to their files. SafeRent compiles reports for landlords on prospective tenants, which include eviction history, lease and payment information, and the results of criminal background checks.

Under FCRA, SafeRent is required to make certain information available to consumers and to enable them to dispute and correct that information in a timely manner. SafeRent, however, refused to accept consumers’ faxed requests for files or to update information. Instead, upon receipt of a faxed request, SafeRent allegedly rejected the faxed requests and directed the consumer to mail in a new request, thus imposing delay into the record process, and potentially preventing consumers from obtaining their desired rental property.

The FTC alleged that SafeRent’s practices violated FCRA and constituted an unfair and deceptive trade practice under the FTC Act. SafeRent settled the dispute with the FTC, agreeing to pay a $100,000 civil penalty. Under the settlement, SafeRent also is required to disclose the contents of a tenant’s file upon the consumer's request and to investigate all reports when the tenant disputes their accuracy.

The FTC’s recent action demonstrates its continued enforcement of consumer protection requirements. Companies subject to FCRA should examine their practices for updating consumer information, and ensure that such practices enable consumers to obtain information and correct misinformation in a timely manner.

To view a printer friendly version of this client alert, click here.

Contact Information

If you have any questions regarding these issues, please contact Jennifer Kashatus at (202) 857-4506 or email, or Pamela Rothenberg at (202) 857-4422 or email, or any of our Privacy or Multifamily Real Estate attorneys.

Privacy Bulletin: Issue No. 35

In the News
Google Heads Guilty of Failure to Comply with Privacy Code: An Italian court convicted three Google executives in criminal court for a display of a video on Google’s website that the executives did not create, upload, or review. The court found Google Privacy Counsel Peter Fleischer, Chief Legal Officer David Drummond, and former Chief Financial Officer George Reyes guilty of violating the Italian privacy code by allowing a disparaging video, showing teenage boys bullying a disabled child. Prosecutors alleged that Google failed to take down the video months after the company began receiving complaints, but Google claims it took the video down as soon as it received notice. The decision raises questions regarding free expression and the liability of executives for the content posted on their website. Google executives intend to appeal the decision.

Google’s privacy challenges are not confined to Italy; it has also faced challenges in the United States resulting from the introduction of its new social network, Buzz. A Harvard law student has filed a class action lawsuit against Google, alleging breaches of the Federal Electronic Communications Privacy Act, the Federal Computer Fraud and Abuse Act and the Federal stored Communications Act, due to privacy practices of Google’s network. In the lawsuit, the complainants allege that Google introduced Buzz into the Gmail accounts of Google users that did not request the service, automatically created networks from Gmail contacts, and allowed private information to be published. The lawsuit came on the heels of an FTC complaint filed by the Electronic Privacy Information Center about Google Buzz.

HHS Focuses on Privacy: On February 16, 2010, the Department of Health and Human Services named Joy Pritts, assistant professor at Georgetown University’s Health Policy Institute, as its chief privacy officer- a new position at HHS. As chief privacy officer, Pritts will advise Dr. David Blumenthal, the national coordinator for health IT, on forming policies on privacy, security and data stewardship of electronic health information. The HHS Office for Civil Rights launched a website listing entities that have reported large breaches of health information.

Massachusetts Data Protection Laws Take Effect: On March 1, 2010, stringent data protection laws went into effect in Massachusetts. The new rules require any company that holds the personal information of Massachusetts residents (whether as consumers or employees) to create and implement a comprehensive information security program.

Facebook Beacon Privacy Suit- Decision Delayed: U.S. District Court Judge Richard Seeborg postponed a decision on whether to approve the proposed $9.5 million settlement agreement proposed in the Facebook Beacon targeted advertising class action. Under the terms of the agreement, Facebook would be required to shut Beacon down permanently and contribute $6 million to a new privacy foundation. The Beacon program, launched in November 2007, published information about users purchasers at specific retailers. Several petitioners, including consumer advocacy groups, have asked Seeborg to reject the settlement, because, as it is written, Facebook would have some control over the new privacy foundation, and because it only provides monetary damages to the 19 Facebook members who initially brought suit.

FTC Fines Tenant Screener for Renter File Access and Remediation Delays: On February 9, 2010, the FTC fined First Advantage SafeRent, Inc., a company that compiles reports for landlords on prospective tenants, including history of evictions, lease and payment information, and criminal background checks, for failing to allow renters proper access to their files and to contest disputed information as required by the Fair Credit Reporting Act. The FTC alleged that SafeRent violated provisions of the Fair Credit Reporting Act and engaged in unfair and deceptive practices in contravention of the FTC Act by failing to respond to requests by consumers in a timely manner. SafeRent allegedly advised consumers that faxed their requests that they would have to be mailed instead. The FTC said this practice contravenes the FCRA and could cause tenants to lose out on rental property opportunities.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.