BLOGS: Privacy and Data Protection

Thursday, February 17, 2011, 12:28 PM

Privacy Bulletin: Issue No. 53

California Court Holds that a Retailer’s Collection of Zip Codes Violates California Credit Card Act

On February 10, 2011, the California Supreme Court issued an opinion in Pineda v. Williams-Sonoma Stores, Inc. regarding the permissibility of a retailer’s collection of consumers’ zip codes under California law. Pineda v. Williams-Sonoma Stores, Inc., No. S178241, February 11, 2011. In this case, the plaintiff alleged that the defendant violated California’s Song-Beverly Credit Card Act of 1971. This Act prohibits businesses from requesting that cardholders provide “personal identification information” during credit card transactions and subsequently recording that information. While paying for a purchase at one of the defendant’s stores, the cashier asked the plaintiff for her zip code. The plaintiff complied, allegedly believing that her zip code was necessary to complete the transaction. The plaintiff alleged that the defendant used her name and zip code to locate her home address. The court held that a zip code constitutes “personal identification information” under the Act, and therefore the defendant violated the Act by requesting and recording the plaintiff’s zip code. Many retailers ask consumers’ to provide their zip codes at point of sale transactions. Retailers should review this practice in light of this opinion.

Franken to Chair New Senate Judiciary Subcommittee on Privacy, Technology and the Law

On Monday, February 14, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) announced the creation of a new subcommittee on Privacy, Technology and the Law, which will be chaired by Sen. Al Franken (D-MN) (see February 14, 2011 press release). Tom Coburn (R-OK) will serve as the subcommittee’s ranking member. The subcommittee is tasked with jurisdiction over:

  • the laws and policies governing the collection, protection, use, and dissemination of commercial information by the private sector;
  • privacy issues with social networking and other websites;
  • enforcement and implementation of commercial information privacy laws and policies; private sector privacy protection technologies;
  • privacy standards for the personally identifiable commercial information; and
  • privacy implications of emerging technologies.


Other Senators on the subcommittee include Chuck Schumer (D-NY), Sheldon Whitehouse (D-RI), Richard Blumenthal (D-CT), Orrin Hatch (R-UT), and Lindsey Graham (R-SC).

Privacy Heats Up on Capitol Hill

Three privacy bills were introduced in early February 2011. Rep. Jackie Speier (D-CA) leads the way in introducing two new bills on February 11, 2011 addressing privacy (see February 11, 2011 press release). The Do Not Track Me Online Act of 2011, H.R. ­­­­­654, directs the Federal Trade Commission to establish standards for the required use of an online opt-out mechanism to allow a consumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use. Rep. Speier also introduced amendments to the Gramm-Leach-Bliley Act (GLB). The Financial Information Privacy Act of 2011, H.R. 653, will amend GLB to require a consumer to opt-in to allow a financial institution to share his or her nonpublic personal information with a nonaffiliated third party. This differs from current GLB in which financial institutions must provide consumers notice and an opportunity to opt-out before the institution can share a consumer’s nonpublic personal information with a nonaffiliated third party. Rep. Bobby Rush (D-IL) also reintroduced privacy legislation that he introduced last year. H.R. 611, the Best Practices Act, would apply to persons who engage in interstate commerce and who collect or store data containing “covered information” or “sensitive information” (see Wall Street Journal’s article on these initiatives).

FTC Announces Settlements with Credit Report Data Resellers Over Lax Data Security, Inadequate Breach Response

The Federal Trade Commission (FTC) released proposed administrative settlements with three credit report data aggregators on February 3, 2011. In a press release, the FTC alleges that the data aggregators allowed clients to access consumer’s credit reports without basic security measures, such as firewalls and updated antivirus software. The FTC further alleges that this lack of basic security measures allowed hackers to access more than 1,800 credit reports without authorization via the clients’ computer networks. After becoming aware of the breaches, the FTC alleges that the data aggregators did not take any steps to add security measures.

The proposed consent orders bar the respondents from violating the Safeguards Rule and require them to:

  • have comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;
  • obtain independent audits of their security programs, every other year for 20 years;
  • furnish credit reports only to those with a permissible purpose; and
  • maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

According to David Vladeck, Director of the FTC's Bureau of Consumer Protection, these cases should send other companies a message that adequate security measures must be taken in order to protect a consumer's information.

Reps. Barton and Markey Ask Facebook for Information about Making User Data Available to Third Party Websites

Rep. Joe Barton (R-TX) and Rep. Edward Markey (D-MA), co-chairmen of the House Bi-Partisan Privacy Caucus asked Mark Zuckerberg, Facebook CEO, to respond to questions about Facebook's proposed plan to make its users' addresses and mobile phone numbers available to third party websites and application developers. In a press release dated February 2, 2011, Reps. Barton and Markey announced that they asked Zuckerberg to respond to the following questions:

  • Would any user information in addition to address and mobile phone number be shared with third party application developers under the feature as originally planned, and was any of this information shared prior to Facebook’s announcement that it would suspend implementation of the feature?
  • What user information will be shared with third party application developers once the feature is re-enabled?
  • What was Facebook’s process for developing and vetting the feature referenced above before the feature was suspended, and what was the process that led Facebook to decide to suspend the rollout of this feature? What is the process Facebook is currently employing to adjust the feature prior to re-enabling it?
  • What are the internal policies and procedures for ensuring that new features developed by Facebook comply with Facebook’s own privacy policy, and does the company consider this a material change to its privacy policy?
  • What consideration was given to risks to children and teenagers posed by enabling third parties access to their home addresses and mobile phone numbers through Facebook when designing the new feature?
  • What is the opt-in and opt-opt option for this new feature?
  • Why is Facebook, after previously acknowledging in a letter to Reps. Markey and Barton that sharing a Facebook User ID could raise user concerns, subsequently considering sharing access to even more sensitive personal information such as home addresses and phone numbers to third parties?

These questions follow a request by the two Representatives sent to Facebook about companies allegedly gaining access to Facebook users’ personal information without their consent or knowledge.

Class Action filed against McDonald’s, CBS, Microsoft in New York for Behavioral Advertising Practices

Following the filing of a class action lawsuit against Interclick for its behavioral advertising practices, Plaintiff Sonal Bose, as a representative of the class, filed a related class action lawsuit against McDonald’s, CBS, Mazda Motor of America, and others for their engagement of Interclick to conduct behavioral advertising campaigns and engage in browser history sniffing (Bose v. McDonald's Corp., et al., Civil Action No. 1:10-cv-09569 S.D.NY). Plaintiffs alleged that Defendant’s ad campaigns were used as a cover to data mine computers of Plaintiffs to identify websites Plaintiffs had previously visited. Specifically, the Plaintiffs alleged that Defendants “used browser history sniffing to identify defendants’ competitors with whom consumers communicated” and that this information was subsequently merged into Interclick’s database and eventually resulted in the deanonymization of data in consumer profiles such that they contain consumer’s personally identifiable information. These actions, Plaintiffs allege, violate the Computer Fraud and Abuse Act; the Electronic Communication Privacy Act; New York General Business Law Section 349 and common law and, as a result, Plaintiffs are entitled to injunctive relief and applicable damages.

Upcoming Deadlines

February 18, 2011 Deadline for Commenting on Privacy Report

Comments on the Federal Trade Commissions privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers” are due on February 18, 2011. The report, published on December 1, 2010, would apply a framework for consumer privacy protection for commercial entities that collect, maintain, share, or otherwise use consumer data that can be linked to a specific consumer, computer or device. The report contains a number of questions set forth by FTC staff for public comment.

February 28, 2011 Deadline for Commenting on NIST’s Draft Cloud Computing Reports

The National Institute of Standards and Technology has requested comments on two draft reports concerning cloud computing by February 28, 2011. The first report, “Guidelines on Security and Privacy in Public Cloud Computing” (Draft NIST Special Publication 800-144), provides an overview of the security and privacy challenges surrounding cloud computing and provides recommendations that organizations should consider when utilizing a public cloud environment. Comments may be sent via email to 800-144comments@nist.gov. The second report, “A NIST Definition of Cloud Computing” (Draft NIST Special Publication 800-145), restates the existing definition of NIST cloud computing as a formal NIST publication. Comments may be sent via email to 800-145comments@nist.gov by February 28, 2011. Although NIST recommendations are made to the federal government, they are relevant to private sector businesses.

Wednesday, February 2, 2011, 12:33 PM

Privacy Bulletin: Issue No. 52

In the News
Supreme Court Finds Privacy Rights of U.S. Workers Outweighed by Government Security Interests: On January 19, 2011, the U.S. Supreme Court ruled in NASA v. Nelson, No. 09-530, that the federal government has broad discretion to make inquiries of workers and their job references. The Court overruled the 9th Circuit’s findings that questioning workers about prior drug counseling and treatment and asking their references for adverse information about them violated workers’ rights to privacy. The Court declined to address whether the questions implicated privacy rights. The Court instead focused on the government’s interest in protecting against security risks, effectively limiting its decisions to cases involving government workers. Some privacy advocates believe the case may ultimately have more far-reaching implications, especially as it comes months after the Court decided in Quon that text message searches by government agencies can be constitutionally conducted. The decision was decided 8-0, with Justices Scalia and Thomas concurring, noting that they believe that the Constitution does not protect informational privacy. Justice Elena Kagan recused herself from the case due to prior involvement in the case.

Supreme Court Considers Whether Corporations Can Invoke FOIA Privacy Provision: On January 19, 2011, the Supreme Court heard oral arguments in FCC v. AT&T, No. 09-1279 to determine whether 5 U.S.C. 552(b)(7)(C), which exempts from FOIA requirements all disclosures that could reasonably be expected to constitute an unwarranted invasion of "personal privacy," protects the privacy of corporate entities. AT&T objects to certain disclosures requested by competitor Comptel in 2005 relating to a 2004 FCC investigation of the telephone company’s billing practices. The 3rd Circuit, in finding for AT&T in the case below, held that “Corporations, like human beings, face public embarrassment, harassment and stigma because of” involvement in law enforcement investigations and should, therefore, be protected from disclosing the results of those investigations to the public.

South Carolina State Insurance Program Breached: On January 14, 2011, the state Budget and Control Board notified individuals insured by the State Employee Insurance Program that their personal information may have been breached. A computer virus attack may have compromised the personal information of up to 5,600 state employees and their dependents, officials say. A spokesman for Governor Nikki Haley said that the state Budget and Control Board had just voted to hire a new director, Eleanor Kitzman, who will ensure “something like this never happens again.”

Rep. Cohen Reintroduces Legislation to Limit Use of Credit Reports by Employers: On January 20, 2011, U.S. Representative Steve Cohen (D-Tenn.) reintroduced the Equal Employment for All Act (H.R. 321) in the House. The Act would prohibit employers from using the credit reports of employees and prospective employees to make employment decisions including hiring, promotions, transfers and terminations. The practice of using credit reports to make employment decisions has been criticized by the Equal Employment Opportunity Commission which recently filed a class action suit claiming the process violates the Civil Rights Act because it has a disparate impact on minorities. Rep. Cohen first introduced the Equal Employment for All Act in August 2009.

California State Senator Reintroduces Data Protection Bill Previously Vetoed by Governor: On January 20, 2011, California state Senator Joe Simitian introduced a data protection measure that describes the specific information which must be disclosed in each data breach notification and requires that the Attorney General of the state be notified for breaches affecting over 500 residents. The same bill was passed by the California legislature last year but was vetoed by Governor Schwarzenegger. The current breach notification law was written by Senator Simitian in 2002, and it has served as a model for numerous other states’ data breach laws.

North Carolina DHHS Clients’ Personal Information Compromised: The North Carolina Department of Health and Human Services has announced that the Division of Services for the Deaf and the Hard of Hearing (“DSDHH”) may have inadvertently thrown out computer disks containing the personal information of North Carolinians who had applied for services from DSDHH’s Equipment Distribution Service between January 2005 through December 2008. DSDHH Director Jan Withers announced that all information maintained by the agency has been encrypted since 2008.

Oregon Senator Pushes for Heightened Process to Obtain Location-Based Information: Senator Ron Wyden (D.- Oreg.) has announced he will introduce a bill requiring law enforcement officials to obtain court-ordered warrants in order to access location-based information from mobile devices. The issue of location-based privacy has gained traction since the United States District Court for the District of Columbia ruled in August that warrantless tracking of an individual’s location through electronic means, as opposed to following a suspect to ascertain his destination on a given trip, violated his Fourth Amendment rights. Sen. Wyden said that, far from hampering a police officer’s ability to do his job, a federal law regulating when a warrant is required to follow a suspect would provide law enforcement with the legal clarity needed to undertake investigations.

Upcoming Deadlines
FTC Moves Comment Deadline for Privacy Report to February 18, 2011: The Federal Trade Commission has granted an extension for responding to its privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” The report, published on December 1, 2010, would apply a framework for consumer privacy protection for commercial entities that collect, maintain, share or otherwise use consumer data that can be linked to a specific consumer, computer or device. Comments on this paper were initially to be due January 31, 2011.

Privacy and Data Protection Team
The attorneys in Womble Carlyle’s Privacy and Data Protection Team provide a wide array of privacy services to clients. We work with clients to assess their privacy and data security obligations, and then develop a compliance plan and controls to meet their needs. This includes privacy and security assessments; drafting and reviewing policies and procedures; training employees; managing privacy risks in contracts and mergers and acquisitions; and providing dedicated staffing for client privacy projects and ongoing privacy management. Our team does not operate in a vacuum—our goal is to help clients avoid pitfalls in privacy and data protection so they can focus on their core business. We also assist clients when privacy protections do not work by helping clients address security breaches. The firm also assists clients regarding monitoring and affecting privacy and data protection legislation and regulations. Should the need arise, we aggressively represent our clients in litigation and in agency or law enforcement matters.

back to top