Privacy Bulletin: Issue No. 53

California Court Holds that a Retailer’s Collection of Zip Codes Violates California Credit Card Act

On February 10, 2011, the California Supreme Court issued an opinion in Pineda v. Williams-Sonoma Stores, Inc. regarding the permissibility of a retailer’s collection of consumers’ zip codes under California law. Pineda v. Williams-Sonoma Stores, Inc., No. S178241, February 11, 2011. In this case, the plaintiff alleged that the defendant violated California’s Song-Beverly Credit Card Act of 1971. This Act prohibits businesses from requesting that cardholders provide “personal identification information” during credit card transactions and subsequently recording that information. While paying for a purchase at one of the defendant’s stores, the cashier asked the plaintiff for her zip code. The plaintiff complied, allegedly believing that her zip code was necessary to complete the transaction. The plaintiff alleged that the defendant used her name and zip code to locate her home address. The court held that a zip code constitutes “personal identification information” under the Act, and therefore the defendant violated the Act by requesting and recording the plaintiff’s zip code. Many retailers ask consumers’ to provide their zip codes at point of sale transactions. Retailers should review this practice in light of this opinion.

Franken to Chair New Senate Judiciary Subcommittee on Privacy, Technology and the Law

On Monday, February 14, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) announced the creation of a new subcommittee on Privacy, Technology and the Law, which will be chaired by Sen. Al Franken (D-MN) (see February 14, 2011 press release). Tom Coburn (R-OK) will serve as the subcommittee’s ranking member. The subcommittee is tasked with jurisdiction over:

• the laws and policies governing the collection, protection, use, and dissemination of commercial information by the private sector;
• privacy issues with social networking and other websites;
• enforcement and implementation of commercial information privacy laws and policies; private sector privacy protection technologies;
• privacy standards for the personally identifiable commercial information; and
• privacy implications of emerging technologies.

Other Senators on the subcommittee include Chuck Schumer (D-NY), Sheldon Whitehouse (D-RI), Richard Blumenthal (D-CT), Orrin Hatch (R-UT), and Lindsey Graham (R-SC).

Privacy Heats Up on Capitol Hill

Three privacy bills were introduced in early February 2011. Rep. Jackie Speier (D-CA) leads the way in introducing two new bills on February 11, 2011 addressing privacy (see February 11, 2011 press release). The Do Not Track Me Online Act of 2011, H.R. ­­­­­654, directs the Federal Trade Commission to establish standards for the required use of an online opt-out mechanism to allow a consumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use. Rep. Speier also introduced amendments to the Gramm-Leach-Bliley Act (GLB). The Financial Information Privacy Act of 2011, H.R. 653, will amend GLB to require a consumer to opt-in to allow a financial institution to share his or her nonpublic personal information with a nonaffiliated third party. This differs from current GLB in which financial institutions must provide consumers notice and an opportunity to opt-out before the institution can share a consumer’s nonpublic personal information with a nonaffiliated third party. Rep. Bobby Rush (D-IL) also reintroduced privacy legislation that he introduced last year. H.R. 611, the Best Practices Act, would apply to persons who engage in interstate commerce and who collect or store data containing “covered information” or “sensitive information” (see Wall Street Journal’s article on these initiatives).

FTC Announces Settlements with Credit Report Data Resellers Over Lax Data Security, Inadequate Breach Response

The Federal Trade Commission (FTC) released proposed administrative settlements with three credit report data aggregators on February 3, 2011. In a press release, the FTC alleges that the data aggregators allowed clients to access consumer’s credit reports without basic security measures, such as firewalls and updated antivirus software. The FTC further alleges that this lack of basic security measures allowed hackers to access more than 1,800 credit reports without authorization via the clients’ computer networks. After becoming aware of the breaches, the FTC alleges that the data aggregators did not take any steps to add security measures.

The proposed consent orders bar the respondents from violating the Safeguards Rule and require them to:

• have comprehensive information security programs designed to protect the security, confidentiality, and integrity of consumers’ personal information, including information accessible to clients;
• obtain independent audits of their security programs, every other year for 20 years;
• furnish credit reports only to those with a permissible purpose; and
• maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.

According to David Vladeck, Director of the FTC's Bureau of Consumer Protection, these cases should send other companies a message that adequate security measures must be taken in order to protect a consumer's information.

Reps. Barton and Markey Ask Facebook for Information about Making User Data Available to Third Party Websites

Rep. Joe Barton (R-TX) and Rep. Edward Markey (D-MA), co-chairmen of the House Bi-Partisan Privacy Caucus asked Mark Zuckerberg, Facebook CEO, to respond to questions about Facebook's proposed plan to make its users' addresses and mobile phone numbers available to third party websites and application developers. In a press release dated February 2, 2011, Reps. Barton and Markey announced that they asked Zuckerberg to respond to the following questions:

• Would any user information in addition to address and mobile phone number be shared with third party application developers under the feature as originally planned, and was any of this information shared prior to Facebook’s announcement that it would suspend implementation of the feature?
• What user information will be shared with third party application developers once the feature is re-enabled?
• What was Facebook’s process for developing and vetting the feature referenced above before the feature was suspended, and what was the process that led Facebook to decide to suspend the rollout of this feature? What is the process Facebook is currently employing to adjust the feature prior to re-enabling it?
• What are the internal policies and procedures for ensuring that new features developed by Facebook comply with Facebook’s own privacy policy, and does the company consider this a material change to its privacy policy?
• What consideration was given to risks to children and teenagers posed by enabling third parties access to their home addresses and mobile phone numbers through Facebook when designing the new feature?
• What is the opt-in and opt-opt option for this new feature?
• Why is Facebook, after previously acknowledging in a letter to Reps. Markey and Barton that sharing a Facebook User ID could raise user concerns, subsequently considering sharing access to even more sensitive personal information such as home addresses and phone numbers to third parties?

These questions follow a request by the two Representatives sent to Facebook about companies allegedly gaining access to Facebook users’ personal information without their consent or knowledge.

Class Action filed against McDonald’s, CBS, Microsoft in New York for Behavioral Advertising Practices

Following the filing of a class action lawsuit against Interclick for its behavioral advertising practices, Plaintiff Sonal Bose, as a representative of the class, filed a related class action lawsuit against McDonald’s, CBS, Mazda Motor of America, and others for their engagement of Interclick to conduct behavioral advertising campaigns and engage in browser history sniffing (Bose v. McDonald's Corp., et al., Civil Action No. 1:10-cv-09569 S.D.NY). Plaintiffs alleged that Defendant’s ad campaigns were used as a cover to data mine computers of Plaintiffs to identify websites Plaintiffs had previously visited. Specifically, the Plaintiffs alleged that Defendants “used browser history sniffing to identify defendants’ competitors with whom consumers communicated” and that this information was subsequently merged into Interclick’s database and eventually resulted in the deanonymization of data in consumer profiles such that they contain consumer’s personally identifiable information. These actions, Plaintiffs allege, violate the Computer Fraud and Abuse Act; the Electronic Communication Privacy Act; New York General Business Law Section 349 and common law and, as a result, Plaintiffs are entitled to injunctive relief and applicable damages.

Upcoming Deadlines

February 18, 2011 Deadline for Commenting on Privacy Report

Comments on the Federal Trade Commissions privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers” are due on February 18, 2011. The report, published on December 1, 2010, would apply a framework for consumer privacy protection for commercial entities that collect, maintain, share, or otherwise use consumer data that can be linked to a specific consumer, computer or device. The report contains a number of questions set forth by FTC staff for public comment.

February 28, 2011 Deadline for Commenting on NIST’s Draft Cloud Computing Reports

The National Institute of Standards and Technology has requested comments on two draft reports concerning cloud computing by February 28, 2011. The first report, “Guidelines on Security and Privacy in Public Cloud Computing” (Draft NIST Special Publication 800-144), provides an overview of the security and privacy challenges surrounding cloud computing and provides recommendations that organizations should consider when utilizing a public cloud environment. Comments may be sent via email to 800-144comments@nist.gov. The second report, “A NIST Definition of Cloud Computing” (Draft NIST Special Publication 800-145), restates the existing definition of NIST cloud computing as a formal NIST publication. Comments may be sent via email to 800-145comments@nist.gov by February 28, 2011. Although NIST recommendations are made to the federal government, they are relevant to private sector businesses.