Privacy Bulletin: Issue No. 56
In a bipartisan effort to address privacy issues, on April 12, 2001, Sen. John Kerry (D-Ma) and Sen. John McCain (R-Az.) introduced “The Commercial Privacy Bill of Rights Act of 2011” (SB 799). Applicable to any person who collects, uses, transfers or stores personally identifiable information (“PII”), unique identified information (“UII”), or other related information that may be reasonably used to identify a specific individual concerning more than 5,000 individuals during any consecutive 12-month period, the bill set forth three privacy rights such information collecting entities should follow in designing their privacy policies:
The Right to Security and Accountability
- Security measures to protect covered information must be implemented by each affected person.
The Right to Notice, Consent, Access, and Correct Information
- Clear notices must be provided to individuals about collection practices and the purpose for such collection.
- Information collectors must provide individuals with the ability to opt-out of information collection and provide opt-ins for the collection of sensitive PII.
The Right to Data Minimization, Distribution Constraints, and Data Integrity
- Information collectors would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service or use the information for research purposes to correct and improve the transaction or service.
- Information collectors must contract with third parties to ensure that any information transferred to third parties maintains the same protections required by the Act and that the information is not combined by the third party with other information in order to identify the individual.
In addition to the above privacy rights, the bill also includes provisions that direct the State Attorneys General and Federal Trade Commission (“FTC”) to enforce the bill’s provision, provided that there is no simultaneous enforcement by both and allow the FTC to approve nongovernmental organizations governing of voluntary safe harbor programs that, if joined, would exempt participants from some of the bill’s provisions. The bill would also prevent private rights of action to enforce its provisions and direct the Department of Commerce to coordinate the development of safe harbor programs by conveneing stakeholders.
Increased Email Fraud Expected Following Epsilon Data Breach
On April 1, 2011, Epsilon, one of the largest permission-based email marketing providers, notified its clients that it detected an unauthorized entry into its email system on March 30. Epsilon’s investigation estimated that approximately 2 percent of Epsilon’s clients were affected and that only email addresses and/or an individual’s name were breached. However, the clients affected in the 2 percent of Epsilon’s estimated 2,500 customers include numerous large corporations that fall into a wide-range of industry sectors. A list of all companies affected by the breach can be found here. As the list sounds like a who’s who of businesses, affected companies are warning consumers to beware of email phishing, increased spam, email fraud and other email scams. Epsilon’s parent company, Alliance Data, is working with federal authorities to further investigate the security breach and will implement any necessary additional security safeguards. It is likely that complete effect of the security breach will not be realized for several months, but any consumers who receive suspicious emails should report such emails to the related company and local authorities.
Google Agrees to 20-Year Privacy Audit Program in Proposed Settlement with FTC
Following allegations that Google used deceptive tactics and violated its privacy policy and its adherance to the EU Safe Harbor by automatically enrolling users and making users previously private profile information searchable and followable in connection with the launch of its social networking platform Buzz, the company entered into a landmark proposed Consent Agreement with the Federal Trade Commission.
As part of the settlement, Google is prohibited from misrepresenting the privacy or confidentiality of its users information and its compliance with its privacy policies and the U.S.-E.U. Safe Harbor. In addition, Google must obtain its users’ consent before sharing their information with third parties if Google modifies its privacy practices contrary to what was in place when the user’s information was collected. Finally, the settlement requires Google to set-up a comprehensive privacy program and have audits conducted every two years for the next twenty years to assess the company’s privacy and data protection practices and confirm compliance with their policies. In connection with its release of the proposed Consent Agreement, the FTC also released an analysis of the proposed consent order and is accepting public comment until May 2, 2011.
The FTC’s requirement for Google to implement a comprehensive privacy program is believed to be the first of its kind. The settlement may start a trend toward the affirmative implementation of privacy programs in the face of allegations of privacy violations and force companies to design privacy mechanisms in their product and service offerings. In fact, in subsequent comments, the FTC has indicated that adopting a comprehensive privacy program that follows the best practices stated in the order is a sound idea for all companies. Those interested in submitting electronic comments on the proposed consent decress should use the following link https://ftcpublic.commentworks.com/ftc/googlebuzz Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.
NJ Feds Allegedly Investigating Privacy Violations of Smart Phone Applications
Following Pandora Media’s April 4 comments in a filing with the U.S. Securities and Exchange Commission that it was subpoenaed for information concerning information-sharing practices by Apple, Android, and other smart phone applications, the Wall Street Journal has reported that federal prosecutors in New Jersey are looking into whether smart phone applications that illegally obtained or transmitted user information is a violation of the Computer Fraud and Abuse Act. This federal investigation comes on the heels of earlier civil class action lawsuits filed by individuals who claim that smart phone applications they downloaded transmitted their personal identifying information to advertisers without consent and a Wall Street Journal article that examined 101 popular smart phone applications and found that more than half sent the device’s unique device identified (“UDID”) or personal details like age and gender to other companies without the user’s awareness or consent. It is unclear which companies are the specific target of the federal investigation (Pandora indicates they were not a specific target of the investigation), but the subpoena could potentially lead to further action by New Jersey and the FTC in the face of complaints of unfair and deceptive trade practices.
Netflix Faces New Class Action Lawsuit Related to Retaining Customer Records
A recent lawsuit filed in California alleges that the popular video rental service violated federal and state law by not destroying records containing personal customer information after those customers cancelled their service. The plaintiffs allege that Netflix improperly retained data relating to both the customers’ payment information and viewing habits. Netflix uses these metrics to recommend similar movies that customers may like, and these personalized recommendations have been an important part of the company’s service model.
But the plaintiffs allege keeping data from former subscribers violates the federal Video Privacy Protection Act, which makes it illegal for companies to disclose customer videotape rentals or purchases. They also claim Netflix violated a California state law that protects customer records.
Last March, Netflix settled a class action suit brought on similar grounds. This time, the plaintiffs are seeking up to $5,500 for each alleged violation. Given that the case was filed on March 11, 2011, the litigation is just beginning and no decision on class certification has yet occurred. Womble Carlyle will be monitoring this case and its potential impact on subscription-based companies that collects customer data.
Social Media Promotion Backfires on Chicago Business
Today many businesses are using social media outlets, such as Twitter, Facebook and LinkedIn, to reach customers and clients. But as indicated by a recent lawsuit filed against one Illinois company, companies are still navigating the proper way to use these tools and protect privacy rights.
A former employee of the Susan Fredman Design Group, a Chicago-based interior design firm, has sued her ex-employer alleging that the company impersonated her on her personal Facebook and Twitter accounts, using those posts to promote the company’s business.
The employee, Jill Maremont, created social media content for the company as part of her job. But while she was in the hospital following a serious auto accident, posts promoting the company still appeared under her name on her personal accounts – posts Maremont says she didn’t write. In the complaint, Maremont says she asked her co-workers to stop impersonating her online, but they continued to do so. The case (Maremont v. Susan Fredman Design Group) is currently being heard in the U.S. District Court, District of Northern Illinois. On March 15th, a judge granted in part and denied in part the defendant’s motion to dismiss.
The lesson here seems obvious, but it bears repeating: businesses should draw a bright line between professional social media accounts designed to promote the business and employees’ personal accounts.
Borrowed Rental Car Carries No Claim to Privacy
If you drive a rental car, but your name is not on the rental agreement, do you have a legitimate claim to privacy if police want to search the car? The U.S. Court of Appeals for the Third Circuit says no. The Court ruled that a person who borrows a rental car has no standing to challenge a search of the car.
The case (United States v. Kennedy) stemmed from the arrest of Shamone Kennedy in Philadelphia. Police impounded the rental car Kennedy had been driving, which had been loaned to him by his girlfriend. When they searched the car, officers found two guns and 200 grams of cocaine. Police then charged Kennedy with additional counts related to this discovery.
Kennedy’s attorneys said the search and seizure was improper. But a U.S. District Court said that since Kennedy wasn’t listed on the rental agreement as a driver of the car, he had no legitimate expectation of privacy and denied the motion. On March 16th, the Court of Appeals upheld that ruling.