<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Privacy and Security Law Blog</title>
      <link>http://www.privsecblog.com/</link>
      <description />
      <language>en</language>
      <copyright>Copyright 2013</copyright>
      <lastBuildDate>Wed, 15 May 2013 08:11:27 -0800</lastBuildDate>
      <pubDate>Wed, 15 May 2013 08:11:27 -0800</pubDate>
      <generator>http://www.movabletype.org</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <feedburner:info uri="privacyandsecuritylawblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://www.privsecblog.com/index.xml" /><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://www.privsecblog.com/index.xml" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare 
href="http://www.plusmo.com/add?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://plusmo.com/res/graphics/fbplusmo.gif">Subscribe with Plusmo</feedburner:feedFlare><feedburner:feedFlare href="http://www.thefreedictionary.com/_/hp/AddRSS.aspx?http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://img.tfd.com/hp/addToTheFreeDictionary.gif">Subscribe with The Free Dictionary</feedburner:feedFlare><feedburner:feedFlare href="http://www.bitty.com/manual/?contenttype=rssfeed&amp;contentvalue=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.bitty.com/img/bittychicklet_91x17.gif">Subscribe with Bitty Browser</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsalloy.com/?rss=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.newsalloy.com/subrss3.gif">Subscribe with NewsAlloy</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://mix.excite.eu/add?feedurl=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://image.excite.co.uk/mix/addtomix.gif">Subscribe with Excite MIX</feedburner:feedFlare><feedburner:feedFlare href="http://www.yourminis.com/subscribe.aspx?u=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.yourminis.com/images/addtoyourminisbadge.gif">Subscribe with Yourminis.com</feedburner:feedFlare><feedburner:feedFlare href="http://download.attensa.com/app/get_attensa.html?feedurl=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.attensa.com/blogs/attensa/WindowsLiveWriter/BadgeredintoBadges_10C02/attensa_feed_button5.gif">Subscribe with Attensa for Outlook</feedburner:feedFlare><feedburner:feedFlare href="http://www.webwag.com/wwgthis.php?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" 
src="http://www.webwag.com/images/wwgthis.gif">Subscribe with Webwag</feedburner:feedFlare><feedburner:feedFlare href="http://hub.netomat.net/account/account.autoSubscribe.jspa?urls=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.netomat.net/blogger/images/icon_netomat_feedbutton.gif">Subscribe with netomat Hub</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><feedburner:feedFlare href="http://www.flurry.com/pushRssFeed.do?r=fb&amp;url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.flurry.com/images/flurry_rss_logo2.gif">Subscribe with Flurry</feedburner:feedFlare><feedburner:feedFlare href="http://www.wikio.com/subscribe?url=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.wikio.com/shared/img/add2wikio.gif">Subscribe with Wikio</feedburner:feedFlare><feedburner:feedFlare href="http://www.dailyrotation.com/index.php?feed=http%3A%2F%2Fwww.privsecblog.com%2Findex.xml" src="http://www.dailyrotation.com/rss-dr2.gif">Subscribe with Daily Rotation</feedburner:feedFlare><item>
         <title>FCC Clarifies Companies' Liability for Third-Party Marketer TCPA Violations</title>
         <description>&lt;p&gt;By:&amp;nbsp; &lt;a href="http://www.dwt.com/people/RonaldGLondon/"&gt;Ronald G. London&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The Federal Communications Commission (FCC) has issued a long-awaited &lt;a href="http://transition.fcc.gov/Daily_Releases/Daily_Business/2013/db0509/FCC-13-54A1.pdf"&gt;declaratory ruling&lt;/a&gt; governing when a company is liable under the Telephone Consumer Protection Act (TCPA), and FCC telemarketing and autodialing rules, for violations committed by a third party that the company authorizes to sell its goods or services but does not directly ask or otherwise engage to telemarket, by holding that the company may be vicariously liable under federal common law principles of agency for TCPA violations that the third party commits.&lt;/p&gt;&lt;p&gt;The FCC ruling arises out of two TCPA cases involving telemarketing of Dish satellite TV services: one, a &amp;ldquo;private attorney general&amp;rdquo; case brought in Ohio federal court, &lt;em&gt;&lt;a href="http://www.ca6.uscourts.gov/opinions.pdf/10a0397p-06.pdf"&gt;Charvat v. EchoStar Satellite&lt;/a&gt;&lt;/em&gt;, and another brought by the United States for the FTC and Attorneys General from California, Illinois, North Carolina, and Ohio in Illinois federal court, &lt;em&gt;&lt;a href="https://ecf.ilcd.uscourts.gov/cgi-bin/HistDocQry.pl?105816770886115-L_ShowDktTxt_1-0-46218-86-404-"&gt;U.S. v. Dish Network&lt;/a&gt;&lt;/em&gt;.&amp;nbsp; Charvat sued EchoStar for calls made by independent contractors who had retailer agreements with EchoStar to advertise, promote and solicit orders for its programming, and to install and activate equipment for receiving it.&amp;nbsp; EchoStar defended on grounds it did not place any illegal calls to Charvat, did not operate or control the equipment that initiated the calls, did not provide the retailers with phone numbers or instruct them to place calls, and &amp;ndash; until Charvat filed suit &amp;ndash; did not even know the retailers made the calls.&amp;nbsp; The government suit involved similar issues.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The trial court dismissed the &lt;em&gt;Charvat&lt;/em&gt; suit, but the U.S. Court of Appeals for the Sixth Circuit, after inviting input from the FCC, referred the question of EchoStar&amp;rsquo;s vicarious liability to the agency under the doctrine of primary jurisdiction.&amp;nbsp; The Illinois court stayed its case pending FCC resolution as well.&amp;nbsp; Petitions invoking the FCC&amp;rsquo;s declaratory ruling authority followed, resulting in the present order.&lt;/p&gt;
&lt;p&gt;Even before &lt;em&gt;Charvat&lt;/em&gt;, it had long been clear that under FCC (and Federal Trade Commission (FTC)) rules, when a company outsources telemarketing calls to be made on its own behalf, and the calls violate the law or rules, both the telemarketer and the company that hired it can be liable.&amp;nbsp; The present ruling addresses what happens when a company simply allows others to market its goods or services, without instructing or encouraging them to telemarket, and the third party places non-compliant calls under the TCPA or hires a telemarketer that does so.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The declaratory ruling clarifies that such a company, &lt;em&gt;i.e.&lt;/em&gt;, the &amp;ldquo;seller&amp;rdquo; in TCPA parlance, is not directly liable unless it initiates the non-compliant call, but may be vicariously liable &amp;ldquo;under a broad range of agency principles, including not only formal agency, but also principles of apparent authority and ratification.&amp;rdquo;&amp;nbsp; The FCC recognized that a seller can concurrently be a telemarketer and thus be directly liable for non-compliant calls &amp;ndash;&amp;nbsp; &lt;em&gt;e.g.&lt;/em&gt;, when it initiates a call on its own behalf, or when it is intrinsically involved in specific calls by third parties by, &lt;em&gt;e.g.&lt;/em&gt;, giving them specific and comprehensive instructions as to calls&amp;rsquo; timing, manner, etc.&amp;nbsp; However, beyond that, actions taken to benefit a seller by a third party, without more, do not trigger TCPA liability for the seller.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Rather, the FCC held, sellers may be liable for non-compliant conduct by third parties marketing the seller&amp;rsquo;s goods or services, if the seller is aware of &amp;ldquo;ongoing conduct encompassing numerous acts&amp;rdquo; by the third party, and the seller fails to terminate the third party and/or promotes or &amp;ldquo;celebrates&amp;rdquo; the third party&amp;rsquo;s conduct.&amp;nbsp; In that circumstance, the seller has the ability, through its authorization to the third party, to oversee the conduct, even if that supervisory power is unexercised.&amp;nbsp; In such cases, liability is determined based on &amp;ldquo;general common law&amp;rdquo; agency-related principles, rather than the law of any particular state, though it is not limited to classical agency principles, but rather also includes apparent authority and ratification as bases for vicarious seller liability.&lt;/p&gt;
&lt;p&gt;Factors for when such liability attaches may include whether the seller grants a third party the ability to access data from or enter information into systems normally under the seller&amp;rsquo;s exclusive control (&lt;em&gt;e.g.&lt;/em&gt;, about the nature and pricing of a seller&amp;rsquo;s products/services, or customer information), the third party&amp;rsquo;s right to use a seller&amp;rsquo;s trade name, trademark, etc., and whether the seller approved, wrote or reviewed the third party&amp;rsquo;s telemarketing scripts.&amp;nbsp; A seller is also responsible for unauthorized conduct of a third party that is otherwise authorized to market on the seller&amp;rsquo;s behalf, if the seller knows (or reasonably should know) the third party is violating the TCPA and/or FCC rules on the seller&amp;rsquo;s behalf, and fails to take effective steps within its power to halt that conduct, similar to &lt;a href="http://www.privsecblog.com/2006/01/articles/federal-regulation/ftc-targets-substantial-assistance-and-support-and-assisting-and-facilitating-in-national-donotcall-registry-enforcement-actions/"&gt;how the FTC has imposed liability under its rules in the past&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;These broad outlines will have to be tested by specific cases, but in the meantime, companies can protect themselves by exercising diligence in selecting and monitoring reputable marketers, and by including indemnification clauses in contracts with third-party marketers.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/5iAGjNH3k6U" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/5iAGjNH3k6U/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/05/articles/main-topics/marketing-consumer-privacy/fcc-clarifies-companies-liability-for-thirdparty-marketer-tcpa-violations/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Tue, 14 May 2013 14:08:55 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/05/articles/main-topics/marketing-consumer-privacy/fcc-clarifies-companies-liability-for-thirdparty-marketer-tcpa-violations/</feedburner:origLink></item>
            <item>
         <title>FTC Denies Requests to Extend Effective Date for COPPA Rule Revisions</title>
         <description>&lt;p&gt;&lt;em&gt;Industry Must Comply by July 1, 2013, Can Look to Expanded FAQs for Guidance on Updated Rules for Information Collection and Disclosure, Parental Notice, and Requirements for Mobile Apps&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;By:&amp;nbsp; &lt;a href="http://www.dwt.com/people/ronaldglondon/"&gt;Ronald G. London&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The FTC has voted to retain the July 1, 2013 &lt;a href="http://www.ftc.gov/opa/2013/05/coppa.shtm"&gt;effective date&lt;/a&gt; for the revisions to its Children&amp;rsquo;s Online Privacy Protection Act (COPPA Rule), shortly after issuing &lt;a href="http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions"&gt;revised &amp;ldquo;Frequently Asked Questions&amp;rdquo; (FAQs) to aid compliance efforts&lt;/a&gt;.&amp;nbsp; The FAQs are a key interpretive resource, because there are few enforcement orders &amp;ndash; and no real court precedents &amp;ndash; that apply COPPA.&lt;/p&gt;
&lt;p&gt;This post highlights some key clarifications and a few areas of uncertainty that remain in the FAQs, as a companion to our earlier &lt;a href="http://www.dwt.com/FTC-Announces-COPPA-Rule-Changes-01-17-2013/"&gt;advisory&lt;/a&gt; on the COPPA Rule revisions.&amp;nbsp; Among other points, we explore guidance provided by the FTC staff in the FAQs regarding:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;How websites and online services subject to COPPA can handle newly added categories of personal information.&lt;/li&gt;
    &lt;li&gt;The relationship between websites and online services subject to COPPA and third parties that collect personal information through such sites or services.&lt;/li&gt;
    &lt;li&gt;The applicability of COPPA to mobile apps and some of the steps app developers/operators must take toward compliance.&lt;/li&gt;
    &lt;li&gt;Additional detail on providing parental notice as streamlined by the COPPA Rule revisions.&lt;/li&gt;
    &lt;li&gt;Steps required before children&amp;rsquo;s personal information may be disclosed to third parties.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;Generally, the FAQs underscore how COPPA&amp;rsquo;s coverage of websites and online services includes mobile apps, as well as &amp;ldquo;Web sites or online services that have actual knowledge [ ] that they are collecting personal information directly from users of another [ ] Web site or online service directed to children.&amp;rdquo;&amp;nbsp; Other notable points among the changes to the FAQs, from those that were posted before the COPPA Rule revision, also include:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Definition of &amp;ldquo;Personal Information&amp;rdquo;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The revised FAQs highlight the addition of new items of &amp;ldquo;personal information&amp;rdquo; under the COPPA Rule, specifically:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Screen or user names that function as online contact information;&lt;/li&gt;
    &lt;li&gt;Persistent identifiers that can be used to recognize a user over time and across different websites or online services;&lt;/li&gt;
    &lt;li&gt;Photo, video, or audio files that contain a child&amp;rsquo;s image or voice; and&lt;/li&gt;
    &lt;li&gt;Geolocation information sufficient to identify street name and name of a city or town.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The FAQs provide the following key qualifications and instructions about these categories of newly included personal information:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Screen/user names that now constitute personal information if they function as online contact information (and not just if they reveal a person&amp;rsquo;s email address), if collected before the updated COPPA Rule&amp;rsquo;s July 1, 2013, effective date, will not be covered by the updated Rule &amp;ndash; &lt;em&gt;i.e.&lt;/em&gt;, it is not necessary to go back and get verifiable parental consent.
    &lt;ul&gt;
        &lt;li&gt;However, the FTC &amp;ldquo;encourages&amp;rdquo; getting parental consent if possible, as a &amp;ldquo;best practice.&amp;rdquo;&amp;nbsp;&lt;/li&gt;
        &lt;li&gt;Moreover, &lt;em&gt;a previously collected screen/user name &lt;u&gt;becomes&lt;/u&gt; subject to the revised Rule once any &lt;u&gt;new&lt;/u&gt; information is associated with it after the effective date. &lt;/em&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;Persistent identifiers that now constitute personal information if usable to recognize users over time and across different websites or online services (rather than only when combined with individually identifiable information) do not require parental consent if collected prior to July 1, 2013, &lt;em&gt;i.e.&lt;/em&gt;, again, no retroactive effect.
    &lt;ul&gt;
        &lt;li&gt;However, &lt;em&gt;if after the effective date a persistent identifier continues to be used to collect information, or has new information associated with it (such as information about a child&amp;rsquo;s activities on a website or online service), that collection triggers COPPA obligations. &lt;/em&gt;&lt;/li&gt;
        &lt;li&gt;Regarding the exception that persistent identifiers are not &amp;ldquo;personal information&amp;rdquo; if used only to &amp;ldquo;support the internal operations&amp;rdquo; of a website or online service:
        &lt;ul&gt;
            &lt;li&gt;Child-directed sites and third-party plug-ins may rely on this exception regardless of whether the identifiers support only a plug-in&amp;rsquo;s own internal operations, or both its own internal operations and those of the website as well.&lt;/li&gt;
            &lt;li&gt;&lt;em&gt;However&lt;/em&gt;, &amp;ldquo;personalizing&amp;rdquo; ad-delivery does not qualify as &amp;ldquo;support for internal operations.&amp;rdquo;&amp;nbsp; The FAQs make clear that the internal operations exception was not intended to include behavioral advertising, but rather, seeks to permit maintenance of &lt;em&gt;user-driven&lt;/em&gt; preferences, such as game scores, or character choices in virtual worlds.&amp;nbsp; The exception does also allow for collection or use of persistent identifiers in connection with &lt;em&gt;contextual&lt;/em&gt; ads.&lt;/li&gt;
        &lt;/ul&gt;
        &lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;Photos, videos or audio-recordings were newly added as personal information, but those acquired prior to the effective date do not require parental consent.
    &lt;ul&gt;
        &lt;li&gt;However, the FTC staff &amp;ldquo;recommends,&amp;rdquo; again, as a &amp;ldquo;best practice,&amp;rdquo; either discontinuing use or disclosure of photos, video and/or audio files after July 1, 2013, or, if possible, obtaining parental consent.&lt;/li&gt;
        &lt;li&gt;The FAQs also clarify that, for moderated websites directed to children that prescreen children&amp;rsquo;s submissions to delete personal information before postings go live, they must either prescreen and delete any photos, videos, or audio recordings of children, &lt;em&gt;even if accompanied by no other information&lt;/em&gt;, or first give parents notice and obtain their consent prior to permitting children to upload such files.
        &lt;ul&gt;
            &lt;li&gt;For child-directed apps that may allow children to upload pictures of subjects &lt;em&gt;other than&lt;/em&gt; themselves, their parents, their friends, etc. &amp;ndash; &lt;em&gt;i.e.&lt;/em&gt;, such as places, pets and the like &amp;ndash; the app operator must:
            &lt;ul&gt;
                &lt;li&gt;Pre-screen children&amp;rsquo;s photos to delete either any photo depicting the child(ren) or that portion of the photo in which they appear, if possible.&lt;/li&gt;
                &lt;li&gt;Remove prior to posting any other personal information &amp;ndash; including, for example, geolocation metadata &amp;ndash; that the photos may contain.&lt;/li&gt;
                &lt;li&gt;Ensure that persistent identifiers are used only to support internal operations of the app and are not used or disclosed to contact a specific individual or for any other purpose.&lt;/li&gt;
            &lt;/ul&gt;
            &lt;/li&gt;
            &lt;li&gt;Notice to and consent from parents is not required if the facial features of children in photos are blurred before posting, provided that any other personal information (such as geolocation metadata) is also removed, and persistent identifiers are used only for internal operations, and are not used or disclosed to contact specific individuals or for other purposes.&lt;/li&gt;
        &lt;/ul&gt;
        &lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;The FAQs reinforce that geolocation information qualifies as personal information if it is precise enough to identify the name of a street and city or town.&amp;nbsp; They also explain that, although the Rule revision newly added geolocation information to the definitional list of &amp;ldquo;personal information,&amp;rdquo; that change merely clarified a pre-existing FTC view.&amp;nbsp; The FAQs also explain that:
    &lt;ul&gt;
        &lt;li&gt;Parental consent is required prior to the collection of geolocation information &lt;em&gt;regardless of the date the collection occurred&lt;/em&gt;.&amp;nbsp;&lt;/li&gt;
        &lt;li&gt;Collecting &amp;ldquo;coarse geolocation information, tantamount to collecting a ZIP code,&amp;rdquo; but nothing more does not trigger COPPA.&amp;nbsp; Collecting longitude and latitude coordinates does.&amp;nbsp;&lt;/li&gt;
        &lt;li&gt;The FAQs do not elaborate on whether 5-digit ZIP codes and ZIP+4 codes should be treated differently, however.&amp;nbsp; The notice of proposed rulemaking that led to the COPPA Rule revisions asked whether ZIP+4 is the equivalent of a physical address that should be included as personal information, but the final rule did not answer that question.&amp;nbsp;&lt;/li&gt;
        &lt;li&gt;The FAQs reinforce that COPPA covers the collection of geolocation information, not just its use or disclosure &amp;ndash; so, simply giving users a choice to turn off geolocation does not avoid COPPA obligations, as the child user makes that choice, not the parent.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Definition of &amp;ldquo;Operator&amp;rdquo;&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The FAQs remind websites and online services directed to children that they are ultimately responsible for the collection of personal information from their users, no matter who does the collecting &amp;ndash; therefore, absent an applicable exception, they must:
    &lt;ul&gt;
        &lt;li&gt;Refrain from collecting &lt;em&gt;or allowing others to collect&lt;/em&gt; personal information, or&lt;/li&gt;
        &lt;li&gt;Provide notice and obtain prior parental consent before collecting or allowing any entity to collect personal information (along with providing all other COPPA protections).&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;While the FAQs explain that the amended Rule &lt;em&gt;does not&lt;/em&gt; require websites and online services directed to children to inform third parties (&lt;em&gt;e.g.&lt;/em&gt;, ad networks and other plug-ins) of the child-directed nature of the site or service, the FAQs also emphasize that, even if the site or service does so inform third parties, that will not, without more, relieve the site or service of its COPPA obligations.&amp;nbsp; The &amp;ldquo;recommendation&amp;rdquo; in the FAQs is that child-directed websites or services do inform third parties and then arrange with them to provide adequate COPPA protections.
    &lt;ul&gt;
        &lt;li&gt;In addition, children-directed websites and online services through which third parties collect personal information should also confirm, where possible, whether the third-party collection falls into an exception (&lt;em&gt;e.g.&lt;/em&gt;, &amp;ldquo;internal support&amp;rdquo; persistent identifiers), or is encompassed within the site&amp;rsquo;s or service&amp;rsquo;s notice and consent.&lt;/li&gt;
        &lt;li&gt;Ultimately, collections of personal information by third parties at child-directed sites and services will in many cases require interaction between the site/service and the third party in order to ensure that all COPPA restrictions and requirements are honored.&amp;nbsp; Alternatively, in some cases external sources and/or indicia may be used to confirm that a third party collecting information at the site/service is doing so in a manner that does not include personal information, or that includes personal information but satisfies an exception in the rules.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;To that end, the revised Rule imposes liability for information collection by or through child-directed sites and services, even if they do not engage in the collection directly.&amp;nbsp; The FAQs recommend that COPPA-covered sites and services take great care with their advertising arrangements, including as follows:
    &lt;ul&gt;
        &lt;li&gt;The FAQs indicate that websites and online services directed to children must understand, before entering an agreement with any entity to serve ads to the site or service, whether there is any way to control the type of ads that appear on the sites and services (by, &lt;em&gt;e.g.&lt;/em&gt;, stipulating or contracting for only contextual ads, or prohibiting behavioral ads or retargeting).&lt;/li&gt;
        &lt;li&gt;COPPA-covered sites should also understand what categories of information will be collected from users on the sites and services in connection with any ads served.
        &lt;ul&gt;
            &lt;li&gt;In particular, the FAQs emphasize examining whether persistent identifiers are collected for purposes other than support for internal operations, and whether geolocation information will be collected in connection with ads.&amp;nbsp;&lt;/li&gt;
            &lt;li&gt;Further, operators of child-directed apps must inquire into the practices of every third party that can collect information via the app, in order to determine whether their presence requires parental notice of and/or prior parental consent to the collection of personal information from children.&lt;/li&gt;
        &lt;/ul&gt;
        &lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;&amp;ldquo;Website or Online Service Directed to Children&amp;rdquo;&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The FAQs explain that the COPPA Rule &amp;ldquo;broadly covers any service available over the Internet, or that connects to the Internet or a wide-area network,&amp;rdquo; and offer as examples services directed to children that:
    &lt;ul&gt;
        &lt;li&gt;allow users to play network-connected games&lt;/li&gt;
        &lt;li&gt;engage in social networking activities&lt;/li&gt;
        &lt;li&gt;purchase goods or services online&lt;/li&gt;
        &lt;li&gt;receive online advertisements, or&lt;/li&gt;
        &lt;li&gt;interact with other online content or services.&amp;nbsp;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;The FAQs also stress that &amp;ldquo;mobile applications that connect to the Internet, Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location-based services&amp;rdquo; may also fall under the COPPA Rule.&lt;/li&gt;
    &lt;li&gt;The FAQs explain that for apps directed to children, it is not necessary for the privacy policy to be included at the app store, at the point of purchase or download (though that is encouraged) &amp;ndash; but note:&amp;nbsp;
    &lt;ul&gt;
        &lt;li&gt;A privacy policy must be posted on the home or landing screen.&lt;/li&gt;
        &lt;li&gt;&lt;em&gt;If a child-directed app is designed to collect personal information as soon as it is downloaded, it would be required to provide notice to parents and obtain verifiable consent at the point of purchase, or to insert a landing page where a parent can receive notice and give consent &lt;strong&gt;before&lt;/strong&gt; the download is complete. &lt;/em&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;The FAQs also stress that sites or services that target children as one of the audiences &amp;ndash; even if not the primary audience &amp;ndash; are still &amp;ldquo;directed to children.&amp;rdquo;&amp;nbsp;
    &lt;ul&gt;
        &lt;li&gt;However, the revised COPPA Rule also provides an accommodation that allows a subset of sites &amp;ldquo;directed to children&amp;rdquo; the option of not treating all visitors as children, &lt;u&gt;if&lt;/u&gt; the site does not target children as its primary audience &lt;u&gt;and&lt;/u&gt; it opts to use age-screening to apply COPPA&amp;rsquo;s safeguards only to visitors who self-identify as younger than 13.&amp;nbsp;
        &lt;ul&gt;
            &lt;li&gt;In those cases, the FAQs underscore that it is forbidden to age-screen and completely block users who identify as being under age 13 from participating in any aspect of the site, even if the site does not target children as the primary audience.&amp;nbsp;&lt;/li&gt;
            &lt;li&gt;Rather, the age screen may be used to differentiate between child and non-child users, after which children may be offered different activities or functions that do not collect personal information &amp;ndash; but it is not permitted to altogether prohibit children from participating in child-directed sites or services.&amp;nbsp;&lt;/li&gt;
            &lt;li&gt;Also, when age-screening, personal information cannot be collected from &lt;em&gt;any&lt;/em&gt; visitor prior to collecting age information, and the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 is prohibited without first complying with the Rule&amp;rsquo;s notice and parental consent provisions.&lt;/li&gt;
        &lt;/ul&gt;
        &lt;/li&gt;
        &lt;li&gt;This does not change the fact, however, that general audience sites and online services that do not target children (as the only, primary or sub-category of audiences) are not required to permit children under 13 to participate in the site or service at all, and may accordingly deny them access entirely.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;The above dovetails with important, more generally applicable acknowledgements in the updated FAQs that children may lie about their age to gain access to sites that age-screen, and that where websites &amp;ldquo;screen [] users for age in a neutral fashion, [they] may rely on the age information [] users enter, even if that age information is not accurate,&amp;rdquo; and even if that &amp;ldquo;may mean that children are able to register on a site or service in violation of the operator&amp;rsquo;s Terms of Service.&amp;rdquo;&amp;nbsp; (However, if it is later determined a particular user is a child under 13, COPPA&amp;rsquo;s notice and parental consent requirements are triggered.)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Parental Notice&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The COPPA Rule requires websites directed to children, or that knowingly collect personal information from children, to post parental notice of their information collection, use, and disclosure practices, in a &amp;ldquo;prominent and clearly labeled&amp;rdquo; manner at the site&amp;rsquo;s home page and at each location where the information is collected.&amp;nbsp;
    &lt;ul&gt;
        &lt;li&gt;The notice must set forth the items of personal information already obtained from the child (generally, contact information only), the purpose of the notice, actions the parent must or can take, and the operator&amp;rsquo;s use of information collected.&amp;nbsp;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;The Rule also requires direct notice to parents in certain circumstances, in which case the notice must also contain a hyperlink to the operator&amp;rsquo;s information practices.&amp;nbsp;
    &lt;ul&gt;
        &lt;li&gt;In such cases, the FAQs emphasize, it is &lt;u&gt;not&lt;/u&gt; sufficient to send a simple email with a link to the website&amp;rsquo;s online privacy policy &amp;ndash; rather, the notice must contain the key information within its four corners, &lt;em&gt;as well as&lt;/em&gt; a link to the online privacy policy.&lt;/li&gt;
        &lt;li&gt;And for apps directed to children, direct notice must be sent to parents prior to collection of any personal information from a child, with the limited exception that collecting parents&amp;rsquo; online contact information is permitted for the sole purpose of sending the direct notice.
        &lt;ul&gt;
            &lt;li&gt;As an alternative, the direct notice may be sent by other means, such as through the device onto which the app is downloaded.&amp;nbsp;&lt;/li&gt;
            &lt;li&gt;&lt;em&gt;However, such device-based delivery of parental notices is allowed &lt;u&gt;only&lt;/u&gt; if that mechanism both provides the notice and obtains consent before any collection of personal information, &lt;u&gt;and&lt;/u&gt; is reasonably designed to ensure it is the parent who receives the notice and provides consent.&lt;/em&gt;&lt;/li&gt;
        &lt;/ul&gt;
        &lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Parental Consent Mechanisms&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The FAQs clarify that mobile apps may not rely on a parent&amp;rsquo;s app store account to serve as verifiable parental consent even if a credit card is attached to it &amp;ndash; mere entry of an app store account number or password, absent other indicia of reliability (&lt;em&gt;e.g&lt;/em&gt;., knowledge-based authentication questions, verification of government IDs, etc.) does not sufficiently assure that the person entering the account or password information is the parent rather than the child.&lt;/li&gt;
    &lt;li&gt;The FAQs also explain that if a third party discovers it has been collecting information via a child-directed service, it must take steps to comply with COPPA, as follows:
    &lt;ul&gt;
        &lt;li&gt;First, it must immediately cease collecting further personal information from users of the child-directed site or service.&amp;nbsp;&lt;/li&gt;
        &lt;li&gt;Second, for users from whom it already has collected personal information, the service must either:
        &lt;ul&gt;
            &lt;li&gt;delete the personal information and close the relevant user accounts, or&lt;/li&gt;
            &lt;li&gt;take the user information offline and initiate the parental notification and consent process, and where the required consent is not promptly obtained, it must delete the personal information and close the account.&lt;/li&gt;
            &lt;li&gt;The FAQs are silent on whether this means that, if segments of personal information that a third party has collected cannot be tracked back to the specific sites from which they were collected, only some of which are later learned to be child-directed, the third party must delete (or get parental consent for) &lt;em&gt;all&lt;/em&gt; of the information in order to comply with COPPA.
            &lt;ul&gt;
                &lt;li&gt;If that personal information is not segregable, the third party nonetheless may not have to delete all the information.&amp;nbsp; Rather, whether it should (or must) do so, and what other steps it might take, will likely be a highly fact-specific inquiry.
                &lt;ul&gt;
                    &lt;li&gt;In some cases, information obtained from what is later learned to be a child-directed site or service may comprise such a small proportion of information the third party collected overall that it would not be necessary to try to identify which subset of the information came from the child-directed site/service.&lt;/li&gt;
                    &lt;li&gt;In other cases, one option would be working with the site(s) or service(s) from which unsegregable information was obtained in order to identify which of it came from a later-discovered child-directed site, then taking appropriate steps only for information confirmed to have originated with the later-discovered child-directed site.&lt;/li&gt;
                &lt;/ul&gt;
                &lt;/li&gt;
            &lt;/ul&gt;
            &lt;/li&gt;
        &lt;/ul&gt;
        &lt;/li&gt;
        &lt;li&gt;Third parties that collect information, if they have not done so already, may want to ensure they can identify the origin of all information collected &amp;ndash; for example, by recording the source site or service against each record at the time of collection &amp;ndash; so that data from a later-discovered child-directed source can be segregated and deleted (or consented to) without affecting the rest.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Confidentiality and Security Requirements&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The FAQs reinforce the requirement to retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected, and to thereafter delete the information via reasonable measures that protect against unauthorized access or use.&lt;/li&gt;
    &lt;li&gt;The revised COPPA rule extends this obligation so that disclosing children&amp;rsquo;s personal information to third parties requires inquiring into that entity&amp;rsquo;s data security capabilities as follows:
    &lt;ul&gt;
        &lt;li&gt;The website or online service that discloses the information must obtain (by contract or otherwise) assurances about how the third party treats the information it receives.&lt;/li&gt;
        &lt;li&gt;And, in evaluating whether those security measures are &amp;ldquo;reasonable,&amp;rdquo; all expectations should expressly appear in the contract (or other arrangement), and reasonable means &amp;ndash; such as periodic monitoring &amp;ndash; must be used to confirm those expectations are met.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;* * * *&lt;/p&gt;
&lt;p&gt;Finally, the FAQs also provide important information about COPPA enforcement and how continuing questions about the Rule&amp;rsquo;s interpretation and applicability might be raised.&amp;nbsp; In a somewhat noteworthy shift, the revised FAQs delete a statement from the prior FAQs that the FTC &amp;ldquo;monitors the Internet for compliance,&amp;rdquo; leaving enforcement to complaints generated by parents, consumer groups, industry members, and others who believe they have identified violations.&amp;nbsp; The FAQs also herald the creation of a new &amp;ldquo;COPPA hotline&amp;rdquo; at &lt;a href="mailto:CoppaHotLine@ftc.gov"&gt;CoppaHotLine@ftc.gov&lt;/a&gt; for questions or comments.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/x6pF00Eljt8" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/x6pF00Eljt8/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/05/articles/main-topics/marketing-consumer-privacy/ftc-denies-requests-to-extend-effective-date-for-coppa-rule-revisions/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Thu, 09 May 2013 10:32:05 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/05/articles/main-topics/marketing-consumer-privacy/ftc-denies-requests-to-extend-effective-date-for-coppa-rule-revisions/</feedburner:origLink></item>
            <item>
         <title>Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail</title>
         <description>&lt;p&gt;On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of &amp;ldquo;&lt;em&gt;Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail&lt;/em&gt;&amp;rdquo; at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.&lt;/p&gt;
&lt;p&gt;The presentation focused primarily on two topics:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)&lt;/li&gt;
    &lt;li&gt;Update on Mobile Regulatory Issues&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To view the full presentation, &lt;a href="http://www.paymentlawadvisor.com/files/2013/04/RAMP-Presentation-4-16-13.pdf"&gt;click here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/fDiQCjfoezI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/fDiQCjfoezI/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/04/articles/internet/dealing-with-networks-and-regulatory-compliance-the-legal-side-of-mobile-retail/</guid>
         <category domain="http://www.privsecblog.com/articles">Federal Regulation</category><category domain="http://www.privsecblog.com/articles">Financial Institutions</category><category domain="http://www.privsecblog.com/articles">Internet</category>
         <pubDate>Tue, 16 Apr 2013 13:55:04 -0800</pubDate>
         <dc:creator>Davis Wright Tremaine</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/04/articles/internet/dealing-with-networks-and-regulatory-compliance-the-legal-side-of-mobile-retail/</feedburner:origLink></item>
            <item>
         <title>NIST Hosts First of Four Planned Cybersecurity Framework Workshops</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/DanielPReing/"&gt;Dan Reing&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;On April 3, 2013, the National Institute of Standards and Technology (&amp;ldquo;NIST&amp;rdquo;) hosted the first of four planned Cybersecurity Framework Workshops at the Department of Commerce, consisting of five panel discussions among a variety of private and public stakeholders affected by the Executive Order on &amp;ldquo;Improving Critical Infrastructure Cybersecurity&amp;rdquo; (&amp;ldquo;EO&amp;rdquo;) issued February 13, 2013.&amp;nbsp; As &lt;a href="http://www.privsecblog.com/2013/02/articles/federal-regulation/nist-issues-draft-rfi-for-cybersecurity-framework/"&gt;we previously discussed&lt;/a&gt;, the EO set in motion a process to develop and implement a national, voluntary Cybersecurity Standards Framework aimed at protecting the nation&amp;rsquo;s critical infrastructure and the provision of essential services to the American people.&amp;nbsp; The EO tasked NIST with drafting the Cybersecurity Framework, and on February 24, 2013, it issued a Request For Information (&amp;ldquo;RFI&amp;rdquo;) seeking public comment on issues the Cybersecurity Framework should address.&amp;nbsp; The RFI comment period closes on April 8, 2013.&lt;/p&gt;&lt;p&gt;The objective of NIST&amp;rsquo;s first cybersecurity session under the EO was to convey its planned approach to developing the Framework, and to elicit ideas and participation from private industry in the RFI process and upcoming workshops.&amp;nbsp; Toward that end, NIST indicated that the next three workshops are intended to be &amp;ldquo;hands-on,&amp;rdquo; &amp;ldquo;roll-up-your-sleeves&amp;rdquo; standards-development processes.&amp;nbsp; The next workshop is scheduled for May 29th -31st at Carnegie Mellon University in Pittsburgh, with another workshop approximately six weeks later (mid-July), and the final workshop approximately six weeks later (around Labor Day).&lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
NIST staff reiterated &amp;ndash; several times &amp;ndash; that it will rely heavily on input from private industry to guide the process, and that every comment will be read.&amp;nbsp; Prior to the May workshop, NIST stated, it will review and consider all RFI comments, and undertake an initial analysis to identify the key commonalities and themes raised in the comments, and thereby the key areas of concern.&amp;nbsp; NIST intends to make this initial analysis publicly available before the May workshop, at which it plans to consider Framework development on three tracks: (1) Risk Management; (2) Cyber Hygiene; and (3) Tools and Metrics.&lt;/p&gt;
&lt;p&gt;The overarching theme repeated throughout the day by industry and government panelists alike was the need for a Framework driven by industry in a collaborative process with the government.&amp;nbsp; To that end, Patrick D. Gallagher, the Director of NIST, stressed that NIST&amp;rsquo;s goal is to gather current best practices, standards, processes, and ideas from industry stakeholders as a starting point, and that those responses must guide the Framework development at the subsequent workshops.&amp;nbsp; Likewise, representatives from the Department of Homeland Security (&amp;ldquo;DHS&amp;rdquo;), which, among other things, is tasked with articulating performance goals for NIST, focused on presenting this process as a partnership between industry and the government.&amp;nbsp; A common refrain from panelists across all sectors of industry was to ensure that the process does not attempt to &amp;ldquo;re-invent the wheel,&amp;rdquo; but instead to adopt, adapt and rely on practices and standards already in use.&amp;nbsp; NIST staff made clear that the agency&amp;rsquo;s goal is to do just that, consistent with its prior practice.&lt;/p&gt;
&lt;p&gt;Other common themes included industry representatives stressing that one size cannot fit all in any Cybersecurity Framework, and that whatever NIST ultimately adopts must be scalable, so that it is implementable and accessible for companies of all sizes.&amp;nbsp; Another repeated refrain was that the Framework must be practical from a business perspective.&amp;nbsp; It was widely accepted that adoption must be incentivized and presented as a matter of general risk management for which a business case can be made.&amp;nbsp; To do that, several panelists stressed, the Framework must be in terms non-IT management and employees will understand, because those responsible for implementation will not always be IT professionals.&lt;/p&gt;
&lt;p&gt;Many panelists also advocated the goal of adopting a flexible, evolving Framework so that it is adaptable to constantly changing threats, and that it should incorporate evolving best practices to prevent and respond to new cyber-attacks.&amp;nbsp; Panelists also noted the Framework should consider international standards and how it will fit into the global cybersecurity world.&amp;nbsp; Panelists also highlighted performance metrics as key factors to a workable Framework.&amp;nbsp; Key questions for consideration included clearly identifying goals and establishing in advance what successful implementation will entail.&lt;/p&gt;
&lt;p&gt;Bruce McConnell, Senior Counsel (Cyber) for the Department of Homeland Security&amp;rsquo;s National Protection and Programs Directorate (NPPD), shared DHS&amp;rsquo;s current formulation of the goal for the Cybersecurity Framework:&amp;nbsp; &amp;ldquo;Adoption of the framework will [ensure] &amp;hellip;&amp;nbsp; a high level of confidence that the essential services [an entity] provides will continue to be delivered to its critical customers in the face of most cyber incidents directly affecting the entity.&amp;rdquo;&amp;nbsp; DHS acknowledged that to accomplish this, the Framework must include ties to incentives for adoption, and must have measurable compliance and performance standards.&amp;nbsp; At the same time, the Framework cannot impinge on privacy and civil liberties &amp;ndash; accordingly, DHS has established a task force to measure the Framework&amp;rsquo;s impact on those concerns against the Fair Information Practice Principles (FIPPs).&lt;/p&gt;
&lt;p&gt;Finally, another common topic was information-sharing related to cybersecurity breaches, threats, experiences, and practices &amp;ndash; both from the government to the private sector, and vice versa.&amp;nbsp; Workshop participants widely acknowledged that increasing and promoting information sharing will require legislative action in at least the liability, antitrust, and privacy arenas.&amp;nbsp; Even beyond that, a safe, anonymized way to share experiences about vulnerabilities, detection practices and operations &amp;ndash; one that does not itself create further competitive or reputational risk for the sharing entity &amp;ndash; must be worked out.&amp;nbsp; Toward that end, representatives of various industry Information Sharing and Analysis Centers (&amp;ldquo;ISACs&amp;rdquo;) on one panel offered ISACs as a good model for information-sharing, so long as the legal impediments are overcome.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/xJ-ecDwMcNQ" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/xJ-ecDwMcNQ/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/04/articles/main-topics/data-breach-security/nist-hosts-first-of-four-planned-cybersecurity-framework-workshops/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Data Breach &amp; Security</category>
         <pubDate>Thu, 04 Apr 2013 13:52:24 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/04/articles/main-topics/data-breach-security/nist-hosts-first-of-four-planned-cybersecurity-framework-workshops/</feedburner:origLink></item>
            <item>
         <title>Bills on Use of Mobile-Device-Location Data Reintroduced</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/BradleyWGuyton/"&gt;Brad Guyton&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Updating our &lt;a href="http://www.privsecblog.com/2011/06/articles/main-topics/government-surveillance/two-bills-introduced-on-use-of-mobiledevicelocation-data/"&gt;entry on this issue posted during the last Congress&lt;/a&gt;, on March 21, 2013, lawmakers in the House and Senate reintroduced companion bills intended to curb government use of mobile users&amp;rsquo; geolocation data.&amp;nbsp; The reintroduced &lt;a href="http://op.bna.com/der.nsf/id/sbay-95zsr7/$File/aa032113.pdf"&gt;Geolocation Privacy and Surveillance Act&lt;/a&gt; is nearly identical to legislation introduced nearly two years ago, as described in our prior post.&amp;nbsp; However, unlike two years ago, the bills are not accompanied by companion legislation requiring users&amp;rsquo; permission for industry to share geolocation data, as was the case previously with the Location Privacy Protection Act of 2011.&lt;/p&gt;
&lt;p&gt;The newly reintroduced Geolocation Privacy and Surveillance Act, sponsored again in the Senate by Sen. Ron Wyden (D-Or.) and in the House by Rep. Jason Chaffetz (R-Utah), would require the government and law enforcement agencies to obtain a warrant before accessing a person&amp;rsquo;s geolocation data, i.e., location information derived from GPS, Wi-Fi networks and cellular towers (location fixes from Wi-Fi or cell-tower data are not GPS data, but the bill treats all of them as geolocation information).&amp;nbsp; The legislation is modeled after existing wiretapping and electronic surveillance laws and would add to Title 18 of the U.S. Code a new chapter 120 entitled &amp;ldquo;Protection of Geolocation Information.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Several exceptions would apply, including those for emergency responders, parents of minors, and intelligence investigations under the Patriot Act.&amp;nbsp; In addition, the bill specifies that the Foreign Intelligence Surveillance Act and this legislation, if adopted, would be the only means by which geolocation information could be lawfully obtained by the government.&amp;nbsp; The bills are expected to be referred to the Judiciary Committees in both chambers, neither of which acted on versions introduced in the previous Congress.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/Up2ME6xsVdw" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/Up2ME6xsVdw/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/03/articles/main-topics/government-surveillance/bills-on-use-of-mobiledevicelocation-data-reintroduced/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Government Surveillance</category>
         <pubDate>Tue, 26 Mar 2013 08:00:38 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/03/articles/main-topics/government-surveillance/bills-on-use-of-mobiledevicelocation-data-reintroduced/</feedburner:origLink></item>
            <item>
         <title>California District Court Finds National Security Letter Statute Unconstitutional</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/BradleyWGuyton/"&gt;Brad Guyton&lt;/a&gt; and &lt;a href="http://www.dwt.com/people/JohnDSeiver/"&gt;John Seiver&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Last week, in &lt;a href="https://www.eff.org/sites/default/files/filenode/nsl_order_scan.pdf"&gt;In re National Security Letter&lt;/a&gt;, the United States District Court for the Northern District of California found unconstitutional two sections of the federal law allowing the FBI to issue &amp;ldquo;National Security Letters&amp;rdquo; (&amp;ldquo;NSLs&amp;rdquo;) to secretly demand subscriber records from ISPs, telecom carriers and other electronic service providers when investigating international terrorism or conducting clandestine intelligence activities.&amp;nbsp; An as-yet-unnamed telecommunications provider challenged the federal law and United States District Judge Susan Illston ordered the federal government to cease issuing NSLs and stop enforcing NSL gag orders, but stayed the order pending an expected appeal by the government to the Ninth Circuit.&lt;/p&gt;&lt;p&gt;The district court found the nondisclosure provision in 18 U.S.C. &amp;sect; 2709(c), as well as the judicial review provisions of 18 U.S.C. &amp;sect; 3511(b), unconstitutional on grounds that they violate the First Amendment and separation of powers principles.&amp;nbsp; Under the nondisclosure provision, a recipient of an NSL may not disclose to anyone other than an attorney that the FBI has requested such records.&amp;nbsp; The judicial review provisions at issue in the case specify certain limitations on a court&amp;rsquo;s discretion to modify or set aside an NSL nondisclosure requirement.&lt;/p&gt;
&lt;p&gt;The district court followed the Second Circuit&amp;rsquo;s determination in a similar case decided in 2008, &lt;a href="http://scholar.google.com/scholar_case?case=10444956725688475915&amp;amp;hl=en&amp;amp;as_sdt=2&amp;amp;as_vis=1&amp;amp;oi=scholarr"&gt;John Doe, Inc. v. Mukasey&lt;/a&gt;.&amp;nbsp; In Mukasey the court found the nondisclosure provision was a prior restraint on speech about government conduct.&amp;nbsp; As a content-based restriction, the district court here found the nondisclosure requirement violated procedural safeguards established by the Supreme Court in Freedman v. Maryland, and was not narrowly tailored to serve a compelling governmental interest.&amp;nbsp; Specifically, the district court held that the nondisclosure provision neither required the government to initiate judicial review of the NSL disclosure order nor placed the burden of proof on the government once in court, and that the provision did not provide an adequate limit on the amount of time the gag order may be in place before it is subjected to judicial review.&amp;nbsp; In addition, the district court ruled that the nondisclosure provisions were not narrowly tailored because they applied both to the content of the NSLs and to the mere fact that the recipient had received one, and that they were overbroad because they largely amounted to a permanent ban on speech due to the lack of temporal limitations on the nondisclosure requirement.&lt;/p&gt;
&lt;p&gt;The district court also determined that the judicial review provisions in section 3511(b) imposed an unacceptably deferential standard of review, making it incompatible with the court&amp;rsquo;s ability and duty to review the types of speech covered by the nondisclosure orders.&amp;nbsp; Noting that its review of nondisclosure orders would require a searching standard of review, the district court stated that the level of deference mandated by the statute contradicted the proper standard.&amp;nbsp; Again agreeing with the Second Circuit, the district court determined that treating an FBI certification that disclosure would lead to an enumerated harm as &amp;ldquo;conclusive&amp;rdquo; was unconstitutional because it precluded meaningful judicial review, reducing the proper level of scrutiny to, in effect, no scrutiny at all.&lt;/p&gt;
&lt;p&gt;Although Judge Illston largely followed the Second Circuit&amp;rsquo;s decision in Doe v. Mukasey, last week&amp;rsquo;s decision did not preserve the provisions by &amp;ldquo;conforming&amp;rdquo; them as the Second Circuit had.&amp;nbsp; Instead, the court determined that the provisions were neither savable nor severable.&amp;nbsp; It thus barred the government from issuing further NSLs under 18 U.S.C. &amp;sect; 2709 or enforcing the nondisclosure provision &amp;ndash; not only in the instant case, but in any other case.&amp;nbsp; (That said, as noted above, the court also stayed the order pending appeal, or for 90 days if no appeal is filed, so the ban on NSLs and further gag order enforcement will not take effect at this time.)&lt;/p&gt;
&lt;p&gt;This decision is another challenge to the controversial NSL provisions in federal law and will surely be appealed to the Ninth Circuit and perhaps then to the Supreme Court.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/2fUVC3jpyIU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/2fUVC3jpyIU/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/03/articles/main-topics/government-surveillance/california-district-court-finds-national-security-letter-statute-unconstitutional/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Government Surveillance</category>
         <pubDate>Thu, 21 Mar 2013 10:37:12 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/03/articles/main-topics/government-surveillance/california-district-court-finds-national-security-letter-statute-unconstitutional/</feedburner:origLink></item>
            <item>
         <title>Is the FTC Opening a New Front in the War on Commercial Texting?</title>
         <description>&lt;p&gt;By:&amp;nbsp; &lt;a href="http://www.dwt.com/people/ronaldglondon/"&gt;Ronald G. London&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The Federal Trade Commission (FTC) recently &lt;a href="http://www.ftc.gov/opa/2013/03/textmessages.shtm"&gt;announced&lt;/a&gt; it concurrently filed eight complaints in courts around the United States against &amp;ldquo;senders of spam text messages&amp;rdquo; who allegedly engaged in deceptive acts or practices by promoting supposedly free gift cards.&amp;nbsp; The complaints constitute what the FTC called a &amp;ldquo;crackdown&amp;rdquo; on affiliate marketers who allegedly &amp;ldquo;bombard consumers with hundreds of millions of unwanted spam text[s],&amp;rdquo; in order to steer them to allegedly deceptive websites promoting the cards.&lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
While the conduct alleged by the FTC details the kind of gambit that often draws the agency&amp;rsquo;s wrath, the cases are also notable because they allege that merely sending unsolicited commercial texts can be an &amp;ldquo;unfair practice&amp;rdquo; under the Federal Trade Commission Act.&amp;nbsp; As texting is already heavily regulated by the Federal Communications Commission (FCC) under the Telephone Consumer Protection Act (TCPA), which also allows private causes of action, including class actions, the FTC&amp;rsquo;s apparent position seems to up the ante for senders of commercial texts.&lt;/p&gt;&lt;p&gt;The FTC&amp;rsquo;s deceptive &amp;ldquo;spam text&amp;rdquo; complaints collectively charged 29 defendants with sending a combined 180 million-plus unsolicited texts promising free gifts or prizes &amp;ndash; including gift cards worth $1,000 at major retailers &amp;ndash; to millions of consumers, many of whom, the FTC underscored, had to pay to receive the texts.&amp;nbsp; The FTC alleged the texts had links that led to a &amp;ldquo;confusing and elaborate&amp;rdquo; online process that required recipients to provide sensitive personal information, apply for credit, or pay to subscribe to services to get the supposedly free cards.&amp;nbsp; Upon providing their information, consumers allegedly were directed to another site and only at that point told that, to receive the gift cards, they would have to accept a number of &amp;ldquo;offers&amp;rdquo; &amp;ndash; which could include recurring subscriptions charged to credit cards, and/or applications for credit &amp;ndash; with the number necessary to proceed&amp;nbsp; sometimes totaling a dozen or more.&amp;nbsp; And even if consumers completed the offers, they were notified they had to find three others who also would complete offers before they would receive any gift card.&lt;/p&gt;
&lt;p&gt;The FTC also alleged the landing sites collected a great deal of personal information &amp;ndash; including health information, in some instances &amp;ndash; before allowing consumers to continue, in many cases claiming the information was necessary to ship the gift cards.&amp;nbsp; In truth, the FTC alleged, the information was sold to third parties for marketing purposes, making the claims about the need to collect the information deceptive.&lt;/p&gt;
&lt;p&gt;In those regards, the FTC&amp;rsquo;s approach was consistent with its typical unfair and deceptive trade practice enforcement.&amp;nbsp; But each of the eight complaints also includes a count that alleges:&lt;/p&gt;
&lt;blockquote&gt; &lt;/blockquote&gt;
&lt;p style="margin-left: 40px"&gt;&lt;em&gt;[The] practice of procuring &amp;hellip; the transmission of unauthorized or unsolicited commercial electronic text messages to the mobile telephones and other wireless devices of consumers &amp;hellip; has caused or is likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition[, which] &amp;hellip; is unfair and violates Section 5 of the FTC Act.&lt;/em&gt;&lt;/p&gt;
&lt;blockquote&gt; &lt;/blockquote&gt;
&lt;p&gt;In other words, it seems, procuring someone to send &amp;ldquo;unauthorized or unsolicited &amp;hellip; text[s]&amp;rdquo; can itself be an unfair trade practice.&amp;nbsp; While this might just be an additional way of otherwise trying to get at the bad actors in these cases, one can&amp;rsquo;t help but wonder how far the notion of unsolicited texts as unfair trade practice might be taken.&lt;/p&gt;
&lt;p&gt;To that end, the FTC announcement of its enforcement actions stressed that the defendants sent text messages to random phone numbers, including, in up to 12% of cases, to consumers who do not have a text message subscription plan, the implication being that the recipients incurred costs to which they did not agree.&amp;nbsp; That is precisely the harm against which other laws regulating text messaging are designed to protect.&lt;/p&gt;
&lt;p&gt;Indeed, the TCPA, as administered by the FCC (and interpreted by the courts)&amp;nbsp; makes it unlawful to send text messages to mobile phones without prior express consent.&amp;nbsp; And, as detailed in our entries &lt;a href="http://www.privsecblog.com/2012/10/articles/main-topics/marketing-consumer-privacy/advisory-on-potential-traps-for-the-unwary-in-new-fcc-prerecorded-telemarketing-rules-updated-with-announcement-of-compliance-deadlines/"&gt;last fall&lt;/a&gt; and&amp;nbsp;&lt;a href="http://www.privsecblog.com/2012/03/articles/main-topics/marketing-consumer-privacy/new-advisory-highlights-potential-traps-for-the-unwary-in-updated-fcc-prerecorded-telemarketing-rules/#more"&gt;spring&lt;/a&gt;, the FCC recently raised the consent bar for text messages that are &amp;ldquo;telemarketing&amp;rdquo; or &amp;ldquo;telephone solicitation&amp;rdquo; (i.e., those that are part of a plan, program or campaign to sell goods/services) to the more demanding and specific prior written, signed consent standard.&amp;nbsp; Significantly, the text messages encompassed in the FTC&amp;rsquo;s crackdown would all seem to be solicitation, and as the FTC describes them, were not sent with any prior consent of the recipients (written and signed, or otherwise).&amp;nbsp; That would seem to make them unlawful under the TCPA as well.&lt;/p&gt;
&lt;p&gt;In the past, the FTC largely has left failures to acquire consent for texts to TCPA enforcement, and had even informally indicated it would not apply its telemarketing sales rule (TSR) to texts, only to voice calls.&amp;nbsp; Yet in the fall of 2011, as &lt;a href="http://www.privsecblog.com/2011/09/articles/main-topics/marketing-consumer-privacy/ftc-settlement-ups-ante-on-need-for-prior-express-consent-to-lawfully-textmessage/"&gt;we flagged&lt;/a&gt;, the FTC targeted unsolicited texts, and now it has again.&lt;/p&gt;
&lt;p&gt;Meanwhile, the TCPA allows those who receive text messages to which they did not consent (and other TCPA-violative calls) to sue the senders, and provides for statutory damages of $500 &amp;ndash; $1,500 if the texts were sent &amp;ldquo;willfully&amp;rdquo; (which the FCC and courts tend to find fairly easily).&amp;nbsp; This has encouraged a healthy TCPA plaintiff&amp;rsquo;s bar, which of late has led to significant TCPA class action activity.&amp;nbsp; In fact, depending on how one looks at it, and the source relied upon, TCPA actions are up anywhere from 50% to 80% over the past year.&amp;nbsp; And these claims can lead to settlements in the double-digit millions of dollars if efforts to have them dismissed fail.&lt;/p&gt;
&lt;p&gt;Adding the implications of the additional unsolicited-text-message counts in the FTC&amp;rsquo;s spam-text gift card complaints, it appears senders of commercial texts must potentially concern themselves with the FCC, the TCPA plaintiff&amp;rsquo;s bar and, now, the FTC.&amp;nbsp; Together, these enforcement sources provide ample reason to be scrupulously careful about sending commercial texts only where the necessary consent is present.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/oC-p7Yx4X_k" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/oC-p7Yx4X_k/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/03/articles/main-topics/marketing-consumer-privacy/is-the-ftc-opening-a-new-front-in-the-war-on-commercial-texting/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Fri, 08 Mar 2013 13:00:21 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/03/articles/main-topics/marketing-consumer-privacy/is-the-ftc-opening-a-new-front-in-the-war-on-commercial-texting/</feedburner:origLink></item>
            <item>
         <title>NIST Issues Draft RFI for Cybersecurity Framework</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/RobertGScottJr/"&gt;Robert G. Scott, Jr.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Following up on the President&amp;rsquo;s February 12,&amp;nbsp;2013 &lt;a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity"&gt;Executive Order on Cybersecurity &lt;/a&gt;and the related &lt;a href="http://www.fas.org/irp/offdocs/ppd/ppd-21.pdf"&gt;Presidential Policy Directive&lt;/a&gt;, discussed in &lt;a href="http://www.privsecblog.com/2013/02/articles/main-topics/data-breach-security/executive-order-and-policy-directive-promotes-cybersecurity-cooperation-and-intelligence-sharing/"&gt;our last blog entry&lt;/a&gt;, the National Institute of Standards and Technology (NIST) has issued a draft &lt;a href="http://www.nist.gov/itl/cyberframework.cfm"&gt;Request For Information &lt;/a&gt;(RFI) to kick off the public input process as mandated by the Executive Order. The RFI seeks information on current cybersecurity risk management practices of private organizations&amp;ndash;including standards, guidelines, and best practices&amp;ndash;in the various sectors, including communications, information technology, health, financial services, energy, water, and others that implicate critical infrastructure.&lt;/p&gt;&lt;p&gt;NIST is already accepting comments on the draft RFI. Once the draft RFI is finalized and published in the Federal Register, those wishing to have input will have only 45 days to submit comments to NIST on these wide-ranging cybersecurity issues. NIST will release a draft Cybersecurity Framework within eight months, and must publish a final Framework by February 12, 2014.&lt;/p&gt;
&lt;p&gt;DWT can provide further information about NIST&amp;rsquo;s cyber-risk RFI upon request, and/or guidance or assistance in participating in the Cybersecurity Framework via filing comments with NIST.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/HhSsPm0gQ6k" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/HhSsPm0gQ6k/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/02/articles/federal-regulation/nist-issues-draft-rfi-for-cybersecurity-framework/</guid>
         <category domain="http://www.privsecblog.com/articles">Federal Regulation</category>
         <pubDate>Wed, 20 Feb 2013 09:24:55 -0800</pubDate>
         <dc:creator>Davis Wright Tremaine</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/02/articles/federal-regulation/nist-issues-draft-rfi-for-cybersecurity-framework/</feedburner:origLink></item>
            <item>
         <title>Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/RobertGScottJr/"&gt;Robert G. Scott, Jr.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;On February 12, 2012, President Obama signed an &lt;a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity"&gt;Executive Order&lt;/a&gt; as well as a complementary &lt;a href="http://www.fas.org/irp/offdocs/ppd/ppd-21.pdf"&gt;Presidential Policy Directive&lt;/a&gt; intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation&amp;rsquo;s critical infrastructure.&amp;nbsp; The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.&lt;/p&gt;&lt;p&gt;The Executive Order and Presidential Policy Directive establish the Secretary of the Department of Homeland Security (DHS) as the chief coordinator for a comprehensive harmonization of federal agency efforts to oversee intelligence and various industry segments that may be deemed part of &amp;ldquo;critical infrastructure.&amp;rdquo; The Directive identifies energy and communications systems as &amp;ldquo;uniquely critical&amp;rdquo; because they enable all other critical infrastructure systems, as defined in the Patriot Act.&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
The Executive Order promotes greater government sharing of cyber-threat intelligence data with affected private sector entities by calling for coordinated processes that include sector-specific agencies, such as the Federal Communications Commission, Federal Energy Regulatory Commission, Nuclear Regulatory Commission, Federal Reserve Board, and Department of Health and Human Services. The development of these plans, on timetables detailed below, remains subject to input from various stakeholders.&lt;/p&gt;
&lt;p&gt;The Executive Order and Presidential Policy Directive contain specific instructions for DHS to recommend measures to harden critical infrastructure. DHS is also to adopt a &amp;ldquo;Plan B&amp;rdquo; for &amp;ldquo;data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities&amp;rdquo; if primary systems fail. Likewise, the Presidential Policy Directive adopts a national policy to secure &amp;ldquo;national essential functions,&amp;rdquo; which covers systems that support &amp;ldquo;government functions that are necessary to lead and sustain the Nation during a catastrophic emergency.&amp;rdquo; Ultimately, this may mean increased security for high-speed broadband networks that serve government facilities.&lt;/p&gt;
&lt;p&gt;A key element of the Presidential Policy Directive instructs DHS to establish and operate two &amp;ldquo;national critical infrastructure centers,&amp;rdquo; one each devoted to cyber infrastructure and physical infrastructure. These infrastructure centers are to operate as hubs of information collection and distribution from other federal departments and agencies and the private sector.&lt;/p&gt;
&lt;p&gt;Both the Executive Order and Presidential Policy Directive require government agencies to abide by laws governing privacy and civil liberties. Neither document, however, provides for any form of immunity or limitation on liability for private entities that participate in information sharing that might be challenged as a violation of other laws or privacy rights.&lt;/p&gt;
&lt;p&gt;The executive documents contain numerous detailed timelines for implementation of information sharing processes; creation of a Cybersecurity Framework to reduce cyber risk and adoption of it by federal departments and agencies; and establishment of &amp;ldquo;incentives&amp;rdquo; for private sector participation in the Cybersecurity Framework. Key benchmarks along these timelines include:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Expanded Sharing of Cybersecurity Information by June 12, 2013 (120 days)
    &lt;ul&gt;
        &lt;li&gt;The Attorney General, DHS and Director of National Intelligence each must issue instructions to ensure timely production of unclassified reports of domestic cyber threats that identify a specific target.&lt;/li&gt;
        &lt;li&gt;DHS is to establish procedures to expand its existing Enhanced Cybersecurity Services Program to all critical infrastructure sectors and provide classified intelligence to &amp;ldquo;eligible&amp;rdquo; critical infrastructure companies or commercial service providers that offer security services to critical infrastructure. Security clearances for &amp;ldquo;appropriate personnel&amp;rdquo; working for critical infrastructure entities are to be expedited.&lt;/li&gt;
        &lt;li&gt;DHS must describe the functional relationships within DHS and across the federal government related to critical infrastructure security and resilience, to serve as a roadmap for participants in the information sharing process.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
    &lt;li&gt;Establishment of a Cybersecurity Framework and Incentives for Private Participation
    &lt;ul&gt;
        &lt;li&gt;By October 10, 2013, the National Institute of Standards and Technology (NIST) is to publish a preliminary Cybersecurity Framework (with standards, procedures and policies) to reduce cyber risks to critical infrastructure. NIST plans to issue a Request for Information (RFI) to obtain feedback on what it should include in the Framework. NIST has posted a summary of the planned RFI on its &lt;a href="http://www.nist.gov/itl/cyberframework.cfm"&gt;web site&lt;/a&gt;.&lt;/li&gt;
        &lt;li&gt;NIST is to incorporate voluntary standards and industry best practices to the extent possible, and have them be consistent with voluntary international standards. Framework guidance is to be technology neutral. The process is to be open, with public review and comment.&lt;/li&gt;
        &lt;li&gt;Agencies are to review the preliminary Framework and, within 90 days of its publication (i.e., January 8, 2014), submit a report to the President stating whether the agency has &amp;ldquo;clear authority&amp;rdquo; to implement the framework, and if not, to specify additional authority the agency would require. If current regulatory requirements are deemed insufficient to protect cybersecurity, then within 90 days of publication of the final Framework, agencies must &amp;ldquo;propose prioritized, risk-based, efficient and coordinated actions&amp;rdquo; to mitigate the risks.&lt;/li&gt;
        &lt;li&gt;The final Cybersecurity Framework is due in one year, by February 12, 2014.&lt;/li&gt;
        &lt;li&gt;DHS, in coordination with other executive agencies, is to establish a voluntary program to support the adoption of the Cybersecurity Framework by affected owners and operators of critical infrastructure. Sector-specific guidance is to be developed by sector-specific agencies.&lt;/li&gt;
        &lt;li&gt;DHS is to coordinate the establishment of incentives to promote voluntary participation. Recommendations for, and analysis of, industry-specific incentives are to be made by the agencies responsible for each industry, including analysis of whether the incentives require new legal authority.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
    &lt;li&gt;Identification of Infrastructure With Potential For Catastrophic Impact from Cyber Threat:
    &lt;ul&gt;
        &lt;li&gt;The Presidential Policy Directive requires DHS, within 150 days of the order (July 12, 2013), to &amp;ldquo;use a risk-based approach&amp;rdquo; to identify critical infrastructure where a cybersecurity incident could have &lt;em&gt;catastrophic&lt;/em&gt; regional or national impact on health, safety, economic security, or national security.
        &lt;ul&gt;
            &lt;li&gt;Commercial information technology products or consumer information services, however, are exempt from being designated as critical infrastructure at the greatest risk.&lt;/li&gt;
        &lt;/ul&gt;
        &lt;/li&gt;
        &lt;li&gt;DHS must, in coordination with sector-specific agencies, provide confidential notice to owners and operators of critical infrastructure identified as being &amp;ldquo;at greatest risk&amp;rdquo; for catastrophic impact from a cybersecurity incident.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Davis Wright Tremaine, LLP assists communications service providers and other owners and operators of critical infrastructure to understand and navigate cybersecurity issues. Please contact us for more information or guidance.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/kiWpiKbD7a4" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/kiWpiKbD7a4/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/02/articles/main-topics/data-breach-security/executive-order-and-policy-directive-promotes-cybersecurity-cooperation-and-intelligence-sharing/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Data Breach &amp; Security</category><category domain="http://www.privsecblog.com/articles">Federal Regulation</category><category domain="http://www.privsecblog.com/articles">Patriot Act</category>
         <pubDate>Thu, 14 Feb 2013 15:12:08 -0800</pubDate>
         <dc:creator>Davis Wright Tremaine</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/02/articles/main-topics/data-breach-security/executive-order-and-policy-directive-promotes-cybersecurity-cooperation-and-intelligence-sharing/</feedburner:origLink></item>
            <item>
         <title>The FTC and California's Attorney General Recommend Detailed New Privacy Practices and Disclosures for Entities Operating in the Mobile Environment</title>
         <description>&lt;p&gt;Be sure to spend some time with our recent &lt;a href="http://www.dwt.com/The-FTC-and-Californias-Attorney-General-Recommend-Detailed-New-Privacy-Practices-and-Disclosures-for-Entities-Operating-in-the-Mobile-Environment-02-08-2013/"&gt;advisory&lt;/a&gt; analyzing two important privacy developments affecting the mobile ecosystem. Our advisory focuses on the Federal Trade Commission Staff Report and the California Attorney General&amp;rsquo;s recent release of detailed recommendations and best practices for providers of mobile platforms, apps, ad networks, and their trade associations. Building on a series of recent actions emphasizing specific privacy concerns in the mobile space, the FTC&amp;rsquo;s Staff Report outlines recommendations to improve privacy disclosures and control at different levels of the mobile ecosystem. The California AG&amp;rsquo;s report addresses not just privacy disclosures, but recommends &amp;ldquo;best practices&amp;rdquo; for platforms, app developers, and ad networks that explicitly go beyond existing law. You can access the advisory &lt;a href="http://www.dwt.com/The-FTC-and-Californias-Attorney-General-Recommend-Detailed-New-Privacy-Practices-and-Disclosures-for-Entities-Operating-in-the-Mobile-Environment-02-08-2013/"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/Fmn0gO-hGV0" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/Fmn0gO-hGV0/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/02/articles/main-topics/marketing-consumer-privacy/the-ftc-and-californias-attorney-general-recommend-detailed-new-privacy-practices-and-disclosures-for-entities-operating-in-the-mobile-environment/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Thu, 14 Feb 2013 07:59:03 -0800</pubDate>
         <dc:creator>Davis Wright Tremaine</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/02/articles/main-topics/marketing-consumer-privacy/the-ftc-and-californias-attorney-general-recommend-detailed-new-privacy-practices-and-disclosures-for-entities-operating-in-the-mobile-environment/</feedburner:origLink></item>
            <item>
         <title>Analysis of New HIPAA "Omnibus Rule"</title>
         <description>&lt;p&gt;Be sure to spend some time with our &lt;a href="http://www.dwt.com/New-Omnibus-Rule-Released-HIPAA-Puts-on-More-Weight-01-23-2013/"&gt;advisory&lt;/a&gt; summarizing and providing guidance on the long-awaited &amp;ldquo;Omnibus Rule&amp;rdquo;&amp;nbsp;amendments to the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), which the Department of Health and Human Services (HHS) &lt;a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf"&gt;published today&lt;/a&gt; in the Federal Register.&amp;nbsp; The advisory explains how the Omnibus Rule implements many privacy and security provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends HIPAA&amp;rsquo;s reach and limits. &amp;nbsp;It expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of their protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA).&amp;nbsp; The advisory also offers recommendations for steps covered entities should consider in the wake of the Omnibus Rule, and discusses the steps business associates and their affiliates must now take under HIPAA.&amp;nbsp; You can access the advisory &lt;a href="http://www.dwt.com/New-Omnibus-Rule-Released-HIPAA-Puts-on-More-Weight-01-23-2013/"&gt;here&lt;/a&gt;.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/YeKFgwHO_EQ" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/YeKFgwHO_EQ/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/01/articles/hipaa/analysis-of-new-hipaa-omnibus-rule/</guid>
         <category domain="http://www.privsecblog.com/articles">HIPAA</category>
         <pubDate>Fri, 25 Jan 2013 08:48:33 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/01/articles/hipaa/analysis-of-new-hipaa-omnibus-rule/</feedburner:origLink></item>
            <item>
         <title>Advisory Analyzing New COPPA Rule Changes</title>
         <description>&lt;p&gt;Be sure to check out our recent &lt;a href="http://www.dwt.com/FTC-Announces-COPPA-Rule-Changes-01-17-2013/"&gt;advisory&lt;/a&gt; examining the extensive changes the Federal Trade Commission (FTC) made to its regulations implementing&amp;nbsp; the Children&amp;rsquo;s Online Privacy Protection Act (COPPA Rule).&amp;nbsp; The revisions update the Rule to cover technological developments and popular online practices such as social networking, smartphone Internet access, and the use of geolocation information.&amp;nbsp; The advisory details how the FTC refined its definitions of &amp;ldquo;operator,&amp;rdquo; &amp;ldquo;personal information,&amp;rdquo; and &amp;ldquo;websites or online service directed to children,&amp;rdquo; and updated its requirements for providing notice and getting consent from parents, among many other changes the FTC described as seeking to &amp;ldquo;broaden and clarify&amp;rdquo; the Rule.&amp;nbsp; The advisory, which also explores practical considerations arising from the updated regulations, can be accessed &lt;a href="http://www.dwt.com/FTC-Announces-COPPA-Rule-Changes-01-17-2013/"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/qPU8RRfKKq8" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/qPU8RRfKKq8/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/01/articles/main-topics/marketing-consumer-privacy/advisory-analyzing-new-coppa-rule-changes/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Fri, 18 Jan 2013 09:44:01 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/01/articles/main-topics/marketing-consumer-privacy/advisory-analyzing-new-coppa-rule-changes/</feedburner:origLink></item>
            <item>
         <title>HIPAA Omnibus Rule Released</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/AdamHGreene/"&gt;Adam Greene&lt;/a&gt; and &lt;a href="http://www.dwt.com/people/RebeccaLWilliams/"&gt;Becky Williams&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;At long last, after much delay and speculation, the &lt;a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf"&gt;HIPAA Omnibus Rule&lt;/a&gt; has been placed on display at the Federal Register in preparation for formal publication.&amp;nbsp;&amp;nbsp;Clocking in at 563 pages, it is a document we have to admit we have not yet fully analyzed, but it is expected to address:&lt;/p&gt;
&lt;p&gt;&amp;bull;&amp;nbsp;The breach notification harm threshold&lt;br /&gt;
&amp;bull;&amp;nbsp;Direct liability for business associates&lt;br /&gt;
&amp;bull;&amp;nbsp;Covered entity liability for business associates who are agents&lt;br /&gt;
&amp;bull;&amp;nbsp;Sale of &amp;ldquo;protected health information&amp;rdquo; or &amp;ldquo;PHI&amp;rdquo;&lt;br /&gt;
&amp;bull;&amp;nbsp;Use and disclosure of PHI for marketing purposes&lt;br /&gt;
&amp;bull;&amp;nbsp;Use and disclosure of PHI for fundraising&lt;br /&gt;
&amp;bull;&amp;nbsp;Enforcement where noncompliance is due to &amp;ldquo;willful neglect&amp;rdquo;&lt;br /&gt;
&amp;bull;&amp;nbsp;Use of compound authorizations for research and authorization of future research&lt;br /&gt;
&amp;bull;&amp;nbsp;Restrictions on disclosure of PHI to health plans when patient pays out of pocket&lt;br /&gt;
&amp;bull;&amp;nbsp;Use and disclosure of genetic information for underwriting purposes by health plans&lt;br /&gt;
&amp;bull;&amp;nbsp;Disclosure of student immunization records to schools&lt;/p&gt;
&lt;p&gt;We will provide more information in a DWT alert and can address your particular issues after we have had an opportunity to review and analyze the rule.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/ewQz_IXSHe0" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/ewQz_IXSHe0/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/01/articles/hipaa/hipaa-omnibus-rule-released/</guid>
         <category domain="http://www.privsecblog.com/articles">HIPAA</category>
         <pubDate>Thu, 17 Jan 2013 15:51:08 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/01/articles/hipaa/hipaa-omnibus-rule-released/</feedburner:origLink></item>
            <item>
         <title>President Obama Signs Video Privacy Protection Act Amendment</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/BradleyWGuyton/"&gt;Brad Guyton&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;On January 10, 2013, President Obama signed H.R. 6671, the &lt;a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr6671enr/pdf/BILLS-112hr6671enr.pdf"&gt;Video Privacy Protection Act Amendments Act of 2012&lt;/a&gt;, which amends the Video Privacy Protection Act (VPPA), 18 U.S.C. &amp;sect; 2710, to streamline the process for consumers to share data regarding their video viewing activities.&amp;nbsp; In practice, this means video providers such as Netflix will be able to implement features that allow subscribers to share their video viewing history using social media services like Facebook.&lt;/p&gt;&lt;p&gt;The VPPA, which applies to &amp;ldquo;video tape service providers&amp;rdquo; that rent, sell, or deliver &amp;ldquo;prerecorded video cassette tapes or similar audio visual materials,&amp;rdquo; protects against the disclosure of personally identifiable information (PII) regarding specific video materials or services requested by a customer.&amp;nbsp; Though the VPPA generally has been interpreted as applying to entities that sell or rent physical media like videotapes, DVDs or Blu-ray discs, a 2012 decision by the U.S. District Court for the Northern District of California, which we discussed &lt;a href="http://www.privsecblog.com/2012/08/articles/main-topics/marketing-consumer-privacy/hulu-privacy-litigation-marks-first-application-of-video-privacy-protection-act-to-solely-streamed-video/"&gt;here&lt;/a&gt;, suggested that online video streaming services like Hulu are subject to the law as well.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Prior to the recent amendment, the statute required video tape service providers to obtain the informed, written consent of consumers at the time disclosure of their PII was sought.&amp;nbsp; As such, providers like Netflix were largely unable to secure the type of ongoing customer consent necessary to provide certain social media features &amp;ndash; such as Facebook integration &amp;ndash; that are available to users outside the United States.&lt;/p&gt;
&lt;p&gt;The VPPA amendment makes obtaining the requisite customer consent much easier, as it allows consumers to consent via electronic means on the Internet and, if the consumer so chooses, to grant consent in advance for up to two years.&amp;nbsp; In turn, service providers must obtain the consent on a separate form (distinct from other forms used to disclose legal or financial obligations), and must provide customers the opportunity to withdraw consent on a case-by-case basis, or to withdraw consent from ongoing disclosures.&lt;/p&gt;
&lt;p&gt;The ability to obtain advance consent from customers offers increased flexibility for &amp;ldquo;video tape service providers&amp;rdquo; and is expected to lead to tighter integration between such video providers and social networks.&amp;nbsp; However, at least while the Hulu litigation continues, the issue it raises concerning the reach of the VPPA could also raise questions about the impact of the new law on the duration of consents received by other online video providers.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/Ulg7eVHXwxs" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/Ulg7eVHXwxs/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/01/articles/main-topics/marketing-consumer-privacy/president-obama-signs-video-privacy-protection-act-amendment/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Fri, 11 Jan 2013 14:03:49 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/01/articles/main-topics/marketing-consumer-privacy/president-obama-signs-video-privacy-protection-act-amendment/</feedburner:origLink></item>
            <item>
         <title>Advisory on China's New Online Information Protection Law</title>
         <description>&lt;p&gt;Check out our &lt;a href="http://www.dwt.com/Chinas-New-Online-Information-Protection-Law-01-09-2013/"&gt;recent advisory&lt;/a&gt; detailing China&amp;rsquo;s New Online Information Protection Law.&amp;nbsp; In the advisory, &lt;a href="http://www.dwt.com/people/LinZhu/"&gt;Lin Zhu&lt;/a&gt;, &lt;a href="http://www.dwt.com/people/RonRongweiCai/"&gt;Ron Cai&lt;/a&gt;, and &lt;a href="http://www.dwt.com/people/frasermendel/"&gt;Fraser Mendel&lt;/a&gt; explain how, on Dec. 28, 2012, the Standing Committee of China&amp;rsquo;s National People&amp;rsquo;s Congress enacted a 12-article Decision on Strengthening Online Information Protection, without public consultation and after just one reading.&amp;nbsp; The Decision was released following a recent spate of scandals resulting from online exposure of corrupt officials&amp;rsquo; misdeeds and apparently in response to growing public concerns about lack of protection for personal privacy.&amp;nbsp; The Decision applies to only the electronic version of citizens&amp;rsquo; personal &amp;ldquo;electronic information&amp;rdquo; and is a fairly broad outline providing guiding principles for protecting personal information online, but no implementation or enforcement details.&amp;nbsp; To learn more about the ramifications of the Decision, see the full text of the advisory &lt;a href="http://www.dwt.com/Chinas-New-Online-Information-Protection-Law-01-09-2013/"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/r6tZsoba3Jg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/r6tZsoba3Jg/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/01/articles/personal-privacy/advisory-on-chinas-new-online-information-protection-law/</guid>
         <category domain="http://www.privsecblog.com/articles">Personal Privacy</category>
         <pubDate>Fri, 11 Jan 2013 10:59:46 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/01/articles/personal-privacy/advisory-on-chinas-new-online-information-protection-law/</feedburner:origLink></item>
            <item>
         <title>Small Data Breach Leads to $50,000 HHS Settlement for Hospice</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/AdamHGreene/"&gt;Adam H. Greene, JD, MPH&lt;/a&gt;&lt;/p&gt;
 &lt;p&gt;In what HHS declares as &lt;a href="http://www.hhs.gov/news/press/2013pres/01/20130102a.html"&gt;&amp;ldquo;the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,&amp;rdquo;&lt;/a&gt; the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop holding unprotected ePHI of 441 patients. (Only in the world of HIPAA can you have &amp;ldquo;unprotected &amp;hellip; protected&amp;rdquo; information.) OCR&amp;rsquo;s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security. The encryption point is the practical one: ePHI encrypted consistent with HHS guidance is not &amp;ldquo;unsecured,&amp;rdquo; so the loss of a properly encrypted laptop generally would not be a reportable breach at all.&lt;/p&gt;
&lt;p&gt;The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information. The $50,000 resolution amount, though, is far below the average of approximately $900,000, suggesting that the size of the organization will play a much larger role than the nature of the incident when determining settlement amounts. For example, OCR recently reached a settlement of &lt;a href="http://www.dwt.com/Double-Check-Your-Vendors-HIPAA-Settlement-for-Small-Provider-Over-Improper-Use-of-Internet-Software-as-a-Service-Providers-04-24-2012/"&gt;$100,000&lt;/a&gt; with a small physician practice for an allegedly widespread lack of information security safeguards, while it reached a &lt;a href="http://www.dwt.com/Health-Information-Security-Is-No-Game-Except-When-It-Is-09-19-2012/"&gt;$1.5 million settlement&lt;/a&gt; with a larger hospital over a relatively small breach and more narrow information security issues.&lt;/p&gt;
 &lt;p&gt;OCR reportedly has received tens of thousands of small breach reports since the interim final breach notification rule&amp;rsquo;s compliance date of September 2009. This appears to be the first of such breach reports that has led to a settlement. It raises the question whether other types of small breaches will lead to settlements, such as cases of employee &amp;ldquo;snooping.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;One final note is that of OCR&amp;rsquo;s 11 settlements related to HIPAA, this is the fifth from Region X (Seattle). Although there are 10 OCR regional offices, 45 percent of the settlements have come from the Seattle regional office.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/PHm7MLpUvqo" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/PHm7MLpUvqo/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2013/01/articles/hipaa/small-data-breach-leads-to-50000-hhs-settlement-for-hospice/</guid>
         <category domain="http://www.privsecblog.com/articles">HIPAA</category>
         <pubDate>Thu, 03 Jan 2013 06:03:24 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2013/01/articles/hipaa/small-data-breach-leads-to-50000-hhs-settlement-for-hospice/</feedburner:origLink></item>
            <item>
         <title>HHS Creates Mobile Device Privacy and Security Website: High Expectations for Mobile Device Security</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/adamhgreene/?op=advisories"&gt;Adam H. Greene, JD, MPH&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The U.S. Department of Health and Human Services recently posted a website focusing on mobile devices and health information privacy and security at &lt;a href="http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security"&gt;http://www.healthit.gov/mobiledevices&lt;/a&gt;.&amp;nbsp; The website includes five videos on mobile device security, tip sheets and frequently asked questions and answers on mobile device security, a five-step process for addressing mobile devices within a healthcare organization, and downloadable posters promoting mobile security.&lt;/p&gt;&lt;p&gt;The five-step process that HHS identifies includes:&lt;br /&gt;
&amp;nbsp;1.&amp;nbsp; Deciding appropriate use for mobile devices within the organization;&lt;br /&gt;
&amp;nbsp;2.&amp;nbsp; Assessing the risks associated with mobile devices;&lt;br /&gt;
&amp;nbsp;3.&amp;nbsp; Identifying a mobile device risk management strategy;&lt;br /&gt;
&amp;nbsp;4.&amp;nbsp; Developing, documenting, and implementing mobile device policies; and&lt;br /&gt;
&amp;nbsp;5.&amp;nbsp; Training the workforce on the policies.&lt;/p&gt;
&lt;p&gt;The videos cover basics of mobile device security, focusing on issues such as including mobile devices in the risk assessment, preparing for and responding to the theft of a mobile device, and appropriate safeguards when using a mobile device to handle health information on a public Wi-Fi network.&lt;/p&gt;
&lt;p&gt;A few takeaways from the website:&lt;br /&gt;
&amp;bull;&amp;nbsp;Mobile device security is a significant priority for HHS, as evidenced by the resources put into this website and recent enforcement actions (&lt;em&gt;e.g.&lt;/em&gt;, the &lt;a href="http://www.hhs.gov/news/press/2012pres/09/20120917a.html"&gt;recent settlement with Massachusetts Eye and Ear Infirmary&lt;/a&gt;)&lt;br /&gt;
&amp;bull;&amp;nbsp;HHS expects health care entities to explicitly address mobile device security in their risk assessment, include it in their risk management plans, implement detailed policies, and conduct training specific to mobile devices&lt;br /&gt;
&amp;bull;&amp;nbsp;The website includes resources, such as the videos and downloadable posters, that organizations can consider using as part of their security training and awareness.&lt;/p&gt;
&lt;p&gt;Based on this website and recent enforcement actions, it appears more likely that if a HIPAA-covered entity experiences a breach involving a mobile device and did not have a risk assessment, policies, and training related to mobile devices, then HHS will consider taking formal enforcement action.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/PPsHXhjCNl4" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/PPsHXhjCNl4/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2012/12/articles/hipaa/hhs-creates-mobile-device-privacy-and-security-website-high-expectations-for-mobile-device-security/</guid>
         <category domain="http://www.privsecblog.com/articles">HIPAA</category>
         <pubDate>Thu, 20 Dec 2012 09:30:02 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2012/12/articles/hipaa/hhs-creates-mobile-device-privacy-and-security-website-high-expectations-for-mobile-device-security/</feedburner:origLink></item>
            <item>
         <title>FTC Again Challenges Kids' Mobile App Data Collection and Disclosure Practices</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/robertgscottjr/"&gt;Bob Scott&lt;/a&gt;&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
The Federal Trade Commission (&amp;ldquo;FTC&amp;rdquo;) released on December 10, 2012, its &lt;a href="http://www.ftc.gov/os/2012/12/121210mobilekidsappreport.pdf"&gt;second staff report&lt;/a&gt; on disclosures for mobile apps targeted at children, building on its &lt;a href="http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf"&gt;prior report&lt;/a&gt; issued 10 months earlier.&amp;nbsp; The reports appear designed to support the FTC&amp;rsquo;s upcoming proposed changes in Children&amp;rsquo;s Online Privacy Protection Act (&amp;ldquo;COPPA&amp;rdquo;) rules (which we analyzed &lt;a href="http://www.dwt.com/FTC-Proposes-Revised-Definitions-for-Its-Previously-Proposed-08-03-20121/"&gt;here&lt;/a&gt; and &lt;a href="http://www.dwt.com/advisories/FTC_Proposes_First_Modifications_to_Childrens_Online_Privacy_Protection_Act_COPPA_Rules_Since_Original_Adoption_in_2000_09_19_2011/"&gt;here&lt;/a&gt;).&amp;nbsp; Where the first report emphasized mobile app compliance with notice and consent provisions in the FTC&amp;rsquo;s &lt;a href="http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&amp;amp;SID=136bbaf3befc3413327f2f55ca6aa16c&amp;amp;rgn=div5&amp;amp;view=text&amp;amp;node=16:1.0.1.3.36&amp;amp;idno=16"&gt;COPPA Rule&lt;/a&gt;, the latest report went beyond examination of disclosures and tested whether apps collected and shared data with third parties, or included interactive features like in-app advertising,&amp;nbsp; purchasing,&amp;nbsp; and/or links to social media.&amp;nbsp; It also focused in particular on the use of device identifiers and concerns raised by their collection and/or use, while in doing so appearing to overlook uses of device IDs that pose no privacy risk and/or that are otherwise pro-consumer.&lt;/p&gt;&lt;p&gt;While the new survey found small improvements in disclosure frequency since the initial review, FTC staff were concerned that when tested, most apps collected and used device IDs, and many shared the device ID with ad networks or analytics 
companies.&amp;nbsp; The FTC staff did not know how or what use the companies actually made of device IDs, but expressed concern that the data could allow third parties to &amp;ldquo;potentially develop detailed profiles of the children using the apps, without a parent&amp;rsquo;s knowledge or consent.&amp;rdquo;&amp;nbsp; The survey assumes children using these apps do so via a mobile device owned and controlled by a parent, but that parents would have no way to know what data is collected, or how it is used, without more thorough and timely disclosures.&lt;/p&gt;
&lt;p&gt;The staff report leverages the FTC&amp;rsquo;s proposed revision to its COPPA Rule that would define device IDs as &amp;ldquo;personal information&amp;rdquo; if they &amp;ldquo;can be used to recognize a user over time, or across different websites or online services.&amp;rdquo;&amp;nbsp; The report also cites the proposed exception for collection of device IDs for &amp;ldquo;internal operations,&amp;rdquo; which would be limited to network communications, site maintenance and analysis, user authentication, site navigation, maintenance of user preferences, serving contextual ads, and protection against fraud or theft.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;But as with the proposed COPPA rule changes, the staff report&amp;rsquo;s treatment of device IDs does not recognize some uses of device IDs that pose no privacy risk, or are otherwise pro-consumer.&amp;nbsp; These include use of device IDs to preserve customer anonymity, to maintain user game data (like high scores), to limit the number of times targeted ads will be delivered to the device, and to verify valid app installation.&amp;nbsp; Because a persistent device ID can by its nature recognize the same device over time and across services, however, such uses would need to fit within the proposed &amp;ldquo;internal operations&amp;rdquo; exception to avoid treatment as personal information, and an app operator should confirm that the same ID is not also passed to ad networks or analytics providers for other purposes.&amp;nbsp; The report&amp;rsquo;s focus on and treatment of device IDs may be harbingers of what to expect from the FTC&amp;rsquo;s long-awaited COPPA Rule review.&lt;/p&gt;
&lt;p&gt;The staff&amp;rsquo;s report also recognizes parallel efforts by the National Telecommunications Information Administration, which is in the midst of a multistakeholder process to create an industry code of conduct to provide transparency for mobile applications and other interactive mobile services.&amp;nbsp; It further discloses that the FTC is commencing multiple investigations to determine whether certain entities in the mobile app space have violated COPPA&amp;rsquo;s disclosure and consent requirements, or the FTC Act, through unfair or deceptive app-related trade practices.&amp;nbsp; Staff reports that it will soon issue consumer education directed at parents to help them supervise their children&amp;rsquo;s online activities, and that it will undertake a third kids app survey at a future date.&amp;nbsp; With the COPPA Rule review hanging over the staff&amp;rsquo;s endeavors in this area, these are important mile markers to keep in sight as that proceeding progresses.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/ZQG5byRU6Oo" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/ZQG5byRU6Oo/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2012/12/articles/main-topics/marketing-consumer-privacy/ftc-again-challenges-kids-mobile-app-data-collection-and-disclosure-practices/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Thu, 13 Dec 2012 08:45:37 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2012/12/articles/main-topics/marketing-consumer-privacy/ftc-again-challenges-kids-mobile-app-data-collection-and-disclosure-practices/</feedburner:origLink></item>
            <item>
         <title>FTC Settlement Embodies First Agency Action Against Browser History Sniffing</title>
         <description>&lt;p&gt;By &lt;a href="http://www.dwt.com/people/robertgscottjr/"&gt;Bob Scott&lt;/a&gt;&lt;/p&gt;
 &lt;p&gt;The Federal Trade Commission (FTC) announced a proposed &lt;a href="http://www.ftc.gov/os/caselist/1123182/121205epicorder.pdf"&gt;settlement&lt;/a&gt; of allegations that online advertising company Epic Marketplace, Inc. and its affiliate Epic Media Group (Epic) engaged in deceptive practices by failing to accurately describe their online advertising data practices. Specifically, the FTC alleged that Epic failed to disclose that it ran a script that determined whether consumers had visited web sites outside of Epic&amp;rsquo;s affiliated advertiser network, and falsely represented that it only collected browser information from web sites within Epic&amp;rsquo;s network. The settlement is the FTC&amp;rsquo;s first action against browser history sniffing, and demonstrates the Commission&amp;rsquo;s continued expansion of jurisdiction through enforcement actions. The proposed settlement must be approved by a majority of the Commissioners before it becomes effective.&lt;/p&gt;
 &lt;p&gt;According to the FTC, Epic said in its privacy policy that it would collect information about consumers&amp;rsquo; visits to sites only within Epic&amp;rsquo;s advertising network. Yet in practice, the code Epic served alongside its cookies on those sites ran a script that tested whether consumers had visited sites outside Epic&amp;rsquo;s network. Epic tracked the results and sent targeted ads based on consumers&amp;rsquo; browsing history. Consumers would have no way to know Epic&amp;rsquo;s software actively probed the browser&amp;rsquo;s history.&lt;/p&gt;&lt;p&gt;The FTC&amp;rsquo;s proposed consent order with Epic includes numerous provisions that are remedial on their face, such as a ban on further browser history sniffing, a ban on the use of data already collected, and an order to destroy all previously collected data. In fact, press reports suggest that Epic Marketplace discontinued the browser history sniffing practice in 2011, and that the company may no longer be in business. If, as appears to be the case, the practice has ceased, the proposed consent order is relevant primarily as another in the long line of FTC jurisdictional precedents established through enforcement actions.&lt;/p&gt;
 &lt;p&gt;Finally, as described by the FTC, Epic&amp;rsquo;s browser history sniffing practice did not comport with &amp;ldquo;best practices&amp;rdquo; of online advertising self-regulatory groups such as the Network Advertising Initiative and Digital Advertising Alliance. This action thus underscores the importance of careful implementation of these online advertising self-regulatory principles and practices, and of auditing the scripts actually served by ad partners against what the privacy policy says they do.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/PJN-sbPGi5Y" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/PJN-sbPGi5Y/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2012/12/articles/main-topics/marketing-consumer-privacy/ftc-settlement-embodies-first-agency-action-against-browser-history-sniffing/</guid>
         <category domain="http://www.privsecblog.com/articles/main-topics">Marketing &amp; Consumer Privacy</category>
         <pubDate>Thu, 06 Dec 2012 12:37:32 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2012/12/articles/main-topics/marketing-consumer-privacy/ftc-settlement-embodies-first-agency-action-against-browser-history-sniffing/</feedburner:origLink></item>
            <item>
         <title>New Advisory on HIPAA De-Identification Guidance</title>
         <description>&lt;p&gt;Check out our recent advisory describing the &lt;a href="http://www.dwt.com/Escaping-HIPAA-New-Guidance-on-De-Identifying-Health-Information-11-29-2012/"&gt;New HIPAA Guidance on De-Identifying Health Information&lt;/a&gt;.&amp;nbsp; In it, &lt;a href="http://www.dwt.com/people/AdamHGreene/"&gt;Adam Greene&lt;/a&gt; explains that the HHS Office for Civil Rights released guidance on how health information may be de-identified, which allows covered entities and business associates to reduce their exposure to HIPAA and expand their use of health data.&amp;nbsp; The guidance teaches two key lessons &amp;ndash; specifically, that health information generally is considered individually identifiable unless certain stringent requirements are met (the &amp;ldquo;safe harbor&amp;rdquo; removal of all enumerated identifiers), and that using an appropriate expert (the &amp;ldquo;expert determination&amp;rdquo; method) can provide ways to de-identify information while retaining important properties that otherwise might be lost through other methods of de-identification.&amp;nbsp; The advisory can be accessed &lt;a href="http://www.dwt.com/Escaping-HIPAA-New-Guidance-on-De-Identifying-Health-Information-11-29-2012/"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyAndSecurityLawBlog/~4/RidqbOsKM5w" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyAndSecurityLawBlog/~3/RidqbOsKM5w/</link>
         <guid isPermaLink="false">http://www.privsecblog.com/2012/12/articles/hipaa/new-advisory-on-hipaa-deidentification-guidance/</guid>
         <category domain="http://www.privsecblog.com/articles">HIPAA</category>
         <pubDate>Tue, 04 Dec 2012 08:13:55 -0800</pubDate>
         <dc:creator>Ronald London</dc:creator>
      
      <feedburner:origLink>http://www.privsecblog.com/2012/12/articles/hipaa/new-advisory-on-hipaa-deidentification-guidance/</feedburner:origLink></item>
      
   </channel>
</rss>
