
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

FTC Sends COPPA “Educational” Letters to U.S. and Foreign Companies

Posted in Uncategorized

Written by Sydney White

The FTC sent “educational” letters to more than 90 online companies, including providers of mobile applications, to warn each company that it may be subject to the revised Children’s Online Privacy Protection Act (COPPA) Rule because it is collecting personal information from children under the age of 13. The letters, available at http://www.ftc.gov/opa/2013/05/coppa_education.shtm, were sent to both domestic and foreign companies. If your company received one of these letters and you are not yet COPPA compliant, you should be undertaking an immediate review of your app(s) and/or website and of your policies and procedures for compliance.

The FTC adopted changes to the COPPA Rule in December of 2012, which expanded the definition of personal information to include not only a child’s name or address but also photos, videos, audio recordings, and persistent identifiers such as user names, cookies, or mobile device identification numbers that can be tracked across web sites. Prior to collecting the personal information of children, companies must obtain verifiable parental consent and follow new data security requirements in accordance with the COPPA Rule. Companies have until July 1 to comply with the Rule.

AUSTRALIA’S OAIC REMINDS BUSINESSES: TAKE “REASONABLE STEPS” TO SECURE THE PERSONAL INFORMATION YOU COLLECT

Posted in Cross-Border Transfers, Privacy and Data Security

Written by Alec Christie and Reyhaneh Saadati

The Office of the Australian Privacy Commissioner has released its new Guide to Information Security: Reasonable Steps to Protect Personal Information.

The Guide aims to assist Australian businesses and those carrying on business in Australia to “take reasonable steps” to protect the personal information they hold in light of the country’s increasingly strict privacy laws.

In terms of compliance, there is no doubt the Guide raises the bar. To be regarded as having “taken reasonable steps” to secure the personal information that they collect, companies will have to do more across a broad swathe of areas – governance, cybersecurity, physical security, data breaches and personnel training among them.

Notably, press releases accompanying the release of the Guide warned that “information security is now the major issue affecting consumer privacy,” and that 100 percent of the high-profile investigations completed by the Australian Privacy Commissioner in 2011-2012 involved data security issues. Our experience confirms the current general lack of awareness among Australian businesses of their information security obligations under the Privacy Act.

Learn more about the Guide and about Australia’s evolving privacy regime.

BELGIUM: CYBER SURVEILLANCE OF EMPLOYEES BY EMPLOYERS

Posted in Privacy and Data Security, Uncategorized

Written by Patrick Van Eecke

The Belgian Privacy Commission has finally clarified whether, and under which circumstances, an employer is allowed to monitor the use of the internet, e-mail and other e-communication tools by its employees. Prior to the Commission’s additional guidance in this respect, employees could in principle argue that under art. 124 of the Belgian e-Communications Act of 13 June 2005, employers were not allowed to carry out cyber surveillance activities vis-à-vis their employees.

In its recommendation, the Privacy Commission now confirms that, based on employment law and in particular the employer’s authority over the employee to ensure the good course of business, the employer can monitor the employee’s use of the internet and electronic communications without the employee’s consent. However, this right may only be exercised when the employer complies with the principles of finality (monitoring can only take place for specific purposes), proportionality (no general and systematic control is allowed) and transparency (the employees must be duly informed of the surveillance measures, e.g. by ICT policies, notices, etc.). In addition, employers must also comply with Collective Bargaining Agreement No. 81, which imposes these three principles and some additional limitations and safeguards to ensure that the monitoring takes place in a compliant manner.

As a result, despite the Privacy Commission’s new guidance, when planning monitoring activities it is strongly recommended to review the envisaged or current practices and policies used, or to be used, in this respect, so as to avoid employees challenging evidence gathered by employers as having been obtained unlawfully.

Should you have any further questions regarding the above, please contact Patrick Van Eecke (Patrick.van.eecke@dlapiper.com) or Didier Wallaert (didier.wallaert@dlapiper.com).

BELGIUM: UPDATE ON DIRECT MARKETING

Posted in Cookies, Cross-Border Transfers, Marketing, Privacy and Data Security

The Privacy Commission recently updated its recommendation n°4/2009 on direct marketing with a new recommendation (n°02/2013), in order to align its views with recent changes in the legal landscape.

The new recommendation, for instance, now clearly refers to the use of cookies in a direct marketing context, stating that the explicit consent of the recipient must be obtained prior to sending (certain) cookies to that person. Furthermore, it is explicitly mentioned that when sending direct marketing using personal data (e.g. name, telephone number, email address, etc.) for such purpose, not only the provisions of the Belgian Data Protection Act of 8 December 1992 must be complied with, but also the E-Commerce Act of 11 March 2003 and the Act on Market Practices and Consumer Protection of 6 April 2010 must be respected.

In its recommendation n°02/2013, the Privacy Commission further highlights some of the initiatives taken by the Belgian Direct Marketing Association (BDMA), a platform gathering, promoting and defending the interests of over 450 companies active in direct marketing (users, consultants, media and service providers).

The most remarkable initiative is the replacement of the so-called ‘Robinson list’ with the ‘Do-not-call-me-anymore list’ (“Bel-me-niet-meer lijst”), which was launched in August last year. The initiative provides consumers with the possibility to subscribe to a list – for a period of two years – in the event they no longer want to be contacted for direct marketing purposes. This implies that, where a direct marketing campaign is organized, the list of customers/prospects to be contacted must be compared with the Do-not-call-me-anymore list so as to ensure there is no match. Important to note is that compliance with the initiative is mandatory for any company sending direct marketing – whereas compliance with the Robinson list was only required for members of the BDMA. Where direct marketing campaigns are carried out in violation of the above, sanctions may be imposed by – inter alia – the Federal Public Service Economics. It should be noted that the list does not apply where marketing is sent in a B-2-B context, nor when direct marketing is sent by fax or delivered door-to-door.

Should you have any further questions regarding the above, please contact Patrick Van Eecke (Patrick.van.eecke@dlapiper.com) or Julie De Bruyn (Julie.debruyn@dlapiper.com).

BELGIUM: UPDATE ON PERSONAL DATA SECURITY BREACHES

Posted in Privacy and Data Security, Uncategorized

Following several recent widely publicized data breaches in Belgium, the Privacy Commission issued a new recommendation on security measures and data breaches. The recommendation builds further on its previously issued security reference measures and details specific security requirements regarding, among other things, IT architecture and development and production environments.

Remarkably, the Privacy Commission introduces a security breach notification obligation, but for “public incidents” only. Companies are required to have documented alarm and notification procedures for data security breach incidents. In case of a “public incident”, the Privacy Commission must be informed of the causes and damage within 48 hours. A public information campaign will be initiated within 24 to 48 hours after such notification. The Privacy Commission does not specify what is to be understood by a “public incident.”

The Privacy Commission also announces its intention to strengthen the legal framework for security measures. Given recent events, the Privacy Commission considers that it should not only have the competence to issue recommended security measures, but should also be able to legally enforce those measures.

Should you have any further questions regarding the above, please contact Patrick Van Eecke (Patrick.van.eecke@dlapiper.com) or Elisabeth Verbrugge (elisabeth.verbrugge@dlapiper.com).

PENDING CALIFORNIA BILLS SEEK TO EXPAND PRIVACY PROTECTIONS

Posted in Children, E-Commerce and Social Media, Mobile Privacy, Privacy and Data Security, US State Law

Written by Scott W. Pink and Carissa L. Bouwer

California has long been a leader in legislative efforts to protect online privacy rights of consumers.  California passed the nation’s first security breach disclosure law, the first law requiring online privacy policies, and more recently, the first set of privacy guidelines for mobile app providers.  This year California’s legislature is considering several new bills that, if passed, would further strengthen the privacy rights of California residents.  It is important for all companies to monitor these bills because, if passed, they could significantly impact information collection practices.

AB 242

As we mentioned in a previous post, this bill is an attempt to force privacy policies to be written in plain English.  Cal. Bus. & Prof. Code § 22575 presently requires operators of websites or online services that collect personal information from California residents to post a privacy policy describing the collection of personal information, including what is collected and how it is used.  This bill would amend Section 22575 by requiring that the privacy policy be no more than 100 words, written in clear and precise language at no greater than an eighth grade reading level. It would also require the privacy policy to include a statement indicating whether the information collected may be sold or shared with others.  If passed, this bill would require an overhaul of many privacy policies in order to meet the length restriction.  The bill was introduced on February 6, 2013 and has since been referred to the Judiciary Committee and the Business, Professions and Consumer Protection Committee.

AB 257

Introduced February 7, this bill would amend Cal. Bus. & Prof. Code § 22577 and add three new sections to § 22575.  The amendment to Section 22577 clarifies that the requirement to have a posted privacy policy applies to mobile app operators, the operators of mobile app markets, and mobile app advertisers.  Section 22575.1 would require that privacy policies for such mobile applications specify information collection and retention policies, including the types of information collected, the use and retention period for each category of information, the categories of third parties with whom the information will be shared, and the choices a consumer has with regard to his or her personal information.  It would also require a supplemental privacy policy if non-essential information is collected and a “special notice” if the application accesses text messages, call logs, the camera, the dialer, or the microphone, or collects location information, financial information, medical information, or passwords.  In addition, mobile app operators would be required to use security safeguards to protect personally identifiable information from unauthorized access, use, disclosure, modification, or destruction.

Section 22575.2 would require mobile app markets, such as the Apple App Store or Google Play, to include a link to the privacy policy for each mobile app and to report apps that do not comply with the law.  Under Section 22575.3, mobile app advertisers would be required to include a privacy policy, obtain consent before accessing personally identifiable information, and would be prohibited from using unchangeable device-specific identifiers.  This bill was referred to the Judiciary Committee and the Business, Professions and Consumer Protection Committee on March 21, 2013.

AB 1291

Assembly Bill 1291 was introduced February 22 and would amend Cal. Civ. Code § 1798.83, commonly known as the “Shine the Light Law”. The law requires certain businesses that collect personal information and disclose it to third parties for their marketing purposes to provide those details, upon request, to people with whom they have had an established business relationship. Presently, violations result in civil penalties ranging from $500 to $3,000, and civil actions to recover damages for injuries.

The bill would:

  • Replace “established business relationship” with “customer”, which is defined broadly in the bill and would expand the number of California residents who can request information under this statute or bring a cause of action;
  • Eliminate the need to prove actual injury, as all violations will be deemed to constitute an injury to the customer;
  • Expand the definition of “personal information” to include alias, nicknames, user name, account name, driver’s license number, ID card number, passport number, sexual orientation, gender, gender status, gender identity, mental health, location information, IP address, texts, photos, audio or video recordings, and other material generated by the customer; and
  • Give businesses three ways to comply with the law: 1) provide an address for requests and respond within 30 days with detailed information about what personal information was shared and with whom; 2) provide customers with notice prior to or immediately following a disclosure; or 3) provide a disclosure which complies both with the federal law for financial institutions, 15 U.S.C. § 6803, and with the remaining provisions of § 1798.83.

AB 1291 was referred to the Judiciary Committee on March 11, 2013.

AB 319

The federal Children’s Online Privacy Protection Act, or COPPA, governs the online privacy rights of children under 13.  In 2009, Maine passed a law that would have extended COPPA-like protections to all minors under 18.  The Maine law went further than COPPA by prohibiting the collection of personal information of minors under the age of 18 without parental consent and prohibiting the sale or transfer of personal information about a minor if the information was unlawfully collected, identified the minor, or would be used for predatory marketing.  After significant public outcry, including the Maine Attorney General publicly committing not to enforce the law, it was repealed in 2010.

Now, California is seeking to do the same with Assembly Bill 319.  The bill would require operators that 1) have a website or online service directed at minors, or 2) have actual knowledge that they are collecting information from minors to provide notice on the website about what information is collected and how it will be used.  The bill defines minors as persons under the age of 18.  Parents would be allowed to refuse the operator’s further collection or use of the information, and operators would not be allowed to condition a minor’s participation on providing more information than is reasonably necessary.  In addition it creates an obligation for those operators to establish and maintain reasonable procedures to protect any information collected from minors.

COPPA governs the collection of information from children under the age of 13 and contains a preemption clause for inconsistent state or local laws.  15 U.S.C. § 6502(d).  The bill as written will likely be preempted by COPPA.

Europe weighs in on mobile app privacy

Posted in Cross-Border Transfers, Mobile Privacy, Privacy and Data Security

The Article 29 Working Party – the data protection working group for the European Union, which is composed of representatives from the European Commission and the data protection authorities of EU member states – recently released its Opinion 2/2013 on smart devices and mobile apps. According to the Opinion, app developers are subject to some burdensome and sweeping obligations. Among other things, the Working Party has found that, in keeping with the requirements of the EU Directive on data protection and the ePrivacy Directive, all app developers must:

  • Ask for consent before the app is installed by the user; that consent must be freely given, specific and informed.
  • Get specific “granular” consent to each of the following categories of data that the app will access: location info, contact, UDID, identity or name of data subject, “identity of the phone,” payment data, SMS, telephony and SMS, browsing history, email, social network credentials and biometrics.
  • Be aware that “consent does not legitimize excessive or disproportionate data processing.”
  • Get renewed consent for any changes in processing, including for advertising and analytics purposes.
  • Provide app users with a single point of contact.

The Working Party also separately recommends other guidelines and practices for app developers, and sets forth requirements and recommendations for the various other players in the mobile app ecosystem, including device manufacturers, app stores and third party advertisers and analytics providers. Of note, app stores must, according to the Opinion, enforce app developers’ obligations to provide notice of information processing.

Working Party Opinions are not binding but are considered very persuasive by the data protection authorities of EU member states and the European Commission.  The full report is available here.

DATA PROTECTION LAWS OF THE WORLD

Posted in Cookies, Cross-Border Transfers, E-Commerce and Social Media, Marketing, Mobile Privacy, Privacy and Data Security, Security Breaches

DLA Piper has published the second edition of its Data Protection Laws of the World reference guide, expanding the handbook’s scope to cover 12 key features of the privacy laws of 63 countries that affect our clients.

Data Protection Laws of the World is searchable by country and by subject matter.

View or download the handbook here.

DLA PIPER HOSTS GLOBAL PRIVACY SEMINAR AND RECEPTION

Posted in E-Commerce and Social Media, Mobile Privacy, Privacy and Data Security

On March 6, through rain, sleet and the blizzard that never appeared (but that closed several area airports), 40 privacy professionals from around the world attended DLA Piper’s Global Privacy Seminar in our Washington, DC office.

The event began with a keynote delivered by FTC Commissioner Julie Brill explaining the importance of mobile privacy and the FTC’s many education and enforcement initiatives on this issue. It followed with a panel on mobile privacy compliance in the US and Australia, a panel on keeping up with major shifts in the Asian and EU privacy landscape, and privacy and information management compliance deploying a “bring your own device” program internationally.

Participants included Accenture Global Privacy Director Bojana Bellamy and DLA Piper information law practitioners from our offices in the US, Australia, Hong Kong, Holland and France. After the discussion, guests were joined by UK Information Commissioner Christopher Graham and outgoing FTC Chairman Jon Leibowitz for a cocktail reception.

FTC Chair Edith Ramirez Gives First Public Privacy Talk: Discusses Enforcement Efforts and FTC Priorities

Posted in Mobile Privacy, Privacy and Data Security, US State Law

During an interview conducted by DLA Piper’s Jim Halpert at the IAPP Privacy Summit in Washington, DC, new FTC Chair Edith Ramirez offered her first public discussion about her vision of FTC actions on privacy since being sworn in as FTC Chair five days earlier.

Speaking on Friday, March 8, Chair Ramirez emphasized the importance of the FTC’s enforcement activities in the context of privacy, citing recent actions against several major technology and social media companies. She indicated that under her leadership the FTC would continue its focus on mobile privacy and also vigorously enforce the revised Children’s Online Privacy Protection Act (COPPA) Rule, which goes into force on July 1, 2013.

When asked about the FTC’s authority to police “unfair” trade practices (as distinct from its authority over “deceptive” trade practices), Chair Ramirez explained that the FTC would continue to use this authority “judiciously,” as it is not a “blank check” to police business practices, but rather a tool to take action, in cases of clear harm, against business practices that cause or are likely to cause substantial injury to consumers that is not outweighed by the public benefits. However, Chair Ramirez stated that clear harm is not necessarily limited to monetary harm and also encompasses, for example, surreptitious filming of individuals in their homes.

Chair Ramirez also identified the “Internet of Things” – i.e., Internet interconnectivity in devices such as cars, TVs and appliances – and identity theft perpetrated against seniors as priorities for the FTC under her leadership, and she voiced her continued support for the development of a “consensus-based” Do-Not-Track mechanism.

On international privacy issues, Chair Ramirez emphasized her work, in conjunction with the US Department of Commerce, on the APEC Privacy Principles and discussions with European regulators in an effort to move toward interoperability of APEC and EU BCR cross-border data transfer mechanisms.

For additional details on Jim’s interview of FTC Chair Ramirez, see this article on the IAPP website, “New FTC Chair Ramirez points to COPPA, mobile space, BCR-APEC alignment as priorities.”
