Library of Congress

Legal Blawgs Web Archive Collection

This is an archived Web site from the Library of Congress

http://privacylaw.proskauer.com/

Archived: 05/01/2008 at 22:08:36

European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection

The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

Immunity Under the CDA Has Its Limits According to Two Recent Federal Court Decisions

Website Operator Can Be Held Liable for State Intellectual Property Violations

A federal district court in New Hampshire recently ruled that Section 230 of the Communications Decency Act of 1996 (“CDA”) does not prevent a state law right of publicity claim against a Website operator. In Doe v. Friendfinder Network, Inc., No. 07-286, 2008 WL 803947 (D.N.H. March 27, 2008), a profile of the plaintiff, including a nude photo and biographical information, was posted by an unknown third party on AdultFriendFinder.com, an online swingers community, without the plaintiff’s knowledge or consent. The plaintiff asserted eight claims against the Website for, among other things, invasion of privacy (including violation of her right of publicity), defamation and false designation in violation of the Lanham Act. On the site’s motion to dismiss, the district court found that all of plaintiff’s claims were barred by the CDA, except her false designation and right of publicity claims. In so holding, the district court challenged and criticized a recent Ninth Circuit decision regarding the CDA’s immunity.

More Breach Notification Laws -- 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content

In the wake of the December 2007 FTC statement proposing self-regulatory principles for businesses that are engaged in online behavioral targeting, that activity has continued to provoke consumer groups who advocate for government regulation. The legislature in New York has taken notice and is considering a first-of-its-kind bill, the Third Party Internet Advertising Consumer's Bill of Rights Act of 2008, to regulate third-party Internet advertisers’ tracking activities. The New York legislature’s activity coincides with significant opposition in the European Union to online behavioral advertising practices.

Online behavioral targeting is the process of tracking online users’ behavior and serving ads tailored to that behavior. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers the web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data, such as geographic location, to help further personalize advertisements. Glossed over by consumer groups is the fact that tracking usually is conducted anonymously, with the data collected linked only to a computer’s Internet Protocol (IP) address, not to a name or other personally identifiable information. In addition, responsible Internet companies are expected to provide clear notice and opportunities for consumers not to participate in such programs. Still, consumer groups have seized on reports of Internet Service Providers contracting with companies such as NebuAd, Phorm and Adzilla that use so-called “deep packet inspection” to collect data on every page a user visits rather than just those that are part of an online advertising network.

The ongoing debate over online behavioral targeting is significant not only because such targeting enables consumers to receive ads that are more relevant and useful to them, but also because, as the FTC has recognized, restrictions that inhibit companies’ ability to obtain advertising revenue may fundamentally affect the ability of the Internet to continue to offer valuable content for free.

SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing sensitive personal information of approximately 34,000 consumers in readable text.

Seller Beware: Florida district court rules that FACTA applies to electronic receipts and receipts printed in stores

The Southern District of Florida has held that the Fair Credit Reporting Act (FACTA) applies to both electronic receipts from online purchases and receipts printed in stores. In Grabein v. 1-800-Flowers.com, Inc., 07-22235-CIV, 2008 WL 343179 (S.D. Fla. Jan. 29, 2008), Plaintiff filed a class action lawsuit after he used a credit card to purchase flowers through Defendant’s website and received a receipt that contained both Plaintiff's truncated credit card number and the card’s expiration date. Plaintiff alleged that printing both pieces of information violated FACTA, which provides:

No person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction. 15 U.S.C. § 1681c(g).

Caution: Children's E-Cards Could Result in COPPA Issues

The Federal Trade Commission has quietly changed its position on the level of parental consent required under the Children’s Online Privacy Protection Act (“COPPA”) for e-cards sent from a website directed to children.

Under COPPA, websites directed to children under 13 are required to obtain parental consent prior to the collection of personal information – including an email address or a first and last name – from children under 13. There are certain exceptions to this requirement, including the so-called “one-time use” exception, which permits websites directed to children to collect an email address to respond once to a child’s specific request, provided that the website deletes that email address after doing so. The FTC had taken the position that an e-card – which typically permits a child to send a message to a friend’s email account – fell under this exception. Thus, no parental consent was required.

At the end of last year, however, the FTC amended its “Frequently Asked Questions about the Children’s Online Privacy Protection Rule,” available at http://www.ftc.gov/privacy/coppafaqs.shtm, and specifically noted in response to the FAQ concerning e-cards (FAQ 44) that “where an operator’s e-card or forward-to-a-friend system discloses the sender’s email address or first and last name in the message, the operator must obtain verifiable parental consent before such collection and disclosure.” Accordingly, operators of websites directed to children must now comply with COPPA’s verifiable parental consent provisions before permitting children under 13 to send e-cards that disclose their email addresses or full names.

Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation