Note: External links, forms and search boxes may not function within this collection
This is an archived Web site from the Library of Congress
http://privacylaw.proskauer.com/
Archived: 11/06/2008 at 20:08:45
First (02/07/2008)
Previous
#10 of 26
Next 
Last (12/02/2009) 
The New York State Consumer Protection Board has released a guide for New York businesses regarding the handling of personal identifiable information and the avoidance of identity theft. The guide also includes a form for reporting breaches to NY state agencies. The guide is available here.
On September 10, 2008, Timberland Company, an outdoor clothing and shoe merchant, along with co-defendant ad agencies GSI Commerce Inc. (“GSI”) and AirIt2Me Inc. (“AirIt2Me”), settled charges brought under the Telephone Consumer Protection Act (“TCPA”) arising from unsolicited text messages advertising Timberland’s holiday sale. Pursuant to the settlement, Timberland must employ best practices in future marketing, and must pay $7 million into a fund for distribution to the class. Prior to any future mobile marketing campaign, GSI agreed to circulate to its marketing personnel a copy of the Mobile Marketing Association’s Consumer Best Practices guidelines, and to establish meaningful training and compliance checks in connection with those guidelines. Additionally, the defendants must pay class counsel a maximum amount of $1,750,000. The settlement has been agreed to by all parties, but is still subject to final approval by the court.
On October 9, in the case R v. S and A [2008] EWCA Crim 2177, the Criminal Division of the England and Wales Court of Appeal held that requiring criminal defendants to disclose an encryption key allegedly protecting criminal materials does not violate the privilege against self-incrimination under U.K. law or Article 6 of the European Convention of Human Rights. The U.K. court’s ruling is at odds with Magistrate Judge Jerome J. Niedermeier’s ruling on a similar issue in the District of Vermont, In re Boucher, No. 06-mj-91, 2007 WL 4245473 (D. Vt. Nov. 29, 2007).
Continue Reading...The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program. In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement though does not affect companies subject to the enforcement authority of federal agencies other than the FTC.
Continue Reading...A German court (Case No. 133 C 5677/08) recently issued a decision that Internet Protocol (IP) addresses stored on a company's server do not constitute "personal data" under the German data protection law. An IP address is a unique number that every computer connected to the internet is assigned. Under German data protection law (and EU law generally), "personal data" is any data that identifies a natural person. Usually, whether or not a particular category of data constitutes "personal data" is fairly noncontroversial. However, the issue of whether IP addresses constitute personal data is a particularly thorny issue, as an IP address usually consists of a string of numbers, making it difficult to identify a natural person behind a given numerical combination. In fact, last year the EU article 29 Working Party (the EU Committee charged with clarifying the EU Data Protection Directive) has previously opined in 2007, and again in 2008 in more detail as reported here that there is "no doubt" IP addresses do in fact constitute "data relating to an identifiable person" under the EU Data Protection Directive.
Continue Reading...
Although the use by businesses of prerecorded message telemarketing has been prohibited for years for most calls, many companies have continued to lawfully deliver prerecorded telemarketing calls to their existing customers or others with whom they are deemed to have an existing business relationship (“EBR”). The Federal Trade Commission’s (“FTC”) recent amendments to its Telemarketing Sales Rule (“TSR”) will greatly restrict that practice. Effective September 1, 2009, companies subject to FTC jurisdiction will not be able to make interstate prerecorded telemarketing calls to EBR consumers absent the prior express written agreement of the consumer.
Effective December 1, 2008, any company that continues to make such calls must comply with new restrictions that will continue even after September 1, 2009 when prior express written consent of the consumer is mandatory. The restrictions require that the prerecorded message: (1) state at the outset that the call recipient can be asked to be placed on the caller’s company specific do not call list; (2) make available an automated opt-out mechanism for “live” recipients of a call that enables the recipient to place the number on the company’s do not call list; and (3) if the call is answered by an answering machine or voicemail, leave a toll free number where the recipient can call and be connected to an automated system where they can opt-out of further calls. In addition, such calls must ring for at least 15 seconds or 4 rings before they are disconnected and any message must begin within two seconds of the call recipients’ greeting. The new TSR amendments do not govern purely informational calls (e.g., a doctor’s appointment reminder), intrastate calls, or calls made by entities not regulated by the FTC. Most of those calls will continue to be subject to Federal Communications Commission (“FCC”) rules that permit prerecorded telemarketing calls to EBR consumers subject to the recipient requesting to be placed on a company’s own internal do not call list.
Continue Reading...
The Third Circuit recently ruled that a labor union violated the federal Driver’s Privacy Protection Act (“DPPA”) when it accessed the motor vehicle records of Cintas employees for an improper “labor-organizing” purpose. In Pichler v. UNITE, the divided court affirmed the district court’s grant of summary judgment to the plaintiffs whose home addresses were obtained as part of the Union of Needletrades, Industrial & Textile Employees’ (“UNITE”) drive to organize Cintas employees. In reaching its conclusion, the court held that punitive damages may be awarded for violations of the DPPA. The court also concluded that the union’s assertion that it collected and used personal information from motor vehicle records for litigation -- a permissible purpose under the DPPA -- did not overcome the lower court’s finding that it collected and used the information for impermissible labor-organizing activities.
Continue Reading...The September 2008 issue of "A Moment of Privacy," a monthly e-newsletter brought to you by the Privacy and Data Security Practice Group of Proskauer Rose, LLP, has been released. Past issues of A Moment of Privacy are also available.
Behavioral tracking of consumers online in order to deliver relevant advertising is a privacy issue that is receiving a lot of attention, and one that has been the focus of Federal Trade Commission and consumer group scrutiny. On September 25th, the United States Senate Commerce Committee held a hearing on online privacy and received commitments from the three industry representatives (from AT&T, Verizon and Time Warner Cable) that if they do deploy technologies that are able to track consumer online behavior in order to tailor advertising, that consumers will have clear notice and a full opportunity to provide affirmative consent. None of the companies currently use such technologies in their roles as Internet Service Providers. The broadband providers challenged the rest of the online industry, including web site operators and application providers such as Google, to provide the same protections to consumers. Essentially, the witnesses called for an end to "opt out" when it comes to online advertising.
Continue Reading...A Nevada law requiring encryption of customer personal information goes into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970 (2007). While the legislation is short in length, it is potentially wide-ranging in scope. In particular, the legislation requires any "business in this State" to encrypt an electronic transmission (other than via facsimile) of "any personal information of a customer" to "a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission." Id.
Continue Reading...
Enter keywords:
