Earlier this year, we blogged about address book scraping and some of the issues associated with the practice, specifically transparency and the use of unsolicited, deceptive e-mails. In a suit against reunion.com, a recipient alleged that she received a “deceptive” e-mail from the site because it was purported to be from her friend when in fact it was from reunion.com and sent without her friend’s consent.

Now another site has come under scrutiny for similar address book scraping tactics. This July, New York Attorney General Andrew M. Cuomo announced that he intends to sue Tagged.com (“Tagged”) for deceptive e-mail marketing practices and invasion of privacy.

• Email This
• Print
• Comments
• Trackbacks

In early August, the Federal Trade Commission (“FTC”) announced the first enforcement action against a U.S. company for violation of the US/EU Safe Harbor Program. This enforcement action should serve as a call-to-action for all Safe Harbor program participants to review their safe harbor programs now, and re-affirm their compliance.

• Email This
• Print
• Comments
• Trackbacks

When Flash cookies (also known as a “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies into their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy. 

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.

• Email This
• Print
• Comments
• Trackbacks

Where the only harm alleged is mere “speculation as to a possible risk of injury,” a claim cannot survive a 12(b)(6) motion to dismiss, according to a District of Connecticut decision issued on August 31, 2009. McLoughlin v. People’s United Bank, Inc., and Bank of New York Mellon, Inc., No. 3:08-cv-00944-VLB (D. Conn. Aug. 31, 2009), thus follows a long and growing line of cases which simply hold that where there is no actual harm, there can be no case. 

• Email This
• Print
• Comments
• Trackbacks

On Wednesday, September 26, 2009, a lawsuit was filed in federal court in Maine to enjoin Maine’s new predatory marketing to minors law, which was previously discussed on our blog. If not enjoined, this problematic law is scheduled to go into effect on September 12, 2009.

The complaint, filed on behalf of offline and online entities, alleges that the law violates the First Amendment and the Commerce Clause of the Constitution, as well as 42 U.S.C. § 1983, and is preempted by COPPA (the Children’s Online Privacy Protection Act).   Injunctive and declaratory relief is sought, as well as attorney’s fees. 

• Email This
• Print
• Comments
• Trackbacks

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts' data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need.  These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program.  That said, the changes apply to all business, not just small businesses.

 

• Email This
• Print
• Comments
• Trackbacks

In Hernandez v. Hillsides, Inc., S147552 (Aug. 3, 2009) [pdf], the California Supreme Court unanimously held that the mere placement of a hidden video camera in an employee's office could constitute an invasion of privacy, even if the camera was never actually used to record the employee.  Under the specific facts of the case, however, the Court ultimately found no liability because the intrusion was relatively minor, limited and justified, but California employers should be aware that the use of hidden surveillance cameras without notice or warning in "semi-private" office space is likely to produce an actionable claim for invasion of privacy in many cases. 

• Email This
• Print
• Comments
• Trackbacks

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect.  Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to third parties, even if the business does not have knowledge that the information regards a minor.

• Email This
• Print
• Comments
• Trackbacks

In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys. 

WEP and WPA are two alternative ways to secure a wireless network from unauthorized interception, and WPA is more secure than WEP. In fact, researchers have reported consistently for several years that it is relatively easy to break into a WEP-secured wireless network. For that reason, as discussed further below, industry standards as well as regulators require that WPA (instead of WEP) be used to secure wireless networks that are used to transmit sensitive information such as credit card numbers. Nonetheless, many companies are still using WEP.

• Email This
• Print
• Comments (1)
• Trackbacks