FCC Seeks Comment on Numerous Broadband Privacy Issues

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

  • Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
  • Building Privacy by Design;
  • Concerns surrounding the collection, use, and storage of transactional data; and
  • The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

New White Paper Co-Authored by Hogan's Christopher Wolf Outlines How "SmartPrivacy" Concept Can be Used to Address the Privacy Concerns Raised by the Smart Grid

A new white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation,  highlights the importance of building privacy into new "Smart Grid" technologies from the outset.  The paper is co-authored by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian, Jules Polonetsky and Hogan’s Christopher Wolf.  Wolf and Polonetsky co-authored the paper in their capacity as co-chairs of the Washington-based Future of Privacy Forum.

“The information collected on a Smart Grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” said Christopher Wolf. “There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles, from beginning to end.”

“The smart grid will provide benefits for the economy and the environment and could mean savings for individual consumers,” said Jules Polonetsky. “But the success of the grid will be completely dependent on consumers trusting that their data is being handled responsibly. If companies do not get privacy right from the start, billions will have been spent in vain.”

The paper outlines Commissioner Dr. Ann Cavoukian’s SmartPrivacy concept and how it can be used to address the privacy concerns raised by the Smart Grid.

Two Hogan & Hartson Advisories on the Use of Social Media

Many people remember the now-dated cartoon from the New Yorker magazine showing two dogs sitting in front of a computer, with one observing to the other "the best part about the Internet is that no one knows you are a dog".  Even today, many people feel they enjoy complete privacy when interacting online, especially with certain social media sites.  But times have changed from when anonymity meant there were no obvious consequences to online conduct.  The proliferation of the use of social media is much in the news, and the legal issues also are proliferating.

Hogan & Hartson has just authored an advisory, available by clicking here, setting forth the considerations that arise when social media is used by three different groups — an entity itself, the employees of that entity, and third parties in reference to the entity. We discuss the benefits of social media, as well as issues and risks, from each of these three angles.

Also, the U.S. Food and Drug Administration recently announced that it will hold a two-day public hearing in November on how pharmaceutical companies use the web and social-media tools to market their products.  This is the first step in a process that will establish guidelines for drug makers using the tools of social networking.  The Hogan & Hartson advisory on this development is available by clicking here.

 

Maine Law to Protect Kids from Predatory Marketing Effectively On Hold

When the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

A host of businesses and colleges are hoping that old adage has no relevance when it comes to new laws to protect kids online.  Maine's “Act To Prevent Predatory Marketing Practices Against Minors,” effective September 12, 2009, was the source of major controversy and litigation over the summer because of the law's extreme overbreadth.  See, e.g., "Child-Proofing Your Ads: New Maine Law restricts Marketing to Minors", National Law Journal (August 4, 2009).

A lawsuit brought to enjoin the law from going into effect resulted in the plaintiffs and Maine's Attorney General agreeing that the law could violate the First Amendment to the United States Constitution because of its overbreadth.  U.S. District Judge John A. Woodcock dismissed the lawsuit without prejudice, observing that "[t]he Attorney General has acknowledged her concerns over the substantial overbreadth of the statute and the implications ... and accordingly has committed not to enforce it.”  The Order goes on to say any private suits brought under the law “could suffer from the same constitutional infirmities.”   Thus, most observers believe that businesses run little risk from non-compliance with the law in light of the Judge's observations even though they are dicta.

Even the sponsor of the law now recognizes that it has problems, but according to press reports blames that on the fact that no one raised any issues during the public hearings on the legislation leading to the law. The law is expected to be revised when the Maine legislature reconvenes in January 2010.

It was over the course of the summer when Maine’s leaders came to recognize that the hastily-passed law, although bearing a laudable pro-kids/anti-predation title, may not have been exactly what they thought it was. The closer look prompted serious second thoughts and the lawsuit that effectively stays enforcement of the law.

  • To start with, the Maine law goes well beyond predatory practices because it covers all marketing to people under 18 in Maine, whether you know they are under 18 or not. And it greatly exceeds the scope of the federal Children’s Online Privacy Protection Act of 1998  (“COPPA”). 
    • On a national level, COPPA requires web site operators to obtain verifiable parental consent before collecting personal information online from children.  While COPPA applies to children under 13 years old, the Maine law includes anyone under age 18 and makes no distinction between information collection online or offline – it all is covered whether the business has a commercial web site or not. And unlike COPPA, which does not provide for a private cause of action, the Maine law allows individuals to bring civil suits and to seek punitive damages, equitable relief and attorney costs.
  • Section 9552 of the Maine law prohibits knowingly collecting or receiving "health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent." It also prohibits selling, offering to sell or otherwise transferring to another "health-related information or personal information about a minor."
  • Section 9553 flatly prohibits using health-related or personal information about a minor for "marketing a product or service to that minor or promoting any course of action for the minor relating to a product." There is no parental consent exception.  So, while businesses may be able to collect, receive and sell a minor's information, as long as there is verifiable parental consent, they may not use that information for marketing regardless of parental consent prior to collecting the data.

Like many state privacy laws, the coverage of the law extends to those wherever located who collect information from state residents.  Thus, businesses nationwide are covered. And those businesses appear to be prohibited from sending to those under 18 in Maine any marketing information, even materials requested by Maine kids like college information and volunteer service brochures. No provision is made in the law for non-profit or educational institutions.  And, again, notably, the law does not require knowledge that the person to whom marketing information is sent is under 18, making compliance even more difficult.

At web sites where kids have signed up legally, the sites are banned from communicating with those people if there is a marketing message, even where there is a bona fide request for information.  

And so, businesses of all types would have a hard time figuring out how to exclude Maine’s minors from their marketing efforts without thwarting their legal right to send information to people in the 49 other states, DC and the territories.  That is why the lawsuit seeking an injunction against the law going into effect was brought.  The judge's order avoided an injunction against the State but made it clear that the law had Constitutional deficiencies. 

States often are heralded as incubators of our nation’s privacy laws, but in Maine, the “baby” may not be exactly what the parents expected.

Ninth Circuit Rules on CAN-SPAM Standing Requirements

The U.S. Court of Appeals for the Ninth Circuit held on August 6, 2009 that standing for private plaintiffs under the CAN-SPAM Act is limited.  Judge Richard Tallman, who authored the court's opinion in Gordon v. Virtumundo, Inc., No. 07-35487 (Aug. 6, 2009, 9th Cir.), noted that this was the first case in which the Ninth Circuit had attempted to comprehensively address the standing requirements under CAN-SPAM. 

The plaintiff, James S. Gordon, operated a website through which he provided email addresses for himself and friends and family members.  He intentionally registered these email addresses with 100-150 email mailing lists.  After the addresses began receiving commercial email, Gordon filed suit against many of the companies, including Virtumundo, Inc., that had sent such email.

The CAN-SPAM Act is primarily enforced by the Federal Trade Commission and state Attorneys General.  However, the Act does provide a private right of action for a "provider of Internet access service adversely affected by a violation."  The Ninth Circuit held that Gordon failed to satisfy either prong of this standing requirement. 

In addressing the service provider prong of the standing requirement, the court noted that the CAN-SPAM Act does not limit standing to traditional Internet service providers and cited to two lower court decisions that held that the social networking services MySpace and Facebook qualified as "access services."  While explicitly declining the opportunity to set forth a general test as to what it means to be "a provider of Internet access service," the court found that Gordon's service was limited to setting up email accounts and passwords and executing other administrative tasks, which was not enough to raise him to the level of Internet access service provider within the meaning of CAN-SPAM.  Gordon's online access was provided by Verizon, and GoDaddy provided the service that enabled Gordon to create the email addresses and the personalized web site; according to the court, both of these entities could have a compelling argument that they are Internet access service providers.

As for the second prong of the standing requirement, CAN-SPAM itself does not define "adversely affected."  The Ninth Circuit noted that "the harm must be both real and of the type experienced by ISPs."  Where there is suspicion that "a plaintiff is not operating a bona fide Internet access service," courts should take an especially close look at the cited harms.  The court found that Gordon had failed to argue that he had suffered any real harm as contemplated by the CAN-SPAM Act.  He did not have to hire additional personnel, nor did he experience the technical concerns or costs that may be attributed to commercial email.  Rather, the court found that Gordon intentionally sought out and benefited financially from the burdens of which he later complained and could not be considered "adversely affected."

Finally, the court also held that Gordon's state law claims regarding allegedly misrepresented email header information were preempted by CAN-SPAM.  The court held that Gordon's claim that the "from lines" of the emails failed to clearly identify Virtumundo as the sender did not rise to the level of "falsity or deception," the only type of state law commercial email claim excepted from CAN-SPAM preemption.

Gordon's claims were therefore denied on three counts:  (1) he was not an Internet access service provider; (2) he was not adversely affected; and (3) his state law claims were preempted by CAN-SPAM.  Three strikes and this plaintiff is out.