These separate initiatives come on the heels of the issuance of a “Green Paper” on privacy by the U.S. Department of Commerce Internet Policy Task Force, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”.  One of the Green Paper’s key proposals is ensuring “nationally consistent security breach notification rules” through a federal commercial data security breach notification law that sets national standards, addresses how to reconcile inconsistent State laws, and authorized enforcement by state authorities. 

In early December, 2010, California State Senator Joe Simitian (D-Palo Alto) introduced a bill that, if enacted, would establish requirements for any notice sent to consumers in the event of a security breach.  The legislation is intended to update Simitian’s landmark 2003 privacy protection which required any business or state agency that loses unencrypted personal information to send a security breach notification letter to consumers whose privacy was compromised and inspired more than 40 states to adopt similar legislation.  The proposed bill requires any breach notice to disclose to consumers details of the security breach, including the types of information that were subject of the breach and the date the breach occurred.  While the bill is intended to compel business or agencies to be more forthcoming with consumers regarding details of any security breach, former Governor Arnold Schwarzenegger vetoed similar proposals in 2009 and 2010, citing lack of proof that the bills would benefit consumers and would be overly burdensome on businesses.

Lawmakers in Virginia introduced legislation in January of this year to expand notification requirements following a breach of security with respect to medical information.  While under current Virginia law, the requirement to provide notice only applies to organizations, corporations or agencies “supported wholly or principally by public funds”, the amended bill would extend the state’s requirement to notify individuals of a breach of their medical information to all individuals and public and private entities.  The bill also allows the state’s Attorney General to impose a civil penalty of up to $150,000 per breach of the security of the system or a series of similar breaches of a similar nature that are discovered in an investigation.

The same day that the Virginia bill was introduced, lawmakers in Oregon proposed House Bill 2851 an amendment to the Oregon Consumer Identity Theft Protection Act.  Oregon is currently one of a majority of states whose breach notification laws do not apply to hard-copy records.  The newly-introduced legislation would close that gap by requiring notice of an unauthorized disclosure of data contained in such hard copies.

While not necessarily inconsistent, the recent proposals in California, Virginia and Oregon make it clear that state regulatory and enforcement schemes in the privacy area have not all achieved a uniform point of evolution.  For many years, California had a security breach notification requirement on its books.  Virginia’s regulation on medical information breaches didn’t cover private entities.  And Oregon did not provide protection for privacy breaches resulting from disclosure of information on hard copy documents.

While the federal government speaks of uniform standards, it is still too early to tell whether those standards will take the form of a detailed, robust notification system, be based on the lowest common denominator among the current state schemes or fall somewhere in between those extremes.  We will continue to follow the ongoing developments, at both the state and federal levels, as this debate will no doubt evolve in the coming months and years.

This week the chair of the House Caucus on Privacy, Rep. Edward Markey of Massachusetts, criticized responses received by the Caucus from several large Web publishers admitting that keeping track of data collection on their sites is technically difficult, if not impossible.  Markey said that while the publishers detail their own privacy policies and opt-out procedures, these are often too complicated for the average consumer to follow.  He also pointed out that a single website may have dozens of firms collecting data through ads on the site and consumers would need to consult the policies of each of those firms to determine precisely what information was being collected and how it was being used.  (We recently wrote about this issue in a previous Digitalhhr post in connection with location-based advertising and Apple’s iPhone app policy.) 

Markey said that Congress will continue to look into enacting privacy legislation in the future and while he didn’t mention any specific proposals, as detailed in our recent CLE Webinar on Privacy in a De-Centralized Digital World, two pending privacy bills have been introduced.  The Boucher-Sterns Bill, proposed in May of this year would require that “covered entities” (defined as any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information) provide individuals with a privacy notice and an opportunity to opt-out before collecting, using or disclosing “covered information” about that individual.  Covered information is defined broadly and includes an individual’s first name or initial and last name, a postal address, a telephone number or an email address.  In addition, the bill would also require that covered entities obtain affirmative opt-in consent before: (i) collecting sensitive information such as medical records, sexual orientation and precise geographic location information or (ii) sharing covered information or sensitive information with unaffiliated parties. 

A similar bill known as the “BEST PRACTICES Act”, proposed two months after the Boucher-Sterns Bill, would permit a limited private right of action, allowing individuals to sue companies that violate the law for up to $1,000 in actual damages, plus punitive damages.  Both privacy bills would grant enforcement power to the FTC and the states but are not expected to pass this year.

Meanwhile, the FTC has held a series of public roundtables to discuss proposals for regulating consumer privacy as an increasing number of companies engage in the collection, storage and disclosure of end user data.  The last roundtable was held on March 17, 2010 and the FTC has been largely silent since then as to the findings for its much anticipated revised report on privacy guidelines, which is expected later this year.  That report is intended as the follow-up to the FTC‘s 2009 Staff Report, titled “Self-Regulatory Principles for Online Behavioral Advertising”, which was the subject of a previous Digitalhhr post.

However, recent public statements by Maneesha Mithal, the associate director of the FTC Division of Privacy and Identity Protection, suggest that the FTC’s new privacy report will include an emphasis on “consumer control”.  Mithal hinted that the upcoming FTC report may include findings of an increase in the collection, storage and use of data of which consumers are largely unaware particularly with respect to behavioral advertising and a blurring distinction between personally identifiable information and other types of data. 

More importantly, Mithal indicated that the yet-to-be approved report as currently drafted would recommend that all new technologies that involve the collection, storage, processing and/or disclosure of personal information should take into account end user privacy, including privacy reviews, as part of their design.  The draft report also contains a requirement that consumers receive “just in time” notices of collection practices (that is, a notice at the time data is collected), rather than the current practice of incorporating data collection and use provisions as part of a site’s terms of use/service and/or privacy policy.  “Just in time” notices are required under EU regulations, raising the question of whether requiring such new notice obligations might be a first step taken by the FTC to move towards the stricter and more uniform EU model for data protection and privacy regulation.  

In line with its recently stated focus on “consumer control” and in response to a 2007 push by a coalition of privacy groups , the FTC has also been considering improved opt-out mechanisms to online advertising such as a “do not track” list , similar to the National Do Not Call Registry, that would permit consumers to opt out of having their online activities tracked for advertising or marketing purposes. 

The FTC’s 2009 Staff Report proposed non-binding guidelines for an industry currently subject to self-regulation.  It remains to be seen whether the upcoming FTC report will propose actual regulations or seek guidance from Congress on whether to do so.  We will continue to follow the ongoing developments in this evolving discussion.

The FCC’s inquiry involves Google’s call-blocking policy.  In June, Google began noticing extremely high-cost calls to a concentrated number of rural destinations which generated vastly disproportionate costs.  Its internal investigations, using data filters to sort out call patterns, revealed that the top 10 telephone prefixes (the area code plus the first three digits of a seven digit number) to US destinations generated more than 160 times the expected amount and accounted for 26.2 percent of its monthly U.S. costs.  By August, Google began restricting calls to certain high-cost destinations.  Google’s response letter to the FCC describes the Google Voice service and explains Google’s investigation into and rationale behind its call blocking policy.  It claims that its engineers developed a “tailored solution” so that Google Voice currently restricts calls to fewer than 100 specific phone numbers, a practice which Google’s counsel believes is necessary to “prevent these schemes from exploiting the free nature of Google Voice.” 

While Google has only recently began blocking costly calls, the practice whereby rural telecoms charge long distance carriers exorbitant rates to connect and terminate calls from their networks is not new.  In may cases these telecoms partner and share revenue with adult chat service, conference calling centers and others to attract traffic to their networks.  AT&T, and other long-distance carriers, have long complained and sued over these so-called traffic pumping schemes.  However, as common carriers subject to FCC regulations, they were banned in 2007 from blocking calls and are required to deliver phone calls without discrimination to all numbers dialed.  AT&T’s complaint to the FCC is rooted in its contention that Google’s call blocking policy is enabling it to dance around this ban that applies to other carriers.

However, this recent skirmish over Google Voice is really part of a larger debate currently playing out in the regulatory stage over “network neutrality” rules being reexamined by the FCC and AT&T has framed Google’s actions as part of the debate. 

In its Statement on Google Voice and Net Neutrality, AT&T stated that “By openly flaunting the call blocking prohibition that applies to its competitors, Google is acting in a manner inconsistent with the spirit, if not the letter, of the FCC’s fourth principle contained in its Internet Policy Statement.“   The FCC’s fourth principle on net neutrality states that “consumers are entitled to competition among network providers, applications, and service providers, and content providers.“  

Some members of Congress are also concerned about the adverse impact on the market and support for universal service if Google is allowed to operate its telephone services outside of the rules that govern carriers.  As they stated in their letter to the FCC “[I]t is our opinion that a company should not be able to evade compliance with important principles of access and competition set forth by the FCC by simply self-declaring it is not subject to them without further investigation.”

Google responded to these charges by stating that “The FCC’s open Internet principles apply only to the behavior of broadband carriers – not the creators of Web-based software applications.” Google claims that AT&T is attempting to blur the distinction between Google Voice and traditional phone service but maintains that web applications like Google Voice and Skype shouldn’t be treated like traditional phone service.

Google distinguishes Google Voice from traditional phone carriers by explaining that unlike traditional carriers which charge users for their services, Google Voice is a free, web-based software application similar to e-mail rather than a telecom service designed to “supplement and enhance existing phone lines, not replace them” and should therefore be exempt from common carrier rules.   The service is currently available to a limited number of users on an invitation-only basis.  Users are still required to have an existing land or wireless line in order to use Google Voice and are still able to make outbound calls on any other phone device.  Therefore, because Google Voice is a software application, not a telephone company, Google believes that its service is not and should not be subject to common carrier laws or the FCC’s jurisdiction.

Distinctions aside, with nearly 1.5 million users, the increasingly popular service is viewed by some as running a rival service to traditional phone companies.  The heart of the FCC’s inquiry is whether Google Voice is a telecom service or an online software application and whether this distinction really matters.  How different is a call traveling directly over carrier lines from one that goes through software applications?  As of now, the difference appears to be the ability to block less than 100 calls, an option not available to AT&T and other carriers.

Whether the FCC agrees with Google’s characterization of its service and its interpretation of the current open Internet principles may have a dramatic impact on both the telecom and internet marketplaces.  And the FCC’s newly proposed rules on network neutrality may also play a prominent role in this debate.  We will continue to monitor the proceedings and keep you posted.