<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HHR New Media, Entertainment and Technology Group &#187; Regulations</title>
	<atom:link href="http://digitalhhr.com/category/regulations/feed/" rel="self" type="application/rss+xml" />
	<link>http://digitalhhr.com</link>
	<description>An online community</description>
	<lastBuildDate>Mon, 21 May 2012 18:54:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>The FTC’s Final Privacy Report Highlights Consumer Choice and Control</title>
		<link>http://digitalhhr.com/2012/04/the-ftc%e2%80%99s-final-privacy-report-highlights-consumer-choice-and-control/</link>
		<comments>http://digitalhhr.com/2012/04/the-ftc%e2%80%99s-final-privacy-report-highlights-consumer-choice-and-control/#comments</comments>
		<pubDate>Thu, 05 Apr 2012 03:42:53 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Regulations]]></category>
		<category><![CDATA["Do Not Track"]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2333</guid>
		<description><![CDATA[Last week, the FTC issued its final report on protecting consumer privacy.  The report, entitled &#8220;Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers&#8221;, builds on a December 2010 staff report that was the subject of an earlier post.  While the final report maintains the FTC’s “bottom up” approach to [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Last week, the FTC issued its final report on protecting consumer privacy.  The report, entitled </span></span><a href="http://ftc.gov/os/2012/03/120326privacyreport.pdf" onclick="pageTracker._trackPageview('/outgoing/ftc.gov/os/2012/03/120326privacyreport.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">&#8220;Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers&#8221;</span></a><span style="font-family: Times New Roman; font-size: small;">, builds on a December 2010 staff report that was the subject of </span><a href="http://digitalhhr.com/2010/10/recent-activities-in-washington-point-to-complex-issues-for-regulating-privacy/#more-1746"><span style="font-family: Times New Roman; font-size: small;">an earlier post</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;">.  While the final report maintains the FTC’s “bottom up” approach to privacy issues&#8211;including a final privacy “framework” to serve as a guiding policy for self-regulatory measures&#8211;rather than a “top down” approach of establishing federal privacy regulations, the FTC specifically recommended for the first time that Congress enact privacy legislation to augment self-regulatory efforts instituted by industry stakeholders.  <span id="more-2333"></span></span></span><span style="font-size: small;"><span style="font-family: Times New Roman;">The call for legislation was based on the Commission’s acknowledgement that self-regulation has not gone far enough.  
The Commission cited failures of mobile apps marketed to children to disclose collection and sharing practices and the inability of the data broker industry to establish self-regulatory rules as examples demonstrating the absence of basic privacy concepts such as transparency and meaningful consumer control in well-established markets.  Evidence of data breaches and unauthorized use and disclosure were also noted by the Commission.  </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">In his prepared </span></span><a href="http://www.ftc.gov/os/2012/03/120326jdlprivacyrptremarks.pdf" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/os/2012/03/120326jdlprivacyrptremarks.pdf?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">remarks released with the report, FTC chair Jon Leibowitz</span></a><span style="font-family: Times New Roman; font-size: small;"> reiterated that consumers should have choice and control when it comes to revealing their personal information.  He noted that the report is grounded in three principles that companies should follow to ensure that consumers have that control.  First, through “privacy by design”, that is the incorporation of privacy protections into products as they are developed.  Second, providing consumers choice about how their data is collected and used.  And third, providing more transparency to consumers through clear explanations of data handling practices.</span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">The legislative recommendation made by the Commission was somewhat general, calling on Congress to consider enacting “baseline privacy legislation that is technologically neutral and sufficiently flexible to allow companies to continue to innovate.”  One area of the legislation that the Commission focused on was the data brokerage industry, with the Commission calling for targeted legislation that would provide consumers with access to information about them held by a data broker.</span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">The Commission specifically noted that the legislation should not impose an undue burden on businesses that already incorporate into their practices the Fair Information Practice Principles (“FIPPS”), which were set forth in the </span></span><a href="http://www.whitehouse.gov/sites/default/files/privacy-final.pdf" onclick="pageTracker._trackPageview('/outgoing/www.whitehouse.gov/sites/default/files/privacy-final.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">Obama Administration’s data privacy “white paper”</span></a><span style="font-family: Times New Roman; font-size: small;"> issued in February.  (The FIPPS articulated in the white paper are: (i) transparency, (ii) individual control, (iii) respect for context, (iv) security, (v) access, (vi) accuracy, (vii) focused collection and (viii) accountability.)  The Commission envisions legislation that provides businesses with certainty of their obligations, as well as a scheme of civil penalties and remedies to act as a disincentive to disregard those obligations.</span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">While the scope and detail of any privacy legislation will be left to Congress, the FTC will continue to press the industry on self-regulatory measures to implement its privacy framework.  That framework focuses on five main action items:</span></span><span style="font-family: Times New Roman; font-size: small;"> </span></p>
<ul>
<li><span style="font-family: Times New Roman; font-size: small;">Implementation of an “easy-to-use, persistent and effective” <strong>Do Not Track</strong> system</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">Improved privacy protection in the <strong>Mobile</strong> space, including development of short, meaningful disclosures </span></li>
<li><span style="font-family: Times New Roman; font-size: small;">Address the invisibility of collection practices of <strong>Data Brokers</strong> by calling for the creation of a centralized website where data brokers could (i) identify themselves and describe how they collect and use data and (ii) detail access rights and other choices provided to consumers</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">Continued review of the tracking activities of <strong>Large Platform Providers</strong> such as ISPs, social media services, operating systems and browsers</span></li>
<li><span style="font-size: small;"><span style="font-family: Times New Roman;"><strong>Promoting enforceable self-regulatory codes</strong>, including using the failure of companies to abide by self-regulatory programs they join as the basis for a suit for unfair or deceptive practices.<strong> </strong></span></span></li>
</ul>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">None of these broader principles are groundbreaking.  The news, to the extent there was any, came from the detailed discussions of some of the points.  Some examples: </span></span></p>
<ul>
<li><span style="font-family: Times New Roman; font-size: small;">In a nod to those concerned with the burden that compliance with the framework might place on smaller businesses, the Commission stated that privacy disclosures are not needed for entities that collect limited amounts of non-sensitive data from under 5,000 consumers for their own use (<em>i.e.</em>, the data is not shared with third parties).</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">The Commission stated unequivocally that the framework applies in all commercial contexts, both online and offline.</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">In addressing data that is collected through a consumer device which may not necessarily be considered “personally identifiable information” (PII), the Commission determined that the framework would apply to data that can be “reasonably linked to a specific consumer, computer or other device.”  In clarifying the standard, the Commission provided guidance to companies to minimize linkability, including taking reasonable measures to “de-identify” the data, publicly committing to maintain and use the data only in such “de-identified” fashion and not attempt to “re-identify” the data and contractually prohibiting third parties they share the data with from re-identifying it.</span></li>
</ul>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Overall, the report appears to be a reflection of the current, baseline state of affairs in the privacy and data collection ecosystem.  And by promoting best practices and self-regulation, the Commission’s approach to privacy is to lead from behind, taking aggressive action primarily against “bad actors” and industry outliers.</span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Those businesses that adhere to best practices likely need not be overly concerned by the report.  However, it is important for them to consider how the FTC might use the framework set forth in the report (which reflects current practices) to interpret future business initiatives not yet conceived or contemplated.  In that regard, Chairman Leibowitz’ “resounding” statement that “consumers should have choice and control” should never be ignored.</span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2012/04/the-ftc%e2%80%99s-final-privacy-report-highlights-consumer-choice-and-control/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Changes in Copyright Law: Disrupting the Status Quo</title>
		<link>http://digitalhhr.com/2012/02/recent-changes-in-copyright-law-disrupting-the-status-quo/</link>
		<comments>http://digitalhhr.com/2012/02/recent-changes-in-copyright-law-disrupting-the-status-quo/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 19:52:04 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Copyright]]></category>
		<category><![CDATA[Intellectual Property]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Music]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[foreign works]]></category>
		<category><![CDATA[public domain]]></category>
		<category><![CDATA[sound recordings]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2308</guid>
		<description><![CDATA[Recent changes in the copyright laws, both in the United States and abroad, will soon cause considerable disruption to the existing paradigm of copyright protection.  The European Union recently adopted a directive to extend copyright protection for sound recordings by an additional 20 years and, in a decision handed down just a few weeks ago, the United [...]]]></description>
			<content:encoded><![CDATA[<p>Recent changes in the copyright laws, both in the United States and abroad, will soon cause considerable disruption to the existing paradigm of copyright protection.  The European Union recently adopted a directive to extend copyright protection for sound recordings by an additional 20 years and, in a decision handed down just a few weeks ago, the United States Supreme Court upheld a law that restores copyright protection to all eligible foreign works that were previously in the American public domain.  Lastly, a measure set to go into effect in the United States on January 1, 2013 may cause the greatest disruption to the copyright landscape.  Starting that day, authors of works created after 1978 and assigned to third parties can regain control of their works by terminating the assignment after 35 years.  Following is a brief summary of these developments.</p>
<p><em>EU Extends Copyright for Sound Recordings by 20 Years</em></p>
<p>In the European Union, popular music recordings from the 1960’s from acts such as the Beatles and the Rolling Stones were poised to enter the public domain as a result of the expiration of their 50-year copyright term.  In September 2011, however, the <a title="E.U. Extends Royalty Protection to Music Performers and Producers - New York Times" href="http://www.nytimes.com/2011/09/13/business/global/eu-extends-royalty-protection-to-music-performers-and-producers.html?_r=1" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.nytimes.com/2011/09/13/business/global/eu-extends-royalty-protection-to-music-performers-and-producers.html?_r=1&amp;referer=');">European Union voted to extend copyright protection</a> for these works for another 20 years. </p>
<p> Perhaps to assuage critics who claim that record labels (and not struggling musicians) will benefit most from the extension, <a title="EU Directive amending term of protection of copyright" href="http://ec.europa.eu/internal_market/copyright/docs/term/2011_directive_en.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/ec.europa.eu/internal_market/copyright/docs/term/2011_directive_en.pdf?referer=');">the new EU directive contains a number of accompanying measures to provide balance to individual musicians who may not directly benefit from the copyright extension</a>, including the following:</p>
<ul>
<li> rights to a sound recording may revert to the artist if the record label does not make the recording available for sale to the public (the “use it or lose it” clause);</li>
<li>a “clean slate” provision that prevents the record label from making any deductions during the extended copyright term from the contractual royalties due to featured artists; and</li>
<li>creation of a fund, financed by record labels with a percentage of benefits obtained from the copyright extension, for session musicians who signed away rights when a recording was made.</li>
</ul>
<p><a title="Europe Extends Copyright on Music - New York Times" href="http://www.nytimes.com/2011/09/13/arts/music/european-union-extends-copyright-on-recordings.html?_r=1" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.nytimes.com/2011/09/13/arts/music/european-union-extends-copyright-on-recordings.html?_r=1&amp;referer=');">Details as to how some of these measures will be implemented or enforced are not clear from the language of the new directive</a>.  Nevertheless, it seems likely that EU Member States will be expected to implement these accompanying measures in addition to the term extension. </p>
<p><em>U.S. Supreme Court Restores Copyright Protection to Foreign Works</em></p>
<p>On January 18, the U.S. Supreme Court, in a decision watched closely by musicians, publishers, educators, orchestra conductors, <a title="Supreme Court: Copyright can be extended to foreign works once in public domain - Washington Post" href="http://www.washingtonpost.com/politics/supreme-court-copyright-can-be-extended-to-foreign-works-once-in-public-domain/2012/01/18/gIQAbqbr8P_story.html?tid=sm_btn_tw" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.washingtonpost.com/politics/supreme-court-copyright-can-be-extended-to-foreign-works-once-in-public-domain/2012/01/18/gIQAbqbr8P_story.html?tid=sm_btn_tw&amp;referer=');">upheld a federal law restoring copyright protection to millions of books, paintings, films and musical compositions by foreign artists that were previously in the US public domain</a>.  In doing so, the Court rejected constitutional challenges to the law, holding that nothing in the Copyright Clause or the First Amendment “makes the public domain, in any and all cases, a territory that works may never exit.” </p>
<p> The case, <em><a title="Golan v. Holder - Supreme Court decision" href="http://www.supremecourt.gov/opinions/11pdf/10-545.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.supremecourt.gov/opinions/11pdf/10-545.pdf?referer=');">Golan v. Holder (docket 10-545)</a></em>, involved a 1994 law enacted by Congress (which became Section 514 of the Copyright Act) to implement certain provisions of the Berne Convention for the Protection of Literary and Artistic Works.  Article 18 of the Berne Convention required member countries to accord other countries minimum levels of copyright protection and treat authors of other countries in the same manner as they treat their own with respect to that protection.  While the U.S. joined Berne in 1989, it did not implement Article 18, in effect, disregarding protection for foreign works.  In 1994, the Berne Convention specifically mandated implementation of Article 18, leading Congress to enact Section 514, which was challenged in <em>Golan</em>.  Section 514 granted copyright protection in the U.S. to foreign works on the same basis as enjoyed under foreign copyright law. </p>
<p> Since prior to the enactment of Section 514, the U.S. did not recognize the foreign copyright protection of these works, they were considered to be in the American public domain.  Thus, upholding the application of Section 514, with its equal treatment of works under foreign copyright law, has the effect of providing copyright protection to works that were previously in the public domain.  As noted by Justice Ginsburg, the law merely puts “foreign works on an equal footing with their U.S. counterparts.”</p>
<p>Other provisions of Section 514 take into consideration its impact and attempt to ease transition to the new regime.  In particular:</p>
<ul>
<li> restored works will only be protected until the expiration of the full copyright terms, whether that expiration occurs in the U.S. or in the origin country;</li>
<li>reanimation of copyright will be limited to only the remainder of the copyright term to which the work would have been entitled had it never entered the public domain;</li>
<li> “reliance parties” who used or acquired a foreign work in the public domain prior to the enactment of Section 514 will be allowed to continue to use the work until the copyright owner gives notice of an intent to enforce; and</li>
<li>derivative works based on restored or reanimated work must only pay the copyright owner “reasonable compensation” to indefinitely exploit the derivation.</li>
</ul>
<p>As <a title="Golan v. Holder - Supreme Court decision" href="http://www.supremecourt.gov/opinions/11pdf/10-545.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.supremecourt.gov/opinions/11pdf/10-545.pdf?referer=');">the Supreme Court noted</a>, unanswered questions remain about how Section 514 will be implemented, but the Court did not consider those questions significant enough to require rejection of the law.  In particular, the treatment of “orphan works” (when the copyright owners of the newly regulated foreign material cannot be identified or located), will likely be among the first issues for Congress to resolve next.</p>
<p><em>“Termination Rights” To Take Effect in the U.S.        </em></p>
<p>On January 1, 2013, the <a title="Copyright Termination Rights: The Looming Battle for Music Industry - Entertainment, Arts and Sports Law Blog" href="http://nysbar.com/blogs/EASL/2011/10/copyright_termination_rights_t.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/nysbar.com/blogs/EASL/2011/10/copyright_termination_rights_t.html?referer=');">controversial “termination rights” provision of U.S. copyright law will be triggered</a>, allowing authors (and their heirs) to begin regaining control of their original works from publishers and record labels to whom the works were previously assigned.  For works assigned in 1978 and thereafter, Section 203 of the Copyright Act of 1976 allows an original author to exercise an option to terminate the existing owners’ rights if 35 years have expired since the assignment. </p>
<p>The wording of this provision suggests that termination rights are absolute for the original author or heirs, and thus would prevail over any written agreements assigning ownership, even if the agreements state that they are in perpetuity.  There is, however, an important exception for “works for hire,” which are deemed the property of the publisher or record label.     </p>
<p>Termination rights are a particularly <a title="Record Industry Braces for Artists’ Battles Over Song Rights - New York Times" href="http://www.nytimes.com/2011/08/16/arts/music/springsteen-and-others-soon-eligible-to-recover-song-rights.html?_r=2&amp;pagewanted=all" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.nytimes.com/2011/08/16/arts/music/springsteen-and-others-soon-eligible-to-recover-song-rights.html?_r=2_amp_pagewanted=all&amp;referer=');">hot topic for the music business</a>.  Once a master recording reaches its 35-year mark, it is “game on” for the artists and songwriters who wish to reclaim ownership of qualifying songs from publishers and record labels.  However, it is likely that any attempt to recapture rights will hinge on the language of the applicable contracts between the artists and songwriters, on one hand, and labels and publishers, on the other, specifically whether there is clear assignment language (which would be subject to termination) or “work for hire” language (which would leave ownership of the works with the applicable label or publisher). </p>
<p>One concern with “termination rights” is the lack of clarity in this provision as it may relate to musicians.  For example, it is unclear who exactly can qualify as an “author” of a sound recording, casting some ambiguity over who can share the rights after they revert.  The law is also murky for non-U.S. artists and whether those artists can exercise termination rights on American recordings.  What is clear, however, is that to enforce termination rights, authors (or their heirs) must comply strictly with the law.  Some of the provisions to be aware of include:</p>
<ul>
<li> a requirement to file termination notices as much as ten years in advance of the effective termination date, but no less than two years before the date an author hopes to recoup their work;</li>
<li>a provision stating that once a song or recording qualifies for termination, the author has five years in which to file a claim or else the right to reclaim the work lapses;</li>
<li>a rule that, for works created post-1978 with multiple authors or heirs, a majority must agree to terminate; and</li>
<li>a caveat that the law only has effect in the U.S., so that a publisher assigned a worldwide copyright will still retain control in foreign markets.</li>
</ul>
<p>For publishers and other existing owners of copyrighted works who face pending terminations, there are certain considerations to keep in mind:</p>
<ul>
<li>time is of the essence to reach out to songwriters or their estates to attempt to negotiate a new deal; </li>
<li>if a notice of termination has already been issued, only the current publisher may try to enter into a new deal with the songwriter or his estate before the termination takes effect;</li>
<li>opportunities may exist for new copyright acquisitions from authors who seek to enforce their termination rights against existing copyright holders, but who may be in the market for a deal with a new publisher; and</li>
<li>consider whether the “works for hire” exception applies. </li>
</ul>
<p>We will keep abreast of developments in these areas, particularly as the new implementation and enforcement schemes are developed.  And we are available to assist any copyright stakeholder seeking to assess how these changes in the copyright law may affect their rights.</p>
<p>**  Betsy Pierce, an associate with the Firm, assisted in the research and drafting of this post.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2012/02/recent-changes-in-copyright-law-disrupting-the-status-quo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Navigating ICANN’s New gTLD Program: The Next Big Branding Idea or a Brand’s Worst Nightmare?</title>
		<link>http://digitalhhr.com/2011/12/navigating-icann%e2%80%99s-new-gtld-program-the-next-big-branding-idea-or-a-brand%e2%80%99s-worst-nightmare/</link>
		<comments>http://digitalhhr.com/2011/12/navigating-icann%e2%80%99s-new-gtld-program-the-next-big-branding-idea-or-a-brand%e2%80%99s-worst-nightmare/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 01:01:44 +0000</pubDate>
		<dc:creator>Wayne and Lindsay</dc:creator>
				<category><![CDATA[Intellectual Property]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2276</guid>
		<description><![CDATA[After years of discussion and ongoing debate, the Internet Corporation for Assigned Names and Numbers (“ICANN”) will begin accepting applications for new generic Top-Level Domains (“gTLDs”) beginning on January 12, 2012.  Up until now, only 22 unrestricted gTLDs have existed across the Internet, among the most popular and well known being .com, .org, and .net.  [...]]]></description>
			<content:encoded><![CDATA[<p>After years of discussion and ongoing debate, the Internet Corporation for Assigned Names and Numbers (“ICANN”) will begin accepting applications for new generic Top-Level Domains (“gTLDs”) beginning on January 12, 2012.  Up until now, only 22 unrestricted gTLDs have existed across the Internet, among the most popular and well known being .com, .org, and .net.  With this new initiative, ICANN is establishing a process for companies and organizations to apply for new gTLD extensions, which may consist of any term or word, from company, firm or individual names and trademarks (<em>e.g.,</em> .digitalhhr, .hugheshubbard, .josel, <em>etc.</em>), to generic categories of goods and services (<em>e.g.,</em> .law, .music, .baldguys, <em>etc.</em>).  <span id="more-2276"></span></p>
<p>To many, the decision to open up the top-level of the Internet’s namespace has been a long time coming, creating a powerful tool to launch and/or expand brand marketing, promotion and overall recognition into a whole new realm.  However, taking advantage of these new opportunities will not be a simple process, and unfamiliarity with the complexity of registration and application protocols, as well as the array of technical, operational and legal issues that will arise, may be overwhelming to brand leaders and legal representatives alike.  Further, applying for and obtaining a new gTLD is not only time-consuming, but also extremely costly, with initial application fees of $185,000, coupled with overall integration and implementation fees, as well as ongoing yearly maintenance fees in the event that your application is approved at all.  </p>
<p>So what does this mean for you, and your company or association?  Below is a brief overview of the gTLD process, which should help you identify and analyze the associated benefits and risks that may present themselves. </p>
<p><em>Navigating the gTLD Application Process </em></p>
<p>Many are familiar with the registration of a Second-Level Domain (“SLD”), the name, term or phrase to the immediate left of the “dot” in a web address.  For example, in digitalhhr.com, “digitalhhr” is the SLD.  The process for registering an SLD is simple, and in most instances, merely requires a brief search on the internet and payment of a small fee to one of several registrars like register.com or godaddy.com. </p>
<p>The new gTLD application process is considerably more complex.  Unlike a simple SLD registration, any entity applying for and (if approved) operating a gTLD will ultimately become a registry itself.  ICANN has therefore established a comprehensive and lengthy approval process. </p>
<p>As part of the submission, applicants are required to provide substantial background information, including information related to corporate and legal structure and financial resources.   In addition to such background screening, the initial evaluation period consists of two primary areas of review: (i) applicant review&#8211;where the entity applying for the gTLD (including all individuals named within the application) will be subject to assessment, including an overall examination of technical, operational and financial capabilities, and (ii) string review&#8211;where the applicant’s proposed gTLD string will be evaluated. The applicant review focuses on the applicant itself in order to assess whether it has the means necessary to operate a registry, and whether the applicant’s registry services would adversely affect the security or stability of the Domain Name System (“DNS”).  The string review, on the other hand, focuses on the applied-for gTLD string in order to assess such issues as whether the proposed gTLD string would create user confusion, adversely affect DNS security or stability, etc. </p>
<p>According to ICANN, this initial period of evaluation may take up to 5 months or more and includes a public comment period.  Applicants who successfully complete this process (including surviving any formal objections that can be filed after publication of the completed application) will then be required to enter into a registry agreement with ICANN, as well as pass certain technical tests before the proposed gTLD is activated.  Overall the application process can take anywhere from 9 to 20 months, depending on the complexity of the application. In addition, all applicants will be required to pay a gTLD evaluation fee of $185,000, which shall be payable by the applicant as follows: $5,000 deposit upon applicant’s request for an application and the remaining $180,000 upon submission of the completed application.  Furthermore, applicants may be required to pay additional fees in certain cases, including where extended review is requested by those applicants that do not pass the initial evaluation. </p>
<p><em>The New gTLDs and Their Effect on Trademark Owners and Brands</em>.</p>
<p>For many entities, the financial expenditure, coupled with the time, resources and personnel necessary to operate a gTLD registry may deter them from moving forward with the process at all.  But even if a decision is made not to affirmatively use the gTLD process to launch and/or expand a brand, companies must still be concerned with protecting their trademarks.</p>
<p>In the tangled web of major stakeholders, complex processes and potential pitfalls, companies are faced with the daunting task of assessing and implementing new protection and monitoring mechanisms in order to protect their trademarks and brands. ICANN itself has integrated several mechanisms within the gTLD program to help provide comfort to trademark owners, including:</p>
<ul>
<li><em>Formal Objection to gTLD Applications:</em> At the close of the initial submission process in April, 2012, ICANN will publish a list of all applications to the general public, which will launch a period for filing formal objections to any application.  A formal objection may be filed on one of the following four grounds: (i) String Confusion Objection, (ii) Legal Rights Objection, (iii) Limited Public Interest Objection, or (iv) Community Objection. All properly filed objections will be subject to dispute resolution proceedings, which shall be administered by one of the following service providers, depending on the grounds for such objection: the Arbitration and Mediation Center of the World Intellectual Property Organization, the International Centre for Dispute Resolution, or the International Center of Expertise of the International Chamber of Commerce.  In the event that a gTLD is delegated, there will also be a post-delegation procedure to address issues that arise. Such objection procedures are set out in much greater detail in ICANN’s <em><a title="ICANN gTLD Applicant Guidebook" href="http://www.icann.org/en/topics/new-gtlds/rfp-clean-30may11-en.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.icann.org/en/topics/new-gtlds/rfp-clean-30may11-en.pdf?referer=');">gTLD Applicant Guidebook</a>.</em></li>
<li><em> </em><em>Trademark Clearinghouse: </em>The Trademark Clearinghouse is a centralized database, which will be provided, operated and maintained by ICANN, in order to store information in connection with third party trademarks. All trademark owners will be able to register their trademarks with the Trademark Clearinghouse. The Trademark Clearinghouse will be supported by individual registry operators through the establishment of individual Trademark Claims Services, as well as a “Sunrise” Process, as further described below.  </li>
<li><em>Trademark Claims Service/Domain Name Registration During the “Sunrise” Period:  </em>In accordance with ICANN’s procedures, all new registry operators must implement both Trademark Claims Services and a “Sunrise” Process during the initial period of general registration. The Trademark Claims Services will provide prospective gTLD registrants with notice of any third party trademark rights in and to the desired domain name, provided that such third party has registered with the Trademark Clearinghouse. However, such notice does not completely prevent the prospective registrant from registering such domain name. If the prospective registrant moves forward with the registration of such domain name, and it is registered in the Trademark Clearinghouse, the registrar will have to provide notice to the rights holder that such domain name has been registered.  In addition to such Trademark Claims Services, a “sunrise” period during the start-up phase for registration must be implemented in order to allow for eligible rights holders in the Trademark Clearinghouse first opportunity to register an SLD at the specific gTLD if a third party is seeking a sunrise registration thereof.  Notice to rights holders registered in the Clearinghouse will be provided by the registry operator upon requested registration by a third party. </li>
</ul>
<p>These are only some of the means that trademark owners, companies and brands can use in order to protect their marks. However, careful monitoring of ICANN’s application process and individual registrations, and prompt action, will ultimately be necessary going forward in order to properly defend against the potential issues that may arise.</p>
<p><em>What Now? </em></p>
<p>Whether you are an entity ready and willing to take on the challenge of registering a new gTLD, or simply looking to go on the defensive to protect your brand, devising the right strategy in response to the arrival of ICANN’s gTLD program is crucial for all brand owners.  </p>
<p>The DigitalHHR team has been working with clients to assist them in understanding the gTLD initiative, evaluating the potential benefits and pitfalls of moving forward with an application and assessing their brand protection needs, and is available to answer any questions you might have.  We will continue to monitor the progress of ICANN’s program as we near the start of the application window, particularly as details are made available regarding the Trademark Clearinghouse.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/12/navigating-icann%e2%80%99s-new-gtld-program-the-next-big-branding-idea-or-a-brand%e2%80%99s-worst-nightmare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>App Developers/Distributors Beware: FTC Now Cracking Down on Apps Targeting Children</title>
		<link>http://digitalhhr.com/2011/08/app-developersdistributors-beware-ftc-now-cracking-down-on-apps-targeting-children/</link>
		<comments>http://digitalhhr.com/2011/08/app-developersdistributors-beware-ftc-now-cracking-down-on-apps-targeting-children/#comments</comments>
		<pubDate>Tue, 30 Aug 2011 20:38:50 +0000</pubDate>
		<dc:creator>Cindy</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[COPPA]]></category>
		<category><![CDATA[FTC]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2185</guid>
		<description><![CDATA[A prominent developer of mobile applications, W3 Innovations, LLC, the parent company of Broken Thumb Apps (“W3”), has agreed to pay $50,000 to settle charges brought by the Federal Trade Commission (“FTC”) in its first enforcement action involving mobile applications (“apps”), according to terms of the settlement announced last week. The FTC’s complaint, filed on [...]]]></description>
			<content:encoded><![CDATA[<p>A prominent developer of mobile applications, W3 Innovations, LLC, the parent company of <a href="http://arstechnica.com/tech-policy/news/2011/08/ios-devs-pay-50000-for-collecting-childrens-info-in-apps.ars" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/tech-policy/news/2011/08/ios-devs-pay-50000-for-collecting-childrens-info-in-apps.ars?referer=');">Broken Thumb Apps</a> (“W3”), has agreed to pay $50,000 to settle charges brought by the Federal Trade Commission (“FTC”) in its first enforcement action involving mobile applications (“apps”), according to terms of the <a href="http://63.241.106.251/opa/2011/08/w3mobileapps.shtm" onclick="pageTracker._trackPageview('/outgoing/63.241.106.251/opa/2011/08/w3mobileapps.shtm?referer=');">settlement</a> announced last week. The FTC’s <a href="http://www.ftc.gov/os/caselist/1023251/110815w3cmpt.pdf" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/os/caselist/1023251/110815w3cmpt.pdf?referer=');">complaint</a>, filed on August 12, 2011, alleged that W3, which develops and distributes mobile apps for Apple and Android devices, several of which are directed at children and are listed in the “Games-Kids” section of the iTunes App Store, violated the <a href="http://www.coppa.org/coppa.htm" onclick="pageTracker._trackPageview('/outgoing/www.coppa.org/coppa.htm?referer=');">Children&#8217;s Online Privacy Protection Act</a> (COPPA) by illegally collecting personal information from children under the age of 13 without prior parental consent. <span id="more-2185"></span></p>
<p>As we’ve discussed in a <a href="http://digitalhhr.com/2011/04/bipartisan-privacy-bill-of-rights-act-introduced-in-senate/">previous post</a>, the United States lacks a comprehensive federal privacy law regulating the collection, storage, use and disclosure of personal information in the online context and lawmakers have introduced several new initiatives in an attempt to address the issue.  However, under COPPA, one of the few existing federal laws that deals with online privacy, the FTC has been flexing its muscles by regulating online (i.e., website-based), and with this case, mobile (i.e., app-based), privacy.</p>
<p>According to the FTC, several of W3’s apps are directed at children under the age of 13, including the popular “Emily’s Girl World”, “Emily’s Dress Up”, “Emily’s Dress UP &amp; Shop” and “Emily’s Runway High Fashion”.  These apps encourage, but do not require, users to post comments (which could include personal information) to the Emily’s Girl World blog and to directly email their comments to “Emily”.  The FTC’s <a href="http://www.ftc.gov/os/caselist/1023251/110815w3cmpt.pdf" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/os/caselist/1023251/110815w3cmpt.pdf?referer=');">complaint</a> states that, “in addition to the collection and maintenance of over 30,000 emails, containing email addresses, [the company has] collected, maintained, and/or disclosed personal information from over 300 Emily’s Girl World app users and 290 Emily’s Dress Up app users who have registered to submit comments.” Specifically, the FTC alleges that W3 failed to: (a) maintain or link to an online notice of its information collection, use and disclosure practices; (b) provide direct notice to parents of their practices regarding the collection, use, and/or disclosure of children’s personal information; and (c) obtain verifiable consent from parents prior to collecting, using or disclosing such information, all in violation of COPPA.</p>
<p>In response to the FTC action, W3 <a href="http://paidcontent.org/article/419-ftc-busts-app-maker-for-collecting-kids-e-mail-addresses/" onclick="pageTracker._trackPageview('/outgoing/paidcontent.org/article/419-ftc-busts-app-maker-for-collecting-kids-e-mail-addresses/?referer=');">stated</a> that its “sole purpose in collecting email data was to improve the user experience with [its] apps; we never used any email address for marketing purposes or sold it to other firms”.  The company appears to have taken immediate corrective action after receiving notice from the FTC and implemented “a strict email policy that removes any possibility of collecting and retaining email addresses, even unintentionally, from users under the age of 13”.  As part of the settlement, W3 has also agreed to delete all the personal information previously collected from children and to refrain from future violations of COPPA.</p>
<p>This is the second federal enforcement action made public this year over a COPPA violation, which suggests that the FTC may continue to aggressively pursue privacy violations involving children.  <a href="http://www.playdom.com/" onclick="pageTracker._trackPageview('/outgoing/www.playdom.com/?referer=');">Playdom</a>, a Disney Enterprises subsidiary, is the first website/app developer to settle with the FTC this year over COPPA violations.  The company operates virtual world websites where users, many of whom are children, are required to provide ages and email addresses in order to register to play online games.  They are also allowed to post their full names, email addresses, instant messenger IDs, and location data to personal profile pages and online community forums.  In May, Playdom <a href="http://ftc.gov/opa/2011/05/playdom.shtm" onclick="pageTracker._trackPageview('/outgoing/ftc.gov/opa/2011/05/playdom.shtm?referer=');">agreed to pay $3 million</a> in a costly settlement over FTC charges, similar to those set forth in the W3 complaint, that it collected information from children without notifying parents and obtaining prior parental consent in violation of COPPA.</p>
<p>Most notably for app developers and distributors, FTC Chairman Jon Leibowitz emphasized the importance of obtaining parental consent, and made clear that the app space is no different from traditional website platforms.  “The FTC’s COPPA Rule requires parental notice and consent before collecting children’s personal information online, whether through a website or a mobile app,” said Chairman Jon Leibowitz in a <a href="http://www.nationaljournal.com/tech/ftc-fine-on-app-developer-prompts-calls-for-updated-privacy-policies-20110815" onclick="pageTracker._trackPageview('/outgoing/www.nationaljournal.com/tech/ftc-fine-on-app-developer-prompts-calls-for-updated-privacy-policies-20110815?referer=');">statement</a> given in response to the settlement. According to Senator Amy Klobuchar, who has been working to prevent <a href="http://arstechnica.com/apple/news/2011/04/apple-facing-class-action-lawsuit-over-kids-in-app-purchases.ars" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/apple/news/2011/04/apple-facing-class-action-lawsuit-over-kids-in-app-purchases.ars?referer=');">deceptive in-app purchase</a> practices on mobile devices, “Mobile apps can be great tools for kids to learn and have fun, but parents should never have to worry that their child’s personal information is being collected or violated.”</p>
<p>In light of the current evolving enforcement climate, developers, distributors and operators of apps and websites targeted at children that collect personal information, should, among other things, ensure that they adhere to the requirements of COPPA, including  the basic guidelines described below. Specifically, prior to collecting, using or disclosing personal information received from children under 13, developers, distributors and operators must obtain verifiable parental consent for any such collection, use or disclosure.  They should also provide notice on their apps, websites and other applicable platforms regarding the kind of information that is collected from children, how such information is used and their disclosure practices related thereto. Further, if and whenever requested by a parent (or guardian), such developers, distributors and operators must provide (a) a description of the specific types of personal information collected from that child; (b) the opportunity at any time to refuse to permit further use or maintenance in retrievable form, or future online collection, of personal information from that child; and (c) reasonable means for the parent to obtain any personal information collected from that child. In addition, COPPA rules proscribe conditioning a child&#8217;s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity.</p>
<p>As apps continue their meteoric rise in popularity, and become, in many instances, the preferred method of digital content distribution and consumption, we will continue to monitor the FTC’s actions in both the online and mobile spaces, the new privacy initiatives making their way through Congress and what these events may ultimately mean for the current stakeholders.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/08/app-developersdistributors-beware-ftc-now-cracking-down-on-apps-targeting-children/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>US Supreme Court Strikes Down California Video Game Law</title>
		<link>http://digitalhhr.com/2011/06/us-supreme-court-strikes-down-california-video-game-law/</link>
		<comments>http://digitalhhr.com/2011/06/us-supreme-court-strikes-down-california-video-game-law/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 18:17:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Gaming]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[ESRB]]></category>
		<category><![CDATA[ratings]]></category>
		<category><![CDATA[video games]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2153</guid>
		<description><![CDATA[The Supreme Court has struck down a California law that sought to regulate the sale of  video games by imposing a labeling requirement based on content and prohibiting the rental or sale of certain games to minors.  In its decision, the Court found that, like books, plays and movies, video games communicate ideas through literary devices such [...]]]></description>
			<content:encoded><![CDATA[<p>The Supreme Court has struck down a California law that sought to regulate the sale of video games by imposing a labeling requirement based on content and prohibiting the rental or sale of certain games to minors.  In its decision, the Court found that, like books, plays and movies, video games communicate ideas through literary devices such as characters, dialogue, plot and music and through features distinctive to the games&#8217; medium, such as the player&#8217;s interaction with the virtual world.  As such, the games were entitled to First Amendment protection and the California law, which would have prohibited the sale of &#8220;violent video games&#8221; to minors and required such games to be specially labelled, was unconstitutional. </p>
<p>In dismissing the State&#8217;s arguments that the law was addressing a substantial need of parents who wish to restrict their children&#8217;s access to violent games but cannot do so, the Court stated that the ratings of the Entertainment Software Rating Board (ESRB) and video retailers&#8217; efforts in not selling games rated &#8220;M&#8221; to minors helped ensure that children would not be able to purchase violent video games.  Thus, the &#8220;remaining modest gap&#8221; that the California law was intended to fill could not be deemed a &#8220;compelling state interest&#8221; that could overcome First Amendment protection for the games.</p>
<p>The full <a title="Brown v. Entertainment Merchants Association - US Supreme Court decision" href="http://digitalhhr.com/wp-content/uploads/2011/06/Schwarzenegger-v-Entertainment-Merchants-Association-USSC-decision.pdf" target="_blank">decision</a> can be found here.  As noted <a title="HHR Represents Consumer Group in Challenge to California Video Game Law" href="http://digitalhhr.com/2010/07/hhr-represents-consumer-group-in-challenge-to-california-video-game-law/" target="_blank">previously</a>, Hughes Hubbard &amp; Reed represented the Entertainment Consumers Association in filing an amicus brief opposing the law.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/06/us-supreme-court-strikes-down-california-video-game-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Data Breaches May Spur Congressional Action on Data Regulations</title>
		<link>http://digitalhhr.com/2011/05/recent-data-breaches-may-spur-congressional-action-on-data-regulations/</link>
		<comments>http://digitalhhr.com/2011/05/recent-data-breaches-may-spur-congressional-action-on-data-regulations/#comments</comments>
		<pubDate>Wed, 11 May 2011 16:02:34 +0000</pubDate>
		<dc:creator>Cindy and Kari</dc:creator>
				<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Sony]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2127</guid>
		<description><![CDATA[In the wake of the recently publicized data breach involving Sony’s PlayStation and Online Entertainment networks, Congress appears ready to accelerate its efforts to enact legislation to implement regulations intended to prevent future breaches and provide a framework for enforcement in the event of a breach.  The data breaches at Sony, which occurred on two [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-family: Times New Roman;">In the wake of the recently publicized data breach involving Sony’s PlayStation and Online Entertainment networks, Congress appears ready to accelerate its efforts to enact legislation to implement regulations intended to prevent future breaches and provide a framework for enforcement in the event of a breach.  The data breaches at Sony, which occurred on two separate occasions (at the end of April and then again at the beginning of May), involved more than 100 million accounts. The data that was leaked included information about PlayStation subscribers such as names, addresses, emails, passwords, usernames, birthdays, phone numbers and purchase histories.  <span id="more-2127"></span></span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Sony is not the first, and unfortunately will likely not be the last, to be subject to such attacks.  To date, the largest data breaches include up to </span><span style="font-family: Times New Roman; font-size: small;"><a title="Security Fix - Payment Processor Breach May Be Largest Ever - Washington Post" href="http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?referer=');">130 million credit card numbers</a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Security Fix - Payment Processor Breach May Be Largest Ever - Washington Post" href="http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?referer=');"> stolen from Heartland Payment System </a>in 2009, up to </span><a title="TJX, banks reach settlement in data breach - The Boston Globe" href="http://www.boston.com/business/articles/2007/12/18/tjx_banks_reach_settlement_in_data_breach/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.boston.com/business/articles/2007/12/18/tjx_banks_reach_settlement_in_data_breach/?referer=');"><span style="font-family: Times New Roman; font-size: small;">100 million accounts from retailer TJX</span></a><span style="font-family: Times New Roman; font-size: small;"> in 2005 and 2006, and more than </span><span style="font-family: Times New Roman; font-size: small;"><a title="Grocery Chain Hit with Data Breach - msnbc.com" href="http://www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/" target="_blank" 
onclick="pageTracker._trackPageview('/outgoing/www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/?referer=');">4.2 million credit and debit card numbers</a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Grocery Chain Hit with Data Breach - msnbc.com" href="http://www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/?referer=');"> from the grocery chain Hannaford Bros</a>. in 2008. Recently, at e-mail marketing firm <a title="Hacking of data firm Epsilon exposes customers of 50 firms - LA Times" href="http://articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405" target="_blank" onclick="pageTracker._trackPageview('/outgoing/articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405?referer=');">Epsilon, there was a </a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Hacking of data firm Epsilon exposes customers of 50 firms - LA Times" href="http://articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405" target="_blank" onclick="pageTracker._trackPageview('/outgoing/articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405?referer=');">significant data breach</a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Hacking of data firm Epsilon exposes customers of 50 firms - LA Times" href="http://articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405" target="_blank" onclick="pageTracker._trackPageview('/outgoing/articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405?referer=');"> </a>which affected about 50 of its business customers.  
And just this week it was revealed that a software flaw may have enabled third party applications operating within </span><a title="Facebook flaw leaked millions of user account tokens - msnbc.com" href="http://redtape.msnbc.msn.com/_news/2011/05/10/6621745-facebook-flaw-leaked-millions-of-user-account-access-tokens" target="_blank" onclick="pageTracker._trackPageview('/outgoing/redtape.msnbc.msn.com/_news/2011/05/10/6621745-facebook-flaw-leaked-millions-of-user-account-access-tokens?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">Facebook to leak user account information</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;">.</span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">These incidents have renewed </span><a title="Dem: Sony's response &quot;unconscionable - The Hill" href="http://thehill.com/blogs/hillicon-valley/technology/159129-blumenthal-slams-sony-for-silence-second-breach" target="_blank" onclick="pageTracker._trackPageview('/outgoing/thehill.com/blogs/hillicon-valley/technology/159129-blumenthal-slams-sony-for-silence-second-breach?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">concerns on Capitol Hill about how companies are responding to data breaches</span></a><span style="font-family: Times New Roman; font-size: small;">, especially in connection with notifying customers that their information may have leaked.  Both </span><a title="Letter to Bono, Mack and Butterfield" href="http://www.scribd.com/doc/54620608/Letter-to-Bono-Mack-and-Butter-Field" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.scribd.com/doc/54620608/Letter-to-Bono-Mack-and-Butter-Field?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">Sony</span></a><span style="font-family: Times New Roman; font-size: small;"> and </span><a title="Epsilon letter to Bono, Mack and Butterfield" href="http://republicans.energycommerce.house.gov/Media/file/Letters/041811%20Epsilon%20Response.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/republicans.energycommerce.house.gov/Media/file/Letters/041811_20Epsilon_20Response.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">Epsilon</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;"> sent written responses to questions posed by a House subcommittee on their handling of the breaches.  </span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Lawmakers appear to recognize that, although security measures may be in place, they are not always fully implemented. </span><a title="Lawmakers: new data protection regulations needed - PC World" href="http://www.pcworld.idg.com.au/article/385393/lawmakers_new_data_protection_regulations_needed/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.pcworld.idg.com.au/article/385393/lawmakers_new_data_protection_regulations_needed/?referer=');"><span style="font-family: Times New Roman; font-size: small;">House Energy and Commerce Committee members have questioned</span></a><span style="font-family: Times New Roman; font-size: small;"> whether U.S. businesses are taking the necessary steps to protect their data. According to Pablo Martinez, a deputy special agent in charge of the Criminal Investigative Division at the U.S. Secret Service, </span><a href="http://www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/" onclick="pageTracker._trackPageview('/outgoing/www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/?referer=');"><span style="font-family: Times New Roman; font-size: small;">in nearly all data breaches,</span></a><span style="font-family: Times New Roman; font-size: small;"> the subject company had not taken reasonable precautions. 
A </span><span style="font-family: Times New Roman; font-size: small;"><a title="US Congress called on to pass new data security law - computerworlduk.com" href="http://www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/?referer=');">2010 report</a></span><span style="font-size: small;"><span style="font-family: Times New Roman;"><a title="US Congress called on to pass new data security law - computerworlduk.com" href="http://www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/?referer=');"> </a>found that 96% of breaches were, in fact, avoidable through simple or intermediate controls”.  </span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">In determining how to begin drafting a comprehensive and effective bill to regulate data breaches, several lawmakers said they planned to use the </span><a title="Data Accountability and Trust Act" href="http://www.gpo.gov/fdsys/pkg/BILLS-111hr2221rfs/pdf/BILLS-111hr2221rfs.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.gpo.gov/fdsys/pkg/BILLS-111hr2221rfs/pdf/BILLS-111hr2221rfs.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">Data Accountability and Trust Act (2009)</span></a><span style="font-family: Times New Roman; font-size: small;">(DATA Act), as their starting point. Although introduced and passed by the House, the DATA Act was put to a vote in the Senate</span><span style="font-size: small;"><span style="font-family: Times New Roman;">. If passed, the Act would have required organizations holding personal data to maintain security policies and to notify affected consumers after a data breach. It addressed the following three major concerns: information security requirements for personal information in general; information security requirements for personal information for ‘information brokers’; and breach notice obligations. </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Although the majority of states have enacted data breach laws, the DATA Act proposed an allowance for civil penalties of up to $11,000 per violation (up to $5 million) and each failure to send the required notification to an affected individual would be treated, under the Act, as a separate violation. The risk of such considerable penalties set forth in the Act would surely encourage compliance. On the other hand, there seemed to appear to be certain clauses within the DATA Act that could have lead to even less breach reporting. With regard to breach notice obligations, the bill required that potential victims of identity theft be notified whenever their electronically stored personal information was exposed. Had it been passed, the law would preempt <em>all</em> state laws (not just state laws that are less stringent or contrary to the Act) and would be the first of its kind. All competing state law standards would therefore be eliminated, ultimately leading to less forum shopping. Furthermore, the standard (“risk of harm”) set forth in the DATA Act falls on the higher end of the spectrum as compared to the standards set forth in some state laws which would most likely lead to less frivolous lawsuits. </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">A major concern with the DATA Act was that it could only be implemented by the FTC. This was problematic as there are numerous companies and organizations that the FTC does not have jurisdiction over, including banks, common carriers and nonprofits. In order to be effective and worthwhile, the new bill will have to be drafted so that it is enforceable not only by the FTC but by other governmental entities as well. Other apprehension stemmed from the fact that the bill provided that breaches would not have to be reported if the organization in question determined that “there is no reasonable risk of identity theft, fraud, or other unlawful conduct”. The bill also granted an exemption if the breached information was encrypted or protected by any other technologies that, according to the FTC, render data unreadable. </span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">As expected, lawsuits over the Japanese electronics giant’s breach have started to come out of the woodwork. The </span><a title="Johns v. Sony Computer Entertainment America LLC - Class Action Complaint" href="http://www.scribd.com/doc/54070618/JohnsvSony-Complaint-FINAL" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.scribd.com/doc/54070618/JohnsvSony-Complaint-FINAL?referer=');"><span style="font-family: Times New Roman; font-size: small;">first suit</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;"> came a day after Sony acknowledged the breach. The complaint, filed in the Northern District Court of California, alleges that Sony failed to take “reasonable care to protect, encrypt and secure the private and sensitive data of its users” which prevented PlayStation Network users from being able “to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions”.  The suit seeks monetary compensation and free credit card monitoring. </span></span></p>
<p><a href="http://www.mobilemag.com/2011/05/07/the-1-billion-class-action-lawsuit-against-sony/" onclick="pageTracker._trackPageview('/outgoing/www.mobilemag.com/2011/05/07/the-1-billion-class-action-lawsuit-against-sony/?referer=');"><span style="font-family: Times New Roman; font-size: small;">A second suit</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;">, which claims damages in excess of $1 billion (Canadian dollars), was filed by a Toronto-based law firm on behalf of a 21-year-old plaintiff and names Sony Japan, Sony USA, Sony Canada and other Sony entities as defendants. </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">The aftermath of these recent incidents may prove to be a useful lesson and may expedite the development of better security technology and practices in the private sector and perhaps even force Congress and the FTC to finally pass a bill that will afford sufficient protection to consumers’ personal data.  We will continue to monitor the ongoing developments in privacy and security legislation and its potential impact on our clients. </span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/05/recent-data-breaches-may-spur-congressional-action-on-data-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bipartisan Privacy Bill of Rights Act Introduced in Senate</title>
		<link>http://digitalhhr.com/2011/04/bipartisan-privacy-bill-of-rights-act-introduced-in-senate/</link>
		<comments>http://digitalhhr.com/2011/04/bipartisan-privacy-bill-of-rights-act-introduced-in-senate/#comments</comments>
		<pubDate>Wed, 20 Apr 2011 21:09:31 +0000</pubDate>
		<dc:creator>Cindy</dc:creator>
				<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Commercial Privacy Bill of Rights Act]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[Kerry]]></category>
		<category><![CDATA[McCain]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2122</guid>
		<description><![CDATA[Last Tuesday, U.S. Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act of 2011 which is intended to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  According to the bill, current laws at the state and federal [...]]]></description>
			<content:encoded><![CDATA[<p>Last Tuesday, U.S. Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced the <a title="Commercial Privacy Bill of Rights Act of 2011" href="http://kerry.senate.gov/imo/media/doc/Commercial%20Privacy%20Bill%20of%20Rights%20Text.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/kerry.senate.gov/imo/media/doc/Commercial_20Privacy_20Bill_20of_20Rights_20Text.pdf?referer=');">Commercial Privacy Bill of Rights Act of 2011</a> which is intended to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  According to the bill, current laws at the state and federal level provide inadequate privacy protection for individuals and the Federal Government has “eschewed general commercial privacy laws in favor of industry self-regulation” which has largely been unenforceable and has provided insufficient privacy protections. <span id="more-2122"></span></p>
<p>If enacted, the law would direct the FTC, within specified timeframes, to make rules requiring “covered entities” ‑ those that collect, use, transfer or store “covered information”  of more than 5,000 individuals over any consecutive 12-month period ‑ to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains.  Specific requirements are imposed directly on entities covered under the act.</p>
<p>“Covered information” that is protected under the proposed bill includes personally identifiable information (“PII”), unique identifier information and basically any information that may be used to identify an individual.  Some provisions require a different standard with regard to “sensitive personally identifiable information”, which is defined as information relating to medical records or religious affiliations and PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”</p>
<p>A high level summary of a draft form of the bill was discussed in our recent webinar, <a title="DigitalHHR Webinars" href="http://digitalhhr.com/webinars/" target="_blank">&#8220;App-Endectomy: Removing the Mystery from the App Ecosystem.&#8221;</a>  Here we’ll present the key highlights of the proposed bill.</p>
<p><strong><span style="text-decoration: underline;">Right to Security and Accountability</span></strong></p>
<p>The bill requires the FTC to initiate a rulemaking proceeding to require covered entities to carry out security measures to protect the covered information they collect and maintain.  These security measures should be proportional to the size, type and nature of the covered information and should be consistent with recognized industry standards and the current guidance provided by the FTC in its <a title="&quot;Protecting Consumer Privacy in an Era of Rapid Change,&quot; Preliminary FTC Staff Report, December 2010" href="http://www.ftc.gov/os/2010/12/101201privacyreport.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/os/2010/12/101201privacyreport.pdf?referer=');">privacy framework</a>.  Each covered entity shall have “managerial accountability”, a process to respond to non-frivolous inquiries from individuals.  The bill requires that covered entities implement a “privacy by design” approach that builds privacy protections into their everyday business practices.</p>
<p><strong><span style="text-decoration: underline;">Right to Notice and Individual Participation</span></strong></p>
<p>The bill also requires the FTC to initiate a rulemaking proceeding to require covered entities to: (i) provide clear, concise and timely notice regarding their information practices and any material changes to such practices; (ii) offer individuals a clear and conspicuous opt-out mechanism for (a) unauthorized uses of their information or (b) use by third parties of their covered information for behavioral advertising or marketing.  The higher opt-in consent is required whenever an entity is dealing with sensitive PII, materially changes its stated practices or when the uses or transfer of information to a third party creates a risk of economic or physical harm to an individual.  Entities should also provide individuals with access to their PII and mechanisms to correct inaccurate PII.  In the event an entity enters bankruptcy or an individual terminates its relationship with an entity, the individual must also have the option to request that its covered information be rendered not personally identifiable if possible.</p>
<p><strong><span style="text-decoration: underline;">Rights Relating to Data Minimization, Constraints on Distribution, and Data Integrity</span></strong></p>
<p>The bill’s requirements on data constraints and integrity are fairly standard.  Covered entities should only collect what’s needed.  They must have procedures to ensure the accuracy of the information and they should only retain the info as long as necessary to provide the service.  Whenever a covered entity transfers information to a third party, the covered entity and third party must enter into a contract that says the third party won’t combine information to identify individuals without such individual’s opt-in consent.</p>
<p><strong><span style="text-decoration: underline;">Enforcement and Penalties</span></strong></p>
<p>The bill grants the FTC enforcement authority over “knowing or repetitive” violations which shall be treated as unfair or deceptive acts or practices.  State attorneys general are given civil action authority to enforce the Act.  Notably, the Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. </p>
<p>Monetary penalties for violating the Act are stiff &#8211; a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance.  If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater.  Liability is capped at $3 million. The act would preempt state laws, except those laws dealing with health or financial information or data breach notification.</p>
<p><strong><span style="text-decoration: underline;">Safe Harbor</span></strong></p>
<p>There would be safe harbor programs which the FTC would create and supervise that would exempt participating entities from certain requirements of the Act.  However, these programs would have to have, in the FTC’s opinion, similar or more protective requirements than the Act itself.</p>
<p>While Senators McCain and Kerry tout the proposed legislation as a step towards greater and more consistent privacy protection, privacy advocates have argued the Commercial Privacy Bill of Rights Act of 2011 does not go far enough.  Unlike the FTC’s 2010 privacy framework which recommends a “Do Not Track” mechanism, the bipartisan bill doesn’t provide for a “universal opt-out” in which consumers can end all tracking by using a national registry.  Consumer advocates also claim that the bill would prohibit states from implementing stricter measures. </p>
<p>We will continue to track the ongoing developments in privacy legislation and its potential impact on our clients.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/04/bipartisan-privacy-bill-of-rights-act-introduced-in-senate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>States Jump Into the Security Breach Breach</title>
		<link>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/</link>
		<comments>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 16:24:06 +0000</pubDate>
		<dc:creator>Wayne Josel and Cindy Lo</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2072</guid>
		<description><![CDATA[As discussed in our recent webinar “Whose Data Is It Anyway: Privacy in the De-Centralized Digital World”, currently there is no comprehensive federal statutory scheme to govern the protection of privacy.  While lawmakers and agencies at the federal level continue to grapple with developing useful legislation to address privacy and security breach concerns, lawmakers in [...]]]></description>
			<content:encoded><![CDATA[<p>As discussed in our recent webinar <a title="Digital HHR Webinars" href="http://digitalhhr.com/webinars/" target="_blank">“Whose Data Is It Anyway: Privacy in the De-Centralized Digital World”</a>, currently there is no comprehensive federal statutory scheme to govern the protection of privacy.  While lawmakers and agencies at the federal level continue to grapple with developing useful legislation to address privacy and security breach concerns, lawmakers in three states recently introduced legislation in attempts to strengthen their respective state’s security breach notification systems.<span id="more-2072"></span></p>
<p>These separate initiatives come on the heels of the issuance of a “Green Paper” on privacy by the U.S. Department of Commerce Internet Policy Task Force, entitled <a title="“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” - US Commerce Dept. Internet Policy Task Force" href="http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf?referer=');">“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”</a>.  One of the Green Paper’s key proposals is ensuring “nationally consistent security breach notification rules” through a federal commercial data security breach notification law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by state authorities. </p>
<p>In early December, 2010, California State Senator Joe Simitian (D-Palo Alto) introduced <a title="California State Senate - SB 24" href="http://leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_24_bill_20101206_introduced.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_24_bill_20101206_introduced.html?referer=');">a bill</a> that, if enacted, would establish requirements for any notice sent to consumers in the event of a security breach.  The legislation is intended to update Simitian’s <a title="California Civil Code Section 1798.82 " href="http://www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_chaptered.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_chaptered.html?referer=');">landmark 2003 privacy protection </a>which required any business or state agency that loses unencrypted personal information to send a security breach notification letter to consumers whose privacy was compromised and inspired more than 40 states to adopt similar legislation.  The proposed bill requires any breach notice to disclose to consumers details of the security breach, including the types of information that were subject of the breach and the date the breach occurred.  
While the bill is intended to compel businesses or agencies to be more forthcoming with consumers regarding details of any security breach, former Governor Arnold Schwarzenegger <a title="Schwarzenegger Vetoes Update to California Privacy Law - PCWorld.com" href="http://www.pcworld.com/article/173619/schwarzenegger_vetoes_update_to_california_privacy_law.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.pcworld.com/article/173619/schwarzenegger_vetoes_update_to_california_privacy_law.html?referer=');">vetoed</a> similar proposals in 2009 and 2010, citing a lack of proof that the bills would benefit consumers and arguing that they would be overly burdensome on businesses.</p>
<p>Lawmakers in <a title="Virginia State Senate Bill No. 1041 " href="http://leg1.state.va.us/cgi-bin/legp504.exe?111+ful+SB1041" target="_blank" onclick="pageTracker._trackPageview('/outgoing/leg1.state.va.us/cgi-bin/legp504.exe?111+ful+SB1041&amp;referer=');">Virginia introduced legislation in January of this year to expand notification requirements following a breach of security with respect to medical information</a>.  While under current Virginia law, the requirement to provide notice only applies to organizations, corporations or agencies “supported wholly or principally by public funds”, the amended bill would extend the state’s requirement to notify individuals of a breach of their medical information to all individuals and public and private entities.  The bill also allows the state’s Attorney General to impose a civil penalty of up to $150,000 per breach of the security of the system or a series of similar breaches of a similar nature that are discovered in an investigation.</p>
<p>The same day that the Virginia bill was introduced, lawmakers in Oregon proposed <a title="Oregon House Bill 2851 to amend the Oregon Consumer Identity Theft Protection Act" href="http://www.leg.state.or.us/11reg/measpdf/hb2800.dir/hb2851.intro.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.leg.state.or.us/11reg/measpdf/hb2800.dir/hb2851.intro.pdf?referer=');">House Bill 2851</a>, an amendment to the Oregon Consumer Identity Theft Protection Act.  Oregon is currently one of a majority of states whose breach notification laws do not apply to hard-copy records.  The newly-introduced legislation would close that gap by requiring notice of an unauthorized disclosure of data contained in such hard copies.</p>
<p>While not necessarily inconsistent, the recent proposals in California, Virginia and Oregon make it clear that state regulatory and enforcement schemes in the privacy area have not all achieved a uniform point of evolution.  For many years, California had a security breach notification requirement on its books.  Virginia’s regulation on medical information breaches didn’t cover private entities.  And Oregon did not provide protection for privacy breaches resulting from disclosure of information on hard copy documents.</p>
<p>While the federal government speaks of uniform standards, it is still too early to tell whether those standards will take the form of a detailed, robust notification system, be based on the lowest common denominator among the current state schemes or fall somewhere in between those extremes.  We will continue to follow the ongoing developments, at both the state and federal levels, as this debate will no doubt evolve in the coming months and years.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Device Fingerprinting and Targeted Marketing: The Next Digital Privacy Battleground?</title>
		<link>http://digitalhhr.com/2010/12/device-fingerprinting-and-targeted-margeting-the-next-digital-privacy-battleground/</link>
		<comments>http://digitalhhr.com/2010/12/device-fingerprinting-and-targeted-margeting-the-next-digital-privacy-battleground/#comments</comments>
		<pubDate>Fri, 17 Dec 2010 22:57:36 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[behavioral targeting]]></category>
		<category><![CDATA[device fingerprinting]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1978</guid>
		<description><![CDATA[In one of the latest advances in what has been called “a technological arms race between tracking companies and people who seek not to be monitored,” device fingerprinting, a technology originally developed to prevent software piracy and credit card fraud, appears set to become a powerful new tool for online marketers.  But recent calls to [...]]]></description>
			<content:encoded><![CDATA[<p>In one of the latest advances in what has been <a title="Policing Privacy on the Web Debated - wsj.com" href="http://online.wsj.com/article/SB10001424052748704377004575651201793245866.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704377004575651201793245866.html?referer=');">called</a> “a technological arms race between tracking companies and people who seek not to be monitored,” <a title="Race Is On to &quot;Fingerprint&quot; Phones, PCs - wsj.com" href="http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704679204575646704100959546.html?referer=');">device fingerprinting</a>, a technology originally developed to prevent software piracy and credit card fraud, appears set to become a powerful new tool for online marketers.  But recent calls to increase consumer control of personal information will likely impact how device fingerprinting technologies are integrated into marketing efforts and may slow its widespread adoption.<span id="more-1978"></span></p>
<p>What exactly is “device fingerprinting”?  Every time a computer or other mobile device connects to the Internet, it broadcasts information about its properties and settings (such as which browser is running, screen resolution, speed of connection, etc.) in order to interact smoothly with websites and other computers.  Device fingerprinting technology collects this information to build a profile that can identify the individual computer or device, and in some instances, the person using it. </p>
<p>Before its adoption for online marketing, fingerprinting technology was primarily used to prevent software theft, providing a means to confirm that the subject application was only used on authorized computers.  Anti-fraud companies use the technology to identify devices that had engaged in fraudulent transactions to help them prevent similar occurrences in the future.  <a title="BEST PRACTICES Act" href="http://www.privacylives.com/wp-content/uploads/2010/07/rush-privacy-bill-draft-july-2010.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.privacylives.com/wp-content/uploads/2010/07/rush-privacy-bill-draft-july-2010.pdf?referer=');">Privacy legislation</a> proposed this July even advocated its use to identify consumers who had opted-out of online tracking.</p>
<p>But device fingerprinting could also allow for much more effective tracking of online behavior than other current technologies.  Where cookies can be blocked or deleted, it’s much more difficult to prevent fingerprinting or to delete a fingerprint after it has been collected.  <a title="Race Is On to &quot;Fingerprint&quot; Phones, PCs - wsj.com" href="http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704679204575646704100959546.html?referer=');">One study</a>, surveying 70 million website visits, found that a fingerprint of an applicable device could be generated 89% of the time whereas cookies could only be used 78% of the time.  One developer of device fingerprinting technology <a title="Device Identification - bluecava.com" href="http://www.bluecava.com.php5-17.dfw1-2.websitetestlink.com/what-we-do/device-identification/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.bluecava.com.php5-17.dfw1-2.websitetestlink.com/what-we-do/device-identification/?referer=');">claims</a> that it is even able to link the fingerprints of different devices that appear to be used by the same person.  Eventually, the company <a title="Race Is On to &quot;Fingerprint&quot; Phones, PCs - wsj.com" href="http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704679204575646704100959546.html?referer=');">plans</a> on adding offline activity to the individual’s profile, using email addresses and names the user entered while browsing the web to pull information from other databases.  By collecting, generating and selling this information to marketers, device fingerprinting could become the basis to deliver targeted ads based on a consumer’s activity from their computer, mobile phone and other devices. </p>
<p>Fingerprinting and other forms of digital tracking are currently legal but both federal regulators and several members of Congress have warned that the government will intervene if the online-advertising industry does not start doing more to protect consumer privacy.  Recently, the FTC recommended that a <a title="FTC Backs a &quot;Do Not Track&quot; System for Internet - wsj.com" href="http://online.wsj.com/article/SB10001424052748704594804575648670826747094.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704594804575648670826747094.html?referer=');">Do Not Track System</a> be implemented if the industry doesn’t start coming up with its own solutions soon.  The FTC proposal would require web browsers to implement a do-not-track setting directly in the browser to enable end users to block web service providers, marketers and advertisers from monitoring their online behavior.  The FTC would then police companies that implement tracking technologies and tools to ensure that they comply with user requests.  The ad industry’s current opt-out system only allows consumers to opt-out of targeted advertising, not tracking altogether. </p>
<p>The industry has taken notice.  Some marketing firms say that they will create an opt-out function if they adopt fingerprint technology, though the details of how that would work are still unclear.  Other initiatives include the “<a title="Some Data-Miners Ready to Reveal What They Know - wsj.com" href="http://online.wsj.com/article/SB10001424052748704377004575650802136721966.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704377004575650802136721966.html?referer=');">Open Data Partnership</a>”, a service that would allow consumers to see what information has been collected about them, and opt out of being tracked by participating firms.  The service is intended to be a response to the government request for more transparency and consumer control.  Eight data and tracking firms have already committed for the service’s launch in January.  Microsoft has also <a title="Microsoft to Add &quot;Tracking Protection&quot; to Web Browser - wsj.com" href="http://online.wsj.com/article/SB10001424052748703296604576005542201534546.html?mod=WSJ_article_MoreIn_Tech" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748703296604576005542201534546.html?mod=WSJ_article_MoreIn_Tech&amp;referer=');">revealed plans</a> for a tool to block tracking in its next version of Internet Explorer.  The tool, once enabled, will allow users to block tracking attempts from specified web addresses used by tracking companies.  But in order to use the tool, users have to direct the browser as to which tracking attempts should be blocked by selecting from lists compiled by privacy groups and other outsiders.  There won’t be any default setting to block all tracking attempts.  Additionally, the tool will only block tracking by certain technologies, such as cookies and beacons.  
It doesn’t address new technologies like digital fingerprinting and “deep packet inspection,” a form of monitoring which analyzes data as it travels from the internet to the computer. </p>
<p>While support for consumer protections is gaining ground, the $23 billion online advertising industry <a title="'Evercookies’ and ‘Fingerprinting’: Are Anti-Fraud Tools Good for Ads? - Digits Blog, wsj.com" href="http://blogs.wsj.com/digits/2010/12/01/evercookies-and-fingerprinting-finding-fraudsters-tracking-consumers/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/blogs.wsj.com/digits/2010/12/01/evercookies-and-fingerprinting-finding-fraudsters-tracking-consumers/?referer=');">warns</a> that an end to tracking could also mean an end to the free web content that is currently subsidized and supported by targeted advertising.  And <a title="Policing Privacy on Web Debated - wsj.com" href="http://online.wsj.com/article/SB10001424052748704377004575651201793245866.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704377004575651201793245866.html?referer=');">some members of Congress</a> have expressed hesitation about any legislation that might hurt economic recovery.  Data tracking has also enabled the customized web experience that many consumers have come to rely on.  In order for any solution to be viable in the long-term, it will have to find some way to balance these competing concerns.  </p>
<p>In the coming months, we will continue to monitor this and other developments in the ongoing debate over privacy on the internet.</p>
<p>** Kathleen O’Donnell, who joined the firm in September, assisted in drafting this article.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/12/device-fingerprinting-and-targeted-margeting-the-next-digital-privacy-battleground/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Discovery of Privacy Breaches on Facebook Puts New Emphasis on Debate Over Personal Data Protection</title>
		<link>http://digitalhhr.com/2010/11/discovery-of-privacy-breaches-on-facebook-puts-new-emphasis-on-debate-over-personal-data-protection/</link>
		<comments>http://digitalhhr.com/2010/11/discovery-of-privacy-breaches-on-facebook-puts-new-emphasis-on-debate-over-personal-data-protection/#comments</comments>
		<pubDate>Thu, 18 Nov 2010 21:15:24 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1765</guid>
		<description><![CDATA[The recent Wall Street Journal report revealing that some of Facebook’s most popular applications have been leaking user information has brought attention to a little-known corner of the Web advertising business.  And that attention may ultimately lead to substantial changes in the way companies do business both with Facebook and throughout the wider Web. 
The Facebook [...]]]></description>
			<content:encoded><![CDATA[<p>The recent Wall Street Journal <a href="http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052702304772804575558484075236968.html?referer=');">report</a> revealing that some of Facebook’s most popular applications have been leaking user information has brought attention to a little-known corner of the Web advertising business.  And that attention may ultimately lead to substantial changes in the way companies do business both with Facebook and throughout the wider Web. </p>
<p>The Facebook disclosures were the result of a common Web standard called a referer.  As web users navigate from site to site, the referer tells the new site which page the user is coming from.  Most of the time, this is an innocuous tool used to help websites track the source of their traffic flow and customize user experience.  However, when user IDs are included in web addresses, as is the case with Facebook and other social networking sites, this practice could potentially expose the browser’s identity.  The user IDs can be used to look up public information on the user’s Facebook profile, which, depending on the selected privacy settings, could include anything from the user’s name to his age, hometown, or even photos.<span id="more-1765"></span></p>
<p>Sharing any user information with advertising and data companies is a violation of Facebook’s privacy policy.  However, Facebook has stated that it does not consider the sharing of IDs with application developers to be a privacy breach and that the disclosures by the applications to advertising companies were, for the most part, inadvertent and a “byproduct of how internet browsers work”.  Facebook has announced a <a href="http://developers.facebook.com/blog/post/419" onclick="pageTracker._trackPageview('/outgoing/developers.facebook.com/blog/post/419?referer=');">proposed solution</a> that would encrypt user IDs in referer headers to prevent inadvertent disclosure to third parties.  The encryption will be mandatory starting January 1, 2011.  However, the encryption only prevents accidental transmission.  Describing it as a “Web-wide problem”, Facebook states that it is looking forward to working with the Web standards community and browser developers in the future to develop a more complete fix.  </p>
<p>Facebook has had trouble with the disclosure of user IDs before.  In May, Facebook revealed that <a href="http://online.wsj.com/article/SB10001424052748704513104575256701215465596.html" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704513104575256701215465596.html?referer=');">IDs were being sent to advertisers</a> when users clicked on certain ads on Facebook pages.  In some cases, advertisers received the ID of the user who clicked on the advertisement, as well as the ID of the person whose page the user was viewing at the time. </p>
<p>The disclosure of user IDs, which has always been a sensitive issue for companies doing business on the web, is becoming more of a hot-button issue as public awareness of the issue increases.  It has already attracted the <a href="http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=227900271" onclick="pageTracker._trackPageview('/outgoing/www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=227900271&amp;referer=');">attention of lawmakers</a> who have asked Facebook to outline the steps it is taking to protect consumer information.  While there is no foolproof method to prevent widespread disclosures of personal information, a two-pronged approach, using both technological solutions and a careful framing of contractual protections, may help mitigate the problem and avoid the possibility of increased legislative oversight or intervention.</p>
<p>One technological solution would be the increased use of encryption in connection with coding, storing and transmitting user IDs and other personal information.  However, while encryption could prevent unauthorized disclosures, such technological solutions must be coupled with clear contractual obligations on the part of the various stakeholders to ensure their proper use and implementation.  For example, publishers, ad service providers, search providers, developers and others who rely on the use, analysis and disclosure of user data could include in their various agreements provisions requiring that encryption and/or other data security technologies be implemented in connection with the transfer of data between the parties. </p>
<p>The agreements could also include provisions that spell out how the parties may use personal data (for example, only for internal use in connection with fulfilling obligations under the underlying agreement), and more critically, include specific restrictions and prohibitions on use (for example, prohibiting the sharing of such information with third parties).  Additionally, the inclusion of provisions requiring the maintenance of records of data practices, which would be available for audit, might also lead to increased vigilance.  Although these measures place increased burdens on the various stakeholders, absent further technological developments, they may be the best way to convince regulators (and the public) that the industry is serious about protecting consumers’ privacy.</p>
<p>Websites can also take steps on their own to beef up their security policies.  In recent months, Facebook has been working to increase its protection of user data.  Following an investigation by the Canadian Privacy Commissioner, Facebook limited the access that applications have to private information.  Unless the user grants additional permission, the application can only view information in the user’s public profile.  (For our previous article on the Canadian Privacy Commissioner’s investigation, <a href="http://digitalhhr.com/2009/08/online-privacy-concerns-users-are-gaining-control/">see here</a>.)  In early October, Facebook implemented a new tool to help users control what information applications can access, in response to <a href="http://www.nytimes.com/2010/05/27/technology/27facebook.html?pagewanted=1&amp;_r=1&amp;ref=mark_e_zuckerberg" onclick="pageTracker._trackPageview('/outgoing/www.nytimes.com/2010/05/27/technology/27facebook.html?pagewanted=1_amp_r=1_amp_ref=mark_e_zuckerberg&amp;referer=');">criticisms</a> that its privacy settings were too complicated.  And, after these latest disclosures, Facebook announced a “clarified” <a href="http://developers.facebook.com/policy/#policies" onclick="pageTracker._trackPageview('/outgoing/developers.facebook.com/policy/_policies?referer=');">privacy policy</a> stating that user IDs cannot leave an application.  In the event that a developer needs to share information with an advertiser or content provider, they must use an anonymous identifier. </p>
<p>Whether or not these revised policies actually provide more protection to users’ privacy is yet to be seen.  However, it is probably not a stretch to say that the coming months will bring similar revelations and changes across the Web.  We will continue to monitor this and other developments in the ongoing debate over privacy on the internet. </p>
<p>**Kate O’Donnell, who recently joined the Firm, assisted in the preparation of this article.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/11/discovery-of-privacy-breaches-on-facebook-puts-new-emphasis-on-debate-over-personal-data-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

