<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HHR New Media, Entertainment and Technology Group &#187; privacy</title>
	<atom:link href="http://digitalhhr.com/tag/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://digitalhhr.com</link>
	<description>An online community</description>
	<lastBuildDate>Mon, 21 May 2012 18:54:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>The FTC’s Final Privacy Report Highlights Consumer Choice and Control</title>
		<link>http://digitalhhr.com/2012/04/the-ftc%e2%80%99s-final-privacy-report-highlights-consumer-choice-and-control/</link>
		<comments>http://digitalhhr.com/2012/04/the-ftc%e2%80%99s-final-privacy-report-highlights-consumer-choice-and-control/#comments</comments>
		<pubDate>Thu, 05 Apr 2012 03:42:53 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Regulations]]></category>
		<category><![CDATA["Do Not Track"]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2333</guid>
		<description><![CDATA[Last week, the FTC issued its final report on protecting consumer privacy.  The report, entitled &#8220;Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers&#8221;, builds on a December 2010 staff report that was the subject of an earlier post.  While the final report maintains the FTC’s “bottom up” approach to [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Last week, the FTC issued its final report on protecting consumer privacy.  The report, entitled </span></span><a href="http://ftc.gov/os/2012/03/120326privacyreport.pdf" onclick="pageTracker._trackPageview('/outgoing/ftc.gov/os/2012/03/120326privacyreport.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">&#8220;Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers&#8221;</span></a><span style="font-family: Times New Roman; font-size: small;">, builds on a December 2010 staff report that was the subject of </span><a href="http://digitalhhr.com/2010/10/recent-activities-in-washington-point-to-complex-issues-for-regulating-privacy/#more-1746"><span style="font-family: Times New Roman; font-size: small;">an earlier post</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;">.  While the final report maintains the FTC’s “bottom up” approach to privacy issues&#8211;including a final privacy “framework” to serve as a guiding policy for self-regulatory measures&#8211;rather than a “top down” approach of establishing federal privacy regulations, the FTC specifically recommended for the first time that Congress enact privacy legislation to augment self-regulatory efforts instituted by industry stakeholders.  <span id="more-2333"></span></span></span><span style="font-size: small;"><span style="font-family: Times New Roman;">The call for legislation was based on the Commission’s acknowledgement that self-regulation has not gone far enough.  
The Commission cited failures of mobile apps marketed to children to disclose collection and sharing practices and the inability of the data broker industry to establish self-regulatory rules as examples demonstrating the absence of basic privacy concepts such as transparency and meaningful consumer control in well-established markets.  Evidence of data breaches and unauthorized use and disclosure were also noted by the Commission.  </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">In his prepared </span></span><a href="http://www.ftc.gov/os/2012/03/120326jdlprivacyrptremarks.pdf" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/os/2012/03/120326jdlprivacyrptremarks.pdf?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">remarks released with the report, FTC chair Jon Leibowitz</span></a><span style="font-family: Times New Roman; font-size: small;"> reiterated that consumers should have choice and control when it comes to revealing their personal information.  He noted that the report is grounded in three principles that companies should follow to ensure that consumers have that control.  First, through “privacy by design”, that is the incorporation of privacy protections into products as they are developed.  Second, providing consumers choice about how their data is collected and used.  And third, providing more transparency to consumers through clear explanations of data handling practices.</span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">The legislative recommendation made by the Commission was somewhat general, calling on Congress to consider enacting “baseline privacy legislation that is technologically neutral and sufficiently flexible to allow companies to continue to innovate.”  One area of the legislation that the Commission focused on was the data brokerage industry, with the Commission calling for targeted legislation that would provide consumers with access to information about them held by a data broker.</span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">The Commission specifically noted that the legislation should not impose an undue burden on businesses that already incorporate into their practices the Fair Information Practice Principles (“FIPPS”), which were set forth in the </span></span><a href="http://www.whitehouse.gov/sites/default/files/privacy-final.pdf" onclick="pageTracker._trackPageview('/outgoing/www.whitehouse.gov/sites/default/files/privacy-final.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">Obama Administration’s data privacy “white paper”</span></a><span style="font-family: Times New Roman; font-size: small;"> issued in February.  (The FIPPS articulated in the white paper are: (i) transparency, (ii) individual control, (iii) respect for context, (iv) security, (v) access, (vi) accuracy, (vii) focused collection and (viii) accountability.)  The Commission envisions legislation that provides businesses with certainty of their obligations, as well as a scheme of civil penalties and remedies to act as a disincentive to disregard those obligations.</span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">While the scope and detail of any privacy legislation will be left to Congress, the FTC will continue to press the industry on self-regulatory measures to implement its privacy framework.  That framework focuses on five main action items:</span></span><span style="font-family: Times New Roman; font-size: small;"> </span></p>
<ul>
<li><span style="font-family: Times New Roman; font-size: small;">Implementation of an “easy-to-use, persistent and effective” <strong>Do Not Track</strong> system</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">Improved privacy protection in the <strong>Mobile</strong> space, including development of short, meaningful disclosures </span></li>
<li><span style="font-family: Times New Roman; font-size: small;">Address the invisibility of collection practices of <strong>Data Brokers</strong> by calling for the creation of a centralized website where data brokers could (i) identify themselves and describe how they collect and use data and (ii) detail access rights and other choices provided to consumers</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">Continued review of the tracking activities of <strong>Large Platform Providers</strong> such as ISPs, social media services, operating systems and browsers</span></li>
<li><span style="font-size: small;"><span style="font-family: Times New Roman;"><strong>Promoting enforceable self-regulatory codes</strong>, including using the failure of companies to abide by self-regulatory programs they join as the basis for a suit for unfair or deceptive practices.<strong> </strong></span></span></li>
</ul>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">None of these broader principles are groundbreaking.  The news, to the extent there was any, came from the detailed discussions of some of the points.  Some examples: </span></span></p>
<ul>
<li><span style="font-family: Times New Roman; font-size: small;">In a nod to those concerned with the burden that compliance with the framework might place on smaller businesses, the Commission stated that privacy disclosures are not needed for entities that collect limited amounts of non-sensitive data from under 5,000 consumers for their own use (<em>i.e.</em>, the data is not shared with third parties).</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">The Commission stated unequivocally that the framework applies in all commercial contexts, both online and offline.</span></li>
<li><span style="font-family: Times New Roman; font-size: small;">In addressing data that is collected through a consumer device which may not necessarily be considered “personally identifiable information” (PII), the Commission determined that the framework would apply to data that can be “reasonably linked to a specific consumer, computer or other device.”  In clarifying the standard, the Commission provided guidance to companies to minimize linkability, including taking reasonable measures to “de-identify” the data, publicly committing to maintain and use the data only in such “de-identified” fashion and not attempt to “re-identify” the data and contractually prohibiting third parties they share the data with from re-identifying it.</span></li>
</ul>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Overall, the report appears to be a reflection of the current, baseline state of affairs in the privacy and data collection ecosystem.  And by promoting best practices and self-regulation, the Commission’s approach to privacy is to lead from behind, taking aggressive action primarily against “bad actors” and industry outliers.</span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Those businesses that adhere to best practices likely need not be overly concerned by the report.  However, it is important for them to consider how the FTC might use the framework set forth in the report (which reflects current practices) to interpret future business initiatives not yet conceived or contemplated.  In that regard, Chairman Leibowitz’ “resounding” statement that “consumers should have choice and control” should never be ignored.</span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2012/04/the-ftc%e2%80%99s-final-privacy-report-highlights-consumer-choice-and-control/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Data Breaches May Spur Congressional Action on Data Regulations</title>
		<link>http://digitalhhr.com/2011/05/recent-data-breaches-may-spur-congressional-action-on-data-regulations/</link>
		<comments>http://digitalhhr.com/2011/05/recent-data-breaches-may-spur-congressional-action-on-data-regulations/#comments</comments>
		<pubDate>Wed, 11 May 2011 16:02:34 +0000</pubDate>
		<dc:creator>Cindy and Kari</dc:creator>
				<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Sony]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2127</guid>
		<description><![CDATA[In the wake of the recently publicized data breach involving Sony’s PlayStation and Online Entertainment networks, Congress appears ready to accelerate its efforts to enact legislation to implement regulations intended to prevent future breaches and provide a framework for enforcement in the event of a breach.  The data breaches at Sony, which occurred on two [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: small;"><span style="font-family: Times New Roman;">In the wake of the recently publicized data breach involving Sony’s PlayStation and Online Entertainment networks, Congress appears ready to accelerate its efforts to enact legislation to implement regulations intended to prevent future breaches and provide a framework for enforcement in the event of a breach.  The data breaches at Sony, which occurred on two separate occasions (at the end of April and then again at the beginning of May), involved more than 100 million accounts. The data that was leaked included information about PlayStation subscribers such as names, addresses, emails, passwords, usernames, birthdays, phone numbers and purchase histories.  <span id="more-2127"></span></span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Sony is not the first, and unfortunately will likely not be the last, to be subject to such attacks.  To date, the largest data breaches include up to </span><span style="font-family: Times New Roman; font-size: small;"><a title="Security Fix - Payment Processor Breach May Be Largest Ever - Washington Post" href="http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?referer=');">130 million credit card numbers</a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Security Fix - Payment Processor Breach May Be Largest Ever - Washington Post" href="http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?referer=');"> stolen from Heartland Payment System </a>in 2009, up to </span><a title="TJX, banks reach settlement in data breach - The Boston Globe" href="http://www.boston.com/business/articles/2007/12/18/tjx_banks_reach_settlement_in_data_breach/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.boston.com/business/articles/2007/12/18/tjx_banks_reach_settlement_in_data_breach/?referer=');"><span style="font-family: Times New Roman; font-size: small;">100 million accounts from retailer TJX</span></a><span style="font-family: Times New Roman; font-size: small;"> in 2005 and 2006, and more than </span><span style="font-family: Times New Roman; font-size: small;"><a title="Grocery Chain Hit with Data Breach - msnbc.com" href="http://www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/" target="_blank" 
onclick="pageTracker._trackPageview('/outgoing/www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/?referer=');">4.2 million credit and debit card numbers</a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Grocery Chain Hit with Data Breach - msnbc.com" href="http://www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.msnbc.msn.com/id/23678909/ns/technology_and_science-security/t/breach-exposes-million-credit-debit-cards/?referer=');"> from the grocery chain Hannaford Bros</a>. in 2008. Recently, at e-mail marketing firm <a title="Hacking of data firm Epsilon exposes customers of 50 firms - LA Times" href="http://articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405" target="_blank" onclick="pageTracker._trackPageview('/outgoing/articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405?referer=');">Epsilon, there was a </a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Hacking of data firm Epsilon exposes customers of 50 firms - LA Times" href="http://articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405" target="_blank" onclick="pageTracker._trackPageview('/outgoing/articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405?referer=');">significant data breach</a></span><span style="font-family: Times New Roman; font-size: small;"><a title="Hacking of data firm Epsilon exposes customers of 50 firms - LA Times" href="http://articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405" target="_blank" onclick="pageTracker._trackPageview('/outgoing/articles.latimes.com/2011/apr/05/business/la-fi-emails-20110405?referer=');"> </a>which affected about 50 of its business customers.  
And just this week it was revealed that a software flaw may have enabled third party applications operating within </span><a title="Facebook flaw leaked millions of user account tokens - msnbc.com" href="http://redtape.msnbc.msn.com/_news/2011/05/10/6621745-facebook-flaw-leaked-millions-of-user-account-access-tokens" target="_blank" onclick="pageTracker._trackPageview('/outgoing/redtape.msnbc.msn.com/_news/2011/05/10/6621745-facebook-flaw-leaked-millions-of-user-account-access-tokens?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">Facebook to leak user account information</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;">.</span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">These incidents have renewed </span><a title="Dem: Sony's response &quot;unconscionable - The Hill" href="http://thehill.com/blogs/hillicon-valley/technology/159129-blumenthal-slams-sony-for-silence-second-breach" target="_blank" onclick="pageTracker._trackPageview('/outgoing/thehill.com/blogs/hillicon-valley/technology/159129-blumenthal-slams-sony-for-silence-second-breach?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">concerns on Capitol Hill about how companies are responding to data breaches</span></a><span style="font-family: Times New Roman; font-size: small;">, especially in connection with notifying customers that their information may have leaked.  Both </span><a title="Letter to Bono, Mack and Butterfield" href="http://www.scribd.com/doc/54620608/Letter-to-Bono-Mack-and-Butter-Field" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.scribd.com/doc/54620608/Letter-to-Bono-Mack-and-Butter-Field?referer=');"><span style="font-family: Times New Roman; color: #800080; font-size: small;">Sony</span></a><span style="font-family: Times New Roman; font-size: small;"> and </span><a title="Epsilon letter to Bono, Mack and Butterfield" href="http://republicans.energycommerce.house.gov/Media/file/Letters/041811%20Epsilon%20Response.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/republicans.energycommerce.house.gov/Media/file/Letters/041811_20Epsilon_20Response.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">Epsilon</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;"> sent written responses to questions posed by a House subcommittee on their handling of the breaches.  </span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">Lawmakers appear to recognize that, although security measures may be in place, they are not always fully implemented. </span><a title="Lawmakers: new data protection regulations needed - PC World" href="http://www.pcworld.idg.com.au/article/385393/lawmakers_new_data_protection_regulations_needed/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.pcworld.idg.com.au/article/385393/lawmakers_new_data_protection_regulations_needed/?referer=');"><span style="font-family: Times New Roman; font-size: small;">House Energy and Commerce Committee members have questioned</span></a><span style="font-family: Times New Roman; font-size: small;"> whether U.S. businesses are taking the necessary steps to protect their data. According to Pablo Martinez, a deputy special agent in charge of the Criminal Investigative Division at the U.S. Secret Service, </span><a href="http://www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/" onclick="pageTracker._trackPageview('/outgoing/www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/?referer=');"><span style="font-family: Times New Roman; font-size: small;">in nearly all data breaches,</span></a><span style="font-family: Times New Roman; font-size: small;"> the subject company had not taken reasonable precautions. 
A </span><span style="font-family: Times New Roman; font-size: small;"><a title="US Congress called on to pass new data security law - computerworlduk.com" href="http://www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/?referer=');">2010 report</a></span><span style="font-size: small;"><span style="font-family: Times New Roman;"><a title="US Congress called on to pass new data security law - computerworlduk.com" href="http://www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.computerworlduk.com/news/security/3277859/us-congress-called-on-to-pass-new-data-security-laws/?referer=');"> </a>found that 96% of breaches were, in fact, avoidable through simple or intermediate controls.  </span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">In determining how to begin drafting a comprehensive and effective bill to regulate data breaches, several lawmakers said they planned to use the </span><a title="Data Accountability and Trust Act" href="http://www.gpo.gov/fdsys/pkg/BILLS-111hr2221rfs/pdf/BILLS-111hr2221rfs.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.gpo.gov/fdsys/pkg/BILLS-111hr2221rfs/pdf/BILLS-111hr2221rfs.pdf?referer=');"><span style="font-family: Times New Roman; font-size: small;">Data Accountability and Trust Act (2009)</span></a><span style="font-family: Times New Roman; font-size: small;">(DATA Act), as their starting point. Although introduced and passed by the House, the DATA Act was put to a vote in the Senate</span><span style="font-size: small;"><span style="font-family: Times New Roman;">. If passed, the Act would have required organizations holding personal data to maintain security policies and to notify affected consumers after a data breach. It addressed the following three major concerns: information security requirements for personal information in general; information security requirements for personal information for ‘information brokers’; and breach notice obligations. </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">Although the majority of states have enacted data breach laws, the DATA Act proposed an allowance for civil penalties of up to $11,000 per violation (up to $5 million) and each failure to send the required notification to an affected individual would be treated, under the Act, as a separate violation. The risk of such considerable penalties set forth in the Act would surely encourage compliance. On the other hand, there appeared to be certain clauses within the DATA Act that could have led to even less breach reporting. With regard to breach notice obligations, the bill required that potential victims of identity theft be notified whenever their electronically stored personal information was exposed. Had it been passed, the law would preempt <em>all</em> state laws (not just state laws that are less stringent or contrary to the Act) and would be the first of its kind. All competing state law standards would therefore be eliminated, ultimately leading to less forum shopping. Furthermore, the standard (“risk of harm”) set forth in the DATA Act falls on the higher end of the spectrum as compared to the standards set forth in some state laws, which would most likely lead to fewer frivolous lawsuits. </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">A major concern with the DATA Act was that it could only be implemented by the FTC. This was problematic as there are numerous companies and organizations that the FTC does not have jurisdiction over, including banks, common carriers and nonprofits. In order to be effective and worthwhile, the new bill will have to be drafted so that it is not only enforceable by the FTC but by other governmental entities as well. Other apprehension stemmed from the fact that the bill provided that breaches would not have to be reported if the organization in question determined that “there is no reasonable risk of identity theft, fraud, or other unlawful conduct”. The bill also granted an exemption if the breached information was encrypted or protected by any other technologies that, according to the FTC, render data unreadable. </span></span></p>
<p><span style="font-family: Times New Roman; font-size: small;">As expected, lawsuits over the Japanese electronics giant’s breach have started to come out of the woodwork. The </span><a title="Johns v. Sony Computer Entertainment America LLC - Class Action Complaint" href="http://www.scribd.com/doc/54070618/JohnsvSony-Complaint-FINAL" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.scribd.com/doc/54070618/JohnsvSony-Complaint-FINAL?referer=');"><span style="font-family: Times New Roman; font-size: small;">first suit</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;"> came a day after Sony acknowledged the breach. The complaint, filed in the Northern District Court of California, alleges that Sony failed to take “reasonable care to protect, encrypt and secure the private and sensitive data of its users” which prevented PlayStation Network users from being able “to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions”.  The suit seeks monetary compensation and free credit card monitoring. </span></span></p>
<p><a href="http://www.mobilemag.com/2011/05/07/the-1-billion-class-action-lawsuit-against-sony/" onclick="pageTracker._trackPageview('/outgoing/www.mobilemag.com/2011/05/07/the-1-billion-class-action-lawsuit-against-sony/?referer=');"><span style="font-family: Times New Roman; font-size: small;">A second suit</span></a><span style="font-size: small;"><span style="font-family: Times New Roman;">, which claims damages in excess of $1 billion (Canadian dollars), was filed by a Toronto-based law firm on behalf of a 21-year-old plaintiff and names Sony Japan, Sony USA, Sony Canada and other Sony entities as defendants. </span></span></p>
<p><span style="font-size: small;"><span style="font-family: Times New Roman;">The aftermath of these recent incidents may prove to be a useful lesson and may expedite the development of better security technology and practices in the private sector and perhaps even force Congress and the FTC to finally pass a bill that will afford sufficient protection to consumers’ personal data.  We will continue to monitor the ongoing developments in privacy and security legislation and its potential impact on our clients. </span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/05/recent-data-breaches-may-spur-congressional-action-on-data-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bipartisan Privacy Bill of Rights Act Introduced in Senate</title>
		<link>http://digitalhhr.com/2011/04/bipartisan-privacy-bill-of-rights-act-introduced-in-senate/</link>
		<comments>http://digitalhhr.com/2011/04/bipartisan-privacy-bill-of-rights-act-introduced-in-senate/#comments</comments>
		<pubDate>Wed, 20 Apr 2011 21:09:31 +0000</pubDate>
		<dc:creator>Cindy</dc:creator>
				<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Commercial Privacy Bill of Rights Act]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[Kerry]]></category>
		<category><![CDATA[McCain]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2122</guid>
		<description><![CDATA[Last Tuesday, U.S. Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act of 2011 which is intended to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  According to the bill, current laws at the state and federal [...]]]></description>
			<content:encoded><![CDATA[<p>Last Tuesday, U.S. Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) introduced the <a title="Commercial Privacy Bill of Rights Act of 2011" href="http://kerry.senate.gov/imo/media/doc/Commercial%20Privacy%20Bill%20of%20Rights%20Text.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/kerry.senate.gov/imo/media/doc/Commercial_20Privacy_20Bill_20of_20Rights_20Text.pdf?referer=');">Commercial Privacy Bill of Rights Act of 2011</a> which is intended to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  According to the bill, current laws at the state and federal level provide inadequate privacy protection for individuals and the Federal Government has “eschewed general commercial privacy laws in favor of industry self-regulation” which has largely been unenforceable and has provided insufficient privacy protections. <span id="more-2122"></span></p>
<p>If enacted, the law would direct the FTC, within specified timeframes, to make rules requiring “covered entities” ‑ those that collect, use, transfer or store “covered information”  of more than 5,000 individuals over any consecutive 12-month period ‑ to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains.  Specific requirements are imposed directly on entities covered under the act.</p>
<p>“Covered information” that is protected under the proposed bill includes personally identifiable information (“PII”), unique identifier information and basically any information that may be used to identify an individual.  Some provisions require a different standard with regard to “sensitive personally identifiable information”, which is defined as information relating to medical records or religious affiliations and PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”</p>
<p>A high level summary of a draft form of the bill was discussed in our recent webinar, <a title="DigitalHHR Webinars" href="http://digitalhhr.com/webinars/" target="_blank">&#8220;App-Endectomy: Removing the Mystery from the App Ecosystem.&#8221;</a>  Here we’ll present the key highlights of the proposed bill.</p>
<p><strong><span style="text-decoration: underline;">Right to Security and Accountability</span></strong></p>
<p>The bill requires the FTC to initiate a rulemaking proceeding to require covered entities to carry out security measures to protect the covered information they collect and maintain.  These security measures should be proportional to the size, type and nature of the covered information and should be consistent with recognized industry standards and the current guidance provided by the FTC in its <a title="&quot;Protecting Consumer Privacy in an Era of Rapid Change,&quot; Preliminary FTC Staff Report, December 2010" href="http://www.ftc.gov/os/2010/12/101201privacyreport.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/os/2010/12/101201privacyreport.pdf?referer=');">privacy framework</a>.  Each covered entity shall have “managerial accountability”, a process to respond to non-frivolous inquiries from individuals.  The bill requires that covered entities implement a “privacy by design” approach that builds privacy protections into their everyday business practices.</p>
<p><strong><span style="text-decoration: underline;">Right to Notice and Individual Participation</span></strong></p>
<p>The bill also requires the FTC to initiate a rulemaking proceeding to require covered entities to: (i) provide clear, concise and timely notice regarding their information practices and any material changes to such practices; (ii) offer individuals a clear and conspicuous opt-out mechanism for (a) unauthorized uses of their information or (b) use by third parties of their covered information for behavioral advertising or marketing.  The higher opt-in consent is required whenever an entity is dealing with sensitive PII, materially changes its stated practices or when the use or transfer of information to a third party creates a risk of economic or physical harm to an individual.  Entities should also provide individuals with access to their PII and mechanisms to correct inaccurate PII.  In the event an entity enters bankruptcy or an individual terminates its relationship with an entity, the individual must also have the option to request that its covered information be rendered not personally identifiable if possible.</p>
<p><strong><span style="text-decoration: underline;">Rights Relating to Data Minimization, Constraints on Distribution, and Data Integrity</span></strong></p>
<p>The bill’s requirements on data constraints and integrity are fairly standard.  Covered entities should only collect what’s needed.  They must have procedures to ensure the accuracy of the information and they should only retain the info as long as necessary to provide the service.  Whenever a covered entity transfers information to a third party, the covered entity and third party must enter into a contract that says the third party won’t combine information to identify individuals without such individual’s opt-in consent.</p>
<p><strong><span style="text-decoration: underline;">Enforcement and Penalties</span></strong></p>
<p>The bill grants the FTC enforcement authority over “knowing or repetitive” violations which shall be treated as unfair or deceptive acts or practices.  State attorneys general are given civil action authority to enforce the Act.  Notably, the Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. </p>
<p>Monetary penalties for violating the Act are stiff &#8211; a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance.  If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater.  Liability is capped at $3 million. The act would preempt state laws, except those laws dealing with health or financial information or data breach notification.</p>
<p><strong><span style="text-decoration: underline;">Safe Harbor</span></strong></p>
<p>There would be safe harbor programs which the FTC would create and supervise that would exempt participating entities from certain requirements of the Act.  However, these programs would have to have, in the FTC’s opinion, similar or more protective requirements than the Act itself.</p>
<p>While Senators McCain and Kerry tout the proposed legislation as a step towards greater and more consistent privacy protection, privacy advocates have argued the Commercial Privacy Bill of Rights Act of 2011 does not go far enough.  Unlike the FTC’s 2010 privacy framework which recommends a “Do Not Track” mechanism, the bipartisan bill doesn’t provide for a “universal opt-out” in which consumers can end all tracking by using a national registry.  Consumer advocates also claim that the bill would prohibit states from implementing stricter measures. </p>
<p>We will continue to track the ongoing developments in privacy legislation and its potential impact on our clients.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/04/bipartisan-privacy-bill-of-rights-act-introduced-in-senate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digital HHR Presents: &#8220;App-endectomy: Removing the Mystery from the App Ecosystem&#8221; &#8211; April 7, 2011</title>
		<link>http://digitalhhr.com/2011/03/digital-hhr-presents-app-endectomy-removing-the-mystery-from-the-app-ecosystem-april-7-2011/</link>
		<comments>http://digitalhhr.com/2011/03/digital-hhr-presents-app-endectomy-removing-the-mystery-from-the-app-ecosystem-april-7-2011/#comments</comments>
		<pubDate>Mon, 07 Mar 2011 22:01:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[Connect]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[distribution]]></category>
		<category><![CDATA[end user data]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[HHR]]></category>
		<category><![CDATA[in]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[IP]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[restrictions]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2101</guid>
		<description><![CDATA[[ April 7, 2011; 11:30 am to 1:30 pm. ] On April 7, the Digital HHR team will be presenting "App-endectomy: Removing the Mystery from the App Ecosystem", the next in its on-going series of live, CLE-accredited webinars.

The explosive popularity of tablets, smartphones and other Internet-connected consumer devices has ushered in a new technology ecosystem driven by Apps. These self-contained software programs have not only [...]]]></description>
			<content:encoded><![CDATA[<p>On April 7, the Digital HHR team will be presenting &#8220;<a title="App-endectomy webinar registration page" href="http://digitalhhr.com/cle-webinar-appe-registration/" target="_blank">App-endectomy: Removing the Mystery from the App Ecosystem</a>&#8221;, the next in its on-going series of live, CLE-accredited webinars.</p>
<p>The explosive popularity of tablets, smartphones and other Internet-connected consumer devices has ushered in a new technology ecosystem driven by Apps. These self-contained software programs have not only provided the stakeholders involved with a compelling way to exploit everything from movies and games to magazines and newspapers, but have created a thriving new marketplace poised for ongoing, accelerated growth. While the stakeholders are many, the myriad of complex business and legal issues facing them are no less staggering in number. <a href="http://digitalhhr.com/wp-content/uploads/2011/03/schnapp_app-endectomy-webinar_march2011-300x151.jpg"><img class="alignleft size-full wp-image-2103" title="schnapp_app-endectomy-webinar_march2011-300x151" src="http://digitalhhr.com/wp-content/uploads/2011/03/schnapp_app-endectomy-webinar_march2011-300x151.jpg" alt="schnapp_app-endectomy-webinar_march2011-300x151" width="300" height="151" /></a>For publishers, content creators, App developers, content distributors, aggregators, storefront operators and service providers, the successful navigation of a rapidly evolving landscape of shifting terms and conditions, privacy regulations, content restrictions and corresponding business considerations across multiple devices and platforms has proven a daunting but essential exercise for leveraging the economic opportunities available.</p>
<p>In this CLE-accredited webinar, the DigitalHHR team will explore the critical business and legal challenges associated with the development, publication, distribution, sale and use of Apps. We will discuss the contours of in-App purchases, subscription-based offerings, and “freemium” models, as well as in-App advertising and App-based ad networks. We will analyze the evolving privacy terms and conditions associated with the use of Apps, and the corresponding laws, regulations and case law impacting end user data collection, disclosure and ownership. We will also address the terms and requirements promulgated by the various platform operators, including Apple, RIM (Blackberry) and Google (Android), and how they impact stakeholders’ participation across the different App environments.</p>
<p>The webinar will be held on Thursday, April 7, 2011 from 12:30 p.m. to 1:30 p.m. EDT.</p>
<p>To register, please click <a title="App-endectomy webinar registration page" href="http://digitalhhr.com/cle-webinar-appe-registration/" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/03/digital-hhr-presents-app-endectomy-removing-the-mystery-from-the-app-ecosystem-april-7-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>States Jump Into the Security Breach Breach</title>
		<link>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/</link>
		<comments>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 16:24:06 +0000</pubDate>
		<dc:creator>Wayne Josel and Cindy Lo</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=2072</guid>
		<description><![CDATA[As discussed in our recent webinar “Whose Data Is It Anyway: Privacy in the De-Centralized Digital World”, currently there is no comprehensive federal statutory scheme to govern the protection of privacy.  While lawmakers and agencies at the federal level continue to grapple with developing useful legislation to address privacy and security breach concerns, lawmakers in [...]]]></description>
			<content:encoded><![CDATA[<p>As discussed in our recent webinar <a title="Digital HHR Webinars" href="http://digitalhhr.com/webinars/" target="_blank">“Whose Data Is It Anyway: Privacy in the De-Centralized Digital World”</a>, currently there is no comprehensive federal statutory scheme to govern the protection of privacy.  While lawmakers and agencies at the federal level continue to grapple with developing useful legislation to address privacy and security breach concerns, lawmakers in three states recently introduced legislation in attempts to strengthen their respective state’s security breach notification systems.<span id="more-2072"></span></p>
<p>These separate initiatives come on the heels of the issuance of a “Green Paper” on privacy by the U.S. Department of Commerce Internet Policy Task Force, entitled <a title="“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” - US Commerce Dept. Internet Policy Task Force" href="http://www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf?referer=');">“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”</a>.  One of the Green Paper’s key proposals is ensuring “nationally consistent security breach notification rules” through a federal commercial data security breach notification law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by state authorities. </p>
<p>In early December, 2010, California State Senator Joe Simitian (D-Palo Alto) introduced <a title="California State Senate - SB 24" href="http://leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_24_bill_20101206_introduced.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/leginfo.ca.gov/pub/11-12/bill/sen/sb_0001-0050/sb_24_bill_20101206_introduced.html?referer=');">a bill</a> that, if enacted, would establish requirements for any notice sent to consumers in the event of a security breach.  The legislation is intended to update Simitian’s <a title="California Civil Code Section 1798.82 " href="http://www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_chaptered.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_chaptered.html?referer=');">landmark 2003 privacy protection</a>, which required any business or state agency that loses unencrypted personal information to send a security breach notification letter to consumers whose privacy was compromised and inspired more than 40 states to adopt similar legislation.  The proposed bill requires any breach notice to disclose to consumers details of the security breach, including the types of information that were the subject of the breach and the date the breach occurred.  
While the bill is intended to compel businesses or agencies to be more forthcoming with consumers regarding details of any security breach, former Governor Arnold Schwarzenegger <a title="Schwarzenegger Vetoes Update to California Privacy Law - PCWorld.com" href="http://www.pcworld.com/article/173619/schwarzenegger_vetoes_update_to_california_privacy_law.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.pcworld.com/article/173619/schwarzenegger_vetoes_update_to_california_privacy_law.html?referer=');">vetoed</a> similar proposals in 2009 and 2010, citing a lack of proof that the bills would benefit consumers and the burden they would place on businesses.</p>
<p>Lawmakers in <a title="Virginia State Senate Bill No. 1041 " href="http://leg1.state.va.us/cgi-bin/legp504.exe?111+ful+SB1041" target="_blank" onclick="pageTracker._trackPageview('/outgoing/leg1.state.va.us/cgi-bin/legp504.exe?111+ful+SB1041&amp;referer=');">Virginia introduced legislation in January of this year to expand notification requirements following a breach of security with respect to medical information</a>.  While under current Virginia law, the requirement to provide notice only applies to organizations, corporations or agencies “supported wholly or principally by public funds”, the amended bill would extend the state’s requirement to notify individuals of a breach of their medical information to all individuals and public and private entities.  The bill also allows the state’s Attorney General to impose a civil penalty of up to $150,000 per breach of the security of the system or a series of similar breaches of a similar nature that are discovered in an investigation.</p>
<p>The same day that the Virginia bill was introduced, lawmakers in Oregon proposed <a title="Oregon House Bill 2851 to amend the Oregon Consumer Identity Theft Protection Act" href="http://www.leg.state.or.us/11reg/measpdf/hb2800.dir/hb2851.intro.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.leg.state.or.us/11reg/measpdf/hb2800.dir/hb2851.intro.pdf?referer=');">House Bill 2851</a>, an amendment to the Oregon Consumer Identity Theft Protection Act.  Oregon is currently one of a majority of states whose breach notification laws do not apply to hard-copy records.  The newly-introduced legislation would close that gap by requiring notice of an unauthorized disclosure of data contained in such hard copies.</p>
<p>While not necessarily inconsistent, the recent proposals in California, Virginia and Oregon make it clear that state regulatory and enforcement schemes in the privacy area have not all achieved a uniform point of evolution.  For many years, California had a security breach notification requirement on its books.  Virginia’s regulation on medical information breaches didn’t cover private entities.  And Oregon did not provide protection for privacy breaches resulting from disclosure of information on hard copy documents.</p>
<p>While the federal government speaks of uniform standards, it is still too early to tell whether those standards will take the form of a detailed, robust notification system, be based on the lowest common denominator among the current state schemes or fall somewhere in between those extremes.  We will continue to follow the ongoing developments, at both the state and federal levels, as this debate will no doubt evolve in the coming months and years.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2011/02/states-jump-into-the-security-breach-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Device Fingerprinting and Targeted Marketing: The Next Digital Privacy Battleground?</title>
		<link>http://digitalhhr.com/2010/12/device-fingerprinting-and-targeted-margeting-the-next-digital-privacy-battleground/</link>
		<comments>http://digitalhhr.com/2010/12/device-fingerprinting-and-targeted-margeting-the-next-digital-privacy-battleground/#comments</comments>
		<pubDate>Fri, 17 Dec 2010 22:57:36 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[behavioral targeting]]></category>
		<category><![CDATA[device fingerprinting]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1978</guid>
		<description><![CDATA[In one of the latest advances in what has been called “a technological arms race between tracking companies and people who seek not to be monitored,” device fingerprinting, a technology originally developed to prevent software piracy and credit card fraud, appears set to become a powerful new tool for online marketers.  But recent calls to [...]]]></description>
			<content:encoded><![CDATA[<p>In one of the latest advances in what has been <a title="Policing Privacy on the Web Debated - wsj.com" href="http://online.wsj.com/article/SB10001424052748704377004575651201793245866.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704377004575651201793245866.html?referer=');">called</a> “a technological arms race between tracking companies and people who seek not to be monitored,” <a title="Race Is On to &quot;Fingerprint&quot; Phones, PCs - wsj.com" href="http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704679204575646704100959546.html?referer=');">device fingerprinting</a>, a technology originally developed to prevent software piracy and credit card fraud, appears set to become a powerful new tool for online marketers.  But recent calls to increase consumer control of personal information will likely impact how device fingerprinting technologies are integrated into marketing efforts and may slow its widespread adoption.<span id="more-1978"></span></p>
<p>What exactly is “device fingerprinting”?  Every time a computer or other mobile device connects to the Internet, it broadcasts information about its properties and settings (such as which browser is running, screen resolution, speed of connection, etc.) in order to interact smoothly with websites and other computers.  Device fingerprinting technology collects this information to build a profile that can identify the individual computer or device, and in some instances, the person using it. </p>
<p>Before its adoption for online marketing, fingerprinting technology was primarily used to prevent software theft, providing a means to confirm that the subject application was only used on authorized computers.  Anti-fraud companies use the technology to identify devices that had engaged in fraudulent transactions to help them prevent similar occurrences in the future.  <a title="BEST PRACTICES Act" href="http://www.privacylives.com/wp-content/uploads/2010/07/rush-privacy-bill-draft-july-2010.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.privacylives.com/wp-content/uploads/2010/07/rush-privacy-bill-draft-july-2010.pdf?referer=');">Privacy legislation</a> proposed this July even advocated its use to identify consumers who had opted-out of online tracking.</p>
<p>But device fingerprinting could also allow for much more effective tracking of online behavior than other current technologies.  Where cookies can be blocked or deleted, it’s much more difficult to prevent fingerprinting or to delete a fingerprint after it has been collected.  <a title="Race Is On to &quot;Fingerprint&quot; Phones, PCs - wsj.com" href="http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704679204575646704100959546.html?referer=');">One study</a>, surveying 70 million website visits, found that a fingerprint of an applicable device could be generated 89% of the time whereas cookies could only be used 78% of the time.  One developer of device fingerprinting technology <a title="Device Identification - bluecava.com" href="http://www.bluecava.com.php5-17.dfw1-2.websitetestlink.com/what-we-do/device-identification/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.bluecava.com.php5-17.dfw1-2.websitetestlink.com/what-we-do/device-identification/?referer=');">claims</a> that it is even able to link the fingerprints of different devices that appear to be used by the same person.  Eventually, the company <a title="Race Is On to &quot;Fingerprint&quot; Phones, PCs - wsj.com" href="http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704679204575646704100959546.html?referer=');">plans</a> on adding offline activity to the individual’s profile, using email addresses and names the user entered while browsing the web to pull information from other databases.  By collecting, generating and selling this information to marketers, device fingerprinting could become the basis to deliver targeted ads based on a consumer’s activity from their computer, mobile phone and other devices. </p>
<p>Fingerprinting and other forms of digital tracking are currently legal but both federal regulators and several members of Congress have warned that the government will intervene if the online-advertising industry does not start doing more to protect consumer privacy.  Recently, the FTC recommended that a <a title="FTC Backs a &quot;Do Not Track&quot; System for Internet - wsj.com" href="http://online.wsj.com/article/SB10001424052748704594804575648670826747094.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704594804575648670826747094.html?referer=');">Do Not Track System</a> be implemented if the industry doesn’t start coming up with its own solutions soon.  The FTC proposal would require web browsers to implement a do-not-track setting directly in the browser to enable end users to block web service providers, marketers and advertisers from monitoring their online behavior.  The FTC would then police companies that implement tracking technologies and tools to ensure that they comply with user requests.  The ad industry’s current opt-out system only allows consumers to opt-out of targeted advertising, not tracking altogether. </p>
<p>The industry has taken notice.  Some marketing firms say that they will create an opt-out function if they adopt fingerprint technology, though the details of how that would work are still unclear.  Other initiatives include the “<a title="Some Data-Miners Ready to Reveal What They Know - wsj.com" href="http://online.wsj.com/article/SB10001424052748704377004575650802136721966.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704377004575650802136721966.html?referer=');">Open Data Partnership</a>”, a service that would allow consumers to see what information has been collected about them, and opt out of being tracked by participating firms.  The service is intended to be a response to the government request for more transparency and consumer control.  Eight data and tracking firms have already committed for the service’s launch in January.  Microsoft has also <a title="Microsoft to Add &quot;Tracking Protection&quot; to Web Browser - wsj.com" href="http://online.wsj.com/article/SB10001424052748703296604576005542201534546.html?mod=WSJ_article_MoreIn_Tech" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748703296604576005542201534546.html?mod=WSJ_article_MoreIn_Tech&amp;referer=');">revealed plans</a> for a tool to block tracking in its next version of Internet Explorer.  The tool, once enabled, will allow users to block tracking attempts from specified web addresses used by tracking companies.  But in order to use the tool, users have to direct the browser as to which tracking attempts should be blocked by selecting from lists compiled by privacy groups and other outsiders.  There won’t be any default setting to block all tracking attempts.  Additionally, the tool will only block tracking by certain technologies, such as cookies and beacons.  
It doesn’t address new technologies like digital fingerprinting and “deep packet inspection,” a form of monitoring which analyzes data as it travels from the internet to the computer. </p>
<p>While support for consumer protections is gaining ground, the $23 billion online advertising industry <a title="'Evercookies’ and ‘Fingerprinting’: Are Anti-Fraud Tools Good for Ads? - Digits Blog, wsj.com" href="http://blogs.wsj.com/digits/2010/12/01/evercookies-and-fingerprinting-finding-fraudsters-tracking-consumers/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/blogs.wsj.com/digits/2010/12/01/evercookies-and-fingerprinting-finding-fraudsters-tracking-consumers/?referer=');">warns</a> that an end to tracking could also mean an end to the free web content that is currently subsidized and supported by targeted advertising.  And <a title="Policing Privacy on Web Debated - wsj.com" href="http://online.wsj.com/article/SB10001424052748704377004575651201793245866.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704377004575651201793245866.html?referer=');">some members of Congress</a> have expressed hesitation about any legislation that might hurt economic recovery.  Data tracking has also enabled the customized web experience that many consumers have come to rely on.  In order for any solution to be viable in the long-term, it will have to find some way to balance these competing concerns.  </p>
<p>In the coming months, we will continue to monitor this and other developments in the ongoing debate over privacy on the internet.</p>
<p>** Kathleen O’Donnell, who joined the firm in September, assisted in drafting this article.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/12/device-fingerprinting-and-targeted-margeting-the-next-digital-privacy-battleground/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Registration for Digital HHR Presents &#8212; “Whose Data Is It Anyway: Privacy and Data Security in a De-centralized Digital World”</title>
		<link>http://digitalhhr.com/cle-webinar-p-registration/</link>
		<comments>http://digitalhhr.com/cle-webinar-p-registration/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 17:31:01 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Digital World]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?page_id=1911</guid>
		<description><![CDATA[ 
Please use this form to register for Digital HHR&#8217;s webinar &#8212; &#8220;Whose Data Is It Anyway:  Privacy and Data Security in a De-centralized Digital World&#8221;, September 21, 2010 at 12:30pm EST.  We will email the webinar login credentials and access instructions to you upon receipt of your registration.
]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-1791" title="image001" src="http://digitalhhr.com/wp-content/uploads/2010/08/schnapp_privacy-webinar_masthead-6001.jpg" alt="image001" width="300" height="137" /> </p>
<p>Please use this form to register for Digital HHR&#8217;s webinar &#8212; &#8220;<em>Whose Data Is It Anyway</em>:  Privacy and Data Security in a De-centralized Digital World&#8221;, September 21, 2010 at 12:30pm EST.  We will email the webinar login credentials and access instructions to you upon receipt of your registration.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/cle-webinar-p-registration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Discovery of Privacy Breaches on Facebook Puts New Emphasis on Debate Over Personal Data Protection</title>
		<link>http://digitalhhr.com/2010/11/discovery-of-privacy-breaches-on-facebook-puts-new-emphasis-on-debate-over-personal-data-protection/</link>
		<comments>http://digitalhhr.com/2010/11/discovery-of-privacy-breaches-on-facebook-puts-new-emphasis-on-debate-over-personal-data-protection/#comments</comments>
		<pubDate>Thu, 18 Nov 2010 21:15:24 +0000</pubDate>
		<dc:creator>Wayne Josel</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1765</guid>
		<description><![CDATA[The recent Wall Street Journal report revealing that some of Facebook’s most popular applications have been leaking user information has brought attention to a little-known corner of the Web advertising business.  And that attention may ultimately lead to substantial changes in the way companies do business both with Facebook and throughout the wider Web. 
The Facebook [...]]]></description>
			<content:encoded><![CDATA[<p>The recent Wall Street Journal <a href="http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052702304772804575558484075236968.html?referer=');">report</a> revealing that some of Facebook’s most popular applications have been leaking user information has brought attention to a little-known corner of the Web advertising business.  And that attention may ultimately lead to substantial changes in the way companies do business both with Facebook and throughout the wider Web. </p>
<p>The Facebook disclosures were the result of a common Web standard called a referer.  As web users navigate from site to site, the referer tells the new site which page the user is coming from.  Most of the time, this is an innocuous tool used to help websites track the source of their traffic flow and customize user experience.  However, when user IDs are included in web addresses, as is the case with Facebook and other social networking sites, this practice could potentially expose the browser’s identity.  The user IDs can be used to look up public information on the user’s Facebook profile, which, depending on the selected privacy settings, could include anything from the user’s name to his age, hometown, or even photos.<span id="more-1765"></span></p>
<p>Sharing any user information with advertising and data companies is a violation of Facebook’s privacy policy.  However, Facebook has stated that it does not consider the sharing of IDs with application developers to be a privacy breach and that the disclosures by the applications to advertising companies were, for the most part, inadvertent and a “byproduct of how internet browsers work”.  Facebook has announced a <a href="http://developers.facebook.com/blog/post/419" onclick="pageTracker._trackPageview('/outgoing/developers.facebook.com/blog/post/419?referer=');">proposed solution</a> that would encrypt user IDs in referer headers to prevent inadvertent disclosure to third parties.  The encryption will be mandatory starting January 1, 2011.  However, the encryption only prevents accidental transmission.  Describing it as a “Web-wide problem”, Facebook states that they are looking forward to working with the Web standards community and browser developers in the future to develop a more complete fix.  </p>
<p>Facebook has had trouble with the disclosure of user IDs before.  In May, Facebook revealed that <a href="http://online.wsj.com/article/SB10001424052748704513104575256701215465596.html" onclick="pageTracker._trackPageview('/outgoing/online.wsj.com/article/SB10001424052748704513104575256701215465596.html?referer=');">IDs were being sent to advertisers</a> when users clicked on certain ads on Facebook pages.  In some cases, advertisers received the ID of the user who clicked on the advertisement, as well as the ID of the person whose page the user was viewing at the time. </p>
<p>The disclosure of user IDs, which has always been a sensitive issue for companies doing business on the web, is becoming more of a hot-button issue as public awareness of the issue increases.  It has already attracted the <a href="http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=227900271" onclick="pageTracker._trackPageview('/outgoing/www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=227900271&amp;referer=');">attention of lawmakers</a> who have asked Facebook to outline the steps it is taking to protect consumer information.  While there is no foolproof method to prevent widespread disclosures of personal information, a two-pronged approach, using both technological solutions and a careful framing of contractual protections may help mitigate the problem and avoid the possibility of increased legislative oversight or intervention.</p>
<p>One technological solution would be the increased use of encryption in connection with coding, storing and transmitting user IDs and other personal information.  However, while encryption could prevent unauthorized disclosures, such technological solutions must be coupled with clear contractual obligations on the part of the various stakeholders to ensure their proper use and implementation.  For example, publishers, ad service providers, search providers, developers and others who rely on the use, analysis and disclosure of user data could include in their various agreements provisions requiring that encryption and/or other data security technologies be implemented in connection with the transfer of data between the parties. </p>
<p>The agreements could also include provisions that spell out how the parties may use personal data (for example, only for internal use in connection with fulfilling obligations under the underlying agreement), and more critically, include specific restrictions and prohibitions on use (for example, prohibiting the sharing of such information with third parties).  Additionally, the inclusion of provisions requiring the maintenance of records of data practices which would be available for audit might also lead to increased vigilance.  Although these measures place increased burdens on the various stakeholders, absent further technological developments, they may be the best way to convince regulators (and the public) that the industry is serious about protecting consumers’ privacy.</p>
<p>Websites can also take steps on their own to beef up their security policies.  In recent months, Facebook has been working to increase their protection of user data.  Following an investigation by the Canadian Privacy Commissioner, Facebook limited the access that applications have to private information.  Unless the user grants additional permission, the application can only view information in the user’s public profile.  (For our previous article on the Canadian Privacy Commissioner’s investigation, <a href="http://digitalhhr.com/2009/08/online-privacy-concerns-users-are-gaining-control/">see here</a>.)  In early October, Facebook implemented a new tool to help users control what information applications can access, in response to <a href="http://www.nytimes.com/2010/05/27/technology/27facebook.html?pagewanted=1&amp;_r=1&amp;ref=mark_e_zuckerberg" onclick="pageTracker._trackPageview('/outgoing/www.nytimes.com/2010/05/27/technology/27facebook.html?pagewanted=1_amp_r=1_amp_ref=mark_e_zuckerberg&amp;referer=');">criticisms</a> that its privacy settings were too complicated.  And, after these latest disclosures, Facebook announced a “clarified” <a href="http://developers.facebook.com/policy/#policies" onclick="pageTracker._trackPageview('/outgoing/developers.facebook.com/policy/_policies?referer=');">privacy policy</a> stating that user IDs cannot leave an application.  In the event that a developer needs to share information with an advertiser or content provider, they must use an anonymous identifier. </p>
<p>Whether or not these revised policies actually provide more protection to users’ privacy is yet to be seen.  However, it is probably not a stretch to say that the coming months will bring similar revelations and changes across the Web.  We will continue to monitor this and other developments in the ongoing debate over privacy on the internet. </p>
<p>**Kate O’Donnell, who recently joined the Firm, assisted in the preparation of this article.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/11/discovery-of-privacy-breaches-on-facebook-puts-new-emphasis-on-debate-over-personal-data-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Activities in Washington Point to Complex Issues for Regulating Privacy</title>
		<link>http://digitalhhr.com/2010/10/recent-activities-in-washington-point-to-complex-issues-for-regulating-privacy/</link>
		<comments>http://digitalhhr.com/2010/10/recent-activities-in-washington-point-to-complex-issues-for-regulating-privacy/#comments</comments>
		<pubDate>Sat, 09 Oct 2010 18:24:38 +0000</pubDate>
		<dc:creator>Wayne Josel and Cindy Lo</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[behavioral targeting]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1746</guid>
		<description><![CDATA[Recent activities out of Washington have again turned the spotlight on the complexity of protecting privacy in an era of targeted advertising and what role, if any, the federal government might take to implement regulations on the collection and use of data related to consumers’ digital habits.
This week the chair of the House Caucus on [...]]]></description>
			<content:encoded><![CDATA[<p>Recent activities out of Washington have again turned the spotlight on the complexity of protecting privacy in an era of targeted advertising and what role, if any, the federal government might take to implement regulations on the collection and use of data related to consumers’ digital habits.</p>
<p>This week the chair of the House Caucus on Privacy, Rep. Edward Markey of Massachusetts, criticized responses received by the Caucus from several large Web publishers admitting that <a href="http://www.observer.com/2010/media/big-publishers-explain-sorry-protecting-users-privacy-too-expensive" onclick="pageTracker._trackPageview('/outgoing/www.observer.com/2010/media/big-publishers-explain-sorry-protecting-users-privacy-too-expensive?referer=');">keeping track of data collection on their sites is technically difficult, if not impossible</a>.  Markey said that while the publishers detail their own privacy policies and opt-out procedures, these are often too complicated for the average consumer to follow.  He also pointed out that <a href="http://thehill.com/blogs/hillicon-valley/technology/123389-websites-defend-consumer-tracking-tools" onclick="pageTracker._trackPageview('/outgoing/thehill.com/blogs/hillicon-valley/technology/123389-websites-defend-consumer-tracking-tools?referer=');">a single website may have dozens of firms collecting data through ads on the site</a> and consumers would need to consult the policies of each of those firms to determine precisely what information was being collected and how it was being used.  (We recently wrote about this issue in<em> </em>a <a href="http://digitalhhr.com/2010/03/location-location-location-is-apple-drawing-a-line-in-the-sand-in-the-mobile-ad-space/#more-1597">previous Digitalhhr post</a> in connection with location-based advertising and Apple’s iPhone app policy.) <span id="more-1746"></span></p>
<p>Markey said that Congress will continue to look into enacting privacy legislation in the future and while he didn’t mention any specific proposals, as detailed in our recent <a href="http://digitalhhr.com/2010/08/digital-hhr-presents-cle-webinar-on-privacy-in-a-de-centralized-digital-world-%E2%80%93-september-21-2010/">CLE Webinar on Privacy in a De-Centralized Digital World</a>, two pending privacy bills have been introduced.  The <a href="http://www.boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf" onclick="pageTracker._trackPageview('/outgoing/www.boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf?referer=');">Boucher-Stearns Bill</a>, proposed in May of this year, would require that “covered entities” (defined as any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information) provide individuals with a privacy notice and an opportunity to opt-out before collecting, using or disclosing “covered information” about that individual.  Covered information is defined broadly and includes an individual’s first name or initial and last name, a postal address, a telephone number or an email address.  In addition, the bill would also require that covered entities obtain affirmative opt-in consent before: (i) collecting sensitive information such as medical records, sexual orientation and precise geographic location information or (ii) sharing covered information or sensitive information with unaffiliated parties. </p>
<p>A similar bill known as the <a href="http://energycommerce.house.gov/documents/20100720/HR5777_introduced.pdf" onclick="pageTracker._trackPageview('/outgoing/energycommerce.house.gov/documents/20100720/HR5777_introduced.pdf?referer=');">“BEST PRACTICES Act”</a>, proposed two months after the Boucher-Stearns Bill, would permit a limited private right of action, allowing individuals to sue companies that violate the law for up to $1,000 in actual damages, plus punitive damages.  Both privacy bills would grant enforcement power to the FTC and the states but are not expected to pass this year.</p>
<p>Meanwhile, the FTC has held a series of <a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml?referer=');">public roundtables</a> to discuss proposals for regulating consumer privacy as an increasing number of companies engage in the collection, storage and disclosure of end user data.  The last roundtable was held on March 17, 2010 and the FTC has been largely silent since then as to the findings for its much anticipated revised report on privacy guidelines, which is expected later this year.  That report is intended as the follow-up to the FTC’s 2009 Staff Report, titled <a title="Self-Regulatory Principles for Online Behavioral Advertising - FTC Staff Report" href="http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.ftc.gov/os/2009/02/P085400behavadreport.pdf?referer=');">“Self-Regulatory Principles for Online Behavioral Advertising”</a>, which was the subject of a <a title="Online Behavioral Tracking – Some Say Simple Honesty Works Best - digitalhhr.com" href="http://digitalhhr.com/2009/02/online-behavioral-tracking-%e2%80%93-some-say-simple-honesty-works-best/" target="_blank">previous Digitalhhr post</a><em>.</em></p>
<p>However, recent public statements by Maneesha Mithal, the associate director of the FTC Division of Privacy and Identity Protection, suggest that the FTC’s new privacy report will include an emphasis on “consumer control”.  Mithal hinted that the upcoming FTC report may include findings of an increase in the <a href="http://blogs.wsj.com/digits/2010/09/24/ftc-hints-at-findings-in-upcoming-privacy-report/" onclick="pageTracker._trackPageview('/outgoing/blogs.wsj.com/digits/2010/09/24/ftc-hints-at-findings-in-upcoming-privacy-report/?referer=');">collection, storage and use of data of which consumers are largely unaware</a> particularly with respect to behavioral advertising and a <a href="http://www.hldataprotection.com/2010/09/articles/online-standards/ftc-previews-forthcoming-privacy-report/" onclick="pageTracker._trackPageview('/outgoing/www.hldataprotection.com/2010/09/articles/online-standards/ftc-previews-forthcoming-privacy-report/?referer=');">blurring distinction between personally identifiable information and other types of data</a>. </p>
<p>More importantly, Mithal indicated that the yet-to-be approved report as currently drafted would recommend that all new technologies that involve the collection, storage, processing and/or disclosure of personal information should take into account end user privacy, including privacy reviews, as part of their design.  The draft report also contains a requirement that consumers receive “just in time” notices of collection practices (that is, a notice at the time data is collected), rather than the current practice of incorporating data collection and use provisions as part of a site’s terms of use/service and/or privacy policy.  “Just in time” notices are required under EU regulations, raising the question of whether requiring such new notice obligations might be a first step taken by the FTC to move towards the stricter and more uniform EU model for data protection and privacy regulation.  </p>
<p>In line with its recently stated focus on “consumer control” and in response to a 2007 push by a coalition of <a href="http://www.nytimes.com/2007/10/31/technology/31cnd-privacy.html" onclick="pageTracker._trackPageview('/outgoing/www.nytimes.com/2007/10/31/technology/31cnd-privacy.html?referer=');">privacy groups</a>, the FTC has also been considering improved opt-out mechanisms to online advertising such as a <a href="http://techdailydose.nationaljournal.com/2010/07/ftc-weighs-do-not-track-list.php" onclick="pageTracker._trackPageview('/outgoing/techdailydose.nationaljournal.com/2010/07/ftc-weighs-do-not-track-list.php?referer=');">&#8220;do not track&#8221; list</a>, similar to the National Do Not Call Registry, that would permit consumers to opt out of having their online activities tracked for advertising or marketing purposes. </p>
<p>The FTC’s 2009 Staff Report proposed non-binding guidelines for an industry currently subject to self-regulation.  It remains to be seen whether the upcoming FTC report will propose actual regulations or seek guidance from Congress on whether to do so.  We will continue to follow the ongoing developments in this evolving discussion.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/10/recent-activities-in-washington-point-to-complex-issues-for-regulating-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>European “Three Strikes” Initiatives Move Beyond Concept and Become Law</title>
		<link>http://digitalhhr.com/2010/09/european-%e2%80%9cthree-strikes%e2%80%9d-initiatives-move-beyond-concept-and-become-law/</link>
		<comments>http://digitalhhr.com/2010/09/european-%e2%80%9cthree-strikes%e2%80%9d-initiatives-move-beyond-concept-and-become-law/#comments</comments>
		<pubDate>Mon, 06 Sep 2010 20:07:40 +0000</pubDate>
		<dc:creator>Hali Pedersen</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[copyright infringement]]></category>
		<category><![CDATA[enforcement]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[Infringement]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[piracy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[restrictions]]></category>

		<guid isPermaLink="false">http://digitalhhr.com/?p=1717</guid>
		<description><![CDATA[Over the last year, we’ve been following the recent trends in Europe regarding “three strikes” legislation, where end-users may be subject to sanction by their ISPs for repeated acts of copyright infringement.  Following passage of the first such law in France last fall, the United Kingdom followed suit in early 2010 with passage of the [...]]]></description>
			<content:encoded><![CDATA[<p>Over the last year, we’ve been following the recent trends in Europe regarding “three strikes” legislation, where end-users may be subject to sanction by their ISPs for repeated acts of copyright infringement.  Following passage of the first such law in France last fall, the United Kingdom followed suit in early 2010 with passage of the <a href="http://www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621" onclick="pageTracker._trackPageview('/outgoing/www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621&amp;referer=');">Digital Economy Act</a>.  While it is too early to say with certainty whether the laws will achieve their stated goal of deterring and ultimately reducing infringement, the debate surrounding these laws and early experience under their enforcement schemes provides insight into whether or not “deputizing” ISPs to police piracy will become more prevalent or whether yet another approach will need to be devised to protect content owners.<span id="more-1717"></span></p>
<p>In October 2009, France’s high court approved “<em>Loi favorisant la diffusion et la protection de la création sur Internet”</em>, or “HADOPI” (see our previous post: <a href="http://digitalhhr.com/2009/10/three-strikes-and-you%e2%80%99re%e2%80%a6outttt-of-french-cyberspace/">Three Strikes and You’re…OUTTTT! (Of French Cyberspace)</a>).  Now almost one year into the life of the law, results have been mixed. The French government has said that it is prepared to begin issuing warnings and sanctions under the law, but no action has been taken yet. Commentators have questioned the feasibility of the law (e.g., the ease with which offenders can regain access to the Internet), and some original supporters of the legislation have <a href="http://arstechnica.com/tech-policy/news/2010/07/first-anniversary-bfrench-legislators-have-second-thoughts-on-three-strikes-lawrings-second-thoughts-on-french-3-strikes.ars" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/tech-policy/news/2010/07/first-anniversary-bfrench-legislators-have-second-thoughts-on-three-strikes-lawrings-second-thoughts-on-french-3-strikes.ars?referer=');">qualified their original support</a> of the law in response to adverse political reaction.</p>
<p>The U.K.’s <a href="http://www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621" onclick="pageTracker._trackPageview('/outgoing/www.statutelaw.gov.uk/legResults.aspx?activeTextDocId=3699621&amp;referer=');">Digital Economy Act </a> was enacted on June 8, 2010. Aimed at regulating the access of copyrighted material by end-users, one controversial section of the law establishes a system for identifying users who access illegal materials and for gradually increasing technical restrictions on their Internet access. These restrictions involve initially downgrading the quality of a user’s connection (the hope being that slower upload and download speeds will act as a deterrent to piracy) and culminate in a complete denial of Internet access.</p>
<p>Since the enactment of the DEA, the Office of Communication (Ofcom), an independent regulator and competition authority for the UK communications industries, has developed a <a href="http://stakeholders.ofcom.org.uk/consultations/copyright-infringement/summary" onclick="pageTracker._trackPageview('/outgoing/stakeholders.ofcom.org.uk/consultations/copyright-infringement/summary?referer=');">protocol</a>/<a href="http://stakeholders.ofcom.org.uk/binaries/consultations/copyright-infringement/summary/condoc.pdf" onclick="pageTracker._trackPageview('/outgoing/stakeholders.ofcom.org.uk/binaries/consultations/copyright-infringement/summary/condoc.pdf?referer=');">obligations code</a> for implementing the legislation (but has said that plans to disconnect end-users from the Internet would not come into force until next year). ISPs are tasked with identifying and compiling a list of those end-users believed to be engaging in infringing conduct via a three-stage notification process, which includes sending letters to such end-users (which must include certain “standardized” information in connection with the allegations made against the end-user and what actions such end-user can take both to challenge the allegation and to protect their network). Rights’ holders can also request the ISP to identify those end-users who have breached an Ofcom-defined threshold for continued violation of access to information (i.e., following the third notification to a particular end-user), after which the rights’ holder may petition a court for identification of the user for purposes of initiating litigation.</p>
<p>Not surprisingly, the DEA has been subject to criticism from many perspectives.  Certain commentators have claimed that the complete denial of Internet service may violate existing European Union principles and regulations intended to preserve EU residents’ “basic rights and freedoms”, one of which is the right to access and use the Internet, and say that even worse is the manner in which the act was passed into law (which ISPs claim was rushed through Parliament with insufficient scrutiny). Further criticism focuses on the fact that the DEA provides only for an independent, limited appeals process for end-users who believe they have been wrongly accused of copyright infringement (as opposed to due process in a judicial proceeding). Consumer rights groups have raised concerns that an innocent user who has not encrypted her wireless network may be sanctioned if others access the network to engage in unauthorized conduct.  In addition, some have predicted that the threat of <a href="http://www.guardian.co.uk/technology/2010/jun/01/digital-economy-act-will-fail" onclick="pageTracker._trackPageview('/outgoing/www.guardian.co.uk/technology/2010/jun/01/digital-economy-act-will-fail?referer=');">disconnection may alienate</a> the most avid <em>legal</em> buyers of entertainment content, encouraging them to switch to anonymized, encrypted alternatives so as not to reveal their identity.  Lastly, because the DEA only applies to ISPs with more than 400,000 customers, one <a href="http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act" onclick="pageTracker._trackPageview('/outgoing/www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act?referer=');">consequence</a> of the law could be a flight of consumers to smaller ISPs, placing the larger ISPs at a commercial disadvantage.</p>
<p>Many major ISPs have recently spoken out against the DEA.  TalkTalk and British Telecom (the UK’s largest providers of broadband to homes) have initiated legal challenges, with their core claim being that the DEA <a href="http://www.zdnet.co.uk/news/regulation/2010/07/08/bt-talktalk-to-take-digital-economy-act-to-high-court-40089475/" onclick="pageTracker._trackPageview('/outgoing/www.zdnet.co.uk/news/regulation/2010/07/08/bt-talktalk-to-take-digital-economy-act-to-high-court-40089475/?referer=');">conflicts with existing European Union regulations</a> relating to individual privacy and electronics communications directives, as well as e-commerce directives.  They have also raised concerns about the role of <a href="http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act" onclick="pageTracker._trackPageview('/outgoing/www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act?referer=');">ISPs in policing the Internet</a> (i.e., that ISPs are mere conduits of content and should not be held responsible for traffic on their services). </p>
<p>Many reporters and commentators have also started to speculate about the <a href="http://www.talktalkgroup.com/press-centre/news/press-office/168/digital-economy-bill-cannot-protect-copyright" onclick="pageTracker._trackPageview('/outgoing/www.talktalkgroup.com/press-centre/news/press-office/168/digital-economy-bill-cannot-protect-copyright?referer=');">practical ramifications of the DEA</a>.  These include concerns that the increased <a href="http://www.zeropaid.com/news/89228/consumers-to-foot-digital-economy-act-bill-warns-consumer-groups/" onclick="pageTracker._trackPageview('/outgoing/www.zeropaid.com/news/89228/consumers-to-foot-digital-economy-act-bill-warns-consumer-groups/?referer=');">costs borne by ISPs in identifying and notifying infringing users</a> may be passed onto subscribers, raising access costs across the board.  Additionally, there is speculation that <a href="http://www.pcworld.com/article/201189/uk_royalty_society_suggests_isps_pay_for_pirated_music.html" onclick="pageTracker._trackPageview('/outgoing/www.pcworld.com/article/201189/uk_royalty_society_suggests_isps_pay_for_pirated_music.html?referer=');">additional taxes</a> may be imposed on ISPs for transmission of pirated content by their subscribers.  Finally, the potential <a href="http://www.themusicvoid.com/2010/07/swings-roundabouts-and-lashings-of-legislative-lamenting/" onclick="pageTracker._trackPageview('/outgoing/www.themusicvoid.com/2010/07/swings-roundabouts-and-lashings-of-legislative-lamenting/?referer=');">ramifications of long-term end-user tracking</a> (e.g., data retention issues) have raised additional privacy concerns.</p>
<p>Reception of the three-strikes legislation, or graduated response, has been mixed elsewhere in the European Union and around the world.  In some countries, such as <a href="http://www.edri.org/edrigram/number8.6/four-strikes-belgium" onclick="pageTracker._trackPageview('/outgoing/www.edri.org/edrigram/number8.6/four-strikes-belgium?referer=');">Belgium</a> and <a href="http://www.mis-asia.com/news/articles/report-singapore-considers-three-strikes-anti-piracy-law" onclick="pageTracker._trackPageview('/outgoing/www.mis-asia.com/news/articles/report-singapore-considers-three-strikes-anti-piracy-law?referer=');">Singapore</a>, active or proposed legislation has tried to establish administrative oversight of illegal access to copyrighted material. In others, such as <a href="http://www.techeye.net/internet/german-justice-minister-snuffs-record-industry-defends-creators#ixzz0uAdMbhj7" onclick="pageTracker._trackPageview('/outgoing/www.techeye.net/internet/german-justice-minister-snuffs-record-industry-defends-creators_ixzz0uAdMbhj7?referer=');">Germany</a>, the government has taken a more laissez-faire approach by asking individual ISPs to handle content regulation and restriction without active government intervention.  </p>
<p>The point of restriction of content access varies as well. Graduated response, such as the process promulgated by HADOPI, puts the onus upon the individual end-user (i.e., if the end-user infringes upon copyright and accesses copyrighted material, she suffers the potential sanction of denial of Internet service). In other proposals, this remedy is rejected in favor of putting the burden on ISPs: the service provider must actively block websites known to provide copyrighted material illegally. Yet other proposed regulations include targeting the website itself and have imposed (or have tried to impose) <a href="http://www.theregister.co.uk/2010/07/19/pirate_bay_fine/" onclick="pageTracker._trackPageview('/outgoing/www.theregister.co.uk/2010/07/19/pirate_bay_fine/?referer=');">sanctions against individual websites</a> for their presence within a certain country.</p>
<p>These alternate approaches clearly reveal the competing, deeply-rooted political philosophies and interests engaged in the debate.  Is digital piracy something that should be primarily policed by the government through stringent regulatory schemes?  Or should the responsibility fall to commercial stakeholders, such as content owners and ISPs?  How does one resolve the competing interests between content owners (who seek the most stringent protections available) and ISPs (who may view themselves as a passive provider of a basic service, not an active enforcement agency)?  And will innocent end-users find that they are adversely impacted by the actions of true infringers?</p>
<p>While there may be universal agreement that infringing activity must be inhibited, it is unlikely that a single, unified approach to the problem will emerge any time soon.  However, through trial and error and the experience of “early adopter” nations such as France and the UK, it is possible that a consensus will emerge on a scheme that achieves a balance among the concerns and interests of the various stakeholders.</p>
<p>We will obviously keep an eye on future developments in this area of the law and relevant industry practices.</p>
]]></content:encoded>
			<wfw:commentRss>http://digitalhhr.com/2010/09/european-%e2%80%9cthree-strikes%e2%80%9d-initiatives-move-beyond-concept-and-become-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

