It has long been the Federal Trade Commission’s (FTC) position that if you make a privacy promise to consumers, you should expect to be held to that promise. The FTC’s complaint and its proposed settlement, announced on April 23, 2015, with Nomi Technologies, Inc. (Nomi) highlight this. Nomi’s tracking applications allow retailers to capture the unique media access control address (and other information) of mobile devices of persons who enter a retailer’s physical store as well as persons within a certain distance from the stores. Nomi then made this information available to its retailer customers for analytics purposes. Nomi promised that it would…
Technology Law
Recent Cases Emphasize Clickwrap Basics
Two court decisions in the past couple of months, both from federal courts in California, involving arbitration clauses in clickwrap agreements make clear that the manner in which affirmative assent to website terms is sought from a site’s users makes all the difference when enforceability of those terms is at issue. In early February, the U.S. District Court for the Northern District of California held in Savetsky v. Pre-Paid Legal Services, Inc. d/b/a LegalShield, Case No. 14-03514 SC (N.D. Cal. Feb. 12, 2015), that merely alerting a site user prior to online checkout that the user can obtain more information…
2015 Verizon Data Breach Investigations Report Released
Earlier this week, Verizon released its annual Data Breach Investigations Report (DBIR) for 2015. In the DBIR, Verizon, along with about 70 contributing organizations, presents an extensive survey and analysis of patterns and lessons from significant data breaches over the prior year. While the 2015 DBIR offers a broad range of data breach information, among the notable trends observed are the following: 90% of breaches are attributable to miscellaneous errors (29.4%), crimeware (25.1%), insider misuse (20.6%), and lost or stolen devices (15.3%); among miscellaneous errors, cases of misdelivery and inadvertent posting or publishing of data made up almost half of…
Can’t Just Phone In U.S.-E.U. Safe Harbor Compliance
Recent civil actions this month brought by the Federal Trade Commission (FTC) against two companies that allowed their certification under the U.S.-E.U. Safe Harbor Framework to lapse while still claiming to be compliant are a timely reminder that the Framework requires annual re-certification. The FTC cited this lapse as a deceptive trade practice by each of TES Franchising, LLC and American International Mailing, Inc. By way of background, shortly after the European Union’s Data Privacy Directive (the Privacy Directive) became effective in 1998, the U.S. Department of Commerce worked with European Union data protection authorities to develop the U.S.-E.U. Safe Harbor…
Canada’s CRTC Levies Fines in Two Email Spam Actions
On July 1, 2014, Canada’s anti-spam legislation (commonly referred to as CASL) came into effect with a focus on uninvited commercial electronic messages (CEMs), including commercial-related emails. While aspects of the Canadian law are similar to the U.S. CAN-SPAM Act, which sets forth specific compliance requirements for unsolicited commercial email messages sent within the U.S., CASL is arguably stricter in that it requires affirmative consent by the recipient. The Canadian Radio-Television and Telecommunications Commission (CRTC) has lost no time in enforcing the new CASL requirements. On March 5, 2015, the CRTC announced a Notice of Violation along with a proposed…
FTC Cautions on Use of Consumer Data Following Business Acquisitions
The Federal Trade Commission (FTC) has long been aggressive in holding businesses accountable for the commitments made to consumers in online privacy policies. Among the related issues that the FTC has revisited over the years is the validity of changing data use practices after a business acquisition or merger. As early as 2000 in the Toysmart bankruptcy case, the FTC adopted a strict view that an acquirer — even one in a bankruptcy setting — could either not acquire (depending on the transaction structure) or undertake new uses of consumer data collected by an acquired company if the acquired company’s privacy policy…
FCC Steps Up Data Enforcement Role With $25 Million Fine
The Federal Communications Commission (FCC) announced yesterday that it has entered into a settlement with AT&T Services, Inc. as a result of the FCC’s investigation of a series of data breaches during 2013 and 2014 at AT&T call centers in Mexico, Colombia, and the Philippines. As part of the settlement, AT&T must pay a $25 million civil money penalty — the largest data enforcement ever imposed by the FCC for data privacy and security concerns — provide data breach notification to affected customers and offer those customers credit monitoring services. The data breaches involved over 40 employees who stole sensitive…