On April 30, the U.S. District Court for the Central District of California held that Section 1747.08 of the Song-Beverly Credit Card Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions, does not apply to online purchase transactions in which the merchandise is shipped or delivered to the customer. Ambers v. Buy.com, No. 13-196, slip op. (C.D. Cal. Apr. 30, 2013). The ruling extends a recent holding by the California Supreme Court in Apple Inc. v. Sup. Ct. Los Angeles, which held that the Song-Beverly provisions do not apply when the item purchased is downloaded via the Internet. In this case, the customer claimed on behalf of a putative class whose claims could total $500 million that Apple created a standard that applies the Song-Beverly protections whenever the retailer has “some mechanism” to verify the customer’s identity. The plaintiff argued that the retailer’s request as part of the purchase transaction for a phone number in addition to the shipping address violated the statutory privacy protection. The court reasoned that as explained in Apple, the state legislature intended to allow retailers to verify that a person making a card purchase is authorized to do so, and stated that the shipping address alone would not work as an anti-fraud mechanism because a person who buys merchandise online may direct shipments to addresses not related to the credit card billing address. As such, the court held that Song-Beverly privacy protection does not apply to online purchases where the merchandise is being shipped or delivered, and granted the retailer’s motion to dismiss.

On May 1, the FTC and the CFPB announced a roundtable to “examine the flow of consumer data throughout the debt collection process” and discuss (i) the amount of documentation and other information currently available to different types of collectors and at different points in the debt collection process, (ii) the information needed to verify and substantiate debts, (iii) the costs and benefits of providing consumers with additional disclosures about their debts and debt-related rights, and (iv) information issues relating to pleading and judgment in debt collection litigation. The event will be held on June 6, 2013 in Washington, DC and is open to the public.

On April 30, the National Institute of Standards and Technology (NIST) published a substantially revised version of its Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” the government’s core computer security guide. Although developed for use by federal agencies, the NIST Special Publication is widely used in the private sector.  The revisions are the most extensive since the document first was published in 2005 and is meant to address evolving and emerging cyber security threats. For example, the new guide incorporates issues specific to (i) mobile and cloud computing, (ii) insider threats, (iii) applications security, (iv) supply chain risks, (v) advanced persistent threats, and (vi) trustworthiness, assurance, and resilience of information systems. It is sector-specific to allow organizations greater flexibility in building information security systems, and also provides for the first time a privacy controls catalog.

On April 25, the FTC issued updated FAQs on the recently amended Children’s Online Privacy Protection Act Rule. The FAQs provide supplemental guidance designed to help website operators, mobile application developers, plug-ins and advertising networks operating on child-directed websites and online services prepare for the amended regulations, which take effect on July 1, 2013.

On April 17, the FTC requested input on the consumer privacy and security issues posed by the connectivity of consumer devices in advance of a public workshop to be held on November 21, 2013. The request notes that connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties. While advances in connected devices provide consumer benefits, greater connectivity also poses privacy and security risks. The FTC seeks comment on (i) the significant developments in services and products that make use of this connectivity, (ii) the technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections), (iii) the current and future uses of smart technology, (iv) consumer benefits, (v) privacy and security concerns, and (vi) how privacy risks should be weighed against potential societal benefits. The FTC is accepting comments through June 1, 2013.

Recently, Connecticut finalized regulations to implement changes to the state’s Uniform Real Property Electronic Recording Act that allows town clerks to accept electronic documents for recording on the land records. Prior to implementation of these changes, town clerks could only accept paper documents for recording. While they may continue to accept paper documents, the regulation permits them to accept delivery of and return electronic documents for the purpose of recording those documents in the land records, consistent with other states. The regulation is also intended to ensure that the records and recordkeeping systems will be maintained properly and securely. The state also has published FAQs for town clerks regarding the new regulation.

On April 2, the U.S. District Court for the Northern District of Illinois certified a class of individuals who downloaded and installed tracking software created and operated by a data company and distributed by one of the company’s third-party bundling partners. Harris v. comScore, Inc., No. 11-5807, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013). The plaintiffs claim the data company used the tracking software to collect information on consumers’ computers, including social security numbers and other personally identifiable information. The court estimated the software was installed on millions of computers between 2008 and 2011. The court refused to certify unjust enrichment claims due to variances in laws across states, but allowed claims of violations of the Stored Communications Act, the Electronic Communications Privacy Act, and the Computer Fraud and Abuse Act to move forward. Certification of such a large class is unusual for a privacy suit, but the company’s user license agreement and the downloading statement regarding the software provided a basis for shared injury not present in other cases.

On March 18, FinCEN issued guidance to clarify the applicability of Bank Secrecy Act regulations to persons creating, obtaining, distributing, exchanging, accepting, or transmitting virtual currencies. FinCEN clarifies that a person that obtains a virtual currency to purchase goods or service (a “user”) does not fit within the regulatory definition of a money transmission service, and therefore is not subject to the relevant regulations. However, a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency (an “exchanger”), and a person engaged as a business in issuing a virtual currency, and who has the authority to redeem such virtual currency (an “administrator”), generally are considered money transmitters under FinCEN’s regulations if they (i) accept and transmit a convertible virtual currency or (ii) buy or sell convertible virtual currency for any reason. The guidance reviews FinCEN’s specific determinations regarding different activities involving virtual currencies and the appropriate regulatory treatment of administrators and exchangers under each of the scenarios. Specifically, the guidance addresses (i) brokers and dealers of e-currencies and e-precious metals; (ii) centralized convertible virtual currencies; and (iii) de-centralized convertible virtual currencies.

On March 12, the European Commission announced that the European Parliament voted to support new legislation governing the out-of-court resolution of contractual disputes resulting from online transactions for the sale of goods or services, referred to as Online Dispute Resolution (ODR). The ODR legislation establishes a single EU-wide platform to handle disputes between traders and consumers arising from cross-border online transactions. The platform, which would not be applicable to offline transactions, will:  (1) allow consumers and traders to electronically submit complaints related to online transactions along with related documents to an alternative dispute resolution entity; (2) allow alternative dispute resolution entities to receive and transmit information electronically; and (3) allow the parties to conduct and resolve the dispute resolution process via the platform. The platform is intended to be operational by 2015.

On March 7, the Texas Court of Appeals of the Thirteenth District affirmed a trial court’s holding that the essential terms of an option contract for the purchase of real estate were present when three e-mail messages exchanged by the parties were read together. Dittman v. Cerone, No. 13-11-00196-CV, 2013 WL 865423 (Mar. 7, 2013). The defendant sued for specific performance pursuant to the terms of the three emails, and the trial court ultimately concluded that the e-mails constituted a valid option contract and ordered the plaintiffs to convey the property. The Texas Court of Appeals affirmed the trial court’s holding that the option contract complied with the statute of frauds because (i) the emails construed together provided the essential terms of the contract, (ii) the property was sufficiently identified and confirmed by extrinsic evidence, (iii) the parties’ actions evidenced an intent to conduct certain business electronically, and (iv) the real estate broker had authority to act for the sellers.

Yesterday, the FTC released guidance for mobile and other online advertisers. The new guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,” adapts and expands prior FTC guidance to account for a decade’s worth of additional experience with online marketing practices, consumers’ increasing use of smartphones, and merchants’ increasing use of social media marketing.

The new guidance highlights several key considerations for businesses as they develop advertisements for online and mobile media:

• The same consumer protection laws – e.g. UDAP – that apply to commercial activities in other media apply online and in the mobile marketplace.
• Limitations and qualifying information should be incorporated into any underlying claim, rather than provided as a separate disclosure qualifying the claim.
• Marketing materials that may be viewed on a variety of platforms, including handheld devices, should be designed so that required disclosures are effectively delivered on all of the platforms.
• Required disclosures must be clear and conspicuous, as determined by numerous factors.
• If a disclosure is necessary to prevent an advertisement from being deceptive, unfair, or otherwise violative of a FTC rule, and it is not possible to make the disclosure clearly and conspicuously, then that ad should not be disseminated.

To meet the clear and conspicuous standard, Read more…

On February 28, the FTC announced that President Obama will designate Edith Ramirez as Chairman of the FTC, effective March 4, 2013. Ms. Ramirez became an FTC commissioner on April 5, 2010, and has focused on promoting competition and innovation in the technology and healthcare sectors, protecting vulnerable consumers from deceptive and unfair practices, and safeguarding consumer privacy. Prior to joining the FTC, Ms. Ramirez was a lawyer in private practice, and before that served as the Vice President on the Board of Commissioners for the Los Angeles Department of Water and Power.

On February 26, the National Institute of Standards and Technology (NIST), issued a request for information to begin developing the “Cybersecurity Framework” required by a recent executive order directing NIST to develop a framework to reduce cyber risks to critical infrastructure. The request explains that the framework will incorporate voluntary consensus standards and industry best practices to the fullest extent possible, and should include flexible standards, guidelines, and best practices that provide (i) a consultative process to assess the cybersecurity-related risks to organizational missions and business functions, (ii) a menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats, (iii) a consultative process to identify adequate security controls, (iv) metrics to assess and monitor the effectiveness of security controls, (v) a comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide industry leadership with necessary information to help make ongoing risk-based decisions, and (vi) a menu of privacy controls. The goal of the framework development process is to (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities, (ii) specify high-priority gaps for which new or revised standards are needed, and (iii) collaboratively develop action plans by which those gaps can be addressed. NIST asks that comments be provided by April 8, 2013.

On February 22, the FTC announced that a mobile device manufacturer agreed to settle charges that it failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. The settlement is the first of its kind obtained by the FTC. The FTC’s complaint alleged that the manufacturer failed to (i) provide its engineering staff with adequate security training, (ii) review or test the software on its mobile devices for potential security vulnerabilities, (iii) follow well-known and commonly accepted secure coding practices, and (iv) establish a process for receiving and addressing vulnerability reports from third parties. The complaint further described several resulting vulnerabilities that allegedly compromised sensitive device functionality and could have permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device. Such malware, according to the FTC, could be used to record and transmit information entered into or stored on the device. The settlement requires the device manufacturer to establish a comprehensive security program and deploy security patches to consumers’ devices. The manufacturer also is prohibited from making any false or misleading statements about the security and privacy of consumers’ data on its devices.