FTC Sends COPPA Update Educational Letters

On May 15, the FTC announced that it sent letters to businesses to help them comply with new requirements under the revised Children’s Online Privacy Protection Act (COPPA) rule. The letters went to 90 businesses whose online services or mobile applications appear to collect personal information from children under 13, as defined by the revised rule. The letters differ depending on whether the business is domestic or foreign, and whether the business collects images or sounds of children, or collects persistent identifiers.


Court Dismisses California AG’s First Suit Against Mobile Application Provider Under Online Privacy Protection Act

On May 9, the Superior Court of California dismissed California Attorney General Kamala Harris’ first suit against a company for allegedly failing to comply with the state’s Online Privacy Protection Act. California v. Delta Air Lines Inc., No. 12-526741, Order (Cal. Sup. Ct. May 9, 2013). The state alleged that since at least 2010, Delta Airlines operated a mobile application that allows customers to, for example, check in online for an airplane flight, view reservations for air travel, or rebook cancelled or missed flights. The AG claimed that the Delta application collects substantial personally identifiable information without providing a privacy policy. The suit sought an injunction and penalties of up to $2,500 for each violation. Reportedly, the court determined that the suit was preempted by the federal Airline Deregulation Act, which prohibits states from regulating certain airline functions, including, according to Delta and the court, the mobile application at issue in this case. The suit against Delta was filed after the AG sent letters to Delta and numerous other mobile application developers and providers advising those entities of their alleged noncompliance with state privacy law, and forms part of a broader enforcement effort by the AG with regard to online and mobile privacy.


Federal Reserve Board Report Reviews Consumer Use of Mobile Financial Services

On March 27, the Federal Reserve Board presented the findings of a November 2012 online survey of consumers’ use of mobile technology to access financial services and make financial decisions. The report follows a related March 2012 Federal Reserve Board report, and includes the Board’s general findings that (i) mobile phones and mobile Internet access are in widespread use, (ii) the ubiquity of mobile phones is changing the way consumers access financial services, (iii) mobile phones are also changing the way consumers make payments, (iv) security and usefulness concerns continue to be the main impediments to the adoption of mobile financial services, (v) smartphones are changing the way people shop, and (vi) mobile phones are prevalent among unbanked and underbanked consumers. The report points out that the use of mobile phones to make payments at the point of sale has increased more rapidly than the use of mobile phones for banking, and that there is “substantial growth potential” for mobile payments as the ability to make them becomes more widespread.


FTC Announces First Settlement of Privacy-By-Design Case against Device Manufacturer

On February 22, the FTC announced that a mobile device manufacturer agreed to settle charges that it failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. The settlement is the first of its kind obtained by the FTC. The FTC’s complaint alleged that the manufacturer failed to (i) provide its engineering staff with adequate security training, (ii) review or test the software on its mobile devices for potential security vulnerabilities, (iii) follow well-known and commonly accepted secure coding practices, and (iv) establish a process for receiving and addressing vulnerability reports from third parties. The complaint further described several resulting vulnerabilities that allegedly compromised sensitive device functionality and could have permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device. Such malware, according to the FTC, could be used to record and transmit information entered into or stored on the device. The settlement requires the device manufacturer to establish a comprehensive security program and deploy security patches to consumers’ devices. The manufacturer also is prohibited from making any false or misleading statements about the security and privacy of consumers’ data on its devices.


FTC Announces Mobile Privacy Enforcement Action, Issues Mobile Privacy Staff Report

On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.

Concurrently, the FTC …


California AG Issues Mobile Application Privacy Recommendations

On January 10, California Attorney General Kamala Harris (AG) issued recommended privacy practices for mobile application developers, mobile application platform providers, mobile advertising networks, operating system developers, and mobile carriers. The AG recommends a “surprise minimization” approach, which could include measures to (i) avoid collecting personally identifiable data that are not needed for basic functionality, (ii) make an app’s general privacy policy easy to understand and available before download, and (iii) supplement a legally required general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an application’s basic functionality or that involve sensitive information. Supplemental policies could include “special notices” delivered in context and “just-in-time,” or short privacy statements made readily available within an application that highlight potentially unexpected practices and allow users to make privacy choices. The issuance of the recommendations is the latest action by the AG as part of a broader privacy initiative and follows the state’s first mobile application privacy suit filed last month.


FDIC Supervisory Insights Focuses on Mobile Payments and High-Yield Checking

On December 17, the FDIC published the Winter 2012 issues of Supervisory Insights. The two featured articles focus on mobile payments and high-yield checking. In “Mobile Payments: An Evolving Landscape,” FDIC staff (i) review mobile payment technology, (ii) provide guidance regarding understanding and managing risks, and (iii) include a chart explaining the applicability of various federal laws to mobile payments. The article states that, going forward, non-bank mobile payment providers may start to capture greater market share from financial institutions and alter bank/customer relationships. The article describes the potential for banks to gradually be pushed out of the payment transaction, and identifies potential impacts of such disintermediation, including loss of access to key customer data. A second article, “High-Yield Checking Accounts: Know the Rules,” reviews the features of high-yield checking accounts and identifies problematic disclosures that may accompany their promotion. The article identifies what examiners look for when examining high-yield account offerings and provides best practices for banks.


FTC Report Urges Mobile Application Developers to Improve Disclosures, Announces Multiple COPPA Investigations

On December 10, the FTC issued a staff report on the privacy disclosures and practices of mobile applications offered for children in certain online application stores. The report provides the results of an FTC survey of the disclosures and links on the promotion page in the application store, on the application developer’s website, and within the application, for hundreds of applications for children. According to the report, most mobile applications failed to give parents any information needed to determine what data is being collected from their children, how it is being shared, and with whom it is being shared. Further, the FTC states that many applications shared certain information with third parties without disclosing that fact to parents, and a number of applications contained interactive features – such as advertising, the ability to make in-application purchases, and links to social media – without disclosing these features to parents prior to download. The report also states that FTC staff is launching multiple nonpublic investigations of certain entities that may have violated the Children’s Online Privacy Protection Act (COPPA) or engaged in unfair or deceptive trade practices in violation of the FTC Act, and the FTC “strongly urges” the mobile application industry to develop and implement best practices to protect privacy, including those recommended in an FTC privacy report issued earlier this year. In a related development, on December 11, the Center for Digital Democracy filed a complaint with the FTC seeking an investigation of one firm for allegedly offering and operating a mobile application in violation of COPPA.


California AG Files First Mobile Application Privacy Suit

On December 6, California Attorney General Kamala Harris (AG) announced an enforcement action against Delta Airlines for allegedly failing to comply with the state’s Online Privacy Protection Act. This is the first action brought by the AG’s office under this law and follows other efforts by the AG’s office to require enhanced mobile privacy disclosures. In October, the AG’s office sent letters to 30 companies, including Delta, advising those entities that their mobile applications failed to comply with the state privacy law and providing them 30 days to remedy the alleged failure. The complaint alleges that since at least 2010, Delta has operated a mobile application that may be used to, for example, check in online for an airplane flight, view reservations for air travel, or rebook cancelled or missed flights. The AG claims that the Delta application collects substantial personally identifiable information but does not have a privacy policy. The suit seeks to enjoin Delta from distributing its application without a privacy policy and penalties of up to $2,500 for each violation.


California AG Notifies Mobile Application Developers of Non-Compliance

On October 30, California Attorney General (AG) Kamala Harris announced that her office’s Privacy Enforcement and Protection Unit sent letters to numerous mobile application developers advising those entities of their noncompliance with state privacy law. Specifically, the AG alleges that the targeted mobile application developers failed to post a privacy policy that is reasonably accessible to the consumer, as required by the California Online Privacy Protection Act. Under the state unfair competition law, violation of the Act may result in penalties of up to $2,500 per violation. A violation in this instance is each download of a mobile application that does not properly include a privacy policy. The letters provide thirty-day notice of noncompliance as required by the Act, within which each developer must provide specific plans and a timeline for compliance, or an explanation of why the application is not covered by the Act.


GAO Urges Federal Actions to Protect Mobile Device Users’ Privacy

On October 11, the GAO released a report on its examination of how the mobile industry collects location data and the resulting impact on consumers. According to the report, privacy advocates expressed concerns that consumers are generally unaware of how location data is used by third parties and that consumers could be subject to increased risk of surveillance by law enforcement, identity theft, and threats to personal safety. The GAO examined how companies have applied practices recommended by industry associations and privacy advocates to protect consumers’ privacy while using mobile location data. The report reviews actions taken by federal agencies to provide consumer education and develop industry codes of conduct. The GAO recommends, among other things, that NTIA work with stakeholders to develop industry codes of conduct and that the FTC consider issuing guidance on mobile companies’ appropriate actions to protect location data privacy.


Nevada’s Federal District Court Declines to Enforce Browsewrap Arbitration Agreement

On September 27, the U.S. District Court for the District of Nevada followed other federal courts and held that an arbitration clause within the Terms of Use agreement on Zappos.com was unenforceable given that users were neither provided with notice of the agreement nor an opportunity to affirmatively assent to the agreement. In re Zappos.com, Inc. Customer Data Sec. Breach Litig., No. 12-325, 2012 WL 4466660 (D. Nev. Sep. 27, 2012). Customers sued Zappos in several federal district courts for damages resulting from a security breach of the company’s website. After those actions were consolidated, Zappos filed a motion to compel arbitration based on the argument that by using the website the customers accepted and agreed to its Terms of Use, which included an agreement to arbitrate all claims arising from use of the website, and which were available through a hyperlink on each page of Zappos.com. Such hyperlinked Terms of Use are known as “browsewrap” agreements. The court held that, despite the broad federal policy in favor of arbitration, the company had provided no evidence that the customers clicked on, viewed, or expressly manifested assent to the Terms of Use agreement; there was therefore no acceptance of the Terms of Use provisions by customers, and those provisions, including the arbitration clause, were unenforceable. Moreover, the court held that because Zappos retained the unilateral right to revise the Terms of Use, the contract was illusory and therefore unenforceable. Accordingly, the court denied Zappos’ motion to compel arbitration.


FTC Issues Advertising and Privacy Guidelines for Mobile Application Developers

On September 5, the FTC published “Marketing Your Mobile App: Get It Right from the Start,” a guide to assist mobile application developers in complying with federal advertising and privacy requirements. The guide provides basic guidance and principles related to truthful advertising and consumer privacy protections. For example, the guide urges application developers to (i) disclose key information in advertising materials clearly and conspicuously, (ii) collect sensitive information only with users’ affirmative consent, and (iii) avoid collecting unnecessary data and ensure the security of any sensitive data that is collected.


NTIA Announces First Privacy Stakeholder Meeting

On June 15, the National Telecommunications and Information Administration (NTIA) announced that the first meeting of a privacy multistakeholder process will be held on July 12, 2012. The meeting is the first in a series intended to produce a code of conduct that will provide transparency in the handling of personal data by mobile application and services companies. The multistakeholder process derives from the White House’s Privacy Blueprint released in February 2012, which set forth a Consumer Privacy Bill of Rights and designed the multistakeholder process to develop legally enforceable codes of conduct across diverse business contexts.


FCC Seeks Comments on Mobile Device Privacy, Data Security

Recently, the FCC released a request for public comment on the privacy and data security of personal information on mobile devices. The request focuses on the amount and types of consumer information that may be collected by carriers. For example, the FCC lists a series of factors, including (i) the degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information, (ii) the manner in which the collected information is used, and (iii) the role of third parties in collecting and storing data, and asks which, if any, are relevant to assessing a wireless provider’s obligations under the Communications Act and the Commission’s implementing rules. The FCC will accept public comments for 30 days from publication of the request in the Federal Register. In 2007, the FCC similarly solicited comments and revised its rules under the Communications Act to tighten data security requirements and address pretexting.
