On December 2, the FTC announced a series of seminars to be held in 2014 dedicated to the privacy implications of: (i) mobile device tracking—tracking consumers in retail and other businesses using signals from their mobile devices; (ii) alternative scoring products—using predictive scoring to determine consumers’ access to products and offers; and (iii) consumer-generated and controlled health data—information provided by consumers to non-HIPAA covered websites, health applications, and devices. The first two topics will be examined in forums held in Washington, DC on February 19, 2014 and March 19, 2014, respectively. Details for the third event have not been finalized.
On November 21, the U.S. Court of Appeals for the Seventh Circuit held that the federal Telephone Consumer Protection Act (TCPA) does not preempt an Indiana statute that bans most robocalls without exempting calls that are not made for a commercial purpose. Patriotic Veterans, Inc. v. State of Indiana, No. 11-3265, 2013 WL 6114836 (7th Cir. Nov. 21, 2013). A not-for-profit Illinois corporation seeking to use automatically dialed interstate phone calls to deliver political messages to Indiana residents sought a declaration that the Indiana Automated Dialing Machine Statute (IADMS) violates the First Amendment, at least as it applies to political messages, and also is preempted by the TCPA, which expressly exempts non-commercial calls such as political calls from the TCPA’s regulation of autodialers. Overturning the district court’s decision, the Seventh Circuit found that the Indiana statute is not expressly preempted by the TCPA because the plain language of the TCPA’s savings clause states that the federal law does not preempt any state law that prohibits the use of automatic telephone dialing systems and, even if the IADMS is considered a regulation of, rather than a prohibition on, the use of autodialers, the savings clause does not at all address state laws that impose interstate regulations on their use. The court further found that the IADMS is not impliedly preempted by the TCPA because it is possible to comply with the state statute without violating the TCPA, the state statute furthers the TCPA’s purpose of protecting the privacy interests of residential telephone subscribers, and Congress did not intend to create field preemption when it enacted the TCPA. The court, however, remanded the case to the district court to consider whether the statute violates the First Amendment.
Recently, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) continued his committee’s examination of the way data brokers collect and share personal information. The Senator sent a letter to one data broker seeking additional information about the broker’s customer vetting practices and how it shares consumer information with those customers. As the basis for the letter, Senator Rockefeller cited news reports alleging that a company acquired in March 2012 by the data broker receiving the letter had sold data to an identity theft scheme. At least one report suggested that the alleged activity continued after the broker conducted its due diligence and completed the acquisition. The Senator’s letter also poses follow-up questions based on the broker’s response to the Senator’s original October 2012 request to numerous data brokers, which the Senator expanded to include other industry participants in September 2013.
On October 21, the U.S. District Court for the Eastern District of California held that email addresses are personal identification information (PII) under California’s Song-Beverly Credit Card Act. Capp v. Nordstrom, Inc., No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013). In this case, a customer sued a retailer on behalf of a putative class after the retailer sought the customer’s email address in connection with a credit card transaction to provide the customer with an electronic receipt. The customer alleged that the retailer subsequently used the email address to send unsolicited marketing materials. Following the California Supreme Court’s ruling in Pineda v. Williams Sonoma, in which the court held that a ZIP code is part of a person’s address and constitutes PII, the court here predicted that the state supreme court also would hold that an email address constitutes PII. Citing the statute’s broad terms and its overarching objective to protect the personal privacy of consumers who make purchases with credit cards, the district court held that the alleged conduct directly implicated the purposes of the statute. The district court also rejected the retailer’s argument that, if email addresses constitute PII, then the customer’s claim would be preempted by the CAN-SPAM Act, which regulates unsolicited commercial electronic mail, i.e. “spam.” The court held that the Song-Beverly Act claims were not subject to the CAN-SPAM Act’s express preemption clause because the Song-Beverly Act applies only to email addresses and does not regulate the content or transmission of email messages.
On October 21, the EU Parliament civil liberties committee voted overwhelmingly to adopt amendments to EU data protection rules and to require stiffer fines for non-compliance. The rules are designed to increase individual control over personal data while at the same time making it easier for companies to move across Europe, the committee explained. Under the adopted amendments, if a third country requests a company (e.g., a search engine, social network, or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorization from the national data protection authority before transferring any data and would have to inform the individual of the request. The amendments would grant any person the right to have his/her personal data erased if he/she requests it. They also would require that, where processing of personal information is based on consent, an organization or company could process the information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. Finally, the amendments would increase the cap for penalties for violations to $136.7 million or up to 5 percent of the violating company’s annual worldwide turnover, whichever is greater. The committee directed the EU Parliament to start negotiations with national governments in the European Council, which would be followed by inter-institutional talks. According to the committee release, Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. The 91 amendments are available in two parts, here and here.
On October 22, the CFPB released the procedures its examiners will use in assessing financial institutions’ compliance with the remittance transfer requirements of Regulation E. Amendments to those regulations, finalized by the CFPB earlier this year, are set to take effect October 28, 2013. In general, the rule requires remittance transfer providers that offer remittances as part of their “normal course of business” to: (i) provide written pre-payment disclosures of the exchange rates and fees associated with a transfer of funds as well as the amount of funds the recipient will receive; and (ii) investigate consumer disputes and remedy errors. The rule does not apply to financial institutions that consistently provide 100 or fewer remittance transfers each year, or to transactions under $15.
The new examination procedures detail the specific objectives examiners should pursue as part of the examination, including to: (i) assess the quality of the regulated entity’s compliance risk management systems with respect to its remittance transfer business; (ii) identify acts or practices relating to remittance transfers that materially increase the risk of violations of federal consumer financial law and associated harm to consumers; (iii) gather facts that help to determine whether a supervised entity engages in acts or practices that are likely to violate federal consumer financial law; and (iv) determine whether a violation of a federal consumer financial law has occurred and, if so, whether further supervisory or enforcement actions are appropriate. In doing so, CFPB examiners will look not only at potential risks related to the remittance regulations, but also outside the remittance rule to assess “other risks to consumers,” including potential unfair, deceptive, and abusive acts and practices and Gramm-Leach-Bliley Act privacy violations. Finally, consistent with other examination procedures published by the CFPB, the examiners are instructed to conduct both a management- and policy-level review as well as a transaction-level review to inform the stated examination objectives.
Also on October 22, the CFPB announced a new tool designed to make it easier for the public to navigate the regulations subject to CFPB oversight. To start, the new eRegulations tool includes only Regulation E, which implements the Electronic Funds Transfer Act and includes the remittance requirements discussed above. Noting that federal regulations can be difficult to navigate, the CFPB redesigned the electronic presentation of its regulations, including by (i) defining key terms throughout, (ii) providing official interpretations throughout, (iii) linking certain sections of the “Federal Register preambles” to help explain the background of a particular paragraph, and (iv) providing the ability to see previous, current, and future versions. The CFPB notes that the tool is a work in progress and that suggestions from the public are welcome. Further, the CFPB encourages other agencies, developers, or groups to use and adapt the system.
On October 16, new rules took effect that require businesses to obtain express written consent before making certain telemarketing calls to customers. The rules arise from a February 2012 Report and Order issued pursuant to the Telephone Consumer Protection Act (TCPA), in which the Federal Communications Commission (FCC): (i) required that businesses obtain prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers and residential lines, (ii) allowed consumers to opt out of future robocalls during a robocall, and (iii) limited permissible abandoned calls on a per-calling campaign basis. While the consumer opt-out and abandoned calls limitations are already in effect, compliance with the express written consent requirement was not mandated until now. The rules require that the written consent be signed and be sufficient to show that the customer: (i) receives “clear and conspicuous disclosure” of the consequences of providing the requested consent and (ii) having received this information, agrees unambiguously to receive such calls at a telephone number the consumer designates. In addition, the rules require the written agreement to be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” The FCC rule allows electronic or digital forms of signatures obtained in compliance with the E-SIGN Act—e.g. agreements obtained via a compliant email, website form, text message, telephone keypress or voice recording—to satisfy the written requirement. The FCC also removed an exemption that allowed businesses to demonstrate consent based on an “established business relationship” between the caller and customer.
Recently, the California Secretary of State announced that the proponents of a new initiative regarding personally identifying information (PII) may begin collecting petition signatures for their proposed ballot measure. The potential ballot measure would propose a constitutional amendment that would create a presumption that an individual’s PII—including financial or health information—is confidential when collected for a commercial or governmental purpose, and would create a presumption of harm when PII is disclosed without the subject’s authorization. The measure also would require a collector of PII to use all reasonably available means to protect it from unauthorized disclosure. The ballot measure proponents have until February 14, 2014 to collect 807,615 registered voters’ signatures in order to qualify it for the ballot.
Delaware Federal Court Holds No Harm From Third-Party Cookies’ Collection Of Personal Information, Dismisses Broad Consumer Privacy Suit
On October 9, the U.S. District Court for the District of Delaware dismissed a broad, consolidated action against an Internet company alleged to have circumvented an Internet browser’s cookie blocker to collect personally identifiable information (PII) from the browser’s users. In re Google Inc. Cookie Placement Consumer Privacy Litig., No. 12-2358, slip op. (D. Del. Oct. 9, 2013). The court held that the plaintiffs lacked Article III standing because they had not sufficiently alleged an injury-in-fact. The court reasoned that while plaintiffs provided some evidence that the PII at issue has some value to the individual, they did not sufficiently allege that their ability to extract that value was diminished by the alleged collection by a third party. Despite its standing holding, the court continued its analysis and dismissed each of the plaintiffs’ federal and state privacy claims on the merits. The court held, for example, that the plaintiffs’ claims that the collection of URLs violated the Electronic Communications Privacy Act failed because URLs are not “contents” as defined by that Act. The court also held that the plaintiffs failed to identify any impairment of the performance or functioning of their computers and could not sustain a claim under the Computer Fraud and Abuse Act.
On October 4, the U.S. District Court for the Central District of California denied certification of a putative class of consumers that had alleged a major retailer’s policy of requiring online customers to provide their telephone numbers or addresses in connection with credit card purchase transactions violated the Song-Beverly Credit Card Act. Leebove v. Wal-Mart Stores, Inc., No. 13-1024, slip op. (C.D. Cal. Oct. 4, 2013). The court held that the commonality requirement for class certification was not satisfied. The court explained that the relevant provision of the Act prohibits collecting certain information from a “cardholder,” which includes only “natural persons,” and held that an individualized inquiry would need to be made regarding whether the card used by each class member was issued as a consumer or business card. The court further reasoned that individual inquiries would be required to determine whether each class member’s claim was barred under an exception that allows retailers to request certain otherwise prohibited personal information for use in shipping, delivering, servicing, or installing the purchased items.
On September 27, California became the first state to enact online tracking legislation, which requires website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different sites or online services. The bill requires operators to disclose whether other parties have access to a consumer’s personally identifiable information when a consumer uses the operator’s site or service. The state also enacted SB 46, which expands the state’s data breach notice law (i) to apply to certain personal information that would permit access to an online account—user name or email address, in combination with a password or security question and answer, and (ii) to require that in such cases, security breach notification be made by sending notice using a method other than email. Both bills take effect on January 1, 2014.
On September 23, eight federal agencies, including the Federal Reserve Board, the CFPB, the OCC, and the FDIC, issued interagency guidance to clarify the applicability of Gramm-Leach-Bliley Act privacy provisions to reporting suspected financial exploitation of older adults. The guidance states that although the Act generally prohibits a financial institution from disclosing nonpublic personal information about a consumer to any nonaffiliated third party without notifying the consumer and providing an opportunity to opt out of the disclosure, the Act contains several exemptions that generally allow for the reporting of suspected elder financial abuse, either at the request of a local, state, or federal agency or on the financial institution’s own initiative.
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.
On September 23, California Governor Jerry Brown signed SB 568, which prohibits an operator of a website, online service, online application, or mobile application from (i) marketing or advertising certain products or services to a minor and (ii) knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The provisions apply to marketing provided by an advertising service if the operator notifies the service that the website, online service, or application is directed to minors. The bill also requires operators to permit a minor, who is a registered user of the operator’s website, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s website, service, or application by the minor. The law provides exceptions for content or information posted by a third party, or if (i) any other provision of state or federal law requires the operator or third party to maintain the content or information or (ii) the operator anonymizes the content or information. The law is effective January 1, 2015.