I. BEHAVIORAL TRACKING
The Online Interest-Based Advertising Accountability Program recently released six decisions signaling the beginning of the Accountability Program's formal enforcement of the Self-Regulatory Principles for Online Behavioral Advertising. The rules and procedures for the Accountability Program are set by the National Advertising Review Council. In August, the Accountability Program began testing various companies' opt-out procedures across several internet browsers. Notably, four of the six companies that were the subject of self-regulatory inquiries had opt-out requests set to expire in one year or less. The Self-Regulatory Principles require opt-outs to remain in effect for at least five years from the date a consumer exercises choice. Companies found in violation of the Self-Regulatory Principles are asked to quickly bring their programs into compliance.
TIP: The Accountability Program has pledged vigorous oversight and enforcement of the Self-Regulatory Principles. If your company uses vendors to help serve targeted ads, or your website serves targeted ads, ensure you and your vendors are in compliance with the self-regulatory program offered through aboutads.info. Your company should also consider periodic monitoring of the functionality and usability of your opt-out program across different internet browsers, including checking that the opt-out cookie each vendor sets actually persists for the required five years rather than for a single session or a single year.
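The expiry check described in the tip above, as an added example that is not part of the original bulletin or of the Accountability Program's own test procedure: it parses the Set-Cookie header an opt-out endpoint returns and flags any cookie that would not keep the opt-out in effect for five years. The vendor names, the headers and the fixed reference clock are constructed for illustration.

```python
"""Added example: audit opt-out Set-Cookie headers against the five-year
minimum lifetime the Self-Regulatory Principles require.

The headers below are constructed for illustration; the vendor names and
the fixed reference clock are assumptions, not data from the bulletin."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

FIVE_YEARS = timedelta(days=5 * 365)

# Fixed "now" so the audit is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2011, 12, 1, tzinfo=timezone.utc)

# Constructed Set-Cookie headers as an opt-out endpoint might return them.
SAMPLE_HEADERS: Dict[str, str] = {
    "vendor-a": "optout=1; Expires=Sat, 01 Dec 2012 00:00:00 GMT; Path=/; Domain=.vendor-a.example",
    "vendor-b": "optout=1; Max-Age=157680000; Path=/; Domain=.vendor-b.example",
    "vendor-c": "optout=1; Path=/; Domain=.vendor-c.example",
    "vendor-d": "optout=1; Max-Age=abc; Expires=Wed, 01 Dec 2021 00:00:00 GMT; Path=/",
}


def cookie_lifetime(set_cookie: str, now: datetime) -> Optional[timedelta]:
    """How long the cookie persists from `now`; None means a session cookie.

    Follows RFC 6265 precedence: a well-formed Max-Age wins over Expires,
    a malformed Max-Age is ignored, and a cookie with neither (or with an
    unparseable Expires) lives only for the browser session.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age: ignore the attribute and fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_opt_out(vendor: str, set_cookie: str, now: datetime = NOW) -> Dict[str, object]:
    """Classify one vendor's opt-out cookie against the five-year minimum."""
    lifetime = cookie_lifetime(set_cookie, now)
    compliant = lifetime is not None and lifetime >= FIVE_YEARS
    if lifetime is None:
        status = "FAIL: session cookie; opt-out is lost when the browser closes"
    elif not compliant:
        status = f"FAIL: opt-out expires in {lifetime.days} days (minimum is {FIVE_YEARS.days})"
    else:
        status = f"OK: opt-out persists {lifetime.days} days"
    return {
        "vendor": vendor,
        "lifetime_days": None if lifetime is None else lifetime.days,
        "compliant": compliant,
        "status": status,
    }


def audit_all(headers: Dict[str, str], now: datetime = NOW):
    """Audit every vendor; returns the result list and the non-compliant vendor names."""
    results = [audit_opt_out(v, h, now) for v, h in headers.items()]
    failing = [r["vendor"] for r in results if not r["compliant"]]
    return results, failing


if __name__ == "__main__":
    for r in audit_all(SAMPLE_HEADERS)[0]:
        print(f"{r['vendor']}: {r['status']}")
```

The header check is necessary but not sufficient: a cookie-based opt-out is also lost when the user clears cookies or switches browsers, which is why the tip recommends exercising the opt-out in each browser rather than only reading headers.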
TIP: Work closely with your IT team and website developers to understand what tracking tools are employed on your sites, and, where necessary, provide clear disclosures about those activities. Where appropriate, clear disclosures may help lower potential liability in inquiries like those described above.
TIP: Companies should determine whether their websites use Flash cookies (locally shared objects, which ordinary browser cookie controls do not clear), and if so, should make sure that they have sufficient disclosures about how users can control the use of, and delete, those cookies.
II. ONLINE AND CONSUMER PRIVACY
The Federal Trade Commission has just announced a settlement with Facebook, Inc. in connection with charges by the FTC that Facebook engaged in deceptive privacy practices. The FTC alleged that Facebook did not disclose to users that their Facebook information could be accessed by third parties without the users' explicit authorization. In particular, according to the FTC, although Facebook's privacy controls led users to believe that they could control who could see and access their profile information, platform applications could access user profile information regardless of the user's privacy settings. In addition, the FTC claimed that Facebook's privacy policies stated that applications could only access information related to the purpose of the application; in practice, however, the FTC alleged that applications could access more information than necessary to function. Furthermore, the FTC alleged that Facebook violated the FTC Act when it revised its privacy practices in December 2009: when Facebook announced its new practices, it claimed that users would have more control over their information, but it did not disclose that once the revised practices went into effect, they overrode users' previous privacy settings. In addition, contrary to statements made to users, Facebook shared user information with its advertisers without users' consent, to allow advertisers to target advertising to users based on their profile information. Finally, the FTC claimed that Facebook failed to delete user information after a user deactivated or deleted his or her account: Facebook continued to display photos and videos uploaded by the user, and did not disable third-party access to such user information, even after the account was deleted or deactivated, despite promises to the contrary.
The proposed settlement requires Facebook to accurately disclose the extent to which it maintains the privacy of user information, including its collection and disclosure of information, the extent to which a user can control the privacy of his or her information, the extent to which Facebook discloses information to third parties, and the steps Facebook takes to verify the privacy or security offered by third-party providers. Furthermore, under the proposed settlement Facebook will be required to obtain a user's express affirmative consent before enacting changes that would override the user's existing privacy preferences, and will be prohibited from accessing user information more than 30 days after the user has deleted his or her account. Facebook will also be required to establish and maintain a comprehensive privacy program that addresses the concerns set forth in the FTC's complaint, and for the next 20 years must obtain a third-party audit of that privacy program to ensure compliance with the FTC's order and applicable law. Finally, Facebook will be required to maintain its records for FTC inspection in order to allow the FTC to monitor Facebook's compliance. If Facebook engages in conduct that violates the settlement, Facebook may be subject to fines of $16,000 per violation, per day.
TIP: Websites that collect and store user information should ensure that they are accurately and comprehensively disclosing how user information will be used and disclosed. Companies should also take care when making material changes to privacy practices. The terms of this settlement also serve as a reminder that the FTC expects companies to have in place comprehensive privacy programs, and the mechanisms to ensure compliance with those programs.
TIP: Since it is unlikely that social media sites would fall under an exception to the requirement to collect verifiable parental consent under the Children's Online Privacy Protection Act (COPPA), ensure that you have taken measures either to block children under 13 or to obtain verifiable parental consent before allowing children to participate in forums where personal information is collected.
A class action lawsuit was recently filed against Internet radio service Pandora for alleged violations of Michigan’s Video Rental Privacy Act. The complaint alleges that although Pandora said users’ profile pages would be accessible only to other registered Pandora users who knew an individual’s “unique e-mail address,” Pandora made these records publicly available. The plaintiffs further allege that Pandora integrated users’ profile pages with their Facebook accounts without first obtaining consent from the users. The plaintiffs allege that these activities violate Michigan’s Video Rental Privacy Act, which prohibits the disclosure of information regarding customers’ rental or borrowing history for both videos and sound recordings. The plaintiffs are seeking $5,000 in damages per class member.
TIP: Companies that engage in sharing and tracking of customer information should use caution. Many lawsuits are being filed under a variety of theories. One way to help limit potential exposure is to work with counsel to confirm that proposed information sharing or tracking is permitted. Companies should also review public statements, both privacy policies and advertising copy, to ensure the statements accurately reflect current activities.
In a recent class action lawsuit, an online marketing company was accused of tricking consumers into enrolling in certain membership programs. The District Court for the District of Massachusetts granted the defendants’ motion for summary judgment, reasoning that the plaintiff “cannot now show the necessary connection between the allegedly deceptive materials and her mistaken enrollment such that the defendants would be responsible for the asserted harm.” The court further held that the company’s marketing of the programs was not deceptive. The court reasoned that the on-screen disclosures were “clear and easily understandable by anyone capable of making an online purchase.” The court found it persuasive that the plaintiff had to take several affirmative steps to become a member of the programs, including typing her email address and affirmatively pressing the “Yes” button. The court also stressed the fact that the plaintiff received a confirmation screen and separate emails for each program with reminders that if she did not cancel, she would be charged automatically after the trial period ended.
TIP: This case demonstrates that having an opt-in approach with clear and understandable disclosures of all material terms can help to establish that valid online consent has been obtained.
An actress (who filed the complaint as “Jane Doe”) recently sued IMDb.com (and its owner Amazon.com, Inc.) for disclosing her age on the IMDb.com website. IMDb.com attempts to list every production upon which a writer, performer or crew member has ever worked. IMDb.com offers a paid service, called IMDbPro, which provides additional information to paying customers. According to the complaint, the actress subscribed to IMDbPro, and provided her personal and credit card information to pay for the subscription. Shortly after subscribing, the actress alleges that she noticed that her legal date of birth had been added to her public acting profile, revealing that she is much older than she looks. The actress sued for breach of contract, and a violation of Washington’s privacy act. The case is currently pending, and the actress may be compelled by the court to reveal her name.
TIP: This case is a reminder that revealing personal information, including dates of birth, can be a sensitive area for many. Care should be taken to vet data storage, protection and disclosure programs and to ensure not only that they comply with applicable law, but that related risks have been considered and managed.
III. MOBILE AND COMMUNICATIONS PRIVACY
According to a complaint filed in the Southern District of California, a bank customer received an unsolicited text message from his bank after inquiring about a personal line of credit. The message indicated that the bank needed to talk to the customer about "your recent application." The customer opted out as directed in the text, and received a confirmation text indicating that the bank would no longer send him text messages. The customer filed suit, alleging that both messages violated the Telephone Consumer Protection Act, since they were sent without his consent. The bank moved to dismiss, and the court denied the motion stating that the appropriate way for the bank to establish that the customer's claims were not founded was a motion for summary judgment, not a motion to dismiss.
This is one of several cases that have been filed alleging that a company violated the TCPA by sending a confirmation to let a consumer know that an opt-out request was received and would be honored. As we have indicated previously, companies should take steps to ensure that their text message opt-out procedures are compliant with the TCPA.
Industry groups in France recently launched the Pacitel list, a national Do-Not-Call registry that will allow consumers to each add up to six phone numbers. Creation of the list is aimed at curbing unsolicited marketing phone calls to consumers. Participating companies, which account for nearly 80 percent of companies that make telephone sales calls in France, have agreed not to call any of the numbers on the list. Additionally, participants agree to restrict calls to numbers not on the list to certain times of the day. The list is expected to become operational by the end of the year. While the Pacitel list is voluntary at this time, French Parliament is expected to consider a consumer protection law soon that would require all companies to comply with the list.
IV. DATA BREACH AND DATA SECURITY
As we wrote in January 2010, RockYou Inc., maker of certain social media applications, was sued in California for failure to protect consumers' information, including usernames and passwords. The plaintiff argued that because these combinations were usually a user's email address plus the same password that the user employed for the email account, if this information was accessed by an unauthorized third party, the consumer would be put at risk. In particular, that unauthorized third party could use the information to log into the user's email account and access potentially sensitive information within the user's email inbox. During the case, the Northern District of California noted that RockYou may have been in violation of its website terms of service because it had not encrypted email addresses and login information. This case has now settled, with RockYou agreeing to audit its security systems for the next three years, to pay the named plaintiff in the class action lawsuit $2,000, and to pay plaintiff's counsel almost $300,000 in fees.
TIP: When developing a security program for your company, make sure that you consider more than just financial information or social security numbers when determining what should be encrypted or otherwise receive heightened protection. Consider as well information that, if accessed by an unauthorized third party, might put customers in jeopardy. Stored passwords are the clearest case: because users reuse them across services, a password stored in readable form exposes accounts well beyond your own.
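The failure the RockYou complaint describes, shown as an added example that is not code from the case, the parties or the bulletin: a credential store that keeps the email/password pair verbatim next to one that keeps only a per-user salt and a slow hash, so that a dump of the table no longer yields a password reusable at the user's email provider. The sample accounts and the PBKDF2 iteration count are assumptions.

```python
"""Added example: plaintext credential store (the failure mode in the RockYou
matter) beside a hardened store using a salted, slow password hash.

The sample accounts are constructed; ITERATIONS is an assumed work factor."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed sample accounts (assumed, not from the case record).
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "hunter2"),
]


class PlaintextStore:
    """Vulnerable: the email/password pair is stored verbatim, so a database
    dump hands an attacker credentials that are typically reused at the
    user's email provider."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        self.rows[email] = password

    def verify(self, email: str, password: str) -> bool:
        return self.rows.get(email) == password

    def dump(self) -> Dict[str, str]:
        return dict(self.rows)


ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms on your hardware
DUMMY_SALT = b"\x00" * 16


class HashedStore:
    """Hardened: only a random per-user salt and a slow derived key are kept,
    so a dump yields nothing directly reusable and each guess costs the
    attacker ITERATIONS hash computations per account."""

    def __init__(self) -> None:
        self.rows: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # unique per user: identical passwords get different digests
        self.rows[email] = (salt, self._derive(password, salt))

    def verify(self, email: str, password: str) -> bool:
        record = self.rows.get(email)
        if record is None:
            # Burn the same work for an unknown account so response time does not
            # reveal which email addresses are registered.
            self._derive(password, DUMMY_SALT)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._derive(password, salt))  # constant-time compare

    def dump(self) -> Dict[str, Tuple[str, str]]:
        return {e: (s.hex(), d.hex()) for e, (s, d) in self.rows.items()}


def build(store_cls):
    """Populate a store with the constructed sample accounts."""
    store = store_cls()
    for email, password in SAMPLE_USERS:
        store.register(email, password)
    return store


def password_recoverable_from_dump(store) -> bool:
    """Does a raw dump of the store expose any sample user's password verbatim?"""
    dumped = str(store.dump())
    return any(password in dumped for _, password in SAMPLE_USERS)


if __name__ == "__main__":
    for cls in (PlaintextStore, HashedStore):
        store = build(cls)
        print(f"{cls.__name__}: login works={store.verify('bob@example.com', 'hunter2')}, "
              f"password visible in dump={password_recoverable_from_dump(store)}")
```

Hashing rather than encrypting passwords is the right choice here: the site never needs the password back, only to check a candidate against it, and a hash has no key that an attacker who already has the database could also steal. Email addresses, by contrast, must be readable by the application and are a case for encryption at rest plus access control.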
A federal court in California recently upheld a $1 million verdict against Equifax Information Services. The case involves an individual whose identity was stolen while he was undergoing cancer treatment. Shortly thereafter, he received letters from financial institutions thanking him for credit applications that he had never submitted. The thief, a medical professional at the cancer center where the plaintiff was undergoing treatment, was charged with and convicted of a criminal violation of HIPAA. The plaintiff alleged that Equifax also was at fault, and willfully violated the Fair Credit Reporting Act by failing to properly reinvestigate and accurately report the status of the disputed credit card applications, as required by the FCRA. A jury awarded the plaintiff over $1 million in damages. The court found that the evidence presented at trial was sufficient to sustain the award of compensatory and punitive damages.
TIP: Companies should carefully consider their obligations to protect sensitive personal information, as they may find themselves accused of mishandling that information in the aftermath of a data breach caused by a third party.
V. WORKPLACE PRIVACY
An administrative law judge recently found that an employer violated the National Labor Relations Act when it fired five employees for posting Facebook comments about a co-worker’s criticism of their work. The co-worker, Lydia Cruz-Moore, told the employees that she was going to tell a manager that they were not doing their jobs correctly. One employee posted a message on her own personal Facebook page regarding the complaint, and other employees, including Cruz-Moore, also posted comments. After Cruz-Moore informed the manager about the postings, the five employees who had posted comments were fired. The administrative law judge found that the employees had engaged in protected activity under the National Labor Relations Act, which guarantees the right of employees to engage in concerted activity for their mutual aid or protection. The judge found that the Facebook comments constituted concerted activity, even though the comments were not directed at the employer and were not intended to change the employees’ working conditions. The judge noted that the National Labor Relations Board has held that employee conversations about their concerns, including concerns about performance reviews or criticism, can be protected. The judge issued an order recommending that the employees be reinstated and offered back-pay and lost benefits.
TIP: Although the contours of what may constitute “protected activity” are still developing, employers should exercise caution in making employment decisions based on employees’ use of social media because such use may constitute concerted activity protected under the National Labor Relations Act.
Governor Jerry Brown recently signed into law a new restriction on the ability of employers to obtain credit reports for employment purposes. The law, California Assembly Bill 22 (“AB 22”), prohibits employers from using credit reports in the hiring or promotion processes. There are exceptions to the prohibition in AB 22, however. Employers may obtain credit reports for prospective or current employees who fall into certain exempt categories, including managerial positions (employees who qualify for the “executive exemption” under California wage and hour law), positions involving regular access to the personal information of others, and positions involving access to confidential or proprietary information of the employer. California joins six other states - Connecticut, Hawaii, Illinois, Maryland, Oregon, and Washington - in prohibiting employers from using the credit history of prospective or current employees in making hiring or employment decisions.
TIP: Beginning on January 1, 2012, California employers may not use credit reports for employment purposes unless the employee position falls into one of eight exempt categories. This prohibition applies to both prospective and current employees.
A proposed Federal Acquisition Regulation rule, published on October 14, 2011 in the Federal Register, would require that federal government contractors who work with government records or personal information complete privacy training. The proposed rule would deny contractors access to the records until they completed the training. The rule would also mandate seven areas the privacy training must cover, including the handling and safeguarding of personally identifiable information, the authorized and official use of a government records system, and restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information. Comments on the proposed rule are due December 13, 2011.
TIP: If the proposed rule is adopted, employers who have federal government contracts must implement privacy training for all employees who come into contact with government records or personal information.
On November 23, 2011, a New York state appeals court found that the Department of Labor (DOL) acted lawfully when the agency’s Office of the Inspector General placed a GPS device on an employee’s car, even though the device tracked the employee outside of work hours. The employee had a long history of work misconduct, and the DOL believed that the employee was leaving work without permission and falsifying time records. The DOL attempted to have a private investigator follow the employee during work hours, but the employee realized he was being trailed. The DOL then placed a GPS device on the employee’s car when it was parked in a lot near his workplace. The GPS device transmitted for a month, and the DOL used this information as evidence for its claim that the employee submitted fraudulent time records. A majority on the state appeals court found that this use of the GPS system was reasonable. Unlike a criminal case, where use of a GPS tracking device would require a warrant supported by probable cause, use of the device by a public employer only required a showing that the use was reasonable. The majority found that the use of GPS in this situation was reasonable, as the employee had previously discovered that he was being followed by a private investigator and the data from the GPS was not constantly monitored. Two judges on the court disagreed, however, and said that the GPS was an unconstitutional search and that the scope of the use was unreasonable. The GPS transmitted data outside of work hours, including during the time the employee took a week-long vacation with his family. Because a majority of the court found the use of the GPS device was reasonable, the employee could not recover from his employer.
TIP: Employers should carefully consider the laws of their state before electronically monitoring employees, especially if that monitoring may include activities or time outside of the workplace.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:
Attorney Advertising Materials
These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.
Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).
© 2011 Winston & Strawn LLP