First Quarter 2012

Follow us @WinstonPrivacy for breaking news on privacy topics.

In This Issue:


 

I. ONLINE AND CONSUMER PRIVACY

A. CLASS ACTION SUITS ALLEGE VIOLATIONS OF CALIFORNIA'S "SHINE THE LIGHT" LAW
B. CDA DOESN’T APPLY TO NAMES AND LIKENESSES IN FACEBOOK’S SPONSORED ADS
C. FTC AND COLLEGE SAVINGS PROVIDER SETTLE OVER TOOLBAR SAFEGUARDS

II. MOBILE PRIVACY AND BEHAVIORAL TRACKING

A. FCC ROBO-CALL REVISION HEIGHTENS "CONSENT" FOR SENDING TEXTS
B. CRUISE LINE SUED IN NY FOR ALLEGED TCPA VIOLATION
C. YOUR SMARTPHONE APP NEEDS A PRIVACY POLICY SAYS CA AG
D. SUPREME COURT RULES GPS TRACKING IS A SEARCH REQUIRING WARRANT
E. FTC REPORT: PRIVACY DISCLOSURES IN KIDS’ MOBILE APPLICATIONS INADEQUATE
F. MOBILE MARKETING ASSOCIATION RELEASES MOBILE APP PRIVACY GUIDELINES

III. DATA BREACH AND DATA SECURITY

A. IL BREACH LAW AMENDMENT IN EFFECT, NEW SECURITY PROVISIONS ADDED
B. CLASS ACTION SUIT FILED OVER ZAPPOS.COM DATA BREACH

IV. FINANCIAL PRIVACY

A. 3RD CIR. RULES FACTA PROHIBITS PRINTING PARTIAL EXPIRATION DATES ON RECEIPTS
B. MA COURT: ZIP CODES PERSONALLY IDENTIFIABLE UNDER CREDIT CARD LAWS

V. WORKPLACE PRIVACY

A. EMPLOYER MAY BE LIABLE FOR SEARCHING EMPLOYEE’S EMAIL ACCOUNT
B. EMPLOYER ACCESS OF EMPLOYEE’S PERSONAL EMAIL ACCOUNT MAY GIVE RISE TO LIABILITY
C. IN IOWA, INVASION OF PRIVACY CLAIM DOES NOT REQUIRE ACTUAL VIEWING OR RECORDING

VI. HEALTHCARE PRIVACY

A. MN AG SUES DEBT COLLECTION AGENCY FOR ALLEGED HIPAA VIOLATIONS

VII. INTERNATIONAL PRIVACY

A. TAIWAN DELAYS PRIVACY LAW IMPLEMENTATION, CHINA LAW EFFECTIVE MARCH 15
B. EU RELEASES FINAL DATA PROTECTION FRAMEWORK
C. NO REQUIREMENT FOR EXTRA CONSENT FOR USE OF GOOGLE ANALYTICS IN IRELAND
D. HAVE YOU READ THE CANADIAN OBA GUIDANCE?
E. GLOBAL MOBILE APP PRIVACY GUIDELINES RELEASED

Liisa Thomas will be presenting on Understanding The Many Facets Of Social Media And Its Effect On Business Today at New York Law School Advertising And Media Law Group's "Annual Advertising And Media Law Spring Rush."

I. ONLINE AND CONSUMER PRIVACY

A. CLASS ACTION SUITS ALLEGE VIOLATIONS OF CALIFORNIA'S "SHINE THE LIGHT" LAW

Several companies were sued at the end of last year for violations of California's "Shine the Light" law, which requires companies to take certain notification steps if they share personal information with third parties for those third parties' advertising purposes. Those steps include having a link on the home page to a disclosure about the company's sharing practices called "Your Privacy Rights" or "Your California Privacy Rights" (this wording can be added to the privacy policy link, such as "Privacy Policy – Your Privacy Rights"). In addition, unless the company gives consumers a choice about having information shared with third parties for the third parties' marketing purposes, it must respond once a year to customer inquiries about whether information has been shared for marketing purposes. Among those companies sued (all by the same attorney) were Men's Journal LLC, Condé Nast Publications, CBS Interactive, and Time, Inc. The complaints all allege that the companies violated the law by not having the proper disclosures required by the Act.

TIP: These cases are the latest in a series of recent privacy-related class actions. They serve as a reminder that companies subject to the Act's jurisdiction, that share information with third parties for those third parties' marketing purposes, should make sure they have the appropriate "Shine the Light" disclosures in place.


B. CDA DOESN’T APPLY TO NAMES AND LIKENESSES IN FACEBOOK’S SPONSORED ADS

A putative class action was filed against Facebook alleging that Facebook unlawfully misappropriated the plaintiffs' names, photographs, and likenesses for use in paid "Sponsored Stories" without first obtaining the plaintiffs' consent. A "Sponsored Story" is a paid advertisement that appears on a Facebook page and generally contains a friend's name, profile picture, and a statement that the person "likes" the advertiser (which communicates that the friend has used Facebook's "like" functionality to "like" the advertiser). Facebook moved to dismiss the claim on the grounds that the plaintiffs lack standing to bring the claim and that Facebook is entitled to protection under the Communications Decency Act ("CDA"), which provides immunity to "interactive computer service providers" for content posted to their websites by consumers. The District Court for the Northern District of California denied Facebook's motion, first concluding that the plaintiffs have standing because the case involved the statutory right of publicity and the economic value of an individual's commercial endorsement of a product. The court also indicated that while Facebook is an interactive computer service provider under the CDA, the plaintiffs also allege facts suggesting that Facebook is an information content provider. Specifically, the court pointed to the plaintiffs' allegation that Facebook edited user-created content into "a commercial endorsement to which they did not consent."

TIP: It is important to keep in mind that you may not be entitled to immunity under the CDA for user-generated content on your website if you modify or repurpose the content. In addition, advertisers who solicit user-generated content should be careful not to use the content in a manner that exceeds the authorization given by the person who submitted the content.


C. FTC AND COLLEGE SAVINGS PROVIDER SETTLE OVER TOOLBAR SAFEGUARDS

The Federal Trade Commission brought an action against Upromise Inc., a company that provided services to consumers trying to save money for college, alleging that the "Turbosaver Toolbar" offered by the company deceptively collected and transmitted consumer personal information. Upromise's Turbosaver Toolbar allowed consumers to identify and select merchants from which the consumer could receive rebates, which were then placed into the consumer's college savings account. The Turbosaver Toolbar incorporated a "personalized offers" feature that used consumer browsing information to provide targeted advertising to consumers through the browser. Upromise's privacy statement stated that the company: (1) implemented policies and practices designed to safeguard consumer information; (2) encrypted sensitive information during transmission; (3) would use every commercially viable effort to purge its database of any personally identifiable information; and (4) would remove any personally identifiable information collected "inadvertently" before transmission.

The FTC's complaint alleged that in practice Upromise's Turbosaver Toolbar collected consumer information such as usernames, passwords, and search terms, including information from secure web pages like online banking websites. Furthermore, the FTC alleged that the Turbosaver Toolbar transmitted sensitive personal information such as credit card and financial account information, security codes, and social security numbers without encrypting the information, so that the information could have been easily compromised if transmitted over unsecured networks. Finally, the FTC alleged that Upromise failed to use readily available, low-cost measures to prevent the unauthorized collection of consumer information, such as testing the Toolbar, and failed to protect consumer information consistent with its representations to consumers.

As part of its settlement, Upromise must destroy all data collected through the Turbosaver Toolbar's personalized offer feature. In addition, Upromise must provide consumers with clear and prominent disclosures regarding its privacy practices, separate from any user license agreement, and obtain the consumer's affirmative consent prior to installation of any similar product. Upromise will also be required to notify any current or previously affected consumers about the type of information collected, how to disable the personalized offers feature and how to uninstall the Turbosaver Toolbar.

TIP: Companies should take appropriate steps when transmitting information, particularly sensitive information. Privacy policies can discuss safeguard measures, but the safeguard measures mentioned should be an accurate reflection of the steps companies take.


II. MOBILE PRIVACY AND BEHAVIORAL TRACKING

A. FCC ROBO-CALL REVISION HEIGHTENS "CONSENT" FOR SENDING TEXTS

In new rules approved by the FCC on February 15, companies that want to contact consumers through auto-dialed or pre-recorded calls or texts will need to get prior express written consent. For text messages, it appears that obtaining consent can be done through a text from the consumer, provided that the consumer is clearly told what will happen if he or she sends in a text to provide consent in this manner. Consent can also be obtained online (for example, in situations where the company is collecting text message numbers on a website), provided that the consumer is clearly told what will happen if he or she gives consent and unambiguously agrees. Companies will have twelve months from when the rules are published to implement and obtain prior express written consent. During this time, the mobile industry will likely be looking at the revised rules and modifying industry guidance accordingly. The impact the rule change will have on text messages is not the main purpose of the revision, which was intended to bring the rule (as it applies to phone calls) into alignment with the FTC requirements. However, text messages are impacted, since they are interpreted as "calls" under the TCPA, and the FCC notes in its comments to the revised regulation that text messages are covered by the changes. The revision could prove helpful for some, since it will provide clarification on how to obtain "consent," something that is required under the existing rule (just not specifically defined).

TIP: Examine your current practices for getting consent to send text messages. If your company has a process in place where it clearly explains what messages will be sent to consumers, and has consumers take an affirmative step that could constitute a writing under the E-SIGN Act (including sending an electronic writing like a text message), it will likely be prepared for the implementation of the revised rule.


B. CRUISE LINE SUED IN NY FOR ALLEGED TCPA VIOLATION

In February 2012 a class action suit was brought against Caribbean Cruise Line alleging violations of the Telephone Consumer Protection Act (TCPA). According to the complaint, the named plaintiff received a call that used an artificial or pre-recorded voice, indicating that if he stayed on the line, he could take a survey and have a chance to win a free cruise. According to the complaint, if a consumer did stay on the line, he was connected to a representative who promoted the company's hotels. The named plaintiff had not consented to receiving these calls, and apparently did not have a business relationship with the company. The TCPA and its regulations prohibit making calls using pre-recorded or artificial voices unless, inter alia: (1) the caller and the recipient have a pre-existing business relationship; (2) the call is not "made for a commercial purpose;" or (3) if made for a commercial purpose, the call "does not include or introduce an unsolicited advertisement" nor constitute a "telephone solicitation" (i.e., a call to induce someone to make a purchase). This law is similar to, but different from, the Telemarketing Sales Rule (TSR), which prohibits pre-recorded sales calls made without permission (a law not cited by the plaintiffs). This new case is still pending, and it appears that a decision will turn on the facts, including whether the subject matter of the call included an advertisement or attempt to sell goods or services.

TIP: If your company has a program in place to call its customers, make sure that you have obtained suitable consent prior to making the calls. Be careful of obligations under both the TSR and the TCPA, and keep in mind that states have their own laws as well. Be particularly careful when vetting a calling program to understand the full subject matter of the calls.


C. YOUR SMARTPHONE APP NEEDS A PRIVACY POLICY SAYS CA AG

For companies that have apps for mobile phones, having a privacy policy is now a must in California. In an interesting move, the California Attorney General reached an agreement with what her office is calling "the six companies whose platforms comprise the majority of the mobile apps market." Under the agreement, apps must have a privacy policy, and that policy must be available to users before they download the app. The AG appears to have derived the authority for this settlement from a California law that requires companies with Web sites or online services to conspicuously post their privacy policies. Under the settlement, the parties have agreed to work with the AG to make it possible for the privacy policy to be easily accessible to users in the app stores. The parties have also agreed to implement a complaint process, through which (1) consumers can report apps that do not comply with their stated terms or with the law and (2) the parties will take steps to respond to those reports. The parties will work with the California AG on best practices for mobile privacy policies, and will meet within six months to evaluate mobile privacy generally. This scrutiny of mobile privacy practices follows in the wake of many class action lawsuits, as well as urgings by the FTC that privacy be addressed in the mobile environment.

TIP: If you do not already have mobile privacy policies in place for your smartphone apps, now is the time to develop them. App stores will be requiring you to have and submit copies of those policies, and will be posting them for users in the app store. The policies should be easy to read on a mobile platform, for example by taking a "layered" approach where straightforward statements can be expanded to provide more detailed information.


D. SUPREME COURT RULES GPS TRACKING IS A SEARCH REQUIRING WARRANT

The U.S. Supreme Court recently ruled that the government's use of a GPS tracking device on a vehicle constitutes a search, thus requiring a warrant under the Fourth Amendment. In the case, the government had obtained a search warrant to install a GPS tracking device on a drug suspect's vehicle. The warrant authorized installation within ten days of the warrant in Washington D.C., but the agents installed the device on the 11th day, and in Maryland. The vehicle's movements were tracked for 28 days. Using the information gathered, the government secured an indictment of the defendant and others on drug trafficking conspiracy charges. The district court suppressed the GPS data gathered while the car was parked in the defendant's garage, but not information gathered while the car was on public streets. In reaching its decision, the district court found that while on public streets, the defendant had no reasonable expectation of privacy and thus the government did not need a valid warrant. The defendant was convicted, but the court of appeals reversed, concluding that the admission of the evidence obtained by use of the GPS on the public streets was an unauthorized search under the Fourth Amendment. The Supreme Court affirmed the court of appeals' decision, finding that use of a GPS tracking device – even on public streets – constituted a search necessitating a valid warrant.

TIP: This case was much watched and commented on for its interpretation that GPS tracking constitutes a "search." It is unclear whether this decision will have an impact outside of the narrow area of government searches. It does suggest, though, that the traditional interpretation of what is "private" may be expanding. Companies that engage in tracking and monitoring (e.g., as part of mobile advertising strategies) should keep this potential shift in mind.


E. FTC REPORT: PRIVACY DISCLOSURES IN KIDS’ MOBILE APPLICATIONS INADEQUATE

The Federal Trade Commission released a report today showing the details of a survey of privacy disclosures and mobile apps for children. The survey results show that neither the app stores nor the app developers provide parents with notice regarding what types of information are collected from children. To create its report, the FTC looked at the Apple App store and Android Marketplace promotion pages, as well as the applications themselves, and determined that most apps offer little to no disclosure regarding what information is collected and how it is used. The report made several recommendations, including encouraging app stores to take responsibility to ensure parents have access to necessary privacy disclosures. The report also recommended that app developers ensure their data practices are made available to parents in simple and short disclosures. The FTC enforces the Children's Online Privacy Protection Rule which requires operators of online services, including mobile apps, to provide notice and obtain parental consent prior to collecting information from children under 13. In the coming months, the FTC indicated that it will be conducting additional reviews to determine if some apps are violating COPPA.

TIP: The FTC has indicated for some time that mobile apps directed to children must comply with COPPA. This report serves as a warning that companies should review relevant apps to ensure that they have compliance steps in place. These steps include obtaining parental consent prior to collecting personal information from children, and having COPPA-compliant notices.


F. MOBILE MARKETING ASSOCIATION RELEASES MOBILE APP PRIVACY GUIDELINES

As companies work this year towards creating privacy policies that are clear and comprehensible in the mobile environment, they may find the proposed "Mobile Application Privacy Policy Framework" from the Mobile Marketing Association helpful. The framework recommends content that mirrors what many already have in their privacy policies: (1) what information is collected by the application; (2) whether geo-location information is obtained; (3) whether third parties have access to information; (4) whether information is collected automatically and/or used for advertising purposes; and (5) what opt-out choices the consumer has. The framework includes proposed wording that could be used in a mobile privacy policy; however, the language is long and, if followed, could make it difficult for a company to keep the policy easily readable on a small screen.

TIP: When developing a privacy policy for the mobile environment, think about how a user will be able to easily and clearly view all of the disclosures in the document. Special formatting may be needed. Also think about disclosures that are specific to the mobile environment, which may not currently be included in your company's standard privacy policy. This includes geo-location tracking.


III. DATA BREACH AND DATA SECURITY

A. IL BREACH LAW AMENDMENT IN EFFECT, NEW SECURITY PROVISIONS ADDED

Illinois has had a data breach notification law since 2005, but on January 1, 2012, an amendment went into effect. Under this amendment companies must include specific disclosures in their notices to consumers. These notices must be sent if covered information has been breached, as defined by Illinois law. This amendment brings the Illinois law into harmony with the requirements of other states. The new requirements include telling consumers that they can file a police report and how to place a freeze on their credit report (this same requirement exists under Massachusetts law), as well as giving contact information for the FTC. In addition, the law now requires vendors that house data on behalf of others to notify those companies in the event of a breach. This, too, exists under the laws of other states. The law also now includes data security provisions, mirroring those that exist in other states. In particular, companies that dispose of materials that include covered personal information must do so in a secure manner. This could include shredding paper documents, and erasing electronic media so that it cannot be read or reconstructed. Companies might find the guidance from the Illinois Attorney General's office helpful.

TIP: For companies that have a nationwide approach to data breach notification and data security, the requirements under Illinois law are not new. They do, however, serve as a reminder to such companies to make sure that they have addressed these requirements. For companies that have taken a more state-by-state approach, they should make sure to take Illinois into account. As other states’ requirements may change, companies may want to consider taking a more national approach.


B. CLASS ACTION SUIT FILED OVER ZAPPOS.COM DATA BREACH

A complaint was filed on January 16, 2012 in Kentucky against Amazon.com on behalf of a putative class of some 24,000,000 customers of Zappos.com, which is owned by Amazon.com. The suit alleges that Amazon violated the Fair Credit Reporting Act ("FCRA") when it allowed a hacker to access part of its internal network and systems, enabling the hacker to gain access to customer personal information such as names and addresses, email addresses, phone numbers, encrypted passwords, and the last four digits of credit card numbers (the hacker did not access the database that stores credit card and other payment data). The complaint was filed less than 24 hours after Zappos sent out a notice to its customers. The complaint alleged that Amazon failed to adopt and maintain adequate procedures to protect such information and limit its dissemination to the permissible purposes set forth in the FCRA, which also constituted common law invasion of privacy and negligence by not properly securing the servers that stored plaintiffs' personal information. Although the breach did not expose customers' social security numbers, nor did it expose complete credit card information, the complaint nevertheless alleged that class members were harmed, because they would have to take the time to change their passwords on the Zappos.com website as well as on their email accounts and any other Web sites where they used the same password. The complaint further alleges that class members are now more susceptible to identity theft, resulting in anxiety, emotional distress, and loss of privacy. In addition to the lawsuit, the Attorneys General of nine states, including Connecticut, Kentucky, Florida, Massachusetts, North Carolina, New York and Pennsylvania, sent a letter to Amazon seeking additional information about the incident.

TIP: This lawsuit serves as a reminder that class action lawyers and Attorneys General may watch breach notifications closely. Companies can act proactively by putting in place strong security programs appropriate for the types of information that they maintain. Being prepared to respond in the event of a data breach, not only in the consumer-notification phase, but also in the event of any subsequent inquiries, is also prudent.


IV. FINANCIAL PRIVACY

A. 3RD CIR. RULES FACTA PROHIBITS PRINTING PARTIAL EXPIRATION DATES ON RECEIPTS

The Third Circuit recently ruled that Tommy Hilfiger U.S.A., Inc. had violated the Fair and Accurate Credit Transactions Act ("FACT Act") by printing the month in which the credit card expires (but not the year). The FACT Act provides that merchants who accept credit or debit cards shall not print the "expiration date" of the cards upon any receipt provided to the cardholder at the point of sale. Although the term expiration date was not defined in the statute, Tommy Hilfiger argued that it refers to the date on which the credit or debit card ceases to be valid, thus requiring a simultaneous coexistence of both the month and the year. As such, merely printing "April" or "04" should not constitute a violation of the FACT Act, according to Tommy Hilfiger. The court disagreed, concluding that the FACT Act prohibits merchants from printing the numbers in that field, even if only a part or portion of those numbers is shown. In reaching its conclusion, the court noted that Congress had specifically indicated that retailers could print partial credit card numbers, but it did not mention anything about partial expiration dates. The class action was nevertheless dismissed, as it alleged willful violations of the Act, and the court did not find that Tommy Hilfiger had acted willfully.

TIP: This case suggests that merchants, when printing receipts that fall under the restrictions of the FACT Act, should not include even partial expiration dates.
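The following is an added example, not code from the newsletter or from any retailer it discusses, showing how a point-of-sale system can enforce the truncation rule described above and how a reviewer can scan printed receipt text for violations. It assumes a masking policy of showing only the last four digits of the card number (the page mentions only that partial card numbers may be printed) and treats any expiration value, whole or month-only, as a violation, which is the reading the Third Circuit adopted. The receipts are constructed samples; the `EXP:` field and the date formats are assumptions about how a receipt might be laid out.

```python
import re
from typing import List, Optional

# Added example, not from the newsletter. Assumed policy: print only the last four
# digits of the card number and never print the expiration date, even a partial one.

def mask_card_number(pan: str, keep_last: int = 4) -> str:
    """Return the card number with every digit except the last `keep_last` replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_last:
        raise ValueError("card number too short to truncate safely")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]

def format_card_line(pan: str, expiry: Optional[str] = None) -> str:
    """Render the card line for the customer copy. The expiry is accepted by the POS
    for authorization but is deliberately never written to the receipt, whole or partial."""
    del expiry  # kept in the POS record, intentionally unused on the printed copy
    return f"CARD: {mask_card_number(pan)}"

# MM/YY that is not part of a longer calendar date such as a transaction date 04/12/2012.
_EXP_DATE = re.compile(r"\b(0[1-9]|1[0-2])/\d{2}(?![/\d])")
# An explicit EXP/EXPIRES/EXPIRY/EXPIRATION field; catches a month-only value like "EXP: 04"
# (the case at issue) without matching words such as "EXPRESS".
_EXP_FIELD = re.compile(r"\bEXP(?:IRES|IRY|IRATION)?\b\s*[:=]?\s*\S+", re.IGNORECASE)
# Five or more consecutive digits on the card line means more than a truncated PAN was printed.
_LONG_DIGITS = re.compile(r"\d{5,}")

def find_receipt_violations(receipt_text: str) -> List[str]:
    """Return the receipt lines that print an expiration date (or fragment)
    or an under-truncated card number."""
    violations = []
    for line in receipt_text.splitlines():
        if _EXP_DATE.search(line) or _EXP_FIELD.search(line):
            violations.append(line.strip())
        elif line.lstrip().upper().startswith("CARD") and _LONG_DIGITS.search(line):
            violations.append(line.strip())
    return violations

# Constructed sample receipts (not real transactions).
NONCOMPLIANT_RECEIPT = """ACME STORE
DATE: 04/12/2012
CARD: ************1234  EXP: 04
TOTAL: $45.00"""

COMPLIANT_RECEIPT = "\n".join([
    "ACME STORE",
    "DATE: 04/12/2012",
    format_card_line("4111 1111 1111 1234", expiry="04/14"),
    "TOTAL: $45.00",
])

if __name__ == "__main__":
    print(find_receipt_violations(NONCOMPLIANT_RECEIPT))  # the card line carrying "EXP: 04"
    print(find_receipt_violations(COMPLIANT_RECEIPT))     # []
```

The date pattern deliberately refuses to match a month/year pair that continues into a day or a four-digit year, so an ordinary transaction date on the receipt is not reported; the field pattern is what catches the month-only case the court ruled on.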


B. MA COURT: ZIP CODES PERSONALLY IDENTIFIABLE UNDER CREDIT CARD LAWS

Following the lead of California courts, a Massachusetts district court recently held that ZIP codes are personally identifiable information under a Massachusetts law that prohibits recording such information on a credit card transaction form. In that case, the plaintiffs alleged that a large national retailer collected and recorded ZIP codes on credit card transaction forms at the time of purchase, and used the ZIP codes in conjunction with other information to obtain plaintiffs' home addresses to send marketing materials. Despite concluding that ZIP codes fell under the statute, the court nevertheless ordered a dismissal of the case, determining that plaintiffs failed to allege requisite injury resulting from the retailer's conduct. Interestingly, the court still went through the analysis of whether ZIP codes are subject to the Massachusetts statute, which prohibits recording personal information on a credit card transaction form. In determining that ZIP codes should not be collected, the court explained that the statute in question is designed to prevent fraud and protect consumers from identity theft by prohibiting retailers from recording on credit card forms information that could be used to put a consumer at risk (for example, by accessing a credit card account). The court noted that credit card companies may require consumers to provide ZIP codes as verifying information, just as they would a PIN. Thus, just as a consumer would be at risk if his or her PIN was recorded, so, too, would the consumer be at risk if the ZIP code was recorded.

TIP: Massachusetts follows California as the second state to hold that ZIP codes constitute personal information under laws regulating the collection of such information during a credit card transaction, or the recording of such information on credit card transaction forms. Similar cases may arise in other states with similar laws. Retailers should thus review their credit card transaction practices carefully to ensure they have appropriate procedures in place.


V. WORKPLACE PRIVACY

A. EMPLOYER MAY BE LIABLE FOR SEARCHING EMPLOYEE’S EMAIL ACCOUNT

In a case out of the Northern District of California, two employees of the City and County of San Francisco Department of Emergency Communications ("DEC") brought suit against their employer for violation of the Stored Communications Act ("SCA") and state privacy law. DEC provided a bank of computers for employees to use to check their personal email and surf the internet. DEC did not have a policy concerning email privacy or stating that employee emails and email use may be monitored. Somehow, emails from one employee's personal email account, including emails to the second plaintiff, were printed and brought to DEC's HR department, based on a concern that the emails contained confidential information that the employee improperly passed on to others. According to the employee, one of her coworkers or supervisors searched her email inbox and folders to find the emails. According to the employer, the emails were already open, and were found when a coworker or supervisor went through the minimized windows on the computer. The district court found a factual dispute as to how the emails had been found, and so allowed the SCA claim to go forward. Additionally, because there was a factual dispute as to how much privacy the plaintiff could have reasonably expected to have in her emails, especially because the employer did not have a policy pertaining to email privacy or monitoring, the privacy law claim was also allowed to continue.

TIP: Employers should communicate with employees that employees do not have an expectation of privacy in emails sent, stored or received through an employer's email server or using an employer's computer equipment. This could be included in an employee privacy policy, a handbook, or other policy document directed and distributed to employees.


B. EMPLOYER ACCESS OF EMPLOYEE’S PERSONAL EMAIL ACCOUNT MAY GIVE RISE TO LIABILITY

In a recent decision from Massachusetts, a principal and teacher who were employed at the same middle school – and had a romantic relationship – were allowed to continue with their invasion of privacy claim against the town and other school employees. After personal and professional disputes between the principal and superintendent of the school district arose, the superintendent began monitoring the principal's school email account, with the help of other school employees. Evidence of a romantic relationship between the principal and teacher was found in emails on the school account, as well as a user name and password for the principal's personal email account. The superintendent and other employees accessed the principal's personal email account using these credentials, where they found more explicit evidence of a relationship. The superintendent terminated both the principal and teacher. Later, a member of the school committee released both the school and personal emails to the press. The district court found that the teacher and principal did not have any privacy interest in the emails on the school account, and dismissed all claims relating to those emails. However, the district court found that there could be a privacy interest in the personal emails, and allowed the invasion of privacy case to go forward based on claims relating to those emails.

TIP: Employers should not access the personal email accounts of employees without permission, even when the username and password information to those accounts is accessible to the employer. Although employees generally have no expectation of privacy in work emails, there may be a higher expectation of privacy in personal emails.


C. IN IOWA, INVASION OF PRIVACY CLAIM DOES NOT REQUIRE ACTUAL VIEWING OR RECORDING

Recently, the Iowa Supreme Court allowed an employee to continue with a case against an employer who placed a video camera in a restroom, even though the camera was inoperable where it was placed. The employer had two female assistants, the plaintiff and her co-worker, in his insurance company. The employer found a hypodermic needle in the office's parking lot and suspected that the co-worker was using illegal drugs. He installed a security camera in the office's bathroom, but was unable to see anything on the screen – the camera either showed static or displayed a "no signal" message. The plaintiff discovered the camera the next day and called the police, later filing suit against the employer. The employer moved to dismiss the plaintiff's invasion of privacy claim, arguing that because he was not actually able to record or view the plaintiff, the camera was not an intrusion on her privacy. The court decided that in order to bring a case for invasion of privacy, the plaintiff only needed to show that the camera could have invaded her privacy, not that the employer actually viewed or recorded anything with the camera. In this case, although the camera did not actually record or display images, the court determined that the plaintiff had produced enough evidence for a reasonable judge or jury to determine that the camera was operational and capable of recording activities in the bathroom, and refused to dismiss her case.

TIP: Employers may open themselves to liability if they place cameras in bathrooms or other areas of "intimate activity," even if the employer does not actually watch or record any activity.

[Top]


VI. HEALTHCARE PRIVACY

A. MN AG SUES DEBT COLLECTION AGENCY FOR ALLEGED HIPAA VIOLATIONS

The Minnesota Attorney General recently filed suit against a company that served as both a debt collection agency and revenue cycle management service provider for hospitals, alleging it violated the federal Health Insurance Portability and Accountability Act (HIPAA) and the Minnesota Health Records Act by failing to protect private patient information it obtained through contracts with two Minnesota hospital systems. The complaint alleges that Accretive Health Inc., the debt collection agency/revenue cycle management service provider, failed to implement policies and procedures to, among other things, (a) prevent, detect, contain and correct security violations, (b) ensure appropriate access to electronic protected health information and prevent access by unauthorized workforce members, (c) train workforce members to maintain security of protected health information, (d) identify and respond to suspected or known security incidents and mitigate harmful effects known to it, and (e) limit physical access to electronic information systems. The violations came to light when a laptop computer that contained protected health information on roughly 23,500 individuals was stolen from an employee's car. Although the laptop was password protected, its hard drive was not encrypted. The ability of state Attorneys General to bring cases under HIPAA is relatively new, and it is not a power AGs have exercised frequently.

TIP: Business associates of healthcare entities should ensure proper policies and procedures are in place to safeguard protected health information in compliance with HIPAA, and should recognize that the hard drive of a laptop that contains protected health information should be encrypted to the standards set by the Department of Health and Human Services. We likely will see more enforcement for security failures from state Attorneys General in the future, as well as from the Department of Health and Human Services.

[Top]



VII. INTERNATIONAL PRIVACY

A. TAIWAN DELAYS PRIVACY LAW IMPLEMENTATION, CHINA LAW EFFECTIVE MARCH 15

Taiwan's 2010 Personal Data Protection Act will add data security and data breach notification obligations to the country's existing law, the Computer-Processed Personal Data Protection Act. Following the country's January presidential elections, however, the implementation date of the rules has been delayed. In China, on the other hand, websites will have to follow nationwide rules that, according to sources, require heightened notice to users about how their information will be used. The rules also require consent from users to the collection and sharing of their information. The law is currently only available in Chinese.

TIP: More and more countries are either implementing or considering laws that heighten data security, breach notice, and general notice/choice obligations. Companies that operate internationally should keep these potentially more stringent requirements in mind.

[Top]

B. EU RELEASES FINAL DATA PROTECTION FRAMEWORK

The European Union has released a much-anticipated draft data protection regulation, which would replace the existing EU privacy framework, in place since 1996. Under the current framework, each member state has put into place its own implementing legislation under an EU directive. Under the proposal, there would be both a directive for national legislation and an EU-level regulation on privacy. Key changes from the existing laws would include a requirement to notify local data protection authorities in the event of a data breach. Notice would need to occur as soon as possible (and the proposal indicates that, where feasible, it should happen within 24 hours of when the company becomes aware of the breach). The new framework also offers stronger individual protections, such as a "right to be forgotten," requiring companies to delete personal information if there are no legitimate reasons to keep it, and a need to get explicit consent where permission is needed for data to be processed. This last protection would affect the use of information for direct marketing or online behavioral advertising, and companies would need to get consent through a clear affirmative action by the individual. This might include the user ticking a check-box that is unchecked by default, but does not include silence or inactivity. The final regulation will proceed to the EU member states for approval, and if approved by the member states it would become enforceable two years after the regulation was adopted.

TIP: There is still time before this new EU framework goes into effect, and it may change several times over the next few years. Nevertheless, companies that are subject to EU requirements may want to examine their current practices to get a sense of what steps would need to be taken to come into compliance, in particular with the data breach and consent provisions.

[Top]

C. NO REQUIREMENT FOR EXTRA CONSENT FOR USE OF GOOGLE ANALYTICS IN IRELAND

The Irish Data Protection Agency has clarified that website operators in Ireland using Google Analytics to collect information from website visitors do not need to obtain “explicit separate consent” from visitors. However, according to the Irish DPA, website operators should generally disclose the use of cookies on the website, including the use of analytics technology. The Irish DPA’s clarification comes in response to the implementation of its new rules pursuant to modifications at the EU level about use of cookies. The Irish approach appears to differ from other European countries.

[Top]

D. HAVE YOU READ THE CANADIAN OBA GUIDANCE?

Late last year the Canadian Privacy Commissioner issued online behavioral advertising guidelines that in many ways mirror the self-regulatory program in the United States. Companies should, according to the Canadian body, give clear and conspicuous notice about tracking activities over time in order to serve targeted advertising. In addition, companies engaging in such activities should give consumers the ability to opt out. This notice and choice is a requirement under Canadian federal law, namely the Personal Information Protection and Electronic Documents Act (PIPEDA). In describing notice and choice mechanisms, the Office of the Privacy Commissioner suggests in its guidance several steps, namely: (1) making purposes clear through a notice that isn't buried in the privacy policy; (2) sharing this notice at or before collecting information; (3) giving an opt-out, preferably at or before information is collected; (4) making sure the opt-out takes effect immediately; (5) limiting collection of information to what is needed; and (6) destroying or de-identifying information after it is no longer needed.

TIP: Following the self-regulatory U.S. program will likely get companies far down the road to addressing Canadian requirements. However, if designing an OBA strategy that will encompass Canadian users, keep in mind that Canadian privacy law is broader than that in the U.S., and if subject to Canadian jurisdiction, your program should address those requirements.

[Top]

E. GLOBAL MOBILE APP PRIVACY GUIDELINES RELEASED

The GSM Association, which represents mobile carriers worldwide and is headquartered in London, has released guidelines to help mobile app developers create privacy disclosures for their users. The guidelines can be downloaded from the GSMA website. Under the guidelines, apps should let users know who is collecting information, why, and how it is being used (including whether it is shared). The guidelines indicate that apps should not secretly access or collect information, that the amount of information collected should not be excessive, and that in some circumstances active consent should be obtained. The circumstances in which consent should be obtained include using information for a purpose not related to the app’s primary purpose, sharing information with third parties, and storing information after it has been used. Active consent is defined as giving a consumer a clear opportunity to agree to a particular use, and should not be the default option. The guidelines address social media as well, and indicate that users should be prompted to register for social networks, that default settings should be “privacy protective,” and that tools should be provided to deactivate and delete information at a consumer’s election. The guidelines also call for data retention and security measures, and for consumer education.

TIP: These guidelines mirror the recent settlement app stores entered into with the California AG, and are a reminder that companies that host apps will need to make sure those apps have privacy policies in place in order for the apps to be approved by the stores. These guidelines provide additional detail about what content to consider including in the apps (especially those designed for the international market), and signal not just app store but carrier commitment to having app-based privacy policies.

[Top]



If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

CHICAGO

Liisa M. Thomas (Advertising), (312) 558-8121
Julie Bauer (Litigation), (312) 558-5973
Monique Bhargava (Advertising), (312) 558-3732
Christine A. Edwards (Financial Services), (312) 558-5571
Brian D. Fergemann (Advertising), (312) 558-8024
Delilah B. Flaum (Health Care, Litigation), (312) 558-8922
Jason W. Gordon (Advertising), (312) 558-6145
Brian L. Heidelberger (Advertising), (312) 558-5897
Mary Hutchings Reed (Advertising), (312) 558-5721
Robert H. Newman (Advertising), (312) 558-8125
Tim Rivelli (Litigation), (312) 558-5817
Sara Chubb (Advertising), (312) 558-7406
Cardelle B. Spangler (Labor & Employment, Litigation), (312) 558-7541
Marc H. Trachtenberg (Advertising), (312) 558-7964

LOS ANGELES

Steven D. Atlee (Litigation), (213) 615-1827
Anna S. Masters (Labor and Employment), (213) 615-1711

NEW YORK

Virginia R. Richard (Intellectual Property), (212) 294-4639

PARIS

Sébastian Ducamp (Employment, Litigation), 33 (0)1 53 64 82 08
Blaise Deltombe (Employment, Litigation), 33 (0)1 53 64 82 31
Nathalie Hadjadj-Cazier (Intellectual Property), 33 (0)1 53 64 81 50

SAN FRANCISCO

David S. Bloch (Intellectual Property, Litigation), (415) 591-1452
Kimberly Eckhart (Intellectual Property), (415) 591-6805
Jennifer A. Golinveaux (Intellectual Property, Litigation), (415) 591-1056
Becky L. Troutman (Intellectual Property), (415) 591-1401

HOUSTON

Sheryl Falk (Litigation), (713) 651-2615

WASHINGTON, D.C.

Marion K. Goldberg (Health Care), (202) 282-5788
Anthony DiResta (Advertising, Litigation), (202) 282-5782

LONDON

Zoë Ashcroft (Corporate, Financial), 44 (0)20 7105 0025

Attorney Advertising Materials

These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).

© 2012 Winston & Strawn LLP