Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

UPDATE: FTC Plans Review of YouTube Kids App

Posted in Children, Federal Trade Commission, Privacy Regulation

As we predicted in our post late last month, Google’s YouTube Kids app has attracted more than just the “curious little minds” Google was hoping for.  Yesterday, a group of privacy and children’s rights advocates (including the Center for Digital Democracy and the American Academy of Child and Adolescent Psychiatry) asked the Federal Trade Commission “to investigate whether Google’s YouTube Kids app violates Section 5 of the FTC Act . . . .”

The advocacy group downloaded the YouTube Kids app onto an Android device and two iOS devices.  It then reviewed and assessed the app as it functioned, watching content Google says caters to children while protecting them from questionable or troubling content.

The advocacy group claims this review identified three features of the app it believes are unfair or deceptive.  First, the group faults Google for offering content “intermixed” with advertising content in a manner the group claims “would not be permitted to be shown on broadcast or cable television” under Federal Communications Commission guidelines.  Second, the group worries that much of the advertising violates the FTC Endorsement Guides because it is user-generated in a way capable of masking relationships with product manufacturers.  Finally, the group claims the advertising content violates the YouTube Kids app’s stated policies and procedures.

Taken together, the advocacy group’s issues all collapse around the same core argument: very young children (generally under 5 years of age) cannot distinguish between actual content and advertising, and that makes them “uniquely vulnerable to commercial influence.”  This argument has a lot of emotional appeal: who wouldn’t want to protect small children?  But the implications of this argument extend far beyond the YouTube Kids app, and would call into question any free, advertising-supported video platform, including network television.  As such, it seems likely that the advocacy group’s position faces significant First Amendment hurdles.

Although the advocacy group does not (yet) take issue with YouTube Kids’ data collection practices, it does question how the app is able to generate video recommendations.  And its letter to the FTC explicitly asks the Commission to investigate whether or not children are being tracked without verifiable parental consent.

The ball is now squarely in the FTC’s court.  It could launch a non-public investigation regarding the app’s practices, or it could do nothing.  However, as the Commission has recently signaled a renewed interest in protecting children online (including entering a $19 million settlement with Google over children’s in-app purchases last September), it seems likely the Commission will have at least some questions for Google following the advocacy group’s letter.

We’ll be sure to keep you posted.

Video Interview: Discussing Cross-Device Tracking on LXBN TV

Posted in Data Compliance & Security, Federal Trade Commission, Mobile Privacy, Online Advertising

Following up on my recent post on the matter, I had the opportunity to speak with Colin O’Keefe of LXBN on the subject of cross-device tracking. In the brief interview, I discuss the growing prevalence of cross-device tracking and what the FTC is doing in response.

Privacy Monday – April 6, 2015 – Play Ball! (and other privacy-related bytes)

Posted in Privacy Litigation, Privacy Monday

Not only is it Privacy Monday – it is OPENING DAY!   After this long, long winter … welcome back baseball!

It’s usually an end-of-season tradition for some baseball writers and announcers, but I like to revisit it in the spring for what is ahead “in a green field, in the sun” — one of the greatest odes to the game ever written:

It breaks your heart. It is designed to break your heart. The game begins in the spring, when everything else begins again, and it blossoms in the summer, filling the afternoons and evenings, and then as soon as the chill rains come, it stops and leaves you to face the fall alone. You count on it, rely on it to buffer the passage of time, to keep the memory of sunshine and high skies alive, and then just when the days are all twilight, when you need it most, it stops.   …  It breaks my heart because it was meant to, because it was meant to foster in me again the illusion that there was something abiding, some pattern and some impulse that could come together to make a reality that would resist the corrosion; and because, after it had fostered again that most hungered-for illusion, the game was meant to stop, and betray precisely what it promised.

Of course, there are those who learn after the first few times. They grow out of sports. And there are others who were born with the wisdom to know that nothing lasts. These are the truly tough among us, the ones who can live without illusion, or without even the hope of illusion. I am not that grown-up or up-to-date. I am a simpler creature, tied to more primitive patterns and cycles. I need to think something lasts forever, and it might as well be that state of being that is a game; it might as well be that, in a green field, in the sun.

Read “The Green Fields of the Mind” by A. Bartlett Giamatti here and hear him read it himself here.   Or, watch the epic James Earl Jones monologue from Field of Dreams here.

Enjoy Opening Day!

Now back to your regularly-scheduled Privacy & Security Matters programming — Opperman v. Path Inc.’s Impact on Privacy Notices

Breaking News: Executive Order Signed Relating to “Significant Malicious Cyber-Enabled Activities”

Posted in Cybersecurity, Security

President Obama today signed an Executive Order granting authority to the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to impose sanctions on individuals and entities determined to be “responsible for or complicit in malicious cyber-enabled activities” that result in harms “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”  For purposes of the Executive Order, “malicious cyber-enabled activities” include deliberate activities accomplished through unauthorized access to a computer system, including

  • by remote access;
  • circumventing one or more protection measures, including by bypassing a firewall; or
  • compromising the security of hardware or software in the supply chain.

OFAC will work in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in the Executive Order and designate them for sanctions. Persons designated under this authority will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).  There are no immediate compliance obligations for U.S. companies under this Executive Order; however, once Treasury has made designations pursuant to this authority, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to this Executive Order, or with any entity owned by such persons.

The Executive Order is available here.   OFAC has issued a series of related Frequently Asked Questions here.

Responding to Insider Data Theft

Posted in Cybersecurity, Data Compliance & Security, Events and Webinars, Security

Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation.  Jonathan and Paul discussed how identifying the insider threat differs from the techniques used to identify and stop hackers, how to create an environment that deters insiders from stealing data, and the legal remedies – both civil and criminal – that are available to recover stolen data and compensate for its loss.  Nearly 100 participants joined us for this webinar.

For those who missed the webinar, some of the key takeaways include the following:

  • Data losses due to insiders are not the most common source of loss, but they are consistently among the most damaging to the company’s finances and future.  They target customer data, intellectual property, future business plans and embarrassing skeletons.
  • Insiders are not hackers, and traditional technology-based barriers to outside hackers don’t stop them, because the insider is entitled to be in the network and has authorized access to the data.
  • Detecting insiders is an ongoing exercise of analyzing the data of nominally equivalent employees and identifying anomalous conduct.
  • Deterring insiders through social engineering is easier and more productive than trying to identify an attacker after the fact.  Where employees are aware that indicators of insider attacks are being watched, there is less likelihood that attacks will occur.
  • The Computer Fraud and Abuse Act (CFAA), which is the most commonly employed federal statute to redress insider attacks, has inconsistent interpretations throughout the federal courts, and its effectiveness varies.  State computer abuse, trade secrets, and breach of fiduciary duty laws continue to provide suitable remedies, both civil and criminal.
  • Criminal prosecution of insiders under federal law based on the CFAA, wire fraud, HIPAA and other federal criminal statutes is feasible, but is likely to be available only in the largest cases.
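The third takeaway above describes insider detection as comparing each employee against nominally equivalent peers and looking for anomalous conduct. The following is an added example of that comparison, not material from the webinar or this blog: it scores each user’s weekly file-download count and after-hours session count against the other users in the same role (leave-one-out, so an outlier cannot inflate the baseline it is measured against) and flags anyone more than three standard deviations above their peers. The log rows, roles, metric names and thresholds are all constructed for illustration.

```python
"""Peer-group anomaly scoring over constructed file-access summaries.

Added example, not from the webinar or the blog.  "Nominally equivalent
employees" is modelled as "same role"; all rows below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one row per user for a one-week window.
# Fields: (user, role, records_downloaded, after_hours_sessions)
ACCESS_LOG = [
    ("alice", "analyst", 120, 1),
    ("bob",   "analyst", 135, 0),
    ("carol", "analyst", 110, 2),
    ("dave",  "analyst", 990, 9),   # constructed outlier
    ("erin",  "sales",    40, 0),
    ("frank", "sales",    55, 1),
    ("grace", "sales",    48, 0),
    ("heidi", "sales",    60, 0),
]

METRICS = ("downloads", "after_hours")
MIN_PEERS = 3      # a baseline built from fewer peers is not meaningful
THRESHOLD = 3.0    # flag when a user sits more than 3 sigma above peers


def zscore(value, peers):
    """z-score of value against a peer sample.  A zero-variance peer
    group cannot distinguish anyone, so it yields 0 rather than dividing
    by zero."""
    sigma = pstdev(peers)
    return 0.0 if sigma == 0 else (value - mean(peers)) / sigma


def score_users(records, threshold=THRESHOLD, min_peers=MIN_PEERS):
    """Return {user: {metric: z}} for users who exceed threshold on at
    least one metric.  Each user is compared only against the OTHER
    users in the same role (leave-one-out)."""
    by_role = defaultdict(list)
    for user, role, downloads, after_hours in records:
        by_role[role].append(
            (user, {"downloads": downloads, "after_hours": after_hours})
        )

    flagged = {}
    for members in by_role.values():
        for user, values in members:
            peers = [v for u, v in members if u != user]
            if len(peers) < min_peers:
                continue  # not enough peers to form a baseline
            scores = {
                m: zscore(values[m], [p[m] for p in peers]) for m in METRICS
            }
            if any(z > threshold for z in scores.values()):
                flagged[user] = scores
    return flagged


if __name__ == "__main__":
    for user, scores in score_users(ACCESS_LOG).items():
        detail = ", ".join(f"{m} z={z:.1f}" for m, z in scores.items())
        print(f"review {user}: {detail}")
```

The leave-one-out comparison matters more than it looks: if a user is included in their own baseline, the largest z-score a group of n users can produce is √(n−1), so with a four-person team a threshold of 3.0 could never fire no matter how extreme the outlier. Only positive deviations are flagged, since the question is who is doing more than their peers, and roles with fewer than three other members are skipped rather than scored against noise.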

For a recording of the webinar, click here.

The next webinar — the fourth in our Mintz Levin Privacy Series — EU Data Protection for US Companies, will discuss the issues faced by US companies that do business in Europe or simply interact with European customers.  We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply.  We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016.  The webinar will be presented by Susan Foster, a member in our London office, who is qualified as a solicitor in England & Wales as well as an attorney in California.

Sign up here to attend.

Cross-Device Tracking: The New World

Posted in Data Compliance & Security, Federal Trade Commission, Mobile Privacy, Online Advertising, Uncategorized

Facebook does it.  Google does it.  It’s everywhere in the mobile ad ecosystem.  And your smartphone does it more often than you know, according to a study released on Monday by Carnegie Mellon.

Now, Federal authorities have turned their attention to cross-device and cross-service tracking of consumers over the last several days and weeks. Speaking at a Federal Communications Bar Association and American Bar Association joint event on March 25, Federal Communications Commission Enforcement Bureau Chief Travis LeBlanc expressed his privacy concerns with Triple-Play providers of Internet, video, and voice services aggregating customer data collected from across all three services. This came just a day after reports that Google would be testing a new model for television advertising in markets where it sells both Google Fiber Internet and television service. Also on March 24, the House Commerce, Manufacturing and Trade Subcommittee held a hearing on the Internet of Things that included questions about how personal information could be protected when collected and shared by connected devices.

The FCC and the Uncertain Future of Privacy Oversight for Internet Service Providers

Posted in Federal Trade Commission, Privacy Regulation

The Federal Communications Commission’s (“FCC”) net neutrality proceeding culminated this month with the release of an Order reclassifying broadband Internet access service as a common carrier Telecommunications Service subject to regulation under Title II of the Communications Act. Previously, the FCC classified broadband service as a lightly regulated Title I Information Service, while Title II was primarily used to regulate telephone service. This decision by the FCC has two major privacy implications for broadband customers and Internet Service Providers (“ISPs”).

First, as previously reported on this blog, the FCC’s reclassification decision puts in flux which federal agency has authority to enforce ISPs’ privacy policies. Until now, the Federal Trade Commission (“FTC”) has asserted its Section 5 authority over “unfair or deceptive” practices to bring enforcement actions against companies that violate their own privacy policies or fail to adequately safeguard customer data. The FTC has brought dozens of actions over privacy policy violations, and previously declared that it has the authority to do so specifically against broadband providers that violate their published policies. In fact, though not a privacy allegation, the FTC recently used its Section 5 authority to bring an enforcement action against AT&T in its capacity as an ISP for allegedly “throttling” data throughput even when a customer signed up for an unlimited data plan.

But Section 5 of the FTC Act exempts common carriers from FTC oversight of “unfair methods of competition… and unfair or deceptive acts or practices.” With broadband service soon to be regulated as common carriage in light of the FCC’s Order, and broadband ISPs regulated as common carriers, the FTC will likely lose its enforcement authority over that service to the FCC. In the fall of 2014, FTC Commissioner Maureen Ohlhausen expressed concern over the FTC’s continued ability to protect consumers should the FCC decide to pursue reclassification, and FTC officials, including FTC Chairwoman Edith Ramirez and Consumer Protection Director Jessica Rich, recently reiterated those concerns and called on Congress to eliminate the common carrier exemption. One data security and breach notification bill currently before the House Subcommittee on Commerce, Manufacturing, and Trade would do just that in the limited context of privacy.

Second, broadband service is now subject to the privacy provisions of Title II that protect Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service. However, the FCC’s rules implementing those provisions are mostly inapplicable to broadband service as they specifically focus on protecting information related to telephone calls, such as phone numbers dialed and the duration of calls. To resolve this dilemma, the FCC’s Order applies Section 222 of the Communications Act to broadband providers, which prohibits carriers from using or disclosing individually identifiable CPNI without consent except as needed for providing service, but forbears from applying the FCC’s current implementing rules pending further proceedings to adopt new rules that apply specifically to broadband.

Privacy Monday – March 23, 2015: COPPA Refresh

Posted in Children, Privacy Monday, Privacy Regulation

On Friday, the FTC published updates to the COPPA FAQs, the Commission’s compliance guide for businesses and consumers, to address the applicability of COPPA and the Amended COPPA Rule to educational institutions and businesses that provide online services, including mobile apps, to educational institutions. Specifically, nearly a year after the last update to the “COPPA and Schools FAQs”, the Commission revisited its answers to FAQs M.1, M.2, and M.5 and deleted FAQ M.6 in an attempt to streamline the FAQs to provide further clarity on the key topics of notice and consent, best practices for educational institutions, and the interplay between COPPA and other federal and state laws that may apply in the education space. To access our blog post on the prior update to the COPPA and Schools FAQs please click here.

Round of 32: Social Media Policies over At-Will Employment

Posted in Uncategorized

If you’ve been following our sister blog, Employment Matters, then you will understand the headline.  If you have not, you should click over there and check out the tournament action on a Friday afternoon while you are … streaming some other things.  Social Media Policies won out in the Round of 32 over At-Will Employment, but BYOD Policies fell in a buzzer beater to Pregnancy Accommodations.

Precedent and the Price Explain Why Target and the Consumer Class Agreed to an Early Data Breach Settlement

Posted in Class Action Litigation, Data Breach, Data Breach Notification, Privacy Litigation, Uncategorized

On March 18, 2015 – just three months after denial of a motion to dismiss consumer claims arising from Target’s 2013 data breach – Target and the consumer class filed papers seeking approval of a settlement.  The proposed settlement agreement creates a $10 million cash fund to be paid out to class members claiming actual damages arising from the settlement.  Settlement funds will be distributed in a claims-made process to be run by a settlement administrator (the cost of which will be borne by Target).  The maximum claim amount is $10,000.  Claims without supporting documentation are capped at lower dollar amounts.  Unclaimed funds will not revert to Target, but will be redistributed to class members submitting claims or as otherwise directed by the Court.  The settlement also calls for non-cash relief consisting of the adoption of certain data security protection practices and appointment of a chief information security officer.  Finally, class counsel have indicated that they will apply for $6.75 million in attorneys’ fees.

Why the quick settlement?