Consumer Protection

In with the New: 2014 Privacy, Advertising and Digital Media Predictions

Data privacy and security made the headlines practically daily in 2013.  Our second annual Privacy and Data Protection 2013 Year in Review topped 65 pages!

What privacy, advertising and digital media trends will make headlines in 2014? Here are predictions from Of Digital Interest’s U.S. editorial team:

User Tracking Law Enforcement in California: “Amendments to the California Online Privacy Protection Act (CalOPPA) took effect on January 1, 2014 that require every website that is available to California residents to disclose how it responds to Do Not Track signals from web browsers and what third party data collection is occurring on the website.  I predict that we will see enforcement activity from the California Attorney General about whether website owners/operators have made disclosures to consumers that not only meet the new CalOPPA requirements but also accurately reflect tracking activities by the website and by third parties.”  – Heather Egan Sussman, Partner

No Kid-ding:  “January 1 marked the six-month anniversary of the effective date of the amended “COPPA Rule,” which requires businesses to have parental consent before personal information is collected from kids under age 13.  Having just approved a parental consent method (in December), I predict that the Federal Trade Commission (FTC) will initiate COPPA enforcement actions related to social media (now that photos and videos are personal information under COPPA) and in mobile apps (now that COPPA covers geo-location data).  Perhaps the FTC will start by investigating the app developers to which the FTC sent letters explaining their new COPPA compliance responsibilities last May.”  – Julia Jacobson, Partner

Safe Harbor Will Stay Safe:  “Last year’s government surveillance accusations made the U.S. Safe Harbor Program a flash point for debate between EU and U.S. data protection regulators.  Nevertheless, very few on either side of the Atlantic believe that companies properly certified under the Safe Harbor Program should disrupt data transfers necessary to meet credible business objectives.   I predict that the rhetoric will continue, but so will the U.S. Safe Harbor Program, albeit perhaps tweaked in response to the European Commission’s recently-issued recommendations to improve the Program’s effectiveness.   More debate to come in 2014, but, meanwhile, many U.S. companies will continue to view Safe Harbor certification as their preferred approach to E.U. data protection compliance and will continue to implement data protection policies and programs intended to comply with the Safe Harbor Principles.”  – Ann Killilea, Counsel

Cloudy Forecast:  “The year of 2014 is quickly becoming the year of the mega-sized data breach, with the Target and Neiman Marcus incidents leading the way.  Corporate customers have long been aware that cloud offerings present data security concerns, but may not have been as laser-focused on the data breach aspects as they should.  I predict that in 2014, as the cloud service market becomes a commercial fact of life, data breach concerns will dominate how customers select and contract with their cloud service providers, and how they implement their incident response plans by including cloud service providers in their preparations.”  – [...]


New COPPA Parental Consent Method Approved by FTC

The Federal Trade Commission’s (FTC) amended Children’s Online Privacy Protection Act (COPPA) Rule (16 CFR § 312 et seq.), effective July 1, 2013, allows industry groups and companies to apply for FTC approval of new parental consent methods that aim to provide substantially the same or greater protections for children’s online privacy than the parental consent methods described in COPPA.  COPPA requires parental consent to be “verifiable.”  Thus, the key to establishing a new parental consent verification method under COPPA is to demonstrate that the authentication process is sufficiently reliable to ensure that the person providing consent is the child’s parent.

To date, three companies have applied to the FTC proposing new consent methods.  The first application, filed in June 2013, proposed a social network-based verification method whereby the system would ask a parent’s “friends” on a social network to verify whether the person providing consent is the child’s parent.  The FTC rejected the proposal as lacking sufficient proof of reliability.  The FTC noted that, although the proposed method requires a minimum number of verifiers and a minimum “trust score,” the proposal failed to establish a particular “trust score” or a particular number of verifiers as adequate for authentication purposes.  The FTC viewed the proposed method as involving an emerging technology and requiring further efficacy studies.

Unlike the first application, the other two applications both proposed more conventional knowledge-based authentication (KBA) methods similar to those used by financial institutions and credit bureaus.  According to the FTC, these types of KBA methods, when implemented properly, are sufficiently reliable for identity authentication.

The second application, filed in August 2013, proposed a system that requires a child signing up on a website or mobile app to provide the name and email address of a parent.  The system would send an email notification to the email address provided by the child that contained a link for the parent to grant consent and provide name, address, birthdate and the last four digits of his/her Social Security number (SSN).  Then, the system would verify the parent’s identity by cross-checking the information provided against various consumer databases.  If the parent’s identity cannot be verified by the cross-checking process, the system, as the fallback option, would ask the parent to answer a series of knowledge-based personal questions (previous addresses, phone numbers, etc.).

The third application, filed in October 2013, adopted a similar but more rigorous process than the process described in the second application.  The third proposed method would use the name, address and last four digits of SSN provided by the parent to locate the parent’s “unique data record” from consumer databases and to generate up to six random questions that the parent must correctly answer for verification to be successful.  The parent also would be required to provide a telephone number for the system to call to complete the process.  This third application is open to public comment until late January 2014.

On December 23, 2013, the FTC approved the method described in the second application [...]


The UK ICO’s Vision for the Future

The United Kingdom Information Commissioner’s Office (UK ICO), the UK regulator of information rights, has issued a consultation document to get feedback from consumers and stakeholders on the role and impact it should adopt in the future. According to the UK ICO, the main challenges to be faced in the coming years are an increasing workload coupled with funding cuts and the introduction of the European Union data protection reform package.

The UK ICO expects that, going forward, systemic problems will be addressed ahead of individual lapses, with investigations being triggered when a series of complaints from individuals are received in relation to a problem. The UK ICO is also eager to coordinate with other data protection authorities and to encourage the use of trust marks, privacy seals or other methods of certification to bolster individuals’ rights.

The UK ICO plans to publish its findings in March 2014, along with its 2014-2017 corporate plan.





Lights, Camera …Action on Your Website Documents

Terms and conditions of use and data privacy policies on websites, applications and other online and mobile services (aka “digital services”) are the subject of much discussion and debate among lawyers and lawmakers and in popular culture.  A new documentary discussing such terms – descriptively titled “Terms and Conditions May Apply” – examines whether consumers read and/or understand the terms and conditions to which they routinely agree when registering for or using digital services.  One humorous example from the film showed that 7,500 people agreed to terms and conditions requiring them to sell their immortal souls to the UK retailer GameStation.

Regardless of whether users take the time to read them, a patchwork of state and federal laws obligates businesses to provide such policies and terms and comply with the representations made in them.  In future posts, we will discuss some current best practice trends for these website agreements and policies.  In the meantime, every business with an online presence should take the time to make sure they have posted terms and conditions to which they can and do adhere.





Privacy and Data Protection: 2013 Year in Review

Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.

Read the full report here.





Are Your Robocalls Legal? Following Federal Law May Not Be Enough

Last week’s Seventh Circuit ruling in Patriotic Veterans v. State of Indiana confirms that businesses should check both federal and state laws before using automatic dialing systems (ATDS) to deliver prerecorded or synthetic voice messages known as “robocalls”.

The Telephone Consumer Protection Act (TCPA) is a federal law that generally prohibits robocalls to residential telephone lines without the prior express consent of the party receiving the call.  However, calls that are not made for a commercial purpose, including calls made for political purposes, are exempt from the TCPA.

The TCPA contains a preemption clause that states “nothing in this section . . . shall preempt any State law that imposes more restrictive intrastate requirements or regulations on, or which prohibits:

  • the use of automatic telephone dialing systems;
  • the use of artificial or prerecorded voice messages;” (emphasis added)

Notably, the State of Indiana’s Automated Dialing Machine Statute imposes “more restrictive” requirements, because while it does have some limited exemptions, it does not contain the TCPA’s exemption for political calls.

In Patriotic Veterans, an Illinois based non-profit sought to make robocalls for political purposes across state lines to Indiana residents.  Not wanting to pay for the live callers that would be required under the Indiana law, Patriotic Veterans filed a complaint in federal court against the State of Indiana and the Indiana Attorney General, seeking a declaration that the Indiana law was, among other things, pre-empted by the TCPA.

The District Court agreed with Patriotic Veterans, holding that the TCPA preempted the Indiana statute and granting Patriotic Veterans’ request for an injunction against enforcement of Indiana’s law with respect to political messages, but stayed the injunction pending the appeal.

The Seventh Circuit Court of Appeals reversed.  The Court concluded that there was no express preemption in the statutory language because “the TCPA says nothing about preempting laws that regulate the interstate use of automatic dialing systems. Therefore, we must conclude that they are not preempted. The plain language of the text reinforced by the presumption against preemption prevents this court from looking any further[.]”  The Court further concluded that there was no implied preemption for two reasons: (1) the federal regulatory scheme is not so pervasive or dominant as to make clear that Congress intended to occupy the entire legislative field, and (2) it is possible to comply with both laws (even if inconvenient or expensive for Patriotic Veterans).

What Does This Mean for Businesses?

The ruling in Patriotic Veterans further confirms that mere compliance with the TCPA is not enough.  Courts are unlikely to strike down state laws that are more restrictive than the TCPA, so it is important for businesses that are developing a robocalling strategy to check the laws of the states where they plan to contact residents.  Any such strategy should include a plan to comply with both the TCPA and the applicable state law requirements.





Consumer Data Privacy Update for Marketers, Part 2: New Telemarketing/Text Message Marketing Rules Effective October 16, 2013

The Federal Communications Commission (FCC)’s Report and Order 12-21 (Order 12-21), issued in February 2012, describes revised telemarketing rules that became effective during the past 12 months.

The FCC’s telemarketing rules are issued under the Telephone Consumer Protection Act (TCPA) and apply to a telephone call to a residential landline or wireless number or a text message that is initiated for advertising or telemarketing purposes and uses an “automatic telephone dialer system” (ATDS) or an “artificial or prerecorded” voice message.

The three major changes implemented during the past year are:

(i) Abandoned calls rule effective November 16, 2012: Telemarketers must ensure that no more than three percent of calls answered by a person are “abandoned” (i.e., not answered by the telemarketer within two (2) seconds after the called person answers) during a 30-day calling campaign period;

(ii) Opt-out mechanism effective January 14, 2013: Artificial or prerecorded telemarketing messages must include an automated, interactive mechanism that enables the called person to opt out of receiving future prerecorded messages; and

(iii) Prior express written consent rule effective October 16, 2013: “Prior express written consent” (as described below) of the called person is required[i] for:

  • telemarketing calls to a wireless telephone number when an artificial or prerecorded message or ATDS is used;
  • telemarketing text messages sent using an ATDS; or
  • telemarketing calls to a residential landline telephone number using an artificial or prerecorded message.

“Prior express written consent” means a written agreement signed by the called person that clearly authorizes delivery of advertising or telemarketing messages using an ATDS or an artificial or prerecorded voice message and clearly states that agreeing is not a condition of buying any product or service.  A written agreement may be “signed” electronically using any method recognized under the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act) or applicable state contract law.  The E-SIGN Act recognizes a signature as an “electronic sound, symbol or process” that is “attached or logically associated with” an agreement and “adopted by a person with the intent to sign.”

Although industry standards have required express opt-in consent for recurring text messaging programs prior to implementation of the FCC’s prior express written consent rule, consent obtained under the old regulatory framework is not sufficient under the new FCC consent rule because (among other requirements) the “agreement” to which the consumer consents (i) must include reference to use of automated technology and (ii) “must be obtained without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.”

Action Step for Marketers: Obtain New Opt-in Consent for Telemarketing and Mobile Marketing

Obtaining new opt-in consent consistent with the requirements of the new FCC consent rule is best practice because the sender bears the burden of proving that it has obtained prior express written consent that meets the FCC standards.  Relatedly, implementation of a record-keeping system through which evidence of compliant consent is retained for at least three years (i.e., the statute [...]


Welcome to McDermott’s Of Digital Interest Blog

Welcome to McDermott’s Of Digital Interest blog!

The global digital economy continues to rapidly expand and we can only imagine where technological innovation will take us next.  Every day companies are developing new and exciting ways to leverage the Internet and digital connectivity to make businesses more efficient, improve individual outcomes, facilitate customer engagement and maximize the power and value of data.

At the same time, privacy, data security, digital advertising and online consumer protection continue to be among the fastest growing areas of the law around the globe.  In the digital realm, jurisdictional lines can be crossed in nanoseconds, and this compounds compliance challenges.  With more than 50 attorneys in our group around the world, McDermott’s international, multi-disciplinary team of lawyers works hard to keep abreast of important developments and trends so we can help our clients meet those challenges.

This blog is the natural extension of those efforts and it is designed to provide legal professionals and risk managers with practical insights into regulatory developments, industry trends and current issues impacting the digital environment.  From major developments in privacy and data security, to new strategies for legitimizing cross-border data transfers, to coverage of hot topics like user tracking and geolocation, and the latest trends in the specialized field of online advertising, internet promotions and beyond, we expect that this blog will serve as a trusted resource for professionals who are responsible for managing data and compliance in the digital age.

We hope you find Of Digital Interest to be both interesting and helpful and we welcome your feedback.  If you have questions or topic suggestions, please let us know via the “Contact Us” form or feel free to reach out to one of the editors directly.

Heather Egan Sussman and Rohan Massey
Co-chairs, McDermott’s Privacy and Data Protection Practice





Consumer Data Privacy Update for Marketers, Part 1: Children’s Online Privacy Protection Act Amendments

New technologies enable marketers to collect and analyze more — and more specific — data than ever before.  Marketers can track consumers across the internet and mobile applications, and can deliver advertising based on consumers’ interests inferred from the collected data.  In theory, consumer tracking enables marketers to present advertising to consumers who are predisposed to a specific product or service, producing a higher purchase rate and transaction price, and a greater return on investment in marketing activities.

While these new technologies make advertising and marketing more targeted and efficient, they also present new challenges for marketers.  Although a majority of consumers understand the “pay with data” model through which websites, mobile applications and other digital services are made available at no cost, they do not want advertisers to track them or to aggregate the tracking data into so-called “big data” databases.  Consequently, consumer digital privacy has been the subject of many recent news articles – from lawsuits filed by consumers against email service providers and social media platforms for undisclosed data mining to senatorial requests to data brokers for transparency.

In this four-part series, we will highlight some recent developments in consumer data privacy law and suggested steps for marketers on how to address them.

Children’s Online Privacy Protection Act Amendments

The Children’s Online Privacy Protection Act (COPPA) is a federal statute enacted in 1998 that requires operators of commercial digital services to provide parental notification and obtain verifiable parental consent prior to collecting personal information from children under 13.  To implement COPPA, the Federal Trade Commission (FTC) issued a set of regulations known as the Children’s Online Privacy Protection Rule (COPPA Rule).  On December 19, 2012, the FTC released amendments to the COPPA Rule which became effective July 1, 2013.

The amended COPPA Rule enhances online privacy protection for children and makes digital services’ operators more accountable for data collection activities involving children under age 13.  Notable for marketers is a new liability standard for third-party service providers.  Specifically, effective July 1, 2013:

  • The operator of “children-directed” (i.e., intended for children under age 13) online or mobile websites and services is strictly liable for actions of independent third parties – including social media plug-ins – on/through its website and mobile services if the third party is acting as its agent or service provider or if the operator benefits by allowing the third party information collection; and
  • A software plug-in, ad network or similar party that collects information on or through a third-party’s online or mobile website or service now is liable under COPPA if that party has actual knowledge it is collecting personal information on a children-directed platform.

The amended COPPA Rule makes several other key changes to the original COPPA Rule, including:

  • An expanded definition of personal information to include geo-location information, a child’s photo or audio or video file, screen or user names, and persistent identifiers, such as information held in a cookie, an IP address, a mobile device [...]


To Track or Not to Track

October 21, 2013

Digital advertising based on tracking users’ interests and related privacy concerns have been the subject of many recent news articles. What does this mean for businesses?  Evolving industry practices and new legislation relating to online privacy and user tracking likely require changes to online privacy practices and policies.

To read the full article, click here.




