Privacy & Information Security Law Blog

On April 19, 2017, the FTC announced that it is seeking public comment on proposed changes to TRUSTe, Inc.’s safe harbor program under the Children’s Online Privacy Protection Rule (the “Proposed Changes”). As we previously reported, New York Attorney General Eric T. Schneiderman announced that TRUSTe agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. The Proposed Changes are a result of the settlement agreement between TRUSTe and the New York Attorney General.

On April 4, 2017, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the Proposed Regulation of the European Commission for the ePrivacy Regulation (the “Proposed ePrivacy Regulation”). The Proposed ePrivacy Regulation is intended to replace the ePrivacy Directive and to increase harmonization of ePrivacy rules in the EU. A regulation is directly applicable in all EU Member States, while a directive requires transposition into national law. 

On January 23, 2017, the FTC released a Staff Report (the “Report”) on cross-device tracking technology that can link multiple Internet-connected devices to the same person and track that person’s activity across those devices. The Report follows a November 2015 workshop on the same subject and is based on information and comments gathered during that workshop.

On December 20, 2016, the FTC announced that it has agreed to settle charges that Turn Inc. (“Turn”), a company that enables commercial brands and ad agencies to target digital advertising to consumers, tracked consumers online even after consumers took steps to opt out of tracking.

On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive"). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).

On May 21, 2014, California Attorney General Kamala D. Harris issued guidance for businesses (“Guidance”) on how to comply with recent updates to the California Online Privacy Protection Act (“CalOPPA”). The recent updates to CalOPPA include requirements that online privacy notices disclose how a site responds to “Do Not Track” signals, and whether third parties may collect personal information about consumers who use the site. In an accompanying press release, the Attorney General stated that the Guidance is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.” The Guidance is not legally binding; it is intended to encourage companies to draft transparent online privacy notices.

On September 27, 2013, California Governor Jerry Brown signed into law a bill amending the California Online Privacy Protection Act (“CalOPPA”) to require website privacy notices to disclose how the site responds to “Do Not Track” signals, and whether third parties may collect personal information when a consumer uses the site. Although the changes to the law do not prohibit online behavioral advertising, this is the first law in the United States to impose disclosure requirements on website operators that track consumers’ online behavior.

On September 23 and 24, 2013, a declaration and eight resolutions were adopted by the closed session of the 35th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. This blog post provides an overview of the declaration and the most significant resolutions.

Internet users have expressed increasing concern about efforts to track their online activities. As the online tracking methods used to target advertisements have expanded in both scope and complexity, regulators have taken notice and have begun to act in the online behavioral tracking and advertising space. In an article published in the November/December 2012 issue of IP Litigator, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, and Melinda L. McLellan, a senior associate on the firm’s Privacy and Data Security team ...

On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report charts a path forward for companies to act in the interest of protecting consumer privacy.

In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, “Simply put, your computer is your property; no one has the right to put anything on it that you don’t want.” In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of this year, the new Congress likely would introduce a legislative solution.

The Digital Advertising Alliance (“DAA”) recently announced that its members will work “to add browser-based header signals to the set of tools by which consumers can express their preferences” not to be tracked online and will work with browser providers to develop “consistent language across browsers…that describes to consumers the effect of exercising such choice.”

This announcement came on the heels of the Obama administration’s release of a framework for a Consumer Privacy Bill of Rights. The DAA’s agreement represents the industry’s attempt to appease consumer privacy concerns in the face of the growth of online advertising. The DAA represents over 400 advertising and technology companies.

On November 17, 2011, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited “disturbing” reports about Facebook’s ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent.

Following the U.S. Supreme Court’s ruling in Sorrell v. IMS Health, Thomas Julin, partner at Hunton & Williams LLP who represented IMS Health in the case, closely studied the Court’s decision to assess its implications, including with respect to other forthcoming legislation.  In an interview with Marty Abrams, President of the Centre for Information Policy Leadership, during the Centre’s First Friday Call on September 9, 2011, Julin discussed the close parallels between the law invalidated in Sorrell v. IMS Health and proposed federal regulation of behavioral ...

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

On July 12, 2011, Stanford Law School’s Center for Internet and Society reported the preliminary results of tests conducted with experimental software designed to detect third-party tracking.  Over the months spent developing “a platform for measuring dynamic web content,” researchers at the Stanford Security Lab analyzed tracking on the websites of Network Advertising Initiative (“NAI”) participants by observing how cookies are altered when a user opts out of behavioral tracking on the NAI website, or enables Do Not Track.

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  First, Senator Rockefeller noted S. 917, the Do-Not-Track Online Act of 2011, a bill he introduced that would allow consumers to tell online companies that they do not want their personal information collected and require companies to honor those requests.  Second, the Senator referenced S. 799, the Commercial Privacy Bill of Rights Act of 2011, legislation introduced by Senators John Kerry (D-MA) and John McCain (R-AZ) that would comprehensively address privacy protection.  Finally, Senator Rockefeller spoke about S. 1207, the Data Security and Breach Notification Act of 2011, which he and Senator Mark Pryor (D-AR) reintroduced.  That bill would impose an obligation on companies to adopt basic security measures to protect sensitive consumer data and require companies to notify affected consumers in the event of a breach.  Senator Rockefeller emphasized several times his committee’s jurisdiction over privacy and data security issues.

On May 9, 2011, Senator Jay Rockefeller (D-WV), the Chairman of the Senate Committee on Commerce, Science and Transportation, introduced the “Do-Not-Track Online Act of 2011” (the “Act”).  The Act instructs the Federal Trade Commission to promulgate regulations that would (1) create standards for the implementation of a “Do Not Track” mechanism that would enable individuals to express a desire to not be tracked online and (2) prohibit online service providers from tracking individuals who express such a desire.  The regulations would allow online service providers to track individuals who do not want to be tracked only if (1) the tracking is necessary to provide a service requested by the individual (and the individuals’ information is anonymized or deleted when the service is provided), or (2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.

On February 11, 2011, Representative Jackie Speier (D-Calif.) introduced two pieces of legislation that, in her words, “send a clear message—privacy over profit.” The Do Not Track Me Online Act of 2011 (HR 654), would direct the Federal Trade Commission to promulgate regulations that establish standards for a “Do Not Track” mechanism. The regulations also would require covered entities to disclose their information practices to consumers, and to respect consumers’ choices regarding the collection and use of their information. The bill includes a provision that would allow the FTC to exempt from its regulations certain “commonly accepted commercial practices” such as using consumer information to provide and improve products and services, to comply with law, or to carry out basic business functions like accounting, quality assurance or internal auditing.