From pli’s Course Handbook Communications Law in the Digital Age 2009

From PLI’s Course Handbook

#18947

4

Privacy protection, Safety and Security

A. Proposed Congressional Legislation 3

B. FTC on Self-Regulatory Behavioral
Advertising Principles 9

C. Advertising Trade Groups Release

D. European Regulators Aim to Protect

E. Maine Enacts Law to Restrict Marketing

to Minors 16

F. Google Sees Up and Down Battle in

G. FTC Seeks to Monitor Blogs for Endorsements 19

A. ‘Red Flags Rule’ Set to Take Effect 22

B. Proposed Federal Legislation to Protect
Personal Data, Require Notification 25

C. HIPAA Breach Notification Rule Issued 27

D. Supreme Court Requires a ‘Knowing
Theft’ for Aggravated Sentence 28

E. Social Security Numbers Can Be Guessed 31

F. Massachusetts and Nevada Encryption Laws
Could Become National Standard 34

G. Class Actions in ID Theft and Data Breach Cases 37

H. Hacking: Threats and Consequences 44
III. GOVERNMENT AND PRIVATE SECTOR

SURVEILLANCE AND DATA

MANAGEMENT 52

A. Unclassified Report on U.S. Wiretapping 52

B. Court Challenges to Wiretapping Program 54

C. Emerging Technology to Monitor

D. Google Street View Seen as Privacy Threat 58

E. RFIDs Can Be Tracked 64

F. Videos Lead to Accusations of Breaking

G. Entrusting Google, Amazon With Personal,

H. Bloggers in Court 74

I. Advances in Phone Technology Bring Benefits,

Risks 77

A. Requests for Passwords to Social Networking

Sites 81

B. Be Wary of Writing Reviews on LinkedIn 83

C. Confusion and Abuses of FERPA 85

D. Split Develops in Application of Computer

E. Limits to What Employers Can Know,

F. N.J. Law Would Prohibit Prosecuting

A. EU Regulators Recommend Stricter Rules 97

B. Canada Privacy Commissioner Warns
Facebook To Tighten Privacy Controls 100

C. Reporters’ Use of Social Networking Sites 102

D. Sites Offer a Vehicle for Scams and Viruses 106

E. Court Cases Involving Social Networking Sites 107

F. Chinese Social Networking Sites Go Offline 117
When considering online privacy protection, safety, and security, lawmakers and regulators struggle to keep pace with rapidly emerging technologies that raise new challenges. Balancing traditional notions of privacy and the First Amendment with technological advances is further complicated by the need to consider any proposed oversight in light of international regulatory developments. Any discussion of data privacy and security must address comparable initiatives abroad, both as a means to explore emerging regulatory ideas in this country and to understand the rules that will govern entities such as Google and Facebook, headquartered in the United States, but with users around the globe.
I. DATA COLLECTION AND BEHAVIORAL

ADVERTISING
A. Proposed Congressional Legislation
House lawmakers have announced plans to develop national privacy legislation designed to provide Internet users more control over the information that is being collected about their online activity.¹ Rep. Rick Boucher (D-Va.), chairman of the House Internet subcommittee, the entity leading the legislative effort, believes “consumers are entitled to some baseline protections” from behavioral advertising.² Toward this end, a Senate committee and two House subcommittees have held hearings to learn about the benefits, potential abuses, and privacy concerns arising from Internet use.³ Representatives of Internet service providers (ISPs), online advertisers and consumer groups are among those who have provided insight on the current state of private sector monitoring of Internet use. These individuals and groups have also offered suggestions on what the proposed legislation should include.

The reality that consumers’ online activity can be tracked and fed back to them as targeted advertisements raises privacy concerns, but lawmakers have been urged to take into consideration the benefits consumers, ISPs and online retailers receive from the technology, particularly in a depressed economy. Boucher has tentatively proposed some “baseline” measures. These include an easy-to-find privacy policy alerting consumers to what information is collected about them, how it is used, stored and whether it is sold to third parties, as well as the ability to opt-out, or prevent parties from using the information.⁴

Aside from the privacy implications of DPI, some worry that the technology will enable an ISP to block, or at least slow, the transmission of content that does not help its bottom line finances while letting other traffic take priority. “The thought that a network operator could track a user’s every move on the Internet, record the details of every search and read every e-mail or attached document is alarming,” Boucher said at the outset of a subcommittee hearing on April 23, 2009, on recent developments in consumer privacy. Consumers often do not know information is being collected about them online, and if they do, they often do not know who is collecting it or how it will be used. “In the absence of legal rules, companies that are gathering this data will be free to use it for whatever purpose they wish – the data for a targeted ad today could become a detailed personal profile sold to a prospective employer or government agency tomorrow,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a non-partisan research organization.⁶

Internet companies take varying approaches to collecting and using data for targeted advertising. Facebook claims its use of targeted advertising enables the company to offer the social networking site free of charge. Chris Kelly, Facebook’s privacy officer, explained to lawmakers that Facebook uses information in individual profiles, such as someone’s favorite movies, but that this is transmitted to third parties in non-personally identifying form. For example, Kelly said users may see an advertisement for a film screening based on what they list as their favorite movies, but personally identifying information (name, e-mail address and other contact information) will not be given to advertisers. Kelly acknowledged the company may have previously been “inartful in communicating with our users and the general public about our advertising products,” but that “users should choose what information they share with advertisers.”¹¹

Consumers have started to take action when they suspect companies go too far in monitoring their Internet usage to create targeted advertisements. Internet subscribers filed separate class action lawsuits in California federal court against the online advertising companies NebuAd²¹ and Adzilla.²² The subscribers allege that the companies violated their privacy and Internet security rights by monitoring the content of their online activity without their consent in order to produce targeted ads. Scott Kamber, the plaintiffs’ attorney in both cases, said that as these “deceptive tactics” become more common in a slumping economy, “it’s going to be harder for [companies] to explain to a judge that this is appropriate.”²³

These principles incorporate many of the self-regulatory measures advanced by the FTC in its Feb. 12, 2009, report, and in some cases go even further to protect consumer privacy. For example, the principles lay out a generally defined means of enforcement by instituting monitoring programs and requiring a way to collect complaints from the public. “Programs will also, at a minimum, publicly report instances of noncompliance and refer entities that do not correct violations to the appropriate government agencies,” the report says. The trade group report flatly prohibits the collection of information about children, and requires consent to collect health and financial data.

Similar to the FTC report, the trade groups would require that consumers be informed information is being collected about them and require their consent to do so. However, it is unclear if the trade groups go as far as the FTC wants by requiring consent to collect all data, including personally identifiable and non-personally identifiable data. The FTC welcomed the report as having “the potential to dramatically advance the cause of consumer privacy,” FTC Commissioner Pamela Jones Harbour said in a statement after the release of the report.²⁶

The principles do not go as far as to require explicit approval of all data collection. Stuart P. Ingis, a partner at Venable LLP, which represents the trade groups, said such a measure would not be feasible. “If you had that as a default, you would wind up undercutting significantly the economic underpinnings for all the stuff the public loves,” Ingis said. “The way, operationally, that would work is every time a consumer’s doing their Web surfing, you’d be requiring them to click through all these options. Consumers would hate that.”²⁷

Marc Rotenberg, executive director of the Electronic Privacy Information Center, called the principles “almost meaningless” and predicted that Congress would pass legislation hemming in information collection by advertisers.”There's very little appetite in Washington today for self-regulation,” said Rotenberg. “People have no idea about how much information is being collected about them online.”²⁸

The groups hope to have the accountability programs in place by the beginning of 2010, which would probably predate any federal legislation. The principles were developed by the American Association of Advertising Agencies, Association of National Advertisers, Council of Better Business Bureaus, Direct Marketing Association, and Interactive Advertising Bureau.

The proposal must be approved by the European Parliament and EU governments in the Council of Ministers before becoming law.³² In July 2009, the UK’s House of Lords EU Committee publicly opposed approving the directive.³³ The committee questioned the two-year limit on a trader’s responsibility for repairing or replacing faulty goods because of a concern it could lead to the production of less durable items. The Committee did not call for the proposal to be scrapped and recognized the need to update EU consumer law. However, it pointed to other factors, such as culture, language, the cost and distance of delivery, as also playing a role in increasing cross-border trade.

Kuneva urged the industry to develop self-regulating principles. In doing so, she raised many of the concerns shared by the FTC and members of Congress, including the inaccessibility of online privacy policies and the lack of clear opt-out systems to prevent the collection of online data. She called for more transparent privacy policies, meaningful opt-in or opt-out options, and clear identification of commercially sponsored messages. Kuneva also expressed concern for times when beneficial targeted advertisements might turn into “pressure,” such as when a person with high cholesterol views on online advertisement for recommended treatment.

On Aug. 19, 2009, the United Kingdom’s Office of Fair Trading announced that it will study the impact on consumers of potentially misleading advertising and pricing of goods and services, with an emphasis on the Internet.³⁵ The study may also look at how personal information is gathered online for use in behavioral advertising. “The way that businesses advertise and price goods and services constantly evolves, and we need to keep up to date on how consumers view these adverts, and the types of advertising and prices which may mislead,” said Heather Clayton, senior director of the office’s Consumer Market Group.³⁶ The office was seeking input from consumer groups and businesses through Sept. 18, 2009, to determine the precise scope of the study.