Expanding Definition of What Constitutes “Personal” Information
The definition of what constitutes “personal information” varies depending on the law in question. This can be confusing – and complicated – when companies are trying to design a comprehensive privacy program. What should be the baseline for the types of information to be protected? What provisions should go into agreements with vendors who receive potentially personal information? These are only two of the myriad questions that arise.
Historically, US laws focused on the more obviously “sensitive” information like financial and health information, social security numbers, and government ID numbers.
Similar expansions of the definition of personally identifiable information have been seen in other laws, like the amended Children’s Online Privacy Protection Act (COPPA) Rule. We are also seeing a similar expansion of what constitutes personal information in data breach laws: the information whose breach triggers notification to an impacted individual has moved from the more traditional categories (financial information, social security numbers, government IDs) to contact information (e.g., breach of user names or passwords). Starting in mid-2014, for example, Florida began to require notification if a user name or password, in combination with a password or security question/answer, was breached. This modification mirrored a similar change to the California breach notice law, which went into effect January 1, 2014.
Evolving Definition of “Personal”
Traditionally, US laws only included “sensitive” information in definitions of “personal” information. The laws then evolved to include “personal” contact information. Going even further are laws that govern or restrict how that information can be used; examples include CAN-SPAM and the Telephone Consumer Protection Act. The California Online Privacy Protection Act (CalOPPA) includes in the definition of personally identifiable information “any . . . identifier that permits the physical or online contacting of a specific individual.” Cal. Bus. Code § 22577(a)(6). In an online environment, this could include identifiers not traditionally thought of as personal but that are nevertheless used to serve targeted advertising (“contacting” a specific person). As a result of an amendment to CalOPPA in 2014, companies that engage in these kinds of activities now have heightened disclosure obligations.
Figure: categories of “personal” information
- Sensitive: SSN, financial, health information
- Identifiers: names and addresses
- Zip codes, location-based information
- Online activities, mobile app
1 Attorney advertising materials – © 2015 Winston & Strawn LLP
Changing Enforcement Landscape Outside US
The US has been seen as the jurisdiction that—while lacking one cohesive data protection law—has extensive privacy enforcement. Whether from regulators, the class action bar, or even competitors, privacy deficiencies carry a real risk of litigation in the US. This has traditionally not been the case in jurisdictions outside of the US, despite the fact that many such jurisdictions do have comprehensive privacy laws. Instead, there has been a culture of working with the regulatory authority to achieve compliance and protection for consumers. This has been changing over the last few years, and 2014 has been no exception to this trend.
Enforcement Increasing Worldwide
Sample 2014 Cases
- Morpheus Theatre Society/Storybook Theatre: failed to get consent before sending marketing emails; information had to be destroyed
- Employee monitoring systems: three different companies; €33,000 total fines
- MCK Investigations: illegally obtained PII from Dept. of Social Protection
- KB Kookmin, Lotte Card, NH Bank: data loss penalties; IT manager stole USB drive
- First cookie fines: Navas Joyeros (jeweler); €5,000 fine
- British Pregnancy Advice Service: £200,000 fine; hacker attacked website
Not surprisingly, as in the US, many of the privacy-related cases that have occurred outside of the US have been after a publicized data breach. For example, the Irish Office of the Data Protection Commissioner brought an enforcement action against a private investigative firm, MCK Investigations, and two of its directors for violations of the Irish Data Protection Acts. The Irish privacy office alleged that the company had improperly obtained personal data from the Department of Social Protection and from the Health Service Executive. It further alleged that the information was improperly disclosed to credit unions.
The UK Information Commissioner’s Office has also been active on the data security front. It fined a registered charity, the British Pregnancy Advice Service (BPAS), £200,000 following an attack on its website. The attacker gained access to the personal details of thousands of individuals who had viewed the BPAS website. The ICO found that BPAS had failed to take appropriate technical and organizational measures to prevent unauthorized processing of personal data on its website. On the other side of the globe, the Financial Services Commission in South Korea imposed penalties on three domestic credit card companies for loss of data due to inadequate supervision and security measures. The three companies, KB Kookmin Co., Lotte Card Co., and the credit card division of NH Bank, were required to stop opening new accounts, extending credit through cash advances and loans, and participating in joint marketing initiatives with partners for a period of three months.
2014 Privacy Year In Review 2
Ongoing Legal Concerns with International Data Flows
Countries around the world are continuing to enact legislation governing the transfer of personal information about their citizens outside of the country. This can pose compliance hurdles for those located in other jurisdictions, and can be especially tricky for multinational operations.
The best known example is, of course, the long-standing EU Privacy Directive, implemented through national legislation in the EU member states. The laws restrict the transfer of personal information out of the EU to any country whose laws fail to offer “adequate” protection, unless the company transferring the information:
- Has a model contract in place,
- Has obtained consent from the individuals whose information is being transferred, or
- Has put in place binding corporate rules.
Currently, the European Commission recognizes the following jurisdictions as having laws ensuring an adequate level of protection for personal information:
Binding Corporate Rules
As the FTC gets more active, and as companies give greater scrutiny to their privacy operations, many are reconsidering Binding Corporate Rules. BCRs are rules a company develops—and has approved by an EU data protection authority—that outline how the company will globally handle personal information. BCRs had often been seen by US companies as too high a hurdle to meet, because in order to get it right, a US company had to intensely scrutinize its global privacy practices. Now that companies are devoting more resources to privacy practices, BCRs as a transfer option seem more reasonable. We are thus seeing a rise in the number of companies considering and pursuing Binding Corporate Rules.
EU/US Safe Harbor
For companies located in the US, there is another option: participation in the EU-US Safe Harbor program. Through the program, the US recipient of information from Europe certifies that it meets basic levels of data protection. This method had been viewed as the simplest approach, though making the self-certification was not without risks, as it did subject the company to exposure under the FTC Act. Specifically, failure to adhere to what was indicated in the certification would constitute a deceptive practice, actionable under the FTC Act (which prohibits unfairness and deception). In 2014 we saw 12 actions from the FTC in this space. These businesses, spanning a variety of industries, settled charges from the FTC that they falsely claimed to hold current certifications under the US-EU Safe Harbor framework.
Joining the EU in making it difficult to transfer personal information outside of its borders is Australia. While Australia has had a long-standing restriction on transferring data unless certain measures are in place, in 2014 it amended its privacy law. With respect to cross-border transfers, the law continues to prohibit cross-border transfers except in certain circumstances, for example where the entity has obtained express consent from the data subject or believes that the recipient is subject to laws similar to those in Australia. Now, however, instead of also being able to transfer data if the entity “takes reasonable steps to ensure” that the information will be used in accordance with Australian law, this particular exception has been revised to indicate that the transfer can occur under such an exception if the sending (Australian) entity ensures that the receiving (non-Australian) entity “does not breach” Australian law.
Legal Impact Increasing for Insufficient Data Protection
As we are seeing more and more data breach notifications hit the news, we have seen a rise in class action complaints being filed and an increase in federal and state regulatory scrutiny. Almost all of this scrutiny focuses not on whether the notice about the breach was sufficient. Instead, regulators and class action lawsuits have looked at whether or not the organization had sufficient underlying protection for the information that was breached. In other words: did the lack of protection mean that the company failed to exercise a reasonable duty of care in protecting the information that was breached? Notification poses a very real risk that many will be looking at a company’s full privacy program. We saw a number of cases in 2014 that illustrate just this risk.
For example, the Federal Communications Commission in October proposed a fine against TerraCom Inc. and YouTel America Inc. for alleged failures to protect the personal information of over 300,000 of their customers. According to the FCC, the companies placed personal information on servers that could be publicly viewed on the internet during a six-month time frame. The information included Social Security numbers and drivers’ license numbers. The privacy policies of both companies indicated that mechanisms were in place to safeguard information from unauthorized access. The FCC argued that letting the information be publicly viewable was both a violation of the Communications Act (which requires carriers to protect information) and a deceptive and misleading representation around consumer privacy protections (constituting unjust and unreasonable practices). This was the first case the FCC had brought over a data security matter, and it resulted in a $10 million fine.
The FTC has also been very active in this space, having brought over 50 privacy cases to date. In 2014, it settled with Fandango, LLC and Credit Karma, Inc. over allegations that the companies failed to safely transmit consumers’ sensitive data despite the companies’ representations to the contrary.
Meanwhile, in France, the largest French telephone and internet services company, Orange, was warned by the French data protection authority (CNIL) over a security lapse that led to a breach involving 1.3 million users.
These cases are not always successful. An Illinois state court dismissed several claims against Advocate Medical Group, for example, for failure to satisfy the injury-in-fact requirement for standing. And in Ohio, a class complaint filed after the 2012 breach of Nationwide Mutual Insurance was dismissed.
Figure: Class Actions; Federal Regulatory Action; State Regulatory Action
Rising Cost and Complexity of Data Breach Notification
Map: Breach Laws Are Going Global (legend: currently has breach notification law)
It is getting increasingly difficult for companies to handle nationwide data breach notifications. There are now 47 states with data breach notification laws (Kentucky became the 47th in 2014), as well as notification laws in DC, Puerto Rico, Guam and the US Virgin Islands. California and Florida both amended their laws in 2014 to expand the definition of what constitutes personal information that would trigger a duty to notify.
And now not only does Massachusetts require that companies have a written data security program, Florida may want to see a copy of it when a company notifies the state that it has suffered a data breach. Iowa also expanded its data breach notification law in 2014 to cover breaches involving personal information in both electronic and paper formats.
Not only do statutes continue to change in this area, but class action activity in 2014 also continued to be significant. With increased notification obligations, increased class action lawsuits are likely to follow.
Monetizing Online Tracking Grows to Monetizing Mobile Tracking
For many years, companies that engage in online behavioral advertising have had to address the FTC’s Online Behavioral Advertising Principles, and similar guidance from the Digital Advertising Alliance—a self-regulatory group. These guides call on companies to disclose when they engage in tracking consumer behavior across multiple websites (or mobile apps) in order to serve them with targeted advertising content.
In addition, companies should provide consumers with the ability to opt out of such activities. The DAA provides a mechanism for companies to offer such an opt-out (www.aboutads.info/choices). In 2014, California updated its Online Privacy Protection Act (CalOPPA) to require specific disclosures for those websites that collect personal information about individuals over time and across multiple websites. The law’s definition of “personal” information includes information that can be used to re-contact someone online (such as serving them with an advertisement), thus adding California-specific language to the existing DAA disclosure requirements. Included in this language is a description of how sites address website “do not track” signals.
No enforcement actions were brought in 2014 for violations of CalOPPA. However, enforcement actions were brought under the DAA program against, among others, Buzzfeed and Go. The Better Business Bureau’s Accountability Program alleged that the websites failed to provide a required enhanced notice link on all pages where third parties collected data. The Accountability Program emphasized that while an enhanced notice link in or around an interest-based ad may satisfy a third party’s enhanced link obligation for that specific page, enhanced notices are still required on all other pages where third parties are collecting data.
More activity on the enforcement front for online tracking was also seen in Europe—specifically in Spain. There, the Spanish Data Protection Regulator (AEPD) issued fines to two jewelry companies for violating the Spanish Law of Information Society Services and Electronic Communications, the implementation of the EU’s “Cookie
– and how to deselect individual cookies.
As companies expand their online tracking activities, regulators are increasing their monitoring of these activities. As a result, “compliance sweeps” are being conducted with more frequency. For example, the Global Privacy Enforcement Network (GPEN), a worldwide privacy protection effort that includes the FTC, conducted a sweep that focused on mobile applications. The FTC subsequently issued warning letters to ten data brokers. We are likely to see increased focus both in the US and in Europe on tracking activities, and the sufficiency of both companies’ disclosures around these activities, as well as their provision of consent to users.
Complex Compliance for Global Email Campaigns
The universe of “spam” laws (i.e., those that govern corporate communications to consumers whether through email, text, or other direct contacts) continued to expand and become more complex last year. The US regulates commercial messages under an “opt-out” scheme, requiring that each message include a functionality for opting out of all messages that operates for at least 30 days. If the company has not obtained prior express consent to send the consumers commercial email messages, and the message contains advertising content, the email needs to include a disclosure that the message is “Advertising” or an “Advertisement.”
In contrast, many other jurisdictions have adopted an “opt-in” system, thus prohibiting email communications to consumers that have not expressly consented to receive them. However, most of these jurisdictions permit communications if a consumer would expect them (i.e., if an opt-in can be implied).
Canada’s new Anti-Spam Law (or CASL), however, which went into effect this year, is a true opt-in regime. Subject to various exceptions, CASL requires that commercial electronic messages sent from or accessed from Canada have an express opt-in. And in that opt-in, the company must explain what kind of communications will be sent.
As with other non-US spam laws, CASL applies to more than just emails – in-store computer programs and text messages are also covered – and covers any commercial activity encouraged in such messages, not just where the primary intent of the message is commercial.
Canada saw enforcement in 2014. Alberta’s Office of the Information and Privacy Commissioner released a ruling in June 2014 finding a local theater violated the Alberta Personal Information Protection Act (PIPA) when it used consumer information to send a marketing email without first obtaining consent. Despite the theater’s nonprofit status, using the email address to disseminate a newsletter promoting the theater’s programming was deemed to be a commercial activity and the adjudicator found no evidence to suggest the theater obtained consent to use the information for such a commercial activity. The theater was ordered to destroy the consumer’s information.
- Directive 2002/58/EC
- CAN-SPAM Act
- Unsolicited Electronic Messages Act
- Spam Control Act
- Act on Regulation of Transmission of Specified Electronic Mail
- Spam Act
- Unsolicited Electronic Messages Ordinance
Text Communications Consent Complexities
Complying with text message law requirements in the US continued to be complex in 2014. Much of the complexity was a result of a change in the Telephone Consumer Protection Act – which requires affirmative consent for sending auto-dialed calls (including texts) – that went into effect in October 2013. In particular, under the amended FCC Rule for TCPA, companies must get written signed consent to send marketing texts.
In response to the TCPA revision, a flurry of class action litigation ensued in 2014, and the actions do not appear to be abating. For example, a $40 million settlement was proposed in response to allegations that HSBC Bank NA violated the TCPA by calling consumers for advertising purposes without first obtaining consumers’ prior written consent.
Figure: Consent (Affirmative Step)
Text message advertising is also on the radar of the FTC. At the start of the year, the FTC settled with Advert Marketing Inc. over millions of text messages the company sent promising allegedly free merchandise (the merchandise was not, in fact, free). Towards the end of the year, the FTC then settled with three internet marketing companies (Acquinity Interactive, Revenue Path E-Consulting Pvt, Ltd., and Revenuepath Ltd.) for false “free” offers sent by text. As part of the settlement for sending text messages containing offers deceptively advertised as ‘free’, the companies agreed to pay $10 million in civil penalties. While these cases were brought on the grounds of deception (i.e., under Section 5 of the FTC Act), the FTC emphasized that it will not hesitate to bring cases against text “spammers.”