Privacy News | Daily Dashboard


Top Privacy News

BEHAVIORAL TARGETING—U.S.

FTC Officer: Marketers Don’t Need Web Tracking (December 23, 2010)
When it comes to online marketing, Internet companies may be able to get more information about customers voluntarily than by using Web tracking, according to incoming FTC Chief Technology Officer Edward Felten. Bloomberg reports on Felten's new position, which begins January 1, and his suggestion that when it comes to consumer information, if advertisers ask Web users directly, "that information may be more accurate than what the company has deduced about the user" through tracking, and users "may have a higher comfort level deciding what information to provide rather than worrying about what inferences might be made from what they've gathered."

BEHAVIORAL TARGETING—U.S.

Poll: Most Web Users Dislike Targeted Ads (December 23, 2010)

A new Gallup poll has found that two-thirds of Americans do not want to receive targeted ads based on their Web surfing habits, The Atlantic reports. Responses to the poll indicated privacy concerns vary generationally, but 67 percent opposed having their Web use tracked for advertising purposes, while 61 percent "care so much about their privacy that they aren't willing to sacrifice it in exchange for more free content paid for by targeted ads." The report notes that "most Internet users would rather pay for content instead and withhold something as seemingly innocuous as their Web browsing history from advertisers."

IDENTITY THEFT—U.S.

Medical Employee Charged (December 23, 2010)

Federal investigators have charged a former employee of Michigan's Newland Medical Center and her boyfriend with 15 counts of ID theft and criminal enterprise, reports ClickOnDetroit.com. The former employee reportedly stole cancer patient information and gave it to her boyfriend, who then used the information to get credit cards with which the couple stole hundreds of thousands of dollars in merchandise. According to the report, the FTC Web site recommends steps to take if your identity is stolen, including placing a fraud alert on your credit reports and alerting the police in your community, among others.

PERSONAL PRIVACY—AUSTRALIA

Reverse Directory Web Site Under Investigation (December 23, 2010)

Privacy experts are investigating a new Web site that allows people to look up the names and addresses attached to landline and mobile phone numbers to determine whether it breaks any privacy or communications laws, reports The Sydney Morning Herald. The Australian Communications and Media Authority (ACMA) claims the site breaks the Telecommunications Act, but the U.S. developer disagrees and has plans to release a smartphone app in the coming months. David Vaile of UNSW's Cyberspace Law and Policy Centre and vice-chair of the Australian Privacy Foundation says the service carries potential criminal risks and has concerns about the requirement that database users log in with their Facebook account information.

HEALTHCARE PRIVACY—U.S.

VA Acknowledges Improper Patient Data Storage (December 23, 2010)

Federal Times reports on Veterans Affairs (VA) facilities found in violation of the department's policy that no patient information be stored on systems outside its firewalls. The most recent incident involved personal information on 878 patients--including patients' full names, dates and types of surgery and last four digits of their Social Security numbers. The data had been shared between VA employees via an online calendar since 2007, and the breach was detailed in a November report to the U.S. Congress. The VA is looking at ways to bring such online tools inside its firewall, the report states, as part of ongoing steps to improve security and privacy.

DATA LOSS—UK

Patient Data Compromised (December 23, 2010)

Calderdale and Huddersfield hospital foundation trust has written to 1,500 patients after the theft of a computer containing their personal details, the Guardian reports. The trust has also notified local police about the theft and reports it has increased its security precautions. "At the end of November it was found that part of an electromyography (EMG) machine, a computer which drives it, had been taken from a locked office in the neurophysiology department at Calderdale Royal Hospital," a hospital spokesperson said, noting such patient information as names and dates of birth was included on the password-protected computer.

HEALTHCARE PRIVACY—U.S.

Practitioners’ Holiday Wish? Privacy Improvements (December 23, 2010)

HealthLeaders Media reports on healthcare practitioners' holiday wishlists, which include more staff, more time to study HIPAA regulations and a year free of data breaches. A recent Ponemon Institute study revealed that of the 65 hospitals surveyed, 71 percent said they had inadequate resources to prevent and quickly detect patient data loss, the report states. Other wishlist items include a smooth transition to the implementation of electronic health records, an efficient and compliant data encryption program and more safeguards to protect personal health information. "I hope that technology continues to be enhanced to support patient privacy," said Debra Mikels, a healthcare practitioner in Boston, MA.

DATA LOSS

Business Cloud Service Breached (December 23, 2010)

Computerworld reports a breach of address book data belonging to customers of Microsoft's Business Productivity Online Suite (BPOS) Standard occurred in the company's data centers in North America, Europe and Asia. The company has stated that the issue was resolved within two hours of being discovered, noting that "a very small number" of illegitimate downloads occurred and it is "working with those few customers to remove the files." A configuration issue made it possible for other customers in the service to download "Offline Address Book information...in a very specific circumstance," Director of BPOS Communication Clint Patterson said.

PRIVACY LAW—U.S.

Breach Could Test Tough MA Data Law (December 22, 2010)
The CitySights NY tour company has notified certain state attorneys general that the financial data of more than 100,000 customers was stolen when a SQL injection attack hit one of its Web servers. Among those whose data were exposed are 1,850 Massachusetts residents, causing a threatpost.com report to ask, "Could this be the test case for enforcement of the state's nine-month-old data privacy law?" The breach exposed the names, addresses and full credit card account information including card verification data. "The leak...could prove to be an early test of the nation's strongest data privacy law," the report states.

ONLINE PRIVACY—U.S.

FTC Technologist Talks Do Not Track (December 22, 2010)

In a ClickZ Q&A, the Federal Trade Commission's (FTC) new chief technologist discusses data tracking. Addressing what kind of do-not-track controls the FTC seeks, technologist Ed Felten said one of the FTC's aims is to allow users to opt out of tracking for behavioral targeting purposes, but the opt-out would not apply to first-party tracking for Web analytics purposes. "The FTC report recognizes that site publishers use analytics and audience measurement companies to help improve the publisher's services. As long as these service providers do not use collected data for other purposes, such as combining it with data about the user's behavior on other Web sites, these uses would still be acceptable," Felten said.

PRIVACY LAW—INDIA

Powers To Be Established for ID Governing Body (December 22, 2010)

After the introduction of The National Identification Authority of India Bill (NIAI) in the Rajya Sabha earlier this month, privacy concerns persist. The bill will establish the Unique Identification Authority of India (UIDAI) as a legally sanctioned body and set out its powers and functions, The Telegraph reports. UIDAI will assign each citizen a unique identifying number, though legal experts and advocates say UIDAI's plan does not provide enough safeguards for privacy. The Centre for Internet and Society says that the bill fails to protect citizens' rights. "Lots of important details have been left to be defined by the UIDAI," a spokeswoman said.

HEALTHCARE PRIVACY—U.S.

What Patient Privacy Path Will HHS Take? (December 22, 2010)

In a report for Modern Healthcare, Joseph Conn reviews possible paths the Department of Health and Human Services could take to protect patient privacy. Conn looks at the Federal Trade Commission's report on privacy and its "calls for a standard of protection that defines privacy as consent" based on the Fair Information Practice Principles (FIPPs). Similarly, he writes, the Commerce Department's recent report calls for guidelines based on "revitalized" FIPPs emphasizing "substantive privacy protection rather than simply creating procedural hurdles," while the President's Council of Advisors on Science and Technology has suggested "data-tagging technology should be used to enable patients' consent and control over their information." (Registration may be required to access this story.)

BEHAVIORAL TARGETING—U.S.

BT Coming to a TV Near You (December 22, 2010)

As the FTC, Department of Commerce and European regulators continue to scrutinize behavioral targeting on the Web, DirecTV has plans to introduce targeted ads to its 1.9 million television subscribers in the coming year, reports The Wall Street Journal. Under the plan, DirecTV will acquire data from third-party providers to find subscribers that fit advertisers' marketing profiles, the report states. It will then use the set-top box to choose the most appropriate ad for that household. DirecTV said households will be assigned a code number different from their set-top box ID and household attributes will be sent to the company as a blind match. The company also says it will allow subscribers to opt out of the service. (Registration may be required to access this story.)

ONLINE PRIVACY

EFF Co-Founder on Privacy in the Internet Age (December 22, 2010)

On the heels of recent privacy efforts by the U.S. Federal Trade Commission, Commerce Department and technology companies from across the globe, the BBC has published a dialogue with Electronic Frontier Foundation (EFF) Co-founder John Perry Barlow on changes to privacy in this online age and the battle between what governments and organizations know about individuals. Perry Barlow also weighs in with thoughts on how several global corporations do business with regard to privacy and transparency. Individual privacy is eroding, he suggests, adding that it is not "safe to have a world where the individual has no privacy and the institutions go on being private."

DATA PROTECTION—U.S.

Opinion: Pay Attention to Data Security (December 22, 2010)

In an editorial, the Honolulu Star Advertiser discusses how the digital age has brought with it the free exchange of data, warning that the "flip side of this coin is that anything that is free tends to be devalued. Information is stolen, and the only ones bearing the burden of that loss are the victims of the data breach, not the ones who let their guard down." The editorial calls for the Hawaii Legislature to correct that imbalance, highlighting the work by the Senate Committee on Judiciary and Labor to present a set of reforms based on a report from the nonprofit Liberty Coalition, which uncovered a recent data breach that affected some 40,000 University of Hawaii students and graduates.

DATA PROTECTION—EU & U.S.

Envoy: Agreement Moving Ahead (December 21, 2010)
U.S. Ambassador William Kennard disagrees with European Commissioner Viviane Reding's comments that the U.S. is not committed to a data protection agreement, European Voice reports. The EU and the U.S. agreed earlier this year to negotiate a framework regulating the exchange of personal data. Following a meeting in Washington, DC, earlier this month, Reding said the U.S. "did not seem ready to advance on data protection," stating she expects to know who the U.S. chief negotiator will be before the end of the month to "seriously start the talks." Kennard said the U.S. needs to better understand what EU negotiators want in the agreement to decide who should represent the U.S.

ONLINE PRIVACY—U.S.

MMA Calls for Smartphone Privacy Guidelines (December 21, 2010)

Following media reports about smartphone apps sharing user data, the Mobile Marketing Association (MMA), which represents smartphone advertisers and publishers, is calling for guidelines to better protect users from "intrusive tracking technologies." The Wall Street Journal reports on the MMA announcement that it will begin work on a "comprehensive set of mobile privacy guidelines...to create consistency so marketers know how to act and consumers know what to expect." MMA Global CEO Greg Stuart said the initiative demonstrates the "ongoing commitment to the importance of consumer transparency with regards to privacy issues and data collection." The MMA hopes to address such mobile phone marketing as text messages, e-mail and voice calls, the report states, as well as mobile Web sites and apps. MMA Privacy Committee Co-Chairman Alan Chapell, CIPP, told the Daily Dashboard, "We're optimistic that this initiative will attract a wide variety of stakeholders so that we can address these important issues in a meaningful way." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Red Flags Clarification Becomes Law (December 21, 2010)

President Barack Obama has signed the Red Flag Program Clarification Act of 2010 into law, amending the Fair Credit Reporting Act and limiting the Federal Trade Commission's Identity Theft Red Flags Rule. The Hunton & Williams Privacy and Information Security Law Blog reports that the new law limits the application of the Red Flags Rule to exclude creditors "that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person." The change addresses concerns that the rule previously extended to "entities not typically thought of as creditors," such as legal firms and healthcare providers, the report states.

PRIVACY LAW—CANADA

Damages Awarded in Erroneous Credit Check Case (December 21, 2010)

TransUnion of Canada will pay $5,000 in damages to a Calgary man whose loan application was turned down after another person's credit history was wrongly passed on to the bank, the Toronto Star reports. Mirza Nammo is the first plaintiff to be awarded damages for a breach of the federal privacy act. Federal Court Justice Russel Zinn found the payback was warranted because of repeated failures by the credit reporting agency to correct the "grossly inaccurate" information quickly and effectively, the report states. Zinn compared a credit check to a strip search, saying it can be "equally intrusive, embarrassing and humiliating."

PRIVACY LAW—U.S.

A Bill of Privacy Class-Action Rights? (December 21, 2010)

Forbes examines recent reports from the Department of Commerce and the Federal Trade Commission on consumer privacy, questioning what a "Privacy Bill of Rights for Online Consumers" would actually look like. "One interesting question buried in the 88-page report is whether, if this framework is established, people should have the right to pursue class-action lawsuits against companies that violate the law or if enforcement should be limited to action by the FTC," Kashmir Hill writes in the Forbes report. There has been disagreement over private rights of action, the report states, and Hill suggests that during the comment period, "that question will inspire some heated responses..."

PERSONAL PRIVACY

Study: Education Lacking on Smart Meters (December 21, 2010)

When it comes to smart meters, consumers are not being adequately informed about their capabilities and the way they will affect privacy. That's according to a new Ponemon study, "Perceptions about Privacy on the Smart Grid," which polled 509 U.S.-based adults and found that 54 percent of those surveyed did not receive information about or know they had a smart meter until after installation. Smart meters will measure home energy usage, in some cases down to the appliance level. The privacy concerns consumers noted were misuse of personal information by the government (53 percent) and failure to protect personal information.

DATA LOSS—U.S.

Stolen Laptop Contained Health Info (December 21, 2010)

Dean Health System and St. Mary's Hospital sent letters to 3,288 of their surgical patients on Saturday telling them their data was compromised when a laptop was stolen from a doctor's home last month, reports the Wisconsin State Journal. The doctor put the patient information on her personal computer against hospital policy, said a Dean spokeswoman. According to the spokeswoman, the data did not include Social Security numbers, addresses, phone numbers or financial information. The organizations are offering affected patients a free year of identity theft service and up to $20,000 in reimbursements for expenses from resolving any ID theft issues, states the report.

ONLINE PRIVACY

Internet Identities Have Nowhere To Hide (December 21, 2010)

In a report for The New York Times, Jenna Wortham retells a personal experience where a stranger tracked her online using her various Internet profiles to ask the question, "As digital identities become increasingly persistent across the Web, is it still possible to reinvent oneself online?" As one expert points out in the report, "As we casually go about our business, we are leaking all kinds of data that someone can piece back together." The report looks at entrepreneurs trying to build "some layers of anonymity back into the Web" and suggests the possibility that "the demands of a digital lifestyle have set a larger cultural transition into motion." (Registration may be required to access this story.)

PRIVACY—HONG KONG

Commissioner: Privacy Office Should Prosecute (December 20, 2010)
Privacy Commissioner Allan Chiang feels that privacy-related prosecutions should be left to his office, reports rthk.hk. Speaking on an RTHK program, Chiang said that resource limitations prevent the police from making privacy offenses a high priority. This, and the fact that his office has the expertise, means that his office should be given the power to prosecute, he said.

ONLINE PRIVACY

Some Apps Are Watching You (December 20, 2010)

Your smartphone may be intelligent--knowing all about your contacts, locations and other information--but it is not good about keeping that knowledge to itself. That's according to a report in The Wall Street Journal that found about half of smartphone apps studied share users' personal information "widely and regularly." The investigation determined that apps share such information as unique IDs, phone location and even gender or other personal details without users' knowledge or consent, the report states. "In the world of mobile, there is no anonymity," a Mobile Marketing Association spokesman said, noting that when it comes to a smartphone, it is "always with us. It's always on." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Blumenthal: Legal Action Possible (December 20, 2010)

Connecticut Attorney General and U.S. Senator-Elect Richard Blumenthal says his office may take legal action against Google, Inc., based on the company's refusal to turn over personal data it inadvertently collected from WiFi networks, The Wall Street Journal reports. Last week, Blumenthal and the Connecticut Department of Consumer Protection sent a civil investigative demand to Google seeking the data. But Friday's deadline passed, and their demands were not met. "I am disappointed by Google's failure to comply with my information demands," Blumenthal said in a statement. "We will review any information we receive and consider whether additional enforcement steps--including possible legal action--are warranted." (Registration may be required to access this story.)

PRIVACY LAW—EU

Parliament To European Commission: Protect Privacy (December 20, 2010)

OUT-LAW News reports on the European Parliament's call for stricter online advertising rules giving Web users more control of their privacy. The European Parliament has adopted a resolution asking the European Commission to introduce rules requiring Internet companies to disclose behavioral advertising and give users the right to opt out, expressing "serious reservations about the use of sophisticated technologies in advertising systems to track users' activity." Parliament is calling on the commission to "update, clarify and strengthen its guidelines on the implementation of the Unfair Commercial Practices Directive," the resolution states, and create a labeling system based on the European Privacy Seal "certifying a site's compliance with data protection laws."

PRIVACY LAW—U.S.

Google Seeks Dismissal of Class Action (December 20, 2010)

Google says its collection of personal data off of WiFi networks earlier this year broke no laws, and the company is asking a district court judge for dismissal of a potential class-action lawsuit related to the activity, MediaPost News reports. In a filing last week with U.S. District Court Judge James Ware in San Jose, CA, the company said, "It is not unlawful under the Wiretap Act to receive information from networks that are configured so that communications sent over them are 'readily accessible to the general public.'"

ONLINE PRIVACY

Browsers Boosting Privacy Options (December 20, 2010)

Mozilla says the next version of its Firefox Web browser will include technology to let users cloak their online activities, Agence France-Presse reports. The updated software will be released in the first part of next year, according to Mozilla Chief Executive Gary Kovacs. "Where I go on the Internet is how I live my life; that is a lot of data to hold just for someone to serve me ads," Kovacs said. Microsoft, too, will increase privacy options in its Internet Explorer browser, the report states, including a feature "to help keep third-party Web sites from tracking your Web behavior." An MIT Technology Review article asserts that this would be a "step in the wrong direction for privacy on the World Wide Web."

ONLINE PRIVACY

Navigating Permission Requirements Across Borders (December 20, 2010)

"Privacy and data protection have been major talking points throughout 2010," The Next Web reports in a review of data protection issues of the past year and the ongoing struggles of aligning privacy and permission with regulations that vary from state to state, nation to nation and continent to continent. The report looks at differences in privacy regulation from the U.S. to the EU and beyond. For social networks and online companies, one of the key challenges is "there is no global privacy law," and even with privacy policies "already longer than the U.S. Constitution," the report questions, can such sites "cater to the hundreds of different laws across the lands?"

PRIVACY LAW—U.S.

President Appoints Two to Privacy Oversight Board (December 17, 2010)

President Barack Obama has begun appointing members to the Privacy and Civil Liberties Oversight Board, CNET News reports. The president's first two nominees are Jim Dempsey, vice president of the Center for Democracy and Technology, and Elisebeth Cook of the law firm Freeborn and Peters. "President Obama has nominated two outstanding and well-qualified individuals," Alan Charles Raul of Sidley Austin told the Daily Dashboard. "I hope the Senate will act quickly to confirm their nominations and that the president will nominate a chairman and two other members very soon." The oversight board was created in 2004 on the recommendation of the 9/11 Commission to help advise and oversee the Administration's efforts to fight terrorism while protecting the rights of Americans. It languished in 2008 following legislative changes. This week's nominations are "an important first step to reestablishing the privacy board," Raul said.

PRIVACY LAW—U.S.

Commerce Report Draws Praise, Criticism (December 17, 2010)

Reuters reports on the U.S. Commerce Department report, released yesterday, that calls for the creation of a Commerce Department privacy office, enforceable codes of conduct for industry and a federal breach notification law. While some have described the call for a Commerce privacy office as a "conflict of interest," others have lauded the department for its initiative. Privacy expert Peter Swire said, "...it is high time to have this sort of leadership position" in the executive branch. Federal Trade Commission Chairman Jon Leibowitz described the report as "a welcome addition to the ongoing dialogue about protecting consumers' privacy."

DATA PROTECTION—GERMANY

Resolution Sets Minimum Qualifications for DPOs (December 17, 2010)

The German data protection authorities responsible for the private sector--the Düsseldorfer Kreis--issued a resolution pertaining to company data protection officers (DPOs), the Hunton & Williams Privacy and Information Security Law Blog reports. The resolution sets out minimum expertise requirements for DPOs and addresses their independence within the organizations for which they work. The resolutions come after inspections revealed a "generally insufficient level of expertise among DPOs given data processing complexities and the requirements set by the Federal Data Protection Act." Under the resolution, DPOs should have a general command of data protection law, the blog states, including comprehensive knowledge of the Federal Data Protection Act.

HEALTHCARE PRIVACY

Doctors on Facebook: Survey Shows Concerns (December 17, 2010)

Doctors with Facebook profiles should be mindful of the privacy settings in order to avoid potential pitfalls with patients, according to a study published in the Journal of Medical Ethics. CNN Health reports on the study, which polled 200 residents and fellows at Rouen University Hospital in France last year, the majority of whom had a Facebook profile. About half of the respondents indicated that they felt the doctor-patient relationship would be changed if the patient had unrestricted access to the doctor's profile, the report states. Deven McGraw of the Center for Democracy and Technology said young doctors are facing a dilemma familiar to many professionals--the merging of social and professional boundaries.

PRIVACY LAW—U.S.

Case Against Starbucks Gets the Go-Ahead (December 17, 2010)

The 9th Circuit Court in Seattle, WA, ruled on Tuesday that Starbucks employees whose names, addresses and Social Security numbers were on an unencrypted laptop stolen in 2008 have grounds to sue the company for negligence, reports Courthouse News Service. A district court had dismissed the case, saying it did not meet state requirements for injury but that it did have federal standing. The plaintiffs alleged that though they hadn't lost any money, the time taken to monitor their credit and the stress of the possibility of identity theft amounted to an injury. The federal appellate panel agreed. "Here, plaintiffs-appellants have alleged a credible threat of real and immediate harm," wrote Judge Milan Smith for the court.

PRIVACY LAW—U.S.

Commerce Report Calls for Privacy Office, Federal Breach Notification Standard (December 16, 2010)
The Commerce Department released its online privacy green paper today, National Journal reports. The report calls for the creation of a Commerce Department privacy office and recommends a federal data breach notification law that would preempt state laws. "A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamline industry compliance and allow businesses to develop a strong, nationwide data management strategy," the report states. The paper also recommends the development of Fair Information Practice Principles. The department is soliciting comments on the paper.

BEHAVIORAL TARGETING—EU

Parliament Approves Resolution (December 16, 2010)

The European Parliament on Wednesday approved a resolution calling for increased attention to targeted advertising on the Internet, The Sofia Echo reports. The resolution calls for consumers to receive clear and comprehensive information about how their data are collected and used, the report states, adding that the data should be used "only by explicit agreement by the consumer." The resolution also calls for special protections for children and the creation of an advertising literacy program. "We must reflect upon some very simple values: respect for privacy, protection of the most vulnerable, because we know very well that children are among the most vulnerable to 'behavioral advertising,'" the resolution states.

DATA LOSS—U.S.

CDPH Loses Employee, Patient Data in Mail (December 16, 2010)

The California Department of Public Health (CDPH) announced that it is missing a magnetic tape containing sensitive personal and medical information on up to 2,550 staff and residents of Southern California skilled nursing facilities, reports HealthLeaders Media. The tape--which was lost in the U.S. mail--holds e-mail addresses, investigative reports and background information on employees, as well as some medical diagnoses and Social Security numbers. "Everything we do out of this office was on the tapes," said CDPH's Kevin Reilly. The report says the state requires offices to use a private courier for sensitive information, but sometimes protocol was not followed at this office. The CDPH is notifying all those affected, and, according to the report, it may incur state fines.

DATA PROTECTION—U.S.

Audit Reveals Vulnerabilities in State Systems (December 16, 2010)

A covert penetration test conducted by the Colorado State Auditor has found that the state government networks and computers are at "high risk" of compromise, infosecurity.com reports. The test "identified a significant number of serious vulnerabilities in the state's networks and applications that would likely provide a malicious attacker with unauthorized access to the public's data." The audit penetrated "thousands of individuals' records...containing confidential data," the report states. It also found that more than half of state agencies have not submitted information security plans to the state Office of Cyber Security despite the July 15, 2009 statutory deadline.

PRIVACY LAW—U.S.

Woman Pleads Guilty to Accessing Student Loan Files (December 16, 2010)

An Illinois woman says it was curiosity that led her to view the student loan files of hundreds of individuals while working within the Federal Student Aid Division of the Department of Education. Charlotte M. Robinson pleaded guilty in court this week to unauthorized computer access, according to a Department of Justice press release. She will be sentenced on February 22. Robinson admitted to repeatedly viewing the confidential student loan records of musicians, actors, family members, friends and others, even though she had no official reason to do so.
Full Story

DATA LOSS—U.S.

OSU Notifying 760,000 of Data Exposure (December 16, 2010)

The Ohio State University is notifying 760,000 individuals that hackers may have accessed their personal information after officials discovered unauthorized activity on a university server, The Columbus Dispatch reports. "We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected," said Provost Joseph Alutto. School officials expect to spend up to $4 million in investigative and credit-protection costs. Alutto said the university is "committed to maintaining the privacy of sensitive information and continually works to enhance our systems and practices to reduce the likelihood of such events occurring."
Full Story

CHILDREN’S PRIVACY—U.S.

Dear Santa, Please Protect My PII (December 16, 2010)

According to WTAM, more than 60 Web sites have been registered in Santa's name, giving kids the opportunity to e-mail Santa directly. But Sue McConnell of the Cleveland Better Business Bureau warns parents to check out these sites before allowing kids to use them. McConnell advises not to give out any personal information, especially addresses, and to check privacy policies to find out who is asking for the information, how it will be used and who it will be shared with, if anyone. The report suggests that, to protect against spam and viruses, users could set up an e-mail address specifically for that site.
Full Story

PRIVACY LAW—U.S.

Sixth Circuit Says E-mail Protected by Fourth Amendment (December 15, 2010)
The Sixth Circuit Court of Appeals ruled this week that e-mail is protected by the Fourth Amendment and that the government must have a search warrant to intercept and read e-mails, according to an Electronic Frontier Foundation media release. In its decision in U.S. v. Warshak, the court said that, like traditional forms of communication, e-mail "requires strong protection." Tanya Forsheit, CIPP, of the InformationLawGroup, told the Daily Dashboard that this is "another great example of how it takes the courts and the law years to catch up with technology." "As noted by the Sixth Circuit," said Forsheit, "'given the fundamental similarities between e-mail and traditional forms of communication, it would defy common sense to afford e-mails lesser Fourth Amendment protection.' And yet the law is just now getting there." Forsheit says privacy professionals and lawyers play an essential role in educating the courts and legislators on changes in technology and what those changes mean for privacy in this country.

PRIVACY—HONG KONG

Commissioner Under Fire for PR Spending (December 15, 2010)

Privacy Commissioner Allan Chiang Yam-wang is facing criticism for spending up to HK$250,000 to hire a public relations firm, the South China Morning Post reports. "This is totally unnecessary and a waste of money," said the vice-chairwoman of the Democratic Party. Chiang said he commissioned the firm's services "to provide strategic input and execution support for the exercise (of the consultation of privacy law), from November 1 to December 31, 2010." The firm has been contacting lawmakers and rights groups on behalf of the commissioner's office to arrange meetings to review the Personal Data (Privacy) Ordinance, the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

EC Asks UK About Fingerprinting (December 15, 2010)

The European Commission, acting on the concerns of the Article 29 Working Party, wants to know more about Britain's collection of schoolchildren's fingerprints, The Telegraph reports. More than 3,000 schools in the UK are using fingerprint technology to deduct students' lunch payments and loan books, for example. In a letter to British authorities, the commission wrote, "We should be obliged if you could provide us with additional information both regarding the processing of the biometric data of minors in schools, with particular reference to the proportionality and necessity in the light of the legitimate aims sought to be achieved, and the issue concerning the availability of judicial redress."
Full Story

PRIVACY LAW—U.S.

Vermont Petitions SCOTUS on Rx Law (December 15, 2010)

The State of Vermont has petitioned the U.S. Supreme Court to review a Second Circuit Court of Appeals decision striking down the state's prescription confidentiality law, according to an Electronic Privacy Information Center media release. The Second Circuit overturned the 2007 law last month in a split decision, saying it constituted "an impermissible restriction of commercial speech." In the request for appeal filed yesterday, Vermont's attorney general emphasized the importance of consistency across state boundaries, pointing out that 26 states are considering prescription confidentiality laws.
Full Story

DATA THEFT

Feds Find Common Link in Data Theft (December 15, 2010)

More details have emerged in the theft of McDonald's customer data. The Register reports that FBI agents are looking into similar events that may have originated with a marketing services provider based in Atlanta. FBI special agent Stephen Emmett said, "The breach is with Silverpop (Systems), an e-mail service provider that has over 105 customers." Emmett added that the breach "appears to be emanating from an overseas location."
Full Story

HEALTHCARE PRIVACY—U.S.

Dept. of Health Sends Data to Wrong Recipients (December 15, 2010)

On Tuesday, the Connecticut Department of Health accidentally sent e-mails containing personal data to an unknown number of recipients. The e-mails contained names, phone numbers, appointment dates and regional office locations of clients enrolled in a program administered by the state Department of Public Health, reports The Hartford Courant. The breach occurred during an upgrade of the department's appointment scheduling system, and the information was intended to go to regional offices. "We're still trying to determine how many people it may have gone out to," said a health department spokesperson. "All we know right now is that it went beyond where it was supposed to."
Full Story

PRIVACY LAW—U.S.

The Evolution of Privacy Breach Litigation (December 15, 2010)

On the Concurring Opinions blog, Sasha Romanosky outlines a pattern that has emerged in privacy breach litigation over the past several years. Citing existing analyses on the topic, Romanosky characterizes three types of breach lawsuits--the classic "you lost my data" suits, where the plaintiffs must prove they have been harmed; the "intentional disclosure" suits, where "the legal focus shifts from the plaintiff's harm to the defendant's behavior," and the increasingly common "unauthorized collection" suits, where plaintiffs claim that organizations "knowingly and willfully collected their personal information." The categories "tell an interesting story of how the landscape of privacy breaches and breach litigation is evolving," Romanosky writes.
Full Story

ONLINE PRIVACY

Do-Not-Track Commentary Continues (December 14, 2010)
Commentary continues on the possibility of a do-not-track mechanism for the Internet that would allow users to opt out of having their browsing activities collected and used, with some asserting that such a system would "begin to erode the foundations of the Internet," and others insisting that "We have to fear the complete and permanent loss of our right to read and think in private." In a recent broadcast of National Public Radio's "On the Media," those from many sides of the debate shared their views. Meanwhile, an MIT Technology Review article proffers that one recently announced feature to limit tracking is a "step in the wrong direction for privacy on the World Wide Web."

ONLINE PRIVACY—NEW ZEALAND

NZ Commissioner Concludes WiFi Investigation (December 14, 2010)

The Privacy Commissioner of New Zealand has concluded her investigation into Google's collection of data from WiFi networks while photographing cities for its Street View feature. Privacy Commissioner Marie Shroff said that the company breached New Zealand privacy law when it collected the content of people's communications and has acknowledged that it "went about things the wrong way." Shroff said she is "pleased that Google has taken full responsibility for the mistakes it made here and that it has improved its practices to prevent future privacy breaches. This includes training their staff better and checking new products carefully before they're released."
Full Story

DATA THEFT—IRELAND

More Details on GAA Breach (December 14, 2010)

More details have emerged about the Gaelic Athletic Association (GAA) data exposure involving the personal information of more than 500,000 members. The Journal reports that a former employee of a company that ran the GAA database was arrested in connection with the stolen data but was released without charges. The thief sent copies of the GAA's member database to Ireland's data protection commissioner and the UK Information Commissioner's Office (ICO). The ICO said in a statement that it is "working closely with the Police Service of Northern Ireland and the Data Protection Commission in the Republic of Ireland" to learn more.
Full Story

PRIVACY LAW—EU

Hustinx Emphasizes Accountability (December 14, 2010)

Europolitics reports on plans to hold European institutions accountable for respecting the obligations of data protection laws. On Monday, European Data Protection Supervisor (EDPS) Peter Hustinx adopted a policy paper that sets a framework where the EDPS "monitors, measures and ensures data protection compliance in the EU administration." To date, the EDPS has taken a non-punitive approach. The new framework is designed to encourage proactive compliance by cracking down on those who flout the law.
Full Story

PRIVACY LAW—CANADA

Stoddart Discusses Career (December 14, 2010)

The Globe and Mail recently sat down with Privacy Commissioner Jennifer Stoddart to discuss her career, her interest in the rights of women and the investigation she conducted as privacy commissioner that captured the attention of companies and regulators worldwide. Stoddart will continue in her role for another three years after being reappointed by Prime Minister Stephen Harper last week. She told The Globe and Mail the Internet privacy battle "is not over yet, because it is such a fast-changing world." The report suggests that Stoddart might seek greater enforcement powers for the Office of the Privacy Commissioner.
Full Story

PRIVACY LAW—PHILIPPINES

Bill To “Sharpen the Country’s Competitive Edge” (December 14, 2010)

The author of data protection legislation is confident that its passage will help solidify the Philippines' position as a global leader in business process outsourcing, a sector that is expected to produce hundreds of thousands of new jobs in the region over the next five years, Inquirer.net reports. "We are absolutely confident that more companies around the world will subcontract their business support jobs to Philippine providers once the proposed Act Protecting Individual Personal Data in Information and Communications Systems is decreed," said House Deputy Majority Leader Roman Romulo. "This will sharpen the country's competitive edge in BPO activities, besides reinforcing consumer trust and user confidence in electronic commerce," he said.
Full Story

DATA LOSS—U.S.

Data Cards Missing from AZ Medical Center (December 14, 2010)

Mountain Vista Medical Center in Mesa, AZ, has informed 2,284 endoscopy patients that their data was contained on compact memory cards that were discovered missing on October 13, reports The Arizona Republic. The cards hold names, dates of birth, genders and hospital medical record numbers of patients receiving endoscopy procedures between January of 2008 and October 2010. Though there was no financial data on the cards, the medical center warned patients to monitor their credit for fraudulent charges. The center has made changes to its security procedures and retrained all endoscopy unit employees on security and confidentiality.
Full Story

PRIVACY LAW—EU

Hustinx Outlines New Enforcement Approach (December 13, 2010)
European Data Protection Supervisor (EDPS) Peter Hustinx today adopted a policy paper that outlines a more robust approach to enforcement of data protection matters, according to an EDPS press release. The paper sets out a framework where the EDPS "monitors, measures and ensures data protection compliance in the EU administration," emphasizing the principle of accountability. "Holding the EU institutions accountable...is a crucial first step in fostering data protection in practice," Hustinx said, adding, "However, this must be backed up by a framework for dealing with those institutions and bodies that continue to fail to meet the required standards and demonstrate poor compliance records."

PRIVACY LAW—U.S.

Everything Old New Again? (December 13, 2010)

With a nod to the year 1890, when Samuel D. Warren and Louis D. Brandeis wrote their seminal article, "The Right to Privacy," The New York Times explores how more than one hundred years later, technological developments continue to pressure personal privacy. "The laws haven't really kept pace with the unbelievable developments," says Jessica Rich, a deputy director at the Federal Trade Commission (FTC). The FTC released a report this month that calls for better privacy protections for consumers. Although over time Congress has passed sector-specific privacy statutes, "Maybe now it's online privacy's turn to have more of a direct regulatory intervention," says Professor William McGeveran of the University of Minnesota Law School. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

AG Sends Subpoena, Plaintiffs Bring Suit (December 13, 2010)

Connecticut Attorney General and U.S. Senator-Elect Richard Blumenthal has subpoenaed Google to force the company to turn over the data it collected from unsecured WiFi networks earlier this year while photographing cities for its Street View feature, San Jose Mercury News reports. "We need to verify what confidential information the company surreptitiously and wrongfully collected and stored," Blumenthal said on Friday when announcing that he sent a civil investigative demand to the company. He said that although authorities in other jurisdictions have been able to review the data, the company has refused to share it with his office, according to a report in The Hill. Meanwhile, plaintiffs in Texas have filed suit against Google for its data collection activities.
Full Story

DATA LOSS—CANADA

Veteran’s Medical File Contains Data of Others (December 13, 2010)

A Navy veteran reviewing his medical file was surprised to find that its contents included sensitive personal information about other military personnel, the Canadian Press reports. The Department of Defence is investigating. "It's just ridiculous that all this information is misfiled, that I have all these guys' information," said Wayne Finn of Nova Scotia, adding "I shouldn't have it." NDP veterans affairs critic Peter Stoffer has asked for federal Privacy Commissioner Jennifer Stoddart's input on the issue. The news comes weeks after the Canadian government settled with another veteran on charges that it improperly shared his information among bureaucrats.
Full Story

HEALTHCARE PRIVACY—U.S.

PCAST: “Universal Exchange Language” Needed (December 13, 2010)

A White House report published last week calls for the government to adopt a "universal exchange language that allows for the transfer of relevant pieces of health data while maximizing privacy." In "Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward," the President's Council of Advisors on Science and Technology (PCAST) calls for the Office of the National Coordinator for Health IT and Centers for Medicare and Medicaid Services to create definitions and descriptions to be included in requirements for meaningful use of electronic health records, according to Government Health IT. PCAST believes that doing so will speed the electronic exchange of patient records.
Full Story

PRIVACY LAW—U.S.

The Kerry Bill: A Preview (December 13, 2010)

The Hunton & Williams Privacy and Information Security Law Blog outlines a privacy bill to be introduced in the next Congress by Sen. John Kerry (D-MA). The bill "aims to establish a regulatory framework for the comprehensive protection of individuals' personal data and authorizes rulemakings by the Federal Trade Commission," the report states. The bill would make Fair Information Practice Principles "universally applicable" to certain organizations and authorizes the FTC to create a co-regulatory safe harbor program. "The legislation sets forth sufficiently broad definitions for 'personally identifiable information' and 'sensitive personally identifiable' that grant the FTC the discretion and flexibility to construct a list of more specific data categories," the report states.
Full Story

DATA LOSS

McDonald's, Walgreens Notifying Customers of Data Theft (December 13, 2010)

McDonald's is notifying customers that certain personal details have been exposed by thieves who broke into a database, WalletPop reports. The breach involves information customers offered when signing up for promotions including ages, phone numbers, e-mail addresses and physical addresses, the report states. According to the company, "Law enforcement officials have been notified and are investigating this incident." McDonald's is warning customers not to respond to requests for financial information. Walgreens is sending similar notifications to its customers.
Full Story

PRIVACY LAW—U.S.

House Approves Social Security Protection Act (December 10, 2010)
The U.S. House of Representatives this week approved legislation designed to reduce identity theft by better restricting the access to and use of Social Security numbers, according to a press release from Sen. Dianne Feinstein's office. Feinstein (D-CA) introduced the Social Security Protection Act of 2010 along with Sen. Judd Gregg (R-NH). It now heads to President Barack Obama for signing. "Social Security numbers are among Americans' most valuable but vulnerable assets," said Feinstein. "Identity theft is a serious concern for all consumers, and we should make every effort to protect personal information."

ONLINE PRIVACY

Web Companies Explore Do-Not-Track Tools (December 10, 2010)

While Microsoft has announced plans to add a do-not-track tool to Internet Explorer, Mozilla is brainstorming creating built-in controls for its Firefox users. Microsoft's new feature was announced on the heels of the Federal Trade Commission (FTC) recommendation that browsers adopt do-not-track technology. Forbes reports on FTC Commissioner Julie Brill's remarks Tuesday at the IAPP Practical Privacy Series in Washington, DC, where she noted, "If the browser vendors and advertisers do not come up with a robust framework, I, for one, will endorse congress to pass do-not-track legislation."
Full Story

ONLINE PRIVACY—U.S.

“History Sniffing” Spurs Lawsuits, FTC Reaction (December 10, 2010)

When researchers exposed their discovery that some Web sites have been using an online security flaw to track what other sites their users have been visiting, "class action-lawyers and the government took notice," Forbes reports, citing recent lawsuits filed in New York and California related to alleged "history sniffing" on the Web. Federal Trade Commission (FTC) Bureau of Consumer Protection Director David Vladeck has said the FTC is meeting with browser companies to make sure the glitch is fixed, the report states. "We're on the lookout for other techniques companies are using to surreptitiously collect information about users," Vladeck said.
Full Story

SOCIAL NETWORKING

South Korea Latest To Call for Facebook Changes (December 10, 2010)

Within days of a demand by South Korea's telecoms regulator for changes to Facebook's privacy policy, the world's largest social network has announced it has launched new mobile privacy controls. "The Korea Communications Commission joins an international chorus of criticism over Facebook's handling of personal information," the Financial Times reports, noting, "Authorities in Canada and Germany have been among the most vocal." The Korea Communications Commission has said the way the social network notifies users about the collection of personal information and gathers their consent remains "inadequate." Facebook has 30 days to submit a compliance plan, the report states, or could face fines or other actions.
Full Story

DATA LOSS—U.S.

60,000 UW-Madison ID Cards Hacked (December 10, 2010)

University of Wisconsin-Madison discovered on October 26 that hackers accessed records containing identification cards that included names, photos and ID numbers of former students, faculty and staff members, reports the Wisconsin State Journal. The ID numbers had embedded in them the Social Security numbers of the card owners. "Before privacy was taken as seriously as it is today, a student's Social Security number was embedded inside that ID card number," a UW-Madison representative said. A university investigation suggests that the information has not been downloaded or used inappropriately, but, the report states, the identities of the hackers remain unknown.
Full Story

PERSONAL PRIVACY—U.S.

License To Sue? (December 10, 2010)

A transgender woman has filed a claim against the California Department of Motor Vehicles (DMV) on allegations that a DMV clerk improperly used a state database to send her a personal letter criticizing her sex change, the Associated Press reports. She is seeking damages for invasion of privacy and violation of civil rights. The DMV declined to comment, but a spokesperson confirmed that employees are prohibited from contacting customers about non-business matters, the report states.
Full Story

DATA LOSS—IRELAND

GAA Confirms Data Exposure (December 10, 2010)

The Gaelic Athletic Association (GAA) has notified clubs that the personal details of more than 500,000 members have been exposed in a data breach, the Irish Times reports. The Office of the Data Protection Commission is investigating the breach, which compromised a GAA database. The details exposed include birthdates, medical conditions, telephone numbers and e-mail addresses, among other data. The GAA has established an information line for those affected.
Full Story

PRIVACY LAW—EU & U.S.

From DC: Reding Discusses Protecting Privacy (December 9, 2010)

In an interview with The Washington Post, EU Justice Commissioner Viviane Reding discusses guarding personal information. When asked why the EU favors legislation over voluntary action by companies, Reding said, "Protection of individuals is not the question of voluntary action. For us, it is written in our charter of fundamental rights that everyone has the right to the protection of their data." The move by some companies toward do-not-track mechanisms "is the right direction, and what is important is that industry has understood it can't ignore privacy concerns," she said. (Registration may be required to access this story.)
Full Story

TRAVELERS’ PRIVACY—CANADA

Commissioner Launches Air Travel Audit (December 9, 2010)

The Vancouver Sun reports on the Office of the Privacy Commissioner's air travel security audit focusing on the government agency in charge of passenger screening. The aim of the review is to determine whether the Canadian Air Transport Security Authority is following through on promises made to minimize privacy intrusions of new airport scanners, the report states. "We want to go back and see what's happening a year later--if the commitments made by the government have been followed up," Privacy Commissioner Jennifer Stoddart said. The audit, which is expected to be published next fall, will also look at the use of other technology, such as airport surveillance cameras.
Full Story

PRIVACY LAW—U.S.

Locke Discusses Forthcoming Report (December 9, 2010)

U.S. Commerce Secretary Gary Locke said that in its soon-to-be-released report on Internet privacy, his department may propose voluntary standards or "a scheme that Congress may want to look at," Bloomberg reports. In an interview earlier this week, Locke said that while data protection is important for consumers, "It's also critical for U.S. businesses because people's lack of trust that their information will be safe, or that their personal habits will be kept private, is one of the major hurdles preventing the expansion" of electronic commerce. The Commerce Department's report will come on the heels of the just-released FTC report on Internet privacy. Robert Belair of Arnall Golden Gregory LLP told the Daily Dashboard that both reports "are important thought leadership contributions. For lots of reasons, the U.S. will continue to take a pluralistic, sectoral approach to privacy protection. The FTC will be at the forefront, but major roles will, undoubtedly, be played by the new Consumer Financial Protection Bureau, the Department of Commerce, the Federal Communications Commission, the Department of Homeland Security, the Department of Health and Human Services, and don't forget the states. Privacy professionals know this and know how to help their companies successfully navigate this complicated and sometimes treacherous terrain."
Full Story

ONLINE PRIVACY—U.S.

Advocates Call for Broader View of Data Mining (December 9, 2010)

One advocacy group is calling for a broader definition of data mining, Nextgov reports. The Constitution Project is recommending an expanded definition that would "require reporting on a greater number of programs." While data mining has security uses, the report notes that critics are concerned that the collection and retention of data violates privacy, due process and free speech rights. Discussing the definition of data mining, Department of Homeland Security CPO Mary Ellen Callahan, CIPP, said, "My reservation would be--to expand the definition of data mining to cover all activities (would extend it) to essentially every time you set up a database."
Full Story

PRIVACY—CANADA

Commissioner’s Reappointment Confirmed (December 9, 2010)

Prime Minister Stephen Harper has announced the reappointment of Privacy Commissioner Jennifer Stoddart for a three-year term, effective immediately. The reappointment was recently approved by parliament, according to an announcement from the Office of the Prime Minister. When he nominated Stoddart for an additional term in November, Harper described her as bringing "considerable expertise in privacy protection issues and a deep understanding of the importance of open and transparent government." Stoddart will continue in the post she has held since December 2003, overseeing compliance with the Privacy Act and the Personal Information Protection and Electronic Documents Act. 
Full Story

PRIVACY—ASIA PACIFIC

APPA Forum Ends, New Members Welcomed (December 9, 2010)

The Asia Pacific Privacy Authorities (APPA) forum concluded on Wednesday in Auckland, New Zealand, with members affirming their commitment to continued collaboration on international data protection issues. According to the Office of the New Zealand Privacy Commissioner, this year's meeting was one of the largest so far, and Privacy Commissioner Marie Shroff said, "it was pleasing to welcome three new members: Mexico, the United States and Queensland." Shroff added that continued collaboration "will strengthen our ability to get the best possible outcome for the public's privacy rights." The APPA has also established a working group on technology issues.
Full Story

DATA LOSS—U.S.

NASA Investigation Shows Security Holes (December 9, 2010)

An internal investigation has revealed "significant weaknesses in the sanitization and disposition processes" at NASA space and research centers, V3.co.uk reports, resulting in the release of 10 computers containing confidential data. While NASA policy states all computers that have stored NASA data must be wiped prior to being "reassigned, transferred or discarded," the report states, the investigation found managers at some sites were not informed if computers failed sanitization verification testing and, on some occasions, no testing was conducted. "In addition, we found computers at the Kennedy disposal facility that were being prepared for sale on which NASA internet protocol information was prominently displayed," the report said.
Full Story

ONLINE PRIVACY—U.S.

Opinion: What Would You Pay for Web Privacy? (December 9, 2010)

Jack Shafer writes for Slate on the Federal Trade Commission's support for do-not-track technology to give Web users privacy protection choices online as well as the legislative push to mandate such a privacy setting. However, he writes, "even after you take all the recommended cookie-crushing precautions and turn on the 'private browsing' features of your browser, you can still be tracked," describing the ways "seemingly innocuous" information can identify users. Instead, he suggests the time has come to "build a browser from the ground up" that users pay for to guarantee the level of privacy they want, just as they would with a home security system.
Full Story

CONSUMER PRIVACY—U.S.

FTC Commissioner Discusses New Report at PPS (December 8, 2010)

Speaking at the IAPP Practical Privacy Series in Washington, DC, FTC Commissioner Julie Brill discussed the value of privacy and the commission's recent report, Protecting Consumer Privacy in an Era of Rapid Change: A Framework for Businesses and Policymakers. Brill noted, "the right to make informed choices about when to give up something of value--be it money or privacy" is the touchstone of the report. In the Hogan Lovells Chronicle of Data Protection, Christopher Wolf highlights Brill's comments at this week's event, including the concept that if the online industry does not adopt its own do-not-track mechanism, the next step may be legislation.
Full Story

ONLINE PRIVACY—U.S.

Microsoft Unveils Do-Not-Track Feature (December 8, 2010)

As discussions of do-not-track legislation continue, The New York Times reports that Microsoft's Tracking Protection feature will let users limit the ability of third-party companies to track them online. While some experts question whether individuals will actually make use of the feature, FTC Chairman Jon Leibowitz has praised the company "for taking a critical step toward providing consumers with more choice about who can track their online browsing," adding, "Just as important, this announcement proves that technology is available to let consumers control tracking." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—SOUTH KOREA

Regulator: Social Network Violates Privacy Protections (December 8, 2010)

A South Korean regulator has announced that Facebook has breached the country's data privacy laws, IDG News reports. The Korea Communications Commission (KCC) has also criticized the social network's handling of personal information as well as its privacy policy, stating that the company needs to improve how it acquires user consent. "Facebook violates the regulations on protection of privacy in information networks," according to the KCC, which has said Facebook now has 30 days to respond to the complaint.
Full Story

PRIVACY LAW—U.S.

Online Merchant Sues Bank Over Breach (December 8, 2010)

An Arizona online merchant is seeking class-action status in U.S. District Court for its lawsuit claiming U.S. Bank failed to protect it and others from thieves who had breached the bank's credit card database, reports the Star Tribune. The lawsuit alleges Minneapolis-based U.S. Bank knew of and covered up a breach of its security systems, failed to notify customers about the breach and recouped the money from fraudulent charges by pulling it from merchants' accounts. According to the report, U.S. Bank said potential damages could exceed the $5 million threshold required under the Class Action Fairness Act of 2005. A lawyer for U.S. Bank said the case is "wholly without merit."
Full Story

PRIVACY LAW—EU & U.S.

Data Protection Talks To Move Forward (December 8, 2010)

UPI has reported that European officials are moving ahead with plans to approach U.S. counterparts on data protection issues. EU ministers have said they have approved the start of talks on privacy protection issues tied to crime and terrorism prevention activities, the report states. "Protection of personal data is a fundamental right for EU citizens," said EU Justice Commissioner Viviane Reding, adding, "Today's decision gives us the green light to negotiate a solid and coherent agreement with the United States which balances enforceable rights for individuals with the strong cooperation we need to prevent terrorism and organized crime."
Full Story

DATA LOSS—JAPAN

Leak Exposes Foreign Residents’ Personal Information (December 8, 2010)

The Hunton & Williams Privacy and Information Security Law Blog reports on the release of a book containing Tokyo Metropolitan Police Department anti-terrorism documents leaked on the Internet in October. The 469-page book contains the unedited personal information of foreign residents being monitored by Japanese authorities, the report states, and also includes names of police officers involved in the cases as well as individuals who are cooperating with police investigations. A court has halted sales of the book after several affected individuals demanded legal action to prevent further damage.
Full Story

PRIVACY LAW—EU

EU Considers Shortening Data Retention Periods (December 7, 2010)
As European Data Protection Supervisor Peter Hustinx calls for a clear demonstration of the necessity for the Data Retention Directive, EurActiv reports the European Commission may look to shorter data retention periods. "The evaluation we are currently waiting for is the moment of truth for the Data Retention Directive," Hustinx said last week. "Evidence is required that it constitutes a necessary and proportionate measure. Without such proof, the directive should be withdrawn or replaced by a less privacy-invasive instrument which meets the requirements of necessity and proportionality." EU Internal Affairs Commissioner Cecilia Malmström has said, "We may need to agree on more harmonized, and possibly shorter, retention periods."

PRIVACY LAW—U.S.

Senator Proposes Airport Scanner Law (December 7, 2010)

Although the Transportation Safety Administration (TSA) maintains that full-body airport security scanners do not store travelers' images, New York Sen. Charles Schumer proposed legislation on Sunday to make illegal the distribution or recording of images taken by the scanners, reports The Wall Street Journal. The bill aims to allay concerns about misuse of images by TSA employees or others. Under the legislation, offenders could face fines of up to $100,000, one year in prison or both, the report states. "This law sends a loud and clear message to the flying public; not only will we do everything we can to protect your safety, we will also do everything we can to protect your privacy," said Schumer. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Study: Popular Sites “Sniffing” Web Histories (December 7, 2010)

While a recent lawsuit accuses an adult Web site of computer fraud for allegedly "history sniffing" its users' Web activity, researchers at the University of California, San Diego, are spotlighting the use of "history sniffing" to track user activity online, eWeek reports. In an analysis of 50,000 popular Web sites, the researchers found that 485 "are capable of inferring browser history data, 63 of which are transferring that data to their network. In addition, 46 sites were actively participating in history sniffing," the report states. One of the report's authors suggests that "the bigger surprise was that there is an entire industry that has grown around this practice--behavioral analytics."
Full Story

SSN PRIVACY—U.S.

Report Calls for Abolishment of SSN Use (December 7, 2010)

The U.S. needs to do a better job protecting the identities of its military personnel, according to a former Army intelligence officer who wrote a report that shines a light on the pervasive use of military members' Social Security numbers as identifiers. Lt. Col. Gregory Conti, now a West Point professor, writes that "Service members and their families are burdened with a work environment that shows little regard for their personal information." He says the military needs to abandon the practice, The New York Times reports. Military officials say they are working to address the problem. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

New Committee Chair Could Impact Developments (December 7, 2010)

A vote is expected today on the new chairmanship of the House Energy and Commerce Committee, and its results are "bound to have implications for online advertisers," ClickZ reports. Republican Reps. Joe Barton, Cliff Stearns, Fred Upton and John Shimkus are running for the chairmanship. Both Barton and Stearns have been active in online privacy matters. However, "While much legislator interest in online advertising and data privacy, including a pending privacy bill sponsored by Rep. Bobby Rush, has originated in the commerce committee, it is unclear how much attention the committee will pay to privacy issues during the next congressional session," the report states.
Full Story

DATA LOSS—U.S.

Employee Fired for Exposing County Records (December 7, 2010)

A long-term Mesa County, CO, IT employee was fired after a data breach exposed secure law enforcement files and personal information, including some belonging to people who reported crimes, reports KJCT. Last April, while preparing for new software at the sheriff's office, the employee moved hundreds of thousands of files to an unsecure FTP site. Police believe the breach was a mistake, but the data was online and unsecure for almost a month, and "IP addresses locally, nationally and internationally have hit this Web site," said Sheriff Stan Hilkey, whose office is working with the FBI's Cyber Security division on the case and recommends that people who may be affected sign up for fraud alerts with all three credit bureaus.
Full Story

HEALTHCARE PRIVACY—U.S.

PHR Providers: Privacy Is Paramount (December 7, 2010)

Personal health record (PHR) providers believe they have a system that is more privacy-focused than federal law covering electronic patient records, Modern Healthcare reports. At a recent meeting on PHR privacy and security with the Office of the National Coordinator for Health Information Technology at the Department of Health and Human Services, PHR providers suggested that while the federal Health Insurance Portability and Accountability Act allows patient information to be shared without consent for "treatment, payment and other healthcare operations," some PHR providers "create a privacy environment in which secondary use of a patient's healthcare information is not permitted," the report states. (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY—EU & U.S.

U.S. Bank Monitors a Concern for EU (December 6, 2010)

The New York Times explores the concerns among U.S. allies in Europe over monitoring of international banking transactions for potential terrorist activity. The report looks at the history of the program from its roots in the September 11, 2001, terrorist attacks to its halt by EU members back in February and the European Parliament's vote in July to restart the program after concessions that promised greater European oversight. While U.S. officials have valued the monitoring program "because it allowed them to trace the transactions of suspected terrorist financiers while including 'robust' privacy protections," many in Europe continued to favor more "stringent privacy protections," the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Suit Targets Online “History Sniffing” (December 6, 2010)
A lawsuit filed against an adult Web site for "history sniffing" is the latest to take aim at gathering Internet users' information, The Wall Street Journal reports. The suit alleges the site "violated cybercrime and consumer-protection laws by using surreptitious technology to harvest information" about the plaintiffs' Web activity. According to the FTC's David Vladeck, "In theory, history sniffing could be used to get extensive information regarding the domains or even sub-domains the consumer had visited." Meanwhile, a number of online companies have agreed to settle suits alleging they used technology commonly known as Flash Cookies to "essentially hack into a person's machine without their knowledge," the report states. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Reaction Focuses on Do Not Track (December 6, 2010)

Reaction continues to the Federal Trade Commission's report on online privacy, released last week, with a New York Times editorial describing it as "a first step toward better privacy protection." But the enthusiasm of some is tempered by the concerns of others. Some industry experts question the feasibility of introducing the do-not-track mechanism endorsed by the report, while others warn that such a mechanism could "limit the ability for companies to monetize the Internet." The NYT describes such claims as overblown, saying, "Giving Americans the choice to opt out of data tracking does not mean everybody will." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—AUSTRALIA

Police: No Charges for WiFi Collection (December 6, 2010)

The Australian Federal Police (AFP) has concluded its investigation into Google's collection of payload data off of unsecured WiFi networks, determining that the company may have breached the Telecommunications (Interception and Access) Act (TIA) but "evidence exists to suggest that the potential breach of the TIA by Google was inadvertent." The Age reports that the AFP will not bring criminal charges against the company given the inadvertent nature of the breach and "the difficulty of gathering sufficient evidence required for an examination of potential breaches." In announcing the decision on Friday, the AFP said that it was satisfied with the undertakings the company gave following the privacy commissioner's investigation of the activity earlier this year.
Full Story

PRIVACY LAW—U.S.

TX Court Rules State Workers’ Birthdates Private (December 6, 2010)

Overturning past trial and appellate court decisions, the Texas Supreme Court ruled on Friday that state employees' birthdates are private information, saying the employees' privacy interest "outweighs the negligible public interest in disclosure here." The Houston Chronicle reports that the state comptroller took the attorney general and The Dallas Morning News to court in order to protect the privacy of about 144,000 state employees. The News says that birthdates are vital in order to positively identify people, and freedom of information advocates are calling the ruling a "big blow to the public's right to know what's going on."
Full Story

PRIVACY—EUROPE

All Eyes on Technology, Privacy Frontiers (December 6, 2010)

The FINANCIAL reports on last month's IAPP Europe Data Protection Congress in Paris drawing experts in the field "as new technologies lead us to reconsider existing privacy concepts and boundaries," highlighting international industry and regulatory experts who took part in the event. From cloud computing to global standards to privacy by design, an array of experts weighed in on key privacy issues, the report states. Looking forward, "It is important to properly combine law, policy and technology in order to properly understand and implement privacy within today's global ecosystem of business," ICC E-business and IT Telecoms Commission Vice Chair Joseph Alhadeff noted during the event. 
Full Story

HEALTHCARE PRIVACY—U.S.

Advocates: OPM Database Could Be Vulnerable (December 6, 2010)

The Office of Personnel Management (OPM) plan to launch a research database of federal employees' medical insurance claims is raising concerns among privacy advocates, employee unions and consumer groups, The Washington Post reports. The OPM has said the claims data will help find ways to lower costs, improve quality and fight fraud, but privacy advocates and other critics are worried about the database becoming a "repository of sensitive information that could be vulnerable to privacy breaches." As Harley Geiger of the Center for Democracy and Technology put it, "We're talking about a government database with health diagnoses, payment information and procedures." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

House Drills Down on Do Not Track (December 3, 2010)

At a hearing on Capitol Hill yesterday, the House Energy and Commerce Committee's subcommittee on consumer protection explored the potential of a do-not-track mechanism that would let consumers opt out of targeted advertising and data collection, The Wall Street Journal reports. Lawmakers heard testimony on the technological feasibility of such a mechanism, its potential impact on the economy and how to enforce it, among other factors. "We need to be mindful not to enact legislation that would hurt a recovering economy," said Rep. Ed Whitfield (R-KY). Federal Trade Commission (FTC) Consumer Protection Bureau Chief David Vladeck said his agency has the means to implement do not track, but that Congress needs to give the FTC more authority for enforcement. Senator-Elect Richard Blumenthal (D-CT) and Rep. Ed Markey (D-MA) both announced plans to introduce do-not-track legislation in the 112th Congress. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Data Miners To Tell Customers What They Know (December 3, 2010)

A group of online tracking companies is building a service set to launch in January that will let consumers see what they know about them, The Wall Street Journal reports. The Open Data Partnership "is the first of its kind in the fast-growing business of tracking Internet users and selling personal details about their lives," the report states, and "will allow consumers to edit the interests, demographics and other profile information collected about them" or choose not to be tracked at all. "The government has told us that we have to do better as an industry to be more transparent and give consumers more control," said a spokesman for the initiative. "This is a huge step in that direction." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—ISRAEL

Court Dismisses Data Retention Case (December 3, 2010)

The Tel-Aviv district court has ruled that mobile phone subscribers do not have a general right to have their phone records deleted. Cellular providers maintain and store a record of calls made by subscribers, including phone numbers of calls made and received, call durations and call dates and times. "The court viewed phone records retention as a potential threat to an individual's privacy," Dan Or-Hof, CIPP, of Pearl Cohen Zedek Latzer, tells the Privacy Advisor. "However, the court further ruled that data retention embodies advantages and benefits as well...The court ruled that the plaintiff did not prove, or even argue, that defendants used the records in a manner inconsistent with the registered purposes of their databases."
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

U.S. Officials Question EU Data Restrictions (December 3, 2010)

The Wall Street Journal reports on a statement by U.S. aviation security officials raising concerns about EU restrictions on the sharing of passenger data among security agencies. The restrictions reflect heightened sensitivity to passenger privacy concerns, David Heyman of the Department of Homeland Security and Vicki Reeder of the Transportation Security Administration told the Senate Transportation Committee on Thursday, suggesting such restrictions deny "one of the most powerful tools we have for identifying risks to our aviation system...Among our remaining challenges is the false notion that privacy and data protection standards in the United States and the European Union are irreconcilable." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Senate Approves Exemptions to Red Flags Rule (December 3, 2010)

The Senate has approved legislation to exempt certain businesses from the Identity Theft Red Flags Rule, BankInfoSecurity reports. The bill--S3987--is expected to be brought up on the House floor next week, according to Morrison Foerster partner Andrew Smith, who detailed the measure on yesterday's Privacy Tracker call. The amendment would exempt professional service providers such as doctors, lawyers and retailers from the rule; only actual creditors would be subject to it. Subscribers can hear Smith's full analysis in the recorded audio of this month's Privacy Tracker call, which will be available soon on the Privacy Tracker Web site.
Full Story

DATA PROTECTION—INDIA

Survey Says Privacy Is Biggest Challenge for BPOs (December 3, 2010)

A recent study by KPMG and the Data Security Council of India surveyed 50 Indian business process outsourcing organizations (BPOs) and found that while most have undertaken the processes needed to address the data security and privacy governance needs of their clients, this remains their biggest challenge, reports The Economic Times. The study also found that 70 percent of respondents feel that the main threats to data security are internal, and half are negotiating contracts to put liability on their clients for data vulnerabilities in the clients' realm. The BPO industry has grown to nine times its size in the past 10 years and is expected to grow to $225 billion by the year 2020, according to the report.
Full Story

PRIVACY LAW—U.S.

Law Enforcement Pushes for Cell Phone Data Access (December 3, 2010)

CNN reports on law enforcement agencies' push to track suspects via cell phones and GPS technologies without a warrant. The 3rd Circuit U.S. Court of Appeals in Philadelphia, for example, is examining a 2008 case in which the government asked for court permission, without showing probable cause, to obtain cell phone tracking information for a drug investigation, the report states. After a U.S. Magistrate judge required a warrant be obtained, an appeals court affirmed the decision, noting, however, that the exercise should be used sparingly. The Justice Department continues to push for warrantless tracking information.
Full Story

ONLINE PRIVACY—U.S.

Early Reaction to Report Runs Gamut (December 2, 2010)
The Wall Street Journal reports on the Federal Trade Commission staff report on Internet privacy released yesterday. The report calls for increased transparency and simplified consumer choice and endorses the creation of a do-not-track mechanism that would let consumers opt out of targeted advertising and data collection. FTC Chairman Jon Leibowitz said the report makes recommendations for best practices and is "not a template for enforcement." Early reaction to the report runs the gamut--from praise to rejection to additional questions. In a statement, Sen. John Kerry (D-MA) lauded the report and proposed allowing for "FTC approved safe harbor programs" to aid enactment of its proposals. (Registration may be required to access this story.)

PRIVACY LAW—EU & U.S.

Concerns Abound Over Data Storage, Processing (December 2, 2010)

"Sensitive data concerning European citizens and companies is not safe in the U.S., legal experts warn." That's according to a Computerworld report questioning the storage and processing of data from Europe in the U.S. According to the report, many U.S. companies are "wrongfully claiming they are certified to store and process data from Europe," prompting Sophie in 't Veld of the European Parliament to call for the European Commission to rectify the situation. The report looks at the EU-U.S. Safe Harbor principles, suggesting, "the safety of this harbor is not absolute...The rules and policies of Safe Harbor are as soft as butter and there's no oversight."
Full Story

PRIVACY LAW—U.S.

Red Flags Exemptions Expected (December 2, 2010)

On today's Privacy Tracker call, Andrew Smith of Morrison Foerster discussed the Senate's approval of a bill that would amend the Identity Theft Red Flags Rule to limit those who are subject to it. The amendment--S3987--would exempt professional service providers such as doctors, lawyers and retailers from the rule; only actual creditors would be subject to it. Smith said the legislation has been sent to the House of Representatives and it is expected to be brought up on the floor next week. Those close to the legislation "think this has a very good chance of being signed into law," Smith said. Privacy Tracker subscribers can hear Smith's full analysis in the recorded audio of the call, which will be available soon on the Privacy Tracker Web site.
Full Story

PRIVACY LAW—GERMANY

Interior Minister Reveals Draft Internet Law (December 2, 2010)

On Wednesday, German Interior Minister Thomas de Maizière revealed a draft law to tighten rules on Internet privacy that combines self-regulation with new rules making it illegal to gather certain kinds of information, reports Deutsche Welle. De Maizière said that while he's not interested in limiting the opportunities available on the Internet, he considers it "a particularly serious invasion of privacy rights" when sites "publish data that has been aggregated with commercial interests in mind" and which "yield a comprehensive personality or travel profile," states the report. Data protection commissioners criticized the draft law, saying it does not go far enough--especially regarding self-regulation.
Full Story

PRIVACY—NEW ZEALAND

Commissioner’s Report Finds Complaints on the Rise (December 2, 2010)

The number of complaints Privacy Commissioner Marie Shroff's office received increased by 172 from the previous year. That's according to the office's annual report, released this week, which also found that the main areas of concern were Google's collection of data for Street View and competitions and surveys by New Zealand Post, Stuff.co.nz reports, and that more than 7,000 enquiries were made by the public seeking privacy advice. There continue to be concerns surrounding electronic health records and the collection of health information to be stored in databases in addition to New Zealanders' use of social networking sites. Other challenges to privacy involving government information sharing are being addressed, the report states. 
Full Story

PRIVACY LAW—CANADA

Commissioner: Credit Checks Broke Law (December 2, 2010)

Alberta Privacy Commissioner Frank Work has found that Alberta Justice broke the province's privacy laws and the Maintenance Enforcement Program (MEP) violated the Freedom of Information and Protection of Privacy Act after running unauthorized credit checks on 25 MEP employees, the Edmonton Sun reports. Work said the department has agreed an error was made, and he is satisfied the proper steps have been taken to prevent it from happening again, the report states. The investigation was launched when employees with the MEP lodged complaints about unauthorized credit checks that were part of a 2009 internal investigation involving forged checks.
Full Story

ONLINE PRIVACY—U.S.

FTC releases privacy report (December 1, 2010)
The U.S. Federal Trade Commission has released its long-anticipated staff report on consumer privacy. The report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” is the culmination of the FTC’s “privacy rethink” project and includes preliminary recommendations. “The report appears to address the key themes that [the commission] previously had indicated would be covered,” said Hunton & Williams partner Lisa Sotto. “Industry leaders undoubtedly will pay close attention to the FTC's pronouncements.”

ONLINE PRIVACY—U.S.

Committee To Discuss Do-Not-Track (December 1, 2010)

American Public Media explores plans for a do-not-track list in a text report and radio program on online privacy. "Shop at an online store, and the store may track you," the report suggests, highlighting the push for a do-not-track list online to mirror the federal do-not-call telemarketing list. Meanwhile, the makers of Web browser Firefox are exploring their own mechanism to allow users to avoid being tracked online. The House Commerce, Trade and Consumer Protection Subcommittee is scheduled to discuss the feasibility of establishing a do-not-track list at a hearing on Thursday.
Full Story

PRIVACY LAW—U.S.

FTC Settles Children’s Privacy Case (December 1, 2010)

The Federal Trade Commission (FTC) has reached a settlement with EchoMetrix on charges it violated federal law by failing "to adequately inform parents using its Web monitoring software that information collected about their children would be disclosed to third-party marketers." EchoMetrix has agreed not to use or share information collected except to allow registered users access to their accounts, an FTC release states, and will destroy information transferred to its marketing database. "Companies need to make clear disclosures about how they are going to use and share personal information they collect online--even more so when that information relates to children," said David Vladeck of the FTC.
Editor's note: Privacy Tracker subscribers, the EchoMetrix settlement will be discussed in more detail during tomorrow's monthly call.
Full Story

HEALTHCARE PRIVACY—U.S.

Advocates Ask FTC for Health Marketing Changes (December 1, 2010)

Four consumer advocacy groups have filed a complaint with the FTC calling for regulations on the marketing of medications and health-related products online, Gov Info Security reports. The Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum recently filed the 144-page report, which calls for privacy protections to reduce consumer threats presented by health marketing techniques such as behavioral targeting based on medical conditions; monitoring of online conversations on social media by marketers; and medical condition Web sites that appear independent but are sponsored by drug manufacturers. The groups are asking that the FTC work with the Food and Drug Administration to develop marketing policies, among other actions.
Full Story

PRIVACY LAW—U.S.

Class-Action Suit To Move Forward (December 1, 2010)

A federal judge has approved the filing of a class-action lawsuit against the state of Florida for selling the drivers' license data of about 30 million residents to an Internet marketing company, the Associated Press reports. According to the plaintiffs' attorney, Howard Bushman, the sales violate a federal statute banning the disclosure of personal information from drivers' licenses. Bushman claims the state released addresses, dates of birth and possibly Social Security numbers. The report says a Tallahassee judge ruled earlier this month that all affected drivers can become members of the suit.
Full Story

HEALTHCARE PRIVACY—U.S.

Health 2.0 Debate Ongoing (December 1, 2010)

The Economist has opened an online debate allowing people to weigh in on whether "any loss of privacy" by digitizing healthcare would be "more than compensated for by the welfare gains from increased efficiency." Peter Neupert of Microsoft Health Solutions defends the idea, saying, "Consumers must trust that the organizations they are engaged with are accountable and will respect--and protect--the privacy of their data." Meanwhile, Deborah Peel, founder of the advocacy group Patient Privacy Rights, argues, "There are strong indications that the social benefits of EHR systems will be blunted unless comprehensive and meaningful privacy protections are built in upfront."
Full Story

PRIVACY LAW—U.S.

Suit Fingers Companies for Alleged Info Sharing (December 1, 2010)

Three companies are being sued by a Virginia resident for alleged privacy violations, MediaPost News reports. Rapleaf, Facebook and Zynga have been named in the suit, recently filed in federal district court in San Jose, CA. The plaintiff claims that the "Defendants inappropriately and unlawfully transmitted sensitive personally identifiable information...to third parties." The suit follows others that were filed after reports that the companies transmitted users' information to advertisers via referrer headers. One legal expert says it is not clear whether the transmissions violated the Stored Communications Act, as the plaintiff alleges, but says the breach of contract claim "might be easier to prove."
Full Story

FTC releases privacy report (December 1, 2010)

The U.S. Federal Trade Commission has released its long-anticipated staff report on consumer privacy. The report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” is the culmination of the FTC’s “privacy rethink” project and includes preliminary recommendations.

“The report appears to address the key themes that [the commission] previously had indicated would be covered,” said Hunton & Williams partner Lisa Sotto. “Industry leaders undoubtedly will pay close attention to the FTC's pronouncements.”

One of the major themes of the 122-page report is the need to reduce the burden on consumers by simplifying choice, embracing privacy-by-design principles and making privacy policies more consistent across the board. 

“We need to greatly simplify consumer choice,” FTC consumer protection director David Vladeck said while previewing the report at a Consumer Watchdog event in Washington, DC, this morning.

Morrison & Foerster partner D. Reed Freeman, CIPP, commented on the breadth of the report, noting that it applies to online and offline data and encourages companies to adopt the full panoply of Fair Information Practice Principles, among other proposals. Freeman says it will be important to determine to what extent the report’s recommendations are enforceable by Section 5 of the FTC Act.

Freeman also noted that the commission left open the issue of whether, when and under what circumstances consent should be opt in or opt out, as well as whether or when opt in would be appropriate for practices involving sensitive data.

There has been much speculation about the commission’s position on the viability of a do-not-track mechanism, designed to let consumers opt out of having their browsing activities monitored. In its report, the FTC supports the idea of such a system, but does not propose to develop or implement one of its own.

"The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads," the report says. "Commission staff supports this approach, sometimes referred to as 'Do Not Track.'"

In this regard, “The commission…wisely left the door open to either legislative or self-regulatory solutions,” said Jules Polonetsky, CIPP, co-chair of the Future of Privacy Forum. “The industry should act quickly to explore and...