Privacy Policies Now a Must for Mobile Apps

The National Law Review recently published an article, Privacy Policies Now a Must for Mobile Apps, written by Tanya L. Curtis, Leonard A. Ferber, and Doron S. Goldstein of Katten Muchin Rosenman LLP:

California has long been a leader in privacy legislation. That position was strengthened recently when the California Attorney General filed a first-of-its-kind lawsuit against a company for its failure to include a privacy policy with a smartphone application. The lawsuit, filed on December 6 against Delta Airlines, alleges that the airline violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application. This action by the state of California has broad implications for anyone developing or distributing mobile apps.

Background

In 2004, California enacted the California Online Privacy Protection Act (CalOPPA), requiring commercial operators of websites and online services to conspicuously post detailed privacy policies to enable consumers to understand what personal information is collected by a website and the categories of third parties with which operators share that information. CalOPPA provides that “an operator shall be in violation of this [posting requirement] only if the operator fails to post its policy within 30 days after being notified of noncompliance,” and if the violation is made either (a) knowingly and willingly or (b) negligently and materially. In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

While CalOPPA does not define an “online service” or specifically mention “mobile” or “smartphone” applications, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.” In light of this interpretation, in 2011 the Attorney General’s office contacted the six leading operators of mobile application platforms in an attempt to improve mobile app compliance with CalOPPA. In February 2012, the Attorney General reached an agreement with these companies on a set of principles designed to ensure that mobile apps include a conspicuously posted privacy policy where applicable law so requires (such as in California), and that the policy appear in a consistent location on the app download screen.

Delta markets its Fly Delta mobile app through various online “app stores.” Among other things, the Fly Delta app allows customers to check in to flights, rebook cancelled flights and pay for checked baggage. Delta has a website that includes a privacy policy, but that policy did not mention the Fly Delta app or the types of information collected from the app.

The Case

In October, the California Attorney General’s office sent letters to a number of mobile application makers, including Delta, that did not have a privacy policy reasonably accessible to app users, giving them 30 days to respond or make their privacy policies accessible in their apps. Delta either forgot about or ignored the letter, and the Attorney General filed suit.

The complaint stated that the Fly Delta application did not have a privacy policy within the application itself or in the app stores from which the application could be downloaded. The complaint also noted that, while Delta’s website has a privacy policy, the policy does not mention the Fly Delta app or the personal information collected by the app, and is not reasonably accessible to consumers who download the app. Since Delta failed to respond to the October letter, the Attorney General charged the airline with violating California law by knowingly and willfully, or negligently and materially, failing to comply with CalOPPA. And, in a separate charge under a provision of CalOPPA not requiring 30 days’ notice of noncompliance, the Attorney General alleged that Delta failed to comply with the privacy policy posted on its own website, in that the Fly Delta app does not comply with that policy. The complaint asks for damages of $2,500 for each violation, presumably for each download.

What You Need to Know

While California is currently unique in applying its privacy law to mobile applications, many states look to California, as a leader in this area, for guidance. CalOPPA applies to any “operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service…” In light of California’s large population, the practical effect of CalOPPA is that an overwhelming number of online businesses (including mobile app developers) must comply with it.

It is now clear that virtually all mobile or smartphone app makers, as well as companies that use smartphone apps as part of their “mobile strategy,” must make privacy policies accessible to app users. The actions of the California Attorney General also make it clear that there is a cost to noncompliance. Such accessibility can be achieved either by including the privacy policy within the app itself or by creating an icon or text link to a readable version of the privacy policy, which may be part of a company’s or developer’s overall web privacy policy.

©2012 Katten Muchin Rosenman LLP

‘Get-Rich-Quick’ Systems Penalized by FTC to Tune of $478 Million

As part of the Federal Trade Commission’s ongoing efforts to shut down scams that target financially vulnerable consumers, a U.S. district judge has issued a $478 million judgment at the request of the FTC against the marketers of three get-rich-quick systems that the agency says are used for deceiving consumers. The order is the largest litigated judgment ever obtained by the FTC.

The judgment was awarded against companies and individuals who marketed the schemes, titled “John Beck’s Free & Clear Real Estate System,” “John Alexander’s Real Estate Riches in 14 Days,” and “Jeff Paul’s Shortcuts to Internet Millions.”

Nearly a million consumers paid $39.95 for one of these “get-rich-quick” systems, and some consumers purchased personal coaching services, which cost up to $14,995. According to the FTC complaint filed in June 2009, one system was marketed to consumers with the promise that consumers could “quickly and easily earn substantial amounts of money by purchasing homes at tax sales in their area ‘free and clear’ for just ‘pennies on the dollar’ and then turning around and selling these homes for full market value or renting them out for profit.”

The FTC said that nearly all the consumers that bought the systems lost money.

The FTC’s suit alleged violations of the Federal Trade Commission Act, based on the defendants’ representations in connection with the advertising, marketing, promoting and sale of the systems. The FTC also alleged that the defendants violated the Telemarketing Sales Rule through their marketing to consumers.

Two of the individual defendants, Douglas Gravnik and Gary Hewitt, were held jointly and severally liable for the monetary part of the judgment. The judge also imposed a lifetime ban from infomercial products and telemarketing against Gravnik and Hewitt. Gravnik and Hewitt indicated that they are likely to appeal the order to the extent it imposes a lifetime ban. A third individual, John Beck, is responsible for $113.5 million of the judgment.

In its case, the FTC filed 30 consumer declarations detailing consumers’ experiences with the defendants’ products. The defendants objected to many of these declarations on various grounds, including hearsay, relevance, and the best evidence rule among other objections, but these objections were all overruled.

The defendants also objected to the use of a survey by the FTC that showed that less than 0.2 percent of consumers who purchased the defendants’ system made any profits and only 1.9 percent of consumers who purchased coaching material made any revenue. The defendants moved to exclude all evidence relating to the survey on the ground that the pre-notification letter “poisoned the well in such a way as to invalidate whatever survey finding the FTC obtained” and argued that the manner in which the survey was conducted rendered the results unreliable. The court found that the survey was performed under accepted principles used by experts in the field and was admissible.

The court granted summary judgment for the FTC, finding that the defendants made material misrepresentations that were either false or unsubstantiated. The court pointed out that the materials provided by the defendants to consumers taught consumers how to purchase tax liens and certificates, but these purchasers do not obtain title to the property and thus were not “purchasing” the homes as the advertising materials stated.

The court also granted summary judgment on the Telemarketing Sales Rule allegations. The basis of the defendants’ argument was that the violations were isolated and should not be the basis for liability. The court found that there was no dispute that the defendants’ telemarketers repeatedly initiated calls to consumers who asked the defendants not to contact them. The FTC also produced “overwhelming” evidence that the defendants lacked a meaningful compliance program or any written procedures in place to comply with the regulations.

Jeffrey Klurfeld, director of the FTC’s Western Region, stated in a press release that “This huge judgment serves notice to anyone thinking of using phony get-rich-quick schemes to defraud consumers. The FTC will come after you if you violate the law.”

In this case, the FTC had already completed its surveys when it went to court. Trial judges will often be very impressed with FTC surveys and will grant judgment to the agency in nearly every case. Therefore, it is critical that a company that is being targeted by the FTC obtain counsel at the earliest possible stage, before the agency files anything in court. Counsel should be ready to vigorously defend the client’s marketing practices with techniques such as the use of countersurveys and customer testimonials and expert testimony, before the FTC files in court.

© 2012 Ifrah PLLC

Cyber Attacks Hit Major Banks. Is Your Business Next?

Roy E. Hadley, Jr. and Joan L. Long of Barnes & Thornburg LLP recently had an article regarding Cyber Attacks published in The National Law Review:

Over the past week, several websites belonging to some of the largest banks in the country have been hacked in what experts are calling one of the “biggest cyber attacks they’ve ever seen.” As this CNN Money article points out, the websites “have all suffered day-long slowdowns and been sporadically unreachable for many customers.”

According to security experts, the “denial of service” attacks, which began on Sept. 19, are the largest ever recorded.

For all businesses, denial of service attacks are a growing and more menacing threat.  Your customers can’t access your website and can’t buy your goods and services. This can be catastrophic to your company. So the question remains: What have you done to protect your business?

The CNN Money article can be read in its entirety by clicking on the link below.

CNN Money – “Major banks hit with biggest cyberattacks in history”

© 2012 BARNES & THORNBURG LLP

Apple Shareholders Request Information From Board on Privacy/Security Risk

The National Law Review recently published an article, Apple Shareholders Request Information From Board on Privacy/Security Risk, by Amy Malone of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

 

This week, Apple shareholders requested that its Board of Directors publish a report explaining how the board oversees privacy and data security risks.  The proposal, which is available here, was prompted by concern that recent issues such as the unauthorized access to iPhone users’ address books and the release of one million Unique Device IDs could place the company’s growth opportunities at risk.

The shareholder proposal references a recent study conducted by Carnegie Mellon University’s Cylab that made various recommendations to boards, including annual reviews of privacy and security programs to gauge effectiveness and identify gaps, and requiring regular privacy and security reports from management. The interest in privacy and security as risk management issues at both the shareholder and board level is increasing. A recent study conducted by Corporate Board Member & FTI Consulting, Inc. surveyed 11,340 corporate directors and 1,957 general counsel regarding legal risks on their radar. For the first time in the 12 years since the study has been conducted, data security was noted as the most prevalent concern among both directors (48 percent) and general counsel (55 percent). This level of concern has almost doubled in the last four years. For instance, in 2008, only 25 percent of directors and 23 percent of general counsel identified data security as an area of great concern. Moreover, 33 percent of general counsel surveyed believe their board is not effective at managing cyber risk. This is one of the lowest ratings among the 13 risk management areas surveyed.

When asked whether their company had a plan in place to manage a data breach should one occur, only 42 percent of directors said their company had a formal Incident Response Plan. Twenty-seven percent responded that their company had no such plan and 31 percent were uncertain.  Despite acknowledging such unpreparedness, 77 percent of directors and general counsel still believe their company is prepared to handle a data breach. There is a serious concern, however, given the disconnect between having written response plans and the perception of preparedness.   Apple shareholders are recognizing that disconnect and apparently want to ensure that its Board has adequately addressed it.  The proposal will be voted on at Apple’s 2013 Annual Meeting.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Consumer Financial Services Basics – ABA Conference

The National Law Review is pleased to bring you information regarding the upcoming Consumer Financial Services Basics Conference sponsored by the ABA:

When

October 08 – 09, 2012

Where

American University

Washington College of Law

Washington, DC

Program Description

Facing the most comprehensive revision of federal consumer financial services (CFS) law in 75 years, even experienced consumer finance lawyers might feel it is time to get back in the classroom. This live meeting is designed to expose practitioners to key areas of consumer financial services law, whether you need a primer or a refresher. It is time to take a step back and think through some of these complex issues with a faculty that combines decades of practical experience with law school analysis. The classroom approach is used to review the background, assess the current policy factors, step into the shoes of regulators, and develop an approach that can be used to interpret and evaluate the scores of laws and regulations that affect your clients.

Program Focus

This program will explain each of the major sources of regulation of consumer financial products in the context of the regulatory techniques and policies that are the common threads in a complex pattern, including:

  • Price regulation and federal preemption of state price limitations
  • Truth in lending and disclosure requirements
  • Marketing, advertising and unfair or deceptive conduct
  • Account servicing and collections
  • Regulating the “fairness” of financial institution conduct
  • Data security, fraud prevention and identity protection
  • Consumer reporting: FCRA & FACT Act
  • Fair lending and fair access to financial services
  • Remedies: regulators and private plaintiffs
  • Regulatory and legislative priorities for 2012 and beyond

Who Should Attend…

The learning curve for private practitioners, in-house lawyers and government attorneys to understand the basics and changes to CFS law is very steep. This program is a great way to jump up that curve for:

  • Private practitioners with 1-10 years of experience who focus on CFS products or providers
  • In-house counsel at financial institutions and non-bank lenders
  • Government attorneys, in financial practices regulatory agencies
  • Compliance officers (who may be, but need not be, attorneys)

AntiSec Hackers Strike Again

An article by Cynthia J. Larose of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding AntiSec Hackers was recently published in The National Law Review:

 

AntiSec – the hacker group that is the “merger” of Anonymous and Lulzsec – claims to have obtained the unique device identifiers (UDIDs) from 12 million Apple iPhone and iPad users by breaching an FBI computer, and have published more than 1 million of them.

Details of the hack can be found at ZDNet, Slate and The Washington Post. According to the hackers, the alleged hack was intended to publicize the existence of some kind of secret FBI tracking project, also raising an embarrassing question of security for the FBI.

If you want to check whether your Apple UDID was in the compromised file, The NextWeb has developed a nifty quick check tool that you can see here.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

New York Enhances Employee and Consumer Privacy Rights Under its Social Security Number Protection Law

Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession.  (Click here for our summary of the law).  Now, New York is going one step further with its passage of two new Social Security Number Protection laws.

First a note: as of November 12, 2012, §399-dd – the original Social Security Protection Law – will be re-codified as new §399-ddd, and it will also add the statutory language of the first of these two new laws, which prohibits employers from hiring inmates for any job that would provide them with access to social security numbers of other individuals.

The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security numbers while also adding similar protections for consumers. This law prohibits companies from requiring employees and consumers to disclose their social security numbers or to refuse any service, privilege or right to the employee or customer for refusing to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer. This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number. It is unclear whether this law will prove effective in accomplishing its objectives.

First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections. Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law require them to institute certain safeguards to protect against the number’s disclosure. And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from utilizing an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.

Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter, and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.  Further, there is no private right of action, and only the Attorney General can enforce the law.

Governor Cuomo signed the acts into law on August 14, 2012.  The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012.  Now if he would only sign the recently passed wage deduction law.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

How Many Calories is in that Burger? PPACA Makes Sure you know.

The National Law Review recently published an article by Molly Nicole Lewis of McBrayer, McGinnis, Leslie and Kirkland, PLLC regarding The Food Industry and The Patient Protection and Affordable Healthcare Act:

 

We all occasionally grab a quick bite on the go. With fall in full swing, and our schedules filling up, it is much more tempting to drive through and pick up dinner rather than slaving over the stove after a non-stop day. Consider this: What if the menu was labeled with calorie information and you could see that the Hardee’s Thickburger you wanted to order contained 910 calories? A healthy caloric intake for an average person is 2000 calories per day – that’s also stated on the menu. The burger just became ½ of your daily allotment of calories. That information would definitely prompt anyone to reconsider their choices.

Menu labeling, as outlined in the Patient Protection and Affordable Health Care Act (PPACA), might actually change the way we eat, when we eat out! That is exactly what the National Restaurant Association and the National Association of Convenience Stores are grappling with. In the wake of the Supreme Court upholding the PPACA, it is not just the medical and insurance communities buzzing. The food industry is wading through its own set of new rules regarding how they present their product and interact with consumers.

As outlined in Section 4205, nutritional menu labeling is required for chain restaurants across the country. The provisions include labeling requirements for restaurants and food vendors with 20 or more outlets. Calories have to be posted on menus and menu boards, including drive-thru menus. Display tags with additional information, including fat, saturated fat, carbohydrates, sodium, protein, and fiber must be available in writing, upon request. Vending machine companies that operate at least 20 machines are also subject to these requirements. For buffet-style or self-serve restaurants, a sign must be placed adjacent to each food and beverage item listing calories per item or serving. There are some exceptions that will not require calorie disclosure: items not listed on the menu, such as condiments, daily specials or temporary offerings. If an item appears on the menu less than 60 days per calendar year, or a test market item appears on a menu for less than 90 days, they are both exempt.

The Food and Drug Administration (FDA) considered Section 4205 effective immediately. However, without detailed guidance from the FDA, these provisions cannot be required. The final FDA regulations are expected by the end of 2012. Industry implementation would become effective six months after publication, in early 2013. If a restaurant that is not required to comply with Section 4205 voluntarily registers with the FDA and follows the federal disclosure guidelines, it is not subject to any state or local nutrition disclosure requirements.

There is more at stake here than complying with disclosure regulations. For owners and operators in the food industry there are real costs to be considered. The new menu requirements alone will demand printing new menus and menu boards. Nutritional analysis may have to be performed to accurately report the information to the consumer. All of these added expenses could mean thousands in unbudgeted expenditures, and will result in consumer behavioral changes where the full financial impact cannot be determined – until after the fact.

It is interesting to contemplate how each of us will react to menu labeling. Will it help change the health of our country? The jury’s still out, but we are eagerly anticipating the verdict.

© 2012 by McBrayer, McGinnis, Leslie & Kirkland, PLLC