California Continues to Shape Privacy Standards: Song-Beverly Act Extended to Email Addresses

Womble Carlyle

Executive Summary: California retailer restricted from requiring a customer email address as part of a credit card transaction. We knew that asking for zip codes is intrusive personal questioning, and now asking for email has been added to the list.

California’s Song-Beverly Credit Card Act (Cal. Civ. Code Sec. 1747 et seq.) (“Song-Beverly Act” or “Act”) restricts businesses from requesting, or requiring, as a condition to accepting credit card payments that the card holder provide “personal identification information” that is written or recorded on the credit card transaction form or otherwise. “Personal identification information” means “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the card holder’s address and telephone number.” The California Supreme Court has previously ruled that zip codes are also “personal identification information” under the Song-Beverly Act. See Pineda (Jessica) v. Williams-Sonoma Stores, Inc., 2011 Cal. LEXIS 1502 (Cal. Feb. 10, 2011).

Recently, a United States federal district court in California expanded “personal identification information” to include email addresses in a decision denying retailer Nordstrom’s motion to dismiss claims it violated the Song-Beverly Act. The plaintiff sued Nordstrom for collecting his email address as part of a credit card transaction at one of its California stores in order to email him a receipt, then subsequently using his email address to send him frequent, unsolicited marketing emails. See Capp v. Nordstrom, Inc., 2013 U.S. Dist. LEXIS 151867, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013).

Raising a case of first impression under California law, Nordstrom claimed that email addresses are not “personal identification information” under the Song-Beverly Act, so the Act did not apply. The court disagreed with Nordstrom and found the opposite based on the California Supreme Court’s earlier ruling in Pineda. Nordstrom’s argument that email addresses can readily be changed, unlike zip codes, and consumers can have multiple email addresses was not persuasive. The court held that an email address regards a card holder in a more personal and specific way than a zip code. Unlike a zip code that refers to the general area where a card holder works or lives, email permits direct contact with the consumer and implicates their privacy interests. The court concluded that the collection of email addresses is contrary to the Song-Beverly Act’s purpose to guard against misuse of personal information for marketing purposes. In particular, the plaintiff’s allegation that his email address was collected to send him a receipt and then used to send him promotional emails directly implicates the protective purposes of the Act as interpreted in Pineda.

Pineda held that zip codes are personal information for purposes of the Song-Beverly Act, and therefore a brick and mortar retailer violated the Act when it requested and recorded such data. In the Pineda decision, the California Supreme Court found that zip codes, like the card holder’s address expressly called out as “personal identification information” under the Act, were unnecessary to completing the credit card transaction and inconsistent with the protective purpose of the Act. This is especially true when a zip code is collected to be used with the card holder’s name in order to locate the card holder’s address, permitting a retailer to locate indirectly what it is prohibited from obtaining directly under the Act.

Nordstrom also argued that the plaintiff’s claims under the Song-Beverly Act were preempted by the federal “Controlling the Assault of Non-Solicited Pornography and Marketing Act” (better known as the CAN-SPAM Act), but the court disagreed. While the CAN-SPAM Act contains a preemption provision, it only preempts state laws that regulate the manner in which email messages are sent and their content, both of which are not regulated under the Song-Beverly Act.

Retailer tip: The federal court issuing this most recent decision recommends waiting to request an email address (or a zip code) until after the consumer has the receipt from their credit card transaction in hand, and then sending the consumer emails only in conformance with the CAN-SPAM Act.

In the wake of Pineda, retailers faced class action lawsuits for requesting consumer zip codes at check out. This new decision could have a similar effect.

Article by: Womble Carlyle Sandridge & Rice, PLLC

New Online Privacy Policy Requirements Take Effect January 1, 2014


California Online Privacy Protection Act (CalOPPA)

Owners of websites, online services or mobile applications (apps) that can be accessed or used by California residents should ensure their compliance with the new amendments to the California Online Privacy Protection Act of 2003 (CalOPPA) by the law’s January 1, 2014 effective date.  The borderless nature of the Internet makes this law applicable to almost every website or online service and mobile application.  Accordingly, companies should review and revise their online privacy policies to ensure compliance with the new law and avoid potentially significant penalties.

Previously, CalOPPA required the owner of any website or online service operated for commercial purposes (an “operator”) that collects California residents’ personally identifiable information (PII) to conspicuously post a privacy policy that met certain content requirements, including identifying the types of PII collected and the categories of third parties with whom that information is shared. The new law requires that companies subject to CalOPPA provide the following additional disclosures in their privacy policies.

  • How an operator responds to “do not track” signals from Internet browsers and any other mechanism that provides consumers a choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party websites and online services.  A company may satisfy this requirement by revising its privacy policy to include the new disclosures or by providing a clear and conspicuous hyperlink to a webpage that contains a description of any program or protocol the company follows to provide consumers a choice about tracking, including the effects of the consumer’s choice.
  • An affected company must disclose to users whether third parties may collect PII about a user’s online activities over time and across different websites when a consumer uses the operator’s website or online service. However, an operator is not required to disclose the identities of such third parties.

The California law does not require that operators honor a user’s “do not track” signals. Instead, operators must only provide users with a disclosure about how the website or mobile app will respond to such mechanisms. “Do not track” mechanisms are typically small pieces of code, similar to cookies, that signal to websites or mobile apps that the user does not want his or her website or app activities tracked by the operator, including through analytics tools, advertising networks, and other types of data collection and tracking practices.  Further, the Privacy Enforcement and Protection Unit of the California Office of the Attorney General recently stated that the required disclosures should not be limited to tracking simply for online behavioral advertising purposes, but those disclosures must extend to any other purpose for which online behavioral data is collected by a business’s website (e.g., market research, website analytics, website operations, fraud detection and prevention, or security).

A violation of the law can result in a civil fine of up to $2,500 per incident. The California Attorney General maintains that each noncompliant mobile app download constitutes a single violation and that each download may trigger a fine.

Given that most company websites will have California visitors, companies should consider taking the following steps to ensure compliance with the CalOPPA amendments by January 1, 2014:

  • Identify the tracking mechanisms in place on your company’s websites and online services, including (a) the specific types of PII collected by the tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and how the website responds to “do not track” signals. Seek input from those familiar with your website, including (i) technicians and developers who understand the mechanics of how the website operates, including how it responds to “do not track” signals, (ii) financial and marketing personnel who understand how user PII is monetized, and (iii) any other stakeholders who access or handle user PII.
  • Review the practices of any third parties that have the ability to track users on your website. To draft the new disclosures, you will need to understand how those third parties track your users and whether they are capable of doing so before or after the users leave your service.
  • Incorporate the information identified above to modify your online privacy policy to include the required behavioral tracking disclosures.
  • Retain the prior version of the policy in your records, including the date on which each version was posted to the site. The new version should have an updated effective date to distinguish it from the previous version.

Expansion of California’s Data Breach Notification Requirements

Under another new law taking effect on January 1, 2014, California will expand its data breach notification requirements by adding new types of information to the definition of “personal information” under California Civil Code §§ 1798.29 and 1798.82. The new law requires notification if a California resident’s personal information is compromised, and, as with CalOPPA, the breach notification requirements apply regardless of the location of the organization that sustains the breach.  Therefore, to the extent that your business collects and retains California residents’ PII, then the amended California breach notification law would apply.

Previously, the California law required notification of a data breach in the event of the unauthorized access to or disclosure of an individual’s name, in combination with that individual’s (i) Social Security number, (ii) driver’s license or California ID number, (iii) account, credit or debit card number, together with a security or access code, (iv) medical information, or (v) health information, where either the name or the other piece of information was not encrypted. Under the new definition, “personal information” will also include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Accordingly, if your business or organization collects this type of information, then it should consider undertaking the following proactive measures to reduce the risk and magnitude of a potential data breach:

  • Periodically and systematically delete nonessential personal information. By deleting obsolete PII and other sensitive information, businesses can significantly reduce the risk of a breach.  Retaining such obsolete legacy PII serves no business purpose, but only adds unnecessary exposure and potential liability.
  • Conduct a PII inventory and perform a risk assessment of your security measures. Identify what PII is being collected by your organization, where it is retained, who has access to the PII and the security measures in place to protect the PII. Sufficient protections may not prevent every incident, but they can reduce the possibility of an incident occurring in the first place and limit the disruption to your business if there is a breach.
  • Limit the disclosure of PII to third parties only when necessary to provide services or products. You can be equally responsible for a data breach notification if the person or entity who experiences the data breach was a third party who received PII from you. Any vendor or third party with whom you share PII should contractually represent and warrant that they have in place certain standards for protecting that information and agree to indemnify your company for any loss that results from a breach.

 

Article by: Vedder Price

Google Must Face Most Claims in Keyword Wiretap Class Action

Mintz Levin

If you were on Google’s home page yesterday at the office, you probably spent more time than you care to admit playing the “help the letter ‘g’ hit the piñata” game that Google created for its 15th birthday.

For Google, that might be a welcome distraction from very bad news it received from the Northern District of California.  U.S. District Court Judge Lucy Koh denied in part Google’s motion to dismiss a 2010 claim in which users accuse Google of violating various state and federal laws by scanning the content of user emails for purposes of creating user profiles and directing targeted advertising, thus allowing a putative class action suit against the search (and everything else online) giant to proceed.

Judge Koh’s order (full text can be found here) is significant in its handling of a number of Google’s arguments, but the rejection of a particular line of argument is understandably receiving much of the attention. In its Motion to Dismiss, Google argued that its practice of scanning emails is not a violation of the Federal Wiretap Act because, among other reasons, Gmail users and non-Gmail users have consented to the interception of emails. Google’s consent argument was two-fold. First, it argued that Gmail users had “expressly consented” to having their emails scanned by agreeing to its Terms of Service and Privacy Policies, which every Gmail user is required to do. Second, it argued that non-Gmail users have “impliedly consented” to the practice by sending an email to a Gmail user, because at that time those non-users understood how Gmail services operate.

Judge Koh rejected both of Google’s consent arguments, holding that the Court “cannot conclude that any party – Gmail users or non-Gmail users – has consented to Google’s reading of email for the purposes of creating user profiles or providing targeted advertising.” The Court dug into the multiple iterations of Google’s Terms of Service and Privacy Policies that have been in place since 2007, and found that the policies did not explicitly notify users that Google would intercept emails for the purposes of creating user profiles and targeting advertisements. The Court discussed a number of sections of Google’s policies where users allegedly consented to the practice of scanning emails for advertising purposes, and in each case found that the policies either described a different purpose for scanning emails (such as filtering out objectionable content) or were unclear when describing what kind of information would be intercepted (using descriptions like “information stored on the Services” or “information you provide”). The Court further held that Google’s current policies (which were put in place on March 1, 2012) are equally ineffective at establishing consent. Finally, the Court rejected the argument that non-Gmail users had impliedly consented to the interception of emails, noting that accepting Google’s theory of implied consent would “eviscerate” laws prohibiting interception of communications.

Judge Koh’s denial of Google’s Motion to Dismiss is the latest reminder that when it comes to privacy policies and terms of use, how you write something can be as important as what you write.  We will have more on the various issues discussed in Judge Koh’s order over the next few days.


Brain Spray and the Law

Womble Carlyle

Now that we can capture and use the signals emitted by human brains, we should consider whether brain signals are public property. If your face and voice become available to the public through use, is the same true for your thoughts, when they can be read by others?

Several recent news items have illustrated the progress humans have made in understanding the brain’s workings and harnessing an active brain for practical purposes. For example, this week, Duke University researcher Miguel Nicolelis used microchips and the internet to connect the brains of two mice on different continents, so that the thoughts of one can influence the actions of the other. Much of Dr Nicolelis’s work involves creating an exoskeleton that a paralysed person could operate with brain signals.

Similarly, University of Pittsburgh researcher Andrew Schwartz has been working since 2006 to find ways for a person to control a robotic arm with only brain signals. In February 2013, surgeons implanted four microchips in a paralysed patient’s brain that translate her brain’s signals into movement in robotic equipment. 60 Minutes and ABC News showed a video of the Pittsburgh patient feeding herself ice cream through brain signals to a robotic arm.

Such scientific work involving directed brain signals seems like science fiction, but the technology is available right now, will only improve over time, and will soon be available commercially. Right now, the most rudimentary brain-driven technology can be purchased. High-end toy emporium Hammacher Schlemmer sells a “Telekinetic Obstacle Course” that uses focused brain waves to manoeuvre a ball through an obstacle course. The game comes with a headband to read your brain signals and then wirelessly transmit those signals to the game’s air fan, which increases or decreases speed depending on your signal, blowing a foam ball around an obstacle course.

For example, Australian scientist and entrepreneur Tan Le, the founder of Emotiv Lifescience, has created a headset that serves as an interface for reading the wearer’s brainwaves, making it possible to control virtual and physical objects with directed thoughts. Eventually the headset will be conditioned for diagnostic use, but current products use the brain-interface headset for videogames, allowing users to drive virtual race cars with their concentrated thoughts.

Modern science has identified two types of “brain spray”, or signals that can be harnessed from outside of a person’s skull. The first is the directed thoughts described in the examples above, where certain voluntary brain signals, created by the subject concentrating on a goal or action, are read and translated by either a device worn by the subject or by microchips placed in the subject’s head. Research into this field, including US government funded research by DARPA, may lead to practical solutions allowing wounded veterans or other people with disabilities to grasp, drive, walk and talk again.

This type of brain spray will lead to legal concerns. For example, if a wounded soldier is offered a limb that responds to his thoughts, the company providing the limb will want to capture information from the electronics that capture brain signals, both for understanding and improving the equipment and for monitoring its use. Could a disabled person say “no” to the company that was offering a newly functional life, or would he be forced to sign away his brain spray for the benefit of science and a company providing the equipment?

We all know that our signals from laptops and smartphones are captured by any number of companies – telephone signal providers, hardware manufacturers, app developers, banks and payment businesses – when we undertake actions or transactions over the internet. There is no reason that the same rules would not apply to our directed thoughts when our computing devices are controlled by focused brain signals. Google is already testing computing in the form of eyeglasses that could easily be equipped to read such brain spray and turn it into both action and data. Our thoughts would be available to our service providers.

The other brain spray that can be captured and turned to practical use is translation of brain activation signals currently read by functional magnetic resonance imaging machines (fMRI). These signals are more intrusive than the focused brain signals described above, because the fMRI provides pictures of what part of a human brain is activated by situations or stimuli. The fMRI pictures can easily be interpreted as triggers for various emotions. Because certain emotions trigger activity in specific parts of the brain, fMRI brain spray comes close to showing what the subject is feeling about the situation he is in.

Scientists currently read and interpret the emotional and logical meanings of fMRI signals from the human brain. In a 2008 article for Atlantic Monthly, Jeffrey Goldberg submitted himself to brain readings where scientists used MRI scanning to observe which areas of Goldberg’s brain reacted to certain images. The scientist showed Goldberg pictures of personal, political and cultural figures, recording his brain’s involuntary reactions with the MRI machine and noting when his brain activated in areas indicating affection and affinity for certain pictures (Goldberg’s wife and Bruce Springsteen) and revulsion at other pictures (Osama bin Laden).

This technology is attractive to corporations wanting to know how to stimulate your urge to buy their products and to see how you react to their advertising. However, do you want companies to know this much about you? Current law holds that if you have no reasonable expectation of privacy, then you cannot stop anyone from harvesting information from you. For example, when you are out on the public roads or when you walk up to an Automated Teller Machine at the bank, you are subjecting your appearance, your facial expressions and even your body itself, to scrutiny, photography, recordation and information capture by other people (or the bank) who share your public space.

If your appearance, your voice, and even your DNA are available to everyone in public (many US courts allow police to collect a suspect’s DNA in public places without a warrant), then why would this rule not extend to your brain spray when you enter the public area at a time that mobile fMRI technology or other brain signal capture technology is commercially available? Exposing your brain signals in public may be no different from exposing your face or your voice at the same time. Why would you have a reasonable expectation of privacy in your brain spray when you know it can be read by anyone with the right equipment? Many will argue that once your body is in a public space, then it can be read by the government or business in any way that they are able.

If there were limits to the use of this technology to read your exposed brain signals, situational rules would have to be developed. For example, when fMRI technology is cost-effective and practical to use from a distance, should you automatically submit to brain scanning just by walking into a certain store, casino, bank or government building? Will companies provide notice before scanning you? Will the scan data be linked to your credit card purchases to identify you, linked to the uniform identifier in your smartphone, or linked to RFID tags in the products you buy?

This technology also has national security applications for interpreting malice in sensitive situations. The government may be able to read a suspect’s brain activity to identify intent to act before the crime takes place, scanning banks and airports for signs of potentially criminal intent. But our criminal law is based on punishment for actions, not thoughts or intentions. Everyone has intemperate thoughts of anger, frustration and fantasies of outrageous exploits, but people manage to keep those ideas in their heads and not act on them. How much do you want the government to know about your unfiltered thoughts, once those thoughts can be read from outside your head?

Once the technology is widely available, anyone could use its invasive and interpretive powers. Employers may examine their workers for hostile thoughts toward management or sympathetic thoughts toward labour organisers. Colleges can probe their applicants’ level of enthusiasm for learning. The military could test for signs of homosexuality in recruits without asking or telling. Lawyers and investigators in divorce cases would have a new avenue to examine unfaithful behaviour. How quickly would enthusiastic opposition dig up the thought crimes of political candidates?

Our laws are inadequate for addressing these issues or protecting the privacy of our brain spray. Current privacy law in the United States would not prohibit harvesting brain spray and would not even require an individual’s permission to do so. The current American privacy laws relating to reading your biometric measurements and physical condition only apply to body signs taken for health care purposes.

If a hospital records your blood type or your DNA to test for disease, those records are private and you have the right to keep them from being used for other purposes. However, a reading of your body, including your DNA and your brain spray, is not protected from transmission or sale between companies if the reading was taken for security, marketing or intelligence purposes. The recorded thoughts showing your excitement at the perfect little black dress or those used to power your prosthetic arm may be transferred to anyone. The law leaves you vulnerable.

Brain spray is the ultimate prize in the larger security and privacy debate concerning what personal facts may be captured by commercial or governmental interests. Why bother asking you what you think about a politician or a product when a company can read it directly from your brain? Without legal change, finding out who really loves “mom”, apple pie and America could soon be as simple as a head examination.

Originally published March 22, 2013 in the International edition of Intellectual Property Magazine Online


China’s First-Ever National Standard on Data Privacy – Best Practices for Companies in China on Managing Data Privacy

Sheppard Mullin

Companies doing business in China should take careful notice that China is now paying more attention to personal data collection and privacy. This would be an opportune time for private companies to internally review existing data collection and management practices, as well as determine whether these fall within the new guidelines, and where necessary, develop and incorporate new internal data privacy practices.

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines are not legally binding; they are just what they purport to be, guidelines, and some commentators view them as technical guidelines. However, the Guidelines should not be taken lightly, as they may be a precursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries.

What should companies look for when examining existing data privacy and collection policy and practices? As the Guidelines provide for rules on collecting, handling, transferring and deleting personal information, these areas of a company’s current policies should be reviewed.

“Personal Information”

What personal information is subject to the Guidelines? The Guidelines define “personal information” as “computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person.”

“General” and “Sensitive” Personal Information

The Guidelines make a distinction between handling “general” and “sensitive” personal information. Sensitive personal information is defined as “information the leakage of which will cause adverse consequences to the subject individual”, e.g., information such as an individual’s identity card, religious views or fingerprints.

Consent Required

If an individual’s personal information is being collected, that individual should be informed as to the purpose and the scope of the data being collected. Tacit consent must be obtained, meaning the individual does not object after being well informed. Where “sensitive” personal information is being collected, a higher level of consent must be obtained prior to collection and use: the individual must provide express consent, and evidence of that consent must be retained.

Notice

Best practices dictate that a well-informed notice be given to the individual prior to collection of any personal information. The notice should clearly spell out, among other items, what information is being collected, the purpose for which the information will be used, the method of collection, the party to whom the personal information will be disclosed and the retention period.

Cross Border Transfer

The Guidelines further limit the transfer of personal information to any organization outside of P.R. China except where the individual provides consent, the government authorizes the transfer or the transfer is required by law. It is unclear which law applies where transfer is “required by law”: PRC law or the law of any other country.

Notification of Breach

There is a notification requirement. The individual must be notified if personal information is lost, altered or divulged. If the breach incident is material, then the “personal information protection administration authority” must also be notified. The Guidelines, however, do not define or make clear who this administration authority is.

Retention and Deletion

Best practice for a company is to minimize the amount of personal information collected. Personal information, once used to achieve its intended purpose, should not be stored and maintained, but immediately deleted.

The Guidelines may not be binding authority, but at a minimum they set certain standards for the collection, transfer and management of personal information. Especially for companies operating in China, the Guidelines are a call to action and to implement best practices relating to data privacy. Companies should take this opportunity to assess their data privacy and security policies, review and revise customer information intake procedures and documentation, and develop and implement clear, company-wide internal data privacy policies and methods.


Privacy Funny

The National Law Review is pleased to bring you this funny brought to our attention by Cynthia LaRose of Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo PC: