Government Agency Regulation
Consumer Protection Issues
In recent years, the Federal Trade Commission has actively asserted its authority to challenge Internet privacy policies and practices that may be “unfair and deceptive” and thus violate Section 5(a) of the FTC Act.
Fair Information Practices Act
In 1998, the FTC announced four elements necessary to protecting consumer privacy:
- Notice to consumers about what personal information is collected and how it is used;
- Choice for consumers about whether and how their personal information is used;
- Security of personal information; and
- Access for consumers to their own personal information to ensure accuracy.
In addition, the FTC declared that consumers should have an effective mechanism to enforce these fair information principles. In a number of cases, the FTC has brought enforcement actions against Web site operators based on suspect data collection practices.
FTC Privacy Agenda
Under the Bush Administration, FTC Chairman Timothy Muris has de-emphasized new privacy legislation but has promised that the FTC will step up its enforcement of existing rules and regulations as part of the agency’s “Privacy Agenda.” The Commission’s Privacy Task Force is directed to scrutinize products and services that tout privacy features, promises made in privacy policies or under the European Union Safe Harbor program, and the use of sensitive financial and medical data or personally identifiable information regarding children. Muris has also held out the possibility that federal regulators will seed lists with names to monitor promises made to consumers.
FTC and Wireless Privacy
The FTC is also actively monitoring emerging issues in wireless privacy. It released a summary and update of the proceedings of its December 2000 workshop titled “The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues.” The report noted that while self-regulatory groups have already established guidelines that address some of the wireless privacy issues, FTC staff concluded that more guidance might be helpful to companies seeking to implement them. The report stated that the FTC will continue to monitor the development of new wireless services, along with the privacy, security, advertising, and other consumer protection issues they raise. See http://www.ftc.gov/bcp/reports/wirelesssummary.pdf.
Selected FTC Actions Under Section 5 of the Federal Trade Commission Act
- In the Matter of Microsoft Corp., File No. 012 3240 (Fed. Trade Comm’n Aug. 8, 2002). Microsoft represented to consumers that it would maintain and protect the privacy and confidentiality of personal information transmitted to Microsoft when signing up for its .NET Passport and Passport Wallet Services. Moreover, Microsoft represented that it would not maintain personal information of Passport users beyond what was disclosed on its Web site and would provide parents with control over the information collected in connection with its Passport Kids service. The FTC determined that Microsoft was not maintaining the level of security, privacy and control represented on its Web site. The FTC subsequently approved a proposed consent decree requiring Microsoft to, among other things, increase privacy, security and control and certify as to such every two years for the next 20 years via independent auditors.
- In the Matter of Eli Lilly and Company, File No. 012 3214 (Fed. Trade Comm’n Jan. 18, 2002). An inadvertent disclosure of customer medical information by Eli Lilly and Company led to an enforcement action by the FTC for violation of the “security” prong of the fair information practices. The FTC charged the company with unfair and deceptive trade practices after an Eli Lilly employee neglected to suppress the email addresses of 669 Prozac users when emailing them a newsletter that they had requested. The complaint alleged that Eli Lilly had deceived consumers when it failed to maintain the data security promises it made in its privacy policy. The settlement requires Eli Lilly to implement physical, administrative and technical security programs, appoint a security officer to oversee the programs, and research and analyze its data security practices on an ongoing basis. See also In the Matter of Eli Lilly and Company, Docket No. C 4047, 2002 FTC LEXIS 22 (Fed. Trade Comm’n May 8, 2002), wherein the Court issued an order in conformance with the terms of the above settlement agreement.
- FTC v. Robert Stout, Civ. Action No. 99-5705 (D.N.J. 2001), File No. X000 122 (Fed. Trade Comm’n Aug. 24, 2001). The FTC settled a suit brought against a group of spammers who gathered consumers’ personal information, including credit card numbers, by sending emails falsely stating that the Children’s Online Privacy Protection Act required consumers to register their information or lose access to Internet newsgroups. Under the terms of the settlement, defendants must not misrepresent any material facts, including that consumers are required to register or provide personally identifiable information in order to access newsgroups or the Internet, or that defendants represent state or federal government officials. The terms also include a host of compliance and monitoring requirements.
- FTC v. Amazon.com and Alexa Internet (Fed. Trade Comm’n May 25, 2001). The FTC decided not to take action against Amazon.com and its subsidiary Alexa Internet. The agency initiated its investigation based on complaints that alleged that the company’s Alexa Web navigation service and zBubbles comparison shopping service collected personally identifiable information, despite a privacy policy that stated that data collected would remain anonymous. The FTC noted that Alexa had changed its privacy policy, that the product was no longer on the market, and that Amazon had settled a class action lawsuit on the matter. See http://www.ftc.gov/os/closings/staff/amazonalexa.pdf.
- FTC v. Amazon.com, Fed. Trade Comm’n Ruling (Fed. Trade Comm’n May 24, 2001). The FTC ruled that Amazon did not violate federal law prohibiting unfair and deceptive trade practices. The FTC launched the investigation after receiving a joint petition from two privacy watchdog groups. Amazon altered its privacy policy to allow it to share customer data with other companies so long as the customer did not object to the practice. Amazon’s earlier privacy policy stated that it did not share information and that customers could opt-out of any data sharing that might occur in the future. The FTC found that the current policy did not materially conflict with the previous one. See http://www.ftc.gov/os/closings/staff/amazonletter.htm.
- FTC v. Toysmart.com, Civ. Action No. 00-11341-RGS (D. Mass. 2000). The FTC filed a complaint against Toysmart alleging that Toysmart disclosed, sold, or offered for sale personal customer information despite a privacy policy that stated the information would never be shared with third parties. The FTC case settled in July 2000 when Toysmart consented to an order that prohibited the sale of Toysmart’s personal customer information except to a family-oriented Web site that was willing to purchase the entire Toysmart business and agree to the terms of the order. In August, however, the federal bankruptcy judge in charge of Toysmart’s bankruptcy proceedings dismissed the agreement between Toysmart and the FTC as premature. The fate of the list was finally determined in January of 2001, when the bankruptcy judge approved Disney’s $50,000 offer to purchase the list and destroy it. See subsection (2)(h)(7), below.
- FTC v. ReverseAuction.com, Inc., Civ. Action No. 00032 (D.D.C. 2000), File No. 002 3046 (Fed. Trade Comm’n Jan. 6, 2002). According to the FTC complaint, ReverseAuction registered with eBay and agreed to comply with its privacy policy and user agreement, but then harvested personal user information from eBay users and spammed these users in violation of eBay’s privacy policy. The message allegedly contained a deceptive subject line that indicated that the recipient’s eBay password was about to expire. The case settled when ReverseAuction consented to an order that prevented it from sending deceptive emails in the future. In addition, the order required ReverseAuction to notify all eBay customers who were allegedly spammed, telling them that eBay did not know about or consent to the spamming and that their eBay passwords were not about to expire. Finally, ReverseAuction was required to post its privacy policy on its Web site and to delete eBay users’ information from its database.
- Worldwidemedicine.com et al., Civ. Action No. CV-S-00-0861-JBR (D. Nev. July 6, 2000), File No. 992 3245 (Fed. Trade Comm’n 2000). The FTC filed a complaint alleging deceptive trade practices against a group of online pharmacies for, among other practices, misrepresenting the security and encryption used to protect consumers’ information and sending spam to 11,000 customers indicating that the customers’ credit cards were going to be billed for $50 for “Y2K Remediation” (a charge for which the pharmacies had no legal authority). The case settled when the pharmacies consented to an order that barred future misrepresentations about the security and encryption of the pharmacies’ sites and about the pharmacies’ use of customers’ credit cards. The settlement also required the pharmacies to post a privacy policy on their Web site and prohibited the pharmacies from selling or using the information collected from consumers without express authorization.
- In the Matter of GeoCities, File No. 9823015 (Fed. Trade Comm’n Aug. 13, 1998). In one of its first privacy actions, the FTC charged Web site host GeoCities with misrepresenting its online personal information collection practices. GeoCities consented to an order under which it would post on its site a Privacy Notice, telling consumers what information was being collected and for what purpose, to whom it would be disclosed, and how consumers could access and remove the information. GeoCities also agreed to obtain parental consent before collecting information from children 12 and under and to provide a link from its site to consumer privacy information on the FTC’s site. The consent order was approved on Feb. 5, 1999. See http://www.ftc.gov/os/1998/9808/geo-ord.htm.
- In the Matter of Guess?, Inc., File No. 022 3260 (Fed. Trade Comm’n July 30, 2003). Through its Privacy and Security policies, Guess represented that it would use personal information provided by users to “create a more personalized and entertaining experience.” Guess also represented that security measures were in place to protect all personal information from unauthorized access. The FTC determined that the Guess Web site, including users’ confidential information, was vulnerable to foreseeable attacks from third parties attempting to obtain access to customer information. The FTC further found that Guess was responsible for this vulnerability because it failed to “implement reasonable and appropriate measures to secure and protect the databases that support or connect to the website.” The FTC ordered Guess to implement a comprehensive information security program, including designating employees responsible for information security, identifying internal and external security risks, and monitoring and adjusting this program to maintain its effectiveness. Guess was also ordered to certify its compliance with this order via independent auditors every two years for the next 20 years.
Regulation of Information from Kids – Children’s Online Privacy Protection Act
Overview
Congress enacted the Children’s Online Privacy Protection Act of 1998 (“COPPA”) to govern online collection and use of information from children under the age of 13. 15 U.S.C. §§ 6501 et seq. (2002). On October 20, 1999, the FTC issued rules for the implementation of COPPA. In general, these rules require commercial Web sites that are “directed” to children, or that have actual knowledge that children under the age of 13 are using those sites, to obtain “verifiable parental consent” before collecting personal information from children online. These rules took effect on April 21, 2000.
Application
The rules define the “operator” of a Web site broadly as any commercial Web site or online service that collects or maintains personal information from or about its visitors, including persons or entities “offering products or services for sale through that website or online service.” Note that “collecting” information includes any activity that enables children to make personal information publicly available, including message boards or chat rooms.
Directed to Children
In determining whether a Web site is “directed to children,” the FTC will consider the following factors:
- Subject matter;
- Visual or audio content;
- Age of models;
- Language used on the site;
- Advertising and promotions featured on the site;
- Use of animated characters or child-oriented activities and incentives; and
- Evidence of the site’s intended audience and actual audience composition.
Notice and Consent
“Verifiable parental consent” means any reasonable effort, taking into account the available technology, to ensure that – prior to the Web site collecting any information from a child – a parent has notice of the site’s data collection practices and consents to any collection, use or disclosure of his or her child’s personal information. The FTC has specifically approved obtaining consent by phone or facsimile. Email alone is generally not considered sufficiently “verifiable.”
Recognizing that electronic consent and authentication technology has not yet been widely adopted, the FTC provisionally approved a sliding scale approach for obtaining parental consent. See 16 C.F.R. 312. This mechanism was originally set to expire on April 21, 2002, but the FTC extended it until April 21, 2005. During this period, Web site operators may use an email from a parent, coupled with various additional steps, to obtain parental consent to collect children’s information for internal use only. Web site operators must go beyond using email to obtain parental consent if they plan to share children’s information with third parties.
Effect of Failure to Comply
The rules authorize the FTC to bring enforcement actions and impose civil penalties (including monetary penalties) for violation of COPPA and the implementing rules.
FTC COPPA Compliance Monitoring
In addition to the enforcement actions below, the FTC’s monitoring of COPPA compliance continues. In April 2002, the FTC published a survey of Web site COPPA compliance based on a survey conducted in April of the previous year of 144 Web sites targeting children. The results were mixed. While 90 percent of Web sites posted privacy policies, most of the Web sites surveyed were not in full COPPA compliance. For example, only 52 percent of Web site operators disclosed that they were prohibited from conditioning a child’s participation in an activity on unnecessary disclosure of information. Less than 42 percent disclosed parents’ right to refuse further collection of information by the operator. The survey did not investigate the actual data practices of the canvassed sites. See [1].
COPPA Safe Harbor Program
COPPA includes a provision enabling organizations to submit self-regulatory guidelines to the FTC. If the FTC approves the guidelines, compliance will provide a safe harbor from COPPA enforcement. The FTC has approved applications from the Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc., ESRB Privacy Online, and TRUSTe. See http://www.ftc.gov/privacy/safeharbor/shp.htm.
Selected COPPA Enforcement Actions
(1) U.S. v. Mrs. Fields Famous Brands, Inc., Civ. Action No. 2:03cv205 (D. Ut. 2003). The FTC brought suit against defendant Mrs. Fields for the collection of personal information from over 84,000 children under the age of twelve as part of defendant’s online “birthday clubs.” In collecting this personal information, including first and last names, street addresses, email addresses and dates of birth, Mrs. Fields did not notify or obtain verifiable consent from any parent or guardian prior to collection. Mrs. Fields also failed to provide a means for parents to review or delete the information collected from their children. The FTC and Mrs. Fields entered into a settlement consent decree whereby Mrs. Fields must, among other things, pay $100,000 in civil penalties and comply with rules enacted by the FTC under COPPA.
(2) U.S. v. Hershey Foods Corp., Civ. Action No. 4:03cv350 (M.D. Penn. 2003). In the first instance of the FTC challenging a company’s method of obtaining parental consent, the FTC alleged that while Hershey did attempt to obtain parental consent, Hershey failed to implement a procedure reasonably calculated to ensure that a parent or guardian, as opposed to other persons, filled out consent forms prior to collecting personal information from children. Moreover, the FTC alleged that Hershey proceeded to collect such personal information even where parental consent forms were not submitted. The FTC and defendant Hershey entered into a settlement consent decree whereby Hershey must, among other things, pay $85,000 in civil penalties and comply with rules enacted by the FTC under COPPA.
(3) U.S. v. American Pop Corn Co., Civ. Action No. C024008DEO (N.D. Iowa 2002). The FTC brought suit against American Pop Corn Co. for obtaining information from children on its Web site (i) without providing sufficient notice on what information it collects, (ii) without informing parents as to what information it collects from their children, (iii) without obtaining verifiable consent from parents before collecting children’s information, (iv) without providing reasonable means for parents to review the personal information collected, and (v) with a condition that required children participating in activities offered on their Web site to disclose information more personal than was necessary to participate. American Pop Corn settled for, among other things, a $10,000 fine, deletion of all children’s personal information collected from April 21, 2002, to the date of the decree, and a requirement that the company post a link to the FTC’s COPPA Web site.
(4) United States v. The Ohio Art Co., Civ. Action No. 027203 (N.D. Ohio 2002); File No. 022-3028 (Fed. Trade Comm’n 2001). In its sixth COPPA law enforcement action, the FTC brought suit against The Ohio Art Company, makers of Etch-A-Sketch, for obtaining children’s information without parental consent. The FTC alleged that the company failed to provide notice or obtain consent from parents. The FTC also charged the company with collecting more information than was necessary for children’s participation when it collected the dates of birth of more than 2,500 children so it could randomly select ten Etch-A-Sketch toy birthday present winners. The Ohio Art Company agreed to pay $35,000 as part of the settlement with the FTC.
(5) United States v. Lisa Frank, Inc. (E.D. Va. 2001), File No. 012-3050 (Fed. Trade Comm’n Oct. 1, 2001). The FTC filed suit against Lisa Frank, Inc., alleging that the company violated COPPA because the company Web site failed to secure parental consent before collecting children’s information, failed to provide direct notice to parents of its privacy practices and failed to clearly, completely or understandably disclose its practices in its privacy policy. The complaint alleged the Web site targeted girls under the age of 13 and sought registration information from them including contact information, date of birth, name and favorite color. Under the terms of the Consent Decree, the company was ordered to pay a $30,000 fine, delete all the personal information it had gathered in violation of COPPA, and submit to various COPPA compliance and reporting requirements.
(6) U.S. v. Bigmailbox.com, Inc., Civ. Action No. 01-605-A (E.D. Va. 2001); U.S. v. Looksmart, Civ. Action No. 01-606-A (E.D. Va. 2001); and U.S. v. Monarch Services, Inc., Civ. Action No. AMD 01 CV 1165 (D. Md. 2001). The FTC filed complaints against Bigmailbox, Looksmart and Monarch, alleging collection of personally identifying information from children under 13 without parental consent in violation of COPPA. Specifically, the complaints alleged that the sites collected the children’s personal information for their own internal uses, enabled children to publicly reveal their personal information online without obtaining parental consent and, in the case of Bigmailbox, provided children’s personal information to third parties without parental consent. The cases settled when the defendants consented to an order that required them to delete all personal information collected in violation of COPPA and to post a privacy policy in compliance with COPPA. In addition, each company was required to pay a civil fine of between $30,000 and $35,000.
(7) FTC v. Toysmart.com, Civ. Action No. 00-11341-RGS (D. Mass. 2000). In its first COPPA complaint, the FTC alleged that Toysmart’s collection of personal information from children violated the Act. The case settled in July 2000 when Toysmart consented to an order requiring Toysmart to destroy or delete all information collected in violation of COPPA. See subsection (1)(d)(6), above.
Regulation of Financial Information — Gramm-Leach-Bliley Act
Overview
The Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq. (“GLB”), governs financial information. See also 16 C.F.R. §§ 313.1 et seq. Among its requirements are the following:
(1) Financial institutions – broadly defined to include some non-banking institutions – must insure the confidentiality and security of customer records and information.
(2) Such institutions must disclose to customers their policies and practices for disclosing nonpublic personal information to affiliates and non-affiliates. The disclosure must occur at the time the relationship is established and thereafter on a yearly basis.
(3) Such institutions must notify their customers before disclosing nonpublic personal information to a non-affiliated third party and give the customers an opportunity to opt out.
(4) Financial institutions must also provide appropriate safeguards to protect customers’ personal information. See 16 C.F.R. §§ 314.1 et seq. (“FTC Safeguard Rule”).
GLB Cases
- Trans Union LLC v. Federal Trade Comm’n, Civ. Action No. 00-2834 (D.D.C. 2001), aff’d, Trans Union LLC v. Federal Trade Comm’n, No. 01-5202 (D.C. Cir. 2002). Several credit reporting agencies filed suit against the FTC claiming that the GLB privacy regulations violated the credit reporting agencies’ First Amendment rights. The Court held that the FTC’s rules, which prevent the credit reporting agencies from selling personal information (including names, addresses and Social Security numbers) to third parties without a consumer’s permission, are a “permissible construction” of the GLB. The appellate court further affirmed the trial court’s ruling that a credit reporting agency constitutes a “financial institution” for the purposes of the GLB privacy regulations.
- FTC v. Information Search, Inc., Civ. Action No. AMD 01-1121 (D. Md. 2001); FTC v. Guzzetta, Civ. Action No. 01-2335 (E.D.N.Y. 2002); and FTC v. Garrett, Civ. Action No. H-01-1255 (S.D. Tex. 2001). The FTC brought suit against and successfully secured settlements from three information brokers who allegedly used deceptive practices – called “pretexting” – to obtain consumers’ confidential financial information. Filed in three different U.S. district courts, the suits alleged that the brokers used false pretenses, fraudulent statements, and impersonation to illegally gain access to information such as bank balances. The information was allegedly offered for sale for fees up to $600. The complaints charged the defendants with violations of the GLB and violations constituting unfair and deceptive trade practices and unjust enrichment. Under the settlement agreements, two defendants agreed to pay $2,000 each while the third agreed to a suspended fine of $15,000.
Regulation of Patient Medical Records — Health Insurance Portability and Accountability Act
Overview
On December 20, 2000, then-President Clinton and HHS Secretary Shalala released the first-ever set of national standards to protect the privacy of personal health records. The privacy regulation was modified by the Bush Administration and HHS in August 2002. The final rule is found at 45 C.F.R. Parts 160, 162, and 164. Full compliance by April 14, 2003, was required of all covered entities except small health plans, which have until 2004 to comply. The standards, which implement requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), apply to all individually identifiable health information that is created by health care providers, health plans and health care clearinghouses, whether on paper, in electronic form or orally communicated. Use of health data which does not identify an individual remains unrestricted. The HIPAA privacy rule includes six principles:
(1) Consumer Control. Consumers have the right to see a copy of their medical records, the right to request a correction to those records and the right to notice of a covered entity’s privacy policies.
(2) Accountability. The rule establishes civil monetary penalties of $100 per violation, up to $25,000 per year, for violations of a patient’s right to privacy. It also creates criminal penalties of up to $250,000 in fines and imprisonment for up to ten years for improper disclosure of protected health information, obtaining protected health information under false pretenses and obtaining protected health information with the intent to sell, transfer or use it for commercial or personal gain or malicious harm. The regulations do not provide for a private right of action.
(3) Boundaries. With few exceptions, the consumer’s health care information should be used for health purposes only, including treatment and payment. Covered entities may, but are not required to, obtain written consent from consumers before disclosing health care information for medical purposes. Health plans and health care providers are required to provide patients with written notice of their privacy policies at the time of enrollment and must make a good faith effort to obtain written acknowledgment of receipt of the notice. Written authorization must be obtained for a covered entity to use or disclose personal health information for non-health-care related purposes such as marketing.
(4) Exceptions. Several exceptions to the rule permit disclosure of health care information for particular national priority activities, including law enforcement, public health, and avoiding serious threats to an individual’s health or safety. In addition, incidental disclosures are not considered violations of the regulation, as long as the entity is otherwise in compliance with the regulation’s standards.
(5) Business Associates. Covered entities entering into contracts with “business associates” must ensure that those associates also protect personal health information. All covered entities other than small health plans have until April 14, 2004, to bring existing contracts into compliance.
(6) Preemption. The rule only preempts state laws that are in conflict with the federal standards or provide less strict privacy protections. It does not preempt state laws that are more protective of patient privacy.
HIPAA Cases
(1) In re Drkoop.com Inc., No. LA01-47426-TD (Bankr. S.D. Cal. 2002). Drkoop.com collected private medical information on 1,000,000 of its online customers. Pursuant to its then-current bankruptcy proceedings, Drkoop.com agreed to keep such records confidential even from potential buyers of the company unless its customers consented to release. Eventually, Drkoop.com agreed to destroy all personal, medical and financial information except for the email addresses of its customers. Prior to transferring those email addresses to its eventual buyer, Vitacost.com, Drkoop.com agreed to allow customers to opt out, notice of which was provided via email.
(2) Association of American Physicians and Surgeons, Inc. v. U.S. Department of Health and Human Services, No. H-01-2963 (S.D. Tex. 2002). Based on lack of ripeness, the court declined to rule on a challenge to a rule implemented under HIPAA by the Department of Health and Human Services (“HHS”). Plaintiff AAPS contended that the HHS medical privacy regulations provided unlimited access to patient medical records and thereby violated their privacy rights, exceeded HHS’ authority under HIPAA, and violated the First, Fourth, and Tenth Amendments of the U.S. Constitution. The court stated that AAPS failed to show that the HHS rule was inconsistent with the clear statutory language of HIPAA.
(3) S.C. Med. Ass’n v. Thompson, 327 F.3d 346 (4th Cir. 2003). The South Carolina Medical Association, an organization representing health care providers, filed suit seeking to have several provisions of HIPAA declared unconstitutional. The court rejected those claims, holding that HIPAA appropriately guided agency action rather than impermissibly delegating state legislative power. In addition, the court found that regulations promulgated pursuant to HIPAA were not beyond the scope of authority granted by the Act, and were not impermissibly vague.
Regulation of Customer Proprietary Network Information
Under federal law, telecommunications carriers have a duty to protect the confidentiality of Customer Proprietary Network Information, or CPNI. See 47 U.S.C. § 222, and the FCC implementing rules at 47 C.F.R. §§ 64.2001-2009. The implementing rules contain a variety of provisions mandating record-keeping for marketing campaigns, employee CPNI training, and high level oversight and certification to the FCC of CPNI compliance.
The term “customer proprietary network information” means—
- (A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and
- (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier;
except that such term does not include subscriber list information.
The main thrust of the CPNI rules is a requirement that carriers provide notice to consumers regarding the use of their CPNI and that they obtain prior approval for use and disclosure of CPNI by an opt-out or opt-in method, depending upon the circumstances. The CPNI rules also allow for disclosure “as required by law.” For example, the Stored Communications Act can require disclosure of CPNI to the government.