Connecticut Business Litigation Blog : Connecticut Business Lawyer & Attorney : N. Kane Bennett : Aeton Law Partners LLP : Hartford, Middletown, Glastonbury

The FTC released its 122 page Privacy Report today.  This Report has been anticipated for some time. The FTC Chairman, Jon Leibowitz, summed up the purpose behind the FTC's involvment in data privacy and security with release of the Report stating:

Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well.

The Report is issued as "A Proposed Framework For Business and Policymakers."  The Report is intended to "inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy."  It is also intended to be a framework for how companies should address privacy. 

The biggest news making aspect of the Report is the endorsement of a Do Not Track system that would permit consumers to limit or control the amount of information given to advertisers that track consumers' online behavior.  This would be similar to the Do Not Call registry. 

For an excellent review of this far reaching Report, and its implications, read this post on the Privacy and Security Law Blog.  For more information on the Do Not Track and online behavior tracking aspects of the Report, here is a post from Electronic Frontier Foundation.  In the days ahead, there will be many more blog posts about the Report.

For now, if you are a company that collects data for online behavior tracking or stores personally identifiable information (PII such as name, address, ss#, date of birth, etc),  this Report should be reviewed albeit with the understanding that it is a proposed framework and will not be a final report until sometime in 2011.  The Report will be subject to much debate and critical comment, but might also serve as a best practices guide post. 

My general take away points from the Report are that the FTC: 

• Endorses a Do Not Track system
• Expects privacy policies to be based on notice and choice for consumers
• Opines that many companies "do not adequately address consumer privacy"
• States privacy policies should reflect the level of sensitivity of the data it seeks to protect
• Wants companies to promote consumer privacy throughout development of its services and products or adopt "privacy by design"
• Wants Companies to make it easier for consumers to understand privacy policies and data collection
• Wants consumers to have more choice on opt in or opt out for data collection

The FTC will take public comment on the Report (click here) until January 31, 2011.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

I have written several posts on risk management and litigation arising out of social networking or media websites such as Facebook, Twitter and LinkedIn. Dan Schwartz's Employment Law Blog includes coverage of a variety of concerns with use of social media and the need for internal policies and procedures.  While Dan's blog covers employment law and this blog covers business litigation, social media ends up a frequent topic on both blogs.  In fact, you can read about social media on legal blogs across the country covering litigation, intellectual property, privacy, defamation, and the first amendment.  

Some say social media is a fad so why the extensive coverage on legal blogs?  The facts is that as the use of social media continues to grow and involve massive numbers of users, so does the risk of litigation and potential for numerous other legal issues.   To see some staggering statistics on social media,  check out the link to this video I came across on Tyson Snow's blog Social Media Esq. The video is by Erik Qualman, the author of socialnomics.  Here is a link to the video on YouTube (social media revolution 2 refresh).

If you want a real world example of social media's growing impact on the legal industry, consider Citigroup (Citi).  Citi posted on its website a job listing for Associate General Counsel.   The Citi job is not for auditing, compliance, or litigation.  Instead, in what may be a new trend, the Citi job is for Associate General Counsel-Social Media Attorney.   Citi is not alone.  Clorox also sought out an attorney to oversee its social media programs. I expect more companies will follow with new stand alone social media attorney positions.

The responsibilities posted for the Citi position give business owners a snap shot of the potential areas for concern. As posted on its website:  

The Citi Social Media Attorney will be responsible for the legal oversight of social media in three spheres:

 

A.        Citi-sponsored media such as company websites, Twitter accounts, and   YouTube;

B.        Social media interaction between Citi and the public/third parties; and,

C.        Employee participation in social media, as site user and/or site administrator.

The specific duties of the Citi Social Media Attorney provide a glimpse of the need for management of a vast array of legal areas.  The duties for the Citi job include:

Advertising, Intellectual property, Information privacy/data security including specifically relevant sections of Lanham Act; Copyright Act as amended by Digital Millennium Copyright Act;  FTC Act and Guides (including recent Endorsements/Testimonials Guidelines); rights of publicity/privacy; promotions law; defamation law; Communications Decency Act.

 

In my view, Citi has smartly recognized that managing social media does not fall into a traditional field of law such as advertising or intellectual property alone, but rather overlaps several areas that can rapidly change.  As such, proper management of social media issues for a large company likely requires a dedicated position.  This could be a sign of a new practice area or niche: the Social Media Attorney. Either way, it certainly confirms that business and employment attorneys need to understand these areas of law to address the risks clients face as the use of social media continues to grow.

• Email This
• Print
• Comments (2)
• Trackbacks
• Share Link

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start ups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content.  The question becomes, just what are the limits for user expectations on privacy?

Take Facebook for example.  Facebook has a reported 400 million users.  Facebook is constantly in the headlines over its privacy policies and security settings related to its user's profile information.  Whether it is a class action lawsuit in California  or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.  

Recently, another lawsuit has been filed over Facebook's "opt out" setting concerning the instant personalization feature.  Wendy Davis on  Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies, Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in Federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook's privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

• Email This
• Print
• Comments
• Trackbacks
• Share Link

That was the question posed in an email newsletter I received today from the International Association of Privacy Professionals.   I am a member of this group out of personal interest and to to stay on top of issues related to privacy laws and technology.   One of the benefits of belonging to this group is that I get email newsletters with summaries of new laws, regulations, and lawsuits dealing with privacy issues from all over the world. 

Today's email posed the question in the title of this post and featured an article from the New York Times by Natasha Singer called "Shoppers Have No Secrets."   The article details the technology of "behavioral tracking" by retail and advertising businesses and how the Federal Trade Commission (FTC) is playing catch up when it comes to regulating this technology.

Online behavioral tracking has been a hot button issue for both businesses and privacy rights groups for a few years.  Natasha's article lists several types of new tracking to include:

• Cameras that can follow you from the minute you enter a store to the moment you hit the checkout counter, recording every T-shirt you touch, every mannequin you ogle, every time you blow your nose or stop to tie your shoelaces.
• Web coupons embedded with bar codes that can identify, and alert retailers to, the search terms you used to find them.
• Mobile marketers that can find you near a store clothing rack, and send ads to your cellphone based on your past preferences and behavior.

The article is a very good summary of the issue and has links to advocacy groups on both sides of the debate.  The article also highlights the differences between European and US based privacy laws. In general, the EU is far more advanced and stringent when it comes to personal data protection. 

In the US, the FTC publishes guidelines and takes enforcement action under its authority to regulate unfair trade.  There are also the states' Attorney Generals and class action and individual lawsuits.  Nevertheless, to answer the question I posed in this post, it is clearly a "NO" in the US.   Data protection laws will not catch up to new technology. At least, not anytime soon.

So, should Connecticut businesses ignore consumer privacy issues?    Not if the business wants to stay ahead of the game and out of litigation over privacy violations.   The FTC and state Attorneys General still have broad enforcement powers to regulate unfair trade.  Also, individual consumers continue to bring lawsuits over these issues.  

For Connecticut businesses, it is a good idea or best practices to implement  a policy related to protection of consumer data, preferences, and personal identifiers.  I have posted some tips about these issues before.  If you are looking for "do it yourself" resources, another good place to start is the FTC guidelines on behavioral tracking or its Guide for Business in protecting personal information. 

Of course, by the time you implement a privacy plan for today's technology, it will be time to start updating it for what tomorrow brings.  Good thing I get an email to remind me.   

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Each state generally has some type of consumer protection or trade protection law that seeks to prohibit and punish unfair conduct and deceptive acts in trade or commerce.   Most states, including Connecticut, model their laws after section 5 of the Federal Trade Commission Act.  Section 5 of the FTC Act prohibits unfair or deceptive acts and unfair competition in the marketplace. 

Connecticut's Unfair Trade Practices Act (commonly referred to as CUTPA by attorneys and judges), is codified at Connecticut General Statutes section 42-110b.  CUTPA states, in relevant part, that:

(a) No person shall engage in unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.

(b) It is the intent of the legislature that . . . the courts of this state shall be guided by interpretations given by the Federal Trade Commission and the federal courts to Section 5 . . . .

(c) The commissioner may . . .establish by regulation acts, practices or methods which shall be deemed to be unfair or deceptive. . . Such regulations shall not be inconsistent with the rules, regulations and decisions of the federal trade commission and the federal courts . . .

(d) It is the intention of the legislature that this chapter be remedial and be so construed.

CUTPA's provisions can be far reaching for businesses and consumers.  For example, under section 42-110g, attorneys who successfully prove a CUTPA violation in Connecticut business litigation may be able to recover attorneys fees, punitive damages, and costs for their clients.  CUTPA's provisions also provide for the ability of attorneys to bring class action lawsuits in Connecticut for unfair or deceptive acts. Additionally, courts can order injunctive relief or other equitable remedies for CUTPA violations.

CUTPA's provisions may be enforced by the various State's Attorneys and the Attorney General, such as the AG's recent lawsuit against Net Health over its loss or exposure of personal identifiers (date of birth, social security number) of Connecticut residents.  Private citizens and businesses may also bring actions for unfair competition or deceptive acts under CUTPA, including class action lawsuits such as the recent case against AT&T over Internet access.

To establish a violation of CUTPA, attorneys in Connecticut have to prove that their clients suffered "any ascertainable loss of money or property, real or personal, as a result of the use or employment of a method, act or practice prohibited by section 42-110g. . ." Generally speaking, this requirement means Connecticut attorneys have to show that their clients sustained damages as a result of an unfair or deceptive act in trade or commerce. 

To determine what constitutes an unfair or deceptive act, Connecticut courts specifically refer back to the Federal Trade Commission and what is commonly referred to as the "cigarette rule."  The cigarette rule defines what type of conduct may qualify as unfair and deceptive justifying an award of compensatory or punitive damages.   This rule dates back to 1964 and comes from legislative policy making by the Federal Trade Commission concerning requirements for warning labels on cigarette packages. 

 The three prongs of the cigarette rule are as follows:

1. whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise-in other words, it is within at least the penumbra of some common law, statutory, or other established concept of unfairness;
2. whether it is immoral, unethical, oppressive, or unscrupulous;
3. whether it causes substantial injury to consumers, [competitors or other business persons]. . . .

All three criteria do not need to be satisfied to support a finding of unfairness. A practice may be unfair because of the degree to which it meets one of the criteria or because to a lesser extent it meets all three.

It is important to note that not every act or conduct that might seem to fit the criteria will be a violation of CUTPA. For example, generally speaking, mere negligent acts or simple breaches of a contract do not constitute unfair or deceptive acts under CUTPA. It is also important to note that some conduct automatically violates CUTPA or is considered a per se violation, such as failure to follow the Home Improvement Act or to register a trade name.

There are many nuances to CUTPA and the above is only a brief summary. Any business or consumer trying to determine whether they were damaged by conduct constituting a violation of CUTPA should contact a business litigation attorney or the Attorney General's office.

• Email This
• Print
• Comments
• Trackbacks
• Share Link