Privacy

Subscribe to Privacy via RSS

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710),1 has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.

The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger.2 If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data,3 and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Continue Reading Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

In December 2013, the United Kingdom’s Information Commissioner’s Office (ICO) issued “Privacy in Mobile Apps–Guidance for App Developers.”1 According to the ICO, the guidance is not only relevant for apps used on mobile devices such as smartphones and tablets, but also for “other devices using similar app technology, for instance living-room devices such as smart TVs or games consoles.”

The guidance is addressed to organizations developing apps for the UK market, regardless of their location. However, it addresses key EU privacy issues and may be useful for any organization developing apps for individuals located in the European Union (EU). In addition, the ICO guidance should be read together with the opinion on mobile apps issued by the Article 29 Working Party (the body of European data protection regulators) in March 2013, a summary of which we have provided here.2 Listed below are the key takeaways and recommendations from the guidance.
Continue Reading UK Information Commissioner’s Office Issues Guidance for App Development

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal information had been compromised.1 The case and its settlement may have significant implications for businesses that suffer data security incidents requiring notification to affected persons.
Continue Reading Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification

On October 22, 2013, the Federal Trade Commission (FTC) announced a proposed settlement of a case against Aaron’s, Inc., a national rent-to-own retailer with more than 1,800 locations in 48 states, having alleged that Aaron’s knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers.
Continue Reading National Rent-to-Own Company Settles FTC Charges of Enabling Computer Spying by Franchisees

In recent years, data-driven marketing has spread across numerous sectors of the economy. While the industry provides many benefits and conveniences for consumers by lowering the cost of products and services and helping businesses better capture customer preferences, privacy advocates and legislators are pushing for increased government regulation over companies known broadly as “data brokers.”
Continue Reading GAO and Senate Commerce Committee Release Studies Calling for Increased Oversight and Regulation of “Data Broker” Industry

The Federal Trade Commission (FTC) announced on December 5, 2013, that Goldenshores Technologies, LLC and its managing member, Erik M. Geidl, agreed to a proposed settlement over claims that Goldenshores, through its “Brightest Flashlight Free” mobile application, violated Section 5(a) of the FTC Act prohibiting unfair or deceptive acts and practices affecting commerce by failing to disclose that the app transmitted user data, including precise geolocation information and persistent identifiers, to third parties such as advertising networks. Under the settlement, Goldenshores must provide just-in-time disclosures outside of the privacy policy and obtain affirmative express consent from users before collecting, using, or disclosing geolocation information. The settlement agreement (referred to here as “the order”) was subject to public comment through January 6, 2014. The FTC will now decide whether to reach a final settlement with Goldenshores.
Continue Reading FTC Settlement with Flashlight App Requires Extensive Disclosures Outside of the Privacy Policy to Collect and Share Geolocation Information