On July 28, 2014, the Federal Trade Commission (FTC) issued a staff report on “mobile cramming”—the unlawful practice of placing unauthorized third-party charges on mobile phone accounts. The report recommended five best practices primarily directed to mobile carriers but at times also directed to merchants and billing intermediaries. This report follows a number of FTC enforcement actions to combat mobile cramming, as well as a May 2013 mobile cramming roundtable convened by the FTC and attended by industry participants, consumer advocates, and regulators. Following the roundtable, the four largest mobile carriers said that they would discontinue most “Premium SMS” billing, in which a consumer purportedly authorizes a third-party charge by texting a five or six-digit number. Nonetheless, the report emphasized that the consumer protection principles embodied in its recommendations apply to any form of carrier billing (i.e., charging a good or service directly to a mobile phone account), including direct carrier billing.
The Wyndham Rulings and the FTC’s Leadership on Data Security Enforcement
Despite reaching settlements with more than 50 organizations on data security issues since the late 1990s, no organization seriously challenged the Federal Trade Commission’s (FTC’s) authority to bring such cases until FTC v. Wyndham Worldwide Corp. made headlines in 2012. The case brought rampant speculation from the privacy and data security community on the likely outcome and potential impact on a number of issues, ranging from the FTC’s enforcement authority to national and state data security laws. Recent rulings rejecting Wyndham’s motions to dismiss may not break new ground for the FTC, but the commission’s ability to overcome the first challenges to its data security enforcement authority is significant and continues the agency’s trajectory as the country’s leading data security enforcer.
FCC Clarifies That Consent May Be Provided by Intermediary for Informational Text Messages
On March 27, 2014, the Federal Communications Commission (FCC) addressed an outstanding petition seeking guidance for compliance with the “prior express consent” requirement of the Telephone Consumer Protection Act (TCPA) for informational text messages. In a declaratory ruling, the FCC provided clarification of this requirement, and specifically addressed whether an intermediary may provide such consent. The FCC agreed with group texting service GroupMe, Inc. that, consistent with the TCPA, intermediaries may convey consent provided by others to receive informational text messages. However, the FCC made clear that companies ultimately remain liable where intermediaries fail to obtain the required consent. The ruling demonstrates a current trend at the FCC to allow businesses communicating with consumers by text message some flexibility while navigating the TCPA’s increasingly complex requirements.
EU Data Protection Regulators Issue Several Opinions on Key EU Data Protection Issues
The body of European data protection regulators known as the Article 29 Working Party (WP29) has been exceptionally prolific lately. In April 2014, WP29 adopted no fewer than five opinions and issued a number of other statements and letters on various topics. While not directly binding, WP29’s publications offer insight into the regulators’ views, which are generally a good indication of how the regulators will seek to apply the law.
In this article, we provide an overview of the most important documents issued. We discuss Opinion 5/2014 on anonymization, Opinion 6/2014 on legitimate interests as a basis for processing, the letter to Commissioner Viviane Reding on data transfers from the EU to the U.S., and the letter to the Council of the EU on the one-stop-shop mechanism.
FTC Continues Its Aggressive FCRA Enforcement and Ninth Circuit Lowers Standing Threshold in FCRA Cases
Data may well be the asset of the 21st century, but selling access to certain data about individuals may raise the risk of attracting unwanted attention from both regulators and class action litigants. As organizations collect more types of data about consumers, they are more likely to have data that may constitute “consumer report” data under the Fair Credit Reporting Act (FCRA). Organizations that try to monetize such data by selling access to consumer profiles can easily run afoul of the FCRA.
This article discusses recent Federal Trade Commission (FTC) enforcement actions against two background check companies that allegedly failed to avoid the FCRA trip wires and face a combined $1.5 million in fines. The FTC aggressively enforces the FCRA and violations commonly occur due to a failure to create and implement adequate policies and procedures. This article also explains how the U.S. Supreme Court may review the Ninth Circuit’s recent decision to join other federal appellate courts in making FCRA class action lawsuits easier to bring for plaintiffs. Given the appellate courts’ interpretations of the FCRA, plaintiffs likely will increasingly make FCRA claims in an effort to obtain compensation for alleged general privacy violations. Any organization that sells access to data profiles about individuals is advised to determine whether it must comply with the FCRA and, if necessary, implement policies and procedures that meet the FCRA’s requirements.
Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses
A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710), has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.
The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger. If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data, and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.