In early May, Theodore Moss, the CEO of online background-check provider Crimcheck.com, received a letter from the Federal Trade Commission (FTC) notifying him that “recent test-shopping contacts” had indicated that his company was possibly selling consumer information unlawfully. Crimcheck.com provides background-check services to businesses conducting employment screenings for potential job candidates. Such companies, often referred to as “data brokers,” collect and compile information on individual consumers, drawing from public sources such as court databases and consumer credit records to piece together profiles of individuals’ financial, retail, recreational, and criminal behaviors. But it is precisely that assembling of detailed information on individuals—even information compiled from public sources—that can trigger provisions of the Fair Credit Reporting Act, prompting the FTC to take a closer look at how these companies collect and use consumer information.
Continue Reading Policing Privacy: Undercover FTC Staff “Test-Shop” Data Brokers to Identify FCRA Violators

Telecommunications carriers must take precautions to protect call and location data stored on customers’ devices, according to the Federal Communications Commission (FCC). As discussed in a prior WSGR Eye on Privacy article, the FCC reacted to the carriers’ use of Carrier IQ to collect customers’ call information, despite its data security vulnerabilities. The FCC sought public comment on whether this type of data collection should fall within the agency’s authority under the Communications Act of 1934, as amended. After reviewing public comments, the FCC issued a Declaratory Ruling concluding that carriers must provide safeguards for certain types of data that carriers cause to be stored on their customers’ devices directly or through their agents. This security requirement applies to data transferred to carriers’ systems as well as data stored on the consumers’ devices.
Continue Reading FCC Actions Clarify That Mobile Data Security Rules Apply to Data on Devices

Congress enacted the Telephone Consumer Protection Act (TCPA) on December 20, 1991, to address certain telephone and facsimile marketing practices that Congress found to be an invasion of consumer privacy. In general, and among other things, the TCPA prohibits unsolicited fax advertisements and automated or prerecorded calls (interpreted to include text messages) to cellular telephones or other devices for which the consumer would bear the cost of the call. Congress vested the Federal Communications Commission (FCC) with authority to issue regulations implementing the TCPA. Pursuant to that authority, the FCC has issued a series of detailed and complex rules and regulations interpreting and implementing the statute’s requirements.
Continue Reading TCPA Update: Recent Decisions and Significant Upcoming Change to TCPA Rules

New Self-Regulatory Guidance Joins Other Privacy and Transparency-Related Considerations for Participants in the Mobile Ecosystem

On July 24, 2013, the Digital Advertising Alliance (DAA), comprised of the largest media and marketing trade associations in the U.S., released new guidance regarding mobile and other devices (Mobile Guidance). The Mobile Guidance explains how the DAA’s existing Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles) and Self-Regulatory Principles for Multi-Site Data (MSD Principles) (together, the DAA Principles) apply to companies operating in the mobile ecosystem. It sets forth specific requirements for the collection and use of precise location information, as well as two new categories of data: “cross-app data” and “personal directory data.”
Continue Reading Digital Advertising Alliance Releases Guidance on the Application of Its Self-Regulatory Principles to the Mobile Environment

A recently issued government rule may create significant liability and legal risk for many technology enterprises without their realizing it. The expanded definition of “business associates” and related interpretations by the Department of Health and Human Services (HHS) suggest that many companies should revisit how they provide services and ask whether they are providing their services to health care providers, health plans, or health care clearinghouses (collectively, “covered entities”). HHS seeks to implement the mandates of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) by modifying its regulatory scheme (the “HIPAA Rules”) that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Two of the most important changes involve “business associates,” defined as entities that perform functions or activities on behalf of covered entities or other business associates that involve the use or disclosure of protected health information (PHI). Among many other changes, the omnibus rule:

  1. expanded the definition of “business associate” and
  2. placed the obligation of HIPAA compliance directly on business associates.

Continue Reading Cloud Storage Providers Storing Protected Health Information May Be Obligated to Comply with HIPAA Regulations

Mobile and social media marketing are on the rise. With that in mind, the Federal Trade Commission issued new guidance for advertisers on how to make effective mobile and other online disclosures. Entitled “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,” the guidance provides an update to the FTC’s 2000 publication on the same topic. The revised guidance is intended to address the expanding use of smart phones and social media marketing, where small screens and character limitations pose challenges for companies making advertising claims. Although the guidance itself is not law, the FTC cautions that these disclosures are required by the laws it enforces.
Continue Reading FTC Issues New Guidance for Disclosures in Online Advertising