This article is the first in a series of articles that will discuss the importance of privacy and data security considerations in the transactional context.

Data privacy and data security continued to capture headlines and boardroom attention in 2014, as the EU “right to be forgotten” ruling, the Sony cyberattack,1 new laws and lawsuits, and investor pressure on executives and boards regarding cybersecurity issues 2 provided continued worries for legal departments, executives, and directors.3 The ongoing coverage of these incidents has caused many legal departments, executive teams, and boards of directors to become more familiar with data privacy and security risks. Many businesses are taking steps to reduce their risk exposure by reviewing and enhancing their privacy and data security programs, ensuring that they maintain appropriate cyber insurance, and working with service providers, vendors, customers, and employees to minimize the likelihood of becoming the next target of a cyberattack or class action litigation.
Continue Reading Privacy and Data Security in Transactions: What’s the Deal?

During the past decade, there has been an explosion in class action litigation under the Telephone Consumer Protection Act (TCPA),1 a well-intended statute meant to address abusive telemarketing practices. As of late, many of these suits are based on calls or text messages to cell phones. The TCPA prohibits non-emergency calls (interpreted by the FCC to include text messages) to a cell phone made using an “automatic telephone dialing system” without the prior express consent of the called party.2 A perceived ambiguity in what type of equipment qualifies as an “automatic telephone dialing system” has fueled these litigation fires and has led to hundreds of cases being filed against companies that do not use telemarketing equipment but communicate with their users or facilitate their users’ communications via text message. An end to the litigation explosion in this area may be just around the corner as federal appellate courts consider the issue.
Continue Reading Appellate Courts to Address What Constitutes an “Automatic Telephone Dialing System” Under the TCPA

On July 28, 2014, the Federal Trade Commission (FTC) issued a staff report on “mobile cramming”—the unlawful practice of placing unauthorized third-party charges on mobile phone accounts. The report recommended five best practices primarily directed to mobile carriers but at times also directed to merchants and billing intermediaries. This report follows a number of FTC enforcement actions to combat mobile cramming, as well as a May 2013 mobile cramming roundtable convened by the FTC and attended by industry participants, consumer advocates, and regulators. Following the roundtable, the four largest mobile carriers said that they would discontinue most “Premium SMS” billing, in which a consumer purportedly authorizes a third-party charge by texting a five or six-digit number. Nonetheless, the report emphasized that the consumer protection principles embodied in its recommendations apply to any form of carrier billing (i.e., charging a good or service directly to a mobile phone account), including direct carrier billing.
Continue Reading FTC Issues Carrier Billing Recommendations to Protect Consumers Against Mobile Cramming

Federal regulators released guidance in the first half of 2014 that should provide comfort to businesses that are considering sharing information relating to cybersecurity risks with other companies and the government. Although these advisory opinions are nonbinding and do not carry the force of law, they provide strong indications of the priorities of the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) with respect to facilitating the ability of businesses to engage in cybersecurity risk mitigation. Notably, under the recent guidance, the federal regulators suggest that antitrust and electronic communications privacy concerns, which may have previously made businesses hesitant to share certain information relating to cybersecurity risks, should not preclude business-to-business or business-to-government information sharing that is tailored to mitigate these risks.
Continue Reading Federal Agencies Reduce Barriers to Cyber Threat Information Sharing

In August 2014, the Federal Trade Commission (FTC) published a staff report that evaluates the consumer disclosures made by a number of popular mobile shopping applications and makes recommendations to the providers and users of those apps.1 The FTC staff did not address or find any fault with app platforms, like Google Play or Apple’s App Store, with respect to the consumer disclosures of those apps. This report follows the FTC staff’s March 2013 mobile payment report that recommended mobile payment providers convey clear policies regarding fraudulent and unauthorized charges, encouraged all stakeholders to raise consumer awareness about mobile payment security, and stressed the applicability of its general privacy recommendations to companies in the mobile payment marketplace.2
Continue Reading FTC Recommends Improved Transparency and Security in Mobile Shopping Apps

In keeping with its position as the nation’s leader on privacy issues, the state of California recently enacted significant new laws on student privacy and education data. The Student Online Personal Information Protection Act (SOPIPA) sets forth a variety of restrictions on how operators of online services offered in schools can use and disclose student information, and requires operators to implement reasonable security measures to protect student data. A separate law (A.B. 1584) sets forth privacy requirements for providers of digital storage services and educational software used in schools. A final law (A.B. 1442) establishes privacy requirements for companies that collect students’ social media information on behalf of schools. The laws were signed by Governor Jerry Brown on September 29, 2014.
Continue Reading California Enacts Landmark Student Privacy Laws