The European data protection regulators, the Article 29 Working Party (WP29), recently issued two guidance papers which clarify the data protection legal framework applicable to the Internet of Things (IoT) and to the use of device fingerprinting. Both opinions underline WP29’s current focus on data-driven innovations. This article highlights the key takeaways from these two opinions.
Continue Reading EU Data Protection Regulators Issue Guidance on the Internet of Things and Device Fingerprinting

Prompted by data breaches affecting large retailers in the United States, the California legislature recently passed Assembly Bill 1710 (A.B. 1710) to update the state’s breach notification law to require breached entities to provide free credit monitoring services to affected individuals following certain types of data breaches. This change, effective January 1, 2015, was recommended by the California Attorney General’s Office in its 2013 Data Breach Report. The Attorney General’s Office recently published its 2014 Data Breach Report, and its recommendations provide insight into the office’s enforcement priorities. The recommendations may also find their way into California law.
Continue Reading California Amends Data Breach Notification Law and State Attorney General’s Data Breach Report May Lead to More Changes

This article is the first in a series of articles that will discuss the importance of privacy and data security considerations in the transactional context.

Data privacy and data security continued to capture headlines and boardroom attention in 2014, as the EU “right to be forgotten” ruling, the Sony cyberattack, new laws and lawsuits, and investor pressure on executives and boards regarding cybersecurity issues provided continued worries for legal departments, executives, and directors. The ongoing coverage of these incidents has caused many legal departments, executive teams, and boards of directors to become more familiar with data privacy and security risks. Many businesses are taking steps to reduce their risk exposure by reviewing and enhancing their privacy and data security programs, ensuring that they maintain appropriate cyber insurance, and working with service providers, vendors, customers, and employees to minimize the likelihood of becoming the next target of a cyberattack or class action litigation.
Continue Reading Privacy and Data Security in Transactions: What’s the Deal?

During the past decade, there has been an explosion in class action litigation under the Telephone Consumer Protection Act (TCPA), a well-intended statute meant to address abusive telemarketing practices. As of late, many of these suits are based on calls or text messages to cell phones. The TCPA prohibits non-emergency calls (interpreted by the FCC to include text messages) to a cell phone made using an “automatic telephone dialing system” without the prior express consent of the called party. A perceived ambiguity in what type of equipment qualifies as an “automatic telephone dialing system” has fueled these litigation fires and has led to hundreds of cases being filed against companies that do not use telemarketing equipment but communicate with their users or facilitate their users’ communications via text message. An end to the litigation explosion in this area may be just around the corner as federal appellate courts consider the issue.
Continue Reading Appellate Courts to Address What Constitutes an “Automatic Telephone Dialing System” Under the TCPA

On July 28, 2014, the Federal Trade Commission (FTC) issued a staff report on “mobile cramming”—the unlawful practice of placing unauthorized third-party charges on mobile phone accounts. The report recommended five best practices primarily directed to mobile carriers but at times also directed to merchants and billing intermediaries. This report follows a number of FTC enforcement actions to combat mobile cramming, as well as a May 2013 mobile cramming roundtable convened by the FTC and attended by industry participants, consumer advocates, and regulators. Following the roundtable, the four largest mobile carriers said that they would discontinue most “Premium SMS” billing, in which a consumer purportedly authorizes a third-party charge by texting a five- or six-digit number. Nonetheless, the report emphasized that the consumer protection principles embodied in its recommendations apply to any form of carrier billing (i.e., charging a good or service directly to a mobile phone account), including direct carrier billing.
Continue Reading FTC Issues Carrier Billing Recommendations to Protect Consumers Against Mobile Cramming

Federal regulators released guidance in the first half of 2014 that should provide comfort to businesses that are considering sharing information relating to cybersecurity risks with other companies and the government. Although these advisory opinions are nonbinding and do not carry the force of law, they provide strong indications of the priorities of the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) with respect to facilitating the ability of businesses to engage in cybersecurity risk mitigation. Notably, under the recent guidance, the federal regulators suggest that antitrust and electronic communications privacy concerns, which may have previously made businesses hesitant to share certain information relating to cybersecurity risks, should not preclude business-to-business or business-to-government information sharing that is tailored to mitigate these risks.
Continue Reading Federal Agencies Reduce Barriers to Cyber Threat Information Sharing