In January 2014, President Barack Obama charged his counselor John Podesta with looking at: (a) how the challenges inherent in big data are being confronted in the public and private sectors; (b) whether the United States can forge international norms on how to manage big data; and (c) how the United States can continue to promote the free flow of information in ways that are consistent with both privacy and security. Two reports were published on May 1, 2014, in response to this charge, one focusing on policy and big data (the “Policy Report”)1 and the other complementing and informing the Policy Report with a focus on technology and big data (the “Technology Report”).2

Both reports acknowledge that there is no one definition of “big data.” However, big data is differentiated from data historically collected about individuals (“small data”3) in two ways: big data’s quantity and variety, as well as the scale of analysis that can be applied to big data. And, while both reports view big data as potentially providing great benefits to the economy, society, and individuals, they also identified its potential to cause significant harm.
Continue Reading President’s Counselor Makes Recommendations on Privacy and Other Values in Big Data Age

Data may well be the asset of the 21st century, but selling access to certain data about individuals may raise the risk of attracting unwanted attention from both regulators1 and class action litigants. As organizations collect more types of data about consumers, they are more likely to have data that may constitute “consumer report” data under the Fair Credit Reporting Act (FCRA).2 Organizations that try to monetize such data by selling access to consumer profiles can easily run afoul of the FCRA.

This article discusses recent Federal Trade Commission (FTC) enforcement actions against two background check companies that allegedly failed to avoid the FCRA trip wires and face a combined $1.5 million in fines.3 The FTC aggressively enforces the FCRA and violations commonly occur due to a failure to create and implement adequate policies and procedures. This article also explains how the U.S. Supreme Court may review the Ninth Circuit’s recent decision to join other federal appellate courts in making FCRA class action lawsuits easier to bring for plaintiffs. Given the appellate courts’ interpretations of the FCRA, plaintiffs likely will increasingly make FCRA claims in an effort to obtain compensation for alleged general privacy violations. Any organization that sells access to data profiles about individuals is advised to determine whether it must comply with the FCRA and, if necessary, implement policies and procedures that meet the FCRA’s requirements.
Continue Reading FTC Continues Its Aggressive FCRA Enforcement and Ninth Circuit Lowers Standing Threshold in FCRA Cases

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710),1 has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.

The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger.2 If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data,3 and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Continue Reading Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

On January 15, 2014, the Federal Trade Commission (FTC) announced that Apple, Inc. had agreed to pay a minimum of $32.5 million in full refunds to consumers to settle allegations that the company was billing customers for purchases that children made from the company’s App Store without parental consent.1 According to the FTC, since at least 2011, thousands of children had unwittingly racked up significant App Store charges without their parents’ knowledge because the company’s billing procedures allowed users to incur unlimited in-app charges for a 15-minute window after downloading new software onto a device.2
Continue Reading Apple Agrees to Refund at Least $32.5 Million to Settle FTC Complaint Alleging That It Charged Kids’ In-App Purchases Without Parental Consent

In December 2013, the United Kingdom’s Information Commissioner’s Office (ICO) issued “Privacy in Mobile Apps–Guidance for App Developers.”1 According to the ICO, the guidance is not only relevant for apps used on mobile devices such as smartphones and tablets, but also for “other devices using similar app technology, for instance living-room devices such as smart TVs or games consoles.”

The guidance is addressed to organizations developing apps for the UK market, regardless of their location. However, it addresses key EU privacy issues and may be useful for any organization developing apps for individuals located in the European Union (EU). In addition, the ICO guidance should be read together with the opinion on mobile apps issued by the Article 29 Working Party (the body of European data protection regulators) in March 2013, a summary of which we have provided here.2 Listed below are the key takeaways and recommendations from the guidance.
Continue Reading UK Information Commissioner’s Office Issues Guidance for App Development

The Federal Trade Commission’s (FTC’s) enforcement actions for claims of compliance with Safe Harbor privacy frameworks by U.S. companies have increased significantly over the past few months. In the first two months of 2014 alone, the FTC announced settlements with 13 U.S. companies over allegations that the companies falsely claimed they held current certifications under the U.S.-EU Safe Harbor Privacy Framework.1 The FTC’s focus has not been limited to the EU framework, as three of the settlements include claims that the companies falsely represented holding current certifications under the U.S.-Swiss Safe Harbor Privacy Framework.
Continue Reading FTC Steps Up Enforcement of Safe Harbor Compliance Claims