On October 22, 2013, the Federal Trade Commission (FTC) announced a proposed settlement of a case against Aaron’s, Inc., a national rent-to-own retailer with more than 1,800 locations in 48 states, having alleged that Aaron’s knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers.
Continue Reading National Rent-to-Own Company Settles FTC Charges of Enabling Computer Spying by Franchisees

In recent years, data-driven marketing has spread across numerous sectors of the economy. While the industry provides many benefits and conveniences for consumers by lowering the cost of products and services and helping businesses better capture customer preferences, privacy advocates and legislators are pushing for increased government regulation over companies known broadly as “data brokers.”
Continue Reading GAO and Senate Commerce Committee Release Studies Calling for Increased Oversight and Regulation of “Data Broker” Industry

The Federal Trade Commission (FTC) announced on December 5, 2013, that Goldenshores Technologies, LLC and its managing member, Erik M. Geidl, agreed to a proposed settlement over claims that Goldenshores, through its “Brightest Flashlight Free” mobile application, violated Section 5(a) of the FTC Act prohibiting unfair or deceptive acts and practices affecting commerce by failing to disclose that the app transmitted user data, including precise geolocation information and persistent identifiers, to third parties such as advertising networks. Under the settlement, Goldenshores must provide just-in-time disclosures outside of the privacy policy and obtain affirmative express consent from users before collecting, using, or disclosing geolocation information. The settlement agreement (referred to here as “the order”) was subject to public comment through January 6, 2014. The FTC will now decide whether to reach a final settlement with Goldenshores.
Continue Reading FTC Settlement with Flashlight App Requires Extensive Disclosures Outside of the Privacy Policy to Collect and Share Geolocation Information

California Governor Jerry Brown recently signed into law A.B. 370, which amends the California Online Privacy Protection Act (CalOPPA) to require certain operators of websites and other online services to disclose how they respond when a visitor’s web browser sends a “Do Not Track” signal. The bill also requires operators to disclose the data collection practices of certain third parties operating on the website or online service. Because this law affects every person or company that operates a website or online service that collects personally identifiable information from California consumers, it impacts companies beyond California’s borders. The law takes effect on January 1, 2014.
Continue Reading California Amends CalOPPA to Require Do-Not-Track Disclosures

A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior management. The organization’s attorneys may review the incident from a legal risk perspective and engage experienced outside counsel and forensics firms to better assess how the organization should respond to the incident in light of its legal and contractual obligations. The communications and customer service teams may need to respond to customer inquiries about system performance and strange system behavior, while IT personnel are following emergency protocols to attempt to strengthen system security and investigate the incident. In addition, the communications team may be involved in any required data breach notifications. Finally, senior management will need to analyze technical details and legal advice to make organizational decisions that may significantly affect the organization’s customers, reputation, and bottom line.
Continue Reading Breach Notification: Timing Is Everything

A trial court in the Seventh Circuit recently dismissed a data breach class action case against Barnes & Noble (B&N) due to the plaintiffs’ failure to allege actual or imminent injuries. This is one of the first data breach cases following the U.S. Supreme Court’s recent decision about pleading actual damages in Clapper v. Amnesty Int’l USA. The trial court relied on Clapper to dismiss the case rather than follow Seventh Circuit precedent, which may have allowed the case to continue. Clapper appears to provide defendants with a strong defense in data breach cases.
Continue Reading Barnes & Noble Dodges Suit over PIN Pad Data Breach