New Self-Regulatory Guidance Joins Other Privacy and Transparency-Related Considerations for Participants in the Mobile Ecosystem

On July 24, 2013, the Digital Advertising Alliance (DAA), comprised of the largest media and marketing trade associations in the U.S., released new guidance regarding mobile and other devices (Mobile Guidance).1 The Mobile Guidance explains how the DAA’s existing Self-Regulatory Principles for Online Behavioral Advertising (OBA Principles)2 and Self-Regulatory Principles for Multi-Site Data (MSD Principles)3 (together, the DAA Principles) apply to companies operating in the mobile ecosystem. It sets forth specific requirements for the collection and use of precise location information, as well as two new categories of data: “cross-app data” and “personal directory data.”
Continue Reading Digital Advertising Alliance Releases Guidance on the Application of Its Self-Regulatory Principles to the Mobile Environment

At a May 9, 2013, hearing, the California Superior Court dismissed the lawsuit that California Attorney General Kamala Harris filed against Delta Air Lines in December 2012.1 As reported in the January 2013 issue of Eye on Privacy,2 the state’s lawsuit alleged that the company’s “Fly Delta” mobile application (app) violated the California Online Privacy Protection Act (CalOPPA) by failing to provide required privacy disclosures.3 The AG sought enforcement of CalOPPA through California’s Unfair Competition Law (California UCL).4 According to the AG, Delta violated CalOPPA by “fail[ing] to conspicuously post a privacy policy in its Fly Delta app” despite the AG’s earlier written notice of non-compliance, and because the Fly Delta app failed to comply with the privacy policy posted on Delta’s website.5 The court dismissed the action based on its conclusion that the state law claim was preempted by the federal Airline Deregulation Act of 1978 (ADA).6
Continue Reading Delta Wins Dismissal of California AG Mobile App Privacy Action

One of the most common and effective defenses raised by privacy class action defendants has been lack of standing. Federal courts have jurisdiction over cases only when the plaintiff has standing to sue. Therefore, courts will dismiss a case when the plaintiff does not meet the requirements for standing. For standing to exist, the plaintiffs’ injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”1 In other words, the plaintiff must have suffered some actual harm, or face an imminent risk of suffering a concrete injury. Frequently, class action plaintiffs have been unable to establish standing based on alleged injuries from the unauthorized exposure of personal information. The recent U.S. Supreme Court case of Clapper v. Amnesty International USA2 may have strengthened the standing shield for defendants even more.
Continue Reading Clapper v. Amnesty International USA: The U.S. Supreme Court Strengthens Defendants’ Shield Against Privacy Class Actions

A recently issued government rule may create significant liability and legal risk for many technology enterprises that do not realize it applies to them. The expanded definition of “business associates” and related interpretations by the Department of Health and Human Services (HHS) suggest that many companies should revisit how they provide services and ask whether they are providing their services to health care providers, health plans, or health care clearinghouses (collectively, “covered entities”). HHS seeks to implement the mandates of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) by modifying its regulatory scheme (the “HIPAA Rules”) that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 Two of the most important changes involve “business associates,” defined as entities that perform functions or activities on behalf of covered entities or other business associates that involve the use or disclosure of protected health information (PHI). Among many other changes, the omnibus rule:

  1. expanded the definition of “business associate” and
  2. placed the obligation of HIPAA compliance directly on business associates.

Continue Reading Cloud Storage Providers Storing Protected Health Information May Be Obligated to Comply with HIPAA Regulations

On April 2, 2013, the European data protection regulators (the “Article 29 Working Party” or the “WP29”) issued a 70-page opinion providing guidance on how to comply with the core EU data protection principle of “purpose limitation.”1 This opinion gives a good indication of how EU regulators would apply their national data protection law to specific processing activities such as email marketing, behavioral advertising, profiling, and tracking of user behavior and big data. It is relevant for companies of all sizes, including non-EU-based companies, offering online services to users in the EU, since the EU regulators tend to take a broad approach regarding the applicability of EU data protection law.2 This article addresses certain aspects of the opinion.3
Continue Reading European Regulators Opine on “Purpose Limitation” Principle – What Constitutes “Compatible Use” in the Context of Big Data?

Mobile and social media marketing are on the rise.1 With that in mind, the Federal Trade Commission issued new guidance for advertisers on how to make effective mobile and other online disclosures. Entitled “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,”2 the guidance updates the FTC’s 2000 publication on the same topic. The revised guidance is intended to address the expanding use of smartphones and social media marketing, where small screens and character limitations pose challenges for companies making advertising claims.3 Although the guidance itself is not law, the FTC cautions that these disclosures are required by the laws it enforces.
Continue Reading FTC Issues New Guidance for Disclosures in Online Advertising