Federal Trade Commission

Written by Ernie Cooper 

The Federal Communications Commission (“FCC”) has adopted new rules that require companies to obtain prior express written consent from consumers before calling them with prerecorded telemarketing “robocalls.”  For the most part, the new robocall rules adopted by the FCC simply mirror similar rules adopted by the Federal Trade Commission (“FTC”) in 2008, meaning that most companies making prerecorded telemarketing calls will presumably already be in compliance.  However, companies such as banks, telephone companies, and airlines, which are exempt from FTC regulation, will now need to comply with the written consent and related requirements as adopted by the FCC.  FCC rules on calls to wireless phones apply to both voice calls and text messages.

 The new Robocall Rules adopt a requirement already in FTC rules that prerecorded calls must include an automated means to allow called parties to opt out of future telemarketing calls.  The FCC also matched FTC rules on measuring compliance with telemarketing dropped call standards to minimize the number of consumers getting “dead air” calls.

Different from the FTC rules, and therefore a new requirement for all companies engaged in telemarketing, is the FCC requirement that callers obtain prior express written consent from wireless phone users for telemarketing calls made using automatic telephone dialing equipment (i.e., an “autodialer”), even if the calls are not prerecorded.

Informational and other calls that do not involve telemarketing can continue to be made under current rules for consent for calls made to wireless phones and without consent for calls made to residential (“wireline”) phones.  The rules also do not apply to calls made by or on behalf of a tax-exempt nonprofit organization.    As a result, prior written consent is not required for autodialed calls that do not advertise a product or service, including calls by nonprofits or for political purposes.  Also, the new restrictions do not apply to informational calls that may be commercial in nature, such as calls from an airline informing passengers that their flights have been delayed or calls from a bank informing a customer of fraudulent charges to her account.

The Robocall Rules impose some key new requirements.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users” —  Federal Trade Commission Chairman Jon Leibowitz

The Federal Trade Commission (FTC) has announced the long-rumored proposed consent decree with Facebook, settling allegations in a complaint that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices.  The settlement comes ahead of Facebook’s planned IPO this spring and carries no financial penalties.  Importantly for Facebook, the settlement does not force Facebook to revert back to its system prior to December, 2009.  Early Facebook users will remember that in those days, users could keep things and people they “liked” completely private.

Let’s take a look at what the settlement does provide.  It imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information.  Surprisingly, it appears that Facebook did not have such a program.

The settlement also requires that Facebook (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree.


Update:  Post from Daily Online Examiner blog.

If you’re a power Facebook user, you are likely tired of the constant changes to privacy settings.  At last count, the most recent change was the 13th.    This report may make your day.

 The Wall Street Journal reports this afternoon  (registration required) that Facebook is finalizing a proposed settlement with the Federal Trade Commission over charges that FB engaged in “deceptive behavior” when making those changes to its privacy settings.   The article quotes people familiar with the situation:

The proposed settlement – which is awaiting final approval from agency commissioners – would require Facebook to obtain “express affirmative consent” if Facebook makes “material retroactive changes,” some of the people said.

Written by Julie Babayan

The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade has approved a data security bill by a voice vote, moving it to the full Energy and Commerce Committee for consideration.  The Secure and Fortify Electronic Data (“SAFE Data”) Act would establish national rules for securing data containing personal information, as well as requirements for notifying affected individuals in the event of a breach.  The rules would apply to any person engaged in interstate commerce who possesses data containing personal information related to that commercial activity.

Under the legislation, the Federal Trade Commission (“FTC”) would implement and enforce the regulations, and state attorneys general or other state officials would also have enforcement authority to bring civil actions.  The bill would preempt state information security and breach notification laws, but not state consumer protection laws or state trespass, contract, tort, or fraud law.

Chair of the subcommittee, Rep. Mary Bono Mack (R-CA), noted in a press release that the legislation builds on information that the subcommittee examined during recent hearings, which focused on this year’s data breaches at Sony and Epsilon.  The subcommittee also approved an amendment striking the FTC’s authority to use its Administrative Procedure Act rulemaking process to modify the bill’s definition of “personal information,” which the bill defines as an individual’s first name or initial and last name or address or phone number in combination with a social security number; a driver’s license or other similar identification number on a government document; financial account number or credit card or debit card number and any required security code.


Written by Stu Eaton

In a settlement announced by the Federal Trade Commission (“FTC”) on June 27, 2011, Teletrack, Inc. agreed to pay $1.8 million to settle FTC charges that it violated the Fair Credit Reporting Act (“FCRA”) by selling consumer reports to marketers without a “permissible purpose.”  Teletrack sells credit reports and other services to businesses, such as pay day lenders, that use those credit reports to determine whether to offer credit to financially distressed customers. 

According to the FTC’s complaint, Teletrack created a marketing database, which included information on customers that applied for credit with its service, and sold that information to marketers.  The FTC alleged that such applications for credit, and by extension the marketing database that aggregated them, were credit reports under the FCRA because they contained information about consumers’ creditworthiness.  One FTC Commissioner explained that “[t]he fact that a consumer has applied for a payday loan is credit report information protected by the FCRA.”

Under the FCRA, it is illegal for a consumer reporting agency like Teletrack to sell a credit report without a “permissible purpose.”  Teletrack was subject to liability because marketing is not a “permissible purpose.”  Although Teletrack is in the credit reporting business, this settlement should serve as a reminder to all businesses that collect and sell consumer information.  The FCRA’s provisions may apply to any business that regularly “assembles or analyzes” consumer credit information and then provides that information to third parties for a fee.  See 15 U.S.C. 1681(d).  With such a broad definition, many businesses may be engaging in activities regulated by the FCRA and not be aware of it.

Our Friday feature is back!

  •  FTC Imposes Largest Civil Penalty Ever for Violation of Children’s Online Privacy Protection Act (COPPA) – Magic Kingdom Subsidiary Pays Up

The Chairman of the Federal Trade Commission, Jon Leibowitz, said:  “It’s the law, it’s the right thing to do, and, as today’s settlement demonstrates, violating COPPA will not come cheap.”

Amidst allegations that a major online game developer – a subsidiary of Disney Enterprises, Inc. – illegally collected and disclosed personal information from hundreds of thousands of children under age 13, the FTC yesterday released a consent judgment against Playdom, Inc. and one of its executives imposing a $3 million civil penalty – the largest civil penalty ever for violation of COPPA.

According to the FTC complaint, Playdom, Inc., a developer of online multiplayer games, and the company’s Chief Executive Officer, Howard Marks, operated approximately 20 online virtual world websites that enabled users to access online games and other activities.  The FTC alleged that in over 1.2 million instances, defendants collected, used or disclosed the personal information of children in violation of COPPA.  Specifically, the complaint asserted that the defendants (1) collected children’s personal information and enabled children to publicly disclose their personal information through personal profile pages and community forums, which contradicted statements made by the defendants in their privacy policy, (2) used a privacy notice that “did not clearly, completely, or accurately” disclose all of the defendants’ information collection, use and disclosure practices for children, (3) failed to provide parents with a direct notice of their information practices prior to the collection, use and disclosure of children’s personal information, and (4) did not obtain verifiable consent from parents prior to such information processing, as required by the FTC rules implementing COPPA.

More reading:

Mercury News

Bloomberg News

  • Lawrence, Massachusetts Alley Reveals Hundreds of Illegally Dumped Personal Records

When you see a story like this, the reaction is “There oughta be a law!”   In this case, there is.   Despite the Massachusetts law (M.G.L 93H) establishing standards for “proper” disposal of records containing personal information – and setting civil penalties for “improper” disposal —  a public alley in Lawrence, Massachusetts is the resting place for many garbage bags overflowing with sensitive personal information and dumped papers in clear view, including blank checks, Social Security cards, and patient records from a doctor’s office.  According to published and broadcast reports, after discovery of the dumping, many of the bags had been removed from the alley by unknown persons.  Lawrence officials are still investigating – but there has been no comment from the Massachusetts Attorney General’s office (charged with enforcing the Massachusetts statute) on the matter.

  • PIN Pad Tampering Probe at Michaels Craft Stores Expands

Texas-based arts and crafts store Michaels announced that besides Chicago, PIN pads in 19 additional states were tampered with. Michaels released a statement on May 4 stating its Chicago-area customers should monitor their accounts as a result of PIN pad tampering in area stores.

Although Michaels identified fewer than 90 PIN pads that were affected, it removed 7,200 similar PIN pads from stores nationwide as a cautionary measure. It intends to replace the removed PIN pads within 15 days. The company again urged customers to monitor their bank accounts and to inform their financial institutions if they discover unusual activity.

The states affected are Colorado, Delaware, Georgia, Iowa, Illinois, Massachusetts, Maryland, North Carolina,  New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.

More reading – BankInfoSecurity

Written by Stu Eaton

Our ongoing effort to summarize the comments (see post here) filed in response to the FTC’s Privacy Framework continues this week as we focus on the Telecommunications and Media industry.  The bulk of the comments came from the telecommunications industry, including key players such as AT&T, Verizon, the National Cable and Telecommunication Association (“NCTA”) and CTIA- The Wireless Association (“CTIA”).   As a whole, the telecommunications industry’s comments focused on the following four issues:  

  • Continued industry self-regulation based on best practices identified by the FTC; 
  •  Ensuring that any framework is competitively neutral; 
  • Maintaining the distinction between PII and Non-PII; and 
  • Consumer notice and choice (including “Do Not Track”).

 More detail on each topic after the jump.



Written by Stu Eaton

In our continuing effort to summarize the more than 400 comments posted in response to the FTC’s Privacy Framework, we have organized our summaries into the following five industry groups: Retail/Promotion/Advertising; Software/Technology; Telecommunications/Media; Privacy Advocates/Government; and Financial Services/General Business.

This week we reviewed the comments posted by companies and trade groups in the Retail, Promotion and Advertising sector.  Despite a large number of comments covering a broad range of topics, the industry’s comments as a whole focused on the following eight issues of concern:

  • Continued use of self-regulation and education as the primary enforcement vehicle;
  • How online advertising benefits consumers and the economy;
  • Regulation of non-personally identifiable information;
  • Implementation of a “do not track” mechanism;
  • The lack of flexible criteria for determining “commonly accepted” practices that do not require consent;
  • Continued use of “opt-out” as the preferred method of consent;
  • The FTC’s proposal that online marketers allow consumers to access and correct marketing data; and
  • The FTC’s proposal to limit data retention periods.

A detailed discussion of the industry comments on each of these topics follows after the jump.


As we’ve discussed here since December (here, here), the Federal Trade Commission has been in a public comment period for its Privacy Framework.  The comment period closed last Friday, and more than 400 comments were filed by individuals, government agencies (both US and international) and industry groups and representatives.   Over the next few days, we’ll review and summarize the comments received.


Written by Stu Eaton

Massachusetts Attorney General Martha Coakley filed a comment letter with the FTC, on behalf of the Attorneys General of fourteen other states[1] (the “States”).  The States’ comment focused on three of the questions raised in Appendix A of the Privacy Report regarding: (i) whether companies should provide substantive privacy protections in addition to those set forth in the report; (ii) the scope of the definition of sensitive information and sensitive users; and (iii) whether the FTC should explore additional protections in the context of social media services.

The States also argued that any federal laws or regulations protecting consumer privacy should not preempt states from enforcing their own laws and regulations.  As you’ll recall, Massachusetts has one of the toughest sets of data security regulations in the country.

Notably absent from the proceedings was the California Office of Privacy Protection, which said it lacked the resources to prepare a comment but, after being contacted by Mintz Levin, explained that it approved of the FTC’s apparent effort to resurrect the forgotten Fair Information Practice Principles that would provide consumers with meaningful choices and more control over personal information by limiting the collection and use of that information.

Details of the AG’s letter after the jump. 


[1] Attorneys General from the following states were also signatories to the letter: Arizona, Illinois, Indiana, Iowa, Montana, Nevada, New Mexico, New York, North Dakota, Rhode Island, Tennessee, Vermont, Virginia and Washington.

The Federal Trade Commission’s public comment period on its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, has closed.  The FTC received over 300 comments during the extended comment period, including comments from several states.

It is looking more likely that some form of privacy regulation — either at the FTC or Congress — will develop in 2011.   Several bills have been introduced in this Congress and both the FTC and the Commerce Department are working on their proposals.   “Self-regulation,” the mantra of the online advertising industry, may no longer be a viable option, unless industry acts and acts quickly to provide consumers with the level of choice and transparency that the FTC’s Privacy Framework outlines.

In fact, FTC Chairman Jon Leibowitz today recommended exactly that in an interview with Multichannel News, posted here.  “I guess I would say that the business community really has it in its hands to avoid regulation, it just has to step up to the plate,” he said.