Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data, including highly sensitive information, to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk.  It is mission-critical to the successful development (and future viability) of a health app to consider the privacy issues up front (otherwise known as “privacy by design”), because it is cheaper to build privacy in than it is to remediate later.

(Note:  This was originally posted as part 6 of a 7-part series on Building a Health App? on our sister blog, Health Law & Policy Matters.)


On Friday, the heads of the Federal Trade Commission overruled the decision of the Administrative Law Judge (“ALJ”) in In the Matter of LabMD, Inc. The FTC concluded that the ALJ had erred in dismissing the Commission’s case against the lab testing company LabMD and had misapplied the unfairness standard.  The key determination by the FTC was that the mere disclosure of sensitive medical information is cognizable harm under Section 5(c) of the FTC Act, 15 U.S.C. § 45(a), irrespective of whether there is further economic or physical harm.  What does this mean for privacy enforcement?  Read on.

Questions of Authority – Who Will Be the Federal Regulatory Cop on the Privacy Beat? FTC? FCC? Privacy and Data Security Jurisdiction Questions Come to the Forefront in 2015

Written by Christopher Harvie

As privacy and data security gain more visibility among policy-makers, questions of federal agency authority and jurisdiction are also gaining a higher profile.

Since 2002, the Federal Trade Commission (FTC) has brought 50 enforcement actions under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices,” against companies alleged to have put consumers’ personal data at unreasonable risk. Earlier this year, in response to a court challenge brought by Wyndham Hotels, a federal court in New Jersey upheld the FTC’s authority under Section 5 to bring enforcement actions to remedy unreasonable data security practices that lead to data breaches that cause consumer harm.  The court ruled that Congress need not explicitly grant the FTC authority to bring Section 5 actions against companies that cause consumer harm through inadequate data security practices, and that the FTC does not need to adopt prior data security regulations detailing permissible and impermissible data security practices.  Instead, the court determined that the FTC complaint against Wyndham adequately pleaded “substantial injury to consumers” caused by data breaches linked to Wyndham’s “failure to implement reasonable and appropriate security measures” – including the failure to require use of complex passwords, to erect adequate firewalls to prevent access by third parties and insecure devices to enterprise servers, to utilize up-to-date operating systems that could receive security patches and upgrades, or to adequately inventory its computers in order to readily locate compromised devices.  Issued in response to a Wyndham motion to dismiss for lack of jurisdiction, the court’s decision does not constitute a ruling on the merits of the FTC complaint.  The jurisdictional issue is the subject of an interlocutory appeal to the Third Circuit, which remains pending while the parties engage in court-ordered mediation. Read our posts here and here for more information on the Wyndham case.

This afternoon, the Federal Trade Commission (FTC) unanimously rejected requests from industry organizations to delay the July 1 date for compliance with the amendments to the Children’s Online Privacy Protection Act (COPPA).    In its response letter, the Commission noted that the updated rule has been in the works for three years and the July compliance date was announced last December, giving industry enough time to prepare.

According to the letter,

The Commission appreciates that some of your members will need to make changes to their business practices in order to comply with the amended Rule. At the same time, we note that all stakeholders have had sufficient opportunity to raise issues and articulate their concerns, the [statement of basis and purpose] provides sufficient guidance regarding the obligations the amended Rule will impose on COPPA-covered entities, and the more than six-month time period between issuance of the amended Rule and its effective date is adequate. Moreover, petitioners have not raised any concrete facts to demonstrate that a delay is necessary. In light of these factors, combined with the Congressional mandate to protect the privacy of children under the age of 13 and the Commission’s commitment to “[e]nsure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a safer, more secure online experience for them,” the Commission finds no basis for delaying the effective date of the amended Rule.


During the six-month period the Commission noted, FTC staff have conducted numerous meetings and consultations with organizations and individual businesses on how to ensure compliance with the new rule.  The FTC also recently issued an updated set of FAQs for businesses and parents.


UPDATE: The Federal Trade Commission has published its promised COPPA FAQs here.

Volley #1 Trade Associations to FTC:  Please Delay!

The long-awaited amendments to the Children’s Online Privacy Protection Act (COPPA) have been the subject of much discussion and debate.  Last week, Federal Trade Commission (FTC) Chairwoman Edith Ramirez received letters from 19 trade organizations, including the Interactive Advertising Bureau, the Application Developers Alliance, the Toy Industry Association, and the Direct Marketing Association, urging the FTC to consider a six (6) month extension of the effective date for the amendments to the Children’s Online Privacy Protection (COPPA) Rule (the “Amendments”), pushing out the effective date from July 1, 2013 to January 1, 2014.

The common concern voiced by these trade organizations in their letters to the FTC is the inability of their members to comply with the Amendments by July 1, since they claim that the Amendments significantly expand the scope of COPPA and the obligations of the covered entities. The Toy Industry Association described compliance with the Amendments by July 1 as a potentially “monumental task.” The Direct Marketing Association noted in its letter to the FTC that the “final amendments released in December 2012 contained several unanticipated material changes from previous versions” that “significantly impact the long standing business model that [companies subject to COPPA] have relied upon in planning the capabilities of their products and services since COPPA’s inception.” The Application Developers Alliance stated in its letter that “the changes create significant new obligations for app developers and their partners that are still not well understood.” The request for extending the effective date to January 1, 2014 is based on the argument that a longer timeline for implementation will give the industry more time to understand the effect of the Amendments, to implement and quality-check the changes necessary to comply (both internally and with respect to third party relationships), and overall to assure widespread compliance with the Amendments.

Volley #2 — Consumer Advocacy Groups:  Don’t Delay!

This week, several consumer privacy and children’s advocacy groups – including the Center for Digital Democracy, Common Sense Media, Consumer Watchdog, and the Electronic Privacy Information Center (collectively, “Advocacy Groups”) – wrote to Commissioner Ramirez to oppose the compliance delay requested by the trade associations. Noting that the FTC process of amending COPPA began in 2011 and included industry participation and input (with the Amendments being issued in December 2012), and that industry has had sufficient time to adjust its business practices and make the necessary changes for compliance, the Advocacy Groups characterized the compliance delay as unwarranted and harmful to children. The Advocacy Groups urged the FTC to remain firm on the July 1 enforcement date, as a delay would “undermine the goals of both Congress and the FTC.”

No word from the FTC yet on any of these requests; however, the Commission is expected to release further guidance on compliance with the Amendments in the form of FAQs.

Written by Amy Malone

There is much going on at the Federal Trade Commission (FTC)  these days, particularly in the privacy arena.  In addition to the settlements discussed below, today the White House confirmed that President Obama will nominate Edith Ramirez as Chair of the FTC, replacing outgoing Chairman Jon Leibowitz.

Path Settlement:

Path, a social networking app, agreed to settle charges that it violated children’s privacy and deceived users by collecting personal information from their mobile address books.

The FTC complaint charged Path with three counts of violating the FTC Act.  The first and second counts stem from the “Add Friends” feature provided on the app.  This feature gives users the option to add friends from their mobile address book, Facebook account or to invite them by e-mail.  In reality, if the information was available, the app always collected and stored personal information from the user’s mobile contact list, including name, address, telephone number, e-mail address and date of birth, regardless of what option the user chose.

The Path privacy policy said the only information collected without the user’s consent was IP address, operating system, browser type, address of referring site, and site activity information.  The two counts alleged that the practice of collecting personal information from the address book was deceptive because the practice was contrary to the representations that Path made in the privacy policy, and because it did not give users a meaningful choice regarding the collection of their personal information.

The third count addressed children’s privacy and Path’s violation of COPPA.  When users registered for the site, they were required to provide an email address, first name and last name, and optionally could provide gender, date of birth and phone number.  If the user told Path that they were under 13, Path did not contact parents and obtain consent prior to collecting personal information, as required by COPPA.  Approximately 3,000 children identified as being under 13 and were using the app, which allowed them to keep and share a personal journal and pictures with up to 150 friends.

Path explained on its blog that prior to the FTC charges they had updated their systems to automatically reject users under 13 and had suspended under age accounts that had been created.

In the settlement, Path agreed to pay an $800,000 fine and to undergo biennial privacy assessments for 20 years.  In addition, they agreed to “clearly and prominently disclose…the categories of information from the user’s mobile device that will be accessed and/or collected” and to establish and maintain a comprehensive privacy program.

HTC America

More recently, HTC America, a Taiwanese manufacturer of Android and Windows mobile devices, agreed to settle charges with the Federal Trade Commission (find the settlement here) in the first case against a mobile device manufacturer.  The agreement requires HTC to take actions that include implementing patches to fix security vulnerabilities on millions of mobile devices.

According to the FTC, HTC engaged in unfair practices and failed to provide “reasonable and appropriate” security in the design of the software used on their mobile devices.  The FTC alleged in the complaint that HTC’s overall practices, including security training, program development and implementation, software testing and risk assessment procedures were inadequate, resulting in serious vulnerabilities being introduced to over 18 million devices.  These major issues arose from customizations made by HTC that allowed third-party applications to access large amounts of sensitive data from consumers without the consumers’ knowledge.  How did this happen?

(1)  Permission re-delegation.  This happens when an application that has not received permission to access data piggybacks off the user permission granted to another application (in other words, you give application A the key to your data and it hands that key off to application B without your knowledge).  The FTC alleges that apps were surreptitiously tracking users and committing text-message toll fraud (an attacker uses the phone to send text messages to a number that charges the user for delivery of the message).

(2)  Application installation vulnerability.  HTC pre-installed a custom application on the Android devices that could download and install apps without users’ knowledge.  According to the FTC this vulnerability “undermine[d] all protections provided by Android’s permission-based security model.”

(3)  Insecure communications. This is a big one.  Since 2010, HTC has installed customer support and trouble-shooting loggers on about 12.5 million devices.  These loggers collected sensitive information such as the contents of text messages, phone numbers of contacts, GPS location data and web browsing history.  This information should be sent using secure communications mechanisms (such as the Android inter-process communications mechanism), but HTC failed to do so, which allowed any third-party app with access to the internet to communicate with the logger and access the sensitive information.

(4)  Debug code. Developers use this code to test the functionality of applications.  HTC used the debug code to record whether the interface on the mobile devices was properly sending information requested by the network operator.  Generally, there is nothing wrong with this practice, but HTC failed to deactivate the code before shipping the devices off for sale.  As a result, all the information was written to the Android system log and was accessible to any third-party app that had permission to read the system log.  Users may give third parties permission to read the log in certain situations (e.g. to troubleshoot application crashes), but those applications should never have had access to the plethora of sensitive information that was collected.
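Failure modes (3) and (4) above share a defender’s check: before a build ships, capture the system log from a test device and confirm that no component is writing message contents, contact numbers, coordinates or browsing history into a log that other apps can read. The script below is an added illustration of that check, not code from HTC, the FTC or this blog. It parses Android logcat lines in the common “threadtime” layout and flags messages matching heuristic patterns for the data categories the complaint describes. The sample log lines, the `SupportLogger` tag and the regular expressions are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of Android logcat output ("threadtime" layout). The tag
# names, numbers and messages are invented for this example, not real device data.
SAMPLE_LOGCAT = """\
03-12 10:15:02.117  1432  1432 D SupportLogger: sms body="Your code is 482913" from=+14155551212
03-12 10:15:02.204  1432  1432 D SupportLogger: contact name="Jane Doe" phone=+16505550123 email=jane.doe@example.com
03-12 10:15:03.011  1432  1450 I SupportLogger: location lat=37.422000 lon=-122.084000
03-12 10:15:03.512  1432  1450 D SupportLogger: http://example.com/account/settings?session=abc123
03-12 10:15:04.000  2201  2201 I ActivityManager: Displayed com.example.app/.MainActivity: +312ms
03-12 10:15:04.330  2201  2201 W WifiService: scan throttled
"""

# One logcat "threadtime" line: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF]) (?P<tag>[^:]+): (?P<msg>.*)$"
)

# Heuristic patterns for the data categories the text says the loggers exposed:
# text-message contents, contact phone numbers, GPS coordinates and visited URLs.
# These are illustrative; a real audit would tune them to the product's own log format.
SENSITIVE_PATTERNS = {
    "sms_content": re.compile(r"\bsms\b.*\bbody=", re.IGNORECASE),
    "phone_number": re.compile(r"(?:\+\d{1,3})?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "gps_coordinates": re.compile(r"\blat=-?\d{1,3}\.\d+.*\blon=-?\d{1,3}\.\d+"),
    "url": re.compile(r"https?://\S+"),
}


@dataclass(frozen=True)
class Finding:
    tag: str        # log tag of the component that wrote the line
    category: str   # which sensitive-data pattern matched
    message: str    # the offending message text


def parse_logcat_line(line):
    """Return (tag, message) for a threadtime-format line, or None if it does not parse."""
    m = LOGCAT_LINE.match(line)
    if m is None:
        return None
    return m.group("tag").strip(), m.group("msg")


def audit_logcat(text):
    """Scan captured logcat text and return one Finding per (line, matching category)."""
    findings = []
    for line in text.splitlines():
        parsed = parse_logcat_line(line)
        if parsed is None:
            continue  # malformed or continuation line; nothing to classify
        tag, msg = parsed
        for category, pattern in SENSITIVE_PATTERNS.items():
            # Only the message body is checked, so timestamps and pids never trip the patterns.
            if pattern.search(msg):
                findings.append(Finding(tag, category, msg))
    return findings


def leaking_tags(findings):
    """Group findings by log tag so the offending component is obvious in a report."""
    by_tag = defaultdict(set)
    for f in findings:
        by_tag[f.tag].add(f.category)
    return {tag: sorted(cats) for tag, cats in by_tag.items()}


if __name__ == "__main__":
    report = leaking_tags(audit_logcat(SAMPLE_LOGCAT))
    for tag, categories in report.items():
        print(f"{tag}: writes {', '.join(categories)} to the shared system log")
```

On the constructed sample the scan attributes every hit to the `SupportLogger` tag and leaves the platform tags clean, which is the signal a release gate wants: a named component to fix (or disable for shipping builds) rather than a vague suspicion that “something logs too much.” Because Android grants log access to other apps by permission, anything this scan reports is, in effect, data shared with every app holding that permission.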

These security failures exposed consumers to risks such as having malware placed on their devices that could record and transmit information entered into the device (e.g. financial account numbers and passwords, medical information, text messages and photos).

The settlement with HTC requires the company to provide patches to consumers to fix the security issues, to accurately represent its security practices to users (i.e. don’t tell users you provide protections that you don’t actually provide), to develop a comprehensive security plan, and to submit to biannual program audits for the next 20 years.

What the HTC Settlement Means for Your Business

What does this settlement mean for you?  Well, the FTC Business Blog has outlined key takeaways that include:

(1)  Data security. Data security. Data security.  Businesses need to understand and focus on data security.  Now is the perfect time to conduct risk assessments and determine the strengths and weaknesses of your network and physical security measures.  Have you implemented and maintained reasonable data security measures, such as using secure transmission mechanisms when sending sensitive data?  Please remember, providing adequate security is an on-going process, and you need to continue to review and make improvements to address the challenges you face.

(2)  Review your privacy policy and ensure your policy accurately describes your information collection and sharing practices.  The FTC charged that HTC made security and data collection representations that were not true.  Similarly, in another case that was settled this week, the FTC charged Compete, Inc. with violating the Federal Trade Commission Act by failing to disclose the extent of the information it collected.  In the settlement with Compete, the FTC required the company, among other things, to obtain consumers’ express consent before collecting any data from its software downloaded onto consumers’ computers. There are numerous cases where the FTC brought charges because the company misrepresented its data collection practices in its privacy policy (see our other blog posts here, here and here), and you don’t want to be the next target, so review your practices and describe them accurately in your policy.

(3)  Glitches happen, so be prepared to provide patch updates when necessary.

(4)  Do your homework and listen to researchers, marketers and savvy users if they report issues concerning your product or service.  The FTC said that if HTC listened to those sources it could have moved faster to solve the reported problems.

Although the FTC has targeted mobile privacy issues over the last year (see the Path settlement, the FTC’s guidance on mobile privacy disclosures and the upcoming public forum on threats to mobile devices), these issues go far beyond mobile devices: software security (or the lack thereof) can put any business at risk.

As we continue our “new year, new look” series into important privacy issues for 2013, we boldly predict:

Regulatory Scrutiny of Data Collection and Use Practices of Mobile Apps Will Increase in 2013

Mobile apps are becoming a ubiquitous part of the everyday technology experience.  But consumer apprehension over data collection and personal privacy with respect to mobile applications has been growing.  And as consumer apprehension grows, so does regulatory scrutiny.  In 2012, the Federal Trade Commission (FTC) offered guidance to mobile app developers to “get privacy right from the start.”  At the end of 2012, the California Attorney General’s office brought its first privacy complaint against Delta Airlines, Inc., alleging that Delta’s mobile app “Fly Delta” failed to have a conspicuously posted privacy policy, in violation of California’s Online Privacy Protection Act.  And also in December, SpongeBob SquarePants found himself in the middle of a complaint filed at the FTC by a privacy advocacy group alleging that the mobile game SpongeBob Diner Dash collected personal information about children without obtaining parental consent.

In 2013, we expect to see new regulatory investigations into privacy practices of mobile applications.   Delta was just one of 100 recipients of notices of non-compliance from the California AG’s office and the first to be the subject of a complaint.  Expect to see more of these filed early in this year as the AG’s office plows through responses from the lucky notice recipients.   Also, we can expect to hear more from the FTC on mobile app disclosure of data collection and use practices and perhaps some enforcement actions against the most blatant offenders.

Recommendation for action in 2013:  Take a good look at your mobile app and its privacy policy.  If you have simply ported your website privacy policy over to your mobile app, take another look.  How is the policy displayed to the end user?  How does the user “accept” its terms?  Is this consistent with existing law, such as California’s, and does it follow the FTC guidelines?

Written by Amy Malone

The Center for Digital Democracy (CDD) filed a complaint yesterday asking the Federal Trade Commission (FTC)  to investigate violations of the Children’s Online Privacy Protection Act (COPPA) by Nickelodeon and mobile app-maker PlayFirst.

The CDD alleges that the mobile game SpongeBob Diner Dash collects personal information about children, including full names, e-mail addresses and online identifiers, without obtaining parental consent, as required under COPPA.

The online identifiers collected by the app, such as unique device identifiers and device tokens, allow the app to track the behavior of the child and send push notifications to them.  These types of online identifiers are considered personal information under COPPA.

This is the second complaint the CDD has filed with the FTC concerning COPPA violations in the last two weeks.  The previous CDD complaint asked the FTC to investigate the Mobbles app for gathering and sharing the precise location of children without obtaining parental consent.  Both apps were quickly ripped from the app store following the complaints.

In a letter accompanying its new complaint, the CDD states that SpongeBob Diner Dash and Mobbles are representative of the widespread disregard of COPPA requirements.  Earlier this month the FTC reported that, of the 400 children’s apps it surveyed, 59% shared geolocation, device ID or phone numbers with developers or third parties, yet 80% failed to disclose any information about their privacy practices, including whether parental consent was required.

Proposed amendments to COPPA have been the subject of much discussion and comment over the past year.  According to a release from the Federal Trade Commission today, the final amendments are scheduled to be released tomorrow in a press conference at noon.   The press conference can be viewed live via webcast at the US Senate Commerce Committee website.

Written by Adam Veness

Wyndham Hotel & Resorts LLC (“Wyndham”) has filed a Motion to Dismiss the Federal Trade Commission’s (the “FTC”) Complaint against it, which alleges that Wyndham committed unfair and deceptive acts related to three data security breaches that Wyndham has suffered since 2008.  More information about the FTC’s Complaint can be seen in an earlier blog post here.

The Wyndham counter-volley takes an interesting approach.  In its Motion, Wyndham argues that the FTC lacks authority under Section 5 of the FTC Act to regulate data security standards.  Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Notably, Wyndham does not dispute that the FTC may bring enforcement actions against companies that make “deceptive” statements to consumers, i.e., misleading statements in a company’s privacy policy.  Wyndham contends, however, that the FTC is overextending its authority to regulate “unfair” acts or practices by attempting to regulate data security standards for the private sector.

As an example, Wyndham lists various statutes that grant the FTC explicit authority to regulate data security standards in specific contexts:

  • The Fair Credit Reporting Act – imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies;
  • The Gramm-Leach-Bliley Act – mandates data-security requirements for financial institutions; and
  • The Children’s Online Privacy Protection Act – requires websites to establish and maintain reasonable procedures to protect the confidentiality and security of information gathered from children.

Wyndham asserts that the FTC’s authority to regulate data security standards is limited to specific circumstances, and that Section 5 of the FTC Act does not provide the FTC with the broad authority upon which it relied in bringing its enforcement action against Wyndham.

As further support for its claim, Wyndham cites the FTC’s Report to Congress in 2000 (the “Report”).  In the Report, the FTC admitted that it “lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their Web sites, or portions of their Web sites, not directed to children.”  What’s more, in the Report, the FTC asked Congress to enact broader legislation requiring websites to “take reasonable steps to protect the security of the information they collect from consumers” and “provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act.”

The implications of Wyndham’s Motion are far-reaching.  Indeed, if the court finds for Wyndham and dismisses the FTC’s enforcement action, the FTC will likely have a tough road ahead when attempting to settle future claims with companies that have suffered from data breaches as a result of inadequate data security standards.  Such a ruling for Wyndham could potentially provide enough ammunition to prompt Congress to step in and grant the FTC the authority that it requested over a decade ago in the Report.  Wyndham’s Motion brings to light a possible gap in the FTC’s authority to regulate data security standards, despite all of the settlements that the FTC has made with companies on the basis of that authority.

This is an argument worth watching.  Stay tuned.

Written by Amy Malone

The FTC has finally released details of their settlement with Google, including the hefty price tag of $22.5 million, the highest fine ever slapped on a violator of an FTC consent order. The Internet giant was charged with breaking the terms of the consent order they entered into last year by misrepresenting how users could opt out of having certain cookies dropped on their browser.

A majority of Google’s earnings is generated through online advertising, some of which is targeted at online users through the use of third party cookies.  Those third party cookies are “dropped” from an advertising network on a user’s Internet browser (e.g., Internet Explorer, Firefox, Safari) which then allows that network to track information such as what sites the user visits and this allows targeted ads to be sent to the user.   Some users prefer not to receive targeted advertisements, and there are ways for them to opt out of having these types of cookies dropped on their Internet browsers.

The Safari Problem. According to the FTC complaint, when Safari (a browser provided by Apple) users visited the Google “Advertising Cookie Opt-out Plugin” page they were told that if they left the Safari default settings on they didn’t have to do anything else because those settings prevent third party cookies from being dropped.  Safari’s default settings prevent third party cookies from being dropped except in limited circumstances such as when a site uses a “form submission,”  used in situations such as online purchases when a user enters information like an email address. It’s important to note that once Safari accepts a third party cookie from a site it accepts all cookies from that site.   In this case Google communicated with the Safari browser saying it was generating a form submission, but in reality Google was dropping a cookie from DoubleClick, their advertising network. Once the cookie was set, Safari then accepted all cookies from DoubleClick and  DoubleClick sent targeted advertisements to those users.  Google managed to circumvent the Safari settings and do exactly what they said they were not doing.

Google denies the allegations in the FTC complaint, but has agreed to pay the fine.   According to the FTC’s statement they have enough reason to believe Google violated the order and assessing the fine is in the public interest. The FTC asserts that this penalty helps ensure that Google will abide by the consent order and provides a “strong message” that the FTC is paying attention to consent orders and those that misstep will be brought to task “quickly and vigorously”.

The FTC has been busy on other fronts.   A cross-post from Mintz Levin’s Employment Matters blog describes a recent $2.5 million settlement agreement reached with online background check provider, HireRight, for violations of the Fair Credit Reporting Act.