Global Regulatory Enforcement Law Blog : Global Regulatory Enforcement Lawyers & Attorneys: Reed Smith Law Firm: Government Contracts & Compliance

This post was written by Judith L. Harris and Amy S. Mushahwar.

The Federal Communications Commission (FCC) acted today to tighten its rules under the Telephone Consumer Protection Act (TCPA) and conform them, to the extent possible, with the more stringent rules already in place at the Federal Trade Commission (FTC) under the Telephone Sales Rule (TSR). This change will hit hardest entities such as banks which are not subject to FTC jurisdiction, and do not have more stringent compliance programs already in place. Although the FCC’s order has not been released and no information is available yet as to the details of how the revised rules will operate and exactly to what calls they will apply, the following four points are clear:

1. Prior express WRITTEN consent will now be required before making any telemarketing robocall (using an autodialer or a prerecorded message) to a consumer; electronic signatures will be acceptable as evidence of written consent and this change will not apply to purely informational calls (“such as those related to school closings and flight changes.”);

2. The “established business relationship” will be eliminated as an exception to the prior written consent requirement that currently applies in the case of wireline calls;

3. An automated opt-out mechanism will have to be included in each robocall to facilitate a consumer’s ability to withdraw prior consent; and

4. The rules governing abandoned or “dead air” calls will be tightened, including through stricter time limits and by changing those limits to apply to each separate marketing campaign, rather than allowing the limits to be averaged over different calling campaigns, as is currently the case.

We are awaiting further details on exactly how these rules will be applied and when they will become effective. In the interim, please contact the authors of this article or the Reed Smith attorney with whom you normally work.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Debra H. Dermody, Gavin P. Eastgate and Michelle Mantine.

On January 24, 2012, the Federal Trade Commission announced the annual threshold adjustments for premerger filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a) (“HSR”). The new thresholds have increased the dollar amount required to trigger HSR notification with respect to both the size-of-transaction and size-of-person tests.

The revised HSR thresholds will apply to all transactions that close on or after the effective date, which is 30 calendar days following publication of the adjusted thresholds in the Federal Register. Publication will occur shortly, and the effective date will be in late February.  Click here to learn more about the Adjusted HSR Thresholds for 2012.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Mark S. Melodia, Paul J. Jaskot, and Frederick Lah.

On September 15, Barnes & Noble ("B&N") acquired several of Borders’ intellectual property assets, including a database of customer information, as part of Borders' bankruptcy auction.  The sale of those assets hit a potential roadblock on Thursday, though, when a New York bankruptcy judge refused to approve the transaction, saying that he needed more time to think about the potential privacy concerns. This decision came on the heels of a Report issued by a court-appointed ombudsman who recommended certain privacy restrictions to be taken with respect to the customer information.

The Report recommended, among other restrictions, that B&N obtain the affirmative consent of affected consumers before transferring the personal data and that it treat consumer information pursuant to Borders' privacy policy in effect at the time of its collection. Borders' first privacy policy, published in 2006, provided that it will "only disclose [customer] email address or other personal information to third parties if you expressly consent to such disclosure." (emphasis in original text)

The Report also cited to letters the ombudsman received from 25 State Attorney Generals and the FTC expressing concern over the transfer of personal information in connection with the sale. The FTC's letter recommended than any transfer of personal information take place only with the consent of Borders' customers or with significant restrictions on the transfer and use of the information. Those recommended restrictions included: (i) Borders agreeing not to sell the customer information as a standalone asset; (ii) the buyer's line of business be substantially similar to that of the old owner; (iii) the buyer expressly agreeing to be bound by the terms of Borders' privacy policy; and (iii) the buyer agreeing to obtain affirmative consent from consumers for any material changes to the policy. The FTC further stated that any transfer of customer information could contravene Borders' express promise not to disclose such information and could constitute a deceptive or unfair practice.

B&N responded to the Report by filing a statement with the bankruptcy court. In the statement, B&N denied knowing that the ombudsman was planning to make recommendations or that he had corresponded with the FTC and the Attorney Generals. B&N characterized the Report's restrictions as "overreaching and unnecessary" and said that implementation of the restrictions "would materially reduce the value of the customer list." While B&N did agreed with some of the restrictions, it rejected others, particularly that Borders obtain opt-in consent for the transfer of personal data and that B&N treat consumer information pursuant to the Borders' privacy policy in effect at the time of its collection. According to B&N, it would be completely unrealistic to expect customers to affirmatively respond to a request from Borders since Borders "has gone out of business." Further, to treat consumer data pursuant to Borders' privacy policies at the time of its collection would be, according to B&N, "administratively difficult, if not impossible, and would likely have the perverse effect of harming consumers through confusion and lack of a straightforward method for them to understand how their information is being used." B&N said the transaction is "at risk."

This is certainly not the first time that would-be buyers of information-based assets have faced FTC or judicial scrutiny and concerns about the privacy implications of such a transfer. For example, last year, a former publisher of a magazine and dating website for gay youth had declared bankruptcy, which resulted in the dispute over ownership of various business assets, including the subscriber database. The FTC warned that any transfer or use of the database could potentially result in a violation of the FTC Act. The New Jersey Bankruptcy Court eventually ordered the buyer to destroy the subscriber database.

Similarly, in 2000, the FTC brought an action against Toysmart, in which the Commission sued an online toy retailer which had filed for bankruptcy and sought to auction the personal information it collected from customers. The Commission eventually entered into a settlement with Toysmart allowing the transfer so long as the buyer adhered to certain restrictions, many of which were similar to the ones recommended in the FTC's letter to Borders.

In today’s information age, consumer information is essential to business efficiency and can be a very valuable asset for those companies who are forced to liquidate their assets to mitigate debt (as evidenced by the $13.9 million dollar price tag B&N agreed to pay for the IP assets). While databases containing consumer information can be valuable, transferring such databases can be a risky process, subject to judicial and regulatory scrutiny. This case teaches us that companies looking to perform these transfers need to be mindful of the privacy implications involved in the process. Reed Smith can help companies that are contemplating such transactions, whether in a bankruptcy proceeding or a negotiated transaction, with evaluating the transferability of those assets and identifying and analyzing associated risks — before the government or another third party does.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Paul Bond and Chris Cwalina.

In her new article, "The Intersection of Consumer Protection and Competition in the New World of Privacy," Federal Trade Commissioner Julie Brill cautions that the pursuit of privacy may conflict with the pursuit of a competitive market. Commissioner Brill's article, published in the Spring Edition of Competition Policy International, notes that the Federal Trade Commission's role is to protect consumers from many types of market failures. The FTC strives to protect consumers from unfair and deceptive information collection and use practices. But, at the same time, the FTC protects consumers from collusive and other anti-competitive behaviors. Commissioner Brill identifies a potentially problematic range of privacy enhancements which could, paradoxically, harm consumers by stifling competition. In this position, Commissioner Brill goes further than the FTC's preliminary white paper, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (2010 Privacy Report).

For example, Commissioner Brill asserts that self-regulation to date has been "slow and inadequate". This mirrors criticisms in the 2010 Privacy Report. But Commissioner Brill goes on to posit that dominant companies can misuse privacy self-regulation to stifle market entry by new competitors. The Commissioner does not describe in any detail the manner in which such an anti-competitive plan would be carried out. Presumably, the cost in money or time of complying with the industry's self-regulation would prove prohibitive for fledgling businesses, while just a "cost of doing business" for better capitalized industry leaders. There may also be a concern that existing businesses, which already hold stockpiles of consumer information, would erect barriers to data collection which would affect new enterprises disproportionately.

Commissioner Brill also raises the competitive concern that privacy regulation not unfairly benefit new entrants. "Indeed," she recognizes, "some more established data brokers and other information firms believe it is much easier for their newer competitors to design privacy protections into their new business models and new forms of communications than it is to retrofit old systems to meet the realities of today's privacy concerns."

Until now, a strategic analysis of the competitive impact of privacy regulation has not been an FTC priority. Indeed, in her Article, Commissioner Brill notes that she writes only for herself, and is not reflecting the views of the Commission or the other Commissioners. Still, taken in conjunction with Commissioner Roach's recent opinion that the Google Buzz settlement may have been a strategic ploy by Google to create insurmountable regulatory barriers to entry, it is safe to say the FTC is increasingly wary of privacy regulation being misused for private ends. Advocates of self-regulation, as well as those seeking to advance or defeat governmental regulation, must be prepared to explain why their privacy regulation or self-regulation proposals are consistent with a vigorous free market. Advocates of industry self-regulation already know that the FTC has criticized efforts to date and here is another hurdle that must be addressed before self-regulation is deemed by the FTC to be robust enough and workable.

Given how extremely easy it is to transfer information as an asset between corporate forms, and from one area of the world to another, the prospect for strategic resistance to or abuse of privacy regulation by companies around the world is substantial. Commissioner Brill performs a service by injecting a note of economic realism into the ongoing debate about how information can and should be regulated in the 21st century.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Reed Smith Attorney Amy Mushahwar was recently interviewed by IT Business Edge on the McCain-Kerry Bill. According to Amy, "if enacted, the bill would expand the Federal Trade Commission’s jurisdiction to include telecommunications companies for privacy matters. Typically, telecom companies would not be within the FTC’s jurisdiction." To see the complete interview, please click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Mark Melodia, Judy Harris, Chris Cwalina, Paul Bond, and Amy Mushahwar.

We've been busy here in Washington with two seminal privacy reports released within a span of two weeks.  At Reed Smith, our interdisciplinary team of former government officials, former in-house attorneys, class action litigators and engineers (in the US and internationally) are reviewing the releases and providing prompt insights for your review.  Below, please find a link to the reports, our most recent digests and our aptly timed teleseminar that occurred on the very day that the Department of Commerce released its privacy green paper.

On December 1, 2010, the Federal Trade Commission issued its long-awaited 123-page preliminary report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. The report is the most important and comprehensive guidance the FTC has ever issued in the privacy arena, and it has the potential to dramatically overhaul the way businesses think about privacy. More importantly, the document sets the stage, potentially, for a very different regulatory framework in Washington. For more detailed information on the FTC Report click here.  Comments are due on this report by January 31, 2011.

On December 16, 2010, the U.S. Department of Commerce issued its initial policy recommendation in a green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework .  The Commerce green paper issued by the specially established Internet Task Force at the Department of Commerce lends another voice to the privacy debate and attempts to create a universal privacy baseline. While the report makes no recommendations to cover specific industry sectors that are addressed by existing privacy regulations, such as, healthcare, financial services and education, it is clear that the Department of Commerce would like to lead the regulatory agenda in the online privacy overhaul that is expected in 2011.  Check back here over the next few days for a more detailed look into the report.  Comments are due on this report by January 28, 2011. 

We addressed both reports in yesterday's teleseminar by privacy counsel Mark Melodia, Chris Cwalina, Paul Bond and Amy Mushahwar,  even though our team was still digesting the Commerce item that was released only hours before the teleseminar.  Our team described how the reports may apply to your business and provided a view from Washington regarding the complex regulatory and legislative road that may lie ahead for data privacy and cyber security issues. Feel free to listen to an audio recording of the event while watching the slide show.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This post was written by Paul Bond, Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

On December 1, 2010 the FTC released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This 123-page preliminary staff report proposes a sea change in US privacy law. The FTC is accepting comments on this report until January 31, 2011.

In the report, the FTC proposes a major change in the framework of US privacy law, stating bluntly that, "Industry must do better."

• Notice-and-consent does not work, the FTC says. People do not read or understand privacy notices as now written. The Commission's view is that privacy policies have become "long" and "incomprehensible".
• The report says that waiting for harm to come to consumers is also not an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Per the report, privacy harms include reputational harms and even the emotional harm of having one's information "out there," and/or "fear of being monitored". The FTC says the new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch expressed in his concurrence that "the Commission could overstep its bounds" if it were to begin analyzing these more intangible harms when assessing consumer injury.
• Industry self-regulation, per the report, is too little, too late and has failed to provide adequate and meaningful protection.

The report also challenges a number of assumptions in how we view data privacy and security.

• The FTC casts severe doubt on claims that de-identified information need not be protected, citing to multiple instances and methods by which personally-identifiable information (“PII”) can be culled from data that does not include names (i.e., IP Addresses or other unique identifiers). The distinction between PII and non-PII, the FTC concludes, is "of decreasing relevance". Consequently, the scope of the report is very broad and applies to "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device."
• The report purports to apply in the online and offline world and not just to companies that work directly with consumers.
• The FTC suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates, regardless of the industry, universalizing consumer notice requirements that hitherto only applied as to certain highly regulated industries (i.e., telecommunications, education, healthcare, financial services) or certain types of highly sensitive data (i.e., credit report information, bank account information).
• The report distinguished between "commonly accepted data practices" and all other data practices. Borrowing from GLBA and HIPAA, commonly accepted practices, like using data to aid law enforcement or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers. All other data practices would require notice and consent, in a form easy to read and understand, ideally provided to the consumer at the point the consumer enters his or her personal data. Behavioral advertising and deep packet inspection are explicitly named as not "commonly accepted data practices". Also, the FTC suggests that opt-in consent be obtained prior to implementing any material changes to a company's privacy policy that would apply to data collected under a prior policy.
• The report suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers and that companies provide consumers with "reasonable access" to their data.
• Per the report, appropriate data retention periods should be a legal requirement. The report sites geolocation data as especially important to phase out.
• The report also endorses a "Do Not Track" mechanism, understanding that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self regulatory efforts to develop a system whereby a consumer could opt not to be "tracked." The FTC has expressed a distinction between "tracking" and "interest-based" advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for creating such a registry, but has proposed that a browser-level solution that could be similar to the privacy plug-in on the Firefox browser or incognito mode in Google Chrome. The FTC has not expressed whether opt-in or opt-out would be the default browser setting for any browser privacy plug-ins/modes developed.

So what should businesses do?

First, companies should carefully review the report and the 50+ questions open for public comment posed in Appendix A (there are also additional questions posed in the Commissioner dissent statements).

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen to and often address business concerns, but they must be heard. Trade associations may be a good place to start but also consider unique issues that your company may face that should be addressed.

Third, now is a good time for companies to pull back and consider their privacy programs and the extent to which they incorporate privacy into their everyday business practices. The report suggests that every company should adopt "privacy by design," "building privacy protections into everyday business practices," "assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services".

The FTC's full report is available here. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link