FTC Beat
Dec 13
2012

FTC Report Faults App Developers on Data Collection From Kids

The Federal Trade Commission released a report on December 10, 2012, that concluded that mobile apps targeted at children were collecting large amounts of data from children and sharing their information with advertisers without disclosing their practices.

The FTC report examined 400 leading apps designed for kids that were sold in the mobile stores run by Apple and Google. The agency said it is launching an investigation to determine if certain mobile apps developers have violated the Children’s Online Privacy Protection Act (COPPA) or engaged in unfair or deceptive trade practices.

The FTC’s authority over children’s mobile apps comes from laws that prohibit unfair and deceptive acts of commerce, as well as from COPPA, which requires operators of online services for children under 13 to get consent from parents before collecting and sharing personal information, among other requirements.

The report itself does not call for regulatory changes. However, the FTC is reviewing COPPA to determine if it needs to be updated, and is expected to announce updates soon COPPA was enacted in 1998, and FTC officials say the law needs to be changed to reflect the growing prominence of mobile apps and social networking sites used by children. The regulations under COPPA have not been substantially revised since its introduction. COPPA sets forth specific requirements for websites aimed at children, but its guidance on mobile technology is far less clear.

The FTC proposed updating COPPA, but it has been met with pushback thus far from technology companies. The proposed changes could significantly increase the need for children’s sites and apps to obtain parental permission to collect certain types of data, including device IDs, photos, and voice recordings. FTC officials have also emphasized that they consider the exact location of a mobile device to be personal information that would require parental permission to collect.

The FTC report noted that it was particularly concerned with the collection of a user’s device ID, which is a string of letters or numbers that identifies each mobile device. Nearly 60 percent of the mobile apps that the FTC reviewed transmitted the device ID. Some of those apps then shared that ID with an advertising network or other third party, including some apps that disclosed the phone number and location of the device. Additionally, more than half the apps also contained interactive features such as advertising or in-app purchases that were largely undisclosed to parents.

Only 20 percent of the apps reviewed in the report disclosed any information about the app’s privacy practices. FTC Chairman Jon Leibowitz said, “Our study shows that kids’ apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents.”

This week’s report serves as further notice to all mobile app developers that the FTC is monitoring the mobile app market.  App developers, particularly developers that are targeting children, need to review their compliance with FTC guidelines, as well as their overall truth-in-advertising and data privacy policies, to make sure their apps are complying. The FTC has made clear that it will take enforcement actions against industry participants and will continue to aggressively pursue action in the future.

Ifrah Law is a leading white-collar criminal defense firm that focuses on data privacy.

Dec 07
2012

California Attorney General Flexes Muscle on Mobile Privacy: AG Sues Delta for Lack of Privacy Policy on Mobile Application

Yesterday, California’s Attorney General Kamala Harris filed the state’s first suit under California’s Online Privacy Protection Act.  The lawsuit, against Delta Air Lines, followed the Attorney General’s warning letters to Delta and many other companies in October to post privacy policies with their mobile apps to inform users of what personally identifiable information is being collected and how the information is used by the company (previously covered by FTC Beat here).

California’s Online Privacy Protection Act mandates that commercial operators of websites and online services, including mobile and social apps, conspicuously post a privacy policy if they collect personally identifiable information from California residents.  In addition to posting a privacy policy, operators must abide by the promises and representations made in those policies.

In the complaint against Delta, the AG contends that Delta has operated a mobile app called “Fly Delta” since at least 2010.  Individuals can use the Fly Delta app to check in for flights, view reservations, rebook  flights, pay for checked baggage, and access a user’s frequent flyer account, among other actions.  The California AG alleges that the Fly Delta app lacks a privacy policy, despite the fact that
Delta’s app collects substantial amounts of personal information, including full names, telephone numbers, email addresses, photographs, and geo-locations.  According to the complaint, “Users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed, or sold.”  The AG asserts that Delta’s conduct violates the Online Privacy Protection Act and California’s Unfair Competition Law.

Delta will, of course, have a chance to defend itself and could argue that its general website policy covers its mobile applications.  Many companies maintain a general privacy policy that covers their website, their mobile applications, and even their social networks.   The complaint acknowledges Delta’s website privacy policy though contends that it is not “reasonably accessible to consumers of the Fly Delta app” and that the app collects different information than is collected through the website.

The lawsuit seeks an injunction to prevent Delta from distributing its application and requests penalties of up to $2,500 for each violation (in other words, each time the app is downloaded).   According to the complaint, the Fly Delta app “has been downloaded by consumers millions of times since October of 2010 without the conspicuously posted privacy policy required by” the Online Privacy Protection Act. The Attorney General’s action in filing the lawsuit demonstrates that she intends to follow through on her earlier warnings to companies to ensure their compliance with the Online Privacy Protection Act.  Other companies who received similar warning letters included Open Table and United Continental.

Companies offering mobile apps and commercial websites should ensure that they post and abide by privacy policies when they are collecting personal information.  Further, if a general privacy policy is meant to cover a company’s app, it should so state and it would be prudent for it to be easily accessible through the mobile app.   The California Attorney General’s lawsuit against Delta is a sure sign that California will continue to follow through on its efforts to mandate compliance with its Online Privacy Protection Act, and other states may follow California’s lead.

Ifrah Law is a leading white-collar criminal defense firm that focuses on data privacy.

related practices at ifrah law:
Data Privacy
Dec 03
2012

FCC Ruling Permits Confirmation Text Messages for ‘Opt-Out’ Customers

The Federal Communications Commission recently ruled that companies may send a one-time text message confirming a consumer’s opt-out of texts without violating the Telephone Consumer Protection Act (“TCPA”), and potentially facing large class action lawsuits.

This pro-business ruling represents a victory for SoundBite, the company that sought a declaratory ruling from the FCC, as well as for other businesses that use mobile texting to communicate with customers. Many businesses (including SoundBite) are facing class actions under the TCPA for sending this type of confirmatory message.

The TCPA prohibits, among other things, autodialed calls to mobile phones, unless the sender has received prior express consent from the recipient for such calls. The FCC has ruled that text “calls” are covered by this prohibition. Thus, under the TCPA, an autodialed call that sends a text to a mobile phone without prior express consent (irrespective of the type of message) is prohibited. The TCPA provides for FCC and state attorney general enforcement as well as private litigation. Plaintiffs’ lawyers have latched onto the TCPA for several years and have recovered substantial amounts in judgments and settlements.

SoundBite sends text messages on behalf of a number of companies that have obtained express consent to send texts to particular wireless subscribers, including banks, utilities, and retailers. SoundBite follows the Mobile Marketing Association’s best practices which include the transmission of a text message to a subscriber confirming that subscriber’s request to opt-out of receiving future messages. When a consumer opts-out of receiving future text messages, a one-time reply is sent back (usually within minutes) via text confirming receipt.

While many of the FCC’s rulings on the TCPA have not been viewed as business-friendly, this latest ruling represents a victory for businesses. Several large associations and businesses filed in support of SoundBite’s petition, including the American Bankers Association and the Consumer Bankers Association. SoundBite also had the support of the National Association of Consumer Advocates. The parties argued that confirmation messages are, in fact, consumer-friendly as they provide important information to the consumer to let him or her know that the opt-out was received and the messages will stop.

The FCC concluded that, as long as prior express consent of the receiving party exists before sending any messages, a one-time text confirming an opt-out request does not violate the TCPA: “We conclude that a consumer’s prior express consent to receive text messages from an entity can be reasonably construed to include consent to receive a final, one-time text message confirming that such consent is being revoked at the request of the consumer.”

Importantly, the FCC stated that these opt-out texts may only confirm the opt-out request and may not include any marketing or promotional information (or an attempt to convince the consumer to reconsider his or her opt-out) and can be the only additional message sent to the consumer after the receipt of the opt-out request. In addition, if the confirmation message is sent more than five minutes after the opt-out, the burden will fall on the sender to demonstrate that the delay was reasonable. The FCC also asserted that it will monitor consumer complaints and take action if senders are using confirmation texts as an additional opportunity.

Businesses that receive threats of TCPA lawsuits for confirmatory texts will now be able to use this FCC ruling in their defense. Plaintiffs may challenge the FCC’s interpretation of the strict statutory language, however, as they have done in other instances. Organizations wishing to use confirmatory opt-out texts should review the FCC’s ruling and ensure that their confirmations comport with the FCC’s guidance, especially regarding timing and ban on advertising and promotional messages

Ifrah Law is a leading white-collar criminal defense firm that focuses on e-commerce.

related practices at ifrah law:
E-Commerce
Nov 20
2012

CFPB, FTC Announce Crackdown on Deceptive Mortgage Advertising

On November 19, 2012, the Federal Trade Commission and the Consumer Financial Protection Bureau announced that they have launched a new coordinated effort to protect consumers, focusing on mortgage advertisements that they say are deceptive.

The CFPB and the FTC worked together to review roughly 800 mortgage ads. These ads were produced by entities involved in different aspects of the mortgage process, including mortgage brokers and lenders, lead generators, real estate agents, home builders, and others. The ads were featured on a wide range of media including newspaper, direct mail, email and social media.

The agencies stated that some of these ads had specifically targeted the elderly and veterans.

The letters warned the recipients that they may be in violation of the Mortgage Acts and Practices Advertising Rule (MAP Rule) that took effect in August 2011, which prohibits misleading claims concerning government affiliation, fees, costs, interest rates, payment associated with the loan, and the amount of cash or credit that is available to the consumer. The MAP Rule does not apply to traditional banks, meaning today’s actions affect only non-banks.

The FTC and the CFPB both have enforcement authority over non-bank mortgage ads under the MAP Rule. The agencies stressed that as part of the initiative they are working together to assure that consistent standards are applied across agencies. The agencies will conduct separate investigations focused on different targets to better utilize their resources and avoid double-teaming businesses.

“Working together and applying consistent standards to all types of clients in all types of ads is a very important means of making sure that mortgage advertisers are on notice that they have to comply with the law,” said Thomas Pahl, the assistant director of the FTC’s Division of Financial Practices.

The FTC and the CFPB issued more than 30 warning letters to mortgage advertisers, warning them that their advertisements may be deceptive. Both agencies stated that they have also opened formal investigations into other advertisers that may have committed more serious violations of the law. Violators of the MAP Rule can be subject to civil fines.

“Misrepresentation in mortgage products can deprive consumers of important information while making one of the biggest financial decisions of the lives,” CFPB Director Richard Cordray stated. “Baiting consumers with false ads to buy into mortgage products would be illegal.”

The review of the advertisements revealed several different types of claims that regulators could possibly find misleading, including ads that suggested that a company was affiliated with a government agency, ads that guaranteed approval and offered low monthly payments without discussing the conditions of the offers, and ads offering a low fixed mortgage rate without discussing significant loan terms.

The announcement shows that the FTC and the CFPB are taking an aggressive and proactive look at companies that offer products in the financial services sector. Companies that offer mortgage and other consumer lending products should know that the FTC and the CFPB are paying special attention to them and that their advertisements need to comply with federal regulations.

Ifrah Law is a leading white-collar criminal defense firm that focuses on online fraud and abuse.

Nov 13
2012

Congress Continues to Examine Data Brokers’ Practices

The chairmen of the Congressional Bipartisan Privacy Caucus just released the responses they received from nine major data brokers whom they queried in July about how each broker collects, assembles and sells consumer information to third parties. In their responses, the nine companies — Acxiom, Epsilon, Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Merkle and Meredith Corp. – generally asserted that they were not data brokers. Some companies claimed they analyze data rather than broker it. Copies of the brokers’ responses and the original letters can be found here.

Interestingly, several of the brokers acknowledged obtaining their data from social networks such as LinkedIn and Facebook, in addition to telephone directories, government agencies, and financial institutions.

The legislators issued a joint statement in which they noted shortcomings in the brokers’ answers, stating that “many questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers.”

Members of Congress have indicated that they will continue to scrutinize the data brokerage industry. Issues of particular concern for the legislators include: the sale of personal information to third parties for targeted advertising, the gathering and selling of information relating to children and teenagers, and the lack of transparency in data brokers’ practices and available information. The Privacy Caucus has expressed concern that many Americans do not know how the industry operates and that controls may be lacking for individuals over their own information.

The FTC has already called on Congress to address data brokers’ practices through legislation. In March, the FTC advocated for legislation to “address the invisibility of, and consumers’ lack of control over, data brokers’ collection and use of consumer information.” We anticipate continued review of data brokers by Congress and federal agencies including the FTC. Companies in the data compilation business should continue to monitor ongoing proceedings.

It should be noted, however, that not all companies that gather personal information actually “broker” it in a manner that raises concern. Some companies compile information and remove identifying data before providing it to third parties; other companies gather information under contract for a business with whom a consumer has an existing business relationship – as a means to promote better customer service by tailoring offerings that will be of interest to consumers generally or to a particular consumer. Many consumers have indicated a willingness to receive these types of tailored offerings.

Ifrah Law is a leading white-collar criminal defense firm that focuses on data privacy.

Nov 12
2012

Policing the Wide, Wild New World of Biometrics

Progress in the world of biometrics should cause us all to shudder. Cameras in public locations can now employ facial recognition to direct advertising to us based upon an assessment of our age, sex, and other characteristics. Cameras can determine our reaction to and engagement in video games and movies. It sounds a bit like a world composed of two-way mirrors. But instead of shuddering, we sometimes knowingly, sometimes carelessly, support the technology – and other data collection practices – through our online and commercial activities.

How many of us constantly update and tag our Facebook pages with pictures of us and our loved ones and where we’ve been? How many take advantage of product/service discounts by scanning our smart phones and “liking” products on Facebook? How many of us are now buying into dating apps and social apps that are based on facial recognition technology? The fact is that much of our data can be, and is being, collected and we consumers (especially in the United States) seem to have no problem with it, even volunteering for it.

Perhaps fortunately, some regulators are stepping in and keeping a watchful eye on these developments and looking for ways to curb the potentially nefarious use of consumer data. The FTC and its Division of Privacy and Identity Protection recently published its list of best practices for companies who use facial recognition technologies. The publication, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,” underlines important concerns about being able to identify anonymous individuals in public and about attendant security breaches such as hacking. The FTC’s proposed best practices include the following:

• Companies should maintain reasonable data security protections to prevent unauthorized information “scraping” of consumer images and biometric data.
• Companies should maintain appropriate retention and disposal practices.
• Companies should consider the sensitivity of information when developing facial recognition products and services, e.g., they should avoid placing signs in sensitive areas, such as bathrooms, locker rooms, health care facilities, or places where children congregate.
• Companies using digital signs capable of demographic detection should provide clear notice to consumers that the technologies are in use, before consumers come into contact with the signs.
• Social networks should provide users with clear notice – outside of a privacy policy – about how the feature works, what data it collects, and how it will use the data.
• Social networks should provide consumers with (1) an easy-to-find, meaningful choice not to have their biometric data collected and used for facial recognition; and (2) the ability to turn off the feature at any time and delete any biometric data previously collected.
• Companies should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data in a materially different manner than they represented when they collected the data.
• Companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent.

The guidelines come only a few months after the FTC’s March 2012 Privacy Report (“Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers”) and are a logical follow-on to the report. They incorporate the Privacy Report’s core principles: privacy by design, simplified consumer choice, and transparency. These principles and guidelines are a step in the direction of responsible data collection and responsible technological advancements.

We should point out that neither the Privacy Report nor the Best Practices in Facial Recognition are binding or enforceable as they do not fall under FTC’s legal authority. And the FTC prominently makes this disclaimer, noting that the guidelines are merely recommendations without the force of law. It is clear, however, that the FTC is appropriately preparing to assume enforcement authority, should Congress pursue privacy legislation (something the FTC recommends in the Privacy Report). That is obvious from the mere fact that the agency has established a Privacy and Identity Protection Division.

Companies that are developing or seeking to employ biometrics – or that employ other data collection practices – would be well advised to pay attention to the FTC’s recommendations. The guidelines provide insight into how an enforcement authority is likely to approach biometrics and other data collection practices. The guidelines also provide a framework for responsible use of consumer data. And even though consumers currently seem passive or dismissive about biometrics and data collection, it would take just one scandal or highly publicized incident for public opinion to change. Companies will benefit in the long run by building good will among consumers.

Ifrah Law is a leading white-collar criminal defense firm that focuses on data privacy.

related practices at ifrah law:
Data Privacy
posted in:
Privacy
Nov 08
2012

Why Is CFTC Planning to Appeal Judge’s Ruling in Dodd-Frank Case?

The Commodity Futures Trading Commission (CFTC) is apparently going to appeal a U.S. district judge’s ruling that had overturned its decision to impose limits on the number of contracts that commodity traders can hold.

The CFTC had found that under the recently passed Dodd-Frank law, which amended the Commodity Exchange Act of 1936, it now need not make a finding of “necessity” before it puts forth a rule to impose these position limits. It had ruled, in fact, that it was mandated by Congress to set limits and that it had no discretion to choose not to impose such limits.

The swaps and derivatives industries, however, challenged the CFTC’s interpretation in U.S. District Court for the District of Columbia. The industries contended that even under the Dodd-Frank amendments, the agency must find that it is “necessary and appropriate” to set position limits. In other words, for each given commodity, it would need to show that there was a risk of dangerous speculation.

On September 28, U.S. District Judge Robert Wilkins rejected the CFTC’s position. He sent the rule back to the CFTC for further consideration, just two weeks before the limits were set to take effect. He said that Dodd-Frank did not give the agency a “clear and unambiguous mandate” to set position limits without showing they were necessary in each instance.

The law, wrote Judge Wilkins, requires “that the Court remand the rule to the agency so that it can fill in the gaps and resolve the ambiguities.”

One would think that the agency would accept this direction from the judge and come up with an interpretation of the Dodd-Frank law that would indeed fill in gaps and resolve ambiguities. That is what an agency is supposed to do.

Now, however, according to Reuters and other reports in early November, there appears to be a CFTC majority – three of the five commissioners — in favor of appealing Judge Wilkins’ decision to the U.S. Court of Appeals for the D.C. Circuit.

It seems odd to us, at the very least, that the agency is insisting on an interpretation of the Dodd-Frank law that strips it of all discretion and requires it to set position limits for dozens of commodities without a finding that the limits are going to be helpful to police the markets and limit excessive speculation. Especially now that a judge has ruled that Congress didn’t unambiguously decide to tie the agency’s hands, why pursue this appeal?

Ifrah Law is a leading white-collar criminal defense firm that focuses on financial services.

related practices at ifrah law:
Financial Services
Nov 02
2012

Judge’s Ruling on Antitrust Complaint Has Implications Far Beyond the .xxx Domain

A recent decision by a federal judge in California has brought ICANN’s broad authority over the domain name system once again into question. Manwin Licensing International – perhaps the most lucrative provider of online adult-oriented content – brought an antitrust action against ICANN arising from the establishment of the .xxx top-level domain and the award of the registry contract for .xxx to ICM Registry. Manwin claimed, among other things, that because ICANN’s registry contract with ICM contains no restrictions on the price ICM may charge for its services (while providing for an enhanced fee to be paid by ICM to ICANN) and ICM is insulated from competition on renewal, the award of the contract violated the Sherman Antitrust Act.

In any antitrust case, the plaintiff must establish a “relevant market” that it can show is adversely affected by the anticompetitive actions. Here, Manwin sought to establish that the relevant markets affected by ICANN and ICM were the markets for affirmative registrations (i.e., the lack of an adequate economic substitute for .xxx domain names) and for defensive registrations (i.e., the need for trademark holders to protect their marks by registering .xxx names, for instance, playboy.xxx). The court made short work of Manwin’s claim with respect to the affirmative registration market, pointing out that domain names in other generic TLDs (gTLDs) are an adequate economic substitute for .xxx registrations. Indeed, the court pointed out that one of Manwin’s own websites – youporn.com – is the most popular free adult video website on the internet. Thus, the .com gTLD, among others, provides a perfectly adequate (if not superior) substitute to a .xxx registration.

However, the court was not so forgiving as to the defensive registration market. It held that Manwin adequately identified an adversely affected market in defensive registration because Manwin asserted that trademark owners and registrants of domain names in other gTLDs were compelled to register domain names in the .xxx TLD for defensive or blocking purposes, to protect their marks or other domain names from a loss of goodwill, prevent consumer confusion, or prevent association with adult entertainment. The court found no economic substitute for this market, as, it found the “only way to block a name in the .xxx TLD is to register a name in the .xxx TLD.” Therefore, the antitrust case will proceed with respect to the defensive registration market.

This decision has enormous potential consequences to the domain name registration market, particularly with the coming roll-out of new gTLDs. By way of example, one of the applied-for new gTLDs is .hotel. While Marriott has a very popular website located at marriott.com (as do Hyatt at hyatt.com, Hilton at hilton.com, etc.), these hoteliers may feel compelled to register their corresponding names and trademarks in the .hotel TLD, to protect against cybersquatters.

Compounding the problem, particularly for those with famous marks, is the issue of “typosquatters” who may register common misspellings of the mark in the new gTLD (such as marriot.hotel). Thus, the defensive registration market identified by Manwin has implications that extend far beyond the .xxx TLD — although .xxx has its own unique challenges not found with more mundane gTLDs, as the .xxx TLD’s association with adult content and pornography has the very real potential to tarnish otherwise unrelated marks. Imagine, for instance, pepsi.xxx (probably bad) versus pepsi.hotel (probably innocuous). Whether the existence of this case will cause a delay in the launch of the new gTLDs remains to be seen. It would seem that ICANN would proceed cautiously, as an adverse ruling might lead to a requirement that the registry contracts for gTLDs found to violate antitrust laws be unwound. Time will of course tell.

However, in the end, while Manwin seems to have hit upon a soft spot in ICANN’s shield, its claims ultimately seem overblown and contrary to the rights enjoyed by trademark owners and domain name registrants with respect to .xxx registrations. Setting aside blocking/sunrise rights that were afforded to trademark owners in advance of the public rollout of the .xxx TLD, trademark owners have extraordinary rights with respect to infringing domain names registered in .xxx. A trademark owner has available to it three means of challenging an infringing domain name registered in the .xxx TLD. These are the Rapid Evaluation Service (RES), the Charter Eligibility Dispute Resolution Policy (CEDRP), and the Uniform Dispute Resolution Policy (UDRP).

The RES provides a quick take-down process for infringing registered word marks or personal names of individuals. If an RES claimant shows that the domain name is identical or confusingly similar to a registered word mark that the claimant owns and uses, that the registrant has no rights or legitimate interests in the disputed domain name, and that the domain name was registered and is either being used in bad faith or cannot possibly be used in good faith, the domain name is directed to a page which states that the domain name has been deactivated. Temporary take-downs pending a final decision may be effected within two business days.

Trademark owners may also initiate a CEDRP proceeding, which will be handled by NAF, to challenge .xxx domain names that are being used in violation of the Adult Entertainment Industry eligibility requirements for the .xxx TLD (for instance, the example of pepsi.xxx, above). If the trademark owner is successful in a CEDRP proceeding, the offending domain name registration will be cancelled.

In addition, a trademark owner may initiate a UDRP proceeding with respect to a .xxx domain name registration, just as it might for an infringing domain name in any other TLD. Such a proceeding might result in the cancellation or transfer of the offending domain name – though if the registrant is not engaged in the adult entertainment industry, the domain name will not resolve.

In the meantime, since the Court’s ruling allowing Manwin’s case to proceed, ICM Registry has filed a counterclaim against Manwin, asserting antitrust and trade libel claims, amongst others. In the end, this battle promises to have consequences that extend far beyond the .xxx world in which it is clothed.

Ifrah Law is a leading white-collar criminal defense firm that focuses on online fraud and abuse.

related practices at ifrah law:
Online Fraud and Abuse
posted in:
Internet Law
Oct 31
2012

Why California AG’s Online Privacy Crackdown Makes a Big Difference

Companies that run websites must comply with laws and rules requiring the maintenance of personal privacy. While federal requirements such as those applicable to financial privacy and children’s privacy gain significant attention, website and app developers also should pay careful attention to state privacy requirements. State regulators are monitoring websites and apps for compliance with their privacy mandates.

Given the open nature of the Internet, companies and Web developers, as a practical matter, need to comply with the strictest state privacy requirements — since they can assume that their sites will be accessed from all the states.
So the recent letters sent by California Attorney General Kamala Harris to 100 companies and mobile app developers (including Delta, United Continental and Open Table), asking them to bring their privacy policies in line with California state law, are highly relevant to anyone whose Web site is going to be accessed in California.

In these letters, Harris gave companies and developers 30 days to come up with a plan to comply with the California privacy law, or tell her why it does not apply to a particular app. After the 30 days are up, Harris will apparently sue the firms or developers that aren’t complying, with a potential fine of up to $2,500 each time the app is downloaded.
The letters target companies that do not “have a privacy policy reasonably accessible for consumers” for their apps.

“Protecting the privacy of online consumers is a serious law enforcement matter,” Harris said in a statement. “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.”

According to a press release from Harris, the letters “are the first step in taking legal action to enforce the California Online Privacy Protection Act, which requires commercial operators of online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy.”

Earlier this year, Harris helped create an agreement among the seven leading mobile and social app platforms to improve privacy protections for those who use apps on their smartphones, tablets, and other electronic devices. According to her release, these companies – Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion – agreed to privacy principles designed to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy.

The agreement allows consumers the opportunity to review an app’s privacy policy before they download the app rather than after, and offers consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store.

We must emphasize that anyone who makes apps and websites available to consumers must comply with state as well as federal requirements. The California actions will only be the beginning.

Ifrah Law is a leading white-collar criminal defense firm that focuses on data privacy.

related practices at ifrah law:
Data Privacy
posted in:
Privacy
Oct 25
2012

Report From an Energized WIPO Conference in Geneva

Each October, the World Intellectual Property Organization (WIPO), a United Nations agency, hosts at its Geneva, Switzerland, headquarters about 50 participants from around the world for a two-day conclave to discuss recent developments and issues surrounding domain name trademark disputes. This conference brings together, in one place (as an added bonus, scenically overlooking Lake Geneva and the French Alps) representatives of domain name registrars and registries, and lawyers from every corner of the globe to discuss the Uniform Dispute Resolution Policy (UDRP), which governs disputes between domain name registrants and trademark owners in most generic top-level domains (gTLDs).

With ICANN’s roll-out of new gTLDs imminent, the UDRP is likely about to experience increased use and importance, as cybersquatters will doubtless target brand owners whenever and wherever possible in the new gTLDs.

The UDRP is not without its faults — but, in general, it provides brand owners with a fast, relatively inexpensive and effective means to shut down domain names that are registered to take advantage of the goodwill attached to their trademarks. At this year’s conference, as with those in years past, the most hotly contested issues involve domain names that  resolve to “criticism” websites. It is with these issues that legal and cultural differences on the borderless Internet intersect and conflict. Many (but certainly not all) representatives from the United States see these issues through the lens of freedom of speech, while participants from elsewhere have no such point of reference. These cases come in two basic flavors.

First, there are the “trademark sucks” sorts of cases (the ubiquitous “suck sites”), and second, there is the more harmful “trademark.com” cases, which then resolve to a site critical of the trademark owner.

Suck site cases are less harmful because there is less risk of initial interest confusion – the likelihood that an Internet user would type the name into his or her browser thinking that the site belonged to the trademark owner. But in this era of the Internet in which search engines drive a great deal of traffic, such sites can cause great harm. However, a small consensus seems to lean toward finding that such domain names are not infringing.

The more hotly contested issue continues to be the trademark.com (including typos, hyphenations and other close variants of the trademark) cases. First Amendment considerations make it very difficult for a trademark owner to retrieve these domain names, when used for noncommercial purposes, in U.S. courts; in other parts of the world, this is not the case. But one UDRP panelist from the United States pointed out that the UDRP process is not a governmental act, and therefore he believes (correctly, I think) that the UDRP should pay no heed to these considerations. At bottom, U.S. trademark owners facing such situations should consider pursuing UDRP cases, understanding that even if they prevail, if the case ultimately lands in court, the likelihood of a successful outcome is diminished.

Other topics discussed included the new proposals for Rights Protection Mechanisms (RPMs) associated with the new gTLDs. While many of these RPMs remain in the discussion stages, they promise to bring to the fore new opportunities for trademark owners to protect their trademarks against cybersquatters who begin infringing in the new gTLD space. A good summary of all of the RPMs can be found here. The most interesting among these is the proposed Uniform Rapid Suspension System, which may bring about a means to temporarily suspend a name (that is, redirect the domain name to a web page revealing the suspension) in an expedited fashion. The devil will be in the details, as the costs and specifics of the proposed program are still up in the air. ICANN, WIPO and the other stakeholders are working on the details, and if implemented, this has the potential to provide trademark owners with another tool to combat those who damage their brands.

WIPO’s conferences are always first class and informative, and the opportunity to hear from and confer with talented, knowledgeable (and opinionated) domain name lawyers from around the world is always a pleasure and a privilege. I was able to meet and work with people from all over the world –from a representative of the Tanzanian registry, to brand managers from Sweden, to IP lawyers from China and Taiwan. And from it, we all are better able to serve our clients who do business on the Internet, which knows no national boundaries.

Ifrah Law is a leading white-collar criminal defense firm that focuses on e-commerce.

related practices at ifrah law:
E-Commerce
posted in:
Internet Law
Connect with Us Share

About Ifrah Law

Crime in the Suites is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, healthcare, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen, David Deitch, and associates Rachel Hirsch, Jeff Hamlin, Steven Eichorn, Sarah Coffey, Nicole Kardell, Casselle Smith, and Griffin Finan. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts