The memorandum issued the following recommendations:

Data Breach Guidance to Agencies

The Office of Management and Budget should issue a memorandum guiding agencies on when and how notice must be given to individuals at risk for identity theft due to a security breach. The suggested memorandum, titled “Recommendations for Identity Theft Related Data Breach Notification” was released almost concurrently with the Task Force’s memorandum.

Development of Universal Police Report for Identity Theft Victims

Identity theft victims my require official police reports to contest fraudulent information on their credit reports. A universal identity theft police report ensures that all necessary information is collected. It also allows identity theft victims to print the report from online, fill it out and bring it to their local enforcement agency for verification. Currently, individuals may also file an official complaint with the Federal Trade Commission on the FTC website. A universal form of filing complaints, reduces the strain on law enforcement agencies and  allows streamlining of investigations.

Extending Restitution for Victims of Identity Theft

The Task Force recommended to Congress that defendants be required to pay their identity theft victims monetarily for the time lost due to investigating, responding to and correcting fraudulent activity on their credit reports. This created extra penalties for committing identity theft, as well as allowed some renumeration to be paid to identity theft victims for their troubles, in addition to settling any financial disputes related to the fraudulent activity.

Reducing Access of Identity Thieves to Social Security Numbers

All agencies in the public sector should limit the use of Social Security Numbers as an individuals main identifier in an information system. The Office of Personnel Management was instructed to assign employee identification numbers for common use to eliminate the widespread use of SSN as the primary identifier for government employees. The OPM was also instructed to develop policies for the appropriate use and protection of Social Security Numbers. Further more all agencies were asked to review their use of SSNs in physical and electronic records systems to eliminate and restrict its usage where possible.

Developing Alternative Methods of Authentication Identities

The Task Force recommended that agencies confer with privacy and security experts in the private sector to create and implement technologies that use identifiers such as biometrics to authenticate identity. Biometric identifiers are harder for identity thieves to replicate or abuse. Using biometric identifiers in order to access personally identifiable information would significantly increase the protection to sensitive data.

Improving Data Security in the Government

The Task Force asked that the Office of Management and Budget and the Department of Homeland Security work together to investigate privacy practices in the Federal government and develop a list of the top mistakes that affect an agency’s ability to adequately protect data. This document was published in 2007 under the title “Common Risks Impeding the Adequate Protection of Government Information.”

Improving the Agencies’ Ability to Respond to Data Breaches in the Government

Agencies were instructed to develop and publish a “routine use” policy for their systems of records under the Privacy Act. These “routine use” policies would allow agencies to share PII–without the prior consent of the individual–with other agencies in order to respond effectively to security breaches.

Summary

In 2006, the Presidential Identity Theft Task Force allowed the U.S. Government to quickly analyze federal information security practices and create appropriate recommendations and plans to increase protection. Of the seven recommendations put forth by the Identity Theft Task force in 2006, several have been fulfilled and/or implemented in to government practice. Today, the Task Force continues to discuss ways in which the U.S. Government can increase the protection of its data holdings to prevent unauthorized disclosure and expose citizens to the threat of identity theft. While only the Federal Government was required to implement many of the guidelines, they serve as a model for institutions in the private sector concerned with identity theft.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Recommendations of the Identity Theft Task Force, September 2006

FTC and Fair Information Practices

The Federal Trade Commission developed a set of guidelines to govern the collection, use, maintenance, and disclosure of personal information in order to protect personal privacy. While the principles in themselves are not law, they have been incorporated into many privacy laws which allow the principles to be enforced. The Gateway Learning Company was found to be in violation of the first two principles, notice and consent.

The Fair Information Practice Principles require:

• Notice to the individual regarding the privacy policies of the organization including how information is used and any disclosure to third parties. Notice must also be provided to the individual for any alteration in the privacy policies.
• Consent from the individual regarding the use of their information for secondary uses and its disclosure to third parties.

Allegations

The FTC brought the following allegations against the Gateway Learning Company:

• That they violated their own privacy policies by renting personally identifiable information (PII) collected from customers to third parties without the customer’s consent.
• That they violated their own privacy policies by renting personal information (age/gender) about children under the age of 13 to third parties without the customer’s consent.
• They committed unfair trade practices by retroactively applying a new privacy policy to information collected under the old privacy policy.
• They committed unfair trade practices by failing to provide adequate notice to consumers regarding privacy policy changes.

The Privacy Policies in Question

The original privacy policy stated:

We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer’s explicit consent. We do share information with third parties that help us run our operations or provide services to customers (e.g., credit card processing and shipping companies), but only to the extent necessary to provide these services.

It also stated the following regarding children’s personal information:

The Site does not sell products for purchase by children; we sell children’s products for purchase by adults. Children under 13 years of age may not submit personal information without the consent of their parents. We do not provide any personally identifiable information about children under 13 years of age to any third party for any purpose whatsoever.

We may in the future offer products to be used by children online, some of which may require you to enter additional information such as a child’s age, gender or reading ability in order to deliver a quality experience. A child’s participation in such a program will be entirely at your discretion. Again, no personally identifiable information about children under 13 years of age will be shared with any third party for an purpose whatsoever.

It also stated the following regarding changes to the privacy policy:

If at some future time there is a material change to our information usage practices that affect your personally identifiable information, we will notify you of the relevant changes on this Site or by email. You will then be able to opt-out of this information usage by sending an email to: webmaster@hop.com. You should also check this privacy policy for changes.

In April, 2003 the Gateway Learning Company violated its privacy policies by disclosing, name, address, telephone numbers, purchasing history, and the names and ages and genders of the customer’s children with telemarketers and direct mail marketers.

On June 20, 2003 a new privacy policy was placed in effect:

The new privacy policy did not alter its policies regarding the use of children’s personal information or providing notice regarding changes to the policy. It did however change the policies regarding sharing information with third parties.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at webmaster@hop.com with the word do-no-share in the subject line.

Despite their stated privacy policies, no email was sent or special notices posted to the website to alert customers to a change in the policies.

On July 17, 2003 another revised policy was posted:

The new policy changed the process for opting out of third party disclosures.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at do-not-rent@hop.com with your full name in the subject line. Please be sure to include your first name, last name, address, city, state, zip code and phone number to ensure we can process your request. We will process your request promptly. Please be aware that  you may receive another contact before your name removal takes effect. We regret any inconvenience this may cause.

The new policy also changed its statement regarding children’s privacy.

The Site is not targeted to children, and we not knowingly collect personally-identifiable information from children under the age of 13 on this site. We do not sell products for purchase by children; we sell children’s products for purchase by adults. This site is entirely aimed at adults.

FTC Consent Agreement

After investigations, the FTC found the Gateway Learning Corporation to have used unfair and deceptive trade practices and brought enforcement actions against the company. The Consent Agreement was the settlement reached to resolve the issue.

Bar on Misrepresentation

The bar on misrepresentation reinforces the rules regarding the Fair Information Practice principles which the company had violated. Under the agreement, Gateway Learning was banned from:

• Misrepresenting the use of collected information including whether it is sold, rent, or loaned to third parties
• Misrepresenting whether information about children under the age of 13 will be disclosed to third parties
• Misrepresenting how customers will be notified by changes to privacy policies
• Misrepresenting how the company will collect, use or disclose information

Ban on Disclosure of Personal Information to Third Parties

The ban on disclosure reinforced the protection of privacy for consumers whose personal information was collected prior to June 20, 2003 when the privacy policy was changed. The ban requires:

• Express, affirmative (opt-in) consent of the individual prior to the disclosure of any information to third parties
• The new privacy policies may not be applies to information collected prior to the June 20, 2003 policy change without the express affirmative consent of the individual.

Maintenance of Relevant Documents

This part of the agreement set up a way to ensure compliance for a period of 5 years. Under this provision, Gateway Learning must provide the FTC with the following documents:

• A copy of each different privacy statement or communication including the date, full text, URL and graphics
• A copy of the document sent to consumers to obtain their express affirmative consent and any documents provided by customers confirming their consent
• All invoices, communications and documents that relate to the disclosure of personally identifiable information to third parties.

Delivery of Order

This part of the agreement dealt with the administrative task of ensuring enforcement in the work force.  The Gateway Learning companies was required to deliver a copy of the FTC agreement to all present and future employees with managerial responsibility related to the subject matter of the order.

Reporting

This part of the agreement requires Gateway Learning to notify the FTC 30 days before a corporate change which might affect compliance with the order. It also required Gateway Learning to file a report with the FTC setting forth their compliance within 60 days of service of the order and periodically after that, as requested.

Duration

Unless otherwise indicated, the order terminates after 20 years. Each violation of the final order may result in a civil penalty of up to $11,000

Fine

Gateway Learning was fined $4,608 which was the total profits received from the renting of personal information.

In Conclusion:

The Gateway Learning Case holds a significant place in privacy law because it demonstrated that the Federal Trade Commission is willing to pursue and enforce privacy violations. Since the Gateway Learning Case the FTC has continued to enforce privacy issues, especially any violations of the Children’s Online Privacy Protection Act which protects the personal information of children.

A website operator must be concerned with COPPA compliance if:

• The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.
• The website targets a general audience but has a separate child oriented section.
• The website targets a general audience and children under the age of 13 are known to access the site.
• The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.
• The website is operated by the Federal Government. Under the Office of Management and Budget, the U.S. Federal Government is required to comply with COPPA on all of its websites targeting children

COPPA Compliance

COPPA primarily uses the fair information practice principles of Notice and Consent to protect children’s information.

In order to comply with COPPA, a website operator must:

1.  Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice

2.  Obtain verifiable parental consent prior to collecting personal information

3.  Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third party use and disclosure

4.  Participation on the website may not be limited by requiring the collection of information that is not reasonably necessary

A COPPA compliant privacy notice must include:

1. Legitimate contact information for the website operator/data owner
2. The type of information that is collected
3. How the information will be use
4. Notice of any third party disclosure

Verifiable Parental Consent:

Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.

Prior parental consent is not required to collect a child’s name and email address only if:

• The information is obtained in order to provide notice to the parent or obtain parental consent
• The information is collected to respond once to a specific inquiry by the child and not used for further communications
• The information is used to ensure the safety of a child and is not used for any other purposes
• The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety

In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child)

Parental Consent for Public Disclosure

If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features they must obtain verifiable parental consent of public disclosure. This also applies to site which may disclose personal information to third parties for secondary uses and marketing purposes.

Consent options include:

• A printable form that can be signed then mailed or faxed back to the website operator
• Obtain a parent’s credit card information in connection with a transaction which may include subscription fees, purchases or a credit card processing fee.
• Provide a toll free line staffed by professionals to which parents may call and provide verbal consent
• Obtain consent through an email that contains a digital signature that uses a public key that has been verified by one of the above methods.

Parental Consent for Internal Use

If the website does not publicly disclose the child’s information either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features then the information will only be used within the site to contact the child.

Consent options include:

• Any of the methods used for public disclosure
• The Email Plus option in which:
  • An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or
  • After a reasonable length of time has passed, a second email is sent asking for the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the the parent with information on how to revoke their consent.

Enforcement of COPPA

COPPA is enforced by the Federal Trade Commission and through the a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs which encourages industry self regulations.

There are several online assurance programs that offer a COPPA compliant Safe Harbor Program including:

• TRUSTe
• The Children’s Advertising Review Unit
• The Entertainment Software Rating Board

Unlike other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a history of investigating privacy complaints and taking action against website and companies violating the rule.

Summary

COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’t personal information. Any website that may be frequented by children under the age of 13, must comply with the COPPA ruling if personal information is collected.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)

What is Choice/Consent?

Choice/Consent is the second of five Fair Information Practices published by the FTC to guide the collection, use and disclosure of personal information. The FTC states,“At its simplest, choice means giving consumers options as to how any personal information collected from them may be used.”

There are two forms of consent exercised by individuals.

Opt-in requires the affirmative consent of the individual. The user must take action to allow a business to process their information and provide a product or service. For example, a user may visit a website and submit their email or check a box with their registration to receive the site’s email newsletter.

Opt-out requires the implicit consent of an individual. Since a user has not taken action to stop the processing of their information, they are said to give implicit (unspoken or assumed) consent. When a user receives marketing messages in their mailbox they no longer wish to receive, they may unsubscribe from the newsletter. This is consider opting-out.

The use of the choice/consent mechanism as the main regime for protecting personal information has been widely criticized. It is believed that many consumers are not aware or educated enough in privacy law to understand their rights and ability to control information.

Secondary Use of Information

The FTC defines secondary use as “uses beyond those necessary to complete the contemplated transaction.” Companies are required by law to state in their privacy policies any secondary uses of information including whether it may be disclosed to third parties.

The control of personal information with regard to marketing is the most common implementation of choice/consent. It is used to control the receipt of marketing messages, the use and disclosure of information to third parties, and the collection of information through cookies in order to create tailored advertising. Though the disclosure of information may be necessary to complete a transaction with a company, an individual is allowed to object to any and all secondary use or disclosure of their information.

Mandatory vs. Optional Data Collection

Mandatory is any information that is necessary to complete the immediate transaction. Optional information includes any information an entity may wish to collect about an individual for internal purposes, but is not required to complete the immediate transaction. In a web form, mandatory field must be filled in before the form can be submitted. Optional fields may be left blank or unanswered and the form will still process. By completing optional information fields, an individual is giving their consent to the collection and use of such information.

Businesses practicing responsible information privacy will limit the collection of information, especially that which is optional because the more information collected, the greater the risk to privacy.

Choice/Consent and Regulations

The CAN-SPAM Act of 2003 regulates email marketing messages in the U.S. In addition to content regulations, the CAN-SPAM Act requires all marketing messages to have an unsubscribe mechanism at the bottom and that consumer requests be honored with ten days.

The European Data Directive addresses consent in Article 7 which requires data subject consent for the processing of data, though consent is not required for a few, specific situations. It is also addressed in Article 14 which guarantees the data subjects right to object to the processing of data. Furthermore, Article 8 requires the explicit consent of a data subject to process sensitive information such as racial or ethnic origins, political or religious beliefs, sexual orientation, health information, or trade union membership.

Almost all data protection laws allow individuals the opportunity to make choices regarding the use of their personal information.

In Conclusion:

Choice/Consent deals with an individual’s ability to control the use of their information. Because, as of now, the choice/consent regime is the major framework for protecting privacy in many industries, it is the duty of the consumer to read privacy practices and make informed decisions regarding how they wish their information to be used.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• The Collective View of Privacy Principles: Choice/Consent (I.E.ii)
• Privacy Considerations Online including choice and consent, secondary use of data and mandatory vs. optional information. (III.B.c.i-iii.)

What is Safe Harbor?

In 1995, the E.U. implemented a comprehensive law, the Data Protection Directive, which created strong standards and principles governing the use and protection of data. Any data transferred within the E.U. or the European Economic Area would be protected under the law. However, personal data transferred to other countries would not be guaranteed the same protection. The Data Protection Directive restricts the transfer of data with other countries unless they meet a comparable level of data protection.

Data protection in the United States, which is more commonly known as information privacy, is governed by a number of sectoral laws that protect data within specific industries, ie: HIPAA protects personal health information, FACTA protects personal information in the financial sector. The U.S. has no central or comprehensive data protection regime and therefore, the E.U. finds data protection in the U.S. to be inadequate.

To facilitate unrestricted, data transfer between the United States and the European Union, the Safe Harbor agreement was created to allow U.S. companies the opportunity to raise their level of data protection and achieve “adequate” status, thus meeting the restriction rules for onward transfer to third parties under the E.U. Data Directive.

The Benefits of Safe Harbor Compliance

In 2000, when the Safe Harbor agreement was developed between the E.U. and the U.S., data transfers accounted for over $ 300 Billion dollars in trade. Safe Harbor allows such exportation and importation of data to continue while still protecting the personal data of European citizens. Though the Safe Harbor agreement requires stricter privacy standards for U.S. companies, than is required by U.S. law it is really to the benefit of both sides that such an agreement exists.

Participating U.S. companies enjoy the privilege of the Safe Harbor Agreement which demands that all E.U. member states allow unrestricted data transfers with any and all Safe Harbor certified participants. This means that certified companies may not be denied transfers by individual data controllers or Data Protection Authorities according to their own agendas.

Furthermore, complaints brought against a U.S. entity by European citizens regarding the protection of their personal data are heard in U.S. courts and the Safe Harbor program is under U.S. enforcement.

Safe Harbor also eliminates the need, or grants automatic approval for, data transfers creating a more cost and time efficient system. Companies may choose not to join the Safe Harbor agreement and make individual agreements or model contracts with a Data Protection Authority, but this may increase the time and energy needed to allow for the unrestricted transfer of data.

How Does a Company Become Safe Harbor Compliant?

The Safe Harbor program is voluntary. In order to participate, an entity must complete a self certification process annually with the Department of Commerce. To do this a company may join a self regulatory privacy program such as the BBB online, which audits companies to review their privacy policies and business operations to provide certificates of compliance with Safe Harbor. Or an entity may choose to create their own self-regulatory privacy policy which adheres to all Safe Harbor principles. Furthermore, the entity must publicly state in their privacy notice that they are Safe Harbor compliant.

The Safe Harbor Principles

The following principles must be included in a Safe Harbor compliant privacy policy.

Notice

• The data subject must be notified about the purposes for which personal information is collected and used.
• The data subject must be notified about contact methods to file inquiries and complaints.
• The data subject must be notified about the types of third parties to whom personal information may be disclosed.
• The data subject must be provided with their choices and means of limiting disclosure of their personal data.
• Notice should be provided at the time when information is first collected or shortly thereafter and must be provided before data is processed or disclosed.

Choice

• The data subject must be able to opt-out of third party disclosures.
• The data subject must be able to opt-out of secondary usage of information.
• The data subject must give affirmative consent (opt-in) for the disclosure or use of sensitive information.

Onward Transfer

• All third parties to whom data may be transferred must follow the Safe Harbor principles or Data Directive compliant. The same level of protection must be guaranteed no matter how many times data is transferred.

Security

• Entities that process data in any stage of its life cycle (collection, use, analysis, storage) must take reasonable measures to protect against data loss, destruction, misuse and unauthorized access.

Data Integrity

• Data may only be processed or used as it is related and proportional to the purposes for which it was originally collected.
• An entity should take reasonable steps to ensure data is accurate, timely and complete.

Access

• Data subjects must be able to view the information an organization holds about them.
• Data subjects must be able to correct, add to, or delete inaccurate information.

Enforcement

• A recourse mechanism must be in place for data subjects to file complaints, have disputes investigated, and resolved.
• An entity must have a mechanism to verify that the stated privacy policy and business operations are compliant with the Safe Harbor agreement. Audits should be completed annually.
• It is the obligation and responsibility of the entity to remedy any problems with compliance in a timely fashion.

Enforcing Safe Harbor

U.S. compliance with Safe Harbor is largely self regulated. Entities may choose to complete self verification of compliance and investigate complaints internally. Companies also have the option of using private, third party dispute resolution mechanisms, that have gained a reputation of trustworthiness to verify their compliance and investigate disputes.

Some well known, third party dispute resolution service providers include:

• The Better Business Bureau Online
• The Direct Marketing Association
• The Entertainment Software Rating Board

Third party dispute resolution providers are self regulated and not certified by the Department of Commerce or the FTC. Therefore, it is the legal responsibility of the entity to choose a program that is Safe Harbor compliant.

Though, Safe Harbor has not been strictly enforced in the past, there are regulations within the privacy and trade law to punish violators. Misuse of the Safe Harbor agreement can qualify as “unfair or deceptive trade practices” under Section 5 of the Federal Trade Commission Act. The FTC may take action against offenders including conducting formal hearings, and issuing cease and desist or temporary restraining orders. Failing to comply with an FTC order may carry a penalty of up to $11,000 for every day of continued violation and any entity that knowingly violates an FTC rule may be subject to the same penalty.

Safe Harbor in the News

Historically, the FTC has done very little to enforce Safe Harbor compliance. However, that has begun to change. In August 2009, the FTC publicly announced a suit against a California based company, Balls of Kryptonite, which purposely misled UK consumers to believe it was an E.U. company by using a .co.uk domain address. Furthermore, the company stated in its privacy policy that it was Safe Harbor compliant though no certification had ever been filed.

Then, in October 2009, the FTC filed settlement complaints against six multinational companies that had lapsed in their compliance but failed to alter their privacy policies to notify data subjects of the change. The recent enforcement has sent the message to business owners that the FTC may no longer rely on private, self-regulation to provide adequate enforcement. Since Safe Harbor compliance requires a public statement in privacy notices stating participation in the program, the FTC needs only to compare their current list of Safe Harbor participants with the privacy notice of an entity to gain evidence of unfair or deceptive trade practices. There is also speculation that the audits may be conducted in the future for companies with current certifications, to verify full compliance with all Safe Harbor regulations.

Data protection, especially with regard to onward transfer, continues to remain a significant issue in International politics. In the first week of November 2009, the United States and European Union, recognizing the weaknesses in current regulation, joined together to create a common set of principles to govern the transfer of personal data. That same week, privacy representatives from around the world met in Madrid for the International Data Protection and Privacy to create a universal standard of privacy and data protection, in the hopes of eventually creating a universal data protection law.

In Conclusion:

Companies wishing to conduct legal and successful business on a multinational level must be concerned with the protection of data both when it is transferred to and from the United States. Agreements, like Safe Harbor, allow the United States and the European Union to continue a mutually beneficial trade relationship, however, the agreement alone does not guarantee data protection. Participating U.S. companies need to ensure Safe Harbor compliance to build trust in their organization, as well as in the program to allow such agreements to continue in the future, despite the differing approaches the U.S. and the E.U. take regarding data protection.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• The Collective View of Privacy Principles (Foundations I.E) including Notice, Consent, Access, Security, and Quality
• Privacy and Data Protection Regulation (Foundations: I.F) including Onward Transfer, Safe Harbor, and the E.U. Data Protection Directive

The Federal Trade Commission and State Attorneys General enforce federal and state laws of consumer privacy protection for Unfair or Deceptive Trade Practices (UDTP).  One recent example was the State of Maine’s consumer protections, which are more restrictive than the federal laws with respect to cigarette labeling.  The State brought suit against a tobacco manufacturer for violating the state’s deceptive trade law, which the manufacturer argued was out of line due to the Federal Cigarette Labeling Act.  The Supreme Court decision upheld the State’s right to pass more restrictive legislation, pointing out:  

Neither the Labeling Act’s pre-emption provision nor the Federal Trade Commission’s actions in this field pre-empt respondents’ state law fraud claim. Pp. 5–20. 

 (a) Congress may indicate pre-emptive intent through a statute’s express language or through its structure and purpose. See Jones v. Rath Packing Co., 430 U. S. 519, 525. When the text of an express pre-emption clause is susceptible of more than one plausible reading, courts ordinarily “accept the reading that disfavors pre-emption.” 

The rationale in (a) requires express language for a federal law to negate a State’s right to create more restrictive legislation.  The first citing by the high court becomes the contentious issue for House Bill H.R. 2221, proposed by Illinois Representative Bobby Rush.  The bill tackles several tough interstate commerce issues, placing the FTC in charge of disposal regulations for obsolete or abandoned paper records containing personal information, breach notifications and verification requirements for information brokers.  Section 6 of the so-called Data Accountability and Trust Act includes a provision reading:

 (a) …This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly–

1. requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and
2. requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.

(b) Additional Preemption-

1. IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act. 

This would strike several of the state privacy and notification laws (possibly including California’s SB 1386), stripping the State’s rights and growing Washington’s power.  It also bars the State Attorneys General from bringing suit, possibly in an effort to avoid a double jeopardy situation.  There are numerous case studies of the FTC and State Attorneys General working hand-in-hand for consumer protection; why this law tries to hamstring the situation is a bit of a mystery.

One more interesting note on Representative Rush’s proposal – the bill also places an encryption exemption on breach notification.  As we noted in a recent post on corporate disposal policies, hackers and researchers seem to notice protection missteps and use them to bypass security provisions just like encryption.

The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.

The law has a 10 year lifespan, which should be a decent requirement before the Advanced Encryption Standard (AES), currently the de-facto encryption standard (and as yet to be compromised), ages beyond its effectiveness.

Update: President Obama’s May 20th, 2009 Memorandum on the Subject of Preemption and State’s Rights quotes Justice Brandeis saying, ”[i]t is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Regulatory Authorities (CIPP: I.A.c) including: The Federal Trade Commission
• Enforcement of U.S. Privacy and Security Laws (CIPP: II.B.d, I.A.c) including: Unfair and Deceptive Trade Practices (UDTP), and enforcement powers under the FTC Act section 5 
• Privacy and Data Protection Regulation (Foundations: I.F.a, I.F.b) including: Sectoral legal framework 
• National data protection regimes (Foundations: I.F.b) including: State’s Rights 
• Specific Privacy and Security laws (CIPP: I.B.g) including: Breach notification
• Information Security (Foundations: II.C) including: Encryption

One item receiving only cursory treatment: End User License Agreements (EULAs).  At the initial peak of the Peer-to-peer file sharing in 2004, the FTC solicited input from industry through one of their workshops.  Several points brought up during that conference surrounded EULAs and how file sharing products such as eDonkey and Gnutella included quite extensive licenses.  This resulted in recommendations such as search-ability and slide bars to avoid hiding potential monitoring or questionable privacy practices within agreement.  In the FTC’s Guidance for Dot Com Disclosures the name of the game is visibility :

Making the disclosure available somewhere in the ad so that consumers who are looking for the information might find it doesn’t meet the clear and conspicuous standard.

This could easily carry over to the EULA.  It has been recently speculated by those in the gaming industry that the FTC could place begin regulating licenses.  Apparently, even though most software and service providers are legitimately creating the agreements without deceptive intent, they are difficult to understand for the typical consumer.  Then there are those that simply aren’t cooperating.  Is it time to limit the “legal-ese” and construct simple, plain language agreements?

“This is the industry’s last chance to get self-regulation right,” said Leslie Harris, President and CEO of the Center for Democracy & Technology. “The FTC report makes clear that the industry’s own efforts in this area have fallen short and must do more.”

The FTC held a “Behavioral Advertising” Town Hall in November 2007.  According to the FTC, Behavioral Advertising “is the practice of tracking an individual’s online activities in order to deliver advertising tailored to his or her interests.”  There are obvious privacy concerns with this sort of practice, as in order to create an individualized advertisement experience, a profile must be created.  That profile obviously incorporates some sort of marker, whether its a user name, cookie, serial number, or some other factor.

Will regulation foster better practices, similar to the Deceptive Trade Protections offered by the FTC, or will it simply mire the industry in more compliance quagmire?

This may have something to do with WalMart, Yahoo and Microsoft’s music services threatening pulling the plug on their DRM servers.  Customers purchasing a good (digital music) with known limitations of use (no mp3/music file copying) and no expiration date suddenly were told their investments would be worthless.  This seems perfectly in line with the announced purpose: “improve disclosures to consumers about DRM limitations”.

As a CIPP, privacy professionals should understand the FTC’s Congressionally appointed powers under the FTC Act to protect consumers, enforcing corporate promises on matters such as privacy and suitability of purpose through Section 5 of the Act.  The FTC typically brings action against unruly corporations under deceptive trade practices, with a variety of fines, process controls and reporting requirements.

A website operator must be concerned with COPPA compliance if:

• The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.
• The website targets a general audience but has a separate child oriented section.
• The website targets a general audience and children under the age of 13 are known to access the site.
• The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.
• The website is operated by the Federal Government. Under the Office of Management and Budget, the U.S. Federal Government is required to comply with COPPA on all of its websites targeting children

COPPA Compliance

COPPA primarily uses the fair information practice principles of Notice and Consent to protect children’s information.

In order to comply with COPPA, a website operator must:

1.  Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice

2.  Obtain verifiable parental consent prior to collecting personal information

3.  Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third party use and disclosure

4.  Participation on the website may not be limited by requiring the collection of information that is not reasonably necessary

A COPPA compliant privacy notice must include:

1. Legitimate contact information for the website operator/data owner
2. The type of information that is collected
3. How the information will be use
4. Notice of any third party disclosure

Verifiable Parental Consent:

Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.

Prior parental consent is not required to collect a child’s name and email address only if:

• The information is obtained in order to provide notice to the parent or obtain parental consent
• The information is collected to respond once to a specific inquiry by the child and not used for further communications
• The information is used to ensure the safety of a child and is not used for any other purposes
• The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety

In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child)

Parental Consent for Public Disclosure

If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features they must obtain verifiable parental consent of public disclosure. This also applies to site which may disclose personal information to third parties for secondary uses and marketing purposes.

Consent options include:

• A printable form that can be signed then mailed or faxed back to the website operator
• Obtain a parent’s credit card information in connection with a transaction which may include subscription fees, purchases or a credit card processing fee.
• Provide a toll free line staffed by professionals to which parents may call and provide verbal consent
• Obtain consent through an email that contains a digital signature that uses a public key that has been verified by one of the above methods.

Parental Consent for Internal Use

If the website does not publicly disclose the child’s information either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features then the information will only be used within the site to contact the child.

Consent options include:

• Any of the methods used for public disclosure
• The Email Plus option in which:
  • An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or
  • After a reasonable length of time has passed, a second email is sent asking for the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the the parent with information on how to revoke their consent.

Enforcement of COPPA

COPPA is enforced by the Federal Trade Commission and through the a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs which encourages industry self regulations.

There are several online assurance programs that offer a COPPA compliant Safe Harbor Program including:

• TRUSTe
• The Children’s Advertising Review Unit
• The Entertainment Software Rating Board

Unlike other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a history of investigating privacy complaints and taking action against website and companies violating the rule.

Conclusion:

COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’t personal information. Any website that may be frequented by children under the age of 13, must comply with the COPPA ruling if personal information is collected.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)