United States: Senator Markey And Representative Barton Reintroduce Do Not Track Kids Act (The Download - November 2013)

Last Updated: November 28 2013

Edited by Stuart P. Ingis and Michael A. Signorelli

HEARD ON THE HILL

Senator Markey and Representative Barton Reintroduce Do Not Track Kids Act

On November 14, 2013, the Do Not Track Kids Act (S. 1700 and H.R. 3481) was introduced in both chambers of Congress by Sen. Edward Markey (D-MA), Sen. Mark Kirk (R-IL), Rep. Joe Barton (R-TX), and Rep. Bobby Rush (D-IL). The bill's authors have cited increased use of the Internet by kids and teens as creating a need for the legislation. In 2011, Sen. Markey, who was then in the House, and Rep. Barton first introduced the bill in the House, where it stalled. Although now serving in separate chambers, these original sponsors have enlisted new co-sponsors from across the aisle to introduce a bipartisan bill in both the House and the Senate. The purpose of the bill is to amend the Children's Online Privacy Protection Act of 1998 ("COPPA") to include further restrictions for Internet companies seeking to collect and disclose children's and teens' personal and location information.

Unlike COPPA's current coverage, which applies to children age 12 and under, the Do Not Track Kids Act would expand the law to cover teens age 15 and under. The bill would prohibit Internet companies from collecting and disclosing personal information from kids (without parental consent) and from teens (without their consent). Consent from parents (on behalf of their children) and teens would also be required before online behavioral advertisements could be displayed. Additionally, the bill would create a "Digital Marketing Bill of Rights for Teens" limiting the collection of certain personal information. Another provision would create an "Eraser Button," which is a tool that parents and children could use to eliminate personal information made publicly available on the Internet.

House Bipartisan Working Group Continues Discussion on Privacy

On November 14, 2013, the Bipartisan Privacy Working Group of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade ("Working Group") held a second meeting to discuss the growing information-sharing capabilities and connectivity of consumer devices, known as the Internet of Things ("IoT"). The Working Group heard from representatives from industry and a former top official from the Federal Trade Commission. During this meeting, the Working Group participants discussed how the IoT could affect the average consumer through the integration of their household appliances, medical devices, and other "smart" items for everyday use. Participants also examined the extent to which any existing or proposed privacy laws could impact innovation within the IoT space.

On November 20, 2013, the Working Group held its third meeting on consumer privacy issues. The Working Group heard from the Direct Marketing Association ("DMA"), consumer interest groups, and a representative of the academic community. At this meeting, the DMA discussed the results of a new academic study that demonstrated the value of data to the U.S. economy. The DMA reported that data-driven marketing generates an estimated $156 billion annually and fueled more than 675,000 new jobs in 2012.

AROUND THE AGENCIES

Federal Trade Commission Holds Workshop on "Internet of Things"

On November 19, 2013, the Federal Trade Commission ("FTC") hosted "the Internet of Things" ("IoT") Workshop to explore potential consumer privacy and security concerns involving the flow of data across new technologies. "IoT" is a term that describes the exchange of data enabled by everyday devices. Industry stakeholders and consumer advocates came together to discuss both the impact increased connectivity will continue to have on privacy and lifestyles and ways to ensure personal data is protected. Panel topics included "The Smart Home," "Connected Health and Fitness," "Connected Cars," and "Privacy and Security in a Connected World."

Chairwoman Edith Ramirez began the workshop with opening remarks that highlighted the benefits and ramifications that the IoT can have for consumers. She noted that while the workshop would shed light on benefits and risks associated with increased connectivity of everyday devices, the FTC's ultimate goal was to address how to allow for continued use of devices in a manner that overcomes privacy and security issues. She identified three core elements of the FTC guidelines for privacy in the collection of data: (1) privacy by design; (2) simplified consumer choice; and (3) transparency. Chairwoman Ramirez concluded by encouraging companies to follow these guidelines when dealing with the collection of data to ensure consumers are informed and protected.

FTC Commissioner Maureen Ohlhausen also addressed the workshop. She commented on the potential the IoT has to benefit consumers and stated that the best approach the FTC can take regarding consumer privacy concerns is "informed action" —namely, (1) conducting policy research and development, (2) educating consumers and businesses, and (3) using traditional enforcement tools.

Jessica Rich, Director of the FTC's Bureau of Consumer Protection, delivered closing remarks, urging industry to take the lead to rethink the framework and to place privacy and data security at the forefront of new products. She concluded by stating that the FTC is not proposing new regulations on this matter, but is preparing a report (that will include some best practices) covering the workshop and related issues.

Federal Trade Commission to Hold Workshop on "Native Advertising"

The Federal Trade Commission's ("FTC") "Native Advertising" Workshop will take place on December 4, 2013. The workshop will serve as a platform to explore possible guidelines for "native advertising." While the FTC has not yet defined native advertising, some examples of the practice include sponsored posts and editorials on websites and social networks.

As advertising increasingly takes on different forms across websites and mobile applications, the FTC is exploring the issue to determine how advertising and publishing companies use disclosure methods to ensure consumers are informed and protected. During the workshop, industry stakeholders, consumer advocates and government regulators are expected to share best practices, regulatory approaches, and research to help develop a framework where native advertising can operate.

Government Accountability Office Report on Information Resellers and the Need for an Enhanced Consumer Privacy Framework

On November 15, the Government Accountability Office ("GAO") released a report to the public on information resellers with regard to the current consumer privacy framework. The report, carried out at the request of Sen. Rockefeller (D-WV), is titled "Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace." The GAO advised Congress to find a balanced approach by enhancing current privacy laws while ensuring that "any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord."1

The GAO stated that prescribed federal law altogether and separately, do not address the changes in technology and many do not meet the widely accepted Fair Information Practice Principles ("FIPPs"). The GAO also voiced concerns about new technologies and practices (e.g., mobile devices and online behavioral advertising) used by marketing and other entities that collect personal information, sometimes without the consumer being aware of how the data is being used. The report explained that the GAO's purpose in the study was to address three elements: "(1) privacy laws applicable to consumer information held by resellers, (2) gaps in the law that may exist, and (3) and views on approaches for improving consumer data privacy."2

The GAO listed several privacy laws it identified as limited in adequately governing marketing practices with regard to the collection of data and some as not meeting FIPPs, including the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accounting Act (HIPAA), Children's Online Privacy Protection Act (COPPA), Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA), Driver's Privacy Protection Act (DPPA), Family Educational Rights and Privacy (FERPA), Video Privacy Protection Act (VPPA), and Section 5 of the Federal Trade Commission Act.

National Institute of Standards and Technology Releases Draft Preliminary Cybersecurity Framework

On October 22, 2013, the National Institute of Standards and Technology ("NIST") released the draft Preliminary Cybersecurity Framework ("Framework") for critical infrastructure. The Framework was developed in accordance with Executive Order 13636 of February 12, 2013 concerning improving critical infrastructure cybersecurity. The Framework seeks to create a voluntary program that could supplement existing cybersecurity programs. The voluntary framework may apply to those organizations declared to be part of a critical infrastructure sector. The Executive Order described these sectors as ones that are "so vital to the United States that [their] incapacity or destruction...would have a debilitating impact on security, national economic security, national public health or safety[.]"3 A few of the sectors that the Department of Homeland Security has identified as critical infrastructure sectors are communications, financial services, energy, and information technology.

The Framework presents a three-part approach to cybersecurity consisting of the "Framework Core," the "Framework Profiles," and the "Framework Implementation Tiers." The Framework Core sets forth details for identifying risks in the context of an organization's business. The Core breaks this task into four elements: Functions, Categories, Subcategories, and Informative References. Functions are meant to organize cybersecurity risks at a high level. The five Functions are:

  • Identify: This function is where organizational assets and data are identified and risk assessment is done.
  • Protect: This function is where an organization decides how best to safeguard the identified assets from cyber threats.
  • Detect: This function is where an organization develops the ability to discover cybersecurity events.
  • Respond: This function is where an organization decides on plans of action to respond to a cybersecurity event.
  • Recover: This function is where an organization creates and implements procedures to restore critical infrastructure services after a cybersecurity event. Within each Function are a set of Categories and Subcategories that cover specific aspects of the function, such as Access Controls and Asset Management. Each category also contains citations to relevant Informative References, such as NIST standards.

The second part of the Framework is the Framework Profiles.

The Profiles are tools an organization can use to track its progress toward cybersecurity goals. By creating both a current and target profile an organization can see its areas of strength and weakness, and devote resources to where they are most needed. Finally, an organization ranks its progress toward its goals using the Implementation Tiers, ranging from Partial (1) to Adaptive (4), and revises these profiles as time goes on.

One notable addition to the Framework is an appendix discussing privacy and civil liberty protections. Earlier drafts of the Framework had been criticized for lacking details on such protections.

IN THE COURTS

Court Dismisses Class Actions Challenging Use of Third-Party Cookies on Safari Browsers

On October 9, 2013, a federal district court dismissed all of the legal claims raised against four online advertising companies in 25 putative class action cases consolidated as In Re Google Inc. Cookie Placement Consumer Privacy Litigation. The cases alleged that consumer plaintiffs' Safari browsers were set to block third-party cookies, but that code embedded in the defendants' advertisements enabled them to place third-party cookies on the plaintiffs' devices. The consolidated complaint charged the defendants with violations of three federal statutes: the Electronic Communications Privacy Act (or "Wiretap Act"), the Stored Communications Act ("SCA"), and the Computer Fraud and Abuse Act ("CFAA"). Plaintiffs also alleged violations of several California state laws against one of the defendants.

The Court, consistent with previous federal decisions involving the use of browser cookies, first held that the plaintiffs lacked standing to bring suit because they failed to allege that they had been injured. The Court found that, even if the defendants had collected plaintiffs' personally identifiable information via cookies, this would not establish that plaintiffs were thereby deprived of the value of the information. The Court went on to reject plaintiffs' arguments that they had standing based on defendants' alleged violations of their privacy rights protected by the Wiretap Act, SCA, CFAA, and California state laws. In a detailed decision, the Court ruled that the defendants' alleged cookie practices did not violate any of these laws.

U.S. District Court Holds Email Address Is Personal Identification Information under Song-Beverly: Capp v. Nordstrom, Inc.

On October 21, 2013, the U.S. District Court for the Eastern District of California determined that the California Supreme Court would likely deem an email address "personal identification information" under California's Song-Beverly Credit Card Act ("Song-Beverly," or the "Act"), at Cal. Civ. Code § 1747.08(b). Capp v. Nordstrom, Inc., No. 2:13-cv-00660- MCE-AC, (E.D. Cal. Oct. 21, 2013). The status of email addresses under Song-Beverly was a question of first impression for the court, which made the determination as part of denying defendant Nordstrom's motion to dismiss a class action lawsuit.

The court also concluded that Nordstrom did not meet its burden to show that the plaintiff's Song-Beverly claim is preempted by the federal CAN-SPAM Act.

Section (a) of Song-Beverly prohibits merchants from requiring cardholders to provide "personal identification information" as a condition to accepting a credit card for payment. Section (b) defines "personal identification information" as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number" (emphasis added). The plaintiff alleged that Nordstrom, Inc. ("Nordstrom") and other unnamed codefendants asked the plaintiff to provide his email address during a credit card transaction in order to send the plaintiff an electronic receipt, but then the defendants used the e-mail address to send the plaintiff unsolicited marketing materials in violation of the Act.

Relying on the California Supreme Court's ruling in Pineda v. Williams-Sonoma Stores Inc., 54 Cal.4th 524, 246 P.3d 612, (Cal. 2011), that "personal identification information" includes ZIP codes, the district court in Capp reasoned that the statutory phrase "concerning the cardholder" encompasses an email address because an email address "pertains to or regards a cardholder in a more specific and personal way than does a ZIP code" by permitting direct contact with and implicating the privacy interests of a cardholder, rather than simply referring to the general area in which a cardholder lives or works. Moreover, the court determined that this interpretation is "consistent with the statute as a whole and statute's purpose."

MARKETPLACE DEVELOPMENTS

Revised Payment Card Industry Data Security Standard Released

Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) was published in early November, three years after the previous update to the standard. The new standard is due to take effect on January 1, 2014, but companies will generally have until December 31, 2014, to come into compliance. Some revisions to the standard, which may require more transition time, will not require compliance until July 1, 2015.

Enforced by the major payment card brands, PCI DSS sets detailed mandates for the security of payment card information that apply to all companies that process credit card data. Verification requirements differ depending on the scale of a company's card processing operations. According to the PCI Security Standards Council, the self-regulatory body that administers PCI DSS, Version 3.0 is generally intended to provide covered companies with more flexibility, promote education and training, and make card security a "business as usual" effort rather than one focused on annual assessments. Some changes are aimed at tackling potential causes of data security breaches, such as malware and password weaknesses. At the same time, the changes are intended to provide more specificity about how compliance with the standard should be evaluated.

Of note for smaller businesses, PCI DSS Version 3.0 clarifies that the use of a compliant payment application does not relieve a merchant of its own PCI DSS obligations; rather, the PCI DSS review should include review of the application's configuration and implementation. The revised standard provides guidance on how to assess PCI DSS compliance for companies that use third-party service providers to store and process card data or to provide other security-related services.

INTERNATIONAL

Article 29 Working Party Weighs In On Cookie Consent Mechanisms

The European Union (EU) Article 29 Working Party recently released an opinion setting forth "practical" guidance for obtaining consent to the use of cookies or similar technologies across the EU.4 The amended 2002 ePrivacy Directive, adopted in 2009, required all EU Member States to implement a local law mandating that websites obtain consent prior to placing cookies or other technologies on a user's device. Member States slowly passed these local laws over the past few years, resulting in a range of different obligations for websites operating across the EU.

Now, the Article 29 Working Party has provided guidance intended to set forth requirements to make a website legally compliant across all Member States. This guidance has four elements:

  1. Specific Information: Consent must be specific and based on appropriate information. The Guidance makes clear that notice should be "clear, comprehensive, and visible" at the time and place where consent is sought, such as the website's homepage. Information must include the purpose(s) of the cookies and, if relevant, details about third party cookies used on the site. Also, the cookie expiration date and any choice mechanism must be explained.
  2. Timing: By law, consent must be given before cookies are set or read.
  3. Active Behavior: Websites must present clear and comprehensive information to users on how they may signify consent. This should appear on the page where users start their browsing experience. Different tools to obtain consent could include "splash screens, banners, modal dialog boxes, browser settings etc." Browser settings are appropriate where the website operator is "confident" that the user is fully informed and has actively configured their browser in response. The Guidance also supports use of a positive action or active behavior, such as clicking a button or link, or ticking a box. The Guidance makes clear that any user who enters a website and is shown information on cookies, but does not undertake an active behavior, has likely not consented to the use of cookies.
  4. Real Choice—Freely Given Consent: Users must have the opportunity to freely choose to accept or decline some or all cookies. Granularity in choice is recommended, and the Guidance recommends that websites refrain from using consent mechanisms that only provide an option to consent without further choice. This choice should extend to "tracking cookies," used for online behavioral advertising, and the website should obtain "unambiguous consent" to this type of cookie.

Footnotes

1 U.S. Government Accountability Office, Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate, GAO-13-6633, at 46 (September 2013), available at http://www.gao.gov/assets/660/658151.pdf

2 Id. at GAO Highlights.

3 Exec. Order No. 13,636, 78 FR 11739 (February 19, 2013).

4 Available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.