Access and Accuracy: Would White House Privacy Framework Turn Every Data Collector Into a Consumer Reporting Agency?
A few weeks ago, we blogged about the White House’s “Privacy Framework,” including the so-called “Privacy Bill of Rights.” As we noted, the vast majority of personal data collected by U.S.-based businesses about their customers and potential customers remains largely unregulated. There are a few big exceptions to that statement, though, and none bigger than the regulatory scheme that governs the collection and distribution of credit reporting information. The Fair Credit Reporting Act (FCRA), as amended to include the Fair and Accurate Credit Transactions Act (FACTA), tightly controls how and what information about a consumer’s credit can be collected, by whom it may be collected (Consumer Reporting Agencies, or “CRAs”), how and with whom it can be shared by CRAs, and the purposes for which the information can be used. Most significantly, the FCRA scheme gives consumers two things they don’t currently have with regard to just about any other type of data that may be collected about them – access and the right to accuracy. You have the right to at least one free copy of your credit report every year (and in reality, several more free copies are available). And, if you find information that is inaccurate, you have the right to have it corrected. This right to “Access and Accuracy” is one of the core privacy principles in the White House’s new Privacy Framework. [Read more →]
May 17, 2012
Driver’s Privacy Protection Act Making a Comeback in Claims Involving Personal Information
In 1994, before the advent of smartphones, 4G, and other technology advances that have become ubiquitous, the U.S. Congress passed the Driver’s Privacy Protection Act (“DPPA”). The statute protects drivers from having information from their motor vehicle record disclosed without a legitimate, enumerated purpose. The reason lawmakers enacted the DPPA was not to protect against identity theft, as we might suspect in today’s context, but to prevent stalkers and harassers from exploiting the local department of motor vehicles to locate their victims.
Although the DPPA is pretty straightforward and fairly limited in its application, it is used more often than one might expect. For instance, it has been asserted in class action lawsuits, such as suits by consumers against retailers that collect the driver’s license number of anyone seeking to return merchandise. It has also been used as the basis for a challenge to Kyleigh’s law, a New Jersey statute that forces drivers holding permits or provisional licenses to purchase and display a $4 pair of decals on the front and rear license plates of their cars. And consumers have even used it as a basis for claims that entering DOB data into a liquor store cash register when checking IDs in connection with alcohol sales violates the DPPA.
So we thought we’d ask and answer the question – what exactly does the DPPA prohibit, and what does it not prohibit? [Read more →]
May 15, 2012
Who Controls Your Cloud-Based Data When the Sky Starts Falling?
Cloud computing has reached the masses. With the advent of websites like MegaUpload and RapidShare, “cyber-locking” is becoming an increasingly popular method for sharing large files. Photo archives, music, and videos can all be shared with friends, without worrying about how much memory you have or exceeding inbox thresholds. MegaUpload, with 150 million registered users and 50 million hits daily, was one of the largest and most popular cyber-locking (file-sharing) websites in the world before it was abruptly shut down in January of this year. After a two-year investigation, prosecutors in Virginia filed a 72-page indictment alleging that MegaUpload facilitated massive copyright violations, and the FBI shut down the site. [Read more →]
May 10, 2012
Collecting Shoppers’ ZIP Codes: Still Questions About The Question
“….And can I have your ZIP code, please?”
Over a year after the Supreme Court of California ruled that a retailer could not ask this question to store customers paying by credit card, retailers are still waiting to learn for certain whether California is the only state with this prohibition. The highest court in another state may soon help answer this question.
Retailers might want to know a shopper’s ZIP code for various reasons. Often, it is for identity verification purposes. Sometimes, a retailer simply wants to know where its customers are coming from, information that can be helpful when researching potential new store locations. But many retailers also try to obtain customers’ ZIP codes so they can engage in a marketing practice called “reverse appending,” by which they can cross-reference the ZIP code with information in other databases to obtain the customer’s full address. Having the customer’s full address, of course, allows the retailer to send marketing materials directly to the customer. But is this practice a legally actionable violation of consumer privacy? [Read more →]
May 7, 2012
“Cost Shifting in E-Discovery: Will it be Available to You?”
Litigants and courts are struggling with ways to manage the costs and burdens associated with electronic discovery. Traditionally, the general rule has been that the cost of production falls on the producing party. Shifting the costs of e-discovery to the party making the request is one proposed solution that, according to cost-shifting advocates, may force reasonableness and impose some limits on the increasing costs of producing large volumes of electronically stored information (ESI). Cost shifting may sound very appealing to parties saddled with legal fees and costs associated with collection, processing, filtering, reviewing, and producing the equivalent of the Library of Congress. But whether, when and how much of the costs of production can be shifted to the requesting party is still a developing area of the law, and results are currently inconsistent in varying jurisdictions. Still, who pays the costs of production of ESI is not totally outside of your control. [Read more →]
May 3, 2012
Crowdfunding: The Rise of the Online Marketplace for Capital
Traditionally, raising capital for profit-making ventures is accomplished through face-to-face contact with an investment bank or potential investors. It involves, among other things, an issuer or the issuer’s broker compiling information about the issuer and then providing that information to a limited number of potential investors. But Congress recently passed, and the President signed into law, a bill known as the “Jumpstart Our Business Startups Act.” With the passage of the “JOBS Act,” emerging growth companies can now harness the power of the Internet and solicit investments from the general public. A portion of the JOBS Act, commonly known as the Crowdfund Act, dramatically changes current securities legislation by legitimizing (and regulating) “crowdfunding” – an online money-raising technique that allows individuals to pool resources to fund projects. The Crowdfund Act permits emerging growth companies that meet certain criteria to offer up to $1 million worth of unregistered stock every 12 months to an unlimited number of unaccredited investors. [Read more →]
April 30, 2012
Reports Of The Computer Fraud and Abuse Act’s Demise Have Been Greatly Exaggerated
Recently, the Ninth Circuit issued an en banc decision in US v. Nosal, holding that the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (CFAA) should be construed narrowly so as to be “limited to violations of restrictions on access to information, and not restrictions on its use.” This ruling represents a split from the Fifth, Seventh, and Eleventh Circuits. Some have even gone so far as to suggest that the Ninth Circuit decision gives a license to employees to steal from company computers.
April 26, 2012
DO YOU REALLY WANT TO BE “FRIENDS” – The Use of Social Media in Hiring Decisions
Forty or fifty years ago, it was normal for an employee to stay his or her entire career with a single employer. Retention back in those days was high and turnover was low. Employees often trained for their next position within the company as part of a normal succession plan.
Fast-forward to the world of today. Employee turnover is higher than in the past as employees have become “mobile,” moving from company to company. Employers incur ever-increasing costs associated with hiring, training, firing or losing an employee. To reduce the costs and risks of hiring a “bad apple,” employers naturally want to find out as much information as possible about the candidate before making a hiring decision.
But, when does the employer know “too much?” [Read more →]
April 23, 2012
FTC Seeks Industry Self-Regulation as Means of Increasing Consumer Privacy
At the end of March 2012, the Federal Trade Commission issued a final report setting forth proposed “best practices” to protect consumer privacy and to give consumers more control over the collection and use of their personal data. The report, entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers,” came one month after the White House unveiled its “Consumer Privacy Bill of Rights.” The FTC Report attempts to flesh out some of the seven broad “privacy principles” contained in the White House release, and further builds on a preliminary FTC staff report issued in 2010. [Read more →]
April 19, 2012
White House’s Privacy Framework Proposes Individual Control over Personal Data Stored by Online Businesses
In February 2012, the White House released President Obama’s much-anticipated “Privacy Framework,” or, as many have coined it, a “Privacy Bill of Rights.” The Framework is a broad-based, if not very specific, vision for a vastly different personal data privacy landscape than the one in which most online commercial businesses in the United States operate today. Currently, the U.S. privacy scheme is a very fragmented, industry-by-industry approach. Financial institutions, for instance, have a very comprehensive set of rules governing how customer information may be collected, stored and used, including annual opt-out rights. On another front, HIPAA governs the use of Personal Health Information in the context of health care providers, health benefit plans, and health plan sponsors. [Read more →]
April 16, 2012




