On March 13, 2013, the FTC updated its “.com Disclosures” guidance document for online disclosures to address new issues resulting from the expanding use of smartphones and other mobile devices for advertising purposes.
Originally published in 2000, the FTC guide addresses how companies that are engaged in online advertising should provide the various disclosures required by the laws that the FTC enforces. These disclosures include those required to prevent a claim that a particular advertisement is misleading or deceptive. Examples include:
The Federal Trade Commission (FTC) has proposed an updated set of online privacy rules to address the use of new technologies, including mobile technologies, by children under the age of 13. The original rules, issued in 2000 to implement requirements of the Children’s Online Privacy Protection Act (COPPA), require operators of commercial websites and online services directed to children under age 13 to:
- provide direct notice to parents and obtain verifiable parental consent before collecting children’s personal information;
- give parents the option to allow the operator to collect and use a child’s information, but not disclose it to third parties;
- give parents access to their child’s personal information for review and/or deletion;
- give parents the opportunity to prevent further use of the information; and
- maintain the confidentiality, security, and integrity of information collected from children.
Changes proposed in the new rule include:
- an expanded definition of “personal information” that includes substantially all information that can be used for online profiling or behavioral advertising, including geolocation information, instant messaging user IDs, voice over IP (VoIP) identifiers, video chat user IDs, and tracking cookies;
- new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s identification is deleted promptly after verification is done;
- a requirement that website operators ensure that service providers or others to whom they disclose a child’s personal information implement reasonable procedures to protect it, retain the information for only as long as is reasonably necessary, and properly delete the information; and
- a requirement that self-regulatory “safe harbor programs” audit their members at least annually and report the results of those audits to the FTC.
The FTC will accept comments on the proposed rules through November 28, 2011.
My colleague Rebekah Monson recently co-authored an article discussing the growth of social media as a tool for doctor/patient communications. Although this use of social media requires careful consideration so that private information is not Tweeted, Facebooked, or otherwise made available for public view, Rebekah points out that
Social media is a powerful tool that can be used effectively and efficiently for peer, patient, and family communication, as well as a vehicle for learning, as part of patient education, graduate medical education (GME), and continuing medical education (CME). . . . The Internet is replete with lay opinions and medical misinformation. Surgeons who use social media have a unique opportunity and non-legal responsibility to critically review and correct this misinformation.
The full text of Rebekah’s article can be found here.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced its first-ever civil monetary penalty against a health system for alleged violations of the HIPAA Privacy Rule. The penalty of over $4.3 million, which was levied against Cignet Health, was followed by OCR’s announcement of a $1 million settlement resolving a HIPAA privacy complaint against certain entities affiliated with Mass General.
My colleague Rebekah Monson recently published an article describing the actions that resulted in penalties, as well as the penalty calculation methods. As Rebekah notes in the article:
While the Cignet case could be considered to be an isolated and extreme example, the type of HIPAA breach in the Mass General case is not unusual. The timing of the two announcements, significant penalties, and three-year [corrective action plan] (for Mass General) may signal OCR’s plans to use the HITECH-increased penalties as an enforcement tool.
The full text of the article is available here.
The American Conference Institute is hosting a new seminar tailored to help companies learn how to avoid advertising-related pitfalls that can weaken a company’s brand and expose the company to intellectual property litigation. The new seminar, titled Advanced IP Forum for Advertising Counsel, will feature speakers from leading media and brand-driven companies, along with the counsel who represent them. Topics of the seminar will include:
- strategies for resolving conflicts and avoiding patent litigation when advertising using new technologies;
- sidestepping copyright landmines: what the DMCA, YouTube and Hulu mean to brand media strategies;
- licensing negotiation strategies for new media; and
- best practices for combating widespread IP infringement on the Internet.
The seminar will be held in New York City on April 27-28, 2011, with optional workshops on April 29. (Full disclosure: I am one of the speakers at the seminar. I will discuss strategies for avoiding patent infringement claims when using new advertising technologies.)
For more details, visit the ACI website. Early bird registration pricing is available through February 28.
The California Supreme Court recently ruled, in Pineda v. Williams-Sonoma Stores, Inc., that ZIP codes are “personal identification information” under the state’s credit card consumer protection statute. Accordingly, the Court held that retailers may not collect and record ZIP codes from consumers as a condition of completing a credit card transaction.
Just a few days later, several law firms in San Francisco and Los Angeles filed class action lawsuits against major retailers, seeking damages for alleged violations of the California law.
First enacted in 1971, the Song-Beverly Credit Card Act prohibits California retailers from
When performing due diligence in connection with a merger or acquisition, one item that should not be overlooked is the target company’s privacy policies. If the business of the target relies on account holders, subscribers, or others who provide the business with personally identifiable information, a purchaser who ignores the target’s privacy policies may find itself buying a business with no ability to use the existing customer base, because the policies under which that information was collected may not permit its transfer to a successor.
The purchaser ultimately acquired the assets, but only after entering into a consent order in which the parties agreed to destroy all personally identifiable information before the asset transfer.
The FTC warning should serve as a reminder that purchasers should carefully review privacy policies as part of their intellectual property due diligence. In addition, companies with a goal of being acquired should review their privacy policies to ensure that the policies will allow a successor to continue the business with the existing customer base.
The New Jersey Supreme Court recently issued a decision that caught the interest of companies across the country that are considering whether similar rulings may spread to other jurisdictions. In Stengart v. Loving Care Agency, Inc., A-16-09, 2010 N.J. LEXIS 241 (Mar. 30, 2010), the court explained which actions employers may, and may not, take with respect to employees’ personal communications on company computers, and the conditions attached to each. Maureen Dwyer of Pepper Hamilton’s Princeton, NJ office summarized the decision and its implications for New Jersey employers in a recent article. As Maureen writes:
The court ruled that employers may implement policies limiting personal communications on company computers, and employers may discipline employees for violating those policies. The court also ruled that employers may review the substance of most private e-mail and computer communications, but only if the employer has implemented and communicated a detailed policy that effectively eliminates any reasonable expectation the employee may have that his or her computer communications are private. [However], the court held that employers are never free to review the substance of certain communications, in particular an employee’s confidential communications with his or her lawyer.
More details and Maureen Dwyer’s article are available at the Pepper Hamilton website via this link.
The creation and storage of electronic medical records has resulted in medical professionals generating massive amounts of data about their patients. Privacy requirements, such as those arising under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, mandate that this data be carefully secured against unauthorized or unintentional disclosure. However, most medical professionals do not have the time or resources to implement security requirements themselves. Because of this, it is common practice to outsource electronic medical records storage services.
My colleague Anne Newman recently wrote an article describing the items that hospitals, physician practices, and other medical professionals should consider when contracting to outsource medical records storage services. As Anne notes in the article, agreements to outsource medical records storage must contain several features that are not typically found in agreements for other outsourcing services.
For the complete article, click here.
On March 1, 2010, new personal information protection standards took effect in Massachusetts. The standards are published at 201 CMR 17.00 and establish requirements for anyone who owns or licenses personal information about a resident of the Commonwealth of Massachusetts, regardless of whether the information is maintained in written or electronic form.
Under the regulations, anyone who owns or licenses personal information about a Massachusetts resident must “develop, implement and maintain” a comprehensive, written information security program. The written information security program:
must contain[ ] administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
The standards require that the written program include many additional elements, including:
- designating one or more employees as responsible for maintaining the program;
- imposing disciplinary measures on employees who violate the program; and
- requiring third party service providers to implement and maintain appropriate security measures for personal information.
The standards also contain specific computer system security requirements for electronically stored personal information, among them secure user authentication and access controls, encryption of personal information transmitted over public networks or wirelessly and of personal information stored on laptops and other portable devices, reasonably up-to-date patches and malware protection, and monitoring of systems for unauthorized use of or access to personal information.
Several companies have developed software products to assist with masking electronically stored personal information, so that copies of data used for development, testing, or analysis do not carry the original identifiers. These include DMSuite from Axis Technology LLC and products from Grid-Tools. Such products do not relieve data holders of the obligation to develop a written information security program. However, tools like these can be a useful component of a program once it is developed.
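To make the masking step concrete, the following Python script is an added example, not code from this page or from any of the vendors named above. It masks the data elements that 201 CMR 17.00 treats as “personal information” (a name in combination with an SSN or a financial account or card number): names and e-mail addresses are replaced with keyed pseudonyms so that joins across tables still line up, SSNs and card numbers are reduced to their last four digits, and a final audit pass scans the masked output for anything that still looks like a raw identifier. The field names, the sample records, and the masking key are constructed for this example.

```python
"""Masking of stored personal information before a copy leaves production.

Added example (not the page's or any vendor's code). It masks the elements
201 CMR 17.00 treats as "personal information": a name together with an SSN
or a financial account / card number. Names and e-mail addresses become keyed
pseudonyms so joins across tables still line up; SSNs and card numbers keep
only their last four digits. Field names, sample records and the key are
constructed for this example.
"""
import hashlib
import hmac
import re

# Assumption: in a real deployment the key comes from a secrets store and is
# never stored beside the masked data. A fixed key is used only so that the
# example runs stand-alone.
MASK_KEY = b"example-only-masking-key"

# Patterns used by the post-masking audit below.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pseudonym(field: str, value: str, key: bytes = MASK_KEY) -> str:
    """Deterministic keyed token: equal inputs map to equal tokens, but the
    token cannot be reversed or recomputed without the key (HMAC-SHA256).
    The field name is mixed in so the same string in two fields differs."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return f"{field}_{mac.hexdigest()[:16]}"


def mask_ssn(ssn: str) -> str:
    """Keep the serial (last four digits) and drop area and group numbers.
    Invalid numbers raise, so junk or already-masked input is not silently kept."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a valid SSN")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        raise ValueError("not a valid SSN")
    return f"XXX-XX-{serial}"


def mask_card(card: str) -> str:
    """Keep the last four digits of a Luhn-valid 13-19 digit card number."""
    digits = re.sub(r"\D", "", card)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(rec: dict) -> dict:
    """Return a masked copy of one record; the original is left untouched."""
    out = dict(rec)
    out["name"] = pseudonym("name", rec["name"].strip().lower())
    out["email"] = pseudonym("email", rec["email"].strip().lower()) + "@example.invalid"
    out["ssn"] = mask_ssn(rec["ssn"])
    out["card"] = mask_card(rec["card"])
    return out


def find_raw_identifiers(records: list) -> list:
    """Audit step: list (row, field, kind) for any value that still looks like
    an SSN or a Luhn-valid card number, so a field missed by mask_record is
    caught before the export ships."""
    findings = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            text = str(value)
            if SSN_RE.search(text):
                findings.append((i, field, "ssn"))
            for m in CARD_RE.finditer(text):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    findings.append((i, field, "card"))
    return findings


# Constructed sample records (industry test card numbers, not real accounts).
SAMPLE_RECORDS = [
    {"name": "Jane Q. Public", "email": "Jane@Example.com",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "zip": "02110"},
    {"name": "jane q. public", "email": "jane@example.com",
     "ssn": "123456789", "card": "5555555555554444", "zip": "02110"},
]

if __name__ == "__main__":
    masked = [mask_record(r) for r in SAMPLE_RECORDS]
    for row in masked:
        print(row)
    print("raw identifiers left:", find_raw_identifiers(masked))
```

Two design points matter in practice. The pseudonym is keyed (HMAC) rather than a plain hash, because an unkeyed hash of a name or e-mail address can be reversed by a dictionary attack, which would defeat the purpose of masking. And the audit pass runs on the output rather than trusting the mapping, because the usual failure is not a broken masking function but a new column or free-text note that nobody added to the field list.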