Consumers frequently reveal personal information about themselves through a variety of daily online and offline activities. For fashion designers and retailers, this consumer information represents a valuable tool to identify, target, and expand customer advertising and messaging. This information can be utilized by employing a data broker, a company that aggregates consumer information and provides information about the relevant consumer marketplace. Data brokers collect, maintain, manipulate, and share a significant amount of data about consumers without ever directly interacting with them. While data brokers afford a major advantage for retailers, including fashion companies, they also raise privacy concerns for the consumers that data brokers profile. The Federal Trade Commission (“FTC”) recently issued a report summarizing the results of its study on the activities of nine data brokers, and recommended that Congress consider enacting legislation to make data broker practices more transparent or to give consumers greater control over the personal information that is collected about them and shared by data brokers. This post summarizes the portions of the FTC’s report that are most relevant for fashion retailers and designers.
Since early 2014, the Federal Trade Commission has charged at least fourteen U.S. businesses in varying industries, from fashion to telecommunications, for falsely claiming to participate in the US – EU Safe Harbor privacy. Three of the companies were also charged with similar violations of the US – Swiss Safe Harbor. The Safe Harbor provisions were designed to provide U.S. and European organizations a legal, cost-effective means for transmitting consumer data outside of European countries, which maintain strict data privacy laws. On June 25, 2014, the FTC reported approval of final orders settling charges of US – EU Safe Harbor violations against the fourteen entities.
As federal courts continue to grapple with the explosion of litigation brought by plaintiffs under the Telephone Consumer Protection Act (“TCPA”), the Federal Communications Commission (“FCC”) is increasingly being called upon to address complex questions arising from the application of this analog statute to the digital world. The latest example is a brief amicus curiae filed by the FCC in Nigro v. Mercantile Adjustment Bureau, LLC. In that case, Albert Nigro contacted a power company in New York to discontinue the service of his recently deceased mother-in-law and provided the company with his cell phone number in doing so. Thereafter, a debt collector (acting on behalf of the power company) called Nigro 72 times over a nine-month period to collect on a $67 delinquency that remained on his mother-in-law’s account.
In Osorio v. State Farm Bank, F.S.B., No. 13-10951, 2014 U.S. App. LEXIS 5709 (11th Cir. Mar. 28, 2014), the U.S. Court of Appeals for the Eleventh Circuit has provided some guidance on the parameters of “prior express consent” under the Telephone Consumer Protection Act (“TCPA”). In particular, the court held: (1) consent can be given on behalf of another person if an agency relationship exists and (2) a party may orally revoke consent.
In Americana Art China Company, Inc. v. Foxfire Printing & Packaging, Inc., 743 F.3d 243 (7th Cir. Feb. 18, 2014), the U.S. Court of Appeals for the Seventh Circuit affirmed the district court’s attorneys’ fees award in a class action settlement arising from the defendant’s faxing of thousands of unsolicited advertisements in violation of the federal Telephone Consumer Protection Act. In doing so, the Seventh Circuit reaffirmed the district court’s discretionary power to use the lodestar method, rather than the percentage method, to determine an appropriate fee award for class counsel. The Seventh Circuit held that the lodestar methodology was properly applied and permissible under the circumstances.
The Telephone Consumer Protection Act, 47 U.S.C. § 227, et seq. (“TCPA”), prohibits “robo-calls” to cell phones, text messages and “junk” faxes without prior consent. It imposes statutory penalties from $500 to $1,500 per violation, regardless of any actual damage, and is thus increasingly popular with the plaintiffs’ class action bar. Though the TCPA was passed in 1991, there are relatively few Circuit Court of Appeals decisions regarding it. In August of 2013, however, both the Third and Seventh Circuits issued TCPA decisions—one involving the revocation of prior express consent and the other involving cy pres awards in TCPA class actions.
On March 13, 2014, the European Parliament voted to approve the draft Network and Information Security Directive (also known as the Cybersecurity Directive), which contains new rules designed to improve the cybersecurity of the European Union. The most recent draft of the Directive removes the requirement that certain technology service providers (including social networks, search engines, e-commerce platforms and online payment gateways) notify national authorities of data systems breaches. Only providers who own, operate or provide infrastructure which, if disrupted or destroyed, would have a significant impact on a Member State will be subject to the notification requirements of the Directive. Now that the current draft of the Directive has been approved by the European Parliament, it will be negotiated with the European Commission and the Council. Read more about the EU Cybersecurity Directive here.
Growing concern over the use of consumer data to generate scores designed to predict consumer behavior, what some refer to as predictive analytics or alternative scoring products, has caught the attention of the Federal Trade Commission. Earlier this month, the FTC held a seminar focused on exploring the use and impact of predictive scoring. While these analytic products have traditionally been used for purposes of marketing, advertising, identity verification and fraud prevention, some consumer advocates are concerned that their increasing use is disparately impacting vulnerable communities through, among other things, the offers and prices at which products are offered to these consumers. They urge the FTC to use the Fair Credit Reporting Act to regulate these products, as it has historically done in connection with the sale of credit reports under certain circumstances. The FTC has expressed some apprehension over the fact that consumers may not be aware these analytic products are used and have little access to correct or challenge underlying consumer data that may not be correct. The seminar was one of several steps the FTC is currently taking as it delves more deeply into predictive scoring and the data broker industry. For more information or to review the transcript or materials presented at the seminar click here.
In the wake of recent national-level data security breaches, a number of privacy breach laws have been presented in Congress that are aimed at creating national standards to replace the current state patchwork of data security laws. Senator Patrick Leahy has introduced the Personal Data Privacy and Security Act of 2014 (SB 1897). This bill is intended to “prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.” In terms of data protection, the bill contains detailed requirements for privacy and security programs and breach notification, including preemption of state law on breach notification. Senators Tom Carper and Roy Blunt have introduced the bi-partisan Data Security Act of 2014 (SB 1927), which would provide “rules of the road” for companies and agencies to avoid and respond to data breaches, providing standards for safeguarding information, investigating breaches, and notifying consumers. While a comprehensive national data breach law may sound like a good idea, a national standard could prove to be more cumbersome and onerous depending on what, if anything, is finally enacted. To read more about these bills click here.
The White House introduced a voluntary cybersecurity framework that would have banks, utilities, and other critical industries adopt best practices to protect against security threats. The National Institute of Standards and Technology worked with industry groups to create the “Framework for Improving Critical Infrastructure Cybersecurity.” The framework is designed to be a roadmap for companies to follow. To learn more about the framework click here.