Practical Takeaways From FTC Settlement
Details of FTC “privacy by design” enforcement action against mobile device manufacturer.
Privacy issues are a major focus of Congress, government agencies, state Attorneys General, the media, industry and consumers. The rules are changing rapidly - from looming comprehensive federal legislation; to a patchwork of federal and state laws, regulations and guidance; to expanding industry association requirements and guidelines. Kelley Drye is at the forefront of this evolving area of law. We counsel clients on privacy and security laws governing the collection, use and protection of personal information, and on managing risks and reducing exposure to investigations and litigation arising from how companies handle personal data. We have a national reputation for providing high quality legal services and practical, efficient and timely advice on a broad range of privacy and data security issues. Our team includes several former Federal Trade Commission (FTC) officials and a deep bench of consumer protection law specialists, which uniquely positions us to guide our clients through all aspects involved in privacy and data security matters.
Kelley Drye's Privacy and Information Security practice group helps clients achieve their business goals and a competitive edge while balancing the risks of maintaining customer and employee data. Our attorneys assist clients in designing and updating marketing programs; perform privacy and/or data security compliance and strategic planning and business reviews, including data mapping; draft and amend information security policies and programs; prevent and optimally resolve data breaches; design oversight and monitoring programs for third party handling of customer and employee data; develop and provide privacy training; and represent clients in connection with FTC and state Attorney General investigations and class action litigation. We serve clients in all types of highly-scrutinized industries, including consumer products and retail, hotel and leisure, financial services, and telecommunications, broadband, and technology and mobile services.
Kelley Drye's Privacy and Information Security practice group includes recognized leaders in the field, including two former directors of the FTC's Bureau of Consumer Protection, an Assistant Director, and attorney advisors. While at the FTC, members of our group directed the implementation and enforcement of the Children's Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA), and targeted Internet privacy, identity theft, and electronic commerce consumer protection issues. Our group also includes the past chair of the American Bar Association's Privacy and Information Security Committee, the former editor-in-chief of the ABA's Data Security Handbook and The Secure Times newsletter, the co-chairs of the ABA Consumer Protection Law Developments treatise, and the co-chair of the Federal Communications Bar Association's Privacy and Data Security Committee.
The firm’s Privacy and Information Security practice is internationally recognized in Chambers Global, is nationally ranked in Chambers USA and U.S. Legal 500, and was named one of the top five privacy advisers among law firms and consulting firms around the world in a survey published by Computerworld magazine. Notably, sources tell Chambers researchers that the group "prioritizes risk to provide practical, thoughtful advice in a timely manner."
This team regularly counsels and represents clients in the following areas:
- Investigations - Kelley Drye represents clients in investigations and inquiries from the FTC, state Attorneys General, and other regulatory agencies. We defend clients in federal and state courts and before regulatory agencies regarding their privacy and information security business practices.
- Compliance and Planning - We ensure that clients' business practices are designed to comply with privacy and information security laws, regulations, guidance and applicable industry self-regulatory requirements. We counsel on all aspects of privacy and information security requirements, including the FTC Act, GLBA, COPPA, the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), FCC Customer Proprietary Network Information (CPNI) regulations, the Payment Card Industry Data Security Standard (PCI DSS), Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), state privacy and data security laws, the EU Data Protection Directive and other national and local privacy laws around the world. Our advice also is mindful of the current government enforcement and class action litigation trends on all of these issues.
- Marketing Campaigns - Our group counsels clients on how to use consumers' personal information, geolocational and device data, and CPNI lawfully in marketing, including obtaining effective consent for email marketing, text messaging and online behavioral/preference marketing. We advise clients about their compliance obligations with related laws including the FCC's CPNI regulations, the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule, and the CAN-SPAM Act. In the early stages of marketing campaigns, the firm represents clients in meetings with privacy advocates to address the use of consumer information, particularly with regard to online and mobile behavior.
- Policy Development and Training - Our attorneys help clients draft, review, revise and interpret their privacy, data security and CPNI policies and procedures, and develop appropriate, comprehensive enterprise-wide privacy and data security programs. We also develop and conduct training for clients' employees on privacy, data security, advertising and business practices that comply with consumer protection laws.
- Business Practice Audits - We perform privacy or data security audits of existing business practices. This involves assessing client compliance with current policies and reviewing how clients receive and share personal information and CPNI with affiliates and third parties to ensure that such information sharing complies with laws and business policies, and to ensure that the design of new products and services complies with existing consumer protection law and is balanced with a practical legal risk assessment.
- Third-Party Compliance - Kelley Drye helps clients develop and update reasonable oversight and monitoring programs of third party vendors handling consumer data. These efforts, which include developing vendor privacy due diligence templates, drafting and negotiating strategic contractual provisions, and formulating appropriate compliance checks and responses to issues which arise during the relationship, ensure clarity with respect to the parties' responsibilities and assignment of risk, promote compliance, and reduce exposure in the event a third party vendor mishandles personal data.
- Data Breach Counseling - We develop policies and procedures to help clients avoid data breach events and ensure that they are prepared to meet their legal obligations if such an event happens. In the event of a breach, we advise clients on conducting internal and third party investigations as to the source of the breach, the company's notification obligations, managing public relations, and the overall strategy to reduce the risk of resulting investigations and/or litigation.
- Litigation - When a government or industry-based investigation escalates to litigation or a company faces a class action, Kelley Drye's Privacy and Information Security practice has both the subject matter expertise and deep litigation experience needed to develop a robust and cost-effective defense strategy.
As the rules governing privacy and data security change and expand, our Privacy and Information Security lawyers work closely with other members of the firm, including the Advertising and Marketing, Telecommunications, and Government Relations and Public Policy practice groups, to stay ahead of new developments and assist clients in seizing opportunities and protecting against new risks.
Our attorneys work with clients in a range of industries, including the following areas in which we have extensive expertise:
Consumer Products and Retail
In the course of marketing and conducting business, retailers are subject to various state and federal laws regulating the collection, use and disclosure of customer information. Violations of such laws, and of industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), can result in fines and payment card reimbursement costs, often in the six-figure range if not higher. We help companies minimize their risk exposure while meeting their legal and contractual obligations. By way of example, we have addressed the following issues for various clients:
- Represented a Fortune 100 retailer in an FTC investigation into the company’s handling of customer information. After a robust defense of the client’s privacy practices, the FTC staff closed the investigation.
- Assisted a major retailer with a gap analysis for privacy compliance. This involved dividing the business units into discrete parts with similar privacy compliance issues. Our analysis then cataloged every applicable privacy law in the United States (federal and state) in the form of easy-to-follow questions for the business units to answer, which allowed the legal department to identify compliance gaps and focus resources most efficiently on the areas that needed them most.
- Regularly counsel a Fortune 50 computer and technology company on global privacy and data security compliance, including assisting with compliance with developments in U.S. state law, enforcement trends, and strategies for managing vendor relationships worldwide.
- Appointed Consumer Privacy Ombudsman by United States Trustees in bankruptcy proceedings for three retail companies, submitting reports and recommendations to the courts regarding the disposition of customer lists and other personally identifiable information.
- Assisted major consumer electronics retailers in connection with implementing a behavioral advertising initiative.
- Represented a popular children's specialty retailer in an FTC investigation of the company's in-store and online privacy practices. We succeeded in convincing the FTC to close the investigation without pursuing law enforcement or remedial action.
- Represented a leading academic research company in separate privacy investigations by the FTC and 42 state Attorneys General, and negotiated an FTC consent order and a state Assurance of Voluntary Compliance.
- Represented an online retailer in an investigation by the New York Attorney General's Office of security breaches involving customer information, resulting in the negotiation of an Assurance of Discontinuance.
- Represented a leading online retailer in an FTC privacy investigation, resulting in the agency's closing of the investigation without further action.
- Provide comprehensive privacy and data security advice for a major online retailer. This includes advising on compliance with COPPA, CAN-SPAM, and relevant FTC and state consumer protection, privacy and data security laws.
- Work with international retailers to review and certify data practices under the Safe Harbor program, to permit them to lawfully transfer their European Union employee and customer data to the United States.
Apparel designers, manufacturers and retailers must have the proper privacy and data security compliance programs to ensure customers' personal information is managed appropriately. The following examples are representative of the advice our attorneys have provided to clients in this particular area:
- Counseled a Fortune 500 clothing manufacturer on enterprise-wide data security compliance. This included strategies for data protection compliance, legal policies, managing vendor relationships, negotiating privacy and data security terms in vendor contracts, and exercising privacy and due diligence in the company's acquisition of new businesses, data assets and service providers.
- Advised a major clothing and luxury lifestyle retailer on employment-related privacy matters, including disclosures related to the Fair Credit Reporting Act.
- Assisted a luxury brand retailer with designing a program to analyze customer behavior consistent with state and federal privacy laws and concerns.
- Counseled several clients, including a Fortune 500 athletic apparel company and a children’s retailer, on issues in product design and services that involve online/wireless gaming and social media components.
- Regularly advise Fortune 500 and 1000 clothing retailers on privacy and data security matters, including working closely with the companies in designing tailored privacy and data security compliance programs that meet federal and state regulatory requirements.
- Defended an apparel manufacturer in two major California class actions alleging violations of the Song-Beverly Act in the collection of customers' personal information.
Financial Services
Financial institutions face a number of rigorous legal obligations, including compliance with the Gramm-Leach-Bliley Act (GLBA) and the GLBA Safeguards Rule. The following examples are representative of the advice our attorneys have provided to clients in this particular area:
- Defended a national financial services company in an FTC investigation for GLBA Safeguards Rule violations. The matter was closed without action.
- Represented a financial institution in an investigation by the FTC concerning an information security breach the business incurred, and whether the company's business practices complied with Section 5 of the FTC Act, the GLBA Safeguards Rule and the GLBA Privacy Rule. The case was resolved with a settlement that included relatively narrow injunctive relief (compared to other similar FTC settlements), and no monetary damages or penalties.
- Counseled numerous clients, including financial service entities, on appropriate responses to a data breach event.
Hotel, Travel and Leisure
Protecting the privacy and security of consumer information can be a challenge for hotels and leisure companies, especially if they have franchises or a decentralized management system. We counsel companies to ensure their privacy and data security policies are uniform across brands and affiliates and advise clients on their obligations in the event of a breach or investigation. The following examples are representative of the advice our attorneys have provided to clients in this particular area:
- Representing a global restaurant company in a state Attorney General investigation into the company’s collection and use of customers’ personally identifiable information in the context of advertising to children.
- Assisted a global, privately-held hospitality and travel company in a data breach situation at one of its hotels involving millions of records containing personally identifiable information.
- Advised a global rental car company on its data breach notification obligations in foreign countries, including the UK, Ireland and Germany.
- Reviewed a video surveillance program and evaluated web camera legal issues in more than 20 countries for one of the world's largest hotel and leisure companies.
Communications and Technology
Communications and technology providers must be particularly sensitive to privacy and data security issues, given the extensive amount of customer and associated data that they collect. Kelley Drye attorneys help telecom, broadband, mobile, Internet, and other technology providers and related companies understand the myriad laws and regulations which may apply to them, develop policies to remain compliant, and balance the risks associated with holding customer information. The following examples are a representative sampling of the advice our attorneys have provided to clients in this particular area:
- Provide consumer protection counseling to several major mobile application developers and marketers, including privacy-related counseling.
- Represented a diversified mass media company on children’s privacy issues and submitted comments on behalf of the client in response to the FTC’s proposed revisions to the Children’s Online Privacy Protection Rule.
- Represented a mobile app developer in an FTC investigation concerning the company’s compliance with privacy and information security obligations. We negotiated successfully with the FTC and the matter was closed.
- Counseled a client on the privacy issues with respect to developing an international proprietary social networking platform.
- Developed a comprehensive information security program designed to comply with FTC and FCC regulations, as well as state regulations such as the Massachusetts standards, for a major regional integrated communications service provider. This included drafting policies, process documents and training materials, as well as the development of a third party vendor oversight program.
- Provide regular advice to a national retailer and carrier on privacy-related issues stemming from the FCC's CPNI regulations, the FTC Red Flags Rule, COPPA, CAN-SPAM, HIPAA and relevant FTC and state consumer protection, privacy, and data security laws.
- Advised a regional fiber provider on vendor certification and contract requests involving GLBA, HIPAA and other privacy-related laws and regulations.
- Developed FCC CPNI compliance filings, programs and manuals for a major international carrier.
- Represented a telecom and Voice over Internet Protocol (VoIP) service provider in FCC enforcement proceedings involving CPNI regulation compliance.
- Represented a national broadband service provider in an FCC rulemaking on CPNI, resulting in rule provisions tailored to carriers serving business customers.
- Developed a Red Flags compliance program and training for a metropolitan fiber provider.
- Advised cable companies and an applications provider on compliance with the Cable Act privacy provisions.