Category Archives: Privacy Regulation & Legislation

Illinois Bars Employers from Requesting Social Media Passwords

On August 1, Illinois became the second state to amend its workplace privacy law to prohibit employers from asking employees and job applicants for their social media passwords. The change to the state’s Right to Privacy in the Workplace Act goes into effect on January 1, 2013.  Maryland was the first to pass a similar law in April.  Other states like California, Minnesota, Michigan, Massachusetts, New Jersey and New York have similar laws pending. The laws are designed to curb employers’ use of social media accounts to assess the online behavior of a potential new hire or existing employee.

Congress Probes Leading Data Brokers on Dossiers

On Tuesday, the Congressional Privacy Caucus sent inquiry letters to nine of the largest data brokers regarding their privacy practices, including how they collect, analyze and sell consumer information.  Data brokers are organizations that compile data on consumers and sell that data to third parties for marketing and other purposes.  “By combining data from numerous offline and online sources, data brokers have developed hidden dossiers on almost every US consumer,” the letters said.  This practice worries privacy advocates and, in particular, the Federal Trade Commission (FTC), which said candidly in its statements and in its March report on consumer privacy that it intends to crack down on these unregulated data aggregators.  The settlement with Spokeo last month is reportedly the first, with others to follow this year.  The Privacy Caucus, co-chaired by Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas), appears to be weighing legislative action to impose oversight and industry accountability.  Companies receiving the letter were Acxiom, Epsilon (Alliance Data Systems), Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Merkle and Meredith Corp.  The companies have until August 15 to respond.

E.U. Cookie Law: U.K.’s ICO Says “It’s Complicated”

Starting today, U.K. websites must ask for and get the consent of their users before placing non-essential cookies on their computers.  (A “cookie” is a small text file that a website sends to your browser, which stores it and sends it back on later requests to the same site; this lets the site recognize you when you return.  A cookie set by a third-party domain whose content is embedded on many sites, such as an advertising network, can likewise be used to recognize you across those sites.)  The so-called E.U. “Cookie Law” aims to protect website users from unwanted marketing by giving them more control over cookies.

The E.U. Cookie Law (an amendment to the e-Privacy Directive) was due to be implemented by member states by May 25, 2011, but the U.K.’s data protection authority, the Information Commissioner’s Office (ICO), gave companies one year to comply.  The deadline for compliance is technically today, May 26, 2012.  However, the ICO announced yesterday that compliance with the law is complicated and so it does not expect (or require) full compliance by today.  Instead, the ICO expects companies to have taken steps to comply, including the development of a plan to achieve compliance by a specific date.  The specific steps the ICO mentions include conducting a cookie audit to determine what types of cookies a website sets and how they are used, making the website’s notices about cookies more obvious to users, and determining the best method to get users’ permission.  A recent KPMG study found that 95% of companies have yet to comply with the law, so the ICO’s shift seems rooted in reality.

The guidance yesterday made an important clarification about getting users’ permission.  Contrary to its previous statement regarding consent, the ICO now says “implied consent” is a valid form of consent.  Previously, the ICO’s guidance was that once the law took effect, users would have to opt in to all non-essential cookies, which critics pounced on as impractical and burdensome.  In other words, before a cookie could be placed on a user’s computer, the user would have to agree.  This would have required users to, for example, click an icon, dismiss a banner, send an email or subscribe to a service.  Based on yesterday’s reversal, a company can now rely on implied consent, so long as it has reason to believe its visitors have a reasonable understanding that their actions will result in cookies being set or information being accessed on their device.  This is a very significant change.
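To make the two technical steps above concrete (the cookie audit the ICO asks for, and the consent gate that decides which cookies may be set before a user has agreed), here is an added example that is not part of the original post or of any ICO guidance.  It parses constructed Set-Cookie headers, classifies each cookie as first- or third-party, session or persistent, and essential or not, and then filters the list according to the user’s consent state.  The site host, the essential cookie names and the sample headers are all assumptions made for the example; whether consent was given explicitly or implied is outside the code and is represented by a single boolean.

```javascript
// Added example, not code from the original post: a minimal cookie audit
// helper and a consent gate, run over constructed Set-Cookie header values.
// Assumptions (not from the post): the site is www.example.co.uk, and any
// cookie whose name is not in ESSENTIAL is treated as non-essential.

const SITE_HOST = "www.example.co.uk";                 // assumed first-party host
const ESSENTIAL = new Set(["sessionid", "csrftoken"]); // assumed essential names

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
// Only the first "=" in the name=value pair splits it, so values may contain "=".
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify a parsed cookie for the audit: who sets it (Domain attribute vs the
// site host), whether it outlives the session (Expires/Max-Age), and whether
// the site treats it as essential.
function classify(cookie, siteHost = SITE_HOST) {
  const domain = (cookie.attrs.domain || siteHost).replace(/^\./, "");
  const firstParty = siteHost === domain || siteHost.endsWith("." + domain);
  const persistent = "expires" in cookie.attrs || "max-age" in cookie.attrs;
  return { name: cookie.name, firstParty, persistent, essential: ESSENTIAL.has(cookie.name) };
}

// The audit: classify every Set-Cookie header the site would emit.
function audit(headers, siteHost = SITE_HOST) {
  return headers.map((h) => classify(parseSetCookie(h), siteHost));
}

// The consent gate: essential cookies always pass; non-essential cookies pass
// only once the user has consented (explicitly or, per the ICO, by implication).
function allowedCookies(headers, consentGiven, siteHost = SITE_HOST) {
  return headers.filter((h) => classify(parseSetCookie(h), siteHost).essential || consentGiven);
}

// Constructed sample headers for the example; not captured from any real site.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "csrftoken=tok456; Path=/; Secure; SameSite=Strict",
  "_ga=GA1.2.111.222; Domain=.example.co.uk; Expires=Wed, 26 May 2014 00:00:00 GMT; Path=/",
  "ad_id=xyz; Domain=.adnetwork.example; Max-Age=31536000; Path=/",
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(audit(SAMPLE_HEADERS));
  console.log("without consent:", allowedCookies(SAMPLE_HEADERS, false));
}
```

Run with `node` to print the audit table and the two cookies a site could still set before consent.  In a real deployment the consent boolean would come from the site’s banner or notice logic, and the gate would sit wherever Set-Cookie headers or `document.cookie` writes are issued.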

Also in the good news column for website owners, the ICO said that a company’s failure to comply with the new law is unlikely to result in fines straight away.  The maximum monetary penalty for non-compliance is £500,000 (not a small sum), but the ICO indicated that it would first expect to see a specific plan of action to bring the company into compliance.

The law applies to all 27 member states of the European Union.  Websites outside the E.U. must comply with the law if they target people within member states.  So a website based in the U.S. that sells to users who are residents of the U.K., for example, will also have to comply with the Cookie Law.  From a website owner’s perspective, what that compliance looks like is certainly more reasonable today than it was before the ICO’s announcement yesterday.
Nolo’s Privacy Matters Blog Premieres!

Welcome to Privacy Matters, a Nolo blog devoted to information privacy and data security issues as they relate to small businesses and consumers.  Information privacy covers the rules that apply to the gathering and handling of “personal information” — in other words information that can be traced to a particular individual, like geolocation information, credit information, or health records. 

Privacy law varies by industry, state, country, transaction and customer, and it is complicated.  Through blog posts and an ongoing series of Nolo primer articles, I hope to provide general, useful information about fundamental privacy principles and best practices that Internet, technology and brick-and-mortar businesses need to be aware of, as this area of law can be a minefield for the unknowing.

Class action lawsuits and Federal Trade Commission enforcement actions against tech titans like Facebook and Google, along with high-profile data breaches that jeopardized the private data of millions of individuals and tarnished the reputations of scores of companies like Sony, Heartland Payment Systems and RSA Security, have thrust privacy onto the front pages.  It’s important for small business owners to recognize that the same rules that have gotten large companies into trouble apply to small businesses as well.  When it comes to privacy, an ounce of prevention is, in fact, worth a pound of cure.