Skip to main content

Privacy Monday - September 16, 2013

Dis-Like! Senator Markey Urges the FTC to Investigate Facebook’s New Policies

Written By Adam Veness

As we previously reported here, Facebook has proposed a number of revisions to its Data Use Policy and Statement of Rights and Responsibilities.  In response to these proposed changes, Senator Edward J. Markey (D-MA) sent a letter to the Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez asking her to take a closer look into whether these new proposed policies violate Facebook’s 2011 settlement with the FTC.  That same day, the FTC announced that it was investigating Facebook’s new policies.

Facebook’s new policies make it clear that users are required to grant Facebook wide permission to use their personal information as a condition to using Facebook.  Peter Kaplan, a spokesman for the FTC, stated, “Facebook never sought out a discussion with us beforehand about these proposed changes.”  According to the New York Times, Facebook informed the FTC of the new language just before it was posted to its website.

Senator Markey’s letter to the FTC questions whether Facebook is attempting to improperly alter its privacy policy without user consent.  He points out that the Facebook/FTC settlement requires that Facebook “clearly and prominently” provide consumers notice and obtain consumers’ “affirmative express consent”, or opt-in, before their information is shared beyond previously established privacy settings.  Senator Markey is concerned that the new policy will automatically allow Facebook the right to use user information unless users expressly revoke permission, or opt-out, and this runs contrary to the settlement’s opt-in requirement.

The other main point in Senator Markey’s letter focuses on children under the age of 18.  Facebook’s new policies state to users under the age of 18 that “you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.”  Senator Markey is particularly concerned with this new policy and he points out that impressionable teens are still developing and learning safe online habits.  He cautions that “the FTC should pay close attention to any change that could harm our nation’s young people.

The Countdown to the HIPAA Omnibus Rule -- Are you Ready For September 23rd?

With the September 23, 2013 compliance date for the HIPAA Omnibus Rule only one week away, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have developed model Notices of Privacy Practices (“NPP”) to help health care providers and health plans ensure compliance with the HIPAA Privacy Rule and recent changes implemented under the Omnibus Rule.   Mintz Levin's Health Law Policy Matters blog has a complete discussion here.

Breach of the Week - 2 Million Vodafone Germany Customers

Another case of insider data theft.   “This criminal attack appears to have been executed by an individual working inside Vodafone,” the company said in a statement provided to SecurityWeek. “An individual has been identified by the police and their assets have been seized.”

Read more:   SecurityWeek

"Small" is No Excuse - Vermont AG Settles Suit Against Grocer in Data Incident

A small grocery store chain in Vermont agreed to pay $30,000 to settle claims that it failed to protect consumer data when customer credit card numbers were repeatedly stolen from its computers.  Natural Provisions, Inc., of Williston, Vermont, agreed to pay a civil penalty of $14,938, spend $15,062 to upgrade its information technology systems and take other steps to prevent future data breaches, according to the assurance of discontinuance  in the Vermont Superior Court.
 
The company, which specializes in organic and natural foods, said it was unaware of the requirements of the Vermont Security Breach Notice Act, according to the settlement, and apparently relied on a third party vendor to make sure it was secure.   Under the act, a business must work quickly to remedy a security breach, inform the attorney general within 14 days of the breach and tell customers within 45 days.   After learning from a local police department about reports that customer credit card numbers were stolen and abused, Natural Provisions didn't inform the attorney general for 45 days and didn't begin to fix the problem until a month later, the settlement said.
 
Read more:  Burlington Free Press
 
 
 

 

 

 

 

 

 

 

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.