Compliance with a carrier’s CPNI certification obligations has provided steady fodder for this blog, with the annual Omnibus CPNI fines, unusual settlements and consistent enforcement focus from the FCC’s enforcement bureau.  With the start of a new year, the CPNI season begins anew.  Yeasterday, the FCC unofficially kicked off the 2012 CPNI certification season with

Back in 2007, in response to the pretexting controversy, the FCC strengthened its CPNI rules to require telecommunications carriers to authenticate a subscriber’s identity before providing call detail information.  The FCC rules required carriers to authenticate customers with a password or some other information that does not rely upon "readily available biographical information" before

Jameson Dempsey co-authored this blog post.

Hot on the heels of its recent lawsuit against Delta Airlines for alleged violations of the California Online Privacy Protection Act (“CalOPPA”), today the California Attorney General’s Privacy Enforcement and Protection Unit released its highly anticipated mobile privacy report, Privacy on the Go: Recommendations for the Mobile Ecosystem. The report, developed in collaboration with a wide array of industry stakeholders, provides a series of specific recommendations designed to promote “surprise minimization” for users of mobile applications.

Continue Reading

Barbara Miller co-authored this post.

A few years back, the use of deep packet inspection software – software that examines individual data packets in a broadband transmission – to deliver targeted advertising was a hot topic in regulatory and privacy circles.  Those activities spawned a series of cases against the DPI companies and their Internet Service Provider (“ISP”) partners.  In one such case, the ISP just won an important victory closing a potentially troublesome area of liability.  On December 28, 2012, in Kirch v. Embarq Management Co,  the Tenth Circuit held that an ISP was not liable under the Electronic Communications Privacy Act of 1986 (“ECPA”) for authorizing an online advertising company to collect and use certain customer electronic information for the purpose of targeted direct online advertising.  This ruling effectively ends this particular case against Embarq and likely will close a chapter in the deep-packet inspection saga.  However, because the Tenth Circuit’s finding is closely tied to the facts of this case, ISPs should carefully consider potential liability under the ECPA for any actions involving the collection of customer information for purposes other than provision of ISP services.

Continue Reading

Days before tomorrow’s Federal Trade Commission (FTC) Workshop on Mobile Disclosures, the FCC weighed in with a pair of releases on privacy and security issues raised by mobile devices.  In the first item released on Friday, the FCC is seeking to refresh its record regarding the privacy and data security practices of mobile wireless service providers in light of recent disclosures concerning software developed by CarrierIQ.  The FCC’s Public Notice seeks to update the record in a five-year-old rulemaking proceeding addressing carrier obligations in connection with devices that function on their networks.  In the second item released, the FCC released its staff report on location-based services (LBS).  Consistent with the approach of the Administration and the FTC (as was discussed at our 4th Annual Privacy Seminar), the FCC focused on ways carriers can protect information from misuse or mishandling, transparency in carrier disclosures and maximizing consumer choice in the use of LBS.

Collectively, the releases demonstrate that the FCC will continue to work cooperatively with the FTC and the Administration (including the NTIA) to address privacy issues in the mobile market. The FCC appears to believe it has sufficient statutory authority to act on mobile and device privacy, with its emphasis being on its jurisdiction over carrier practices in connection with both services and devices.

Josh Guyan contributed to this post.

Continue Reading

On July 14, 2011, a joint House Energy and Commerce Subcommittee hearing focused on online privacy policy and perspectives of the ‘big three’ federal agencies with potential jurisdiction over online privacy – the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the National Telecommunications and Information Administration (NTIA). The hearing, Internet Privacy: The

On January 21, 2011, Kelley Drye & Warren hosted the seminar and audiocast, "Privacy By Design, Choice, and Transparency: What a New Framework Will Mean for Business and Technology." The seminar highlighted key regulatory and legislative developments in privacy and information security law during the past year.

Click here to listen to the audio recording.

On January 20, Kelley Drye will host its 3rd annual privacy law seminar:
Privacy by Design, Choice and Transparency: What a New Framework Will Mean for Business and Technology.

As businesses strive to innovate and evolve using new technologies, federal agencies including the FTC and FCC, the Congress, and state regulators are increasing scrutiny on

Late last week, the Federal Trade Commission (“FTC”) issued a highly-anticipated staff report on privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report – which is preliminary in nature and does not reflect the views of the FTC (though it was approved and issued by the FTC) – proposes a new privacy framework for businesses and policymakers which is intended to be adopted next year by the FTC after public comment (due January 31, 2011) and further modification (which may or may not be significant). In other words, the proposals in the report provide insight as to what business can expect with respect to privacy compliance requirements and enforcement in the future and are not directly enforceable regulations right now. Readers should keep in mind, however, that there is much that is mentioned in the report that is enforceable right now and distinguishing the enforceable from the aspirational isn’t always easy.

Continue Reading

Yesterday, the FCC released an Order adopting a consent decree resolving several investigations into failures of AT&T’s CPNI opt-out practices. In the settlement, AT&T agreed to make a $200,000 voluntary contribution to the U.S. Treasury and to adopt a two-year Compliance Plan including monthly testing of its opt-out mechanisms, training and reporting requirements. The Order,