Archive for November, 2011

Upcoming New, Streamlined BCR Regime to be Unveiled in Early 2012

Posted by fgilbert on November 30th, 2011

Very exciting news was provided at the IAPP EU Conference in Paris, which I have the pleasure of attending.

While we had hoped that Viviane Reding, the EU Vice President, would give in her keynote address an overview of the upcoming new EU Data Privacy Regulation, she focused instead on what is being planned for the overhaul of the BCR regime.

After noting that, as a result of the use of cloud computing services, data are being moved everywhere in the world, Ms. Reding encouraged companies to adopt global binding rules that govern the protection of personal information throughout the global enterprise, and to file applications for the approval of BCRs reflecting these global privacy rules.

When talking about the upcoming publication of the new Data Privacy Regulation in early 2012, Ms. Reding stated: “My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved.”

And in her concluding remarks she stressed: “Indeed, I encourage companies of all sizes to start working on their own binding corporate rules!”

Ms. Reding recognized that the current regime is cumbersome, and announced that in the new regime, the rules for BCR approval will be significantly streamlined.

The approval of one single DPA will be required. Thus, it is expected that the current “mutual recognition regime”, which is in effect in only a little more than half of the EU countries, will be replaced with a mandatory regime in which one DPA – probably that of the country where the entity has its EU headquarters – will be responsible for making all decisions related to the approval of the proposed BCRs.

After Ms. Reding left the IAPP conference, there was a discussion on what these BCRs would or should contain: whether they would be free-form documents drafted according to specific instructions, a template that companies would have to follow, or a form (like the current model contracts) with few possible changes. At this point, it is not clear what the upcoming regulation will allow or require. There was also a discussion on how to choose the country where the BCRs would be filed. One question raised was whether this would lead to forum shopping.

There is no reason to think that, at this point, the Safe Harbor program is in jeopardy or would become obsolete or irrelevant. It remains useful for certain categories of companies that have streamlined data flows. However, for entities with more complex data flows, it is clear that the new expectation from EU regulatory authorities will be for these companies to adopt binding corporate rules.

Ms. Reding’s prepared remarks are available at http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/817&format=HTML&aged=0&language=EN&guiLanguage=en, and a summary of her presentation at http://tinyurl.com/7zalu2o.

Never too Small to Face an FTC COPPA Action

Posted by fgilbert on November 9th, 2011

Some companies think that they are small, can fly under the radar, and need not worry about compliance. They should rethink their analysis of their legal risks after the recent FTC action against a small social networking site.

On November 8, 2011 the FTC announced a proposed settlement with the social networking site www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.

In this case, the personal information of 5,600 children was illegally collected. This was much less than the violations identified in some of the recent FTC COPPA enforcement actions. For example, the 2006 action against Xanga revealed that Xanga had collected 1.7 million records, the 2008 action against Sony, that Sony had collected 30,000 records, and the 2011 action against W3 Innovations identified 50,000 illegally collected records.

The Problem

The social networking site Skid-e-kids targeted children ages 7-14 and allowed them to register, create and update profile information, create public posts, upload pictures and videos, send messages to other Skid-e-kids members, and “friend” them.

According to the FTC complaint, the website owner – a sole proprietor – was charged with:

  • Failing to provide sufficient notice of its personal data handling practices on its website;
  • Failing to provide direct notice to parents about these practices; and
  • Failing to obtain verifiable parental consent.

In addition, these practices were found to be misleading and deceptive, which in turn was deemed to violate Section 5 of the FTC Act.

The site’s online privacy statement claimed that the site requires child users to provide a parent’s valid email address in order to register on the website, that it uses this address to send parents a message that can be used to activate the Skid-e-kids account and to notify the parent about its privacy practices, and that it may use the contact information to send the parent communications about features of the site.

According to the FTC, however, Skid-e-kids actually registered children on the website without collecting a parent’s email address or obtaining permission for their children to participate. Children who registered were able to provide personal information, including their date of birth, email address, first and last name, and city.

The Proposed Settlement

The proposed Consent Decree and Settlement Order against Jones O. Godwin, sole owner of the site www.skidekids.com is available at http://www.ftc.gov/os/caselist/1123033/111108skidekidsorder.pdf. The proposed settlement would:

  • Bar Skid-e-Kids from future violations of COPPA and from misrepresentations about the collection and use of children’s information;
  • Require the deletion of all information collected from children in violation of the COPPA Rule;
  • Require that the site post a clear and conspicuous link to www.onguardonline.gov, the FTC site focusing on the protection of children’s privacy, and that the site privacy statement as well as the privacy notice for parents also contain a reference to the On Guard Online site;
  • Require that, for 5 years, the company engage qualified privacy professionals to conduct annual assessments of the effectiveness of its privacy controls, or become a member in good standing of a COPPA Safe Harbor program approved by the FTC;
  • Require that, for 8 years, records be kept to demonstrate compliance with the above.

A lenient fine … subject to probation

An interesting aspect of the proposed settlement is that it, in effect, imposes only a $1,000 fine on the defendant. The fine is to be paid within five days of the entry of the order. However, if Skid-e-Kids fails to comply with certain requirements of the Settlement, it will have to pay the full $100,000 fine that is provided for in the settlement.

Specifically, a $100,000 fine will be assessed if:

  • The defendant fails (a) to have initial and annual privacy assessments (for a total of 5 annual assessments) conducted by a qualified professional approved by the FTC, identifying the privacy controls that have been implemented and how they have been implemented, and certifying that the controls are sufficiently effective; or (b) to become a member in good standing of a COPPA Safe Harbor program approved by the FTC for 5 years; or
  • The disclosures made about the defendant’s financial condition are materially inaccurate or contain material misrepresentations.

The Lesson for Sites with Children’s Content

This new case is a reminder that the COPPA Rule contains specific requirements that must be followed, no matter the size of the site, when intending to collect children’s personal information. The COPPA Rule defines procedures and processes that must be followed rigorously.

Among other things, the COPPA Rule requires websites that are directed to children, and general audience websites that have actual knowledge that they are collecting children’s information, to:

  • Place on their websites a conspicuous link to their privacy statement;
  • Provide specified information in the website privacy statement, describing in clear terms what personal information of children is collected and how it is used, and explaining what rights children and parents have to review and delete this information;
  • Provide a notice directly to the parents, which must include the website privacy statement, inform the parents that their consent is required for the collection and use of the children’s information by the site, and explain how their consent can be obtained;
  • Obtain verifiable consent from the parents before collecting or using the children’s information;
  • Give parents the option to agree to the collection and use of the children’s information without agreeing to the disclosure of this information to third parties.

In addition, we suggest also including, clearly and conspicuously, (a) in the website privacy statement, (b) in the notice to parents, and (c) at each location where personal information is collected, a notice that invites the user to visit the On Guard Online website of the Federal Trade Commission for tips on protecting children’s privacy online: www.onguardonline.gov/topics/kids-privacy.aspx.

New EU Directive on Consumer Rights Affects Website Terms

Posted by fgilbert on November 9th, 2011

In late October 2011, the European Council of Ministers formally adopted the new EU Consumer Rights Directive. The new Directive will drastically affect the rules that apply to online shopping. Numerous provisions will also apply to both the online and the offline markets.

Scope of the Consumer Rights Directive

The Directive is intended to protect “consumers,” i.e., all natural persons who are acting for purposes that are outside their trade, business, craft, or profession. It creates new obligations for “traders,” a broad term that encompasses all categories of persons who sell products or services. The Directive defines the term “trader” as any natural or legal person who is acting, directly or indirectly, for purposes relating to his or its trade, business, craft or profession in relation to contracts covered by the Directive. These contracts include: sales contracts, service contracts, distance contracts, off-premises contracts, and public auction contracts that are concluded between a trader and a consumer.

There are numerous exceptions, such as contracts for healthcare services, for financial services, for the construction of new buildings, for package travel, for passenger transport services, or contracts concluded by means of automatic vending machines.

Effect on US Companies

US companies that operate websites that sell to European customers, as well as their affiliates who make direct sales to EU consumers, must start evaluating the numerous consequences that the implementation of the Directive on Consumer Rights will have on their operations. The consequences include:

  • Practical consequences: The Directive introduces a new way of doing things. Thus, there will be a need to adapt the existing processes, procedures, and interactions with the customer to the new order. Forms and purchase orders will have to be revised.
  • Logistics: The Directive encourages returns. Under the new regime, customers will have 14 days to change their minds and return the purchased goods. Thus, the rate of returns will increase. Logistics will have to change to allow the company to handle a heavier rate of returns.
  • Financial consequences: Merchants and traders will have to bear more costs. For example, hotline services will be permitted to charge only the basic telephone rate for phone calls.
  • Rewrite of Terms: Terms of sale will have to be clearer and more explicit. For example, additional charges must be clearly explained, or the customer will not bear these charges. Thus, new terms will have to be drafted in order to communicate better with customers.

Overview of the changes

The Directive will require extensive changes in the Consumer Protection Laws of the Member States, including changes to implement the following requirements:

  • Pre-ticked boxes on websites will be banned

Pre-ticked boxes will be banned, so that consumers do not inadvertently get charged for options or services that they did not intend to purchase. Currently, consumers are frequently forced to untick these boxes if they do not want extra services.

  • Price transparency will be increased

Consumers will not have to pay charges or other costs if they were not properly informed before they place an order. Traders will be required to disclose the total cost of the product or service, as well as any extra fees.

  • Hidden charges and costs on the Internet will be eliminated

Consumers will be required to explicitly confirm that they understand that they have to pay a price. This measure is expected to prevent the hidden charges and costs that arise when companies try to trick consumers into paying for “free services,” such as horoscopes or recipes.

  • Surcharges for the use of hotlines prohibited

Traders who operate telephone hotlines allowing the consumer to contact them in relation to the contract will not be able to charge more than the basic telephone rate for the telephone calls.

  • Surcharges for the use of credit cards prohibited

Traders will not be able to charge consumers more for paying by credit card (or other means of payment) than what it actually costs the trader to offer such means of payment.

  • Better consumer protection in relation to digital products

Information on digital content will have to be clearer, including about its compatibility with hardware and software and the application of any technical protection measures, for example digital rights management applications, which limit the right for the consumers to make copies of the content.

  • 14 Days to change one’s mind on a purchase

Consumers will be able to return the goods that they purchased if they change their minds within 14 calendar days. This change extends by 7 days the current period during which purchases can be returned. In addition, if a seller has not clearly informed the customer about the right to return the goods, the return period will be extended to a year.

The 14-day return period will start from the moment the consumer receives the goods. The rules will apply to Internet, phone, and mail order sales, sales outside shops (e.g. on the consumer’s doorstep, in the street, at a home party or during an excursion organized by the trader).

The right of withdrawal is extended to online auctions, such as eBay. However, the ability to return goods bought in auctions will be limited to goods bought from a professional seller. In the case of digital content, such as music or video downloads, consumers will have a right to withdraw from purchases of digital content only up until the moment the actual downloading process begins.

  • Better refund rights

Traders will be required to refund consumers for the product within 14 days of the withdrawal. This includes the costs of delivery. In general, the trader will bear the risk for any damage to goods during transportation, until the consumer takes possession of the goods.

  • Clearer information on who pays for returning goods must be provided

Traders who want the consumer to bear the cost of returning goods after the consumer changes his or her mind will be required to clearly inform consumers about this requirement beforehand. Otherwise, they will have to pay for the return themselves.

At a minimum, they will have to clearly give, before the purchase, an estimate of the maximum costs of returning bulky goods (e.g. a sofa) bought on the Internet or through mail order.

  • Common rules will apply throughout the European Union

A single set of rules for distance contracts (sales by phone, post or internet) and off-premises contracts (sales away from a company’s premises, such as in the street or the doorstep) will apply throughout the European Union. Standard forms will be used, such as a form to comply with the information requirements on the right of withdrawal.

Implementation in the national laws

The EU Member States will have two years to implement the Directive into their national laws. The deadline for implementation will be computed from the date of publication of the Directive in the Official Journal of the European Union.

Based on experience with the implementation of other directives, we can expect that several EU countries will have implemented the Consumer Rights Directive by the end of 2013, and the remainder will follow during the following years. As always, the manner in which each country implements the Directive will be crucial. If the member states diverge in their interpretation of the Directive, websites that reach customers across borders will have to juggle these discrepancies.

Relations with existing directives

The Directive on Consumer Rights will replace the current Directive 97/7/EC on the protection of consumers in respect of distance contracts and the current Directive 85/577/EEC to protect consumers in respect of contracts negotiated away from business premises.

However, Directive 1999/44/EC on certain aspects of the sale of consumer goods and associated guarantees and Directive 93/13/EEC on unfair terms in consumer contracts will remain in force.