Archive for September, 2014

Yelp to pay $450,000 penalty for COPPA violation

Posted by fgilbert on September 17th, 2014

The Federal Trade Commission has announced a proposed settlement with Yelp, Inc. for COPPA violations. The FTC alleged that, for five years, Yelp illegally collected and used the personal information of children under 13 who registered on its mobile app service.

According to the FTC complaint, Yelp collected personal information from children through the Yelp app without first notifying parents and obtaining their consent. The Yelp app registration process required individuals to provide their date of birth. Several thousand registrants provided a date of birth showing they were under 13 years old. Even though it had knowledge that these registrants were children, Yelp did not follow the requirements of the COPPA Rule and collected their personal information without proper notice to, and consent from, their parents. Information collected included name, e-mail address, geolocation, and any other information that these children posted on Yelp. In addition, the complaint alleges that Yelp did not adequately test its app to ensure that users under 13 were prohibited from registering.

Under the terms of the proposed settlement agreement, among other things, Yelp must:

  • pay a $450,000 civil penalty;
  • delete information it collected from individuals who stated they were 13 or younger at the time they registered for the service; and
  • submit a compliance report to the FTC in one year outlining its COPPA compliance program.

In a separate action, the FTC alleged that TinyCo also improperly collected children's information in violation of COPPA. Under the settlement agreement between TinyCo and the FTC, TinyCo will pay a $300,000 civil penalty.

Verizon to pay $7.4 million to settle FCC privacy enforcement action

Posted by fgilbert on September 8th, 2014

The Enforcement Bureau of the Federal Communications Commission (FCC) reached a $7.4 million settlement with Verizon on September 3, 2014, after an investigation into the company’s use of customers’ personal information for marketing purposes. This $7.4 million fine is the largest such payment in the FCC’s history for settling an investigation related solely to the privacy of phone customers’ personal information.

Section 222 of the Communications Act, entitled “Privacy of Customer Information,” imposes a duty on every telecommunications carrier to protect the “proprietary information” of its customers. These obligations are further clarified in the Customer Proprietary Network Information Rules (CPNI Rules) of the FCC.

Among other things, phone companies are prohibited from accessing or using certain personal information except in limited circumstances. To be able to use customers’ information for certain marketing purposes, phone companies must obtain the approval of their customers through an opt-in or an opt-out. When that process is not working, the phone company must report the problem to the FCC within five business days.

The FCC investigation found that, beginning in 2006, and continuing for seven years thereafter, Verizon failed to notify approximately two million new customers, in their welcome letters or on their first invoices, of their privacy rights, including how to opt out of having their personal information used in marketing campaigns. Further, Verizon failed to discover this deficiency until September 2012, and failed to notify the FCC until January 2013, over four months later.

Verizon represented that it took remediation efforts following discovery of the problem, including sending opt-out notices, banning all marketing, and implementing a new program to place a CPNI opt-out notice on every invoice, each month, for all the potentially affected customers (consumers and small and medium-sized business customers).

In addition to the $7.4 million fine, to be paid to the US Treasury, Verizon will be required to improve its privacy practices, including, among others, to:

  • Designate a senior corporate manager to serve as compliance manager responsible for implementing and administering Verizon’s compliance plan;
  • Notify all Verizon directors, officers, managers and employees of the terms of the consent order;
  • Establish operating procedures to ensure compliance with the consent order;
  • Develop and distribute a compliance manual regarding the handling of customer information;
  • Establish a compliance training program;
  • Notify customers of their opt-out rights on every bill;
  • Monitor and test its billing system and opt-out notice process on a monthly basis, to ensure that customers are receiving appropriate notices;
  • Report any detected problem to the FCC within 5 business days;
  • Report any non-compliance to the FCC within 30 calendar days.

Several of the compliance obligations listed above terminate three years after the date of the Consent Decree.

The Federal Trade Commission is only one of the federal agencies charged with the protection of personal information. Several agencies have sectoral responsibilities, as well. As discussed above, Section 222 of the Federal Communications Act and the related CPNI Rules contain important provisions regarding the privacy of the personal information of phone users. These provisions are enforced by the Federal Communications Commission.