February 13, 2017

Data, Privacy & Security Practice Report – February 13, 2017


Vizio Pays $2.2 Million To Settle With The FTC Over Its Data Collection And Sharing Practices—On February 6, 2017, Vizio Inc., a manufacturer and seller of internet-connected “smart” televisions, agreed to pay $2.2 million to settle allegations by the Federal Trade Commission (“FTC”) and the Office of the New Jersey Attorney General that Vizio installed software on its TVs to collect and sell data detailing the viewing habits of 11 million consumers without their knowledge or consent.  The settlement requires that going forward Vizio obtain affirmative consent from consumers for its data collection and sharing practices and implement a comprehensive data privacy program. 

According to the FTC’s and New Jersey Attorney General’s complaint, Vizio developed and installed on its TVs automated content recognition (“ACR”) software, which it used to collect from its TVs information about what a consumer was watching on a second-by-second basis.  Vizio appended specific demographic information to the viewing data, such as sex, age, income, marital status, household size, education level, home ownership, and household value.  Vizio then sold this information to third parties, who used the information for various purposes, including targeting advertising to consumers across devices.  According to Vizio, the ACR program never paired viewing data with personally identifiable information of the consumers, such as name or contact information.

According to the complaint, this practice constituted an unfair and deceptive act or practice under the Federal Trade Commission Act and an unconscionable commercial practice under the New Jersey Consumer Fraud Act because Vizio touted its “Smart Interactivity” feature that “enables program offers and suggestions,” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data.

Under the settlement, Vizio will pay $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of the amount going to New Jersey suspended and eligible to be vacated after five years if Vizio complies with certain provisions of the agreement.  Those provisions include the requirements that Vizio (1) prominently disclose and obtain affirmative express consent for its data collection and sharing practices, (2) delete all data collected prior to March 1, 2016, (3) implement a comprehensive data privacy program, (4) regularly report on the progress of that program, and (5) permit the FTC or New Jersey Attorney General to monitor Vizio’s compliance by interviewing anyone affiliated with Vizio or even posing as a consumer or other supplier to ensure Vizio’s compliance.  According to Vizio, going forward, “this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices.” 

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com.

House Legislation Purports To Require Warrants For All Email—On February 6, 2017, the U.S. House of Representatives unanimously passed the Email Privacy Act (the “Act”), co-sponsored by Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO), which would require law enforcement to obtain a warrant to search any email messages, regardless of the age of the emails.  The Act has garnered wide support among technology companies and civil liberties groups, but could face continued opposition from Republicans in the U.S. Senate. 

Under current law (the Stored Communications Act, enacted as part of the 1986 Communications Privacy Act), a warrant is required for the disclosure of the contents of emails stored for 180 days or fewer.  See 18 U.S.C. § 2703.  However, email messages stored for a longer period may be disclosed under an administrative subpoena, which does not require court approval.  Moreover, an administrative subpoena in some cases permits notice to the subscriber of the request to be delayed for up to ninety days.  In United States v. Warshak, 631 F.3d 266 (2010), the U.S. Court of Appeals for the Sixth Circuit held that email subscribers have a reasonable expectation of privacy in their stored email messages under the Fourth Amendment, rendering these warrantless search options unconstitutional.  However, in the years since, no other federal appellate court has reached the same conclusion. 

The Act has a long history in prior sessions of Congress, most recently having passed the House unanimously in 2016 only to be derailed in the Senate Committee on the Judiciary, where it faced an amendment intended to weaken its restrictions with respect to exigent circumstances.  That amendment, offered by then-Senator Jeff Sessions (R-AL), would have required disclosure of email contents (as well as metadata) upon a “certification … that an emergency involving the danger of death or serious physical injury requires disclosure without delay.”

Whether the same fate awaits the Act in the 115th Congress remains to be seen, particularly given the recent confirmation of Senator Sessions as U.S. Attorney General.  Email storage was an issue in the 2016 presidential campaign, and this attention could make the Act more salient to activists in both parties.

Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715, dray@kslaw.com.  

Government Accountability Office Issues Report On Department Of Homeland Security’s National Cybersecurity And Communications Integration Center—On February 1, 2017, the United States Government Accountability Office (“GAO”) published a report assessing the performance and effectiveness of the National Cybersecurity and Communications Integration Center (“NCCIC”) of the Department of Homeland Security (“DHS”). 

The NCCIC is statutorily required to perform cybersecurity-related functions set forth in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, including, for example, the coordination of sharing cybersecurity-related information between the federal and state governments and across multiple sectors.  The GAO’s report generally finds that the NCCIC has taken steps to perform each of its statutorily required functions, while noting that the NCCIC has not yet established metrics and methods to evaluate its performance of those functions in accordance with required principles.  The report provides a series of recommendations for NCCIC to improve its effectiveness and efficiency.

One of the report’s findings relates to NCCIC’s required function of coordinating the sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks and incidents across the federal government.  According to the report, cybersecurity incidents that are reported to the NCCIC may be reported to either the NCCIC Operations and Integration Service Desk or the Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”), and the NCCIC service desk is not able to access data from the ICS-CERT incident reporting system.  During its study of the NCCIC, the GAO found that, because of the separate incident reporting systems, NCCIC officials were not able to track the status of all cybersecurity incidents reported to the NCCIC.  The GAO’s report therefore notes that the lack of a centralized incident tracking system hinders the NCCIC’s ability to effectively coordinate sharing of information.

The GAO’s one-page summary that provides highlights of the report is available here.

Reporter, Stephen R. Shin, Atlanta, +1 404 572 3502, sshin@kslaw.com.

Russia Supreme Court Rules On Phone Recordings—In a December 6, 2016 ruling [No. 35-KG16-18], the Supreme Court of Russia confirmed that secret recordings of telephone conversations can be admissible evidence in certain circumstances, changing a long-standing position.  

The plaintiff in the case had made audio recordings of telephone conversations in which the other party to the conversation was recorded without knowledge or consent.  The plaintiff sought to use the recordings to prove that the spouse of the person to whom she lent money was also a party to the loan, so that the spouse would be responsible for repaying the amount borrowed after the couple had divorced.  The lower court, however, held that the recordings were inadmissible.

Although the recordings were made without the other party’s knowledge—which was the reason the lower court ruled that the recordings were inadmissible—the Supreme Court decided that the privacy rules and limitations protecting private life were not applicable because (1) the recordings were made by one of the parties to the conversation and (2) the recordings were related to a contractual relationship between the parties.  The case was returned for review on the merits to the lower court, which will be required to accept the recordings as evidence.

Prior to this case, Russian courts had always rejected recordings of conversations made without consent of all parties as improperly collected and intruding on privacy—and therefore inadmissible.  The new position of the Supreme Court may lead to widespread admission of secretly-made recordings as evidence of contractual terms and parties’ verbal arrangements.

Reporter, Xenia Melkova, Moscow, +7 495 228 8500, xmelkova@kslaw.com.  

ALSO IN THE NEWS

King & Spalding’s 2017 Cybersecurity & Privacy Summit—On Monday, April 24, 2017, please join the cybersecurity and privacy experts at King & Spalding for the 2017 Cybersecurity & Privacy Summit.  This event is for legal and business professionals who want to participate in a discussion about the latest developments and strategies for data protection.  King & Spalding will provide a registration link in the coming weeks.