InfoBytes Blog

Financial Services Law Insights and Observations


  • Seventh Circuit Holds TCPA Does Not Preempt State Law Banning Robocalls

    Privacy, Cyber Risk & Data Security

    On November 21, the U.S. Court of Appeals for the Seventh Circuit held that the federal Telephone Consumer Protection Act (TCPA) does not preempt an Indiana statute that bans most robocalls without exempting calls that are not made for a commercial purpose. Patriotic Veterans, Inc. v. State of Indiana, No. 11-3265, 2013 WL 6114836 (7th Cir. Nov. 21, 2013). A not-for-profit Illinois corporation seeking to use automatically dialed interstate phone calls to deliver political messages to Indiana residents sought a declaration that the Indiana Automated Dialing Machine Statute (IADMS) violates the First Amendment, at least as it applies to political messages, and also is preempted by the TCPA, which expressly exempts non-commercial calls such as political calls from the TCPA’s regulation of autodialers. Overturning the district court’s decision, the Seventh Circuit found that the Indiana statute is not expressly preempted by the TCPA because the plain language of the TCPA’s savings clause states that the federal law does not preempt any state law that prohibits the use of automatic telephone dialing systems and, even if the IADMS is considered a regulation of, rather than a prohibition on, the use of autodialers, the savings clause does not at all address state laws that impose interstate regulations on their use. The court further found that the IADMS is not impliedly preempted by the TCPA because it is possible to comply with the state statute without violating the TCPA, the state statute furthers the TCPA’s purpose of protecting the privacy interests of residential telephone subscribers, and Congress did not intend to create field preemption when it enacted the TCPA. The court, however, remanded the case to the district court to consider whether the statute violates the First Amendment.

    TCPA Privacy/Cyber Risk & Data Security Appellate Seventh Circuit Autodialer

  • FTC To Host Consumer Privacy Seminars

    Privacy, Cyber Risk & Data Security

    On December 2, the FTC announced a series of seminars to be held in 2014 dedicated to the privacy implications of: (i) mobile device tracking—tracking consumers in retail and other businesses using signals from their mobile devices; (ii) alternative scoring products—using predictive scoring to determine consumers’ access to products and offers; and (iii) consumer-generated and controlled health data—information provided by consumers to non-HIPAA covered websites, health applications, and devices. The first two topics will be examined in forums held in Washington, DC on February 19, 2014 and March 19, 2014, respectively. Details for the third event have not been finalized.

    FTC Privacy/Cyber Risk & Data Security

  • Payment Card Group Refines Data Security Standards

    Privacy, Cyber Risk & Data Security

    On November 7, the PCI Security Standards Council (PCI SSC), an organization that develops standards for payment card security, released updated data security standards. One standard applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. The other standard applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. PCI SSC updates the standards every three years. This most recent update includes, among other things, requirements that payment card processors: (i) evaluate evolving malware threats for any systems not considered to be commonly affected; (ii) control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination; (iii) protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution; (iv) implement a methodology for penetration testing; (v) implement a process to respond to any alerts generated by the change-detection mechanism; and (vi) maintain information about which security requirements are managed by each service provider, and which are managed by the entity.

    Payment Systems Privacy/Cyber Risk & Data Security

  • Senate Commerce Committee Continues Data Broker Inquiries

    Privacy, Cyber Risk & Data Security

    Recently, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) continued his committee’s examination of the way data brokers collect and share personal information. The Senator sent a letter to one data broker seeking additional information about the broker’s customer vetting practices and how it shares consumer information with those customers. As the basis for the letter, Senator Rockefeller cited news reports alleging that a company acquired in March 2012 by the data broker receiving the letter had sold data to an identity theft scheme. At least one report suggested that the alleged activity continued after the broker conducted its due diligence and completed the acquisition. The Senator’s letter also poses follow-up questions based on the broker’s response to the Senator’s original October 2012 request to numerous data brokers, which the Senator expanded to include other industry participants in September 2013.

    Consumer Reporting U.S. Senate Privacy/Cyber Risk & Data Security

  • Federal Court Holds Email Addresses Are PII Under California Credit Card Act

    Privacy, Cyber Risk & Data Security

    On October 21, the U.S. District Court for the Eastern District of California held that email addresses are personal identification information (PII) under California’s Song-Beverly Credit Card Act. Capp v. Nordstrom, Inc., No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013). In this case, a customer sued a retailer on behalf of a putative class after the retailer sought the customer’s email address in connection with a credit card transaction to provide the customer with an electronic receipt. The customer alleged that the retailer subsequently used the email address to send unsolicited marketing materials. Following the California Supreme Court’s ruling in Pineda v. Williams Sonoma, in which the court held that a ZIP code is part of a person’s address and constitutes PII, the court here predicted that the state supreme court also would hold that an email address constitutes PII. Citing the statute’s broad terms and its overarching objective to protect the personal privacy of consumers who make purchases with credit cards, the district court held that the alleged conduct directly implicated the purposes of the statute. The district court also rejected the retailer’s argument that, if email addresses constitute PII, then the customer’s claim would be preempted by the CAN-SPAM Act, which regulates unsolicited commercial electronic mail, i.e. “spam.” The court held that the Song-Beverly Act claims were not subject to the CAN-SPAM Act’s express preemption clause because the Song-Beverly Act applies only to email addresses and does not regulate the content or transmission of email messages.

    Credit Cards Class Action Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • NIST Releases Preliminary Cybersecurity Framework

    Privacy, Cyber Risk & Data Security

    On October 22, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework pursuant to President Obama’s Executive Order 13636, titled Improving Critical Infrastructure Cybersecurity. The Preliminary Framework seeks to help critical infrastructure owners and operators reduce cybersecurity risks through voluntary best practices. The financial services sector is one of the many sectors identified as a critical sector, and NIST notes that the Preliminary Framework can be applied by organizations beyond those contemplated by the Executive Order. The Preliminary Framework outlines steps that can be customized to various sectors and adapted by organizations of any size while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The Preliminary Framework is intended to help all organizations identify and prioritize opportunities for improving cybersecurity risk management. NIST will accept public comments for 45 days, will hold a workshop on the Preliminary Framework on November 14 and 15 at North Carolina State University, and will release the finalized framework in February 2014, as required by the Executive Order.

    Privacy/Cyber Risk & Data Security NIST

  • EU Parliament Committee Approves Data Protection Overhaul

    Privacy, Cyber Risk & Data Security

    On October 21, the EU Parliament civil liberties committee voted overwhelmingly to adopt amendments to EU data protection rules and to require stiffer fines for non-compliance. The rules are designed to increase individual control over personal data while at the same time making it easier for companies to move across Europe, the committee explained. Under the adopted amendments, if a third country requests a company (e.g., a search engine, social network, or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorization from the national data protection authority before transferring any data and would have to inform the individual of the request. The amendments would grant any person the right to have their personal data erased if he/she requests it. It also would require that, where processing of personal information is based on consent, an organization or company could process the information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. Finally, the amendments would increase the cap for penalties for violations to $136.7 million or up to 5 percent of the violating company’s annual worldwide turnover, whichever is greater. The committee directed the EU Parliament to start negotiations with national governments in the European Council, which would be followed by inter-institutional talks. According to the committee release, Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. The 91 amendments are available in two parts, here and here.

    European Union Privacy/Cyber Risk & Data Security

  • New TCPA Express Written Consent Requirement Takes Effect

    Privacy, Cyber Risk & Data Security

    On October 16, new rules took effect that require businesses to obtain express written consent before making certain telemarketing calls to customers. The rules arise from a February 2012 Report and Order issued pursuant to the Telephone Consumer Protection Act (TCPA), in which the Federal Communications Commission (FCC): (i) required that businesses obtain prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers and residential lines, (ii) allowed consumers to opt out of future robocalls during a robocall, and (iii) limited permissible abandoned calls on a per-calling-campaign basis. While the consumer opt-out and abandoned call limitations are already in effect, compliance with the express written consent requirement was not mandated until now. The rules require that the written consent be signed and be sufficient to show that the customer: (i) receives “clear and conspicuous disclosure” of the consequences of providing the requested consent and (ii) having received this information, agrees unambiguously to receive such calls at a telephone number the consumer designates. In addition, the rules require the written agreement to be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” The FCC rule allows electronic or digital forms of signatures obtained in compliance with the E-SIGN Act—e.g., agreements obtained via a compliant email, website form, text message, telephone keypress, or voice recording—to satisfy the written requirement. The FCC also removed an exemption that allowed businesses to demonstrate consent based on an “established business relationship” between the caller and customer.

    TCPA ESIGN Electronic Signatures Privacy/Cyber Risk & Data Security

  • EU Working Group Advises Companies On Obtaining Consent For Cookies

    Privacy, Cyber Risk & Data Security

    On October 8, the EU’s Article 29 Data Protection Working Party, which represents all 28 data protection authorities of the EU countries, released a document to provide guidance to website operators for obtaining consent for use of cookies on their websites. The guidance notes that implementation of the e-Privacy Directive that requires such consent varies by member state, and that practices for obtaining user consent for storage of or access to cookies also vary. The Working Party therefore identifies the main elements of valid consent, implementation of which would ensure compliance with each member state’s implementation of the directive: (i) specific information, (ii) timing, (iii) active choice, and (iv) freely given. The document provides further detail on each of the elements.

    Mobile Commerce European Union Privacy/Cyber Risk & Data Security

  • California Approves Petition for Personal Privacy Ballot Initiative

    Privacy, Cyber Risk & Data Security

    Recently, the California Secretary of State announced that the proponents of a new initiative regarding personally identifying information (PII) may begin collecting petition signatures for their proposed ballot measure. The potential ballot measure would propose a constitutional amendment that would create a presumption that an individual's PII—including financial or health information—is confidential when collected for a commercial or governmental purpose, and would create a presumption of harm when PII is disclosed without the subject’s authorization. The measure also would require a collector of PII to use all reasonably available means to protect it from unauthorized disclosure. The ballot measure proponents have until February 14, 2014 to collect 807,615 registered voters’ signatures in order to qualify it for the ballot.

    Privacy/Cyber Risk & Data Security
