
APRIL 26, 2011

PRIVACY, DATA SECURITY & INFORMATION LAW UPDATE

Significant New Online Privacy Legislation Introduced in Congress as the FTC Presses Ahead with a Novel Enforcement Action Against Google
Congressional interest in online privacy continued to rise with the introduction of significant new legislation to regulate the collection and use of consumer information online. In the Senate, Commerce Committee member John Kerry (D-Mass.) and former Commerce Committee Chairman John McCain (R-Ariz.) formally introduced what may be the most significant piece of privacy legislation in several years, entitled The Commercial Privacy Bill of Rights Act of 2011 (S. 799). Although the bill faces significant hurdles, the draft legislation has considerable support in the Administration and among a number of leading technology companies. If passed, the Kerry-McCain bill would establish an omnibus data protection regime based on fair information practice principles (FIPPs) broadly applicable across all industry sectors, with some limitations for already-regulated areas. Financial institutions, however, would continue to be primarily subject to the privacy and security obligations of the Gramm-Leach-Bliley Act and other financial statutes. Moreover, banks, securities firms and insurance companies would be excluded from the bill, except to the extent such financial institutions may be subject to concurrent FTC jurisdiction under existing law. Similarly, covered entities subject to healthcare privacy regulations issued under HIPAA would be governed by those regulations rather than the provisions of the new bill. Significantly, the bill may alter the privacy framework for telecommunications carriers and cable companies by subordinating the existing customer privacy rules in the Communications Act to Kerry-McCain: coverage of CPNI data (customer proprietary network information) is intended to shift from the Communications Act to Kerry-McCain.[1] While the ultimate import of the legislative language is not entirely predictable, it may level the Internet playing field between telecom carriers, which are now highly regulated, and other online companies, which have been less regulated.

The significance of the FIPPs-based approach is that Kerry-McCain is not merely a bill requiring disclosure of privacy practices; it intends to set substantive, baseline standards regarding what practices are legally acceptable. Companies would be required to give a clear and concise notice of the uses of their personally identifiable information (PII), as many already do. But individuals would also have a right to opt out of unauthorized uses of non-sensitive PII, and opt-in consent would be required both for any use of sensitive PII and for transfers or uses that were materially different from those specified in the notice and that created a risk of harm to the individual. The bill would also require a mechanism for individuals to access and correct their PII, but it does not establish a "do not track" mechanism. The primary alternative to the Kerry-McCain bill is a revised version of the Boucher-Stearns privacy bill floated widely in the last Congress. This Congressional term Rep. Cliff Stearns (R-Fla.), together with Rep. Jim Matheson (D-Utah), has introduced privacy legislation in the House that is less prescriptive than Kerry-McCain. (We understand that former Congressman Rick Boucher will shortly be making an announcement regarding his plans for private law practice.) The Stearns-Matheson bill, entitled the Consumer Privacy Protection Act of 2011 (H.R. 1528), would require companies to publish privacy policies to inform consumers about the collection, use and transfer of PII. It does not regulate as intensively as the Kerry-McCain legislation, either by creating a Consumer Bill of Rights or by empowering the FTC to engage in extensive rulemaking. Instead, the bill relies primarily on the prophylactic technique of requiring the disclosure of privacy practices, as well as on self-regulatory programs developed by the data collection industry and approved by the FTC. The Stearns-Matheson bill does not cover any employee data, since it expressly applies only to consumer information. Kerry-McCain probably does not intend to exclude employee data from its regulation of privacy. However, while the bill references a consumer bill of rights, it does not mention "employee" data anywhere in the legislation. Moreover, the FTC's current authority to regulate workplace privacy and employers qua employers is controversial. The Kerry-McCain bill does not clear up that controversy.

[1] Section 601(c) provides: "If a person is subject to a provision of section 222 or 631 of the Communications Act of 1934 (47 U.S.C. 222 and 551) and a provision of this Act, such provision of such section 222 or 631 shall not apply to such person to the extent that such provision of this Act applies to such person."

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.
In any event, the fact that serious privacy legislation has been introduced in both Houses, with bipartisan sponsors, suggests that Congress may take up the issue before the next election, although the legislative environment is particularly challenging at present. Moreover, no significant congressional leaders of either party have gone on record objecting categorically to federal privacy legislation. This Alert summarizes and compares the provisions of the two bills. In addition, we discuss the FTC's recent enforcement action against Google over Google Buzz. This action may have significant implications for other online businesses and social media networks.

FTC Authority
The two bills vary profoundly on the question of FTC authority. Kerry-McCain empowers, indeed requires, the FTC to engage in broad new rulemaking under the Administrative Procedure Act (APA). This will likely be somewhat controversial. Stearns-Matheson, on the other hand, would not endow the FTC with new rulemaking authority under the APA. Both bills look to the FTC to enforce privacy violations as unfair or deceptive acts or practices. The Kerry-McCain bill looks to the Commerce Department to convene industry groups to work on codes of conduct and to promote international interoperability of privacy norms, while the Stearns-Matheson bill has no similar measure. Neither bill enhances the Administration's authority over the development of federal privacy policy, instead leaving the field largely to the FTC, an independent agency. Accordingly, President Obama's recent affirmation that cost-benefit principles must be applied to federal regulation in order to promote technological innovation and job growth would not necessarily govern the FTC's interpretation and enforcement of the new privacy legislation. To be sure, however, the FTC's preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, expressed the desire to preserve the substantial consumer benefits made possible through the flow of information.

Impact on Other Federal Privacy and Security Laws

While the Kerry-McCain bill recites a congressional finding that the U.S. data privacy regime is inadequate, it nonetheless sets forth a list of 14 federal privacy laws that are currently in effect. Indeed, the bill provides that these existing privacy laws take precedence over the provisions of Kerry-McCain. In addition to these 14 laws, the bill refers to the existing privacy provisions in the Communications and Cable Acts (applicable to telecom carriers and cable companies), but here the bill provides that the provisions of Kerry-McCain take precedence over such existing laws. The Stearns-Matheson bill recites a list of 18 currently applicable privacy laws. Stearns-Matheson would leave such laws unaffected.

Preemption of State Laws


Significantly, both bills contain substantial preemption of certain state laws. It is thus likely that both bills would succeed in preempting general state laws setting privacy and data security standards. The Kerry-McCain bill, however, expressly disclaims preemption of state data breach notification statutes, and of state privacy laws regarding financial or health information. The Stearns-Matheson bill preempts any provision of state statutory law, regulation, rule or common law that relates to or affects the collection, use, sale, disclosure, retention, or dissemination of personally identifiable information in commerce. It seems likely that the Massachusetts data security law, and similar state information security statutes, would be preempted by both bills at least with regard to consumer information (as opposed to employment-related human resources data).

State Enforcement; Treatment of Employee Data


States are not authorized to enforce the provisions of Stearns-Matheson. Stearns-Matheson would not apply to the handling of personal information of employees, as distinct from consumer information. Kerry-McCain does not expressly address employee data or other HR information, but rather covers all personal information subject to the jurisdiction of the FTC, the FCC (for telecom carriers and cable companies), and non-profit organizations. While the FTC has taken the position that it has jurisdiction over employee data, this authority has not been conclusively established and Kerry-McCain does not clarify the issue.

Private Right of Action Rejected


Both Kerry-McCain and Stearns-Matheson expressly reject the creation of a private right of action to enforce the new legislative standards.

Administration Support for the Kerry-McCain Privacy Bill


Although several proposals for comprehensive privacy laws in the U.S. have surfaced over the past several years, none has attracted broad support. The Kerry-McCain bill, on the other hand, appears to have some bipartisan support, as well as the backing of the White House and several major technology companies. The reception from consumer advocacy organizations has been mixed. Significantly, financial institutions outside the jurisdiction of the FTC have been carved out from the legislation. Even before the legislation was formally introduced, Department of Commerce Assistant Secretary Strickling announced the Obama Administration's support for new privacy legislation in a Senate Commerce Committee hearing. The Administration's support for new legislation was based on its conclusion that reaching the full potential of the Internet requires the development of a new set of baseline rules that protect consumer privacy while avoiding a complicated regulatory system.[2] Specifically, the Assistant Secretary outlined three elements the Administration wanted to include, all of which are consistent with the new Kerry-McCain bill:

1) Establish a Consumer Privacy Bill of Rights based on comprehensive and accepted Fair Information Practice Principles (FIPPs).
2) Strengthen the powers of the Federal Trade Commission (FTC) regarding enforcement of online consumer privacy.
3) Incentivize the development of codes of conduct by industry, including enabling the FTC to create safe harbors for companies meeting the baseline requirements.

In announcing this position, the Administration built on the policy proposals in the Department of Commerce's Green Paper on data privacy, which was released in December 2010 and played an important role in the Kerry-McCain bill. The Green Paper generally received a positive reception from the business community due to its approach of creating a fair information practices-based regime with a non-enforcement entity at the Department of Commerce working with industry to develop voluntary privacy codes of conduct for the private sector. Several industry groups commented that well-crafted legislation would have a positive impact on e-commerce by providing baseline protections that could keep up with changing technology and maintain consumer trust. In a blog post on the Department of Commerce website the same day, Cameron Kerry, General Counsel of the Department of Commerce, Co-Chair of the Privacy and Internet Policy Subcommittee of the White House National Science and Technology Council (and Sen. Kerry's brother), amplified the Administration's support for a consumer privacy bill of rights and highlighted two other key priority areas for the Administration in information privacy legislation:

1) Promoting global interoperability through Administration efforts and legislation that would reduce the multiple compliance burdens multinational companies currently face.
2) Enacting a federal consumer data security breach notification law to address inconsistencies among state laws.[3]

Cameron Kerry's blog post emphasized that, regardless of whether new legislation was passed, the Administration would continue to work with other stakeholders, including the FTC, to enhance privacy protections by developing enforceable best practices or codes of conduct for consumer data privacy. Although the Kerry-McCain bill may be better poised for passage than other similar efforts and has strong White House support, it still faces significant congressional hurdles. Some privacy advocates remain concerned about the strength of the bill, and elements of the online advertising community and some business organizations may oppose the legislation. The tremendous national debate over competing tax and spending reform proposals may effectively stall other major legislation. Committee jurisdiction may also be an issue in the Senate. Sen. Kerry clearly intended the bill to go through the Senate Commerce Committee, where he is a member and where Sen. McCain, who previously served as Commerce Committee Chairman, was a member until January 2011. The Senate Judiciary Committee, however, led by Sen. Patrick Leahy (D-Vt.), recently created a new Subcommittee on Privacy, Technology and the Law, which will be chaired by prominent progressive Sen. Al Franken (D-Minn.) with Sen. Tom Coburn (R-Okla.) serving as ranking member. The subcommittee will have oversight of laws and policies touching the commercial data lifecycle in the private sector, including issues such as behavioral advertising and social networking. In announcing the new subcommittee, which came shortly before Sen. Kerry and the Commerce Committee introduced this new bill, Sen. Leahy noted that privacy is one of his top priorities as Chairman of the Judiciary Committee. Sens. Jay Rockefeller (D-W.Va.) and Kay Bailey Hutchison (R-Tex.), the Chair and Ranking Member of the Commerce Committee, respectively, took the unusual step of sending a public letter to Sen. Leahy asserting the Commerce Committee's jurisdiction over data privacy.

[2] Testimony of Lawrence E. Strickling, Assistant Secretary for Communications and Information, Department of Commerce, Before the Senate Committee on Commerce, Science, and Transportation, Mar. 16, 2011, at 6 ("Strickling Testimony") (available at http://commerce.senate.gov/public/?a=Files.Serve&File_id=9e90bd89-dcb9-42c3-a8b7-e59c126b8fad).

[3] Cameron Kerry, General Counsel, Department of Commerce, Protecting Consumers & Promoting Innovation Online: A Call for Baseline Privacy Legislation, Dep't of Commerce Blog (Mar. 16, 2011, 11:00 AM), http://www.commerce.gov/blog.


The Stearns Alternative in the House of Representatives


In the House of Representatives, the situation is even less clear than in the Senate, especially in light of the new Republican majority and the untested views of the Republican Tea Party regarding consumer privacy. Privacy issues, however, are a common topic in several proposals unveiled in the House early in this Congress. Moreover, privacy has been discussed in a relatively non-partisan tone for a number of years. Only one day after the much-anticipated formal announcement of the Kerry-McCain legislation, Rep. Cliff Stearns (R-Fla.), reprising legislation he crafted with former Congressman Rick Boucher, introduced an alternative bill, now co-sponsored by Rep. Jim Matheson (D-Utah), that would also require companies to create privacy policies to inform consumers about the collection, use and transfer of PII. As seen in more detail in the chart below, the Stearns bill takes a more limited, disclosure-based approach than the Kerry-McCain bill, relying heavily on industry-developed, self-regulatory programs as the primary method for developing the specific compliance rules and mechanisms. Under that bill, covered entities must develop a privacy policy, make that policy easily available to consumers, and provide a notice when PII may be used for a purpose other than the transaction for which the information was collected, or when there is a material change in the privacy policy. Consumers must also be given an opportunity to opt out of the sale or disclosure of their information to third parties. The FTC is directed to approve self-regulatory programs that are substantially equivalent to or exceed these requirements and include both mechanisms for monitoring participants and a dispute resolution process. The FTC is also given sole responsibility for enforcement of the bill's provisions, and civil fines are capped at $500,000 for related violations by a single entity.

Additionally, Rep. Darrell Issa (R-Cal.), the Chair of the House Committee on Oversight and Government Reform, has indicated that privacy is one of the key elements of his two-year oversight plan. And Rep. Jackie Speier (D-Cal.) introduced a bill known as the Do Not Track Me Online Act (H.R. 654), which would establish general privacy and data collection standards, as well as authorize the FTC to develop a Do-Not-Track program for online advertisers, including a consistent consumer opt-out. In light of this, the House has several options on how to proceed, including passing one of the bills introduced there, taking up the Kerry-McCain bill if it passes the Senate, passing something similar to the Kerry-McCain bill and working out the differences in conference, or simply ignoring the issue and letting it pass into the next Congress. Interestingly, however, several Tea Party House members, as well as other Republicans, have shown significant interest in the issue of privacy, and could prove to be important in getting a privacy bill through the House this Congress. Rep. Stearns said the following about his bill: "I believe that our approach of greater consumer notice and choice balances the needs of privacy and innovation and provides the necessary flexibility and avoids . . . unnecessary government intervention." In contrast, following the Administration's call for a consumer privacy bill of rights, Rep. Mary Bono Mack (R-Cal.), who chairs the House Subcommittee on Commerce, Manufacturing and Trade, which has the lead on online privacy matters, said that "Privacy is a critically-important issue, but a very difficult area in which to legislate. First, we should take a close look at whether current privacy laws are allowing the U.S. technology sector to maintain its position as the world's high-tech leader." These statements make clear that while there is considerable consensus on the importance of privacy, there is less agreement on the right approach to regulating it.


Comparison of the Kerry-McCain and Stearns-Matheson Legislation

Covered Entities
  Kerry-McCain: Any entity that collects, uses, transfers or stores covered information about more than 5,000 individuals during a 12-month period and is (1) regulated by the FTC, (2) a common carrier subject to FCC jurisdiction, or (3) a non-profit organization.
  Stearns-Matheson: Any entity that collects, sells, discloses for consideration or uses PII of more than 5,000 consumers in any 12-month period, including non-profit organizations.

Excluded Covered Entities
  Kerry-McCain: Industries such as banks and other financial institutions outside of the FTC's jurisdiction. Entities covered by provisions of specifically enumerated federal privacy laws are excluded from conflicting provisions.
  Stearns-Matheson: Government agencies, data processing outsourcing entities and professional service providers that are obligated by rules of professional ethics or law not to disclose confidential information without consent.

Covered Information
  Kerry-McCain: Broad definition of PII that includes names, addresses, email addresses, telephone numbers, social security numbers and credit card numbers. Also introduces two new concepts: (1) Unique Identifier Information, defined as information associated with a person or device, which includes geographic location if used in connection with a name, as well as IP and MAC addresses, processor or device serial numbers, and customer ID numbers in cookies; and (2) Sensitive PII, defined as information that carries a significant risk of economic or physical harm if inappropriately disclosed or compromised, or information related to a particular medical condition or the individual's religious affiliation.
  Stearns-Matheson: Individually identifying information relating to a living individual who can be identified, including name, address, email address, telephone and cell number, social security number, and full debit or credit card number. Birth dates and IP addresses are included if used in combination with one of the previously listed items. Anonymous or aggregate data is specifically excluded.

Employee Information Covered?
  Kerry-McCain: Not excluded, but would seem to be covered only to the extent that the FTC has jurisdiction, which is unclear.
  Stearns-Matheson: Not covered.

Privacy Notice Trigger
  Kerry-McCain: FTC to use rulemaking authority to require all covered entities to provide notice when (1) covered information is collected, and (2) a material change is made to the privacy policy. Additionally, the contents of the privacy notice must be permanently maintained in a readily accessible form for consumers.
  Stearns-Matheson: A privacy notice is required when (1) PII will be used for purposes unrelated to the transaction, which is broadly defined as an interaction between a consumer and covered entity that is necessary to complete the interaction the information was collected for or to maintain the provision of a good or service requested by the consumer, or (2) there is a material change to the privacy policy.

Privacy Notice Contents
  Kerry-McCain: The FTC is directed to conduct rulemaking to require covered entities to provide privacy notices that include (1) the practices of the entity regarding the collection, use, transfer and storage of covered information, or (2) the specific purposes of those practices.
  Stearns-Matheson: The privacy notice must include (1) a statement that PII may be used or disclosed for purposes unrelated to the transaction for which it was collected, (2) information on how the consumer can obtain a privacy policy statement, and (3) if applicable, a statement that there has been a change in the privacy policy.

Privacy Policy Statement
  Kerry-McCain: Privacy policy effectively, albeit implicitly, required unless only authorized uses of data are contemplated. Any contents of the privacy policy, which include the privacy practices of the entity, must be permanently maintained in a readily accessible form for consumers.
  Stearns-Matheson: Covered entities must make available a privacy policy statement that is accessible by all consumers, free of charge, and available at the time the entity first collects PII about the consumer that may be used for a purpose other than the transaction. The statement must include the identity of each covered entity, the types of information collected and how information may be used, and the extent to which information may be sold or disclosed for consideration.

Authorized and Unauthorized Uses
  Kerry-McCain: Unauthorized use is defined as everything that does not fall into one of the categories of allowed uses or exceptions. The exceptions are applicable only if they are reasonable and consistent with the required notice to the individual, and include use of covered information: to provide the service or transaction requested by the individual; to operate the business; to prevent fraud; to investigate a crime or as otherwise required by law; for internal operations; by a covered entity with whom the individual has an established business relationship; that could have been reasonably expected based on the service provided; that does not constitute a material change from what could have been reasonably expected; and to conduct first-party marketing.
  Stearns-Matheson: Not expressly regulated.

Opt-Out Requirements
  Kerry-McCain: FTC required to use its rulemaking authority to require an opt-out notice for any unauthorized use of PII or use by third parties for behavioral advertising and marketing.
  Stearns-Matheson: Consumers must be given the opportunity to opt out of the sale or disclosure for consideration of their PII to any organization that is not an information-sharing partner of the covered entity. This preclusion lasts for up to five years, and reconsideration of this decision cannot be sought for at least one year.

Opt-In Requirements
  Kerry-McCain: Consumer opt-in is required for collection or use of sensitive PII, as well as for use or transfer of PII if there is (1) a material change in the organization's privacy policy, and (2) a risk of economic or physical harm.
  Stearns-Matheson: None.

Application to Service Providers / Third Parties
  Kerry-McCain: Conduct due diligence and restrict third parties' use of data.
  Stearns-Matheson: None.

Re-identification Bans
  Kerry-McCain: Combining information that is not personally identifiable with other information to make it identifiable is prohibited, preventing advertisers from using algorithms to re-identify people using non-PII.
  Stearns-Matheson: None.

Do Not Track
  Kerry-McCain: Not included.
  Stearns-Matheson: Not included.

Transfer Restrictions
  Kerry-McCain: Transfers of information to unreliable parties are prohibited. Exactly what conduct will make an entity an unreliable party is unclear at this point.
  Stearns-Matheson: None.

Opportunity to Access and Correct Information
  Kerry-McCain: Individuals must be able to access and correct their PII held by a covered entity.
  Stearns-Matheson: None.

Security Policy
  Kerry-McCain: FTC required to use rulemaking authority to create new rules on what security is required to protect PII. Potential for the development of a nationwide code of information security or, at least, an ever-expanding list of banned information security practices.
  Stearns-Matheson: All covered entities must develop an information security policy designed to prevent the unauthorized release or disclosure of PII.

Self-Regulatory or Safe-Harbor Program
  Kerry-McCain: Department of Commerce directed to work with private sector industry groups to develop codes of conduct that meet the requirements of the bill, including an opt-out mechanism for transfer of information to third parties. If approved by the FTC, these codes of conduct would form the basis of safe-harbor programs administered by nongovernmental organizations. Participants in a safe-harbor program would be exempt from opt-out and opt-in requirements that the FTC determined had been met or exceeded by the safe-harbor program.
  Stearns-Matheson: FTC directed to approve industry self-regulatory programs that meet or exceed the requirements of the bill. The program must include mechanisms for review and oversight of the program participants as well as a dispute resolution process. The approval is good for five years. The FTC is required to presume that a covered entity is in compliance with the Act if it is participating in an approved self-regulatory program.

FTC Rulemaking
  Kerry-McCain: FTC directed to conduct rulemaking using certain provisions of the Administrative Procedure Act (APA), thus providing the FTC with additional rulemaking authority to fulfill the requirements of the bill. Given the wide number of new concepts and requirements in the legislation, this additional authority would be important in determining the full impact of the law.
  Stearns-Matheson: FTC given general authority to issue regulations and interpretive rules under its limited, existing FTC Act sec. 18 rulemaking authority (15 U.S.C. § 57a(a)(2)) in order to assist compliance with the Act.

Agency Cost-Benefit Analysis
  Kerry-McCain: Not required.
  Stearns-Matheson: Not required.

Privacy by Design
  Kerry-McCain: Essentially mandated.
  Stearns-Matheson: Not contemplated.

Data Minimization
  Kerry-McCain: Collection limited to what is reasonably necessary for the purpose.
  Stearns-Matheson: No limitation.

Impact on Other Federal Laws
  Kerry-McCain: Provisions of existing federal privacy laws would continue to apply, except that Kerry-McCain takes precedence over existing provisions of certain communications privacy laws for telecom common carriers and cable companies.
  Stearns-Matheson: No effect.

FTC Enforcement
  Kerry-McCain: FTC to enforce violations as unfair or deceptive practices under the Federal Trade Commission Act (FTCA).
  Stearns-Matheson: FTC to enforce violations as unfair or deceptive practices under the FTCA.

Enforcement by State Attorneys General
  Kerry-McCain: Yes, unless there is federal action pending.
  Stearns-Matheson: No.

Private Right of Action
  Kerry-McCain: No.
  Stearns-Matheson: No.

Penalties
  Kerry-McCain: Violations are considered an unfair or deceptive practice under the FTCA and could result in civil penalties of $16,500 per day that an entity is not in compliance, with a maximum total liability of $5,000,000.
  Stearns-Matheson: Violations are considered an unfair or deceptive practice under the FTCA and could result in civil penalties of $32,000 per violation, with a maximum total liability of $500,000 for all related violations. Participants in an approved self-regulatory program are exempt from the civil penalties.

Pre-emption of State Laws
  Kerry-McCain: General pre-emption clause with a series of significant exceptions, including state laws on healthcare and financial information, data breach notification provisions, and fraud laws.
  Stearns-Matheson: Full pre-emption of state laws affecting the collection or use of PII in commerce.

FTC Requires Opt-In Consent for Third Party Data Sharing and Privacy by Design in Enforcement Action Against Google
On March 30, 2011, the FTC demonstrated its continued commitment to enhanced enforcement by releasing a proposed consent agreement that may signal certain new baseline expectations of the agency. In the most significant settlement since Sears, the FTC's settlement with Google over Google Buzz may suggest a new approach to enforcement, with many elements stemming directly from the 2010 Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change (2010 FTC Preliminary Staff Report), including requirements for opt-in consent and Privacy by Design. This enforcement action comes months before the 2010 FTC Preliminary Staff Report is due to be finalized, providing a valuable barometer of how the Report may be deployed in practice. In addition to being the first enforcement action to require Privacy by Design, and to impose a specific opt-in requirement, the Google Buzz settlement may be the strongest first indication that the FTC intends its recent staff guidance to be understood as a document that industry cannot afford to ignore. The FTC's Buzz consent agreement with Google is unquestionably stringent and sends a clear admonition that companies must evaluate how they are using previously collected personal information any time they do something new; otherwise, they may not be able to ensure compliance with the privacy promises they made when the information was collected, or with applicable legal standards.

Facts. In In re Google Buzz, File No. 1023136 (March 30, 2011), Google agreed to settle the FTC's allegations of privacy violations in the launch of its social networking service, Google Buzz. The FTC accused Google of violating section 5(a) of the FTC Act through false statements in its privacy policy regarding the extent of its data use and third-party sharing, as well as false statements that it complied with the US-EU Safe Harbor Framework. The complaint alleged that in the February 2010 Google Buzz launch, Google used data previously collected for Gmail to create the Google Buzz network, failed to obtain consent for this new use, and publicly shared otherwise private information by default. Some of this information included non-Gmail email addresses drawn from users' frequent email contacts. Additionally, the default set-up process made users' followers, generated from their frequent email contacts, publicly available and searchable, publicizing the identity of those with whom an individual had frequent communications in such sensitive settings as individuals against whom they had obtained restraining orders; abusive ex-husbands; clients of mental health professionals; clients of attorneys; children; and recruiters they had emailed regarding job leads. The FTC also alleged that the privacy options in Google Buzz were difficult to access and/or were ultimately misleading. The fact that the FTC brought an enforcement action in these circumstances was not surprising; but the scope and substance of its proposed resolution was novel.

An Omnibus Restriction on Non-consensual Third Party Sharing. Significantly, the proposed FTC consent agreement prohibits Google from engaging in any new or additional third-party sharing of previously collected personal information without express affirmative consent. This is a broad requirement that, as Commissioner Rosch recognized in his concurring statement, is certain to apply (and with some frequency) given the nature of Internet business models and technology, unless Google warns users in its general Privacy Policy that it may engage in such sharing in the future.

First Privacy By Design Requirement. The proposed consent agreement also requires that Google establish a comprehensive privacy program, and it provides a new express formulation of what a privacy program should be. This formulation is essentially the first time the FTC has required Privacy by Design in an enforcement action, despite the elastic nature of that term. The proposed consent agreement explicitly states that Google's privacy program must address privacy risks related to the development and management of new and existing products and services for consumers, as well as protect covered information. Note that this element of the consent decree comes months before the FTC is expected to finalize its most recent Staff Report, in which it first formally proposed Privacy by Design. The proposed consent agreement also has an expansive definition of covered information, encompassing IP addresses and physical location, as does the Kerry-McCain bill. Another potentially expansive element of the privacy program required under the Google Buzz proposed consent decree is the need for ongoing evaluation and adjustment of the respondent's privacy program in light of the results of the testing and monitoring, any material changes to the respondent's operations or business arrangements, or any other circumstances that the respondent knows or has reason to know may have a material impact on the effectiveness of its privacy program.

First Safe Harbor Enforcement Action. The consent agreement also prohibits Google from misrepresenting in any manner, expressly or by implication, the extent to which the respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework. While the FTC has previously gone after entities that falsely claim to be Safe Harbor certified, this settlement would represent the first enforcement action against a Safe Harbor certified entity for failing to fully comply with the terms of the Safe Harbor Framework while actively certified, an absence of enforcement that the European Union's Article 29 Working Party has long noted. And, as Katie Ratte, lead attorney in the FTC's Division of Privacy & Identity Protection, tweeted on March 30 in a Twitter Q&A on the proposed settlement, "[this] case demonstrates FTC's continuing commitment to enforcing U.S.-EU Safe Harbor. Always looking for more cases."

Commissioner Rosch's Criticisms. Commissioner Rosch highlighted the importance of this new approach, and criticized it, in his concurring statement to the consent agreement; his reservations are similar to those expressed in his concurring statement to the 2010 FTC Preliminary Staff Report. Again, Commissioner Rosch voiced significant concerns that elements of the proposed consent order may be against the public interest because they stifle competitive industry innovation. He also pointed out that the opt-in requirement is seemingly brand new: it does not echo what Google promised to do at the outset. In his view, the FTC went too far here in tying up Google with regard to parts of its business that were not reasonably related to the Buzz social networking service. Commissioner Rosch noted that consent decrees should be approved by the agency only so long as they are in the public interest, even if the respondent is willing to agree to the order's terms. Here, Commissioner Rosch asked whether Google agreed to the order's terms because it was being challenged by other government agencies and wanted to get the Commission off its back, or whether it did so in hopes that the order would be used as leverage in future government challenges to the practices of its competitors. Commissioner Rosch thus noted his concern that the order might not be in the public interest if either of these factors was at play in Google's willingness to agree to the consent decree.

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work.

The Privacy, Data Security & Information Law Practice of Sidley Austin LLP
We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers, EU specialists, IT licensing and marketing counsel, intellectual property lawyers, and white collar lawyers. Sidley provides services in the following areas:

Privacy and Internet Litigation and Regulatory Advice
Data Breach, Incident Response, and Cybercrime Advice
Global Data Protection and Information Security
International Data Transfer Solutions
Outsourcing and Cross-Border Issues
Gramm-Leach-Bliley and Financial Privacy
HIPAA and Healthcare Privacy
Workplace Privacy and Employee Monitoring
Cyberlaw, E-Commerce, and Internet Issues
Unfair Competition and Consumer Protection
Trademark and Copyright Litigation and Counseling
Website Policies and Domain Name Protection
Records Retention and Electronic Discovery


To receive future copies of this and other Sidley updates via email, please sign up at www.sidley.com/subscribe
BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

www.sidley.com
Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm's offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley or the firm.
