Consumer privacy regulation and litigation in the United States



This Article summarizes recent court decisions, consent decrees, and other resolutions of enforcement actions that have arisen as private litigants and regulatory agencies continue to address consumer privacy issues. The Article also provides an update regarding the significant developments in privacy actions discussed in prior survey articles. (1) The first part of this Article addresses cases relating directly to the Gramm-Leach-Bliley Act (“GLB Act”) and the financial services industry. The second part of this Article discusses cases related to data security issues, primarily on the Internet. The third part of this Article discusses cases brought under the Children’s Online Privacy Protection Act of 1998. (2)



In September 2002, the American Bar Association (ABA) filed a complaint in the U.S. District Court for the District of Columbia seeking review of a Federal Trade Commission (FTC) opinion letter that lawyers engaged in the practice of law were subject to title V of the GLB Act. (4) On August 11, 2003, the court denied the FTC’s motion to dismiss. (5) Citing Trans Union, LLC v. FTC, (6) the court rejected the FTC’s argument that lawyers should be regulated by the GLB Act’s privacy provisions for “financial institution[s],” holding that lawyers would not qualify “[e]ven applying the broadest possible interpretation of the dictionary definition[] of ‘institution.’” (7) The court reasoned that the FTC’s interpretation was contrary to the public policy rationale of the GLB Act–to provide a privacy framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers. (8) The court also held that Congress could not have intended to regulate lawyers through the GLB Act, as the legal profession is already subject to state law ethics rules. (9) Moreover, the court found that the FTC’s interpretation of the GLB Act was “arbitrary and capricious” under 5 U.S.C. § 706(2)(A). (10)


On July 29, 2003, a California district court granted partial summary judgment in favor of Bank of America and Wells Fargo Bank, enjoining Daly City, California and San Mateo County, California from enforcing local privacy regulations on disclosure of personally identifiable information by financial institutions. (12) In a case of first impression, the court offered a broad interpretation of the Fair Credit Reporting Act’s (FCRA) preemption provision, invalidating city and county regulations requiring banks to have consumers “opt-in” before sharing information with affiliates. (13) The court found that the FCRA did not preclude restrictions on information sharing with non-affiliated third parties, however. (14)


On April 4, 2003, the Office of the Comptroller of the Currency (OCC) settled two separate actions against former national bank employees who allegedly compromised the confidentiality of bank customers’ financial information. (15) The employees pleaded no contest to misappropriating over 2,200 electronic mortgage loan files from the bank by an electronic transfer of the files to a third party in violation of Colorado trade secret law. (16)

In addition to paying monetary penalties of $20,000 and $14,000, the employees were permanently barred from the financial services industry and are required to notify any prospective employer of the enforcement actions prior to accepting any new position that will expose them to “nonpublic personal information.” (17)



On June 18, 2003, the FTC announced it had settled charges against clothing designer Guess?, Inc. (“Guess”) for allegedly misrepresenting the security of personal information on its Web site. (19) Guess’ privacy policy stated that the data, including credit card information, was “stored in an unreadable, encrypted format at all times” and that Guess had implemented “reasonable” security measures to protect personal information from “loss, misuse and alteration.” (20) The complaint charges that these representations were false or misleading for several reasons. First, the Web site was vulnerable to “commonly known or reasonably foreseeable” third-party attacks. (21) Second, Guess did not implement reasonable security measures to protect its online customer databases. Third, Guess failed to adopt procedures to protect “sensitive consumer information collected through the website” or adequately assess the Web site’s vulnerability to attacks. (22) According to Guess, the company took precautionary measures designed to ensure secure consumer transactions, including use of Verisign and Cybersource SSL technology. The FTC believed these measures were insufficient to support Guess’s security representations, however, given that “[t]he risk of web-based application attacks is commonly known in the information technology industry, as are simple, publicly available measures to prevent such attacks.” (23)

On August 5, 2003, the FTC approved a consent agreement that provided Guess would cease misrepresenting the extent of data security on its Web site. (24) The agreement provides for the establishment of a comprehensive information security program with designated employees to coordinate the program, identify and assess internal and external security risks to customer information, design and implement safeguards, and periodically audit the company’s information security practices. (25) The agreement also requires Guess, within one year and on a bi-annual basis thereafter, to obtain an independent professional certification of the information security program’s compliance and its adequacy to “provide reasonable assurance [of] security.” (26)


On June 13, 2003, Netscape Communications Corp. (“Netscape”) entered into an Assurance of Discontinuance (“Assurance”) with the New York Attorney General (N.Y.A.G.) regarding allegedly misleading representations made by Netscape concerning the internet-activity data collected by a profiling feature incorporated in version 1.1 of its SmartDownload software. (27) Through a communication link with its NetCenter Web site, the SmartDownload Profiling feature of the software prompted the computer of each SmartDownload user to transmit four pieces of user data–the Internet address of the files downloaded, a key code stored in the system registry during installation, the name and version number of the operating system, and the version of SmartDownload being used. (28) This data remained on Netscape’s servers or back-up tapes for six months before being purged in accordance with Netscape’s normal procedures for server logs. (29) The N.Y.A.G. alleged that Netscape knowingly misled customers that the information would not be stored. (30)

Netscape maintained that the information transmitted by SmartDownload to its servers “was not personally identifiable,” because the company could not link the information to any particular individual. (31) Netscape also noted that a user could prevent the data transmission by checking an option to turn off the SmartDownload Profiling feature. (32)

The Assurance provides for Netscape to pay $100,000 to the state of New York, undergo annual audits for a two-year period concerning the accuracy of its disclosures to consumers, and delete all user data received. (33)

Toys “R” Us

On January 2, 2003, settled a class action lawsuit originally filed in California Superior Court, San Bernardino County in July 2000. (34) The complaint alleged that the toy company had violated California consumer protection laws by gathering personally identifiable information from Web site visitors without their knowledge and by transmitting that data to Coremetrics, a consumer data aggregator. (35) Toysrus allegedly used “web bugs” and “cookies” on a customer’s hard drive which linked that individual with purchasing and online browsing information. (36) These practices were alleged to be directly in conflict with the Toysrus privacy policy promising that the company would keep customers’ information confidential. (37)

The settlement requires that Toysrus pay attorney’s fees and costs of up to $900,000, edit its Web site to include clear and conspicuous links to its privacy policy, provide notices as to policy changes, and obtain consent before engaging in activities outside the parameters of its privacy policy. (38) The company must also appoint an internal privacy committee and destroy any customer data held by Coremetrics. (39) On December 26, 2001, Toysrus had reached another settlement with the New Jersey Division of Consumer Affairs regarding similar allegations under New Jersey consumer protection laws. (40)


On January 6, 2003, the Supreme Court of New York permanently enjoined MonsterHut, Inc. (“MonsterHut”), a Niagara Falls online marketing company, from falsely representing to consumers that its e-mail marketing practices were permission-based. (41) The court ruled that e-mail communications were not “permission-based” simply because they had been sent through affiliations with third parties. (42) The court rejected MonsterHut’s definition of “opt-in,” instead adopting the following standard for “opt-in”–i.e., requiring consumers to check a box on an e-mail or Web site, requesting that promotions or commercial information be sent directly from that particular company or organization. (43)


On October 1, 2003, internet portal Yahoo! Inc. (“Yahoo”) reached a settlement with the N.Y.A.G. on reforming its marketing practices. (44) The N.Y.A.G. initiated an investigation of the company when, as part of a revised marketing campaign, Yahoo sent e-mails to registered users informing them that they would automatically receive marketing solicitations unless they declined within sixty days. (45) Under the settlement, Yahoo will provide registered users with thirty days’ notice prior to the effective date of any changes to its marketing practices. (46) Furthermore, Yahoo is required to include a “clear and conspicuous” link to a marketing preferences page, where users may “opt-out” or “unsubscribe” from marketing initiatives. (47) Yahoo also promised not to telemarket to users who provided their telephone numbers in the registration process, but who had already indicated a preference not to receive calls. (48) Under the settlement, Yahoo will pay $75,000 to the N.Y.A.G.’s office to cover the costs of the investigation. (49)


The FTC’s “Do-Not-Call” registry, a database where consumers can “opt-out” of receiving telemarketing phone calls, sparked a national debate involving members of Congress, federal agencies, courts, and the White House. (50) On January 29, 2003, the FTC issued regulations under the 1994 Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFAP) (51) that: (i) established a nationwide Do-Not-Call registry

The FTC regulations did not apply to banks, insurance companies, and common carriers. (56) On July 3, 2003, however, the Federal Communications Commission (FCC) adopted similar “Do-Not-Call” rules, which expanded the scope of the rules to apply to those institutions outside the FTC’s authority. (57)

As of September 17, 2003, the FTC reported that consumers registered more than fifty million telephone numbers in the Do-Not-Call registry. (58) A federal district court in Oklahoma granted summary judgment on September 23, 2003, however, to the Direct Market Association (DMA) and other plaintiff telemarketing services corporations enjoining the FTC from enforcing the Do-Not-Call registry. (59) The court ruled that the FTC had exceeded its grant of authority from Congress and its rule-making actions raised a “serious or grave constitutional question.” (60)

On September 25, 2003, in a bi-partisan show of support, Congress passed legislation confirming the FTC’s authority to create and enforce the opt-out registry. (61) On the same day, a U.S. District Court in Colorado ruled that the Do-Not-Call registry violated the First Amendment, holding that the exemption for charitable solicitations resulted in “a content-based limitation on what the consumer may ban from his home. Although the consumer does retain the choice whether to sign up for the registry, the government has removed the absoluteness of that autonomy by itself exempting certain types of speech from the restrictions of the registry.” (62)

On October 7, 2003, the U.S. Court of Appeals for the Tenth Circuit issued a stay of the Colorado district court’s decision, ruling that the “opt-in” nature of the registry provides “an element of private choice” that weighs in favor of finding that the government regulation is sufficiently narrow in scope. (63) The Tenth Circuit also rejected the district court’s finding that the FTC had made a content-based restriction on speech, pointing out that consumers can block non-commercial solicitations by making company-specific objections to the FTC. (64)

The stay allowed the FTC to enforce the Do-Not-Call provisions while the appeal was undergoing expedited review. In its opinion on a consolidated appeal, the Tenth Circuit affirmed the district court’s decision, holding that the Do-Not-Call Registry survived analysis under the First Amendment because it advances a substantial governmental interest and is narrowly tailored to that purpose. The court also upheld the fee provisions of the regulation as well as the FTC’s statutory authority to promulgate Do-Not-Call regulations. (65)



On June 2, 2003, the U.S. Court of Appeals for the Second Circuit vacated and remanded a district court decision which partially denied class certification to a group of cable television subscribers bringing privacy claims against Time Warner Entertainment Company (“Time Warner”). (67) The subscribers claimed that Time Warner had failed to provide adequate notice that the cable company was selling subscribers’ personal information to third parties and improperly disclosed subscribers’ programming selections to third parties without offering subscribers a valid “opt-out” method. (68) The complaint alleged violations of both state consumer protection laws and the Cable Communications Policy Act of 1984. (69) The district court had denied class certification in relation to monetary damages, finding that potential statutory damages for a class of twelve million subscribers would far exceed any actual harm, but found that class certification would be appropriate with regard to injunctive relief. (70) The Second Circuit rejected the lower court’s ruling because no motion for class certification had been filed and no discovery regarding the class certification had been initiated. (71) The case was remanded for further inquiry regarding the manageability and size of the class. (72)


On August 26, 2003, the U.S. District Court for the Western District of Washington held that a Washington state telecommunications privacy regulation violated the First Amendment by placing unconstitutional burdens on commercial speech. (74) Verizon Northwest, a local telephone service provider, sued the Washington Utilities and Transportation Commission (WUTC) for adopting a regulation that required a consumer to “opt-in” before a telecommunication carrier could reveal Customer Proprietary Network Information (CPNI)–including a customer’s name, address, and call history–to third parties. (75)

On a summary judgment motion, the district court ruled that Verizon’s targeted marketing was protected commercial speech and subject to the three-prong intermediate scrutiny standard under Central Hudson Gas & Electric Corp. v. Public Service Commission of N.Y. (76) Under this standard, the WUTC bore the burden to establish that its regulation on “truthful and non-misleading” commercial speech furthered a “substantial state interest,” “directly and materially advance[d] that interest,” and was “no more extensive than necessary to serve [that] interest.” (77) Although the court found that Washington state had a substantial interest in protecting consumer privacy, it held that the WUTC regulations did not pass constitutional muster on the other two prongs of the test. (78) The court argued that the regulations did not directly advance the state’s privacy interest because they were “dauntingly confusing and riddled with exceptions”


On February 28, 2003, a U.S. District Court for the District of Utah granted summary judgment to Sprint Communications Co. (“Sprint”), dismissing an action against the telecommunications company for sending unsolicited commercial e-mail. (82) The court’s opinion significantly restricted the scope of Utah’s Unsolicited Commercial and Sexually Explicit Email Act (the “Act”), (83) holding that an e-mail message from a sender with whom the recipient has a “preexisting business relationship” did not qualify as “unsolicited,” (84) even where the recipient has specifically requested to “opt-out” of receiving further e-mail solicitations from the sender. (85)

In this case, the plaintiff registered with, and agreed to receive promotional e-mails from, a third-party Web site, Audio Galaxy. Audio Galaxy sold its e-mail addresses to GroupLotto, which contracted with Sprint to send promotional e-mails advertising Sprint’s Nickel Nights long-distance telephone service. (86) Based on these facts, the court found that the plaintiff had a “preexisting business relationship” with Sprint, despite having requested removal from GroupLotto’s email distribution list, and that the e-mail at issue was not prohibited by the statute because it was not “unsolicited.” (87) The court stated that the statute was silent as to how a recipient “can effectively terminate that relationship in order to claim the protection of the Act.” (88) The court also acknowledged that its reading of the statute “excludes from the Act’s protection a potentially sizeable group of people” and “could be questioned as creating an outcome the legislature could not have intended.” (89) The Utah district court received approximately 1,200 new complaints regarding unsolicited commercial e-mails following the ruling. (90)


In September 2003, consumer lawsuits were filed in California (91) and Utah (92) against JetBlue Airways (“JetBlue”) after the company admitted releasing five million passenger records in violation of its own privacy policies to Torch Concepts, a defense contractor linked with the Transportation Security Administration. (93)

The private attorney general action filed in San Diego Superior Court alleged unfair and fraudulent business practices, (94) while the class action suit filed in federal court in Utah alleged fraudulent misrepresentation, breach of express warranty (based on representations made in JetBlue’s Privacy Statement that the company would not share passenger personal information with any third parties), breach of contract, invasion of privacy, and violation of the Utah Consumer Sales Practices Act. (95) The Utah lawsuit sought compensatory, but not punitive, damages. (96)

JetBlue admitted that it had released personal information–including names, addresses, and telephone numbers–of passengers that had traveled between early 2000 and September 2002. (97) The company claimed that it released this information in response to a request from the Department of Defense to assist a government project on military base security. This data was allegedly used to create a passenger profiling report that identified “high risk passengers.” (98) In response to the public outcry over the released records, JetBlue hired private consultants to analyze and further develop its privacy policy. (99)

The Electronic Privacy Information Center (EPIC) also filed a complaint with the FTC, alleging that JetBlue engaged in deceptive trade practices and requesting that the company pay civil penalties, destroy all passenger information, and obtain express consent from consumers in the future. (100) EPIC’s complaint was filed as part of its larger campaign against passenger profiling. (101)


The Supreme Court of New Hampshire recently ruled that, although an individual has no reasonable expectation of privacy in her work or home address, an information broker or private investigator owes a duty to exercise reasonable care before disclosing a third person’s information to a client. (103) A New Hampshire citizen, Amy Lynn Boyer, was stalked and murdered after the perpetrator purchased personal information about her from the operators of, an Internet-based information services firm. Docusearch acquired Boyer’s social security number from a credit reporting agency and obtained her employment address by a pretextual telephone call, during which a Docusearch contractor allegedly lied to the victim to convince her to reveal her employment information.

The New Hampshire Supreme Court concluded that the victim’s estate had no cause of action against the subcontractor for making the pretextual phone call or against the information brokerage for intrusion upon the victim’s privacy, finding that “[w]e have no reasonable expectation of privacy as to our identity or as to where we live or work.” (104) The court nevertheless held that, as stalking and identity theft were reasonably foreseeable risks, an information broker selling personal information to a client has a legal duty to the person to which that information pertains, “especially true when, as in this case, the investigator does not know the client or the client’s purpose in seeking the information.” (105) Accordingly, the court found that an information broker obtaining and selling an individual’s social security number without the individual’s knowledge or permission is liable for damages for intrusion upon seclusion caused by the sale of that information, as well as for violation of New Hampshire’s Consumer Protection Act. (106)


In a decision relating to privacy on the Internet, the U.S. Court of Appeals for the First Circuit ruled on May 9, 2003 that the purchase of a service does not constitute consent to the collection of personally identifiable information and, therefore, does not shield a company from liability under the Electronic Communications Privacy Act (ECPA). (107) The appellate court reversed and remanded an earlier decision by the district court, which held that defendant Pharmatrak’s use of Web site tracking devices known as “web bugs” to collect personal data from visitors of pharmaceutical Web sites was exempted from ECPA liability because pharmaceutical companies had authorized Pharmatrak to put its software on their sites. (108)

The pharmaceutical companies hired defendant Pharmatrak, Inc. (“Pharmatrak”) to monitor and perform a monthly analysis of intra-industry Web site traffic and usage, but requested that Pharmatrak refrain from collecting personally identifiable information from customers. Pharmatrak nevertheless collected personal information–including name, address, telephone number, e-mail address, date of birth, gender, insurance status, educational level, occupation, medical conditions, medications, and reasons for visiting the Web site–from a subset of users. A group of internet users filed a class action suit against both Pharmatrak and the pharmaceutical companies alleging violations of ECPA. (109)

After determining that the burden of demonstrating consent lay with the party seeking the benefit of the exception, the First Circuit held that the district court erred by finding that “consent to an interception can be inferred from the mere purchase of a service, regardless of circumstances.” (110) Instead, the First Circuit emphasized that “consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception.” (111) The First Circuit underscored the fact that the companies explicitly conditioned their contractual agreement with Pharmatrak for the use of NETcompare on the fact that it would not access and collect personal data. The First Circuit also failed to find user consent, noting that “[d]eficient notice will almost always defeat a claim of implied consent.” (112)

The First Circuit also decided that Pharmatrak “intercepted” user communications within the meaning of ECPA, concluding that acquisition of a communication must only occur at the same time as the transmission, not that the acquisition must constitute the same communication as the transmission. (113)

Finally, the First Circuit remanded the case for the district court to determine whether the intent requirement of ECPA had been met after ruling that “intent” under the ECPA requires a conscious objective. (114)



On April 22, 2003, a group of privacy and consumer advocacy groups filed a complaint with the FTC alleging that collected and displayed children’s personal information on its Web site in violation of the Children’s Online Privacy Protection Act of 1998 (COPPA). (115) COPPA requires that Web sites directed towards children under the age of thirteen provide mandatory privacy protections including a privacy notice, a system for obtaining parental consent, a method for parental review of use and disclosure of children’s information, a method for parents to prevent future collection of children’s personal information, and procedures to maintain the confidentiality and security of the information collected. (116)

The privacy and consumer advocacy groups argued that, although marketed children’s products, its methods of collecting customer data fell short of COPPA’s requirements. (117) First, the complaint alleges that Amazon’s privacy policy did not provide adequate means for parental review and deletion of children’s personal information. Second, the complaint alleges that Amazon’s special form to post children’s product reviews malfunctioned and directed child customers to an adult review form that posted their unedited personal information–including e-mail address, name, age, gender, and home address–on the Internet. The complaint requests the FTC to order to delete and destroy all personal information of children posted on its site. The complaint also requests that the FTC initiate an investigation of’s information collection and sharing practices.


On February 27, 2003, the FTC imposed civil penalties of $100,000 and $85,000 on Mrs. Fields Cookies and Hershey Foods, respectively. (118) The FTC charged that both corporations violated COPPA’s requirements that operators of commercial Web sites directed towards children under the age of thirteen must obtain parental consent before collecting personal information from children. Mrs. Fields Cookies published three Web sites offering birthday clubs for children age twelve or under, allegedly collecting the full name, home address, e-mail address, and birth date of over 84,000 children. Operating in excess of thirty candy-related Web sites, Hershey Foods allegedly instructed children younger than thirteen to complete the online parental notice and consent form without precautionary measures to ensure that the consent forms were reviewed by a parent or guardian. Both corporations also allegedly failed to post adequate privacy policies, did not provide notice to parents regarding information collection and dissemination practices, and did not offer a reasonable means for parents to review children’s personal information before further use.

Both corporations are enjoined from further violation of the COPPA and must delete any information collected from child consumers. Mrs. Fields and Hershey Foods must place a “clear and conspicuous notice” which states in boldface type, “NOTICE: Visit for information from the Federal Trade Commission about protecting children’s privacy online” (119) in both the privacy policy they are required to post on their Web sites and the direct notice they are required to send to parents pursuant to 16 C.F.R. sections 312.4(b) and (c). They must also post the notice “at each location on their website(s) where personal information is collected from children.” (120) Finally, each corporation’s consent decree provides for compliance monitoring by the FTC.

(1.) See Stephen F. Ambrose, Jr. & Joseph W. Gelb, Consumer Privacy Regulation, Enforcement, and Litigation in the United States, 58 BUS. LAW. 1181 (2003) [hereinafter Consumer Privacy].

(2.) Pub. L. No. 105-277, 112 Stat. 2681 (codified at 15 U.S.C. §§ 6501-6506 (2000)).

(3.) 276 F. Supp. 2d 110 (D.D.C. 2003).

(4.) Pub. L. No. 106-102, §§ 501-527, 113 Stat. 1338, 1436-50 (1999) (codified at 15 U.S.C. §§ 6801-5827 (1999)). The GLB Act is the commonly known name for the federal Financial Modernization Act, which was signed into law by President Clinton in November 1999.

(5.) New York State Bar Ass’n, 276 F. Supp. 2d at 146. The New York Bar Association (NYBA) filed a separate complaint, in response to which the FTC also filed a motion to dismiss. See Complaint for Declaratory Relief, New York Bar Ass’n v. FTC, 276 F. Supp. 2d 110 (D.D.C. 2003) (No. 02CV00810). The U.S. District Court for the District of Columbia held a joint hearing on FTC’s motion to dismiss both cases.

(6.) 295 F.3d 42 (D.C. Cir. 2002).

(7.) New York State Bar Ass’n, 276 F. Supp. 2d at 118.

(8.) Id. at 123.

(9.) Id. at 123-24. “[T]he regulation of lawyers and the practice of law have historically been recognized as the responsibility of the states, and not the federal government.” Id. at 128.

(10.) Id. at 142.

(11.) 279 F. Supp. 2d 1118 (N.D. Cal. 2003).

(12.) Id. at 1128-29.

(13.) Bank of America, 279 F. Supp. 2d at 1122-24.

(14.) Id. at 1125.

(15.) See Stipulation and Consent Order, Department of the Treasury Office of the Comptroller of the Currency, AA-EC-2003-08 (2003) [hereinafter AA-EC-2003-08].

(16.) See AA-EC-2003-08 at 3.

(17.) See AA-EC-2003-08 at 3-5.

(18.) Complaint, In re Guess?, Inc., FTC No. C-4091 (July 30, 2003), available at http://www3. The N.Y.A.G. reached a similar agreement with retailer Victoria’s Secret on October 21, 2003, settling allegations that security vulnerabilities in the company’s Web site had exposed its customers’ personal ordering information to interception in violation of its posted privacy policy. See Press Release, Office of New York State Attorney General, Victoria’s Secret Settles Privacy Case (Oct. 20, 2003), available at

(19.) See Press Release, Federal Trade Commission (June 18, 2003), at 06/guess.htm.

(20.) Complaint, In re Guess?, supra note 18.

(21.) Id.

(22.) Id.

(23.) Id.

(24.) Decision and Order, In re Guess? Inc., FTC No. C-4091 (July 30, 2003), available at http://

(25.) In re Guess?, Inc. Agreement Containing Consent Order supra note 24.

(26.) Id.

(27.) Assurance of Discontinuance, In re Netscape Communications Corp., at 7 (June 13, 2003), available at

(28.) Id. at 7.

(29.) Id. at 8.

(30.) Id.

(31.) Id. at 8-9.

(32.) Id. at 9.

(33.) Id. at 10, 12.

(34.), Data Aggregator Coremetrics Settle Suit Over Surreptitious Data Gathering, 8 ELECTRONIC COMMERCE & L. REP., Jan. 8, 2003, No. 3, at 25, at 885256743006e3012/ 8c36ad5 ecfb27c7585256ca80000b7f2?OpenDocument.

(35.) Id.

(36.) Complaint Charges Toys R Us Transmitted Data to Aggregator, Violated Privacy Policy, 5 ELECTRONIC COMMERCE & L. REP., Aug. 9, 2000, No. 31, at 828, at 85256269004a99l e852561130021448712498b5ec3f96 a656852569360009lcld? OpenDocument.

(37.), supra note 34.

(38.) Id.

(39.) Id.

(40.) Lorraine McCarthy, to Pay $50,000, Clarify Policy Under Consent Agreement with New Jersey, 7 ELECTRONIC COMMERCE & L. REP. Jan. 16, 2002, No. 3 at 56, at http://ippubs.bna.com/ip/BNA/EIP.NSF/23d9e82d7d25950885256743006e3012/e358dab3ca72ff5185256b41008025de?OpenDocument.

(41.) See Press Release, Office of the New York State Attorney General, Judge Orders Spammer to Halt Deceptive Practices (Jan. 22, 2003), available at

(42.) State of New York v. MonsterHut, Inc. No. 402140/02, at 4 (Sup. Ct. N.Y. May 8, 2003).

(43.) Id. at 2-4.

(44.) Press Release, Office of New York State Attorney General, Settlement with Internet Company Ensures Transparency in Email Marketing Practices (Oct. 1, 2002), available at http://www.oag.

(45.) Id.

(46.) Id.

(47.) Id.

(48.) Id.

(49.) Id.

(50.) Telemarketing Sales Rule, 16 C.F.R. § 310.4 (2003).

(51.) 15 U.S.C. §§ 6101-6108 (2001).

(52.) See Telemarketing Sales Rule, 68 Fed. Reg. 4580, 4595, 4628-45 (Jan. 29, 2003) (to be codified at 16 C.F.R. pt. 310).

(53.) Id. at 4628.

(54.) Id. at 4629.

(55.) Id.

(56.) Report and Order of the FCC, in the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, at 19 (July 3, 2003), available at

(57.) Id. at 4.

(58.) Press Release, FTC, Do Not Call Registrations Exceed 50 Million (Sept. 17, 2003), available at

(59.) U.S. Security v. FTC, 282 F. Supp. 2d 1285, 1294 (W.D. Okla. 2003).

(60.) Id. at 1290.

(61.) H.R. 3161, 108th Cong. (2003).

(62.) Mainstream Mktg. Servs., Inc. v. FTC, 283 F. Supp. 2d 1151, 1163 (D. Colo. 2003).

(63.) FTC v. Mainstream Mktg Servs., Inc., 345 F.3d 850, 860-61 (10th Cir. 2003).

(64.) Id. at 860.

(65.) Mainstream Mktg Servs., Inc. v. FTC, 358 F.3d 1228 (10th Cir. 2004).

(66.) 331 F.3d 13 (2d Cir. 2003).

(67.) Id. at 22-23.

(68.) Id. at 15.

(69.) Id.

(70.) Parker v. Time Warner Entm’t, Co., 198 F.R.D. 374, 386 (E.D.N.Y. 2001).

(71.) Parker, 331 F.3d at 22.

(72.) Id. at 22-23.

(73.) 282 F. Supp. 2d 1187 (W.D. Wash. 2003).

(74.) Id. at 1195.

(75.) Id. at 1189.

(76.) Id. at 1190-91.

(77.) Verizon Northwest, 282 F. Supp. 2d at 1191 (citing Central Hudson, 447 U.S. at 564-65).

(78.) Id. at 1191-95.

(79.) Id. at 1193.

(80.) Id. at 1194 (“[I]t is evident that the presentation and form of opt-out notices is what determines whether an opt-out campaign enables consumers to express their privacy preferences.”) (alteration in original).

(81.) No. 020406640 (D. Utah. Feb. 28, 2003), available at

(82.) Id. at 7.

(83.) UTAH CODE ANN. §§ 13-36-101 to -105 (2002). The Act states that “[i]f the recipient of an unsolicited commercial email … notifies the sender that the recipient does not want to receive future commercial email … from the sender, the sender may not send that recipient a commercial email … either directly or through a subsidiary.” Id. § 13-36-103(3) (emphasis added).

(84.) Gillman, No. 020406640, at 5.

(85.) Id.

(86.) Id. at 2.

(87.) Id. at 5-6.

(88.) Id. at 5.

(89.) Id. at 6.

(90.) Bob Mims, Spam Filings Flood Court, SALT LAKE TRIB. (July 18, 2003), available at http://www.

(91.) Complaint for Violations of Business and Professions Code Sections 17200 et seq., Privacy Rights Clearinghouse v. JetBlue Airways Corp., (Cal. Super. Ct. Sept. 2003), available at http://www. [hereinafter California Complaint].

(92.) Class Action Complaint and Request for Class Certification, Halverson v. JetBlue Airways Corp., (D. Utah Sept. 2003), available at [hereinafter Utah Complaint].

(93.) Sylvia Adcock, JetBlue: Gov’t Asked for Data/Release Prompts 2 Lawsuits, NEWSDAY.COM, Sept. 24, 2003, at A41, available at

(94.) See California Complaint, supra note 91.

(95.) See Utah Complaint, supra note 92, at 3-6.

(96.) See Utah Complaint, supra note 92, at 9-10.

(97.) Fliers File Suit Against JetBlue, WIRED NEWS (Sept. 23, 2003), available at http://www.,1848,60551,00.html

(98.) California Complaint, supra note 91.

(99.) Complaint and Request for Injunction, Investigation and Other Relief, In re JetBlue Airways Corp., (Sept. 22, 2003), available at ftccomplaint.html. See generally, Homeland Security Office Releases JetBlue Report, EPIC.ORG, Feb. 29, 2004, at

(100.) See generally,

(101.) See generally, Homeland Security Office Releases JetBlue Report, supra note 99.

(102.) 816 A.2d 1001 (N.H. 2003).

(103.) Id. at 1007-11.

(104.) Id. at 1009.

(105.) Id. at 1008.

(106.) Id. at 1011.

(107.) In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 19-21 (1st Cir. 2003).

(108.) In re Pharmatrak, Inc. Privacy Litig., 220 F. Supp. 2d 4, 12-14 (D. Mass. 2002), rev’d 329 F.3d 9 (1st Cir. 2003). The ECPA contains a consent provision, which precludes a private right of action in the case “where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d).

(109.) Pharmatrak, 329 F.3d at 16. The ECPA provides for a private right of action versus one who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a).

(110.) Pharmatrak, 329 F.3d at 20.

(111.) Id. (citations omitted).

(112.) Id. at 21.

(113.) Id. at 22.

(114.) Id. at 22-23. On remand, the district court determined that the interceptions were not “intentional” under ECPA standards because they were infrequent, caused by third-party programmer errors and were unknown to the defendant until the lawsuit arose. The district court thus granted summary judgment to the defendants on the intent issue. In re Pharmatrak, Inc. Privacy Litig., 292 F. Supp. 2d 263, 266-68 (D. Mass. 2003).

(115.) EPIC Complaint and Request for Injunction, Investigation and for Other Relief, In re, Inc., (April 22, 2003), available at [hereinafter Complaint]; see also Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (2000).

(116.) See 15 U.S.C. § 6502(b)(1).

(117.) Complaint, supra note 115.

(118.) Consent Decree and Order for Civil Penalties, Injunctive, and Other Relief, United States v. Mrs. Fields Famous Brands, Inc., (2002), available at [hereinafter Mrs. Fields Consent Decree]; Consent Decree and Order for Civil Penalties, Injunctive, and Other Relief, United States v. Hershey Foods Corp., (2003), available at http://www. [hereinafter Hershey Foods Consent Decree].

(119.) Mrs. Fields Consent Decree, supra note 118; Hershey Foods Consent Decree, supra note 118.

(120.) Mrs. Fields Consent Decree, supra note 118; Hershey Foods Consent Decree, supra note 118.

Stephen F. Ambrose, Jr. and Joseph W. Gelb *

* Stephen F. Ambrose, Jr. is the General Counsel of GE Consumer Finance, Americas, a business unit of General Electric Capital Corporation. Joseph W. Gelb is a partner in the Trade Practices & Regulatory Law Department of Weil, Gotshal & Manges LLP in New York City. The authors would like to acknowledge the assistance of David M. Lange and Lusan Chua in the preparation of this Article. The views expressed in this Article are those of the authors and should not be attributed to their respective employers.