
Blog Post

GSK Breach Letter

Consumers receive breach letters -- Pharmaceutical manufacturer GSK, maker of drugs Paxil, Boniva, Advair, and many others, sent a letter to consumers who had registered on one or more of its product websites. Due to the Epsilon data breach, registrants' names, email addresses, and the products they registered for were breached. Information people give to a company via a pharmaceutical product web site such as this is not usually covered under HIPAA. See our Patient's Guide to HIPAA for more on what is covered under HIPAA and what is not. WPF recommends that consumers use a "throwaway" or temporary email address if deciding to register at pharmaceutical product web sites.

Major Changes Weaken FERPA

Educational Privacy -- The Family Educational Rights and Privacy Act of 1974, FERPA, has been amended substantially. The proposed amendments have been published and are open for comment until May 23, 2011. The current changes impact students' medical, educational, and informational privacy interests. WPF will be filing detailed comments on FERPA, including how the proposal interacts with California privacy laws. We will be posting additional materials on commenting soon.

WPF Comments on Health Information Exchanges in California

Joint Comments on HIEs -- California has proposed regulations for health information exchange projects in the state. WPF has submitted comments encouraging more privacy protections, and we are joined in our comments by Privacy Activism and the Center for Digital Democracy. One key request in the comments is that California not allow patient consent to be waived in HIE projects. We are also requesting that California create a unified web listing of its HIE projects for increased transparency and to facilitate patient access to HIE information and policies.

Privacy News: WPF Complaint to FTC Results in Online Data Broker Settlements

Data Broker Settlement -- In April 2009, the World Privacy Forum sent the FTC a complaint regarding a lack of online opt-outs for consumers at some online data broker web sites. Our complaint focused on the difficulties online consumers would have opting out of certain web sites. In our complaint, we noted that online consumers were having difficulties with the opt outs. Today the FTC issued a final decision in this matter, and specifically improved online opt outs for consumers at US Search.

WPF Urges Fair Privacy Stakeholder Process

NTIA Multistakeholder Process -- The US Department of Commerce has announced that it is supporting privacy legislation and a "stakeholder process" to determine self regulatory rules for Internet privacy. WPF wrote about what a fair stakeholder process needs to include in our comments to the US Department of Commerce. We urge that at a minimum, the stakeholder process will include these items: 1) Consumer and business representation be equal in any multi-stakeholder process. 2) Approval of consumer representatives must be a necessary element in any formal decisions, just as the approval of business will be necessary. 3) Consumers must select their own representatives through a process yet to be determined, and consumer representatives may not be designated or limited by business or government. 4) Consumer organizations that require financial assistance to participate in the multi-stakeholder process should receive support for travel and other expenses (but not for staff support). 5) Government agencies may participate in the process, but no agency may have a vote. 6) Participants in the process must choose their own rules and presiding officer. 7) Certifiers of accountability with codes of conduct should be not-for-profit organizations that are wholly independent of business, consumers, and government.

WPF on EASA: Self-Regulation on Online Behavioral Advertising No Longer Credible

Comments on EASA -- The World Privacy Forum submitted comments today on the European Advertising Standards Alliance's Best Practice Recommendation on Online Behavioural Advertising. Our comments focus upon three key areas: First, the EASA recommendation fails to recognize the protection of consumer privacy in Online Behavioral Advertising (OBA) as a key policy goal. Second, the recommendation's protections are narrow, creating illusory protections for user privacy, whether or not they opt out of OBA. Finally, we critique the oversight and compliance mechanisms, which are not likely to foster consumer confidence nor police the industry. Drawing upon the WPF's 2007 report, The NAI: Failing at Consumer Protection and at Self-Regulation, the comments argue that EASA's approach suffers from the same weaknesses as self-regulatory approaches deployed in the United States, and that European lawmakers should not replicate the failed American approach. Law students from the Samuelson Law, Technology & Public Policy Clinic helped draft the comments as part of an ongoing project on consumer privacy and OBA.

Public Comments: February 2011 WPF Responds to FTC's Report on Privacy

The World Privacy Forum filed comments with the FTC in response to its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. In our comments, we urge the FTC to take affirmative steps to protect consumer privacy online and offline. Our comments include a brief history of privacy self regulation, and point out how privacy self regulation has consistently failed. The comments also discuss Do Not Track, and urge the FTC to take a broader look at tracking protections for consumers. WPF also specifically requested that the FTC identify credit reporting bureaus subject to Fair Credit Reporting Act regulations and assist consumers in locating those bureaus.

WPF Responds to FTC's Report on Privacy

WPF Comments on the FTC Privacy Report -- The World Privacy Forum filed comments with the FTC in response to its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. In our comments, we urge the FTC to take affirmative steps to protect consumer privacy online and offline. Our comments include a brief history of privacy self regulation, and point out how privacy self regulation has consistently failed. The comments also discuss Do Not Track, and urge the FTC to take a broader look at tracking protections for consumers. WPF also specifically requested that the FTC identify credit reporting bureaus subject to Fair Credit Reporting Act regulations and assist consumers in locating those bureaus.

WPF launches Facebook Page

WPF launches Facebook page -- The World Privacy Forum has begun posting materials to its new Facebook page. "Millions of users are looking for information on Facebook. Our goal is to reach consumers with high-quality privacy materials and information, so it makes sense for us to reach out to people through this medium," said executive director Pam Dixon.

Public Comments: December 2010 Personal Health Records and online advertising

The World Privacy Forum filed comments today about how medical records and other health information are intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.

WPF comments about Personal Health Records and online advertising

Health privacy -- The World Privacy Forum filed comments today about how medical records and other health information are intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.

FTC issues long-awaited privacy report

FTC privacy report -- The Federal Trade Commission has published its report on online privacy. The World Privacy Forum will be issuing comments on the report at 2:30 pm Eastern today in a press briefing.

New Report on US Department of Commerce Privacy Track Record

Department of Commerce and Safe Harbor: New Report -- The World Privacy Forum published a new report today that evaluates the US Department of Commerce's work on privacy protection for consumers, given its role overseeing such critical programs as the US/EU Safe Harbor data agreement. The report, The US Department of Commerce and International Privacy Activities: Indifference and Neglect, identifies a number of issues of concern regarding the Department's privacy programs, most particularly, the current Safe Harbor framework. The report's analysis finds that three separate studies consistently show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under Safe Harbor.

FTC starts sending out checks to LifeLock victims

LifeLock -- The Federal Trade Commission began sending checks to almost a million consumers who were subscribers to the LifeLock ID theft protection service. LifeLock agreed to pay fines of $11 million to the FTC and $1 million to a group of state attorneys general to settle charges that had been made against the company. Consumers with questions about this distribution may call 888-288-0783 or see the FTC's web page on this, http://www.ftc.gov/refunds.

Top Ten Opt Out list updated

Opt-out and how-to -- The popular WPF Top Ten Opt Out List has been newly updated. We have added a new section to our list with step by step details on how to opt out of RapLeaf. We encourage consumers to view any of their profiles that exist at RapLeaf and to opt out of RapLeaf permanently. We have also updated the phone numbers and other information on the rest of our opt out list. To see more, visit our Opt Out List.

FTC drops Google WiFi case

Online privacy -- The FTC sent a letter to Google today expressing concern about the company's privacy practices, but at the same time, the FTC informed Google that it was dropping its investigation of the Street View WiFi case. The FTC wrote: "FTC staff has concerns about the internal policies and procedures that gave rise to this data collection. ... the company did not discover that it had been collecting payload data until it responded to a request for information from a data protection authority." The FTC told Google it should develop and implement procedures to properly collect, dispose of, and maintain information.

Good privacy decision in Amazon v. Lay fight to keep customer information private

Resource | case file -- Amazon.com filed a lawsuit in April to fight the North Carolina Department of Revenue's request for detailed information on Amazon.com customers. The North Carolina tax department requested Amazon.com to hand over "all information for all sales to customers with a North Carolina shipping address" between 2003 and 2010. In the decision, Seattle, Washington U.S. District Court Judge Marsha J. Pechman wrote, "Citizens are entitled to receive information and ideas through books, films, and other expressive materials anonymously." She also stated that "The fear of government tracking and censoring one's reading, listening, and viewing choices chills the exercise of First Amendment rights." This is an important decision for privacy rights, and online privacy in particular.

WPF files two sets of key comments on HIPAA privacy rule

Health privacy and HIPAA -- The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.

WPF files comments on deeply flawed SEC plan

Financial privacy and SEC -- The World Privacy Forum filed comments today criticizing the SEC proposed regulations that would release an unprecedented amount of financial details about individual borrowers through the EDGAR database. The WPF was joined by other privacy, consumer, and human rights organizations in its comments, which focused on the privacy issues with the proposed regulations. Pam Dixon, executive director of the WPF, stated in the comments that the SEC's new regulations would "Place on the public record and online the largest amount of personal financial information about borrowers ever disclosed, including information never before made public." The comments also note that the SEC's plan greatly increases the risk of identity theft for individual borrowers whose information will be released publicly.

State AGs press Google on Wi-Fi debacle

Online privacy -- A press release issued by Connecticut's AG Richard Blumenthal revealed that 38 states have joined a multistate investigation of Google's Street View Wi-Fi sniffing program. Blumenthal stated in the release: “We are asking Google to identify specific individuals responsible for the snooping code and how Google was unaware that this code allowed the Street View cars to collect data broadcast over WiFi networks. Information we are awaiting includes how the spy software was included in Google’s Street View network and specific locations where unauthorized data collection occurred. We will take all appropriate steps -- including potential legal action if warranted -- to obtain complete, comprehensive answers.”

Data broker presentation at CFP conference

Data brokers -- WPF will be speaking at the CFP conference on two panels. On June 15, Pam Dixon will participate in a plenary session on data brokers. On June 16, Dixon will moderate a health care privacy panel. This panel will focus on electronic health care in the state of California and the current privacy issues in electronic health exchange.

WPF votes on key California medical privacy guidelines

California health privacy -- The World Privacy Forum, as co-chair of the California Privacy and Security Advisory Board, was pleased to vote on an opt-in privacy standard for Californians in the June CalPSAB board meeting. The standard will be part of a set of guidelines the state of California uses in its development of electronic health care records. This set of guidelines was the culmination of two years of policy work with the CalPSAB board.

WPF comments on proposed changes to HIPAA

Health privacy and HIPAA -- The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."
