Latest

US Department of Health and Human Services fines Arizona provider $100,000 for HIPAA violations

In a rare enforcement action of HIPAA, HHS fined an Arizona health care provider $100,000 for a variety of HIPAA violations, especially regarding electronic exchanges of protected health information. The HHS document outlining the reasons for the fine should act as a wake-up call to health care providers using public email, calendaring, and other tools for communication of ePHI. HHS specifically noted that the fined health care provider did not conduct an adequate risk assessment prior to using the email and Internet tools. The full HHS document is a must-read for health care providers. WPF has been warning about the need for full e-risk assessments since 2005 and strongly advocates for medical-identity-theft-specific risk assessments.

Public Comments: April 2012 - WPF asks that the full Consumer Privacy Bill of Rights be applied to MS Process

WPF filed two sets of comments with the US Department of Commerce regarding the MultiStakeholder Process and the privacy topics to be taken up. The first set of comments were WPF's formal filing of the joint Civil Society MultiStakeholder Principles on behalf of WPF and the American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers' Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers' League, Privacy Rights Clearinghouse, and US PIRG. The second set of comments were WPF's own comments to the Department. WPF urged the Department to employ a fair process, choose focused topics, and to apply the full range of the Consumer Privacy Bill of Rights to each topic.

WPF files comments with US Department of Commerce; Asks that the full Consumer Privacy Bill of Rights be applied to MS Process

WPF comments on Multi-Stakeholder Process -- WPF filed two sets of comments with the US Department of Commerce regarding the MultiStakeholder Process and the privacy topics to be taken up. The first set of comments were WPF's formal filing of the joint Civil Society MultiStakeholder Principles on behalf of WPF and the American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers' Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers' League, Privacy Rights Clearinghouse, and US PIRG. The second set of comments were WPF's own comments to the Department. WPF urged the Department to employ a fair process, choose focused topics, and to apply the full range of the Consumer Privacy Bill of Rights to each topic.

WPF Strongly Endorses Centralized Data Broker Opt-Out Mechanism

Data Broker opt out -- WPF, in 2011 comments to the FTC, urged the FTC to create a centralized place for consumers to opt-out of data broker tracking. This is a long-standing issue WPF has worked on. Previously, WPF filed a petition in 2009 to the FTC regarding mail-in data broker opt outs, which resulted in an FTC action and improvements for consumers. In its new report published today, the FTC has picked up WPF's centralized opt out recommendation, specifically citing WPF's comments. From its report: "The Commission recommends that the data broker industry explore the idea of creating a centralized website where data brokers that compile and sell data for marketing could identify themselves to consumers and describe how they collect consumer data and disclose the types of companies to which they sell the information." The WPF strongly supports this idea and views assistance to consumers in this area as vital.

FTC releases report: picks up two key WPF recommendations in report, numerous cites

The FTC's new privacy report -- a long -awaited planbook for privacy in the digital age - has picked up several key recommendations the WPF has made. First, the report picks up WPF's direct recommendation in its 2011 comments that the FTC set up a centralized web site to allow consumers to opt out of data brokers. The FTC has directly called for this as a primary part of its report. The WPF strongly supports this. Pam Dixon of the WPF originated the Do Not Track idea in 2007, and with a group of privacy experts, submitted the original idea to the FTC that year. Now, DNT has also made it into the final FTC report.

WPF Facebook Page

Following WPF on Facebook -- WPF maintains an active Facebook page, and it features slightly different content than our home website. For Facebook, we make regular newsfeed postings about WPF activities and also post content for people who want to follow privacy via their Facebook newsfeeds. This past week, stories we've posted include a report on the economics of privacy, the new Pew study on privacy, a privacy-related human interest story, and news about the VZBW lawsuit in Germany against Facebook. It's not the only way to keep up with WPF, but if you are on Facebook a lot, it is a good way. Our page is located

Principles for Multi-Stakeholder Process (NTIA)

On Feb. 23, 2012, nine signatory organizations published a MultiStakeholder Principles designed to guide the NTIA MultiStakeholder Process, a self-regulatory process to develop voluntary codes of conduct with industry and civil society. The document states: "The US Department of Commerce is proposing a multi-stakeholder process for developing better applications of privacy principles. For the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible. We believe the following baseline principles will provide the multi-stakeholder process the legitimacy it needs to succeed."

Leading Civil Society Groups Agree on Key Principles: the Commerce Privacy Process Must be Fair, Transparent, Credible

MultiStakeholder Privacy Principles -- The World Privacy Forum has led an effort to craft a set of principles with the nation’s leading civil liberties, privacy, and consumer groups. Today, the groups are releasing a set of baseline Multi-Stakeholder Principles in response to the U.S. Department of Commerce’s plan for a multi-stakeholder process on privacy. (The U.S. Department of Commerce is undertaking a representative process for bringing together members of industry and civil society to form new privacy rules.) These leading groups believe that for the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible.

Public Comments: February 2012 - WPF asks that the full Consumer Privacy Bill of Rights be applied to MS Process (Principles for Multi-Stakeholder Process)

WPF filed two sets of comments with the US Department of Commerce regarding the MultiStakeholder Process and the privacy topics to be taken up. The first set of comments were WPF’s formal filing of the joint Civil Society MultiStakeholder Principles on behalf of WPF and the American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers’ Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers’ League, Privacy Rights Clearinghouse, and US PIRG. The second set of comments were WPF’s own comments to the Department. WPF urged the Department to employ a fair process, choose focused topics, and to apply the full range of the Consumer Privacy Bill of Rights to each topic.

Companies overriding Safari browser privacy settings

Online privacy | Apple privacy -- Stanford University has released a study documenting how Google and other companies overrode Safari users' browser privacy settings. The WPF encourages Apple users to download the Firefox browser and use Firefox, if at all possible, instead of Safari. Firefox did not have the same problem, and it allows for additional privacy add-ons, such as AdBlock Plus which are helpful privacy-enhancing tools.

WPF says a "walk-out opt-out" is not enough for consumer protection

Facial recognition | Digital signage -- The World Privacy Forum filed extensive comments to the FTC today following up on Pam Dixon's testimony at a December 2011 FTC facial recognition privacy workshop. The WPF comments noted that "A walk-out opt-out is not a viable way of managing consumer consent in the area of facial recognition or detection technologies." The comments discussed the importance of recognizing the Face Print as a unique biometric, and also discussed the need for finding ways of consumer consent that are reasonable. Given the ubiquity of cameras in some retail and public spaces, just walking away will become less and less of an option for consumers going forward, the comments argued. The comments also included the WPF's ground breaking report, The One-Way Mirror Society, and the joint Consumer Privacy Principles for Digital Signage.These principles were signed by the nation's leading privacy and consumer groups.

Public Comments: January 2012 - Regarding Face Facts: A Forum on Facial Recognition

The World Privacy Forum appreciates the opportunity to comment on the issue of facial recognition pursuant to the FTC Face Facts Workshop held on December 8, 2011. [1] The World Privacy Forum spoke on Panel 4 of the workshop, and those comments are already on the record. In these written comments, we would like to submit several key documents for the record and reaffirm several ideas from the workshop. The documents we are including as part of these comments include the World Privacy Forum’s groundbreaking report on digital signage, The One Way Mirror Society. Also included as part of these comments are the consensus privacy principles for digital signage installations that were signed by the leading US consumer and privacy groups.

Public Comments: January 2012 - Regarding Disclosure of Certain Credit Card Complaint Data

The World Privacy Forum appreciates the opportunity to submit comments to the Consumer Financial Protection Bureau’s (CFPB) proposed policy statement about the CFPB's proactive disclosure of credit card complaint data. The proposed statement appeared in the Federal Register on December 8, 2011 at 76 Federal Register 76628, http://www.gpo.gov/fdsys/pkg/FR- 2011-12-08/pdf/2011-31153.pdf and at https://www.federalregister.gov/articles/2011/12/08/2011-31153/disclosure-of-certain-credit- card-complaint-data.

US Supreme Court delivers opinion about GPS tracking

01/23/2012 GPS tracking | United States v. Jones -- The US Supreme Court unanimously ruled that police must get a warrant before using GPS devices to track criminal suspects. This case was narrow and dealt specifically with a GPS device physically attached to a suspect's vehicle. The concurring opinion of Justice Sotomayor points out that the subtler issues of digital era tracking were not dealt with in this case, for example, cell phone tracking, web site tracking, etc. She wrote: "More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976)." She continued: "This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."

WPF opposes censorship bills; supports right to create and use anonymization tools to protect privacy

Stop SOPA & PIPA ---- The World Privacy Forum is deeply concerned about the profound, far-reaching privacy consequences of two bills, SOPA and PIPA. The bills have many negative aspects. In terms of the privacy impacts, one of the serious consequences is that the right to create and use anonymization ...

WPF urges more consumer protection and redress in the Facebook FTC settlement

Facebook -- In response to the FTC's proposed settlement with Facebook over the company's multiple privacy violations, the World Privacy Forum has asked the FTC to make key changes. "We applaud the FTC for its work on the Facebook case," said executive director Pam Dixon. "We support many parts of the settlement. However, we urge the FTC to provide full redress for affected consumers by rolling back the privacy controls to the 2009 defaults, and we also urge the FTC to follow the 2004 Gateway Learning, Corp. precedent and require Facebook to disgorge profits they made from violating their privacy policy retroactively." The comment period is open to the public until December 30.

Public Comments: December 2011 - WPF urges more consumer protection and redress in the Facebook FTC settlement

In response to the FTC's proposed settlement with Facebook over the company's multiple privacy violations, the World Privacy Forum has asked the FTC to make key changes. "We applaud the FTC for its work on the Facebook case," said executive director Pam Dixon. "We support many parts of the settlement. However, we urge the FTC to provide full redress for affected consumers by rolling back the privacy controls to the 2009 defaults, and we also urge the FTC to follow the 2004 Gateway Learning, Corp. precedent and require Facebook to disgorge profits they made from violating their privacy policy retroactively." The comment period is open to the public until December 30.

WPF testifies at FTC facial recognition hearing

Facial recognition -- Pam Dixon of WPF testified at the FTC's Facial Recognition workshop, speaking on a panel about the policy implications of facial recognition technology. The World Privacy Forum's report on Digital Signage was mentioned several times at the hearing, as were the collaborative consumer protection principles the WPF led.

WPF Resource Page: Cloud Computing and Privacy

Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections. Cloud computing services exist in many variations, including data storage sites, video sites, tax preparation sites, personal health record websites, photography websites, social networking sites, and many more.

WPF urges HHS to do more to protect the privacy of people who are medical research subjects

Common Rule | Health Privacy -- The World Privacy Forum filed extensive comments with the US Department of Health and Human Services about its proposed changes regarding the rules governing human subject medical research. In the comments, WPF noted that the HHS approach to privacy for research subjects was incomplete and did not use all Fair Information Practices. WPF strongly urged HHS to revise its proposal on a number of issues, including consent and the use of biospecimens in research. The World Privacy Forum is urging HHS to acknowledge that the realm of health data that is truly non-identifiable has shrunken remarkably, for example, biospecimens with DNA cannot be considered non-identifiable anymore. "In our comments, we are requesting that HHS give individuals the opportunity to make choices about the use of their own health data and specimens," said Executive director Pam Dixon. WPF also stated in its comments that "A central database with identifiable information about participants in human subjects research is a terrible idea." (See p. 21 of WPF comments.)