FACE Act Introduced

To be effective, legislation should have adequate enforcement mechanisms. This bill appears to enable not only the FTC, but also state attorneys general and/or state officials and agencies to enforce the Act. According to the bill, a “state may enforce the act by bringing a civil action to: enjoin such act or practice; enforce compliance with such section or such regulation; obtain damages, restitution, or other such compensation on behalf of residents of the State; or obtain such other legal and equitable relief as the court may consider to be appropriate.”

The Act specifically states that it would not preempt states or political subdivisions of a state from enacting a law that provides minors greater personal privacy protection. At first glance, this appears to provide the potential to create burdensome regulations on cloud providers and their clients; however, cloud computing vendors have been able to flourish despite being required to adhere to different privacy laws in each state. For example, at least 46 states, including the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data breach notification statutes. (A list of those states with links to their security breach notification laws is available from the National Conference of State Legislatures (NCSL).)

According to a GigaOM article about Gartner's Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update that was released earlier this year, “the U.S. is predicted to remain number one in overall cloud services deployment-by a wide margin-into 2016.” See, “Gartner: Public Cloud Services to Hit $131B by 2017.” Therefore, despite almost every state in the U.S. enacting its own data breach notification statutes (whose provisions may vary widely state by state), cloud computing providers have still been able to offer to clients compliant cost effective solutions.

States Take Charge

While the FTC's recent updates to the Children's Online Privacy Protection Act (COPPA) provide our children more privacy protections, state attorneys general, along with state officials or agencies, may be in a better position to protect the digital privacy of our children. See, “FTC Strengthens Kids' Privacy, Gives Parents Greater Control over Their Information by Amending Children's Online Privacy Protection Rule.” For example, while multiple EU data protection authorities are pursuing enforcement actions against Google because of its March 1, 2012 privacy policy change; so far the FTC has declined to do so. See, “European Data Protection Authorities Threaten to Fine Google,” The Irish Times.

In contrast, in 2012 the National Association of Attorneys General (www.naag.org) sent a letter (signed by 36 state attorneys general) expressing their concern about Google's privacy policy change. See, “Attorneys General Express Concerns over Google's Privacy Policy.” In July, 23 state attorneys general signed onto a follow up letter that stated, “[w]e are still greatly concerned about the way Google collects consumer information” and “[w]e also think more needs to be done to enable consumers to review and delete data that has been collected about them from specific Google products.” See, “Maryland Says Google Privacy Policy Doesn't Go Far Enough,” The Baltimore Sun.'

In addition to the actions spearheaded by the NAAG, California's Attorney General Kamala Harris has been active regarding protecting those who utilize mobile apps. Her office's recent report on mobile apps “provides guidance on developing strong privacy practices.” See, “Attorney General Kamala D. Harris Issues Guidance on How Mobile Apps Can Better Protect Consumer Privacy.” Harris also created the Privacy Enforcement and Protection Unit'to enforce federal and state privacy laws. Other states, such as Massachusetts, have introduced legislation (H 331) that would ban cloud computing service providers who contract with K-12 schools from processing student data for commercial purposes. See, http://1.usa.gov/176bzYz.

Conclusion

Even though some state attorneys general and state lawmakers around the country are working to protect the digital privacy of children, more tools are needed to ensure that children are not exploited. The FACE Act's introduction is important because it demonstrates that legislators realize that enacting stronger digital privacy laws is not only best for society, but that it will resonate with voters on election day.

While it may take several legislative sessions for the FACE Act to move forward due to the acrimony on Capitol Hill, it demonstrates that lawmakers still believe we have an expectation of privacy in the Digital Age. It would not surprise me if the FACE Act's introduction encourages state lawmakers to introduce similar bills in their respective legislatures around the country. Therefore, it is imperative that the cloud computing industry work with stakeholders to ensure that our children's personal digital data is not utilized for commercial purposes.

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law. Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com.

The Forbidding Advertisement Through Child Exploitation Act (FACE Act) of 2013 was introduced in Congress on July 10, 2013 by U.S. Congressman John J. Duncan, Jr. (R-N) to help protect the personal privacy of children and teens. The official title as introduced states: “To prohibit providers of social media services from using self-images uploaded by minors for commercial purposes.”

The FACE Act states: “(a) provider of a social media service may not intentionally or knowingly use for a commercial purpose a self image uploaded to such a service by a minor.” http://1.usa.gov/17Nl6Uf. The Act empowers the Federal Trade Commission (FTC) to promulgate regulations under section 553 of title 5 of the United States Code to implement the Act. This aspect of the legislation is extremely important because it appears to provide the FTC the flexibility to create regulations that will enable it to account for changes in technology.

Enforcement

To be effective, legislation should have adequate enforcement mechanisms. This bill appears to enable not only the FTC, but also state attorneys general and/or state officials and agencies to enforce the Act. According to the bill, a “state may enforce the act by bringing a civil action to: enjoin such act or practice; enforce compliance with such section or such regulation; obtain damages, restitution, or other such compensation on behalf of residents of the State; or obtain such other legal and equitable relief as the court may consider to be appropriate.”

The Act specifically states that it would not preempt states or political subdivisions of a state from enacting a law that provides minors greater personal privacy protection. At first glance, this appears to provide the potential to create burdensome regulations on cloud providers and their clients; however, cloud computing vendors have been able to flourish despite being required to adhere to different privacy laws in each state. For example, at least 46 states, including the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data breach notification statutes. (A list of those states with links to their security breach notification laws is available from the National Conference of State Legislatures (NCSL).)

According to a GigaOM article about Gartner's Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update that was released earlier this year, “the U.S. is predicted to remain number one in overall cloud services deployment-by a wide margin-into 2016.” See, “Gartner: Public Cloud Services to Hit $131B by 2017.” Therefore, despite almost every state in the U.S. enacting its own data breach notification statutes (whose provisions may vary widely state by state), cloud computing providers have still been able to offer to clients compliant cost effective solutions.

States Take Charge

While the FTC's recent updates to the Children's Online Privacy Protection Act (COPPA) provide our children more privacy protections, state attorneys general, along with state officials or agencies, may be in a better position to protect the digital privacy of our children. See, “FTC Strengthens Kids' Privacy, Gives Parents Greater Control over Their Information by Amending Children's Online Privacy Protection Rule.” For example, while multiple EU data protection authorities are pursuing enforcement actions against Google because of its March 1, 2012 privacy policy change; so far the FTC has declined to do so. See, “European Data Protection Authorities Threaten to Fine Google,” The Irish Times.

In contrast, in 2012 the National Association of Attorneys General (www.naag.org) sent a letter (signed by 36 state attorneys general) expressing their concern about Google's privacy policy change. See, “Attorneys General Express Concerns over Google's Privacy Policy.” In July, 23 state attorneys general signed onto a follow up letter that stated, “[w]e are still greatly concerned about the way Google collects consumer information” and “[w]e also think more needs to be done to enable consumers to review and delete data that has been collected about them from specific Google products.” See, “Maryland Says Google Privacy Policy Doesn't Go Far Enough,” The Baltimore Sun.'

In addition to the actions spearheaded by the NAAG, California's Attorney General Kamala Harris has been active regarding protecting those who utilize mobile apps. Her office's recent report on mobile apps “provides guidance on developing strong privacy practices.” See, “Attorney General Kamala D. Harris Issues Guidance on How Mobile Apps Can Better Protect Consumer Privacy.” Harris also created the Privacy Enforcement and Protection Unit'to enforce federal and state privacy laws. Other states, such as Massachusetts, have introduced legislation (H 331) that would ban cloud computing service providers who contract with K-12 schools from processing student data for commercial purposes. See, http://1.usa.gov/176bzYz.

Conclusion

Even though some state attorneys general and state lawmakers around the country are working to protect the digital privacy of children, more tools are needed to ensure that children are not exploited. The FACE Act's introduction is important because it demonstrates that legislators realize that enacting stronger digital privacy laws is not only best for society, but that it will resonate with voters on election day.

While it may take several legislative sessions for the FACE Act to move forward due to the acrimony on Capitol Hill, it demonstrates that lawmakers still believe we have an expectation of privacy in the Digital Age. It would not surprise me if the FACE Act's introduction encourages state lawmakers to introduce similar bills in their respective legislatures around the country. Therefore, it is imperative that the cloud computing industry work with stakeholders to ensure that our children's personal digital data is not utilized for commercial purposes.

Bradley S. Shear is a lawyer in Bethesda, MD, and an Adjunct Professor at George Washington University. A member of this newsletter's Board of Editors, he practices cyber and social media law, privacy and advertising law, and copyright and trademark law. Shear advises state and federal lawmakers around the country on digital media law and public policy issues. He can be reached at www.shearlaw.com.