Federal Trade Commission (FTC)

FTC issues final rule on health data breaches

Health data breach rulemaking — The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.

When opting out is hard to do: World Privacy Forum sends letter to FTC about data broker companies offering mail-based opt outs

Data broker opt out issue — The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.

Public Comments: April 2009 – Request for declaration regarding fairness of opt-out methods and investigation into Acxiom, US Search, PublicRecordsNow, and USA People Search consumer opt-out methods for compliance with Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1)

The Commission has laid down specific examples of what constitutes unreasonable opt- out procedures, particularly in its Affiliate Marketing Rule, which describes three distinct types of opt-out methods the Commission considers to be unreasonable. Some companies are ignoring the standards the Commission has set, and are requiring consumers whom they have notified online of an opt-out opportunity to then use paper and postal mail processes to accomplish the opt out.

World Privacy Forum asks FTC to reconsider proposed consent agreement with CVS

CVS Caremark | FTC proposed consent agreement — The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in resonse to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach.

Public Comments: March 2009 – Comments on the Proposed Consent Agreement with CVS / Caremark

The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in resonse to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach. The World Privacy Forum urged the FTC to reconsider the agreement.