Archive for the ‘Technology’ Category
New Jersey’s Revised Uniform Limited Liability Company Act – What all owners of New Jersey LLCs Need to Know
What is the New Jersey’s Revised Uniform Limited Liability Company Act?
The Revised Uniform Limited Liability Company Act (“RULLCA”) replaces and expands New Jersey’s Uniform Limited Liability Company Act (“NJ ULLCA”) which was originally put in place to govern limited liability companies in January of 1994. RULLCA was officially enacted on March 18, 2013, and, at least for the next 11 months, applies only to LLCs formed after that date. After March 1, 2014, the RULLCA will apply to all LLCs regardless of the date of formation.
How will the RULLCA affect your LLC?
The following is a brief summary of the most significant changes to the statute that may affect your LLC:
1. Fiduciary Duties
Under the outgoing NJ ULLCA, LLC members owe fiduciary duties to other members. (These are generally the duty of loyalty and the duty of care.) The duty of loyalty often involves avoiding conflicts of interest; however, the members could waive the fiduciary duty in the operating agreement. This framework allows many people to participate in multiple businesses outside an LLC even when those other activities might conflict with the LLC’s business.
RULLCA no longer permits the members to agree to waive certain rights, including fiduciary and other rights that they owe to each other, like the duty of good faith and fair dealing. While this may not have significant impact on the operation of a company in the ordinary course, in disputes between members involving activities outside of the company, this can have a dramatic effect and provides an aggrieved member with significantly improved rights.
Under the RULLCA, the default rule on distributions is that all profit available for distribution will be made to the members on a “per capita” distribution, meaning equal shares for each member, unless otherwise agreed to in the operating agreement. This change means that any LLCs that do not have an operating agreement and that have been distributing profit other than on an “equal share” basis, will be required to do so.
Under the NJ ULLCA, upon disassociation a member, absent a contrary provision in the operating agreement, is entitled to be paid the fair value of his or her interest in the company, which can be a financial stress on a business that might prefer to deploy its capital for growth. Under the RULLCA, a “resigning” member is no longer automatically entitled to receive fair value; instead that person becomes dissociated as a member and assumes the rights of an economic interest holder. This change means that the member loses the right to participate in the governance of the company (as well as the potential liability associated with the operation of the company), but retains the rights to receive distributions of profit and of the company’s assets upon liquidation or dissolution. Absent a provision in the operating agreement that requires the sale of the member’s interest upon disassociation, a member will neither be entitled to be bought out nor will the company have the right (or obligation) to do so (note that this can have the effect of enabling a member to cease participating in the business while continuing to profit from it, an outcome typically not desired by the remaining members).
4. Deadlock and Oppression
Under the NJ ULLCA, there are very few rights afforded to a minority member that is oppressed by the majority or, similarly, to resolve a deadlock between members. As such, this issue is typically addressed in the operating agreement to ensure that the members have remedies in the event of oppression or deadlock. The RULLCA provides express remedies for oppressed minority members: the right to seek the dissolution of the LLC or the appointment of a custodian. These remedies give the oppressed minority substantial leverage to obtain a buyout or other relief relating to the operation of the company that it previously did not expressly have under the NJ ULLCA.
While it is good practice to have your LLC operating agreement reviewed every few years to ensure that it is consistent with the intentions and practices of the members, the changes effectuated by the RULLCA make it critical that every company’s operating agreement be updated to make sure that it is consistent with the revisions to the law.
OlenderFeldman LLP Data Protection and Privacy lawyers Michael Feldman and Aaron Messing will attend the International Association of Privacy Professionals (IAPP) Global Privacy Summit, to be held March 6-8 in Washington, D.C.
The event will feature thousands of privacy industry professionals participating in dozens of educational sessions. If you would like to meet up with Michael or Aaron, please send them an email or contact us using the contact form. We hope to see you there.
The Federal Trade Commission has proposed revisions that will bring the Children’s Online Privacy Protection Act in line with 21st century technology, largely targeting social networks and online advertisers.
By Alice Cheng
Based on comments solicited last year, the Federal Trade Commission (FTC) has posted proposed revisions to the Children’s Online Privacy Protection Act (COPPA). The Act, which has not been updated since its inception in 1998, may be extended to include social networks and online advertisers.
According to the current regulations, COPPA applies only to website operators who know or have reason to know that users are under the age of 13, requiring the sites to obtain parental consent before any collection of data. In the past decade, an increased ability to harvest consumer information has necessitated revisions. In an FTC staff report conducted earlier this year, the Commission addressed a growing need for app stores and app developers to provide more information regarding their data collection practices to parents. With the proposed changes posted today, the FTC plans to update COPPA to respond to modern concerns surrounding social networking sites, advertising networks, and applications. Under the proposed changes, such third parties may be held responsible for unlawful data collection practices when they know or have reason to know that they are connecting to children’s websites. Mixed audience websites may have to screen all visitors in order for COPPA regulations to apply to users under 13 years of age. Additionally, restrictions on advertising based on children’s online activity may be tightened.
The FTC will be accepting public comment to the proposed rules via the FTC website. Comments will be accepted until September 10, 2012.
Several House lawmakers have sent letters to nine major data broker firms, seeking transparency on data practices.
By Alice Cheng
Last week, eight House members, including Congressional Bi-Partisan Privacy Caucus chairmen Ed Markey (D-Mass.) and Joe Barton (R-Tex.), sent letters to nine major data broker firms, asking for information on how they collect, assemble, maintain, and sell consumer information to third parties.
The letter references a recent New York Times article profiling data broker Acxiom, which may have spurred the lawmakers’ decision to target the firms. Data brokers are large firms that aggregate information about hundreds of millions of consumers, selling it to third parties for marketing, advertising, and other purposes. Oftentimes, profiles of consumers are created to reflect spending habits, political affiliation, and other behavioral information. As the article explains, the issue with these activities is that they are largely unregulated, largely unknown to the general public, and often difficult to opt out of.
Privacy advocates, lawmakers, and often the Federal Trade Commission have made continued moves towards increased transparency of the activities of data brokers. A statement explains that, in sending the letter to the nine firms, the lawmakers in the Bi-Partisan Privacy Caucus seek to obtain information on the brokers relating to “privacy, transparency and consumer notification, including as they relate to children and teens.”
Survey finds that only 61.3% of apps have privacy policies, reflecting perceived need for increased app privacy regulations.
By Alice Cheng
The FPF credits the consumer privacy efforts of various groups, including the Federal Trade Commission and the California Attorney General. The FTC has made continuous efforts to help companies develop best consumer privacy practices, and has been involved in battling privacy violations. In February, California Attorney General Kamala Harris persuaded six major companies with mobile platforms (including Apple, Microsoft, and Google) to ensure that app developers include privacy policies that comply with the California Online Privacy Protection Act. More recently, Harris also announced the formation of the Privacy Enforcement and Protection Unit to oversee privacy issues and to ensure that companies are in compliance with the state’s privacy laws.
National Telecommunications and Information Administration (NTIA) Holds Public Meeting on Mobile Privacy
Friday, July 13th, 2012
The NTIA’s first multistakeholder meeting on mobile privacy focused on ways to improve the transparency of the privacy practices of mobile apps.
By Alice Cheng
On Thursday, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) held a public meeting in Washington, D.C., to discuss mobile privacy. After taking public comment in March on consumer data privacy, the NTIA decided to address mobile app transparency in its first privacy multistakeholder process. The discussion is part of the Obama administration’s push for companies to abide by a consumer privacy “bill of rights,” and is an issue that has been recently tackled by the Federal Communications Commission as well.
As smartphone use continues to grow rapidly, concerns about mobile app access to consumer data have also grown. Through the devices, mobile apps may be able to access sensitive personal information regarding users, such as geographic location. Additionally, privacy advocates have pushed fervently for regulation on digital advertising. The prevalence of digital advertising on apps is not only a nuisance, but can at times be downright aggressive (i.e., ads pushed onto notification bars and phone desktops).
During the meeting, audience members were asked how greater mobile app transparency could be achieved. Suggestions ranged from software that notified users of what information was shared, to the use of icons indicating privacy concepts in lieu of lengthy privacy policies. Others proposed that broader fair information practices should be addressed, as transparency itself would not be helpful without regulations.
While the NTIA’s next steps are unclear, keep in mind that privacy policies should still be as clear as possible. Effective privacy policies let users know how and for what purpose information is collected and used. Privacy lawyers and advocates generally recommend an opt-in approach where possible, as it allows users to choose what information they would like to share.
If your password looks something like “123456,” you might want to change it.
By Alice Cheng
Late Wednesday evening, hackers successfully breached Yahoo! security and published a list of unencrypted emails and passwords. The list exposed the login information of more than 450,000 Yahoo! users. The hackers, who call themselves the D33D Company, explained that they obtained the passwords by using an SQL injection vulnerability—a technique that is often used to make online databases cough up information. The familiar method has been employed in other high-profile hacks, including of Sony and, more recently, LinkedIn.
However, unlike other malicious attacks, the D33D hackers claim that they only had good intentions: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”
The attempted wake-up call is apparently much needed, though often ignored. An analysis of the exposed Yahoo! passwords revealed that a large number were incredibly weak—popular passwords in the set ranged from sequential numbers to being merely “password.”
In a statement, Yahoo! apologized and stated that notifications will be sent out to all affected users. The company also urged users to change their passwords regularly.
If you are a Yahoo! user, you may want to change your account password, as well as any accounts with similar login credentials. It will also be well worth your time to heed the wake-up call and incorporate better password practices. Use a different password for each site, and create long passwords that include a mix of upper- and lowercase letters, numbers, and symbols. To help keep things simple, password management software (such as LastPass and KeePass) is also available to help keep track of the complex passwords you create.
Data Breach Prevention and Remediation: How to Protect Your Company from Hackers and Internal Threats and Ensure Your Customer’s Privacy
Thursday, July 12th, 2012
All companies, big and small, are at risk for data breaches. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in their possession. Information privacy and security is essential to protect your business, safeguard your customers’ privacy, and secure your company’s vital information.
Recently, hackers gained access to Yahoo’s databases, exposing over 450,000 usernames and passwords to Yahoo, Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com accounts. This breach comes on the heels of a breach of over 6.5 million LinkedIn user passwords. With these embarrassing breaches, and the widespread revelation of their inadequate information security practices, Yahoo and LinkedIn were added to the rapidly growing list of large companies who have suffered massive data breaches in recent years.
While breaches at large companies like Yahoo and LinkedIn make the headlines, small businesses are equally at risk, and must take appropriate measures to keep their information safe. Aaron Messing, an information privacy attorney with OlenderFeldman LLP, notes that most business networks are accessible from any computer in the world and, therefore, potentially vulnerable to threats from individuals who do not require physical access to them. A recent report by Verizon found that nearly three-quarters of breaches in the last year involved small businesses. In fact, small business owners may be the most vulnerable to data breaches, as they are able to devote the least amount of resources to information security and privacy measures. Studies have found that the average cost of small business breaches is $194 per record breached, a figure that includes various expenses such as detecting and reporting the breach, notifying and assisting affected customers, and reimbursing customers for actual losses. Notably, these expenses did not include the cost of potential lawsuits, public embarrassment, and loss of customer goodwill, which are common consequences of weak information security and poorly managed data breaches. For a large business, a data breach might be painful. For a small business, it can be a death sentence.
Proactive security and privacy planning is always better than reactive measures. “While there is no sure-fire way to completely avoid the risk of data breaches,” says Aaron Messing, an information privacy lawyer with OlenderFeldman LLP, “steps can be taken, both before and after a breach, to minimize risk and expense.” To preserve confidential communications and to obtain advice on possible legal issues related to your company, consulting with privacy attorneys about your specific requirements is recommended. OlenderFeldman recommends the following general principles as a first step towards securing your business.
Second, although external breaches from hackers gain the most publicity, the vast majority of data breaches are internal. Accordingly, physical security is one of the most important concerns for small businesses. Informal or non-existent business attitudes and practices with regards to security often create temptations and a relatively safe environment for an opportunist within to gain improper or unauthorized access to your company’s sensitive information. Mitigating this risk requires limiting access to company resources on a need to know/access basis and restricting access to those who do not need the access. Theft or damage of the system hardware or paper files presents a great risk of business interruption and loss of confidential or personal information. Similarly, unauthorized access, use, or disclosure, whether intentional or unintentional, puts individuals at risk for identity theft, which may cause monetary liability and reputational damage to your company.
Third, be vigilant about protecting your information. Even if your company develops a secure network, failure to properly monitor logs and processes or weak auditing allows new vulnerabilities and unauthorized use to evolve and proliferate. As a result, your company may not realize that a serious loss had occurred or was ongoing. Develop a mobile device policy to minimize the security and privacy risks to your company. Ensure that your technology resources (such as photocopy machines, scanners, printers, laptops and smartphones) are securely erased before they are recycled or otherwise disposed of. Most business owners are not aware that technology resources generally store and retain copies of documents that have been printed, scanned, faxed, and emailed on their internal hard drives. For example, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of that photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.
Finally, in the event of a breach, consult a privacy lawyer to determine your obligations. After a breach has been discovered, there should be a forensic investigation to determine what information was accessed and whether that information is still accessible to unauthorized users. Your business may be legally obligated to notify customers or the authorities of the breach. Currently, there are no federal laws regulating notification, but 46 states and the District of Columbia have enacted data breach notification laws, which mandate various breach reporting times and reporting to various authorities.
Employee Who Read and Printed Coworker’s Emails Found Not Guilty of Violating the Stored Communications Act
Thursday, July 5th, 2012
A New Jersey court recently held that a teacher who accessed and printed a co-worker’s personal email after the coworker left the computer without signing out of her account was not guilty of a crime.
By Alice Cheng
In Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012), a New Jersey court held that a defendant was not in violation of any laws when he snooped through the emails of a coworker who had forgotten to sign out of a shared computer.
The defendant, a teacher who was involved in a salary dispute with the school district he worked for, sat down to use a computer in the school’s computer room when he accidentally bumped the mouse of the computer next to him. The screen of the adjacent computer came alive to show the Yahoo! email inbox of a member of the education association he was in dispute with, which included two emails that clearly mentioned him. He then clicked on the emails, printed them out, and used them at a meeting with the education association as evidence that they had not bargained in good faith.
The individuals who were copied on the email conversations filed suit, claiming that the defendant had violated New Jersey’s version of the Stored Communications Act (N.J.S.A. 2A:156A-27), which reads in pertinent part:
A person is guilty . . . if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or [an] electronic communication while that communication is in electronic storage.
The court found that the defendant did not “knowingly access [the facility] without authorization” as it was the previous user who had logged into the account. The judge then let the jury decide whether or not he “exceed[ed] an authorization to access that facility” when she failed to close her inbox and log out of her account. The jury found that he did not, as he had “tacit authorization” to access the account. On appeal, the court affirmed.
While there is no clear answer to the question of whether snooping emails is illegal (as always, it depends), always remember to log out of public computers. Similarly, all mobile devices, such as smartphones or laptops, should be password protected. As for the email snoopers, be forewarned that snooping may nevertheless carry major consequences, if hacking or unauthorized access is found.
The Jumpstart Our Business Startups Act or JOBS Act, intended to encourage funding of United States small businesses by easing various securities regulations, was signed into law by President Obama on April 5, 2012.
On April 5, 2012, the Jumpstart Our Business Startups Act (“JOBS Act”) was signed into law. The fundamental change that it will have on companies is their ability to raise capital through a private placement under Rule 506 of Regulation D of the Securities Act of 1933, as amended (“Rule 506 Offering”). The JOBS Act, among other things, will eliminate the prohibitions under the U.S. federal securities laws against general advertising or general solicitation in connection with a Rule 506 Offering; provided that all purchases are made to accredited investors. The elimination of the general advertising and general solicitation restrictions could have a significant impact on a company’s ability to raise capital because it allows companies to reach a more diverse group and larger number of potential investors through their marketing efforts. The enactment of the JOBS Act directed the U.S. Securities and Exchange Commission (“SEC”) to revise Rule 506 of Regulation D within 90 days of its enactment, or by July 4, 2012. The current rules are still applicable to Rule 506 Offerings until the SEC amends Rule 506 of Regulation D.
Currently, under Rule 506 of Regulation D, companies are prohibited from soliciting investors through general advertisements or general solicitations, which makes it difficult for startups and small companies to raise capital since, as is often the case, they do not have enough contacts who are accredited investors that have the financial capability to invest in their company. With the implementation of the JOBS Act, a company will have the ability to tap a larger pool of investors than they originally had access to since they will now be allowed to solicit investors through general advertisements and general solicitations. This should open up access to more funding opportunities than companies previously experienced. The one caveat is that all investors must be accredited investors as such term is defined under Rule 501(a) of Regulation D (“Accredited Investor”).
An Accredited Investor is generally someone who has enough knowledge and business experience and acumen that they do not need to be afforded the full protection of the securities laws. Since this was a difficult standard to interpret, the SEC enacted Rule 501(a) to clarify the meaning of an Accredited Investor. There are eight (8) different categories of investors under the definition of an Accredited Investor; the most widely used by startup and small companies are:
- 501(a)(6) any natural person whose individual net worth, or jointly with their spouse, exceeds $1 million at the time of purchase, excluding the value of such person’s primary residence; or
- 501(a)(7) any natural person with income exceeding $200,000, or joint income with a spouse exceeding $300,000, for the two most recent years with a reasonable expectation of achieving the same income level in the current year.
A company can avail itself of the elimination of the advertising prohibitions in a Rule 506 Offering by taking “reasonable steps to verify that purchasers of the securities are accredited investors”. The meaning of this standard is unclear as of now, but hopes are that the SEC will clarify its meaning when it revises Rule 506 of Regulation D.
Once the SEC amends Rule 506 of Regulation D, companies will be able to conduct private placements through the facilitation of general advertisements and general solicitations as long as they reasonably verify that the securities are sold to Accredited Investors only.
Your smartphone knows all about you. Before giving it away or recycling your smartphone, make sure that you take the proper precautions so that your smartphone doesn’t spill your secrets to the world.
In a Fox Business article by Michael Estrin entitled, “Don’t be Stupid With an Unwanted Smartphone,” OlenderFeldman LLP’s Aaron Messing provides insight on the importance of wiping all data before selling or donating an old phone. Some excerpts follow, and be sure to read the entire thing:
If an identity thief gets hold of data on your old smartphone, the risks could be dire, according to Aaron Messing, a lawyer specializing in technology and information privacy issues.
“It’s important for consumers to realize that their smartphones are actually mini-computers that contain all types of sensitive personal and financial information,” says Messing, who’s with the Olender Feldman firm in Union, N.J.
That information typically includes, but is not limited to: phone contacts, calendars, emails, text messages, pictures and a browser history. Increasingly, many phones also contain everything you’d have in your wallet — and more — as more consumers are using mobile banking and payment apps.
If just a little information gets into the wrong hands, it can go a very long way because each piece of compromised data is a clue toward finding more, says Messing.
“Email is especially sensitive because access to email will often give (a thief the) ability to reset passwords, which can be used to access financial and health information,” says Messing. Since many consumers ignore warnings not to use the same password for numerous sites, the risk could easily be multiplied very quickly.
So far, there haven’t been many reported incidents of identity theft using data pulled from discarded smartphones. But it’s a problem that Messing worries might rise as smartphone usage grows. A recent study by Pew Internet found that nearly half of Americans now own smartphones, up from 35% last year.
The Federal Trade Commission fined an online data broker who allegedly sold consumer reports containing internet and social media data in the context of employment screenings without adhering to the Fair Credit Reporting Act’s consumer protections.
By Alice Cheng
Data broker Spokeo recently agreed to pay $800,000 to settle Federal Trade Commission (FTC) charges in what is the FTC’s first Fair Credit Reporting Act (FCRA) case involving the “sale of internet and social media data in the employment screening context.”
Spokeo, a social network aggregator website, has long been notorious for the comprehensive profiles (including name, address, email address, phone number, hobbies, ethnicity, religion, etc.) it compiles and sells to third parties. Personal information of individuals is collected both online and offline, and profiles have been used for employment screening purposes—a practice that the FTC has alleged is in violation of the FCRA.
The FTC recently took legal action against the company after receiving an initial complaint about its practices from the Center of Democracy & Technology in 2010. The FCRA violations include failing to make sure that the information was sold for legally permissible uses only, failing to ensure that the information was accurate, and failing to notify users of the consumer reports about their obligations under FCRA.
The FCRA is a federal law regulating the collection, dissemination, and use of consumer information (including consumer credit information) to promote the accuracy, fairness, and privacy of such information. In order to avoid violating FCRA regulations, Spokeo says it will no longer build “consumer reports” and will no longer sell its information for employment screening purposes.
Aside from potential FCRA violations, such widespread collection of data by data aggregators like Spokeo continues to be an ongoing privacy issue. The collection of personally identifiable information, such as social security numbers or driver’s license numbers, carries obvious concerns, but even the collection of “non-sensitive” information can be problematic. Aggregation of this data is commonly used by advertisers to target prospective customers, or as in Spokeo’s case, sold to any willing buyers. While it may not always be easy to pinpoint any concrete harm to consumers, many are nevertheless uneasy about such compilations.
While the FTC has been increasingly vigilant regarding big data concerns, little progress is being made in developing data protection regulations. Continual changes in technology, such as the move to cloud computing services, may also invite further complications to developing appropriate regulations. Consumers need to be aware of what information is being collected and how it is used. Businesses need to be aware of what laws, rules and regulations govern their collection and use of information so they can assure successful compliance.
The Federal Communications Commission (FCC) is seeking public comment on the privacy and security of personal information on mobile devices.
By Alice Cheng
The Federal Communications Commission (FCC) recently released a request for public comment on the privacy and security of personal information on mobile devices. The Commission, which regulates interstate and international radio, television, wire, satellite, and cable communications, had solicited public input on this subject five years ago, but acknowledges the vast changes in technologies and business practices since then.
Section 222 of the Communications Act of 1934 addresses customer privacy, and establishes that all telecommunications carriers have the duty, with limited exceptions, to protect the confidentiality of proprietary information of and relating to customers. All carriers must also protect “customer proprietary network information” (CPNI), such as time, date, and duration of a call, which the carrier receives and obtains. They may use, disclose, and allow access of such information only in limited circumstances.
The FCC enforces these obligations, and is seeking comments to better understand the practices of mobile wireless service providers, and the types of customer information that are stored on mobile devices.
This request for public comment appears to come in light of the Carrier IQ controversy of late 2011. The Federal Trade Commission (FTC) brought legal action against analytics company Carrier IQ after it was discovered that the software, installed on over 140 million mobile devices, was capable of detailed logging of user keystrokes, recording of calls, storing text messages, tracking location, and more. The detailed tracking was intended to provide phone usage information that would be helpful to improve device performance. However, the widespread collection and difficulty in opting out attracted nationwide attention and a slew of lawsuits.
In addition to the request for public comments, the FCC has also recently released a report on location-based services (LBS), focusing on “mobile services that combine information about a user’s physical location with online connectivity.” While the report acknowledges the benefits of these services (ease of transacting business, for social networking purposes, etc.), it also addresses concerns about creating highly accurate and personal user profiles through LBS data—specifically, “how, when and by whom this information can and should be used.”
Congress has displayed a growing interest in privacy as well—several privacy and information security-related bills have been introduced and hearings on the issues have been held.
Five years after their initial inquiry into the matter, the FCC hopes to obtain an updated understanding of these mobile information security and privacy issues. Comments are due by July 13, and reply comments are due by July 30.
Websites that collect information from children under the age of thirteen are required to comply with the Children’s Online Privacy Protection Act (COPPA). The Federal Trade Commission (FTC) is generally responsible for ensuring compliance with COPPA.
By Alice Cheng
Earlier this year, the Federal Trade Commission (FTC) issued a staff report on the growing market for mobile apps for children and the disappointing privacy disclosures that accompanied them.
A survey of mobile apps for children showed that both app stores and app developers need to provide more information on online behavioral advertising and data collection that parents need in order to make informed decisions. The report also concluded that, in the interest of protecting children, the industry should provide greater transparency of their data practices.
In 1998, Congress addressed similar concerns when it enacted the Children’s Online Privacy Protection Act (COPPA) in order to provide parents with control over what information is collected online from their young children.
The Rule, which became effective on April 21, 2000, applies to persons or entities (such as operators of commercial websites and online services) who operate sites that are either designed for children under 13 or collect information from this age group.
Those covered by the Rule must:
- Post a clear and prominent link to a privacy notice on the home page of the website or online service and at each area where it collects personal information from children. The notice must be clearly written and understandable, and include the name and contact info of all operators collecting or maintaining the information, the kinds of personal information collected, how the information is collected, how the information is used, and whether the information is disclosed to third parties.
- Provide a direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children. Operators must use reasonable procedures, such as obtaining a signed form or verifying a credit card number, to ensure that they are dealing with the parent.
- Obtain a more reliable method of consent if operators wish to disclose a child’s personal information to third parties or make it publicly available.
- Allow parents to consent to the collection and internal use of a child’s information, but prohibit the third-party use of the information.
- Give parents access to the child’s personal information to review and/or delete. Parents must also be given the option of prohibiting further use or collection of a child’s personal information, providing them with the procedures to do so.
Operators may not require that a child provide more information than is reasonably necessary in order to participate in an activity on a site. The Federal Trade Commission enforces COPPA, and may bring actions and impose civil penalties of up to $11,000 per violation. Additionally, state Attorneys General can sue for COPPA breaches.
A New Jersey appeals court recently ruled that a criminal suspect has no reasonable expectation of privacy in his cell phone number.
By Alice Cheng
In State v. DeFranco, the defendant schoolteacher was charged with sexual assault of a former student. Defendant filed a motion to suppress evidence of a telephone conversation with the victim, which was intercepted by the police with the victim’s consent. The Appellate Division upheld the trial court’s denial of the motion, determining that the defendant had no reasonable expectation of privacy in the cell phone number used to make the call. The defendant had disclosed the cell phone number to the school where he taught, and the number had been given to a policeman prior to the interception.
The court determined that, unlike long-distance billing information and banking records, the cell phone number was “simply a number.” Additionally, the defendant had in the past disclosed his number to the victim and expressed no surprise when contacted by the victim via cell phone, suggesting that he had no reasonable expectation of privacy in his cell phone number. Under the circumstances, the court found nothing unreasonable in the police officer obtaining the number from the school.
If the court had found that the defendant had a reasonable expectation of privacy in his cell phone number, then the number could be acquired only through a search warrant or grand jury subpoena (neither of which had been obtained).
Under U.S. federal law and in most states, including New Jersey, the monitoring of telephone calls (or wiretapping) by local and state law enforcement is permitted with the consent of at least one party to the call.