• Preventing alcohol advertising on social media from inadvertently reaching underage users, including implementing standards for effective age-related controls, Facebook-sponsored stories and user-generated content, as well as controls on sharing and forwarding content.
• Limiting exposure of minors to alcohol ads across all media, including setting a common “adult demographic standard” limiting advertising to media where at least 70 percent of the audience is over the legal purchasing age (which is 18 in most countries, 16 in a few).
• Ensuring that the content of alcohol advertising appeals primarily to adults.

Among the most significant of the law’s requirements are the adoption of a comprehensive, regularly audited written information security program and the encryption of personal information transmitted across public networks or wirelessly, or stored or accessed on portable devices such as laptops and tablets. Other administrative, technical and physical safeguards to protect personal information are required as well.

The law took effect on March 1, 2010, but covered entities were given a two-year grace period before they were required to amend existing contracts with third-party service providers to obligate them to comply with the law to the same extent as the covered entities themselves. The final aspect of the law goes into effect on March 1, 2012, and by that date, any third-party service provider that handles the personal information of a Massachusetts resident must be contractually required to implement and maintain appropriate security measures consistent with the regulations.

Entities that use third-party service providers to handle the personal information of Massachusetts residents should examine their agreements with those providers to determine whether they adequately obligate the providers to implement and maintain appropriate security measures. Although the regulations do not prescribe specific contractual language, such security measures would likely include administrative, technical and physical safeguards to protect against the unauthorized disclosure, destruction or alteration, or accidental loss, of personal information. If the third-party service providers handle such personal information for other entities, they have probably been complying with the regulations since March 1, 2010, but older agreements may need to be amended or otherwise updated to obligate them to do so.

• Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
• Transparency: Consumers have a right to easily understandable information about privacy and security practices.
• Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

• Allow the FTC and state Attorneys General to enforce the law directly (there is no mention of a private right of action).
• Pre-empt state privacy laws that are inconsistent with the Consumer Privacy Bill of Rights.
• Avoid prescribing technology-specific means of complying with the law’s obligations.
• State companies’ obligations under the Consumer Privacy Bill of Rights with greater specificity than the Bill of Rights provides.
• Establish a safe harbor from enforcement for companies that adhere to voluntary codes of conduct that the FTC has reviewed and adopted.
• Set a national standard for security breach notification.

ICANN's proposal would allow an unlimited number of domain names created out of almost any word, including brand names and trademarks. The application fee is $185,000 and total costs are likely to run many hundreds of thousands more. Trademark owners and brands are particularly concerned that they will have to invest many hundreds of thousands of dollars to pre-emptively claim new gTLDs containing their name or marks, to prevent others from claiming them and with little hope of a real return on their investment. Lawmakers also expressed concern about the January 12 launch during a Senate Commerce, Science and Transportation Committee hearing on December 8 and a House Subcommittee on Communications and Technology hearing on December 14. Many industry groups, including The Association of National Advertisers (ANA) and the International Trademark Association, have expressed serious concerns about the imminent launch of new gTLD program. launch process. Mei-Lan Stark, INTA Treasurer, testified in May before the House Subcommittee on Intellectual Property, Competition and the Internet and said "INTA is not against the expansion of the gTLD space...[however] INTA remains concerned that the current proposal for new gTLDs has not yet been refined to the point of being ready for launch."

For more information, read our alert on the recent opposition to the gLTD program and ICANN’s response.

Senate Bill 24 applies to any agency, person, or business that owns or licenses computerized data that includes personal information, as defined under the statute, and that experiences a data breach of that information. The law requires that security breach notification to affected consumers must include at least the following:

1. Plain language;
2. The name and contact information of the reporting agency;
3. A list of the types of personal information that were or reasonably believed to have been the subject of the breach;
4. The date, estimated date, or date range of the breach, to the extent possible to determine;
5. The date of the notification;
6. Whether a law enforcement agency investigation delayed notification of the breach;
7. A general description of the breach;
8. The toll-free telephone numbers and addresses of major credit reporting agencies, if the breach involved a social security number or a driver's license number or a California Identification Card number.

At the discretion of the entity issuing the notice, the notification may also include the following:

1. Information regarding what the agency, person, or business has done to protect the personal information that was breached;
2. Additional steps that consumers may take to protect themselves.

For breaches affecting more than 500 California residents, the agency, person or business must also send a sample copy to the California Attorney General’s office.

For more information on compliance and detailed summary of California’s new data breach requirements, please read our alert.

Under the U.S. Call Center and Consumer Protection Act (HR 3596), covered employers must provide at least 120 days’ notice to the Secretary of Labor prior to relocation. Companies that fail to comply with this notice provision face civil penalties of up to $10,000 per day The Act would also require the Secretary of Labor to maintain a publicly available list of these companies, with each company remaining on the list for up to three years after each instance of relocation. With certain limited exceptions, any company on this list would be ineligible for any direct or indirect federal grants or guaranteed loan programs for a period of five years from when they were added to the list, and federal and state agencies would have to give preference in civilian or defense contracting to U.S. companies not on the list.

The bill also separately requires that any call center agents located outside of the United States to (1) disclose their physical location at the beginning of all calls and (2) to transfer the call back to a U.S.-based call center upon the customer’s request, unless the customer initiates the call and knew or should have known the call was to a customer service center outside the U.S.

Read our alert on the U.S. Call Center and Consumer Protection Act here.

Canada's privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), requires an individual's knowledge and consent for the collection, use or disclosure of personal information. PIPEDA also requires that the purposes for which an individual's information is to be collected, used or disclosed be explained in a clear and transparent manner.

The Office of the Privacy Commissioner determined that the information involved in online tracking and targeting for the purpose of serving behaviorally targeted advertising to individuals constitutes personal information under PIPEDA. Therefore, "any collection or use of an individual's web browsing activity must be done with that person's knowledge and consent." However, the form of consent can vary: "for example, express consent (opt-in) when dealing with sensitive information, and implied consent (opt-out) when the information is less sensitive." According to the Guidelines, the sensitivity of information depends on the nature of the information and the context in which it is being collected, used or disclosed.

The guidelines specifically address these practices:

Children. The Guidelines discourage companies from tracking children or tracking on websites aimed at children.

Technologies that should not be used. "If an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes." In a press release announcing the new Guidelines, the Privacy Commissioner stated: "So, in the current online behavioural advertising environment, that means no use of web bugs or web beacons, no super cookies, no pixel hacks, no device fingerprinting and no to any new covert tracking technique of which the user is unaware and has no reasonable way to decline."

Non-sensitive information. The Guidelines state that opt-out consent for online behavioral advertising could be considered reasonable provided that:

• Individuals are made aware of the purposes for the practice in a manner that is clear and understandable - the purposes must be made obvious and cannot be buried in a privacy policy;
• Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in online behavioral advertising;
• Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
• The opt-out takes effect immediately and is persistent;
• The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
• Information collected and used is destroyed as soon as possible or effectively de-identified.

• The overall message conveyed by Facebook ‘like” or the total number of “likes” on Facebook constitutes a general social endorsement;
• Coastal Contact did have the general social endorsement the “likes” conveyed because actual consumers had “liked” the Coastal Contacts page and no evidence suggested those consumers who participated in the like-gated “free glasses” promotion did not receive the benefit of the promotion;
• Had the evidence demonstrated that consumers who participated in the like-gated promotion could not or did not receive the benefit of the offer, or that the advertiser used misleading or artificial means to inflate the number of Facebook “likes,” the outcome of the case would not have been as favorable to the company;
• Coastal Contacts should clarify that its representations about the number of Facebook “fans” or “likes” indicate totals from all of its Facebook pages targeted to different countries, in order to avoid conveying the unsupported claim that the U.S. Facebook page alone had obtained such a high number of “fans” and “likes.”

As explained in the bill, the law aims to "provide consumers with information regarding [the companies'] efforts to eradicate slavery and human trafficking from their supply chains" and to "educate consumers on how to purchase goods produced by companies that responsibly manage their supply chains."

Many large "retail sellers" and "manufacturers" that are organized or domiciled outside of California are likely to be affected by the Act, even if the activities and operations that such "retail sellers" and "manufacturers" perform in California are relatively small.

Please see our recent client alert which provides a detailed summary of this law and compliance considerations.