Photo of Jennifer Archie

A 20-year member of the Washington, D.C. Litigation Department, Jennifer Archie advises some of the largest online brands and US corporations on a broad array of privacy and data security matters, investigations, and lawsuits. Her specific areas of expertise and interest include representing companies before the US Federal Trade Commission in response to agency investigations of consumer marketing or privacy practices, defending privacy and deceptive practices lawsuits, rendering practical privacy and security advice for global companies in consultation with her colleagues in Europe and elsewhere, advising on individual marketing and promotional campaigns with a special focus on social media and social gaming, and advising global businesses on (authorized) data collection, use, storage, and export practices.

On July 10, the Federal Communications Commission (“FCC”) released the text of a Declaratory Ruling and Order, initially adopted on June 18, that provides various clarifications regarding the Telephone Consumer Protection Act of 1991 (“TCPA”) and the FCC’s existing rules. The proceeding that led to the Order attracted widespread attention and was the result of nearly two dozen petitions filed by organizations representing healthcare, banking, retail, and telecommunications interests. The broad interest in this proceeding is the direct result of the sweeping impact that the TCPA has had on when and how businesses may contact consumers, as well as the multiplicity of consumer class actions threatened and filed against advertisers, debt collectors, and others making automated calls or sending automated text messages.

What is an “Automatic Telephone Dialing System” (ATDS)?

The first clarification made by the Order is with respect to “autodialers” (or, in the wording of the statute, an “automatic telephone dialing system”). The TCPA and the FCC’s existing rules prohibit making non-emergency calls to a wireless number without prior express consent when those calls are made using an autodialer or an artificial or prerecorded voice. Accordingly, there has been significant controversy over what kinds of dialing systems qualify as autodialers, which the TCPA defines as equipment that has the “capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator,” and to “dial such numbers.” See, e.g., Satterfield v. Simon & Shuster, Inc., 569 F.3d 946, 951 (9th Cir. 2009) (A “system need not actually store, produce, or call randomly or sequentially generated telephone numbers, it need only have the capacity to do it” for the TCPA to apply.).[i]

The SEC today published in the Federal Register its Regulation SCI (Regulation Systems Compliance and Integrity), which requires key market participants to have and implement written policies and procedures reasonably designed to ensure the availability, confidentiality and integrity of their systems as necessary to assure the fair and orderly operation of the markets.  Among the specific requirements are periodic testing, annual systems review and disclosure of “SCI events” – including both functional and security issues.  In addition to security issues,

The State of California, long the most proactive U.S. state in enacting data privacy laws, has again modified its breach notification and data protection laws.  This week, Governor Jerry Brown signed two privacy bills into law:  SOPIPA (SB 1177), aimed at regulating the use of student data, and AB 1710, targeting data protection more broadly.  Taken together, these bills highlight the continuing compliance challenges facing American businesses which must conform not only to state-specific privacy standards, but also monitor

A Stored Communications Act (SCA) search warrant case arising out of a New York federal  narcotics trafficking investigation is being closely watched by EU data protection authorities, privacy advocates, multinational internet service providers, and law enforcement, among others, as the  parties pursue an expedited appeal to the Second Circuit Court of Appeals. Captioned In re Search Warrant, No. 13 Mag. 2814, M9-150, the case involves  a U.S. law enforcement request for the contents of an email box,

On Thursday, the U.S. Senate failed to pass a motion to end debate on the Cybersecurity Act of 2012 by a vote of 52-46. Sponsors were unable to muster the 60 votes required to move forward with the legislation, following heavy lobbying against the bill by the U.S. Chamber of Commerce, the financial industry, and other interested constituencies, and despite an aggressive, coordinated push from the White House. The vote was principally along party lines, with several notable exceptions. The

By Jennifer Archie and Suan Ambler-Ebersole

Second Highest HIPAA Settlement Amount to Date and First Paid by a State

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Tuesday that it had reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS) for $1,700,000 arising out of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

In October 2009 a

By Jennifer Archie and Rebekah Lewis

WH Report2.JPGThe Obama Administration has unveiled a 50-page blueprint for consumer data privacy, including a recommendation for a federally legislated and FTC-enforced Consumer Privacy Bill of Rights. While it would not alter existing laws, the legislation would extend privacy protections to unregulated sectors and preempt conflicting state law. The Administration’s framework also recommends a national standard for security breach notifications.

The report proposes an immediate “multistakeholder process” to develop enforceable codes of conduct, and embraces

Thumbnail image for iStock_000005643842XSmall.jpgVast amounts of global personal data flow through India, including as a result of its major outsourced services industry.  For that reason, India’s recently adopted data privacy regulations, which implement the Information Technology (Amendment) Act 2008, have the potential for a profound impact on global businesses with either their own or outsourced operations in India.  Importantly for global companies with outsourced functions or vendor relationships, the rules are not

Thumbnail image for iStock_000005643842XSmall.jpgGoogle has consented to the entry of a proposed Agreement Containing Consent Order with the US Federal Trade Commission, subjecting the company to sweeping government oversight of its privacy disclosure and product development and release practices, nominally arising out of the roll-out of its Buzz product in February 2010. The auditing and reporting requirements are staggering in scope, breadth and duration, reaching Google’s entire business, not merely online communication products such as Gmail. One interpretation of the (rather amazing) document

iStock_globe.jpgFollowing the change of control in the U.S. House of Representatives, privacy and security issues are frequently raised as likely subjects for hearings and new legislation in the U.S. Congress. Multiple committees in both houses repeatedly express interest in holding hearings and in exploring topics impacting privacy and data security regulations in the United States.

For the Republican leadership in the House Energy & Commerce Committee, internet privacy and cyber-security are on the communications and technology agenda, but these are