Are Dynamic IP Addresses Personal Information?


What is a Dynamic IP address?

An Internet Protocol (IP) address is a series of digits assigned by an Internet Service Provider (ISP) such as Time Warner or Verizon, to each computer that accesses the internet.

Static IP addresses are permanent IP addresses, usually assigned to organizations with large networks.

Most individuals however get assigned “dynamic” IP addresses, which are IP addresses that may potentially be changed by the ISP provider when they experience a need for it, but which in practice do not change that often. Individual ISP subscribers may maintain the same dynamic IP address for long periods of time, such as eight to twelve months. Individual subscribers usually also have their dynamic IP address changed when they travel, move to a different home or a different city, or if they change their routers, or anytime they access the Internet with their device from a different network.

Dynamic IP addresses, just as static IP addresses, do not enable a link to be established between the IP address and a given computer or user. Only the ISP has access to the additional subscriber information required to establish that link.


Why is this a privacy issue?

Many websites collect and store static and dynamic IP addresses of the computers that visit their sites, together with the time and date of visit and use this information for marketing or other purposes, such as fraud and security monitoring.

If dynamic IP addresses are Personal Data, then all applicable laws and regulations regarding the collection and processing of personal data apply to the collection and processing of dynamic IP addresses as well.


Unique identifiers and Combined Identifiers

Most global privacy/data protection laws and regulations define personal data as data that not only uniquely identifies a person, such as the name of a person, but also data that, while on its own may not uniquely identify an individual, but when combined with other data, may render an individual identifiable. A simple example would be a phone number (landline and/or mobile). A phone number, on its own, does not identify an individual. However, with the use of reverse lookup tools , a phone number can be used to identify an individual, by associating a name and address with that phone number.

In other words, most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified or “identifiable” individual, whether by one unique identifier or by a combination of two or more data elements.


The special case of dynamic IP addresses

If a user of the website concerned has revealed his/her identity during the website consultation period, e.g. by creating a profile, then the operator of that website is able to identify the website user by linking his/her name to his/her computer’s IP address. In that case, even a dynamic IP address will most probably qualify as personal data.

What if the website user has not revealed his/her identity when visiting a website?

Is access to the IP address alone enough to identify that user?

An IP address, whether static or dynamic, can be traced back to an individual when combined with Internet subscriber information held by the ISP provider.

In case of a static IP address, the subscriber information remains the same, regardless of the date when the access to the website by that subscriber occurred.

In the case of dynamic IP addresses, one needs to know the date of access to the website in addition to the IP address of the subscriber, since dynamic IP addresses of internet connected devices tend to change over time.

The fact that additional information on date of access is needed for the identification of dynamic IP addresses renders dynamic IP addresses a tad more “unidentifiable” than static IP addresses.

However, most websites collecting IP addresses also collect time and date of access, so that the distinction between static and dynamic IP addresses from a privacy perspective is not all that significant. All one needs to identify a dynamic IP address, in addition to the subscriber data that connects it to it, is the desired time frame of the subscriber data.


Should your organization treat dynamic IP addresses as “Personal Information”?

The answer to this question, from a privacy/data protection compliance perspective, depends first of all on which privacy/data protection laws and regulations your organization is subject to. Usually, there has to be some connection between a country’s privacy/data protection laws and the organization in question.

Here are some questions, which may help determine these connections:

  • In which countries does your organization have a seat of business? These might be the countries whose privacy/data protection laws apply to your organization.
  • To individuals from which countries does your organization market its business? Some countries make their laws applicable to businesses that are targeting their country’s residents or citizens or both, even if the business in question has no physical presence in that country.

For example, if your organization has a seat of business in one or more of the 28 EU member states, and processes personal data in the context of that business, the EU Data Protection Directive 95/46 (the Directive) and the Member State’s national data protection laws based upon it will apply to your organization.

Under the expanded territorial applicability of the General Data Protection Regulation (GDPR), which will replace the Directive and all the Member States’ national privacy/data protection laws as of May 2018, your organization will also be subject to the GDPR if it markets to or monitors data subjects of EU Member States, even if the organization in question has no physical presence in a EU Member State.


Are dynamic IP addresses “personal data” under the EU Data Protection Directive? Under the GDPR?

Until recently, there was no legal clarity or certainty whether dynamic IP addresses, collected and processed by websites or third parties were Personal Data under the Directive.

However, the recent ruling of the Court of Justice of the European Union (CJEU) of October 19, 2016 in the Patrick Breyer v. Bundesrepublik Deutschland case removed all doubt: The CJEU ruled that a dynamic IP address of a website user is personal data with respect to the website operator, if that website operator has the legal means allowing it to identify the user in question with the help of additional information about that user which is held by that user’s ISP. For example, most countries allow for law enforcement (with or w/o a court order) to approach the ISP for more detailed information about who an IP address was assigned to at the time of access in case of a criminal investigation.

If for example, a website is the victim of a cyber attack, the website operator is usually able to contact the competent authorities, so that the latter can take the necessary steps to obtain the relevant IP address subscriber information from the ISP and to bring criminal proceedings.

That mere possibility for a data subject to potentially become identified through his/her device’s IP address renders the IP address into personal data. Controllers must ask themselves the following question: Is it reasonably likely that they or a third party might be able to identify an individual through the IP addresses which they collect and process, even if recourse to data held by a third party (here, the ISP) is required in order to obtain identification? If the answer is yes, the IP address is personal data and must be handled accordingly.

Since the GDPR has retained the same basic, broad definition of “personal data” as the definition of the Directive, it is reasonable to predict that the Breyer decision of the CJEU will apply to the GDPR and that dynamic IP addresses will be considered personal data under the GDPR.


What are the practical implications of dynamic IP addresses being considered personal information?

 Once an organization has established that it is subject to the EU Directive and/or, in a short while, to the GDPR, it must ensure that all requirements applicable to the collection and handling of personal information of data subjects are applied to the collection and handling of dynamic IP addresses of these data subjects. Some examples include notice and consent requirements, use limitations of the collected dynamic IP addresses, the provision of adequate information security to this data set, the restriction of retention periods and the restriction of cross-border transfers of and cross-border access to dynamic IP addresses.






Top Monthly Privacy and Data Protection News

by Monique Altheim on April 30, 2014

privacy pic

This past month saw another batch of large data breaches, with “Heartbleed” considered by some the largest data security breach in the history of the internet; a flurry of legislative efforts by the States to regulate the use of drones, student privacy and government surveillance; a landmark victory for the FTC’s authority to regulate commercial data security practices; important privacy legislation in Australia, Brazil, and Canada; the EU Art 29 WP was busy as a bee publishing Opinions on EU Data Protection, and the European Parliament voted in favor of the proposed General Data Protection Regulation, leaving the next step up to the Council of Ministers.


Big Data


• FTC to Examine Effects of Big Data on Low Income and Underserved Consumers at September Workshop





• Facial Recognition: Talks resume at NTIA (National Telecommunications and Information Administration) to craft a privacy-enhancing code of conduct for commercial uses of facial recognition technology






• FTC Staff Updates Guidance on “COPPA and Schools” Through Revised FAQs

• FTC Concludes Review of iVeriFly’s Proposed COPPA Verifiable Parental Consent Method

• FTC: COPPA Does Not Preempt State Teen Online Protections




Data Breaches

. ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

• Experian: U.S. States Investigate Breach at Experian/Court Ventures

• Tax Fraud: D.C. physicians swept up in tax ID theft scam ; Spike in Tax Fraud against Doctors

• Michaels, Aaron: 3 Million Customer Credit, Debit Cards Stolen in Michaels,Aaron Brothers Breaches

• Paper Breaches (Don’t dump those papers, shred them!)

OR: Employment applications found in Little Caesars Pizza dumpster in Salem

UT: Client files with personal information found in Dumpster

• Legislation: Kentucky has become the 47th state to enact a data breach notification law

• Holder calls for federal law on data breaches

• Court approves first-of-its-kind data breach settlement. AvMed agrees to set aside $3 million for breach victims, whether they suffered direct harm or not.

FTC Deputy Director Daniel Kaufman Backs Civil Penalties for Large Breaches

• Two Congressional Hearings on Data Security





Data Brokers/FCRA


• Two Data Brokers Settle FTC Charges That They Sold Consumer Data Without Complying With Protections Required Under the Fair Credit Reporting Act (FCRA)




Drones (Unmanned Areal Systems or UAS)


• According to the American Civil Liberties Union, 43 states are considering 96 bills related to domestic drone usage. Wisconsin is the ninth state to regulate drone usage, joining Florida, Idaho, Illinois, Montana, Oregon, Tennessee, Texas and Virginia.


• The Kansas Senate Committee passed SB 409, which would limit the use of drones with recording devices


• Wisconsin governor signs bill restricting drone use


• Utah governor signs bill that puts limits on police use of drones


• On the other hand: New Hampshire Drone Bill Shot Down in Senate




EU Data Protection


• Many Art 29 WP Opinions this past month. Eduardo Ustaran sums it up: Art 29WP – Something old, something new, something borrowed, something blue.


• Art29 WP Working Document on contractual clauses from EU processors to non-EU sub processors.

• Article 29 WP Opinion 03/2014 on “Data Breach Notification”

. Art 29 WP Opinion 04/2014 “on surveillance of electronic communications for intelligence and national security purposes

• Art 29 WP Opinion 05/2014 on “Anonymisation Techniques”

• Article 29 WP Opinion 06/2014 on “Legitimate Interests”

• EU Court of Justice invalidates the Data Retention Directive

• ECJ upholds independence of data protection authorities in case against Hungary

. The New EDPS’ Opinion Privacy and Competitiveness in the Age of Big Data

. DPAs, FTC Unveil Cross-Border Data Transfer Tool (APEC CBPRs and EU BCRs Referential)

• Council of Europe launches a human rights guide for internet users

Italy: Garante imposes ‘landmark’ €1 million fine on Google

• France: New French Law Authorizes the CNIL to Conduct Online Inspections

 . Germany’s DPAs Adopt Resolutions on Employee Privacy, Facial Recognition and EU Draft Regulation

• Microsoft can now transfer data from its EU cloud servers to its non-EU servers via EU approved model contracts




EU Data Protection Reform



• Article 29 WP Issues Statement on One-Stop-Shop Within Proposed EU General Data Protection Regulation

• Member States unveil positions on proposed “One-stop-shop [complaint] mechanism”



EU-US Safe Harbor


• Art WP 29 has many additional recommendations to strengthen personal data protection under the Safe Harbor Decision

• In a Joint Statement at the EU-US Summit on 26 March 2014 EU and U.S. officials announced a commitment to strengthening the Safe Harbor framework by this coming summer





• Facebook admits users are confused about Privacy, will show more on-screen explanations, in an effort to practice “surprise minimization” or “minimize the surprise to the consumer”.




FERPA/Student Privacy


• Kentucky enacts law Protecting Student Data In the Cloud

• Louisiana House Passes Student Privacy Bill

• Florida Senate Passes Student Privacy Bill, which would prohibit schools from collecting political and religious beliefs and biometric information from students

• Kansas House Passes Student Privacy Bill which would restrict access to student records and prohibit the state from collecting information relating to students’ and their families’ personal beliefs or practices on issues such as sex, family life, morality and religion.”

• The Colorado House Education Committee unanimously passed a bill that would put restrictions on the sharing of education data.

• South Dakota Passes Student Privacy Law

• California Sen. Proposes Student Privacy Bill

• Illinois House Committee Endorses Student Privacy Bill

• inBloom’s closure highlights dark side of privacy in sectors driven by data




Fourth Amendment /Surveillance


• Idaho: New law limits DNA collection by law enforcement: only upon criminal conviction or by court order

• Utah: New law makes any electronic data obtained by law enforcement without a warrant, including location data, inadmissible in a criminal proceeding.

• Indiana:  Anti-Surveillance Bill signed into law- requires police to obtain search warrants before using drones, using cellphones to track individuals or demanding passwords for electronic devices among other restrictions

. The U.S. Supreme Court heard oral arguments in Riley v. California and United States v. Wurie, two cases involving the warrantless search of an individual’s cell phone incident to arrest and will decide on an important Fourth Amendment question: can the police search the entire contents of an individual’s cell phone incident to any lawful arrest. To be followed.




FTC, Section 5, Deceptive and Unfair Practices


· FTC Approves Final Order Settling Charges that Aaron’s Inc. Allowed Franchisees to Spy on Consumers via Rental Computers


FTC v. Wyndham

· Federal court denies Wyndham Hotels & Resorts’ motion to dismiss FTC’s complaint and upholds FTC’s authority to regulate commercial data security practices






• Google has updated its terms of service to reflect that it analyses user content including e-mails






• Australia: Reforms to the Privacy Act are in effect as of March 12, 2014


• Brazil: Brazil passes the “Internet Bill of Rights”, a law that protects online privacy and promotes an open Internet


• Canada: Canada’s anti-spam legislation (CASL), requiring express consent, becomes effective July 1, 2014.






• HHS is serious about HIPAA compliance, reveals audit plans


• HHS Releases Security Risk Assessment Tool


• OCR Announces $1,975,220 in Settlements Over Stolen, Unencrypted Laptops containing PHI








• Yahoo webcam images from millions of users intercepted by GCHQ; 1.8m users targeted by UK agency in six-month period alone. Material included large quantity of sexually explicit images


• Introducing the ACLU’s NSA Documents Database. These documents stand as primary source evidence of our government’s interpretation of its authority to engage in sweeping surveillance activities at home and abroad, and how it carries out that surveillance.


• NSA Said to Exploit Heartbleed Bug for Intelligence for Years


• U.S. v Lavabit judgment: Fourth Circuit affirms district ruling: Lavabit in contempt. Lavabit tried giving the feds its SSL Key In 11 pages of 4-Point Type; Feds complained that it was illegible







• FBI Plans to Have 52 Million Photos in its NGI (next generation identification) Face Recognition Database by Next Year




Technology and Lifestyles, New Developments in



• Facebook unveils new “Nearby Friends” location feature

• Google Glass Etiquette

• Conversnitch: a device that live-tweets private conversations.






The FCC issued two rulings regarding exemptions to the “express consent” requirement under TCPA (The TCPA and associated FCC rules require parties to obtain “prior express consent” before transmitting autodialed or prerecorded informational calls or text messages to a wireless telephone number).

• The FCC exempted package delivery notifications from the “prior express consent” requirement when the called party is not charged for them by the wireless carrier. For example, under the exemption, FedEx or UPS will not need prior express consent of package recipients for automated shipment notification messages sent to their mobile telephone numbers.

• In the context of “text-based social networks” such as GroupMe, “prior express consent” to receive automated text messages can be obtained through an intermediary (in this case, the text message group creator), where the messages are administrative in nature and concern the use and cancellation of the service.





Top Monthly Privacy and Data Protection Stories

by Monique Altheim on February 23, 2014








Data Breaches



Data Brokers/FCRA



Data Security


  • The White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs.
  • Senate Democrats Introduce the Data Security and Breach Notification Act of 2014. The bill would require the Federal Trade Commission (FTC) to promulgate federal data security standards, establish federal data breach notification requirements, criminalize concealing breaches of security involving personal information, provide potentially harsh civil penalties, and preempt state data security and breach notification laws. 





EU Data Protection


  • Facebook must comply with German data protection law, the Higher Court of Berlin rules. The High Court of Berlin finds that Facebook’s data processing is handled by US parent company, not FB Ireland. If the court had found that the user data was processed by Facebook Ireland and not by Facebook US, the Irish Data Protection law would have applied; According to the EU Directive, the law of the EU Member State applies, where the company has an establishment and where the processing is carried out in the context of the activities of the establishment.(EU Directive 95/46/EC, Art.4,1(a)); In the absence of this condition (as was the case here, since the court decided that no processing was occurring in Ireland, but instead the processing happened through data centers in the US), the second rule of applicable law applies: the Member State on whose resident’s computers or other devices the data controller (FB here) sets cookies EU Directive 95/46/EC, Art.4,1(c)), in this case Germany;







EU Data Protection Reform




EU-US Safe Harbor






















Q: Is a mental healthcare provider allowed to share psychotherapy notes with anyone?

A: NO, not even with another healthcare provider for treatment purposes, unless patient gives consent. As for sharing the notes with the patient, HIPAA leaves it to the discretion of the mental healthcare provider.

Q: What if patient threatens to blow up a school?

A: Yes, this is an imminent safety threat. Depending on the applicable State Law, there may even be a “duty to warn”.

Remember that in a State with stricter laws, the stricter State law prevails.





IoT (Internet of Things)













Technology and Lifestyles, New Developments in


  • Dropbox’s new Privacy Policy, effective March 24, includes a Government Surveillance “Manifesto”. Its new Terms of Service include an arbitration clause, which you have 30 days to opt out of.
  • Dutch telecom operator KPN has struck a deal with encrypted communications provider Silent Circle to start offering its Dutch, German and Belgian customers encrypted phone calls and text messages.


  •  Apple promises fix “very soon” for Macs with failed encryption.


  • Cryptolocker scrambles US law firm’s entire cache of legal files.



  • Facebook Unveils New Tool to Read Posts and News, via @nytimes







Destruction of Private Data: Pushing the “Delete” Button is Not Enough

by Monique Altheim on February 22, 2014



A study commissioned in Australia by the National Association for Information Destruction (NAID), published on Feb.19, has found significant amounts of sensitive personal information left on recycled computers. The researchers purchased  52 computers randomly  on sites such as eBay, and hired a reputable forensic investigator to find out whether any personal information was left on the drives. Out of the 52 devices, 15 still contained highly confidential personal information, including health and financial information, as well as personal photos and videos. Those devices had been “recycled” by individuals, law firms and government agencies and the forensic evidence showed that all the files in question had been subjected to attempted deletion.

Clearly, many still believe that pressing the “delete” button will permanently delete a file and/or have never heard of forensic retrieval of digital data. Whether one operates in a jurisdiction that mandates secure disposal of personal data or not, improper removal of personal data on computers, smartphones or tablets is certainly bad practice. It is not only bad practice in the case of recycling of a device, as was the case in this study, but also when disposing of a device. Even when simply deleting personal files that have reached the end of their lifecycle, one needs to ensure their professional and final disappearance. Otherwise, these files may easily come back to life through a simple forensic examination of the computer in question, as was the case with the famous incriminating documents in the Enron case. The incriminating files, the needles in the haystack, had all been “deleted” by Enron employees and later retrieved by forensic experts during the investigation of the Enron scandal.

At the 34th International Conference of Data Protection and Privacy Professionals  in Punta del Este, Uruguay (2012), a panel I moderated dealt in depth with the issue of deletion of digital data and forensic retrieval of personal information. You can watch the entire panel here: (Some of the presentations are in Spanish).

My panel consisted of, from left to right,  Oscar Puccinelli, an attorney and professor of Constitutional Law at the National University of Rosario in Argentina, Jeimy Cano, CIS at Ecopetrol and professor at the Univesidad de Los Andes in Bogota, Colombia, Gustavo Betarte, CTO at Tilsor and researcher and professor at the Engineering School of the Univesidad de la Republica in Montevideo, Uruguay, Yoram Hacohen, at the time, head of the Israeli Law, Information and Technology Authority (ILITA), and William C. Barker, associate director and chief cyber security advisor at the National Institute of Standards and Technology (NIST).



William Barker’s Slides:

Gustavo Betarte’s Slides:


Dissection of a Twitter Chat on Privacy and Data Protection with @JulieBrillFTC


FTC Comissioner Julie Brill recently held her first Twitter chat on the topic of privacy and the FTC.


Those who are regular twiteratti can skip the following paragraph, but for those still not familiar with Twitter lingo, I have included a short introduction to Twitter shorthand:

  • @JulieBrillFTC: This is Julie Brill’s twitter handle, or twitter user name. Tweeters need to create a twitter handle in order to tweet.
  • RT: Re Tweet; When @JulieBrillFTC tweets: RT@soandso, she re-tweets @soandso’s tweet; in other words, she repeats that person’s tweet.
  • MT: Modified Tweet; When @JulieBrill tweets: MT@soandso, she retweets @soandso’s tweet, but with a slight modification, usually in order to remain within the 140 character limit.
  • In the Twitter chat, @JulieBrillFTC RT’d or MT’d participant’s questions (Q). She preceeded her answers with an A.
  • #: Hashtag. A hashtag on Twitter is the pound sign, followed by an acronym or word to group all tweets related to a particular topic. If you click on that particular hashtag link, you will see all tweets that were posted with that hashtag included in their tweets. In @JulieBrillFTC’s Twitter chat, the chosen hashtag was #FTCpriv
  • Tweets have a limit of 140 characters. A lot more can be crammed into a tweet by the use of a link to an article, something which @JukieBrillFTC avails herself of in her answers to tweeters’ questions. There are even several ways of shortening the links, to leave more characters free for use in the tweet.

I reposted @JulieBrill’s Twitter chat in a user friendly way. Tweets that were not directly relevant to the Q&A were omitted. Tweets by those who posted the questions were omitted as well to avoid unnecessary duplication of the questions, since @JuliBrillFTC re-tweeted them anyway. Since Twitter operates as a live feed, later tweets appear before earlier tweets. Therefore, for someone not used to Twitter, it might be disconcerting to read the answers before the questions. I therefore reversed the order of the tweets, and posted the earlier ones before the older ones.


  • JulieBrillFTC ‏@JulieBrillFTC  Feb 5 Welcome to my 1st Twitter chat! Happy to answer your questions about big data, data security, internet of things, & privacy. #FTCpriv
  • I’ll try to answer as many questions as I can in the next 60 minutes. So, what do you want to know? #FTCpriv
  • Q1 MT @alexanderhanff can u explain why links to so many privacy papers on FTC web site are broken? Hard 2 cite studies that vanish #FTCPriv
  • A1 FTC recently went through redesign of its website to improve functionality. Please send problematic links to #FTCpriv
  • Q2 RT @hfienberg What is the definition of a data broker, according to the @FTC ? #FTCpriv
  • A2 We set out definition of data broker in its 2012 Privacy Report  . 3 categories: FCRA, eligibility, or marketing.
  • Q3 RT @PaulNemitz #ftcpriv How important is the US – EU #Safeharbour arrangment for the protection of #privacy of americans?
  • A3 Our enforcement of Safe Harbor protects both U.S. & EU consumers through our casework. #FTCpriv
  • Q4 MT @JeramieScott Do u have thoughts on how to ensure integrity of big data algorithms that make decisions that impact people? #FTCpriv
  • A4 Consumers need more access to data sets to see impact of these decisions, and to reclaim their names  #FTCpriv
  • Q5 MT @ lexanderhanff In Jan 2013, Brussels ou stated FTC ready to work w/EU on mutual enforcement prog. has discussion evolved? #FTCPriv
  • A5 The FTC remains committed to improving mutual enforcement cooperation with EU partners. #FTCpriv
  • Q6 MT @CWLiedtke #FTCpriv EU Comm. Reding threatens to end US-EU safe harbor if US doesn’t implement legislation until summer. Thoughts?
  • A6 VP Reding acknowledged imprtnce of cntining U.S.-EU Safe Harbor. USG & EU Commission discussing helpful ways to improve SH. #FTCpriv
  • Q7 RT @TouroLawIBLT How does the FTC differentiate between cos that sell #bigdata and those that use and amass it? #FTCpriv
  • A7 Same principles apply: PBD, effective transparency, simplified choice. Co.’s shd give careful thought to data collection & use. #FTCpriv
  • Q8 MT @MHJCarlson Does @FTC see proliferation of mobile devices in hospitals as a threat to patient data security? Solutions? #FTCpriv
  • A8 Doc-controlled mobile devices present opps for innovation in HC; but patient #datasecurity & #privacy must be protected. #FTCpriv
  • Q9 MT @PogoWasRightQ Does FTC rec national #datasecurity standard that incl encryption 4 data at rest 4 all entities storing SSN? #FTQ9 
  • A9 1/2 We support fed leg on data security & breach notice. Stds for security should require reasonable and appropriate practices. #FTCpriv
  • Q10 RT @StuartLevi Dont recent FTC actions discourage companies from saying anything about their security practices to the public? #FTCPriv
  • A10 FTC examines co statements & underlying data security practices. We consider both potentially deceptive and unfair activity. #FTCpriv
  • Q11 RT @ajamietalbot Among all the data issues facing FTC, which do you think are the most pressing and deserve FTC focus? #FTCpriv
  • A11 Pressing issues: health, financial, & other sensitive data; data broker practices; #IoT; mobile; facial recognition & #COPPA#FTCpriv
  • Q12 RT @sharemindfully #ftcpriv – What steps is the #FTC taking to increase consumer awareness of #privacy issues?
  • A12 1/2 FTC has very robust consumer education program, including blogs, publications, staff outreach. See  #FTCpriv
  • A12 2/2 Also, lots of Commission outreach on emerging issues. I speak a lot too. :>) #FTCpriv
  • We are at 60 minutes. You all have asked lots of great questions. I’ll take a few more minutes to answer a few more. #FTCpriv
  • Q13 RT @Vitiell0 When will the data standards outlined in the 2012 consumer privacy BOR be enforceable? #FTCpriv
  • A13 I support baseline consumer privacy legislation and am eager to work with Congress, the Administration, and others to that end. #FTCPriv
  • Q14 MT @Abine Has FTC been in communication w/FB, Google, the DAA, on their plans for post-cookie consumer tracking tech? #FTCpriv
  • A14 We all need to focus on tracking that will take place in post-cookie world. Talking with lots of stakeholders. Welcome input. #FTCpriv
  • Q15 RT @Cellular1988 Do u think that the Safe Harbor give to all EU citizens good protection of their fundamental rights (redress)? #FTCpriv
  • A15 Safe Harbor gives FTC effective tool for protecting privacy of EU consumers. On redress, I support reducing ADR fees. #FTCpriv
  • I’m going to answer one final question. #FTCpriv
  • Q16 RT @Cellular1988 How many processor[s] can process data for one Safe Harbor certified company? #FTCpriv
  • A16 1/2 There’s no set number of permissible processors, but all agents have to apply privacy protections. #FTCpriv
  • A16 2/2 Mechanisms for agents incl. being in SH, being subject to the directive or under adequacy finding, or by contract. #FTCpriv
  • JulieBrillFTC ‏@JulieBrillFTC  Feb 5 Thanks so much for participating in my Twitter chat. Sorry I couldn’t answer all of your great ?s. Let’s do this again soon. #FTCpriv



This Twitter chat is a perfect example to illustrate the advantages, as well as the pitfalls of communication through Twitter.

A few examples where Twitter works well:


  • The practical question:
  •  Q1 MT @alexanderhanff can u explain why links to so many privacy papers on FTC web site are broken? Hard 2 cite studies that vanish #FTCPriv
  • A1 FTC recently went through redesign of its website to improve functionality. Please send problematic links to #FTCpriv
  • Practical solution to a concrete question. Bravo!


  •  The clarification question:
  •  Q9 MT @PogoWasRightQ Does FTC rec national #datasecurity standard that incl encryption 4 data at rest 4 all entities storing SSN? #FTQ9 
  • A9 1/2 We support fed leg on data security & breach notice. Stds for security should require reasonable and appropriate practices. #FTCpriv
  • The FTC, as well as many other U.S. regulatory and enforcing agencies have always stayed away from imposing specific technologies for ensuring data security, since technology changes at the speed of light and the type of technology to be applied is always contextual and depending on the type of data handled and the type of company handling the data. “Reasonable and appropriate practices” it is. And @JulieBrillFTC managed to squeeze in the FTC’s opinion on the need for FEDERAL legislation on data security and data breach notification, since the U.S. doesn’t have one yet. (Most of the States have data security and data breach notification laws, but they are all different from each other and create an impossible patchwork of laws). All this in 140 characters. Hats off! On the other hand, in order to make any sense of those <140 characters, one does need to have some background knowledge of the topic.


  • The policy question:
    • Q6 MT @CWLiedtke #FTCpriv EU Comm. Reding threatens to end US-EU safe harbor if US doesn’t implement legislation until summer. Thoughts?
    • A6 VP Reding acknowledged imprtnce of cntining U.S.-EU Safe Harbor. USG & EU Commission discussing helpful ways to improve SH. #FTCpriv
    • The future of U.S.-EU Safe Harbor is on every privacy professional’s mind these days. Here, with a tweet, @JulieBrillFTC has indicated that Safe Harbor is the subject of negotiations between the US Government and the EU Commission in order to tweak it into a viable solution. The end of Safe Harbor? Not.
    • Another good policy exchange was the following one, assuming one knows that IoT stands for “Internet of Things”:
      • Q11 RT @ajamietalbot Among all the data issues facing FTC, which do you think are the most pressing and deserve FTC focus? #FTCpriv
      • A11 Pressing issues: health, financial, & other sensitive data; data broker practices; #IoT; mobile; facial recognition & #COPPA#FTCpriv
    • This is a clear question, with a very clear answer.


A few examples where Twitter doesn’t work as well:

  • The avoiding the question answer:
    • Q14 MT @Abine Has FTC been in communication w/FB, Google, the DAA, on their plans for post-cookie consumer tracking tech? #FTCpriv
    • A14 We all need to focus on tracking that will take place in post-cookie world. Talking with lots of stakeholders. Welcome input. #FTCpriv
    • So, has the FTC been in communication with FB, Google and the DAA?


  • The diplomatic answer:
    • Q13 RT @Vitiell0 When will the data standards outlined in the 2012 consumer privacy BOR be enforceable? #FTCpriv
    • A13 I support baseline consumer privacy legislation and am eager to work with Congress, the Administration, and others to that end. #FTCPriv
    • Ah, we all know that the FTC supports legislation to implement the 2012 Privacy Bill of Rights, but when will it become law? When?


  • The simplistic answer:
  •              Q4 MT @JeramieScott Do u have thoughts on how to ensure integrity of big data algorithms that make decisions that impact people?   #FTCpriv
    • A4 Consumers need more access to data sets to see impact of these decisions, and to reclaim their names  #FTCpriv
    • Well, yes, having access to one’s data and having the ability to correct wrong information is a very good start, but it is far from sufficient to ensure the integrity of the algorithms that are used to make important decisions about an individual. For example, how do we ensure that the algorithm itself is not based on some illegal discriminatory premises? Clearly, Twitter is not an adequate channel to discuss such deep and granular issues.



  • The incorrect answer?
    • Q3 RT @PaulNemitz #ftcpriv How important is the US – EU #Safeharbour arrangment for the protection of #privacy of americans?
    • A3 Our enforcement of Safe Harbor protects both U.S. & EU consumers through our casework. #FTCpriv
    • Safe Harbor protects U.S. consumers? Really? And I thought that it only protected personal data originating from the EU. Who knew? Maybe the lightning speed at which one must react on Twitter can be faulted for such seemingly erroneous statements. I have no doubt that @JulieBrillFTC did not make a mistake in her area of expertise, but short tweets are conducive to ambiguous meanings and maybe incorrect interpretations.



A Twitter chat is the democratic communication tool par excellence. Every Jo/Jean Shmo with a twitter handle can instantly communicate with an authority figure, regardless of where in the world he/she resides, as long as he/she has an internet connection.

The format works well for simple, concrete questions that require simple and concrete answers.

As soon as the question requires a more granular response, Twitter fails to deliver. It is simply impossible to convey nuance, cover grey areas and explain complex matters with a 140 character tweet. Inserting a link to an article that deals with the issue at hand is a good way of introducing more nuance and information in a tweet or Twitter chat.


Please follow me on Twitter at @AltheimLaw and at @MoniqueAltheim!







The FTC’s Data Security Guidelines



On the occasion of the Federal Trade Commission’s (FTC) 50th data security settlement, it issued a statement, giving businesses guidelines for their data security practices.

Under Section 5 of the Federal Trade Commission Act (FTCA), the FTC must protect consumers from “deceptive and unfair” commercial practices in the economic sectors under its jurisdiction. One of those deceptive or unfair practices is the lack of data security to protect a wide variety of sensitive consumer data, such as social security numbers, health data etc… Over the years since its first settlement in 2002, the FTC has developed certain principles.


The FTC’s standard for appropriate data security is “reasonableness”, which is a flexible standard that varies according to a.o. the sensitivity of  the data or the size and complexity of the business. In other words, the security requirements of a large financial institution will be greater than the security requirements of a small grocery store.

Despite the fact that the FTC allows for such elasticity in the application of appropriate security standards, it proposes five basic data security practices that should be followed by every business:

  1. Data Mapping: Know what data the company has, where it is and who has access to it. This knowledge will help expose possible vulnerabilities.
  2. Data Minimization: A company should only collect and retain data that it really needs for its legitimate business purposes. (eg. no need to retain pin numbers of payment cards after the payment has been made).
  3. Risk assessment and remediation in key areas: physical security, electronic security, employee training, and vendor oversight.
  4. Secure Disposal: Once data is not needed anymore, make sure to dispose of it in a secure fashion. (eg. once paper files are not needed anymore, don’t throw them in a garbage dump. Shred them instead).
  5. Security Breach Preparedness: Companies should have a plan in place to respond to security incidents.




Top Weekly Privacy Stories










Data Breaches








EU Data Protection Reform











IoT (Internet of Things)




Mobile Payments



Net Neutrality






Practical Tips



Privacy Management



TCPA (Telephone Consumer Protection Act)



Technology and Lifestyle s, New Developments in











The TCPA, Robocalls and a Meaningful Definition of Consent

Under the Telephone Consumer Protection Act (TCPA), in order for marketers to call or text a telephone subscriber via autodialer or prerecorded messages (robocalls), the subscriber must have given the robocaller “prior express consent” to do so.

What constitutes “express consent” under the TCPA?

The TCPA does not define “express consent.” Congress delegated to the FCC  the authority to make rules and regulations to implement the TCPA.

The FCC has defined “express consent” as follows:

“any telephone subscriber who releases his or her telephone number has, in effect, given prior express consent to be called by the entity to which the number was released. “

and “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.”


A recent case, (Murphy v. DCI Biologicals Orlando, LLC) decided on 12/31/2013, illustrates this type of consent requirement.

Plaintiff, a blood donor gave his cell phone number on a new donor information sheet to the defendants, a blood bank. He subsequently got a few automated, telemarketing text messages from the defendants in 2012, suggesting he give more blood, which he found quite offensive. Plaintiff claimed he had not given defendant, the blood bank, express consent to “robocall” him, as required under the TCPA. He only shared his cell phone number as a contact number for the blood bank to reach him. The US District Court for the Middle District of Florida ruled that giving his cell phone on the new donor information constituted his express consent to the defendants to robocall him at that number through marketers. The Court granted defendant’s motion to dismiss the case. The Court followed the definition of “express consent”, as defined by the FCC. (see above).

The Court decided that when the blood donor shared his cell phone number with the blood bank, he thereby gave “express consent” to the blood bank to share his sensitive health data with marketers and to have those marketers “robocall” him.


Most courts have followed this interpretation of “express consent” under TCPA, while other courts have argued that If consent is not manifested by explicit and direct words, it is not express consent. Rather, it is merely “implied consent.”.


On February 15, 2012, the FCC adopted additional protections for consumers concerning unwanted robocalls. One of the changes concerned the “consent” issue.

Effective October 16, 2013, in order for marketers to call or text a telephone subscriber via autodialer or prerecorded messages (robocalls), the subscriber must have given the robocaller “prior UNAMBIGUOUS written express consent” to do so.

Gone is the “implied-express consent” as previously defined by the FCC.

Unambiguous consent means that the consumer must receive a “clear and conspicuous disclosure” that he will receive future calls that deliver autodialed and/or pre-recorded telemarketing messages on behalf of a specific marketer.

In other words, the consent form to be signed by the consumer should look something like this:

“ I hereby consent to receive autodialed and/or pre-recorded telemarketing calls and/or texts from or on behalf of [marketer] at the telephone number provided above. “

Under this new definition of consent, our blood donor might have won his case.

Or, if the blood bank had given him a clear and informed choice, he might very well have agreed to share his cell phone number with marketers in order to be notified of future blood donor opportunities. He would have made an informed choice and the overburdened justice system might have had  fewer time-wasting and costly class-action law suits to deal with.

This new consent requirement resembles very closely the requirement of “unambiguous consent” of the data subject that forms one of the most important legal grounds for processing personal data by data controllers under the EU Data Protection Directive. (Article 7. (a) Directive 95/46/EC).

Article 2 (h) of Directive 95/46/EC defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

The validity of consent as a mechanism to regulate privacy in our era of big data, predictive algorithms and internet of things has been a subject of debate for a while now, and more recently, the cause of a heated polemic in privacy circles.(see: “I Never Said That”—A Response to Cavoukian et al. by Viktor Mayer-Schönberger)

The latest FCC implementation of the TCPA is one example of how the concept of consent is still alive and well.  Whether consent by the consumer is meaningful often depends on whether the term “consent” is defined in a meaningful way or not.


Top Weekly Privacy Stories















Data Breaches



EU Data Protection




EU Data Protection Reform






First Amendment


  • Virginia Court Scales Back Right to Online Anonymity: A Virginia company filed a defamation lawsuit against seven anonymous Yelp users who wrote critical reviews about it. After filing the suit, the company subpoenaed Yelp for information that would identify the seven reviewers. A Virginia statute requires a subpoena for the identity of an anonymous Internet users’ identity to identify communications “that are or may be tortious or illegal.”











  • FTC Commissioner @MOhlhausenFTC  hosted a Twitter chat on 1/6/14 about #privacy and #IoT – see #FTCpriv




IoT (Internet of Things)











Practical Tips




Technology and Lifestyles, New Developments in





Year in Review






@AltheimLaw’s Privacy and Data Protection Week in Review

Big Data




Children Online Privacy



·      Watch All ‪#30c3 talks, without data retention or Google spyware ‪ …



Data Breaches

·      WA: Sumner fires temporary court clerk for sending herself city data on 3,600 people ‪ 


The Briar Group discloses security breach affecting eight Boston bars and restaurants (updated) ‪ 

·      South Carolina Health Insurance Pool reports breach after laptop stolen from independent auditor’s car ‪ 

·      Social Security Customer Service Employee Indicted For Stealing Information And Money From Agency ‪ 

·      Data breach cost $3.7m, claims report ‪ 


Following hack, RegistratioNation discovers some customer data was inadvertently being stored on its server ‪ 


T-Mobile USA customers to be notified of security breach at supplier’s ‪ 

·      Actelis Networks reports theft of safes with Human Resources files ‪ 

·      PA: Waiter skimmed customers’ cards ‪ 

·      Office backup drive stored at home,stolen‪ 

·      Senators Call for Hearing on Data Security in Wake of Target Data Breach ‪ 

·      House Republicans Signal Push for Data Breach Legislation ‪ 

·      Hackers Leaked 4.6 Million Snapchat Usernames and Phone Numbers

·      Alleged Snapchat hackers explain how and why they leaked data on 4.6 million accounts ‪ 


Omniquad Surf Wall Remote injects string into the browser user agent that identifies users – claim ‪ 

  • Sandwich chain ‘wichcraft had two-months worth of its customers’ card information hacked





·      Facebook Sued For Scanning ‘Private’ Messages


EU Data Protection



Cookie harmonisation? Forget  it ‪ …

·      French DPA Issues Guidance on Cookie Consent Allowing Flexibility ‪ 

·      Privacy group reveals more than 1m pupils are fingerprinted – thousands without their parent’s consent ‪ …


EU Data Protection Reform


·      The decisions on ‪#EUDataP will be made by Spring 2014. Get active now! says ‪@JanAlbrecht‪#30c3


VIDEO Jan Phillip Albrecht at ‪#30C3 ‪#EUDataP: State of the Union ‪ …



Fourth Amendment 






FTC, Section 5


·      Accretive Health Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information ‪ 

FOIA (Freedom of Information Act)




·      Clinic Hit With $150,000 ‪#HIPAA Penalty ‪ 

·      ‪@MedPractices stories of 2013 ‪ 

·      HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures ‪ 


4-year long HIPAA breach uncovered ‪ 


IoT (Internet of Things)


·      The Internet of Sharks sends tweets to alert swimmers of approaching sharks: ‪ 




·      MetaPhone: The NSA’s Got Your Number ‪ 

·      Minnesota librarians push to curb NSA snooping ‪ 


Documents Reveal Top NSA Hacking Unit, TAO ‪ 

·      Snowden: “A child born today will grow up with no conception of ‪#privacy at all.” VIDEO ‪ …


ACLU Appeals Decision Upholding NSA’s Mass Surveillance ‪ 

·      NSA building quantum computer to crack all forms of encryption  ‪ …



Social Media


·      3 Social Media Trends You Should Know About ‪ 


Technology and Lifestyles, New Developments in


·      Bitcoin’s Incredible Year ‪ 

·  Drones Raise Red Flags Regarding Privacy Rights ‪ 

·      Bob Greenberg on advertising in 2014: Prepare to be disrupted. ‪ …

·      9 technologies that can be game changers in 2014‪ …

·      Not sure what to expect at ‪#CES2014? Here’s a handy preview from ‪@verge: ‪ 


Video Privacy Protection Act (VPPA)


·      Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury ‪ 



Year in Review


·      The Year in Privacy 2013 and the Year to Come ‪