Basic Privacy Obligations of a New Business in the US
What must you do to protect your clients' privacy? We emphasize those areas which may expose you to legal liability and which policies you should be aware of. This presentation is a valuable resource for businesses that operate in the U.S. and interact with consumer information.
1. Privacy and Business: What MUST You Be Aware Of?
Basic Privacy Obligations of a New Business in the US
Andrew T. Mirsky
Mirsky & Company, PLLC
Mirsky & Company, PLLC has provided this presentation for general informational purposes only. It is not intended as professional counsel and should not be used as such. You should contact your attorney to obtain advice with respect to any particular issue or problem.
2. Andrew T. Mirsky, Esq.
• Principal, Mirsky & Company, PLLC, DC and NY (www.mirskylegal.com)
• Formerly in-house counsel with National Journal and Atlantic Monthly magazines
• Clients in new media and technology, including intellectual property, corporate and finance, privacy, joint ventures and partnerships, and employment and HR matters.
• Founder, Media Future Now (www.mediafuturenow.com)
3. Important Note: This discussion covers privacy for business as a general matter. This is not a policy discussion, but rather a discussion of what businesses must be aware of and what areas expose all businesses to legal liability. We will not address consumer privacy, nor HIPAA, Gramm-Leach or employment-specific privacy, nor non-US (particularly EU). Those are topics for another day. This is meant to address privacy from the perspective of the general privacy considerations for a company doing business in the United States and interacting with consumer information.
4. Introduction
1. From Kelley Drye & Warren’s 2/16/12 seminar, "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends," quoting Peter Swire, Law Professor at Ohio State University: Professor Swire noted that, while it is unclear whether Congress will pass consumer privacy legislation in the current session, the level of ongoing regulatory activity is forcing businesses to reevaluate their existing privacy practices and policies.
http://www.kelleydrye.com/publications/client_advisories/0725
5. Introduction
2. From John Heitman, in NextDailyDeal.com, discussing Groupon’s recent aggressive changes to its privacy policy: An online marketing business using consumers’ personal information must do so carefully in order to limit its exposure to private class action litigation, Federal Trade Commission (FTC) investigations and enforcement, state attorneys general actions, and more. Groupon’s changes won’t satisfy everyone, but they certainly take the company in the right direction and much of what’s been done can serve as an example for others mindful of (or needing to be mindful of) their corporate privacy posture and the risks that come with it.
http://nextdailydeal.com/groupon-privacy-statement-revisions-reflect-rapid-changes-in-the-marketplace-and-an-evolving-legal-and-regulatory-landscape/
6. I. Background
1. General theme in US is: “Disclosure (and compliance with what you voluntarily disclose and say you'll do) accounts for much of US privacy law.” Rather than positive requirements of law. Meaning: As long as you disclose, you can pretty much do anything you want.
7. I. Background
2. Disclosure rule is still largely the way it is in US: So, for example, new privacy policies of Google (notoriously) and Groupon (less notoriously) show companies proactively getting out ahead of regulators by “putting it all out there”.
Groupon: (a) Disclosures to third party partners: Very clear statements of what disclosures you make to third parties. Very clear, very transparent. (Lot of recent caselaw in this area.)
(b) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
8. I. Background
3. Big caveat: How things are changing
With increasing threats of regulatory scrutiny, enforcement action and class-action litigation, increased noise from Congress and state legislatures, and increasingly standardized “best practices” issued by non-governmental SROs, reaction has been to voluntarily become more protective. Not just in terms of transparency, but in substance as well.
Example: Affirmative consent not generally legally required, but businesses now almost universally seeking affirmative consent to statements of privacy practices and disclosures on collecting of data, particularly when it comes to OBA.
9. II. Laws and SROs
1. What privacy laws must businesses be aware of?
• Depends on the business:
• Particularly in US, so many different situations could apply. For example, does HIPAA apply? Yes if user medical or healthcare information is involved. Do financial information laws apply? E.g. Gramm-Leach? Yes if personal financial information is involved. What state laws apply? Depends on what states you’re “doing business” in.
• “Which laws apply” can’t be answered in abstract, because “it depends”:
• There are some general “best practices” and guidelines developing, but specifics matter.
10. II. Laws and SROs
• Data security laws always apply: (1) Federal Trade Commission (FTC): “unfair and deceptive trade practice” under FTC Act Section 5 to hold personal data without providing adequate security. (2) California (+ Illinois + many others) requires companies to implement “reasonable security measures” for handling personal information. (3) Minnesota imposes strict liability on companies that retain credit card data for damages caused by data breaches. (4) COPPA.
11. II. Laws and SROs
Massachusetts then goes beyond most other states with its requirements for administrative, technical, and physical safeguards.
12. II. Laws and SROs
From ongoing employee training and data access controls to encryption, malware protection and taking responsibility for third party service providers, it looks to me like Massachusetts, like Nevada, is emulating the standard used by the Payment Card Industry (PCI DSS). And if information security is the goal, that makes sense. Why reinvent the wheel? The Payment Card Industry Data Security Standard has been evolving over many years through the efforts of card issuers like Visa, MasterCard, Amex, and Discover.
Source: http://www.rendervisionsconsulting.com/blog/are-online-privacy-policies-required-by-law/
13. II. Laws and SROs
Who does it apply to? “Every person that owns or licenses personal information about a resident of the Commonwealth.”
Always Apply: (1) FTC (under Section 5 of FTC Act) “unfair and deceptive trade practice” statutes governing noncompliance with published privacy policies. (2) State Attorneys General enforcing same under state “Baby” FTC Acts.
14. II. Laws and SROs
2. Don’t ever forget contract law:
• Class-action and private rights of action for breaches of published privacy policies, which are binding contracts.
15. II. Laws and SROs
3. What if you “do business” in every state?
• Not unrealistic. How do you possibly comply with every state law?
• Oftentimes, you might not be able to. What some companies do: Look to “leading” states when it comes to privacy and data security, and realistically comply with the most restrictive.
• What states? California. Massachusetts. Definitely the state you’re based in and all states in which you expect to do most of your business. More and more states have laws like Illinois’ “Personal Information Protection Act”, addressing data security responsibilities, including notification responsibilities, setting up toll-free numbers, credit monitoring services, etc. Reality is that you don’t have to provide these services to residents of all states, but it’s somewhat impractical to set up your business practices based on cherry-picking different state law requirements for different users of your services.
16. II. Laws and SROs
4. FTC and SROs – Guidelines and “Best Practices”
• FTC Report (3/26/12): The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.
• Small Business Exception: What about small businesses? To minimize the effect on smaller companies, the final framework doesn’t apply to them if they collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.
17. III. Actual Privacy Practices
1. Must you have a privacy policy?
Non-mobile? No. And, some states (e.g. California) have moved toward requiring an actual policy. (Growing trend anyway.) (1) California Online Privacy Protection Act requires a website to “conspicuously post” a privacy policy if it “collects and maintains personally identifiable information from a consumer residing in California.” And “personally identifiable information” defined broadly. (2) California AG agreement with Google and Apple app stores requires app makers to submit privacy policies as part of application submission process.
Mobile? Yes (in California from California users).
2. Should you have a privacy policy?
Yes. Is “having a privacy policy” the end of your job? No. Law and practice in the US has evolved to not only (effectively) having a privacy policy, but also having certain prescribed disclosures in that policy.
18. III. Actual Privacy Practices
3. Privacy policy or not, what must you really do?
(From California law:) Conspicuously disclose:
(a) Information Collected – Categories of personal information the website collects.
(b) Categories of 3rd-parties with whom the company shares the information.
(c) How the user can review and request changes to their information collected by the company.
(d) How the company notifies users of material changes to its privacy policy.
(e) The effective date of the privacy policy.
19. III. Actual Privacy Practices
eTrust (privacytrust.org) requires these additional elements for “seal” privacy certification:
(f) (Option not to Provide PII) A user of the site must be given the option of not giving their PII if the information collected is not related to the primary purpose for which the information was collected or the personally identified information was disclosed to third parties.
(g) (Unsubscribe Options) All newsletters and promotional email messages that are sent to users, apart from the messages the user has agreed to receive as a condition of using your service, must include an unsubscribe link.
(h) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any personally identifiable information on your site without the knowledge and permission of their parent or guardian. If there are certain web pages within your Site that require users to be at least 13 years of age, anyone under the age of 13 should be restricted from participating in such web page activities.
(i) (Data Security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing Personally Identifiable Information, to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you also implement reasonable security procedures, such as encryption, to protect Personally Identifiable Information.
(j) (User Access) Inform the user how to access and change the Personally Identifiable Information provided by them to you.
(k) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
20. IV. The Whys and Wherefores
1. Compliance and Practicality:
• Part legal compliance, but part also practical: Increasing use of tracking. IE 9 Tracking Protection utilizes Tracking Protection Lists (TPLs) to enable users to control content delivered by third party companies to any website they are visiting. The intent of this feature is to provide consumers with choice regarding both the collection and use of third party tracking information. Obviously getting an “Allow” certification (from TRUSTe or another certification company) overrides “Block” settings in TPLs, allowing delivery of content, products and services.
• http://www.privacytrust.org/certification/privacy/privacy_requirements.html
21. IV. The Whys and Wherefores
2. User expectations and legal risk:
• The reality: When user expectations are established by a company’s stated privacy policies or through actual practice. For example, on the PrivacyChoice blog, the CEO of PlaceIQ [www.placeiq.com] explained Apple and Android have already established user expectations about consent. Location-based services are in the operating system and, therefore, provide very precise location information, but only through a user-consent framework built-in to the OS. This creates a baseline user expectation about consent for precise location targeting.
• http://blog.privacychoice.org/2012/01/23/geo-ip-location-targetingwhen-is-consent-required/
22. Significance of “Personally Identifiable Information” (PII)?
Most privacy obligations apply ONLY to handling of users’ PII.
23. What is PII?
(a) PII Generally:
Name (full name or first initial and last name), maiden name
Email address or other online contact information such as instant messaging identifier
Home or other physical address
Telephone number
Credit card or debit card numbers
Bank account numbers
Social Security number
Driver’s license number or state issued ID card number
Passport number
Taxpayer identification number
Personal characteristics such as photographic images (especially of face or other identifying
characteristic), fingerprints, or other biometric data (i.e. retina scan, voice signature, facial geometry)
24. What is PII?
MA and CA: • Zip Codes are PII.
Trend: • Industry is moving away from overly legal distinctions and simply treating anything that is reasonably “personal” as PII, essentially removing the middle “identifiable”.
25. What is PII?
From FTC Report (3/26/12): • The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be "reasonably linked" to consumers, computers, or devices. The final report concludes that data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.
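What “reasonable measures to de-identify” looks like in code, as an added example that is not part of the presentation: a customer export is stripped of direct identifiers, quasi-identifiers (zip code, date of birth) are generalised, and the join key is a keyed HMAC rather than a plain hash. The field names, the sample rows and the candidate-address list are constructed for illustration; the key handling (kept by the releasing company or destroyed, never shipped with the export) is an assumption about how the “commits not to re-identify” prong is implemented.

```python
"""Added example, not from the presentation: pseudonymising a customer export so
the released rows are no longer "reasonably linked" to a person in the sense of
the FTC's 3/26/12 report. Field names, sample rows and key handling are assumed.

Two points the report's wording implies but does not spell out:
  1. A plain hash of an email address or phone number is not de-identification.
     The input space is small enough that a recipient can rebuild the mapping
     from a list of candidate addresses. A keyed HMAC whose key the recipient
     never receives closes that door.
  2. Quasi-identifiers (zip, date of birth) are generalised rather than hashed:
     they are needed for analysis but identify people when combined. MA and CA
     treat zip codes as PII, so "021**" rather than "02139".
"""
import hashlib
import hmac

# Field classes follow the deck's PII lists; anything unclassified is dropped.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "ssn"}
SAFE_FIELDS = {"browser", "tz", "plan"}          # the deck's "Not PII" kinds

# Constructed sample export (not real people).
SAMPLE_ROWS = [
    {"name": "Ann Example", "email": "ann@example.com", "phone": "202-555-0100",
     "zip": "02139", "dob": "1985-07-04", "browser": "Firefox", "plan": "pro"},
    {"name": "Bob Sample", "email": "bob@example.org",
     "zip": "10014", "dob": "1990-01-31", "browser": "Chrome", "tz": "America/New_York"},
    {"name": "Ann Example", "email": "Ann@Example.com",
     "zip": "02139", "dob": "1985-07-04", "plan": "pro", "internal_note": "vip"},
]
# Addresses a downstream recipient might plausibly guess (constructed).
CANDIDATES = ["ann@example.com", "bob@example.org", "carol@example.net"]


def _normalise(value: str) -> str:
    return value.strip().lower()


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of the identifier: looks anonymous, is not."""
    return hashlib.sha256(_normalise(value).encode()).hexdigest()[:16]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, one-way token. Stable within one export; useless without the key."""
    return hmac.new(key, _normalise(value).encode(), hashlib.sha256).hexdigest()[:16]


def generalise_zip(zip5: str) -> str:
    return zip5[:3] + "**"


def generalise_dob(dob: str) -> str:
    """'YYYY-MM-DD' -> 'YYYY'."""
    return dob[:4]


def deidentify(rows, key: bytes):
    """Return rows safe to hand to a third party under a no-re-identification clause."""
    out = []
    for row in rows:
        clean = {"uid": pseudonym(row["email"], key)}  # join key for the recipient
        for field, value in row.items():
            if field in DIRECT_IDENTIFIERS:
                continue
            if field == "zip":
                clean[field] = generalise_zip(value)
            elif field == "dob":
                clean[field] = generalise_dob(value)
            elif field in SAFE_FIELDS:
                clean[field] = value
            # unclassified fields (e.g. free-text notes) are dropped, not leaked
        out.append(clean)
    return out


def reidentify_by_dictionary(token: str, candidates, fn):
    """What a recipient can do with a token: try every candidate identifier."""
    for candidate in candidates:
        if fn(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)        # keep or destroy; never ship with the export
    released = deidentify(SAMPLE_ROWS, key)
    for r in released:
        print(r)
    # Unkeyed hash: trivially reversed. Keyed token: the dictionary attack fails.
    print(reidentify_by_dictionary(naive_hash("ann@example.com"), CANDIDATES, naive_hash))
    print(reidentify_by_dictionary(released[0]["uid"], CANDIDATES, naive_hash))
```

The recipient can still join Ann’s two rows (same `uid`), which is the point of a pseudonym, but cannot walk back from the token to her address without the key. Whether the release also needs k-anonymity style checks on the generalised zip and birth year depends on how small the cohorts are; that is a separate analysis this snippet does not perform.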
26. What is PII?
(b) Potential PII (not by themselves):
A persistent identifier such as a generic customer/ user value held in a “cookie”
IP (Internet Protocol) address or host name
Date of birth, age
Racial or ethnic background
Religious affiliation
Gender
Marital status
Employment information
Medical information
Financial information
Credit information
Student information
27. What is PII?
(c) Sensitive PII: PII which, if lost, compromised, or disclosed without authorization, either alone or with other information, carries a significant risk of economic or physical harm. Or information related to (i) a particular medical condition or a health record or (ii) the religious affiliation of an individual.
28. What is PII?
(d) Not PII:
Browser type
Browser plug-in details
Local time zone
Date and time of each visitor request (i.e. arrival, exit on each
web page)
Language preference
Referring site
Device type (i.e. desktop, laptop, or smartphone)
Screen size, screen color depth, and system fonts
29. Major Laws (generally) applicable to privacy in the US (from
business perspective):
FTC Act Section 5
State “Baby” FTC Acts
State (e.g. CA) Privacy Laws
State Data Security Laws (e.g. MA, IL, MN, etc.)
HIPAA (medical and health information)
Gramm-Leach (financial information)
COPPA
30. Major differences between mobile and non-mobile?
Are there major differences between mobile and non-mobile?
• Yes, particularly because of FCC oversight of mobile (N/A for non-mobile), and application of issues like sharing of customer proprietary network information ("CPNI"), including geographic location information. FCC is not claiming oversight of internet beyond mobile, but FTC is claiming oversight of mobile as well (FTC public workshop 5/30/12).
31. Privacy: What must a business really do?
Conspicuously disclose (absolute minimums):
(a) Information Collected – Categories of personal information the website collects.
(b) Categories of 3rd-parties with whom the company shares the information.
(c) How the user can review and request changes to their information collected by the company.
(d) How the company notifies users of material changes to its privacy policy.
(e) The effective date of the privacy policy.
32. Privacy: What must a business really do?
But also … (from SRO and “seal” program certifications):
(a) (Option not to Provide PII) Users given option of not giving PII if information collected is not related to primary purpose for which it was collected or the PII was disclosed to third parties.
(b) (Unsubscribe Options) All newsletters and promotional email messages that are sent to users, apart from the messages the user has agreed to receive as a condition of using the service, must include an unsubscribe link.
33. Privacy: What must a business really do?
(c) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any PII on your site without the knowledge and permission of their parent or guardian. If there are certain web pages within your Site that require users to be at least 13 years of age, anyone under the age of 13 should be restricted from participating in such web page activities.
(d) (Data Security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing PII, to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you also implement reasonable security procedures, such as encryption, to protect Personally Identifiable Information.
34. Privacy: What must a business really do?
(e) (User Access) Inform users how to access and change the PII provided by them to you.
(f) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
35. For Discussion
Self-regulatory compliance and
Industry “best practice” guidelines:
Seal programs: BBB Online
(http://www.bbbonline.com), or
TRUSTe, (http://www.truste.com).
What significance?
Winter/Spring 2012: FTC/White
House/DoC Initiatives
36. Andrew T. Mirsky
andy@mirskylegal.com
(202) 339-0303
www.mirskylegal.com
@mirskylegal
2301 N Street, NW, Suite 313, Washington, DC 20037
318 West 14th Street, 4th Floor, New York, NY 10014