Privacy and Data Protection CLE Presentation for Touro Law Center
1. Perfect for Practice CLE: Privacy and Data Protection in Business
Prof. Jonathan I. Ezor
Director, Center for Innovation in Business, Law and Technology
jezor@tourolaw.edu
@ProfJonathan on Twitter
Perfect for Practice CLE
Touro Law Center
January 19, 2014
2. Privacy Has Dual Meaning In Business World
• Freedom from having behavior monitored
– In person
– Over the Internet
• Protection of “Personally Identifiable Information”
– Any fact(s) that can identify a unique individual
– Issues of use, misuse and disclosure
• PII more often subject of laws, policies
• Digital age added significant weight to privacy issues
jezor@tourolaw.edu
3. Consumer Privacy: Value Versus Value
• Consumers may benefit from information use
– Regular customers’ preferences known
– Sales linked to previous purchases
• Businesses benefit from collecting, using information
– PII
– Behavior (purchases, etc.)
• Issue is balancing value to consumer against value of consumer
6. E-Commerce Case Study: Who’s Involved in Online Retailing?
• One major challenge for accurate privacy policy is online retailing
• Many third parties involved
• Need to consider all ways information will be shared, used when creating or modifying policy
8. Fair Information Practice Principles
• Evolving set of best practices & recommendations
• Arose at outset of information age (early 1970s)
• Revised, restated over time
• Inform both self-regulatory and legislative approaches
• Key concept: consumer empowerment
10. 2012 White House Consumer Privacy Bill of Rights
• Individual control over what personal data organizations collect from them and how they use it
• Transparency that allows consumers to easily understand information about privacy and security practices
• Respect for the context in which consumers provide data
• Security and responsibility in the way companies handle personal data
• Access to personal data in usable format and an ability to correct errors
• Reasonable limits on the personal data that companies collect and retain
• Accountability as to how companies handle personal data
11. Self-Regulation vs. Legal Mandate
• U.S. default generally self-regulation
– Organizations responsible for own practices
– Enforcement under consumer protection authority (e.g. FTC Act)
• Call for legislation when self-regulation fails or inappropriate
– Vulnerable populations
– Overly sensitive information
• FTC monitors self-regulation, reports to Congress
• 1999 FTC call for general online privacy law unheeded
12. Privacy Policy: Primary Self-Regulatory Method
• Consumers must be informed to make proper decisions regarding use of their information
• As with securities, information provided through disclosure, via privacy policy
• Privacy policies should conform to Fair Information Practice Principles
• Accuracy a key requirement
• FTC, others may penalize inaccurate privacy policies
13. Privacy and Electronic Communications: Three Major Statutes
• Privacy of electronic communications generally protected
• Three major statutes cover these issues:
– Wiretap Act: 18 USC §§ 2510-22
– Pen Register statute: 18 USC §§ 3121-27
– Stored Communications Act: 18 USC §§ 2701-11
• Each covers different part of communications
• Note that these are separate from constitutional protections
14. CA “Shine The Light” Law Adds Requirements to Policies
• California Civil Code § 1798.83 went into effect 1/1/05
• Gives CA residents control of how information is shared
• Requires disclosure to CA residents of recipients of information
• Mandates language in privacy policies
• Recently revised
• MA also has data privacy-related laws requiring encryption
15. EU Data Protection Directive Another Major Factor
• Restrictive rules covering collection, export of data about EU residents
• Could prevent transfer to US
– Problem for multinational companies
– Many Web site owners affected
• US Dept. of Commerce worked with EU to create Safe Harbor
• Other countries also have major privacy laws
16. COPPA: The Children’s Online Privacy Protection Act of 1998
• Web sites targeting or appealing to children
• Covers information from children under age 13
• Requires clear and frequent disclosure
• Mandates verifiable parental consent
• FTC has enforcement jurisdiction
17. COPPA Case Study: Ohio Art Company
• Ohio Art is the maker of Etch-A-Sketch
• Site collected information, suggested parent permission rather than requiring prior parental consent
• Fined $35,000 in April 2002 by FTC for COPPA violations in “Etchy’s Birthday Club” Web site
• Mrs. Fields Cookies fined $100,000, Hershey Foods $85,000 in 2003
• Universal Music (owners of Motown and others) fined $400,000 in 2/2004 (lilromeo.com)
• Xanga.com fined $1,000,000 in 9/06
• Imbee.com fined $130,000 1/30/08
• Sony BMG Music fined $1,000,000 12/11/08
18. 2012: FTC Revision to COPPA Rule
• FTC evaluated, revised COPPA rule in 2012
• Sought input on changes due to
– New online technologies
– Multiple parties (e.g. advertisers) collecting from single resource
• Published two RFCs:
– http://ftc.gov/os/2011/09/110915coppa.pdf
– http://ftc.gov/os/2012/08/120801copparule.pdf
• Published final rule in December 2012 (effective 7/1/13): http://ezor.org/paq3z
• Continues enforcement: $1 million penalty against Artist Arena (http://ftc.gov/opa/2012/10/artistarena.shtm)
19. Gramm-Leach-Bliley: Financial Information Disclosure Requirements
• GLB mandates disclosure of information use by those engaged in “financial activities”
• Customers have right to opt out of planned disclosure to 3rd parties
• FTC defines “financial activities” broadly
– Any entity giving financial or related advice
– Attorneys, CPAs have been exempted
20. HIPAA Privacy Rules: Wide-Reaching and Burdensome
• Rules enacted by HHS under Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Rules cover receipt and disclosure of “individually identifiable health information” by health plans, health care clearinghouses, and certain health care providers
• Went into effect 4/14/03 for most covered entities
• “Business Associates,” companies serving covered entities, must certify compliance with HIPAA privacy rules in written agreement
• HITECH Act signed 2/17/09 revises HIPAA rules further
25. Data Breach: Prevention and Disclosure
• Increasing number and severity of data breaches has encouraged legislative and regulatory action
• Focus on identifying and addressing potential risks before occurrences
• Growing mandates for disclosing breaches when they occur
26. FTC Red Flags Rule
• Covers all businesses that maintain ongoing billing accounts
• Requires ongoing audits of potential “red flags”
• Enforcement repeatedly delayed
• http://ezor.org/redflagsrule
30. FTC Promotion of Consumer Privacy
• Enforcement actions
• Education
• Support for privacy legislation
• Encouragement of industry self-regulation
31. FTC Enforcement Authority
• Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45
• “[U]nfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”
• Grants the FTC power to investigate and prevent
• Judicial action
– Injunctions
– Restitution
32. 2011 Google and Facebook Settlements
• Requires obtaining consumers’ affirmative express consent before materially changing certain data practices
• Requires adopting company-wide privacy programs that outside auditors will assess for 20 years
• 2012 enforcement of Google settlement
– “misrepresented” to users of Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users
– agreed to pay a record $22.5 million civil penalty
33. Other Recent Enforcement Targets
• Online advertising networks that failed to honor consumer opt-out of tracking by advertisers
• Mobile applications that violated the Children’s Online Privacy Protection Act
• Entities that sold consumer lists to marketers in violation of Fair Credit Reporting Act
• Companies that fail to maintain reasonable data security
• Applications that set default privacy settings in a way that caused consumers to unwittingly share their personal data
35. Purpose and Scope of White Paper
• Articulate best practices
• Assist Congress
• Limitations
– Not intended to extend existing legal obligations
– Not applicable to businesses that collect information from fewer than 5,000 consumers a year and do not share with 3rd parties
36. “Best Practices” Promoted by White Paper
• Privacy by Design
• Simplified Choice
• Greater Transparency
37. Initiatives Promoted by FTC
• “Do Not Track”
• “Short, meaningful mobile service disclosures”
• Address consumers’ “lack of control over” data brokers
• Scrutinize “comprehensive” tracking of consumers online by “large platform providers” - e.g. ISPs, operating systems, browsers and social media
• Promoting Enforceable Self-Regulatory Codes
– FTC staff working with industry to develop codes
– Promoting and enforcing compliance with codes through FTC Act enforcement
38. Privacy by Design
• “Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services”
• “Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services”
40. Simplified Choice
• “Companies should simplify consumer choice.”
• Practices that do not require choice
– Data uses consistent with the context of the transaction
– Data uses consistent with company’s relationship with consumer
– Data uses specifically authorized by law
• Practices that require “Affirmative Express Consent”
– Using consumer data in a materially different manner than claimed when the data was collected
– Collecting sensitive data for certain purposes
42. Simplified Choice and “Do Not Track”
• Tracking technologies
• “Do Not Track” Tools
– Browser settings
– DAA’s Icon-based tool
– W3C Development of International Standards
– Impact of EU Cookie Directive
• “Do Not Track” and the “Free Internet”
43. Transparency
• “Companies should increase the transparency of their data practices.”
• Privacy notices
– Clearer, shorter, more standardized?
– Privacy icons?
• Access
– Companies should provide “reasonable access” to consumers
– “Proportionate to the sensitivity of the data and the nature of its use”
• Educate consumers about privacy practices
44. Transparency and Data Brokers
• Regulation under FCRA
• FTC Recommendations for Legislation
• Senator Rockefeller’s Initiative
45. Olshan Frome Wolosky Privacy Policy Questionnaire: General Information
– Corporate or other official entity name:
– Business address(es) of entity:
– Does the entity have offices, facilities or remote workers based in other states? If so, which?
– Does the entity have offices, facilities, remote workers or customers based in other countries? If so, which?
46. More General Information
– Names and URL of Web site(s) for which policy is being created (if any):
– Description of Web site(s):
– Is/are Web site(s) part of offline business as well?
• If so, describe offline business
• Are data shared between online and offline operations?
– Is this policy for a specific site/business unit or across the entire corporation?
47. More General Information
• Is/are the entity’s Web site(s) hosted by a third party?
• If so, what third party?
• Does the third party provide any other services (e.g. e-mail transmission services) to the entity?
• Is there a written agreement with that third party for the hosting service?
• Does the written agreement protect the confidentiality of information shared by the entity (its own and/or user information collected by the entity)?
– Are goods or other tangible products shipped to users through postal mail and/or couriers?
– Are there any other third party service providers who may have access to the databases or transmission network through which data is collected and stored?
48. Data Collection
– What specific categories of information are collected from:
• Forms filled in by the user on the Web site?
• Purchases made by the user on the Web site?
• E-mail sent by the user?
• Analysis of server logs?
• Postal mail sent by the user?
• Telephone calls from the user?
• Faxes from the user?
• Third-party databases with which the user is matched?
• Other (specify)?
49. More Data Collection
– Is the user’s age or birth date requested or collected?
• If so, is it possible for the user to enter data indicating the user is under 13 years of age?
• If the user indicates he/she is under 13, is that data collected, segregated or rejected?
• If rejected, using what method?
– What method(s) of data protection and access control (if any) are in place?
• Physical
• Electronic (detail on security measures)
– Are backups of the data stored offsite with a third party?
50. Use of Information
– How is the information currently used by the entity collecting it? (Please provide details.)
– How may the information be used by the entity in the future?
– Is the entity currently sharing the information with other corporate affiliates or business units within the same corporation?
– Does it plan to do so in the future?
51. More Use of Information
– Is the entity currently communicating with users on behalf of a third party?
• If so, through what method(s)?
• Is the third party provided with the user information?
– Is the entity currently providing the information to a third party for marketing purposes?
– Is the entity currently providing the information to a third party for internal services (e.g. list management or analysis)?
52. User Access to Information
– Can a user request information collected about him/her?
• If so, through what method?
• In what form/format is the information provided?
– Is there a method through which the user can correct errors?
• If so, what is it?
• How quickly is the correction done?
53. Regulatory and Legal Compliance
– Is the entity a member of any trade associations?
• If so, is there a policy about data collection and use mandated for association members?
– Does the entity have a current privacy policy?
• If so, please attach a copy of it to this response.
• How is it provided to users?
• If online, what is its URL?
• Is it currently accurate as to information collection?
• Does it provide for a method by which changes can be made and publicized? If so, what are they?
54. More on Compliance
– Has the entity been involved in any legal compliance or enforcement activity related to privacy or data collection?
• If so, please describe it.
• Has the entity been involved in any other consumer protection legal compliance or enforcement activity?
55. Contact Information
– Does the entity have an automated list removal process?
• If so, how does it work?
» Does it remove data from all databases?
» Does it apply to 3rd parties to whom information may be shared?
• If not, please provide:
» An e-mail address to which users can address removal requests
» A postal address to which users can address removal requests
56. More on Contact Information
– Which person(s) at the entity are responsible for managing removal requests?
– Please provide an address (e-mail or postal) through which California users can request information on how their information has been shared.