2. Topics we will cover
What activities give rise to privacy
concerns?
When is location data regulated and do
any restrictions apply even if it is not itself
personal data?
Special issues relating to children?
How can service providers and
developers limit legal exposure?
September 23, 2009 [1]
3. What uses are being made of location data
Government uses
□ Investigation
□ Evidence
Commercial Uses
□ Telecom services
□ Navigation
□ Directories
□ Targeted advertising
4. Finding the Holy Grail of Web Advertising
Behavioral Targeting Grows
Online Marketing’s New Tack
The Quest for the Perfect Online Ad
How Marketers Hone Their Aim Online
Online Customized Ads Move a Step Closer
Today’s Niche Marketing is About Narrow, Not Small
5. What can happen when location data is
combined with other Personally
Identifiable Information?
7. Sources of Relevant Privacy Law
United States Constitution
FCC CPNI-related rules
FTC Regulations and Guidelines
The Electronic Communications Privacy Act (ECPA)
The Computer Fraud and Abuse Act (CFAA)
The Children’s Online Privacy Protection Act (COPPA)
EU Data Directives
State Laws
8. United States Constitution
United States Constitution
□ 4th Amendment: default
standard governing
evidence collection in
criminal investigations
□ Technology raises new
issues in 4th Amendment
analysis
9. United States Constitution
Fourth Amendment
□ Bans only “unreasonable”
searches and seizures
□ Searches and seizures are
“reasonable” if authorized
by a warrant or a warrant
exception
□ 4th Amendment is not
implicated if there is no
Search
Seizure
10. United States Constitution
Federal and state court decisions
inconsistent, but the trend is to
find that a warrant is required
This summer alone:
□ May 12, 2009 – NY’s highest
court rules that GPS tracking is
a constitutional “search” that
requires a warrant.
□ September 18, 2009 – MA’s
highest court rules that warrant
required for GPS tracking
11. Relevant Privacy Laws
The Communications Act and CPNI
□ Who must comply?
The FCC’s CPNI rules apply to carriers, including
interconnected VoIP providers
The Telephone Records and Privacy Protection Act of 2006
(“TRPPA”) is a generally applicable criminal statute
□ What activities and information are covered?
FCC’s CPNI rules govern the collection and use of
customer proprietary information by carriers and their
partners and contractors.
When does location information qualify as CPNI?
12. Relevant Privacy Laws
CPNI
□ What are the key rules under the FCC’s CPNI Orders?
Carriers may only use CPNI to provide requested services
to the customer, or as the customer authorizes/directs in
writing
Can use customer info in aggregate form
□ What are the key rules under TRPPA?
It’s a crime to
□ Obtain CPNI from a carrier without authorization or using
fraudulent means
□ Knowingly sell or transfer CPNI obtained improperly
13. Relevant Privacy Laws
FTC Act, and Related Guidelines
□ FTC Act grants the FTC broad powers to protect
consumers against unfair, deceptive acts or practices
□ Personal information collection best practices for adult
consumers
Notice/awareness
Choice/consent
Access/participation
Integrity/security
Enforcement/redress
14. Relevant Privacy Laws
FTC
□ Under the FTC Act, the FTC actively pursues unfair and
deceptive practices related to personal information
Deceptive practices include a company’s failure to follow
or implement its own privacy policy to the detriment of
consumers
□ Unfair practices include failure to adopt minimal levels of
security
De facto standard directs companies to implement
reasonable information security programs to protect
consumer personal information
15. Relevant Privacy Laws
FTC
□ FTC promotes effective industry self-regulation
New behavioral marketing guidelines
□ Issued principles after town hall meeting in 2007
□ Staff report on Self-Regulatory Principles for Online Behavioral
Marketing issued February 2009
Currently considering location information privacy
issues
□ FTC Town Hall meeting scheduled for December 7, 2009
discussing, among other things, privacy implications of
location information tracking services
16. Relevant Privacy Laws
Electronic Communications Privacy Act (ECPA)
□ Who must comply?
ISPs, online service providers (wired and wireless),
and remote computing service providers
But only if they provide services to the public
□ What activities and information are covered?
Disclosure of any wireless or wired transmission
Access to electronically stored information
17. Relevant Privacy Laws
ECPA
□ What are the key rules?
No person or entity may intercept electronic
communications without authorization
Service providers may not knowingly use any
electronic, mechanical or other devices to intercept,
use or disclose contents of in-transit or stored
electronic communications including customer
account records unless a statutory exception applies
18. Relevant Privacy Laws
Computer Fraud and Abuse Act (CFAA)
□ Who must comply?
Generally applicable federal criminal statute
□ What activities and information are covered?
Accessing protected computer resources
Intercepting information or communications
Accessing government computers or national security
information
Accessing computers to commit a crime
Causing damage to a protected computer
Trafficking in passwords
19. Relevant Privacy Laws
CFAA
□ What are the key rules?
May not access computer resources (without
authorization) to intentionally engage in any of the
prohibited acts
Exceeding authorization and then engaging in a
prohibited act is also a crime
Damage threshold of $5,000 over a 12-month period
for civil actions and felony criminal prosecution
Does CFAA apply to unauthorized collection of
personal information without notifying customers?
□ Probably, but satisfying the loss threshold is the trick
□ Aggregating claims across victims and time requires a single
act
20. Relevant Privacy Laws
Children’s Online Privacy Protection Act (COPPA)
□ Who must comply?
Operators of commercial web sites and online
services satisfying either of the following:
□ Directed at children
□ General purpose service with actual knowledge that children
are providing personal information
FTC has accelerated review of rules for application
to mobile services to 2010
□ What activities and information are covered?
Collection of personal information from children
under 13
21. Relevant Privacy Laws
EU Data Directive 95/46/EC
□ Who must comply?
Any person or entity can be subject to the EU Data
Directive, even companies without operations in the EU
□ What activities and information are covered?
Transfer of personal data from any EU Country
Covered data is information that personally identifies an
individual
□ What are the key rules?
Personal data from the EU may not be transferred to any
country unless that country has adequate privacy
protections
U.S. laws generally not considered adequate
22. Relevant Privacy Laws
EU Data Directive 95/46/EC
□ To provide U.S. companies clarity, U.S. and EU agreed on
certain safe harbor principles
They do not apply to non-U.S. companies, or transfers
within and between EU member states
Compliance with principles is presumptive
compliance with EU Data Directive
Methods of compliance
□ Participate in self-regulatory industry standards
□ Self-certify with submission to U.S. DoC
23. Relevant Privacy Laws
EU Directive on Privacy and Electronic Communications
2002/58/EC
□ Covers real-time and historic location information
□ Providers can process location information to enable
transmission, process bills, and manage traffic
□ Location data (other than traffic data) can be processed
(without consent) if the individual isn’t identified
□ For value added services, location can be tracked with
informed consent of the user or subscriber
□ User or subscriber must be able to withdraw consent
□ Use of non-anonymous location data only to the extent
necessary to provide the value-added service within the
scope of the consent
24. Relevant Privacy Laws
Invasion of privacy under state common law
□ Elements: (1) unauthorized intrusion; (2) level of intrusion
is offensive to a reasonable person; (3) intrusion relates
to private matters; and (4) results in anguish or suffering
□ Most states recognize the tort
NY - no
CA - yes
25. Relevant Privacy Laws
45 states (+P.R.) have breach-notice laws
Typical statutory elements
□ Protected personal information covered
Name plus one or more identifying element
□ SS#, driver’s license #, other government ID #, financial account numbers and
account access credentials
Health insurance or medical records
Applies to owners or delegated custodians of covered personal
information of a citizen of the state
Location information not widely recognized . . . yet
□ Notice triggering events
Actual unauthorized access or disclosure of unencrypted personal
information
Reasonable belief of unauthorized access to such data
27. LBS providers and developers - best practices
Include privacy-enhancing features into location-tracking
services for consumer markets in the U.S.
□ Have a clear written privacy policy
Say what you do and do what you say
□ Opt-in feature, with ability to opt-out easily
□ Allow users to select/de-select which and when third parties
can obtain their location information
□ Enable users to temporarily turn off location tracking
□ If device or service is targeted for children or likely to attract
children, follow COPPA if you want kids or block users younger
than 13 years old if you don’t want child users
□ Encrypt or redact personal information at rest and in storage
□ Destroy personal information after it is no longer useful
28. LBS providers and developers - best practices
Follow FTC general rule of reason approach
□ Employ privacy protections based on the sensitivity of the data
and the nature of provider’s business operations, the risks
faced and the reasonable protections available to
avoid/mitigate those risks.
Adopt and implement data breach and notice policies that
comply with applicable state laws
□ Start with the states where your customer personal data is
stored
□ Look to the states where you have principal offices
□ Examine states where you’ll likely have customers
□ Decide which laws are most applicable
□ Safe harbors are available for data handlers that encrypt
29. LBS providers and developers - best practices
Adopt security program that is, at a minimum, consistent
with FTC’s guidelines
□ Designate a security program responsible party
□ Initial risk assessment for each area of relevant operation
Employee training and management;
Examine relevant information systems for vulnerabilities;
and
Prevention, detection, and response to attacks,
intrusions, or other systems failures
□ Design and implement reasonable safeguards
□ Regularly test and monitor the safeguards
□ Evaluate and adjust the key controls
30. LBS providers and developers - best practices
Carefully choose downstream/upstream providers and act
on information of non-compliance
Negotiate effective service and product agreements
□ Bind all providers and data handlers
□ Representations and warranties
□ Indemnifications covering losses/liabilities for non-compliance
□ Create remedies that address true cost of data breach
□ Remove indemnification liabilities from the cap on damages