Privacy and Business: What MUST You Be Aware Of?
Basic Privacy Obligations of a New Business in the US--
What must you do to protect your clients' privacy? We emphasize those areas which may expose you to legal liability and which policies you should be aware of. This presentation is a valuable resource for businesses that operate in the U.S. and interact with consumer information.

    Presentation Transcript

    • Privacy and Business: What MUST You Be Aware Of? Basic Privacy Obligations of a New Business in the US. Andrew T. Mirsky, Mirsky & Company, PLLC. Mirsky & Company, PLLC (“Kenyon”) has provided this presentation for general informational purposes only. It is not intended as professional counsel and should not be used as such. You should contact your attorney to obtain advice with respect to any particular issue or problem.
    • Andrew T. Mirsky, Esq. • Principal, Mirsky & Company, PLLC, DC and NY (www.mirskylegal.com) • Formerly in-house counsel with National Journal and Atlantic Monthly magazines • Clients in new media and technology, including intellectual property, corporate and finance, privacy, joint ventures and partnerships, and employment and HR matters. • Founder, Media Future Now (www.mediafuturenow.com)
    • Important Note: This discussion covers privacy for business as a general matter. This is not a policy discussion, but rather a discussion of what businesses must be aware of and what areas expose all businesses to legal liability. We will not address consumer privacy, nor HIPAA, Gramm-Leach or employment-specific privacy, nor non-US (particularly EU). Those are topics for another day. This is meant to address privacy from the perspective of the general privacy considerations for a company doing business in the United States and interacting with consumer information.
    • Introduction 1. From Kelley Drye & Warren’s 2/16/12 seminar, "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends," quoting Peter Swire, Law Professor at Ohio State University: Professor Swire noted that, while it is unclear whether Congress will pass consumer privacy legislation in the current session, the level of ongoing regulatory activity is forcing businesses to reevaluate their existing privacy practices and policies. http://www.kelleydrye.com/publications/client_advisories/0725
    • Introduction 2. From John Heitman, in NextDailyDeal.com, discussing Groupon’s recent aggressive changes to its privacy policy: An online marketing business using consumers’ personal information must do so carefully in order to limit its exposure to private class action litigation, Federal Trade Commission (FTC) investigations and enforcement, state attorneys general actions, and more. Groupon’s changes won’t satisfy everyone, but they certainly take the company in the right direction and much of what’s been done can serve as an example for others mindful of (or needing to be mindful of) their corporate privacy posture and the risks that come with it. http://nextdailydeal.com/groupon-privacy-statement-revisions-reflect-rapid-changes-in-the-marketplace-and-an-evolving-legal-and-regulatory-landscape/
    • I. Background 1. General theme in US is: “Disclosure (and compliance with what you voluntarily disclose and say you’ll do) accounts for much of US privacy law,” rather than positive requirements of law. Meaning: As long as you disclose, you can pretty much do anything you want.
    • I. Background 2. Disclosure rule is still largely the way it is in US: So, for example, new privacy policies of Google (notoriously) and Groupon (less notoriously) show companies proactively getting out ahead of regulators by “putting it all out there”. Groupon: (a) Disclosures to third party partners: Very clear statements of what disclosures you make to third parties. Very clear, very transparent. (Lot of recent caselaw in this area.) (b) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
    • I. Background 3. Big caveat: How things are changing. With increasing threats of regulatory scrutiny, enforcement action and class-action litigation, increased noise from Congress and state legislatures, and increasingly standardized “best practices” issued by non-governmental SROs, reaction has been to voluntarily become more protective. Not just in terms of transparency, but in substance as well. Example: Affirmative consent not generally legally required, but businesses now almost universally seeking affirmative consent to statements of privacy practices and disclosures on collecting of data, particularly when it comes to OBA.
    • II. Laws and SROs 1. What privacy laws must businesses be aware of? • Depends on the business: • Particularly in US, so many different situations could apply. For example, does HIPAA apply? Yes if user medical or healthcare information is involved. Do financial information laws apply? E.g. Gramm-Leach? Yes if personal financial information is involved. What state laws apply? Depends on what states you’re “doing business” in. • “Which laws apply” can’t be answered in abstract, because “it depends”: • There are some general “best practices” and guidelines developing, but specifics matter.
    • II. Laws and SROs • Data security laws always apply: (1) Federal Trade Commission (FTC): “unfair and deceptive trade practice” under FTC Act Section 5 to hold personal data without providing adequate security. (2) California (+ Illinois + many others) requires companies to implement “reasonable security measures” for handling personal information. (3) Minnesota imposes strict liability on companies that retain credit card data for damages caused by data breaches. (4) COPPA.
    • II. Laws and SROs Massachusetts then goes beyond most other states with its requirements for administrative, technical, and physical safeguards.
    • II. Laws and SROs From ongoing employee training and data access controls to encryption, malware protection and taking responsibility for third party service providers, it looks to me like Massachusetts, like Nevada, is emulating the standard used by the Payment Card Industry (PCI DSS). And if information security is the goal, that makes sense. Why reinvent the wheel? The Payment Card Industry Data Security Standard has been evolving over many years through the efforts of card issuers like Visa, MasterCard, Amex, and Discover. Source: http://www.rendervisionsconsulting.com/blog/are-online-privacy-policies-required-by-law/
    • II. Laws and SROs Who does it apply to? “Every person that owns or licenses personal information about a resident of the Commonwealth.” Always apply: (1) FTC (under Section 5 of FTC Act) “unfair and deceptive trade practice” statutes governing noncompliance with published privacy policies. (2) State Attorneys General enforcing same under state “Baby” FTC Acts.
    • II. Laws and SROs 2. Don’t ever forget contract law: • Class-action and private rights of action for breaches of published privacy policies, which are binding contracts.
    • II. Laws and SROs 3. What if you “do business” in every state? • Not unrealistic. How do you possibly comply with every state law? • Oftentimes, you might not be able to. What some companies do: Look to “leading” states when it comes to privacy and data security, and realistically comply with the most restrictive. • What states? California. Massachusetts. Definitely the state you’re based in and all states in which you expect to do most of your business. More and more states have laws like Illinois’ “Personal Information Protection Act”, addressing data security responsibilities, including notification responsibilities, setting up toll-free numbers, credit monitoring services, etc. Reality is that you don’t have to provide these services to residents of all states, but it’s somewhat impractical to set up your business practices based on cherry-picking different state law requirements for different users of your services.
    • II. Laws and SROs 4. FTC and SROs – Guidelines and “Best Practices” • FTC Report (3/26/12): The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions. • Small Business Exception: What about small businesses? To minimize the effect on smaller companies, the final framework doesn’t apply to them if they collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.
    • III. Actual Privacy Practices 1. Must you have a privacy policy? Mobile? Yes (in California, for California users). Non-mobile? No. And, some states (e.g. California) have moved toward requiring an actual policy. (Growing trend anyway.) (1) California Online Privacy Protection Act requires a website to “conspicuously post” a privacy policy if it “collects and maintains personally identifiable information from a consumer residing in California.” And “personally identifiable information” defined broadly. (2) California AG agreement with Google and Apple app stores requires app makers to submit privacy policies as part of application submission process. 2. Should you have a privacy policy? Yes. Is “having a privacy policy” the end of your job? No. Law and practice in the US has evolved to not only (effectively) having a privacy policy, but also having certain prescribed disclosures in that policy.
    • III. Actual Privacy Practices 3. Privacy policy or not, what must you really do? (From California law:) Conspicuously disclose: (a) Information Collected – Categories of personal information the website collects. (b) Categories of 3rd-parties with whom the company shares the information. (c) How the user can review and request changes to their information collected by the company. (d) How the company notifies users of material changes to its privacy policy. (e) The effective date of the privacy policy.
    • III. Actual Privacy Practices eTrust (privacytrust.org) requires these additional elements for “seal” privacy certification: (f) (Option not to Provide PII) A user of the site must be given the option of not giving their PII if the information collected is not related to the primary purpose for which the information was collected or the personally identified information was disclosed to third parties. (g) (Unsubscribe Options) All newsletters and promotional email messages that are sent to users, apart from the messages the user has agreed to receive as a condition of using your service, must include an unsubscribe link. (h) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any personally identifiable information on your site without the knowledge and permission of their parent or guardian. If there are certain web pages within your Site that require users to be at least 13 years of age, anyone under the age of 13 should be restricted from participating in such web page activities. (i) (Data Security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing Personally Identifiable Information, to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you also implement reasonable security procedures, such as encryption, to protect Personally Identifiable Information. (j) (User Access) Inform the user how to access and change the Personally Identifiable Information provided by them to you. (k) (Tracking and OBA) What tracking technology, if any, (e.g. cookies) is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
    • IV. The Whys and Wherefores 1. Compliance and Practicality: • Part legal compliance, but part also practical: Increasing use of tracking. IE 9 Tracking Protection utilizes Tracking Protection Lists (TPLs) to enable users to control content delivered by third party companies to any website they are visiting. The intent of this feature is to provide consumers with choice regarding both the collection and use of third party tracking information. Obviously getting an “Allow” certification (from TRUSTe or another certification company) overrides “Block” settings in TPLs, allowing delivery of content, products and services. • http://www.privacytrust.org/certification/privacy/privacy_requirements.html
    • IV. The Whys and Wherefores 2. User expectations and legal risk: • The reality: When user expectations are established by a company’s stated privacy policies or through actual practice. For example, on the PrivacyChoice blog, the CEO of PlaceIQ [www.placeiq.com] explained Apple and Android have already established user expectations about consent. Location-based services in the operating system and, therefore, provide very precise location information, but only through a user-consent framework built-in to the OS. This creates a baseline user expectation about consent for precise location targeting. • http://blog.privacychoice.org/2012/01/23/geo-ip-location-targetingwhen-is-consent-required/
    • Significance of “Personally Identifiable Information” (PII)? Most privacy obligations apply ONLY to handling of users’ PII.
    • What is PII? (a) PII Generally: Name (full name or first initial and last name), maiden name; Email address or other online contact information such as instant messaging identifier; Home or other physical address; Telephone number; Credit card or debit card numbers; Bank account numbers; Social Security number; Driver’s license number or state issued ID card number; Passport number; Taxpayer identification number; Personal characteristics such as photographic images (especially of face or other identifying characteristic), fingerprints, or other biometric data (i.e. retina scan, voice signature, facial geometry)
    • What is PII? MA and CA: • Zip Codes are PII. Trend: • Industry is moving away from overly legal distinctions and simply treating anything that is reasonably “personal” as PII, essentially removing the middle “identifiable”.
    • What is PII? From FTC Report (3/26/12): • The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be "reasonably linked" to consumers, computers, or devices. The final report concludes that data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.
    • What is PII? (b) Potential PII (not by themselves): A persistent identifier such as a generic customer/user value held in a “cookie”; IP (Internet Protocol) address or host name; Date of birth, age; Racial or ethnic background; Religious affiliation; Gender; Marital status; Employment information; Medical information; Financial information; Credit information; Student information
    • What is PII? (c) Sensitive PII: PII which, if lost, compromised, or disclosed without authorization, carries a significant risk of economic or physical harm. Or information related to (i) a particular medical condition or a health record, either alone or with other information, or (ii) the religious affiliation of an individual, either alone or with other information.
    • What is PII? (d) Not PII: Browser type; Browser plug-in details; Local time zone; Date and time of each visitor request (i.e. arrival, exit on each web page); Language preference; Referring site; Device type (i.e. desktop, laptop, or smartphone); Screen size, screen color depth, and system fonts
    • Major Laws (generally) applicable to privacy in the US (from business perspective): FTC Act Section 5; State “Baby” FTC Acts; State (e.g. CA) Privacy Laws; State Data Security Laws (e.g. MA, IL, MN, etc.); HIPAA (medical and health information); Gramm-Leach (financial information); COPPA
    • Are there major differences between mobile and non-mobile? • Yes, particularly because of FCC oversight of mobile (N/A for non-mobile), and application of issues like sharing of customer proprietary network information ("CPNI"), including geographic location information. FCC is not claiming oversight of internet beyond mobile, but FTC is claiming oversight of mobile as well (FTC public workshop 5/30/12).
    • Privacy: What must a business really do? Conspicuously disclose (absolute minimums): (a) Information Collected – Categories of personal information the website collects. (b) Categories of 3rd-parties with whom the company shares the information. (c) How the user can review and request changes to their information collected by the company. (d) How the company notifies users of material changes to its privacy policy. (e) The effective date of the privacy policy.
    • Privacy: What must a business really do? But also … (from SRO and “seal” program certifications): (a) (Option not to Provide PII) Users given option of not giving PII if information collected is not related to primary purpose for which it was collected or the PII was disclosed to third parties. (b) (Unsubscribe Options) All newsletters and promotional email messages that are sent to users, apart from the messages the user has agreed to receive as a condition of using the service, must include an unsubscribe link.
    • Privacy: What must a business really do? (c) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any PII on your site without the knowledge and permission of their parent or guardian. If there are certain web pages within your Site that require users to be at least 13 years of age, anyone under the age of 13 should be restricted from participating in such web page activities. (d) (Data Security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing PII, to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you also implement reasonable security procedures, such as encryption, to protect Personally Identifiable Information.
    • Privacy: What must a business really do? (e) (User Access) Inform users how to access and change the PII provided by them to you. (f) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
    • For Discussion Self-regulatory compliance and Industry “best practice” guidelines: Seal programs: BBB Online (http://www.bbbonline.com), or TRUSTe, (http://www.truste.com). What significance? Winter/Spring 2012: FTC/White House/DoC Initiatives
    • Andrew T. Mirsky, andy@mirskylegal.com, (202) 339-0303, www.mirskylegal.com, @mirskylegal. 2301 N Street, NW, Suite 313, Washington, DC 20037. 318 West 14th Street, 4th Floor, New York, NY 10014.