Kevin Colvin, an intern at Anglo Irish Bank's North American arm, emailed his manager that he would be unable to come in to work because of a family emergency. His manager found a photo posted on Facebook showing Kevin at a Halloween party he had apparently missed work to attend. In response to Kevin’s email, his manager sent him the following email, copying the rest of the office.
Managing Privacy Maximizing Data In Affiliate Marketing Gary Kibel - Presentation Transcript
MANAGING PRIVACY & MAXIMIZING DATA IN AFFILIATE MARKETING Gary Kibel Partner Davis & Gilbert LLP 212.468.4918 [email_address]
PRIVACY & SECURITY IN AMERICA
“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”
Benjamin Franklin, Founding Father
“You have zero privacy anyway. Get over it!”
Scott McNealy, CEO Sun Microsystems
Understand where the data is coming from
Understand who owns the data
Understand how to legally use the data
Know when to ask questions
Don’t be deceptive!
KEY PRESENTATION TAKEAWAYS
CONSUMER EXPECTATIONS
http://www.ftc.gov/reports/privacy3/fairinfo.shtm
Notice
Choice
Access
Security
Enforcement
It’s all about transparency & consumer expectations
FTC Fair Information Practice Principles
CONSUMER-FACING PRIVACY POLICIES
PRIVACY POLICIES ENFORCEABLE
Greer v. 1-800 Flowers.Com Inc. (Texas – 2007)
Facts
Privacy Policy violation
Internal Controls
INDUSTRY-SPECIFIC PRIVACY LAWS
CHILDREN’S ONLINE PRIVACY PROTECTION ACT “COPPA”
All website operators who intend to reach children under the age of 13 or have actual knowledge (regardless of the age group targeted by their website) that children under the age of 13 visit their website must:
Post a privacy policy
Obtain “verifiable parental consent”
Advise parent/legal guardian that they can review the child's personal information
Establish and maintain reasonable security procedures
SOCIAL NETWORKING SITES – COPPA VIOLATIONS
Maintained a blogging and social networking service
Collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent
Age verification system was:
(1) suggestive and
(2) faulty
1.7 million accounts created by children under the age of 13
Result = $1,000,000 fine
DATA SECURITY & STATE SECURITY BREACH NOTIFICATION LAWS
SECURITY BREACHES
ChoicePoint
Bank of America
CardSystems
Department of Veterans Affairs
TJ Maxx
BJ’s
STATE SECURITY BREACH NOTIFICATION LAWS
California SB 1386 (2003)
Now 44 states have security breach notification laws
Most generally apply to unencrypted personal information of consumers
STATE OF NEVADA
Effective October 1, 2008
“A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission.”
COMMONWEALTH OF MASSACHUSETTS
Effective January 1, 2010
“Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program…”
FEDERAL TRADE COMMISSION GUIDANCE
A sound data security plan is built on 5 key principles:
Take stock. Know what personal information you have in your files and on your computers.
Scale down. Keep only what you need for your business.
Lock it. Protect the information that you keep.
Pitch it. Properly dispose of what you no longer need.
Plan ahead. Create a plan to respond to security incidents.
EMERGING TECHNOLOGIES
BEHAVIORAL ADVERTISING
Federal Trade Commission – December 20, 2007
Online Behavioral Advertising – Moving the Discussion Forward to Possible Self-Regulatory Principles
Transparency and consumer control
Reasonable security, and limited data retention, for consumer data
Affirmative express consent for material changes to existing privacy promises
Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising
Federal Trade Commission (Staff Report) – February 2009
Generally maintained the 4 principles
Excluded “first party” behavioral advertising and contextual advertising from the principles
Distinction between PII and non-PII is no longer determinative
Data retention = only as long as necessary
Be creative for non-web site disclosures
Did not resolve the opt-in v. opt-out debate
Did not further define “sensitive data”
BEHAVIORAL ADVERTISING
AAAA/ANA/DMA/IAB – July 2009
7 principles: Education; Transparency; Consumer Control; Data Security; Material Changes; Sensitive Data; Accountability
Basically, FTC + tagging ads + industry enforcement
PARTIES IN THE BEHAVIORAL MARKETING ECOSYSTEM
Advertisers
Ad Agencies
Publishers
ISPs
End Users
Content Delivery Networks
Ad Networks
Ad Servers
DON’T BE DECEPTIVE IN CREATING DATA
New York AG v. Lifestyle Lift (July 2009)
Employees published positive reviews on message boards
Employees did not identify themselves as Lifestyle Lift employees
$300,000 fine
DON’T BE DECEPTIVE IN CREATING DATA
Twitter Hashtag Spam
European furniture maker
“#MOUSAVI Join the database for free to win a £1,000 gift card”
Bad PR
SOCIAL NETWORKING DATA
Understand where the data is coming from
Understand who owns the data
Understand how to legally use the data
Know when to ask questions
Don’t be deceptive!
KEY PRESENTATION TAKEAWAYS
MANAGING PRIVACY & MAXIMIZING DATA IN AFFILIATE MARKETING Gary Kibel Partner Davis & Gilbert LLP 212.468.4918 [email_address] Alan Chapell JD, CIPP Chapell & Associates [email_address]
Affiliate marketing thrives on valuable data, such as lead gen, email marketing and campaign results/statistics. Privacy, data and security issues are critical today, especially in an industry where valuable data is a competitive advantage.
Gary Kibel, Partner, Davis & Gilbert LLP (Twitter @GaryKibel_law)