Alan Sutin - Privacy


Legal Perspective on Use of Location Data

Published in: Technology, News & Politics

  1. 1. September 23, 2009 Location data and privacy The legal perspective Alan N. Sutin Chair, Global Intellectual Property & Technology Practice GREENBERG TRAURIG, LLP ▪ ATTORNEYS AT LAW ▪ WWW.GTLAW.COM ©2009, Greenberg Traurig, LLP. Attorneys at Law. All rights reserved.
  2. 2. Topics we will cover  What activities give rise to privacy concerns?  When is location data regulated and do any restrictions apply even if it is not itself personal data?  Special issues relating to children?  How can service providers and developers limit legal exposure? September 23, 2009 [1]
  3. 3. What uses are being made of location data  Government uses □ Investigation □ Evidence  Commercial Uses □ Telecom services □ Navigation □ Directories □ Targeted advertising September 23, 2009 [2]
  4. 4. [Slide image: collage of news headlines] "Finding the Holy Grail of Web Advertising"; "Behavioral Targeting Grows"; "Marketing Works by Targeting Consumers"; "Online Marketing's New Tack"; "The Quest for the Perfect Online Ad"; "How Marketers Hone Their Aim Online"; "Online Customized Ads Move a Step Closer"; "Today's Niche Marketing is About Narrow, Not Small" September 23, 2009 [3]
  5. 5. What can happen when location data is combined with other Personally Identifiable Information? September 23, 2009 [4]
  6. 6. Privacy Law Overview September 23, 2009 [5]
  7. 7. Sources of Relevant Privacy Law  United States Constitution  FCC CPNI-related rules  FTC Regulations and Guidelines  The Electronic Communications Privacy Act (ECPA)  The Computer Fraud and Abuse Act (CFAA)  The Children’s Online Privacy Protection Act (COPPA)  EU Data Directives  State Laws September 23, 2009 [6]
  8. 8. United States Constitution  United States Constitution □ 4th Amendment: default standard governing evidence collection in criminal investigations □ Technology raises new issues in 4th Amendment analysis September 23, 2009 [7]
  9. 9. United States Constitution  Fourth Amendment □ Bans only “unreasonable” searches and seizures □ Searches and seizures are “reasonable” if authorized by a warrant or a warrant exception □ 4th Amendment is not implicated if there is no  Search  Seizure September 23, 2009 [8]
  10. 10. United States Constitution  Federal and state court decisions inconsistent, but the trend is to find that a warrant is required  This summer alone: □ May 12, 2009 – NY’s highest court rules that GPS tracking is a constitutional “search” that requires a warrant. □ September 18, 2009 – MA’s highest court rules that warrant required for GPS tracking September 23, 2009 [9]
  11. 11. Relevant Privacy Laws  The Communications Act and CPNI □ Who must comply?  The FCC’s CPNI rules apply to carriers, including interconnected VoIP providers  The Telephone Records and Privacy Protection Act of 2006 (“TRPPA”) is a generally applicable criminal statute □ What activities and information are covered?  FCC’s CPNI rules govern the collection and use of customer proprietary information by carriers and their partners and contractors.  When does location information qualify as CPNI? September 23, 2009 [ 10 ]
  12. 12. Relevant Privacy Laws  CPNI □ What are the key rules under the FCC’s CPNI Orders?  Carriers may only use CPNI to provide requested services to the customer, or as the customer authorizes/directs in writing  Can use customer info in aggregate form □ What are the key rules under TRPPA?  It’s a crime to □ Obtain CPNI from a carrier without authorization or using fraudulent means □ Knowingly sell or transfer CPNI obtained improperly September 23, 2009 [ 11 ]
  13. 13. Relevant Privacy Laws  FTC Act, and Related Guidelines □ FTC Act grants the FTC broad powers to protect consumers against unfair, deceptive acts or practices □ Personal information collection best practices for adult consumers  Notice/awareness  Choice/consent  Access/participation  Integrity/security  Enforcement/redress September 23, 2009 [ 12 ]
  14. 14. Relevant Privacy Laws  FTC □ Under the FTC Act, the FTC actively pursues unfair and deceptive practices related to personal information  Deceptive practices include a company’s failure to follow or implement its own privacy policy to the detriment of consumers □ Unfair practices include failure to adopt minimal levels of security  De facto standard directs companies to implement reasonable information security programs to protect consumer personal information September 23, 2009 [ 13 ]
  15. 15. Relevant Privacy Laws  FTC □ FTC promotes effective industry self regulation  New behavioral marketing guidelines □ Issued principles after town hall meeting in 2007 □ Staff report on Self-Regulatory Principles for Online Behavioral Marketing issued February 2009  Currently considering location information privacy issues □ FTC Town Hall meeting scheduled for December 7, 2009 discussing, among other things, privacy implications of location information tracking services September 23, 2009 [ 14 ]
  16. 16. Relevant Privacy Laws  Electronic Communications Privacy Act (ECPA) □ Who must comply?  ISPs, online service providers (wired and wireless), and remote computing service providers  But only if they provide services to the public □ What activities and information are covered?  Disclosure of any wireless or wired transmission  Access to electronically stored information September 23, 2009 [ 15 ]
  17. 17. Relevant Privacy Laws  ECPA □ What are the key rules?  No person or entity may intercept electronic communications without authorization  Service providers may not knowingly use any electronic, mechanical or other devices to intercept, use or disclose contents of in-transit or stored electronic communications including customer account records unless a statutory exception applies September 23, 2009 [ 16 ]
  18. 18. Relevant Privacy Laws  Computer Fraud and Abuse Act (CFAA) □ Who must comply?  Generally applicable federal criminal statute □ What activities and information are covered?  Accessing protected computer resources  Intercepting information or communications  Accessing government computers or national security information  Accessing computers to commit a crime  Causing damage to a protected computer  Trafficking in passwords September 23, 2009 [ 17 ]
  19. 19. Relevant Privacy Laws  CFAA □ What are the key rules?  May not access computer resources (without authorization) to intentionally engage in any of prohibited acts  Exceeding authorization and then engaging in prohibited act is also a crime  Damage threshold of $5,000 over 12-month period for civil actions and felony criminal prosecution  Does CFAA apply to unauthorized collection of personal information without notifying customers? □ Probably, but satisfying the loss threshold is the trick □ Aggregating claims across victims and time requires a single act September 23, 2009 [ 18 ]
  20. 20. Relevant Privacy Laws  Children’s Online Privacy Protection Act (COPPA) □ Who must comply?  Operators of commercial web sites and online services satisfying either of the following: □ Directed at children □ General purpose service with actual knowledge that children are providing personal information  FTC has accelerated review of rules for application to mobile services to 2010 □ What activities and information are covered?  Collection of personal information from children under 13 September 23, 2009 [ 19 ]
  21. 21. Relevant Privacy Laws  EU Data Directive 95/46/EC □ Who must comply?  Any person or entity can be subject to the EU Data Directive, even companies without operations in the EU □ What activities and information are covered?  Transfer of personal data from any EU Country  Covered data is information that personally identifies an individual □ What are the key rules?  Personal data from the EU may not be transferred to any country unless that country has adequate privacy protections  U.S. laws generally not considered adequate September 23, 2009 [ 20 ]
  22. 22. Relevant Privacy Laws  EU Data Directive 95/46/EC □ To provide U.S. companies clarity, U.S. and EU agreed on certain safe harbor principles  They do not apply to non-U.S. companies, or transfers within and between EU member states  Compliance with principles is presumptive compliance with EU Data Directive  Methods of compliance □ Participate in self-regulatory industry standards □ Self-certify with submission to U.S. DoC September 23, 2009 [ 21 ]
  23. 23. Relevant Privacy Laws  EU Directive on Privacy and Electronic Communications 2002/58/EC □ Covers real-time and historic location information □ Providers can process location information to enable transmission, process bills, and manage traffic □ Location data (other than traffic data) can be processed (without consent) if the individual isn’t identified □ For value added services, location can be tracked with informed consent of the user or subscriber □ User or subscriber must be able to withdraw consent □ Use of non-anonymous location data only to the extent necessary to provide the value-added service within the scope of the consent September 23, 2009 [ 22 ]
  24. 24. Relevant Privacy Laws  Invasion of privacy under state common law □ Elements: (1) unauthorized intrusion; (2) level of intrusion is offensive to a reasonable person; (3) intrusion relates to private matters; and (4) results in anguish or suffering □ Most states recognize the tort  NY - no  CA - yes September 23, 2009 [ 23 ]
  25. 25. Relevant Privacy Laws  45 States (+P.R.) have breach-notice laws  Typical statutory elements □ Protected personal information covered  Name plus one or more identifying element □ SS#, driver’s license #, other government ID #, financial account numbers and account access credentials  Health insurance or medical records  Applies to owners or delegated custodians of covered personal information of a citizen of the state  Location information not widely recognized . . . yet □ Notice triggering events  Actual unauthorized access or disclosure of unencrypted personal information  Reasonable belief of unauthorized access to such data September 23, 2009 [ 24 ]
  26. 26. What Should Providers and Developers Do? September 23, 2009 [ 25 ]
  27. 27. LBS providers and developers - best practices  Include privacy-enhancing features into location-tracking services for consumer markets in the U.S. □ Have a clear written privacy policy  Say what you do and do what you say □ Opt-in feature, with ability to opt-out easily □ Allow users to select/de-select which and when third parties can obtain their location information □ Enable users to temporarily turn off location tracking □ If device or service is targeted for children or likely to attract children, follow COPPA if you want kids or block users younger than 13 years old if you don’t want child users □ Encrypt or redact personal information at rest and in storage □ Destroy personal information after it is no longer useful September 23, 2009 [ 26 ]
  28. 28. LBS providers and developers - best practices  Follow FTC general rule of reason approach □ Employ privacy protections based on the sensitivity of the data and the nature of provider’s business operations, the risks faced and the reasonable protections available to avoid/mitigate those risks.  Adopt and implement data breach and notice policies that comply with applicable state laws □ Start with the states where your customer personal data is stored □ Look to the states where you have principal offices □ Examine states where you’ll likely have customers □ Decide which laws are most applicable □ Safe harbors are available for data handlers that encrypt September 23, 2009 [ 27 ]
  29. 29. LBS providers and developers - best practices  Adopt security program that is, at a minimum, consistent with FTC’s guidelines □ Designate a security program responsible party □ Initial risk assessment for each area of relevant operation  Employee training and management;  Examine relevant information systems for vulnerabilities; and  Prevention, detection, and response to attacks, intrusions, or other systems failures □ Design and implement reasonable safeguards □ Regularly test and monitor the safeguards □ Evaluate and adjust the key controls September 23, 2009 [ 28 ]
  30. 30. LBS providers and developers - best practices  Carefully choose downstream/upstream providers and act on information of non-compliance  Negotiate effective service and product agreements □ Bind all providers and data handlers □ Representations and warranties □ Indemnifications covering losses/liabilities for non-compliance □ Create remedies that address true cost of data breach □ Remove indemnification liabilities from the cap on damages September 23, 2009 [ 29 ]
  31. 31. Thank You! Alan N. Sutin Chair, Global Intellectual Property & Technology Practice Tel: 212-801-9286 Email: GREENBERG TRAURIG, LLP ▪ ATTORNEYS AT LAW ▪ WWW.GTLAW.COM ©2009, Greenberg Traurig, LLP. Attorneys at Law. All rights reserved.