John Nicholson Presentation



  1. Privacy for Social Media and Location-Based Services
     • John L. Nicholson, Counsel, PWSP, Washington, DC
     • Telephone: (+1)202-663-8269
     • www.virtualworldlaw.com
     • Pillsbury Winthrop Shaw Pittman LLP
  2. The good news and the bad news - I’m a lawyer… I’m from Washington… and I’m here to help you.
     1 | Privacy for Social Media and Location-Based Marketing
  3. What We’ll Cover
     • Privacy Laws
         • Current status of global privacy laws
         • Recent regulatory concerns and guidance for social media and location-based services
         • What might happen
     • Creating Privacy Policies and Privacy by Design
  4. Where We Stand on Privacy Laws
     • “Where you stand depends on where you sit.” - Nelson Mandela
  5. [World map of privacy regimes; labels recovered from the slide]
     • Asia (General) – EU-style privacy law, APEC
     • Japan – EU-style privacy law
     • Canada – EU-style privacy law (PIPEDA)
     • Australia / NZ – EU-style privacy law
     • US – “Harm”-based, sectoral privacy law
     • China – EU-style privacy law
     • Mexico – EU-style privacy law
     • Russia – EU-style privacy law
     • Argentina – EU-style privacy law
     • EU – Most stringent privacy law
     • S. America (General) – Privacy law developing
     • Switzerland – EU-style privacy law
     • Dubai – EU-style privacy law. 1st in Middle East
     • Africa (General) – Privacy law not developed
     • Israel – EU-style privacy law
  6. What Is “EU-style” Privacy Law?
     • Views personal information as being owned and controlled by data subject
     • Much broader definition of personal information
         • Effectively any uniquely identifying data
     • Comprehensive approach based on “privacy principles”
         • Principle 1: Collection Limitation
         • Principle 2: Data Quality
         • Principle 3: Purpose Specification
         • Principle 4: Use Limitation
         • Principle 5: Security Safeguards
         • Principle 6: Openness
         • Principle 7: Individual Participation
         • Principle 8: Accountability
     • Enacted by EU Parliament and then enacted into member state law by each state – so each is slightly different
  7. Why Should You Care About the EU Approach?
     • Your customers in countries with EU-style privacy laws do
     • And even if they don’t, the regulators in those countries do
         • 2010 – Google executives CONVICTED in Italy for violating privacy law by failing to take video off YouTube quickly enough
             • Was posted for 2 months
             • Taken down within 2 hours of notice from Italian police
         • 2010 – Many countries investigate Google for capturing personal information as part of Street View project
         • 2011 – South Korea considering prosecuting Google for privacy violations related to Google Street View
  8. What is US “Harm”-Based Approach
     • Views personal information as commodity to be bought, sold and traded
     • Applies limits only where “harm” is identified
         • Financial information (GLBA)
         • Health information (HIPAA)
         • Children’s information (COPPA & FERPA)
         • Social security numbers
         • Drivers license numbers
         • Telephone / email records
         • Video rental / library records
         • Etc.
     • State data breach notification laws
         • California
         • Patchwork framework
         • Some states now adding medical information
     • However, US is moving towards a more comprehensive, holistic definition of “harm,” broader definition of PII, broader security obligations
  9. Massachusetts
     • New Massachusetts law requires employers to tell workers w/in 10 days about any info placed in employee’s personnel file that has been or may be used to negatively affect the worker’s job
     • Employee also has right to review or get a copy of records w/in days of request up to 2x/year
         • Limit does not apply to the notice and review of negative entries
     • Failure could lead to fine between $500 and $2,500 per incident
     • Could cause problems for employers during other employment litigation. If discovery reveals that employer failed to comply, could hurt the employer’s credibility
     • Documentation dilemma
         • Attorneys tell clients to document employee issues as much as possible, just in case the issues go to litigation
         • New law makes putting relatively innocuous information into a personnel file a much more provocative event. Now a note in a file carries the risk of upsetting employee
     • “I hope you know that this will go down on your Permanent Record.”
  10. Massachusetts
     • “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 Mass. Code Regs. § 17.00)
     • Who Must Comply?
         • “…persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
         • A presence in Massachusetts is not required to be liable under the Regulation.
     • Requires organizations to develop, implement, maintain and monitor a comprehensive, written information security program for records containing personal information (“Program”).
     • Regulations allow for flexibility to tailor each organization’s Program.
     • See 38A21998.pdf
  11. Getting From There to Here
     • From the EU
         • Exporting personal information from the EU to another country is only allowed if the receiving country has data protection laws that have been found “adequate” by the EU DPA
         • The US is not one of those countries
         • Without express consent, exports of personal information from the EU to the US are enabled under three regimes:
             • Model clauses – efficient for two-party transactions
             • Binding Corporate Rules – good theory, difficult to implement
             • Safe Harbor – efficient for multi-nationals/multi-party transactions
         • Some dissatisfaction in EU regarding Safe Harbor
     • From Canada
         • Contractual obligations to comply with PIPEDA protections
  12. Regulatory Concerns & Guidance
     • FTC Staff Report “Self-Regulatory Principles for Online Behavioral Advertising”
         • Published Feb. 2009
         • Available at
     • Proposed four principles for handling online behavioral profiling:
         • Transparency and control
         • Reasonable security and limited data retention
         • Must obtain affirmative express consent before information is used in a way that is materially different from that authorized in a privacy statement
         • Must obtain affirmative express consent before using sensitive data (e.g., data about children, health or finances) in advertising
     • Expressed concept that PII is becoming broader than traditional definition and could include things like IP address
     • FTC is becoming concerned about creation of data profiles that uniquely identify a person despite lack of specific, traditional PII
  13. Regulatory Concerns & Guidance
     • FTC Staff Report – “Beyond Voice – Mapping the Mobile Marketplace”
         • Published April 2009
         • Available at
     • Key privacy/security findings on LBS:
         • Contrast between automatic, ubiquitous nature of LBS and cookies or telephone call logs that are created when consumer takes action
         • Confusion over identity of controller of location information
         • Confusion over application of current legal structure
         • Customer Proprietary Network Information (CPNI) rules
             • Apply to location information BUT
             • Do not apply to non-telecom carriers AND
             • Protect account holder, which may not be user of mobile device
         • Notice & Consent
             • Banner ad vs. disclosure to third party
             • Frequency of notice issues
         • Children’s use
         • International issues (e.g., EU data retention requirements)
  14. Regulatory Concerns & Guidance
     • FTC Preliminary Report “Protecting Consumer Privacy in an Era of Rapid Change”
         • Published Dec. 2010
         • Available at
     • Key findings:
         • Expands concept of “harm” from just economic
         • Endorses “do not track” concept
         • Promotes idea of “privacy by design”
             • Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.
             • Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.
  15. Regulatory Concerns & Guidance
     • Dept. of Commerce “Green Paper” – “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”
         • Published Dec. 2010
         • Available at
         • More commerce and policy oriented
         • Recommends application of “Fair Information Privacy Principles”
         • Does not address privacy by design or privacy enhancing technologies
     • EU “Communication” – “A comprehensive approach on personal data protection in the European Union”
         • Published April 2010
         • Available at
         • Focuses on rapid rate of change in technology
         • Goal is to focus on improving protection of personal privacy, increasing transparency (including for children), enhancing control over own information (including “right to be forgotten”), strengthening rules on consent, and extending enforcement powers and sanctions.
  16. Additional Guidance
     • CTIA – “Best Practices and Guidelines for Location-Based Services”
         • v.2.0 published March 23, 2010
         • Available at
         • Focuses on notice and consent
             • LBS providers must ensure ability of users to receive meaningful notice
             • LBS providers must ensure users consent and recognize that LBS providers bear burden of demonstrating consent
             • Users must have right to terminate consent at any time
         • Sample policies available at
     • EFF – “On Locational Privacy, and How to Avoid Losing it Forever”
         • “build systems which don’t collect the data in the first place”
  17. So What’s Congress Up To?
     • Last Congress - Two privacy bills
         • H.R. 5777 – “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (The Best Practices Act)
         • Boucher/Stearns Privacy Bill
         • Contemplating definitions of personal information that are broader than are currently used in US and more like EU (IP address has been mentioned)
     • Several data security bills
         • H.R.2221 Data Accountability and Trust Act / S.3742 Data Security and Breach Notification Act of 2010
         • S.1490 Personal Data Privacy and Security Act of 2009
         • S.3579 Data Security Act of 2010
         • S.3742 -- Data Security and Breach Notification Act of 2010
         • Each contains requirements for data aggregators and for protection of personal information, as well as data breach notification obligations
  18. What’s Likely?
     • Window of about 8 months before 2012 election gridlock
     • Leading House Republicans are interested in privacy
         • Joe Barton (R-TX) - Leading Republican on the Energy and Commerce Committee
         • Cliff Stearns (R-FL) – House Subcommittee on Communications, Technology, and the Internet
     • Still, not much likely on a big scale - smaller pieces might get through
         • Electronic Communications Privacy Act reform - Tech industry and DoJ both want clarity on rules related to law enforcement searches of e-mail messages and documents stored in the cloud
         • Web tracking and Privacy
             • Several Republicans opposed it in 2010; FTC has endorsed it
     • FTC likely to revise COPPA regulations - Likely to expand definition of PII
     • States likely to keep moving forward
     • Europeans likely to put more pressure on US – either through multinationals or US gov’t – to protect EU consumer data
  19. Creating Privacy Policies and Privacy by Design
  20. Drafting and Implementing a Privacy Policy
     • Privacy decisions are operational decisions
     • Privacy statement is a contractual commitment with the user that may be enforced by the FTC or other regulatory agencies
     • Copying the privacy statement from another company is not a good idea
         • Technically copyright infringement
         • Assumes that the copied policy is worth copying
         • Assumes that you’re doing business in the same way that company is
  21. Privacy Statement for Social Media and LBS
     • General Privacy Statement Obligations
         • Notice - Must be provided in plain language; must not be misleading
         • Choice
             • LBS or other identifying services (e.g., photo-tagging) should be opt-in
             • Use of information for purposes not originally identified requires new consent
             • Distinction between account holder consent and user consent
             • Users should be able to withdraw consent and information about them should be removed
         • Onward transfer – Describe third parties to whom information is provided
         • Security – Commit to security of information
         • Access – Users should be able to see information you’ve collected about them (if you keep it)
     • Children’s information raises additional issues
         • COPPA
  22. Facebook Places
     • Opt-in Service
         • Unlike Beacon, which was opt-out
     • Facebook users can “place” tag friends who have not signed up for Places, BUT tags do not become active until tagged individual approves them
         • Assumption is that people will sign up
         • Privacy by Design
             • Best implementation would be to reject Place tags for anyone who has not activated the service, but provide incentives to turn it on
             • Better implementation would be to only hold Place tags for non-users for limited period of time then delete them
     • Facebook users can check other users into locations (2nd party tagging)
         • 2nd party check-ins can be manually deleted
         • Individual friends can be blocked from 2nd party check-ins
         • 2nd party check-ins can be blocked completely
         • Privacy by Design - Best implementation would be that 2nd party check-ins are blocked by default and must be turned on, but provide incentives to turn it on
  23. Facebook Places (cont)
     • Default is “friends only”
         • Leakage to “friends of friends”
     • Special protections to limit access to information for members under 18 to friends only
     • The Unspoken Problem
         • Facebook limits membership to age 13 and over.
         • According to industry, most popular games among U13s are Facebook games
         • According to Center on Media and Child Health:
             • 60 percent of children ages 10 to 14 have cell phones
             • 22 percent of children 9 and younger have cell phones
  24. Facebook Photo Tagging & Facial Recognition
     • Facial Recognition & Tagging
         • When a user can tag friends in an album, Facebook will use its facial recognition technology to group similar faces together and automatically fill in the "Who is this?" box with its suggestion
         • Users can log in and remove tags
         • Users can opt out of Tag Suggestions by going to their privacy settings and disabling the "Suggest photos of me to friends" feature
         • Individuals being tagged in a photo do not have to have a profile on Facebook
     • Privacy by Design:
         • No tagging people without Facebook profiles
         • Users can opt-in to photo tagging – provide incentives for opting in
         • Multiple options for tag approval – provide incentives for increasing access
             • Universal
             • Selective (white list or black list)
             • Approval required
  25. Comments and Questions? Thank you for listening.
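
The privacy-by-design defaults recommended on the Facebook Places and photo-tagging slides, sketched as an added example (not code from the presentation or from Facebook): tagging is opt-in, people without profiles are never tagged, and held tags expire. The `Subject` record, `decide_tag`, `purge_expired`, the 14-day hold, and the reading of "Selective" as white list activates and black list rejects are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class TagPolicy(Enum):            # the three approval options on the tagging slide
    UNIVERSAL = 1                 # any permitted tagger's tag goes live
    SELECTIVE = 2                 # white list / black list decides
    APPROVAL_REQUIRED = 3         # every tag waits for the subject


@dataclass
class Subject:                    # hypothetical record for the person being tagged
    has_profile: bool = True
    opted_in: bool = False        # opt-in: tagging stays off until the subject enables it
    policy: TagPolicy = TagPolicy.APPROVAL_REQUIRED   # most restrictive by default
    white_list: set = field(default_factory=set)
    black_list: set = field(default_factory=set)


HOLD_PERIOD = timedelta(days=14)  # constructed value; the slides give no figure


def decide_tag(subject: Subject, tagger: str) -> str:
    """Return 'reject', 'pending' or 'active' for one proposed tag."""
    if not subject.has_profile or not subject.opted_in:
        return "reject"           # nothing is stored about non-participants
    if tagger in subject.black_list:
        return "reject"           # individually blocked tagger
    if subject.policy is TagPolicy.UNIVERSAL:
        return "active"
    if subject.policy is TagPolicy.SELECTIVE and tagger in subject.white_list:
        return "active"
    return "pending"              # held until the subject approves


def purge_expired(pending: list, now: datetime) -> list:
    """Keep only held tags younger than HOLD_PERIOD (limited retention)."""
    return [t for t in pending if now - t["created"] < HOLD_PERIOD]
```

A new `Subject()` rejects every tag until the person opts in, which is the default-off behaviour the slides call the best implementation.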