Presentation ncsl - mobile privacy enforcement 130502 (as presented) (Jason Haislmaier)
This document discusses mobile app privacy and policy issues. It summarizes recent actions by the Federal Trade Commission (FTC) and state of California to enforce privacy laws regarding mobile apps. The FTC has increased enforcement actions against companies for failures to implement reasonable data security and deceptive privacy policies. California has also aggressively enforced its Online Privacy Protection Act against mobile apps that do not adequately disclose data collection and sharing practices. Enforcement actions against major companies like Delta Airlines show increased scrutiny of mobile app privacy practices. Future focus areas are expected to include children's privacy and coordination between regulators and industry.
This document summarizes a presentation on Facebook marketing and legal/regulatory compliance in Canada and the U.S. It discusses Canada's privacy laws, cases related to social media and privacy, and new developments. Key points include that Canada has a mix of federal and provincial privacy laws, the OPCC has investigated Facebook's practices, and the FTC has taken action against companies like Facebook and Twitter for deceiving consumers. Privacy rights continue evolving with potential new regulations in both countries.
This document summarizes a presentation on legal and regulatory compliance for Facebook marketing in Canada and the US. It provides an overview of privacy laws in both countries, recent social media court cases, and trends. Key points include Canada having a mix of federal and provincial privacy laws while the US lacks a comprehensive privacy framework. Recent FTC cases against Twitter and Facebook involved charges of deceiving consumers about privacy and security. Looking ahead, presenters advise developing social media policies, reviewing privacy policies, and conducting due diligence on digital marketing partners.
This document summarizes developments in data privacy laws across several U.S. states, as presented by partners from the law firm Knobbe Martens. It provides updates on laws in California, Illinois, Maine, and Washington regarding consumer privacy and the use of biometric and genetic data. Specifically, it discusses regulations recently finalized for California's CCPA law, amendments to Illinois' Genetic Information Privacy Act, a new law in Maine protecting online consumer data, and Washington's new law regulating government use of facial recognition technology.
This document discusses social media risks and related laws. It covers how conversations on social media can become publications with legal implications. Some key topics discussed include privacy risks from sharing personal information and companies monitoring employees' social media, intellectual property risks like copyright infringement, and defamation risks from making untrue statements about others. The document also examines how various laws like privacy acts, harassment laws, and intellectual property laws apply in the social media context.
Mobile Privacy & Litigation presented by Sedgwick at the #MobiU2013 Summit, 9... (Kimberly-Clark)
Privacy, particularly on location, is a huge area of concern for all major brands. The opportunity is so big that it’s hard to pass up use of consumer mobile data. But with so much at stake, you don’t want to overplay your hand and get into a legal quagmire. Matthew will cover the latest in the ever-changing legal landscape of mobile marketing. This information session covers (a) an overview of the legal framework affecting mobile marketing, (b) federal and state enforcement measures and expectations, (c) emerging issues in mobile privacy expectations, including location-based ads, (d) recent rulings and implications relative to the TCPA.
Maximizing & Exploiting Big Data in Digital Media....Legally (MediaPost)
Data, the gold of the online world, can be both an asset and a liability. Online tracking mechanisms and data matching/segmentation techniques have become far more sophisticated and make programmatic media buying more effective. 1st party and 3rd party data can be acquired and used for a wide variety of purposes. Regulators and lawmakers are slowly catching up and raising privacy and consumer protection concerns. Avoiding potential pitfalls should be a key strategic business decision for every player in the programmatic space using services through which data is collected and/or exploited. This session will discuss best practices for exploiting big data in the programmatic and digital media worlds in a compliant manner.
Social media and the future of e-discovery (Logikcull.com)
The document summarizes a presentation about social media and e-discovery. It discusses the prevalence of social media use, how social media is used in litigation, and challenges around collecting and authenticating social media data for legal cases. Key points include that over 1 billion people use Facebook, social media content is discoverable like any other electronic records if relevant to a case, and the Stored Communications Act places restrictions on directly subpoenaing social media data from third party providers. Methods discussed for collecting social media include taking screenshots, using download tools, and forensic collection software.
Data – the Lifeblood of the Affiliate Marketing industry (Affiliate Summit)
This presentation is from Affiliate Summit East 2014 (August 10-12, 2014 New York City).
Session Description: Like it or not, you’re in the ‘big data’ industry. I will discuss best practices, privacy concerns, and avoiding legal liability while maximizing opportunities when handling this precious commodity.
Socialize Conference Toronto 2012 - FaceBook Marketing: Adler Law Group
The use of social media for marketing and advertising purposes is one of the fastest growing areas for business and marketers. The advent of social media sites like Facebook, Twitter, LinkedIn, Google+ and others provides the opportunity for authentic interaction and engagement with customers. But with every technological development and opportunity, new legal and business risks present themselves. Understanding and minimizing these risks will help you maximize the opportunities.
A best practices approach to social media marketing involves having the company's philosophy, methodology, and guidelines captured in a comprehensive written policy that is clearly and regularly communicated to the employees, and regularly updated to keep abreast of new developments, opportunities and evolving legal guidance.
This document discusses data protection and risk mitigation under South Africa's Protection of Personal Information Act (POPI). It addresses key issues like identifying personal data and systems impacted by POPI, information security safeguards, records management policies, digital content and app ownership, and considerations for protecting young people's data. The document provides recommendations like conducting a POPI audit, appointing an information officer, and establishing policies regarding privacy, security, and intellectual property.
So Many States, So Many Privacy Laws: US State Privacy Law Update (TrustArc)
It’s no surprise that a US federal privacy law is the current talk of the privacy community. There have been MANY recent developments with individual US state privacy laws, along with numerous additional legislation on the horizon. With the advent of the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Privacy Act (CDPA) plus activity with the Washington Privacy Act (WPA) and Oklahoma Computer Privacy Safety Act, there's a lot to focus on.
The changing privacy landscape can make it tricky for privacy leaders to stay up to date as they manage their privacy programs. And there's no indication US privacy regulation changes will slow down in 2021. While it may feel like a bad game of "Whack-a-Mole," there are ways to keep your company in-the-know and empowered as more regulations pop up.
This webinar will review:
- Recent developments in US state privacy laws
- US federal privacy law predictions
- Best practices and tips on how your company can keep up
This document summarizes a webinar on the U.S. Quarterly Privacy Update from July 21, 2021. It discusses recent state privacy law developments in Colorado and Ohio, and predicts other states that may pass privacy laws in 2021. Colorado and Ohio recently passed privacy laws. The webinar also covers commonalities and differences between various proposed state privacy laws, and discusses the possibility of federal privacy legislation.
This document is a complaint filed by the United States government against InMobi Pte Ltd. for violations of the Children's Online Privacy Protection Act and Section 5 of the FTC Act. The complaint alleges that InMobi collected location data from mobile devices through its advertising software, even when users had restricted location tracking, in order to target ads to users based on their location. It claims InMobi's practices were unfair and deceptive. The government is seeking civil penalties, injunctive relief, and other equitable remedies for InMobi's violations of federal law protecting children's privacy and prohibiting unfair commercial acts.
Who Will Run My Fantasy Football Team When I’m Gone: The Latest and Greatest ... (gallowayandcollens)
National Academy of Elder Law Attorneys Webinar 2015 presented by Attorney Howard Collens on the recent updates regarding Fiduciary Access to Digital Assets.
Naela webinar 2015 digital asset powerpoint hhc 11.4.2015 5-eed (Gideon Ale)
- The document discusses the growing issue of gaining access to a deceased individual's digital assets, such as online fantasy sports league accounts and teams. As more aspects of our lives move online, it is important to establish laws governing fiduciary access to digital assets.
- Several states have introduced legislation based on the Uniform Fiduciary Access to Digital Assets Act (UFADAA) to clarify the authority of estate executors, trustees, and other fiduciaries to manage digital assets. Michigan is considering introducing its own version, called the Fiduciary Access to Digital Assets Act.
- The proposed Michigan law would grant fiduciaries access to the catalogs of a deceased's digital communications and, with proper documentation,
1) The panel affirmed the district court's denial of Google's motion to dismiss Wiretap Act claims regarding its collection of payload data from unencrypted Wi-Fi networks while taking Street View photos.
2) The panel held that the data collected was not exempt under the Wiretap Act because it did not meet the definition of an "electronic communication...readily accessible to the general public."
3) Specifically, the panel found that data transmitted over Wi-Fi networks did not constitute a "radio communication" as defined by the Act, and thus was not "readily accessible to the general public" simply by virtue of being unencrypted.
This document discusses recent developments in consumer privacy law as it relates to e-commerce. It summarizes that states have passed numerous privacy laws since 9/11, with Vermont and New Mexico passing laws requiring opt-in consent for sharing financial and health information with third parties. It also discusses the FTC's guidelines for information security programs and considerations for website privacy policies, including passive and active data collection, relationships with third parties, satisfying notice requirements, and jurisdiction.
The document summarizes key aspects of California's new data privacy law, the California Consumer Privacy Act (CCPA). It outlines consumer rights like the right to access, delete, and opt-out of the sale of their data. It also discusses which businesses are impacted, obligations of covered businesses, potential penalties for noncompliance up to $7,500 per violation, and exemptions. There is uncertainty around how the law may be amended or preempted by future federal privacy legislation sought by big tech companies seeking to weaken its protections and reduce penalties.
How to Leverage Your GDPR Compliance for CCPA, Privacy Shield & More New Requ... (TrustArc)
The GDPR forced companies to spend a substantial amount of time, resources and money on becoming compliant. For many companies, it took years to understand, build and manage a compliance program to meet the variety of requirements included in the GDPR.
With new and updated privacy laws and regulations popping up, such as CCPA and Privacy Shield invalidation, companies are now being tasked with assessing the impact to their current privacy program and learning how to weave them into existing practices.
Listen to this webinar to learn how to leverage the substantial amount of work that was done for the GDPR to simplify additional privacy compliance.
1. Behavioral advertising is a form of online advertising where ads are selected based on websites visited, actions taken, or user information to target users.
2. There is debate around whether behavioral advertising violates privacy laws and if self-regulation is sufficient given consumers' growing awareness of privacy issues related to targeted ads.
3. While industry argues that legislation could harm innovation, privacy advocates and lawmakers support regulations to increase transparency around data collection and use for behavioral advertising. Monitoring and evidence are needed to ensure self-regulatory principles are followed.
NIC Inc., Tennessee Division, 2015 Annual Report (NIC Inc | EGOV)
The document summarizes the 15-year partnership between NIC and the state of Tennessee to develop and manage online government services on TN.gov. It discusses how over 15 million transactions and $6 billion are processed annually through TN.gov applications. It also highlights new services launched, awards received, and increasing mobile traffic to the site.
This document summarizes various privacy issues related to government surveillance and online advertising. It discusses a DOJ investigation of Megaupload.com, the Fourth Amendment protection against unreasonable searches and seizures, the US v. Jones Supreme Court decision, targeted online behavioral advertising, Facebook privacy policies and apps, the FTC's approach to online privacy, and recent US legislation regarding do-not-track options and online privacy protections. It also briefly touches on surveillance cameras in London and their impact on crime rates and public attitudes.
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv... (Kenneth Riley)
Following the adoption of GDPR in the European Union, the United States has seen its own privacy regulatory landscape evolve and develop. Beginning in California and expanding to Nevada, Maine, and beyond, ensuring organizational and technical compliance with these stringent regulations has become a priority for many organizations. These regulations have come with additional reputational and regulatory risk (e.g. fines), increased consumer rights, and an enhanced focus on how companies use data as a commodity. This webinar will unpack the key complexities surrounding those regulations, speak to how technology advancements can assist in compliance and overall privacy program maturity, and discuss how Internal Audit can prepare for and drive a proactive approach to privacy.
This document summarizes a presentation on legal and regulatory compliance for Facebook marketing in Canada and the US. It discusses Canada's privacy laws, recent social media court cases in Canada, and the outlook of privacy regulators. It also reviews key US social media cases involving consumer deception and privacy risks. Developments like anti-spam laws and "Do Not Track" legislation are mentioned. Overall, privacy rights are still evolving and companies should have social media policies, updated privacy policies, and conduct due diligence on digital partners.
Trending Topics in Data Collection & Targeted Marketing (cdasLLP)
Slideshow to accompany co-sponsored panel from IAB Ad Lab and Cowan, DeBaets, Abrahams & Sheppard LLP. Participants: Joshua B. Sessler, Eleanor M. Lackman, Sarah Hudgins. For more entertainment and digital media law analysis, go to: http://cdas.com/legal/
Online Behavioral Advertising (OBA) Legal & Regulatory Compliance (Adler Law Group)
Online behavioral advertising involves the collection of data about individuals' online activities in order to deliver targeted advertisements. While this allows for personalized ads, many users are concerned about privacy and a lack of anonymity online. Both regulators and legislators have responded by introducing laws and guidelines to increase transparency, consent, and security around the collection and use of personal data for behavioral advertising. Industry groups have also developed self-regulatory principles, but enforcement of these is ongoing.
Businesses that engage in the collection, use, disclosure and management of personal information in Canada need to be cognizant of the regulatory framework governing the privacy landscape in order to stay compliant.
USA and Europe (EU) do have a different way of looking into privacy. This PPT is about who is responsible and what kind of rules are in place. This is a A Medved Consultants LLC Presentation. This may not be considered as a legal advice.
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Diana Maier
No matter what kind of law practice you have, you need to comply with privacy laws generally and lawyers' ethical duties with respect to privacy, specifically. In this presentation, legal ethics counsel Sarah Banola (Cooper, White and Cooper, LLP) and employment and privacy attorney Diana Maier (Law Offices of Diana Maier) deliver a primer on privacy law and teach you the key areas of privacy law and associated ethical obligations.
This document summarizes the key events in the history of net neutrality regulation and policy debates in the United States from the 1860 Pacific Telegraph Act to 2014. It discusses major FCC rulings and court cases, political debates, and the impact of events like the Edward Whitacre comments and John Oliver segment. Major milestones included the 2005 Net Neutrality Principles, the 2010 and 2014 Open Internet Orders, and the 2014 DC Circuit decision recognizing FCC authority but limiting its ability to impose common carrier rules on ISPs.
2019-06-11 What New US State Laws Mean For Your BusinessTrustArc
On-Demand Webinar Recording: https://info.trustarc.com/WB-2019-06-11-USDataProtectionLaws_RegPage.html
-------
While the focus over the past two years has been around global privacy regulations such as the EU GDPR regulation, individual US states have been proposing -- and enacting -- a number of privacy-impacting laws that may affect your company in new and challenging ways. From the comprehensive California Consumer Privacy Act (CCPA) to the revisions in data breach laws in Colorado, Oregon and Vermont, it can be difficult to track these changes, and even more difficult to build a compliance program with the flexibility to adapt to the constantly changing environment.
This webinar will provide:
-An overview of major new US state privacy laws and important pending legislation
-An update on the discussions and atmospherics around a comprehensive US privacy law
-Recommendations on incorporating US state privacy law compliance into a global privacy risk management program
2016 was an important year for privacy on many fronts. From Privacy Shield to the imminent arrival of a new U.S. president; from Brexit to ongoing breach law developments; and from FCC changes for ISPs to the upcoming arrival of GDPR—there wasn’t a single dull moment. In this eLunch, Winston’s Privacy & Data Security Practice Chair Liisa Thomas and Partner Rob Newman looked back at 2016 and discussed what to expect in the privacy world in 2017 and beyond.
Pli workplace privacy in the year 2013 2013-6-13mkeane
Addresses privacy issues associated with hiring in a social media world, privacy issues associated with BYOD programs; employee privacy rights associated with off-duty activity including Facebook postings and activity protected by lifestyle laws.
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to the Joint Meeting of ISACA and IIA North Texas on January 12, 2017.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that all company will be breached, but preparation and diligence can help minimize the likelihood that such a breach from being a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk business have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Post US Election Privacy Updates & ImplicationsTrustArc
The United States election on November 3rd will impact the future use of personal information for organizations doing business with US citizens. From presidential results to state propositions, there will be many privacy ramifications, and how we move forward to embrace the new changes is a topic that will bring many perspectives.
Join us as we discuss the implications of the US election, including California’s Proposition 24 which would expand the provisions of the CCPA and what the next administration’s role will be in helping shape the new framework for EU-US data transfers.
-Privacy issues that were included or arose in the 2020 election
-Implications of election outcomes on privacy laws or priorities
-What to watch for in 2021
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
Part of the webinar series: CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
Mitigating Risk of Website Accessibility Lawsuits3Play Media
Attempts to enforce ADA website compliance continue and may be increasing in some business verticals with the effects of the pandemic and the push to an all-on-line era. The need to make your websites more accessible to all is not a matter of if, but rather when. Accessible360’s Co-founder has been teaching CLE classes for several years, come learn what you can do now to make websites and apps available to more people, and how to reduce your risk.
Data has emerged as one of the most important resources of today's world. However, there does not exist clear rules on how to make use of this resource. There are spillover effects and negative externalities in the form of privacy breaches while exploiting this resource. In such a situation, what should be the legal remedy?
The law should find a balance between the interests of the customers and the corporations. The customers want safety and privacy, whereas corporations want commercial use of data which risks the customer's interests.
Who ownes the customer? Privacy in the connected age.jatharrison
The document discusses how customer data ownership has evolved over time as technology has advanced. In the 1980s, customers' personal data was owned by few entities like the government, doctors, and phone directories. With the rise of the internet, data became dispersed across many websites. Now with social media, customers share vast amounts of personal data, but often don't truly own it despite generating value for companies. The document argues that for a fair future, customers should own and manage their own personal data stores, choosing which companies can access it in exchange for valuable services. Laws must evolve to protect privacy and give customers control over their data.
This document summarizes a presentation on the emerging issues related to legalized marijuana. It discusses how marijuana legalization is impacting various areas of law and insurance claims. Legalized marijuana directly impacts professional liability, transportation, employment, premises liability and other areas. While public opinion and usage is increasing, federal law still prohibits marijuana use. States are passing legislation to legalize medical and recreational marijuana use, creating conflicts with federal law. This is generating new types of lawsuits and insurance claims around issues like indemnity agreements and additional insured coverage. Presenters discussed open questions around how these legal and regulatory changes will further impact claims handling and different professions.
This document discusses genetically modified organisms (GMOs) and how they differ from hybrid organisms. It notes that while hybrids involve breeding closely related species and result in sterile offspring, GMOs involve transferring genes between unrelated organisms using genetic engineering techniques. The document outlines some current and potential insurance issues related to GMOs, including whether general liability policies would cover bodily injury or property damage claims. It also lists some past legal cases involving GMOs and potential future labeling lawsuits challenging state laws requiring GMO labeling.
This document discusses social media and its uses in claims handling and litigation. It provides definitions and examples of key terms like social media, web 2.0, and the internet of things. It describes the types of personal information that can be learned from social media and other online data sources. It also discusses ethical considerations and court decisions around using social media information in litigation. The key takeaways are that social media investigations are essential for effective claims handling, public social media information can lead to private insights, and claimants are no longer strangers due to available online data.
This document discusses a panel discussion on cyber liability coverage. It includes:
1) An overview of what constitutes "cyber" liability, including failures of network security, wrongful disclosure of information, privacy/security investigations, and media content issues.
2) Examples of coverage sections in cyber policies, including first party coverage for expenses/business interruption and third party coverage for liability.
3) Hypothetical breach scenarios involving exposed PII, negligent service providers, state-sponsored hacking, and network/property damage.
4) A discussion of social engineering threats and how related losses may be covered under crime policies or financial bonds depending on if hacking or authorized users were involved.
This document discusses a webinar on successfully working with special masters for maximum results. The webinar will feature presentations from experts in special masters including a law professor, retired judge, and partners from litigation firms. They will cover topics such as criteria for appointing special masters, qualifications of special masters, timing of appointments, finding and selecting special masters, mechanics of appointments, effective use of special masters, and ethical issues that may arise.
This document discusses drafting vendor contracts for data security and privacy issues. It provides examples of common insurance requirements in such contracts and issues that can arise. Key requirements discussed include maintaining cyber liability insurance with minimum per-incident and aggregate limits, and coverage for privacy breaches, notification costs, fines, and business interruption. Common issues are unrealistic limits, unclear specifications, and requirements that are unattainable. The benefits of insurance requirements are financial security, but pitfalls include that a contract is separate from a policy.
"Who's Ox is Being Gored? A Comparison of ConsensusDOCS and AIA Form Construc...HB Litigation Conferences
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive functioning. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms.
Additional Insured Issues in the Construction Industry" - Dnjcon14 session 2 ...HB Litigation Conferences
This document summarizes issues related to additional insured coverage in construction contracts. It discusses how construction contracts typically require subcontractors to name the property owner or general contractor as an additional insured on their insurance policies. Disputes often arise when injuries occur on construction sites and multiple parties seek coverage under different insurance policies. The document analyzes several court cases to explain how New Jersey courts interpret the scope of coverage for additional insureds, such as whether the injury must arise out of the subcontractor's work. It also discusses how newer additional insured endorsements have attempted to narrow coverage by using language like "caused in whole or in part by" rather than "arising out of."
This document briefly explains the June compliance calendar 2024 with income tax returns, PF, ESI, and important due dates, forms to be filled out, periods, and who should file them?.
Sangyun Lee, 'Why Korea's Merger Control Occasionally Fails: A Public Choice ...Sangyun Lee
Presentation slides for a session held on June 4, 2024, at Kyoto University. This presentation is based on the presenter’s recent paper, coauthored with Hwang Lee, Professor, Korea University, with the same title, published in the Journal of Business Administration & Law, Volume 34, No. 2 (April 2024). The paper, written in Korean, is available at <https://shorturl.at/GCWcI>.
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Massimo Talia
This guide aims to provide information on how lawyers will be able to use the opportunities provided by AI tools and how such tools could help the business processes of small firms. Its objective is to provide lawyers with some background to understand what they can and cannot realistically expect from these products. This guide aims to give a reference point for small law practices in the EU
against which they can evaluate those classes of AI applications that are probably the most relevant for them.
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordinary And Special Businesses And Ordinary And Special Resolutions with Companies (Postal Ballot) Regulations, 2018
Business law for the students of undergraduate level. The presentation contains the summary of all the chapters under the syllabus of State University, Contract Act, Sale of Goods Act, Negotiable Instrument Act, Partnership Act, Limited Liability Act, Consumer Protection Act.
Receivership and liquidation Accounts
Being a Paper Presented at Business Recovery and Insolvency Practitioners Association of Nigeria (BRIPAN) on Friday, August 18, 2023.
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence LawyersHarpreetSaini48
Discover how Mississauga criminal defence lawyers defend clients facing weapon offence charges with expert legal guidance and courtroom representation.
To know more visit: https://www.saini-law.com/
Genocide in International Criminal Law.pptxMasoudZamani13
Excited to share insights from my recent presentation on genocide! 💡 In light of ongoing debates, it's crucial to delve into the nuances of this grave crime.
सुप्रीम कोर्ट ने यह भी माना था कि मजिस्ट्रेट का यह कर्तव्य है कि वह सुनिश्चित करे कि अधिकारी पीएमएलए के तहत निर्धारित प्रक्रिया के साथ-साथ संवैधानिक सुरक्षा उपायों का भी उचित रूप से पालन करें।
3. Speakers
• Lincoln Bandlow (moderator), Partner, Lathrop & Gage LLP, Los Angeles, California
• Dominique Shelton, Partner, Alston & Bird LLP, Los Angeles, California
• Emily Tabatabai, Privacy Attorney, Orrick, Herrington & Sutcliffe LLP, Washington, D.C.
• Christina Tusan, Attorney, Federal Trade Commission
4. Five Big Data Reports in May 2014
• May 1, 2014: White House releases Big Data report led by John Podesta. See Executive Office of the President, Big
Data: Seizing Opportunities, Preserving Values (Executive Office of the President, May 1, 2014).
• May 1, 2014: White House releases technological feasibility Big Data report. See President’s Council of
Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective (the “PCAST Report”).
• May 15, 2014: The Senate released a report on malware. See Senate Permanent Subcommittee on
Investigations, “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy” (May 15,
2014).
• May 21, 2014: CA AG came out with her report on privacy policies. See Att’y Gen. Kamala D. Harris, Making
Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy (Cal. Dep’t of
Justice, May 21, 2014), available at http://tinyurl.com/CAAGMakingYourPrivacyPractices .
• May 27, 2014: Data Broker report. See F.T.C., Data Brokers: A Call for Transparency and Accountability (May
27, 2014).
6. Takeaways
• The Senate, FTC and CA AG are focused on “Big Data” and
behavioral tracking in particular.
• There is a renewed focus on transparency. Regulators are
concerned that consumers don’t understand the advertising/data-broker
ecosystem (i.e., the number of trackers on websites and
mobile apps).
• Use of internal data-tagging can provide a method for companies to
access Big Data within companies.
• New laws will be proposed.
• FTC will be using Section 5 of the FTC Act to enforce.
7. Behavioral Tracking Class Actions
(Privacy Claims under the Electronic
Communications Privacy Act, Stored
Communications Act and Wiretap Act)
8. How Big are “Do Not Track” Class Actions?
– 195 Do Not Track class actions have been filed in the past 36
months, and 12 mobile app class actions have been filed in the past
eight months.
– On June 11, 2013, the largest privacy class action was affirmed by
the 7th Circuit – $1 billion exposure based on behavioral tracking.
– The plaintiffs’ bar is focusing on privacy class actions.
– The FTC has increased its enforcement activity.
– Based upon global and U.S. trends, more focus on privacy and
tracking will occur in 2014.
9. Do Not Track Cases
Washington - 3
Montana - 2
California - 108
Arizona - 1
Colorado - 1
Minnesota - 1
Wisconsin - 1
Illinois - 8
Missouri - 4
Arkansas - 17
Louisiana - 1
Texas - 6
Alabama - 2
Michigan - 1
Rhode Island - 1
Georgia - 4
Florida - 4
Ohio - 1
Tennessee - 1
Delaware - 2
N. Carolina - 1
New York - 13
Massachusetts - 2
Virginia - 1
Maryland - 1
Connecticut - 2
New Jersey - 2
Pennsylvania - 1
Puerto Rico - 1
District of Columbia - 2
10. How Many Big Data Companies Have Been Named?
– 121 Companies (62% of the 195 actions) have included Big Data companies (e.g., data
analytics, ad networks, exchanges, mobile marketing).
– Software company Carrier IQ (67 class actions).
– Analytic Companies: (32 class actions)
• Google (24 class actions)
• Other analytic companies (e.g., Kissmetrics, Flurry, Millennial Media, comScore) (8 class
actions)
– Ad Networks and Ad Exchanges (21 class actions)
• Quantcast, Clearspring, Mobile Ringleader (now defunct), Traffic Marketplace, Interclick,
Mob Clix, Quattro, Admob, PulsePoint
– Cloud: Amazon (1 class action).
12. Harris v. comScore
• Plaintiffs alleged tracking based upon downloads
of bundled software that did not disclose tracking
technologies or comScore’s name.
• Plaintiffs alleged inadequate privacy disclosures.
• Sought to certify a 10-million-user class at $10,000
statutory damages under the Stored
Communications Act.
13. Harris v. comScore
• Key takeaways:
– Court held common questions of fact and law
predominated.
– Plaintiffs could self-identify to become members of the
class – Note: This is highly unusual and rarely permitted.
– Emails contained in comScore’s records were considered
sufficient to ascertain class members.
Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013).
14. Harris v. comScore: June 11, 2013,
7th Cir. Affirms Certification of $1 Billion Class
15. Harris v. comScore $1 billion exposure
settled May 30, 2014 for $14 million
16. In re Zynga Privacy Litig.,
2014 U.S. App. Lexis 8662 (9th Cir. May 8, 2014)
• The Ninth Circuit affirmed the Northern District of California’s dismissal of two putative class actions
alleging Facebook Inc. and Zynga Game Network Inc. improperly shared consumers' personal information
with advertisers, finding the social network giant and the gaming company didn’t disclose the contents of
communications.
• Plaintiffs claimed that Facebook and Zynga violated the Wiretap Act and Stored Communications
Act by sharing referer headers (that included user IDs and the web pages viewed by the user) with
advertisers and other web analytics companies.
• The Stored Communications Act says that a service provider may divulge records and other information
pertaining to a customer, but may not divulge the contents of communications, the opinion said. Customer
record information including the customer’s name, address and subscriber number, does not qualify as
contents under the federal law.
• The Ninth Circuit upheld the dismissal of the two class actions that alleged violations of the Wiretap Act
and the Stored Communications Act — sections of the Electronic Communications Privacy Act — ruling
that the plaintiffs failed to state a claim because they didn’t allege that either Facebook or Zynga disclosed
the “contents” of a communication, a necessary element of their ECPA claims, according to the opinion.
• Takeaway: No liability under ECPA for sharing referer headers alone with third parties.
17. Find Out What Data You Are Collecting
Because the Plaintiffs’ Bar Is!
Consider a tool like Ghostery - basic license is free
19. VPPA Background
• The VPPA prohibits disclosure of personally
identifiable information (“PII”), including
information identifying a person as
requesting or obtaining specific video
material. 18 U.S.C. § 2710, et seq.
• The VPPA does not define PII directly,
stating that it “includes information which
identifies a person as having requested or
obtained specific video materials or
services from a video tape service
provider.” 18 U.S.C. § 2710(a)(3). This
includes information shared with vendors,
including subject matter categories. Some
vendors argue that generic categories (e.g.,
“likes sports”) are not PII.
20. VPPA Background
• VPPA defines “video tape service provider” to mean “any person,
engaged in the business, in or affecting interstate or foreign commerce,
of rental, sale, or delivery of prerecorded video cassette tapes or
similar audio visual materials…” 18 U.S.C. § 2710(a)(4).
• VPPA defines the term “consumer” to mean
“any renter, purchaser, or subscriber of
goods or services from a video tape
service provider.” 18 U.S.C. § 2710(a)(1).
21. 2012 VPPA Amendment
• The VPPA was amended in December 2012 to allow video service providers to obtain consent
electronically over the internet for a 2-year advance period with certain requirements. It
requires a separate consent (outside of a Terms of Use and Privacy Policy).
• Section 2710(b)(2)(B) was amended to permit electronic consent. Video Service Providers can
share information with the user’s informed consent as follows:
– written consent that
• Is in a form distinct and separate from any form setting forth other legal or financial
obligations of the consumer;
• At the election of the consumer;
• Is given at the time the disclosure is sought; or
• Is given in advance for a set period of time, not to exceed 2 years or until consent is
withdrawn by the consumer, whichever is sooner and
– the video tape service provider has provided an opportunity, in a clear and
conspicuous manner, for the consumer to withdraw on a case-by-case basis or
to withdraw from ongoing disclosures, at the consumer's election.
22. In re Hulu Privacy Litigation Background
• Case filed in 2011.
• August 2012: Two motions to dismiss based on lack of
harm and other statutory defenses failed.
• December 2013: Hulu’s motion for summary judgment
based upon lack of harm failed.
• April 28, 2014: Hulu’s motion for summary judgment re: no
disclosures of PII under the VPPA granted as to comScore
claims, denied as to Facebook.
23. April 28, 2014, Hulu Court dismisses Plaintiff’s comScore
claims but denies MSJ as to Facebook
• Takeaways:
– Unique identifiers plus specific titles to data analytics firm – not
a disclosure of PII under the VPPA
– Facebook ID + specific video titles may be PII if Hulu knew that
cookies provided this data before user hit the “Like” button.
– Metrics and advertising not “incident to the ordinary course of
business”
– Dicta: Unique identifiers depending on context could be PII
under VPPA – just not in this case.
24. In re Hulu Privacy Litigation: Motion for Class
Certification Denied (June 17, 2014)
• Plaintiffs sought to certify a Facebook class:
– All Hulu and Facebook users that involved disclosures of Facebook’s
c_user cookie (i.e., Facebook cookie that relays information to
Facebook for users that have checked the box to always stay logged
into Facebook and use the same browser to access Hulu).
• Court denied class, without prejudice. Class not ascertainable.
25. In re Nickelodeon Consumer Privacy Litig.,
(D.N.J. July 2, 2014) (granting motion to dismiss)
• The claims were against Google and Viacom for data collected
through the Nickelodeon and other Viacom Apps. Google not a
VTSP – all claims dismissed.
• Viacom only disclosed “anonymous information” (e.g., “anonymous
username; IP address; browser setting; ‘unique device identifier’;
operating system; screen resolution; browser version”). Not PII
under the VPPA.
• Leave to amend granted for VPPA claim and intrusion upon
seclusion against Viacom. Wiretap and SCA claims dismissed with
prejudice.
26. More VPPA Cases to Come
• Six VPPA Class Action Lawsuits were filed in February–September 2014:
– February 17, 2014: Perry v. Cable News Network, Inc. et al., No. 1:14-cv-1194 (N.D. Ill.): On August 25, 2014, the
United States District Court for the Northern District of Illinois entered an order transferring this case to the United
States District Court for the Northern District of Georgia based upon the stipulation of the parties. The order was
executed on September 12, 2014.
– February 19, 2014: Ellis v. The Cartoon Network Inc., No. 1:14-cv-00484 (N.D. Ga.): On June 6, 2014, The Cartoon
Network filed a motion to dismiss on the grounds that (1) the disclosure of a serial number for a machine alone is not
PII under the VPPA; (2) the VPPA does not apply because the plaintiff is not a “consumer” as defined by the VPPA; and
(3) the plaintiff did not allege that he has suffered any injury. The motion is fully briefed, but a hearing has not yet
been set.
– March 13, 2014: Locklear v. Dow Jones, No. 1:14-mi-99999-UNA (N.D. Ga.): On June 23, 2014, Dow Jones filed a
motion to dismiss, on the grounds that (1) the disclosure of a serial number for a machine alone is not PII under the
VPPA; (2) the VPPA does not apply because the plaintiff is not a “consumer” as defined by the VPPA; and (3) the
plaintiff did not allege that he has suffered any injury. The motion is fully briefed, but a hearing has not yet been set.
27. More VPPA Cases to Come
– March 28, 2014: Eichenberger v. ESPN, No. 2:14-cv-00463 (W.D. Washington): On July 31,
2014, ESPN filed a motion to dismiss, on the grounds that (1) plaintiff failed to allege any
disclosure of PII and (2) that plaintiff is not a “consumer” under the VPPA. The motion is fully
briefed, but a hearing has not yet been set.
– June 9, 2014: Robinson v. Disney, No. 14-cv-4146 (S.D. N.Y.): On August 23, 2014, plaintiffs
filed an amended complaint to properly name the Disney entity sued. On September 12,
2014, Disney filed a motion to dismiss, on the grounds that (1) plaintiff failed to allege any
disclosure of PII and (2) that plaintiff is not a “consumer” under the VPPA. Disney has
requested oral argument, but a hearing has not yet been set.
– August 22, 2014: Austin-Spearman v. AMC Network Entertainment LLC, No. 14-cv-6840 (S.D.
N.Y.): On September 15, 2014, the court entered an order extending the time for AMC to
answer or move to dismiss the complaint until October 23, 2014.
29. VPPA Compliance: Degrees of Risk
Keep video titles in referrer headers and use plugins that have tracking capabilities.
Use a landing page similar to Netflix to obtain user consent electronically.
Use subject matter of video in referrer headers (e.g., engineering, transport, shipping).
Obtain “informed written consent” per the VPPA.
Do not use titles of videos in referrer headers.
Do not use social networking plug-ins.
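Whether a video title actually leaves the site in a referrer header can be checked mechanically. The following is an added example, not part of the presentation: it goes beyond the slide by modelling the standard Referrer-Policy values and computing the Referer a browser would send to a third-party plug-in host. The URLs, host names and title slug are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample values: a video page whose path carries the title slug,
# and a third-party plug-in script loaded from that page.
PAGE_URL = "https://video.example.com/watch/the-big-heist-2014?autoplay=1#t=30"
THIRD_PARTY = "https://plugin.social.example.net/like.js"
TITLE_SLUG = "the-big-heist-2014"


def origin_of(url):
    """scheme://host[:port] with any userinfo dropped (default ports not normalised)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1].lower()}"


def stripped_url(url):
    """The page URL as a Referer would carry it: no fragment, no userinfo."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{origin_of(url)}{p.path or '/'}{query}"


def referer_sent(page_url, target_url, policy):
    """Referer value for a request from page_url to target_url, or None if omitted."""
    same_origin = origin_of(page_url) == origin_of(target_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    full, origin = stripped_url(page_url), origin_of(page_url) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def leaks_title(page_url, target_url, policy, slug=TITLE_SLUG):
    """True when the title slug would reach the target host via the Referer header."""
    sent = referer_sent(page_url, target_url, policy)
    return sent is not None and slug in sent


def audit(page_url, target_url, policies):
    """Map each policy name to whether the title leaks under it."""
    return {p: leaks_title(page_url, target_url, p) for p in policies}


if __name__ == "__main__":
    report = audit(PAGE_URL, THIRD_PARTY, [
        "unsafe-url", "no-referrer-when-downgrade",
        "strict-origin-when-cross-origin", "origin", "no-referrer"])
    for policy, leak in report.items():
        print(f"{policy:34} title reaches third party: {leak}")
```

A policy that sends only the origin keeps the title out of the header, but a plug-in script running in the page can still read the page URL itself, which is why the list treats the plug-ins as a separate item.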
30. Takeaways
• The plaintiffs’ bar is attracted to privacy claims that
carry statutory damages.
• They have been able to overcome motions to
dismiss based on lack of Article III standing by
alleging statutory violations.
• More litigation is likely to follow.
32. FCC New Regulations Effective October 16, 2013
• Prior express written consent is needed before
commercial telemarketing texts may be sent.
– User must agree to receive autodialed text messages
and evidence understanding that agreement is not a
condition of using the service. 47 C.F.R. 64.1200
– TCPA class actions were up 70% last year. According
to InsideARM, 785 TCPA cases were filed in 2012; 1385 were filed
in 2013.
36. Regulatory Initiatives Regarding Mobile Apps
Five Mobile Guidances Were Released in 2013:
All Call for Just in Time/Short Form Notice
• CA AG Guidance – issued 1/10/2013
• FTC Guidance – issued 2/1/2013
• Article 29 Working Group – issued 3/2013
• NTIA Guidance – issued 7/2013
• DAA Guidance – issued 7/2013
• Just in Time/Short Form Notice: Notice for collection of sensitive data must be
“Just in Time,” in short form, above and beyond the privacy policy.
• PII: includes unique identifiers.
37. In re Fandango
(FTC Announced Settlement March 28, 2014)
• Failure to secure mobile app credit card information.
• Alleged unreasonable security for failure to
– Validate Secure Sockets Layer (SSL) certificates, to prevent interception
by hackers when users used open networks.
– Provide sufficient protection for data while at rest.
38. Practice Pointer: Focus on “Readability”
• Use icons – California AG and FTC recommend it.
– See, e.g., CA AG, Making Your Privacy Practices Public at p. 10
– See also:
• CA AG, Privacy on the Go at p. 11 (“Graphics or icons can help users to
easily recognize privacy practices and settings”);
• FTC, Mobile Privacy Disclosures at p. 17 (“Consider developing icons to
depict the transmission of user data”); and
• FTC, Protecting Consumer Privacy in an Era of Rapid Change at p. 62
(“… icons … show promise as tools to give consumers the ability to compare
privacy practices among different companies”)
40. EU Cookie Rules
• A separate EU directive governs the collection and use of personal
data through the use of cookies and similar technologies
• Like the data protection national laws, the cookie national laws are
broadly similar across the EU, although there are some divergences
• The EU cookie rules require website operators to:
– provide clear notice about cookies and their purposes; and
– obtain users’ consent to cookies,
before any cookies are set
41. EU ePrivacy Directive
• Not limited to cookies!
• No distinction between types of technologies used
to store or retrieve information on users’ devices
(e.g., cookies, web beacons, flash cookies, GIFs)
– No distinction between different types of cookies (e.g.,
functionality, performance, targeting), with the exception
of cookies deemed “strictly necessary”
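One way to enforce "consent before any cookies are set" together with the "strictly necessary" exception, as an added example that is not part of the presentation: a WSGI middleware that withholds every Set-Cookie header unless the cookie is registered as strictly necessary or the user has consented to its purpose. The cookie names, purpose labels, registry and the `cookie_consent` cookie format are hypothetical.

```python
from http.cookies import CookieError, SimpleCookie

STRICTLY_NECESSARY = "strictly-necessary"

# Hypothetical registry of every cookie the site sets and why it is set.
COOKIE_PURPOSES = {
    "session_id": STRICTLY_NECESSARY,
    "cookie_consent": STRICTLY_NECESSARY,
    "lang": "functionality",
    "_perf": "performance",
    "ad_id": "targeting",
}
KNOWN_PURPOSES = set(COOKIE_PURPOSES.values())

# Constructed Set-Cookie values an application might emit on a first visit.
SAMPLE_SET_COOKIES = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "_perf=1; Max-Age=31536000; Path=/",
    "ad_id=u-42; Domain=.example.com; Path=/",
    "mystery=1; Path=/",  # not in the registry
]


def cookie_name(set_cookie_value):
    """Name of the cookie in one Set-Cookie value, or None if it cannot be parsed."""
    jar = SimpleCookie()
    try:
        jar.load(set_cookie_value)
    except CookieError:
        return None
    names = list(jar)
    return names[0] if len(names) == 1 else None


def gate_set_cookie(set_cookie_values, consented):
    """Split Set-Cookie values into (allowed, withheld) for the given consent set."""
    allowed, withheld = [], []
    for value in set_cookie_values:
        purpose = COOKIE_PURPOSES.get(cookie_name(value))
        # Unregistered or unparseable cookies have no purpose and are withheld.
        ok = purpose == STRICTLY_NECESSARY or (purpose is not None and purpose in consented)
        (allowed if ok else withheld).append(value)
    return allowed, withheld


def consent_from_request(environ):
    """Purposes the user agreed to, read from the hypothetical cookie_consent cookie."""
    jar = SimpleCookie()
    try:
        jar.load(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return set()
    morsel = jar.get("cookie_consent")
    if morsel is None:
        return set()
    return set(morsel.value.split(".")) & KNOWN_PURPOSES


class ConsentGate:
    """WSGI middleware that strips Set-Cookie headers lacking consent."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        consented = consent_from_request(environ)

        def gated_start(status, headers, exc_info=None):
            cookies = [v for k, v in headers if k.lower() == "set-cookie"]
            allowed, _ = gate_set_cookie(cookies, consented)
            kept = [(k, v) for k, v in headers if k.lower() != "set-cookie"]
            kept += [("Set-Cookie", v) for v in allowed]
            return start_response(status, kept, exc_info)

        return self.app(environ, gated_start)
```

This covers HTTP cookies only; because the directive draws no distinction between storage technologies, script-set cookies, web beacons and local storage need the same gate on the client side.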
43. Prominent Pop-Up Notices
• A pop-up notice that explains that cookies are used and provides a link to more
information.
• May (or may not) request that the user consents to the website’s use of
cookies.
(source: Everything Everywhere)
44. Banner Notices
• A banner that informs users that cookies are used, and provides a link to further
information on those cookies.
(source: NatWest)
45. Practical Guidance
[Diagram: five numbered steps (1 to 5). Labels shown: Local Terms; Global Terms; Managing Consent; Audit; Managing Compliance; Governance; Security; Train regarding your policies; Involve All Related Players; Repeat.]
♦ How is Big Data being used?
♦ Risk Avoidance and Mitigation
♦ Protocols
♦ Policies
♦ Procedures
♦ Compliance with laws and companies’ best practices
♦ Technological
♦ Policy
46. Big Data Risks
• Alienating customer / brand degradation
– 89% of internet users have stopped using a website over privacy concerns
– “creepy”
– data collection is unexpected or depth of analysis is unanticipated
• “Personalization” of content can lead to discrimination
• Aggregated data may not be anonymous after all
47. Big Data Quality Risks
• Working with stale data
– location data gets stale quickly
– data point may be relevant only for small period of time
• Algorithms are not infallible
– you may be relying on inaccurate conclusions
• Data cannot be verified by data subject
– data subjects may not be able to confirm, modify, review or even access data
48. Legal Risks of Big Data
• Transparency and notice
– Difficulty of providing effective notice
– Companies often collect data before they have real understanding of how they will use it
– Onward transfers; first party versus third party
• Consent and choice
– Data subjects lack understanding of the implications of consent
– May have no opportunity to opt-out
• Security
49. Risks of Collecting Sensitive Data
• Loss of data could trigger state data breach notification laws
– Credit card, bank account, Social Security Numbers, driver’s license numbers
• Children’s data
– COPPA
– FERPA
– State laws re: marketing to children
• Health data
50. Industry-Specific Risks
• Educational technology sector
– 36 states introduced legislation to curb collection of student data this year
• Financial institutions
– GLBA
• Credit and employment screening
– FCRA
52. FTC Act Fundamentals
• Section 5 of the Federal Trade Commission Act broadly prohibits “unfair
or deceptive acts or practices in or affecting commerce.”
– Deception: a material representation or omission that is likely to mislead
consumers acting reasonably under the circumstances.
– Unfairness: practices that cause or are likely to cause substantial injury to
consumers not reasonably outweighed by countervailing benefits to
consumers or competition.
• Flexible law that can be applied to many different situations, entities,
and technologies
53. FTC Act
• To comply, you should:
– Handle consumer information in a way that's
consistent with your promises.
– Avoid practices that create an unreasonable risk
of harm to consumer data.
54. FTC Background: Authority
Other statutes and rules apply in particular circumstances:
• Safeguards Rule (implements Gramm-Leach-Bliley Act): “Financial Institutions” must ensure
the security and confidentiality of sensitive customer information.
• Fair Credit Reporting Act (FCRA): Requires specific handling and reporting when using
data for certain purposes (e.g., offering credit, hiring).
• Red Flags Rule: Financial institutions/certain creditors must
implement program to detect identity theft “red flags.”
• Children’s Online Privacy Protection Act (COPPA): Requires reasonable security for
information collected from children online.
57. Law Enforcement: Guiding Principles
• Security must be reasonable and appropriate in light of
the circumstances.
• Breach doesn’t necessarily = lack of reasonable security.
• BUT no breach doesn’t necessarily = reasonable security.
• Data security is an ongoing process.
58. Some Common Privacy Failures
• Rolling out a new service or feature that increases sharing
without adequate notice and consent
• Misrepresenting with whom data is being shared
• Misrepresentations about tracking and opting out of
tracking
• Presenting false choices
59. Law Enforcement: Section 5 Deception
• Fandango and Credit Karma (2014): mobile security
• GeneWize (2013): oversight of service providers
• PLS Financial Services Inc. (2012): proper disposal and
training
• Goal Financial LLC (2008): data security policies
60. Law Enforcement: Section 5 Unfairness
• GMR Transcription Services (2014): oversight of service
providers
• Accretive Health Inc. (2013): laptop security; improper
access
• Ceridian Corporation (2011): service providers liable
61. Recent Settlement: Accretive Health (2013)
• Alleged that respondent failed to take reasonable and
appropriate measures to prevent against unauthorized access.
• Among other things:
– Transported laptops containing PII in manner that made them
vulnerable to theft/misappropriation;
– Did not adequately restrict access to PII based on employee's need
for info.;
– Didn't ensure that employees removed PII from computers for
which they no longer had a business need;
– Used consumers' PII in training sessions without ensuring that
this PII was removed from employees' computers after training.
62. Recent Settlement: Trendnet (2013)
• Alleged that respondent failed to provide reasonable security to prevent unauthorized access to the
live feeds from its IP cameras, which respondent offered to consumers for the purpose of
monitoring and securing private areas of their homes and businesses.
• Among other things:
– Transmitted user login credentials in readable text, even though free software is available that can
secure such transmissions.
– Stored login credentials in readable text on user's mobile device, even though free
software is available to secure these credentials.
– Failed to implement process to monitor security vulnerability reports from third-party
researchers, etc.
– Failed to employ reasonable and appropriate security in design/testing of IP software. Failed
to: (i) perform security review/testing of software at key points; (ii) implement reasonable
guidance/training for any employees responsible for security.
63. Recent Settlement: HTC (2013)
• Alleged that respondent failed to employ reasonable and appropriate security practices
in the design or customization of the software on its mobile devices.
• Among other things:
– Failed to implement adequate program to assess the security of products it
shipped to consumers.
– Failed to implement adequate privacy and security guidelines/training for its
engineering staff.
– Failed to conduct assessments, etc. to identify potential security vulnerabilities in
its mobile devices.
– Failed to follow well-known and commonly-accepted secure programming
practices.
– Failed to implement a process for receiving and addressing security vulnerability
reports from third-party researchers, etc.
64. Deceptive Privacy & Security Claims
• The FTC has brought cases against companies that
misrepresented their privacy & security procedures.
• Companies claimed to have strong procedures in place to
protect the information they collected. In fact, the
companies failed to anticipate or address substantial and
well-known security risks.
65. Deceptive Privacy & Security Promises
• Google
– Deceived consumers by using info collected from Gmail users to
generate and populate a new social network, Google Buzz, despite
claims to the contrary
– FTC charged that Gmail users’ associations with their frequent email
contacts became public without the users’ consent
– Order requires Google to implement a comprehensive privacy program
and conduct biennial audits for the next 20 years; obtain affirmative
express consent for any change to a product or service that makes
consumer info more widely available
66. Deceptive Privacy & Security Promises
• Twitter
– Provided privacy controls to users to keep private “tweets” and
nonpublic user info – including mobile phone numbers – private
– However, because of serious lapses in security, hackers obtained
unauthorized administrative control of Twitter, accessed private info,
and took over user accounts
– Order prohibits misrepresentations about the extent to which Twitter
protects the privacy of communications, requires reasonable security,
and mandates independent, comprehensive security audits
67. Fair Credit Reporting Act (FCRA)
• Credit transactions are extremely common in the U.S.
• Consumer reporting agencies collect public record info
(judgments, tax liens, criminal records), credit info,
employment info--both positive and negative
• The information is sensitive and subject to strict
privacy protections under the FCRA
68. Fair Credit Reporting Act (FCRA)
• Allows sharing of consumer information by consumer reporting
agency only if such sharing serves a permissible purpose.
• Permissible purpose generally
– Credit transaction
– Insurance
– Employment (with consent)
– Other uses with written consent of consumer
• Requires CRAs to maintain reasonable procedures to ensure
that users have a permissible purpose
69. Fair Credit Reporting Act (FCRA)
• Truncation rule: Requires that electronically printed
credit and debit card receipts must shorten -- or truncate
-- the account information. You may include no more
than the last five digits of the card number, and you must
delete the card’s expiration date.
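The truncation rule can be enforced as a last check before a receipt is printed. The following is an added example, not part of the presentation: it masks every Luhn-valid card number down to its last digits (five at most, four by default), removes expiration-date fields, and reports violations in text that has not been cleaned. The receipt text and field labels are constructed.

```python
import re

MAX_VISIBLE = 5  # the rule as stated above: no more than the last five digits

# 13 to 19 digits, optionally grouped with single spaces or hyphens.
# Assumption: the card number sits in its own field; digits that follow it
# directly on the same line would be read as part of one longer run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# "EXP 09/27", "Exp. Date: 09/2027", "Expires 09-27"
EXPIRY_RE = re.compile(
    r"\bexp(?:iry|ires|iration)?\.?(?:\s+date)?\s*:?\s*\d{2}\s*[/-]\s*\d{2,4}\b",
    re.IGNORECASE)

# Constructed receipt: the order number has 14 digits but fails the Luhn check.
SAMPLE_RECEIPT = "\n".join([
    "ACME CINEMA #0042",
    "Order 7731-2209-4410-08",
    "Card: 4111 1111 1111 1111",
    "Exp. Date: 09/27",
    "TOTAL $24.50",
])


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match, visible):
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # order or tracking number: leave untouched
    keep_from = len(digits) - visible
    return "*" * keep_from + digits[keep_from:]


def truncate_receipt(text, visible=4):
    """Return receipt text with card numbers masked and expiry fields removed."""
    if not 0 <= visible <= MAX_VISIBLE:
        raise ValueError(f"visible must be between 0 and {MAX_VISIBLE}")
    out = []
    for line in text.splitlines():
        new = PAN_RE.sub(lambda m: mask_pan(m, visible), line)
        new = EXPIRY_RE.sub("", new).rstrip()
        if new or not line.strip():  # drop only lines emptied by the redaction
            out.append(new)
    return "\n".join(out)


def violations(text):
    """List the truncation-rule problems found in receipt text."""
    found = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            found.append("card number shows more than five digits")
    if EXPIRY_RE.search(text):
        found.append("expiration date present")
    return found


if __name__ == "__main__":
    print(violations(SAMPLE_RECEIPT))
    print(truncate_receipt(SAMPLE_RECEIPT))
```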
70. Fair Credit Reporting Act (FCRA)
• Disposal rule: Requires anyone who obtains consumer report
information to use "reasonable" measures when disposing of it.
• Burn, pulverize, or shred papers and destroy or erase electronic files or
media containing consumer report information so they cannot be read or
reconstructed
• Service Providers/Third Parties:
– Contracts with record owners
– Direct liability as record owners through provision of service directly
to a person subject to the Rule.
– Contracting with legitimate document destruction companies,
outside records retention managers.
– Due diligence
71. Case Example: ChoicePoint, Inc.
• The FTC alleged that ChoicePoint failed to use
reasonable procedures to screen prospective
subscribers and monitor their access to sensitive
consumer data
• These failures allowed identity thieves posing as
legitimate businesses to obtain access to the personal
information of many consumers
• At least 800 cases of identity theft arose out of these
incidents.
72. Case Example: ChoicePoint, Inc.
• Record $10 million civil penalty for violations of the FCRA
• $5 million in consumer redress for identity theft victims
• Significant injunctive provisions
73. Case Example: Spokeo
• Spokeo collected personal information about consumers from hundreds of online and
offline data sources, including social networks. It merges the data to create detailed
personal profiles of consumers.
• The FTC alleged that Spokeo operated as a consumer reporting agency and violated the
FCRA by failing to make sure that the information it sold would be used only for legally
permissible purposes; failing to ensure the information was accurate; and failing to tell
users of its consumer reports about their obligation under the FCRA, including the
requirement to notify consumers if the user took an adverse action against the
consumer based on information contained in the consumer report.
• The FTC alleged that Spokeo deceptively posted endorsements of their service on news
and technology websites and blogs, portraying the endorsements as independent when
in reality they were created by Spokeo's own employees.
74. Case Example: Spokeo
• Settlement imposed an $800,000 civil penalty
• Settlement bars Spokeo from future violations of the
FCRA, and bars the company from making
misrepresentations about its endorsements or failing to
disclose a material connection with endorsers
75. Case Example: T.J. Maxx
• Stored personal information on, and transmitted it between and within,
in-store and corporate networks in clear text.
• Did not limit wireless access to its networks, allowing an intruder to
connect wirelessly to in-store networks without authorization.
• Did not require network administrators and others to use strong
passwords.
• Failed to limit access among computers and the internet, such as by using
a firewall to isolate card authorization computers.
• Failed to detect and prevent unauthorized access to computer networks
or to conduct security investigations, such as by patching or updating
anti-virus software or following up on security warnings and intrusion
alerts.
76. Some Common Remedies
• Injunction against misrepresentations;
• Comprehensive data security or privacy program appropriate to the company’s
size, nature of activities, and information collected;
• Third party assessments of these programs for up to 20 years;
• FTC monitoring of compliance;
• Other specific requirements, e.g., disclosures, privacy choices, data deletion, or
software updates; and
• Civil penalties for rule and order violations.
78. Information Security:
Four Points that Guide the FTC’s Enforcement
• Information security is an ongoing process.
• A company’s security procedures must be reasonable and
appropriate in light of the circumstances.
• A breach does not necessarily show that a company failed to
have reasonable security measures – there is no such thing as
perfect security.
• Practices may be unreasonable and subject to FTC
enforcement even without a known security breach.
79. Protecting Personal Information:
A Guide for Businesses
5 key principles:
1. Take stock. Know what personal information you have in your files and on your computers.
Know who has physical and electronic access to your files.
2. Scale down. Keep only what you need for your business.
3. Lock it. Protect the information that you keep.
4. Pitch it. Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents. Implement a plan for physical
security, electronic security, employee training and oversight of service providers.
80. Prioritizing Computer System Risks
• Check expert consensus lists that identify and offer defenses for the commonly
exploited vulnerabilities that pose the greatest risk of harm to your information
systems.
– The 20 Most Critical Internet Security Vulnerabilities (www.sans.org/top20): describes
vulnerabilities in Windows and UNIX. Has links to scanning tools and services at
www.sans.org/top20/tools.pdf.
– The 10 Most Critical Web Application Security Vulnerabilities (www.owasp.org): describes
common vulnerabilities for web apps and databases and the most effective ways to address
them. These vulnerabilities are as important as network issues.
• For more FTC tips, see Security Check: Reducing Risks to Your Computer Systems,
http://business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-systems.
81. Protecting Personal Information:
Tips on General Network Security Part 1 of 3
• Identify computers or servers where sensitive personal
information is stored.
• Identify all connections to these computers (e.g., Internet,
electronic cash registers, computers at your branch offices,
computers used by service providers to support your network,
digital copiers, and wireless devices like smartphones, tablets, or
inventory scanners).
• Assess the vulnerability of each connection to commonly known or
reasonably foreseeable attacks.
82. Protecting Personal Information:
Tips on General Network Security Part 2 of 3
• Don’t store sensitive consumer data on a computer with an
Internet connection unless it’s essential for your business.
• Encrypt sensitive data that you send to third parties over public
networks (like the Internet), and consider encrypting sensitive
data stored on your network or on portable storage devices.
Consider encrypting emails within your business that contain
personally identifying information.
• Regularly run up-to-date anti-virus and anti-spyware programs
on your network.
83. Protecting Personal Information:
Tips on General Network Security Part 3 of 3
• Check expert websites (e.g., www.sans.org) and software vendor
websites regularly, and implement policies for installing vendor-approved
patches.
• Consider restricting employees’ ability to download unauthorized
software.
• Scan computers on your network to identify and profile the
operating system and open network services. Disable services that
you don’t need.
• When you receive or transmit credit card or other sensitive
financial data, use Secure Sockets Layer (SSL) or another secure
connection to protect it in transit.
84. Contractors and Service Providers
• Before you outsource a business function (payroll, web hosting, data
processing, etc.) investigate the company’s data security practices and
compare their standards to yours. If possible, visit their facilities.
• Address security issues for the type of data your service providers
handle in your contract with them.
• Insist that your service providers notify you of any security incidents
they experience, even if the incidents may not have led to an actual
compromise of your data.
85. Incident Response Plans
• Have a plan to respond to security incidents. Designate a senior staff member to
coordinate and implement the plan.
• If a computer is compromised, disconnect it immediately from your network.
• Investigate security incidents immediately and take steps to close off existing
vulnerabilities or threats to personal information.
• Consider whom to notify in the event of an incident, both inside and outside your
organization. You may need to notify consumers, law enforcement, customers,
credit bureaus, and other businesses that may be affected by the breach. In
addition, many states and the federal bank regulatory agencies have laws or
guidelines addressing data breaches. Consult your attorney.
86. Outsourcing
• Businesses subject to U.S. laws that outsource personal
information retain responsibility for ensuring that there are
reasonable procedures in place to safeguard that information.
– This responsibility is the same whether the service
provider is located within the U.S. or offshore.
87. Data Brokers and the FTC Report
• FTC issued a report analyzing data from nine data brokers
• Data Brokers Collect Consumer Data from Numerous Sources, Largely Without Consumers’
Knowledge, and Collect and Store Billions of Data Elements on Nearly Every U.S. Consumer
• The Data Broker Industry is Complex, with Multiple Layers of Data Brokers Providing Data to Each
Other
• Data Brokers Combine and Analyze Data About Consumers to Make Inferences About Them,
Including Potentially Sensitive Inferences, and Combine Online and Offline Data to Market to
Consumers Online
• To the Extent Data Brokers Offer Consumers Choices About Their Data, the Choices are Largely
Invisible and Incomplete
88. Findings from Data Broker Report
• Data brokers collect consumer data from extensive online and offline sources, largely without consumers’
knowledge, ranging from consumer purchase data, social media activity, warranty registrations, magazine
subscriptions, religious and political affiliations, and other details of consumers’ everyday lives.
• Consumer data often passes through multiple layers of data brokers sharing data with each other. In fact,
seven of the nine data brokers in the Commission study had shared information with another data broker in
the study.
• Data brokers combine online and offline data to market to consumers online.
• Data brokers combine and analyze data about consumers to make inferences about them, including
potentially sensitive inferences such as those related to ethnicity, income, religion, political leanings, age,
and health conditions. Potentially sensitive categories from the study are “Urban Scramble” and “Mobile
Mixers,” both of which include a high concentration of Latinos and African-Americans with low incomes.
The category “Rural Everlasting” includes single men and women over age 66 with “low educational
attainment and low net worths.” Other potentially sensitive categories include health-related topics or
conditions, such as pregnancy, diabetes, and high cholesterol.
89. Findings from Data Broker Report
• Many of the purposes for which data brokers collect and use data pose
risks to consumers, such as unanticipated uses of the data. For example, a
category like “Biker Enthusiasts” could be used to offer discounts on
motorcycles to a consumer, but could also be used by an insurance
provider as a sign of risky behavior.
• Some data brokers unnecessarily store data about consumers indefinitely,
which may create security risks.
• To the extent data brokers currently offer consumers choices about their
data, the choices are largely invisible and incomplete.
91. FTC Guidance
General Information
Visit www.business.ftc.gov for more information
Mobile
Mobile App Developers: Start with Security
http://www.business.ftc.gov/documents/bus83-mobile-app-developers-start-security
Marketing Your Mobile App: Get It Right from the Start
http://www.business.ftc.gov/documents/bus81-marketing-your-mobile-app
Mobile Privacy Disclosures Staff Report: Building Trust Through Transparency
http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf
Children’s Online Privacy Protection Act (COPPA)
COPPA: A Six-Step Compliance Plan for Your Business
http://www.business.ftc.gov/documents/bus84-childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business
Complying with COPPA: Frequently Asked Questions
http://www.business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions