Slideshow to accompany co-sponsored panel from IAB Ad Lab and Cowan, DeBaets, Abrahams & Sheppard LLP. Participants: Joshua B. Sessler, Eleanor M. Lackman, Sarah Hudgins. For more entertainment and digital media law analysis, go to: http://cdas.com/legal/
4. Agenda
• Technical and Commercial Landscape
• Current Trends in the Law
• US Position on Data Gathering and Compliance Guidelines
• Industry Self-Regulation and Certification
• Questions and Discussion
• Networking
5. Cookies
• Cookies
• Small text files stored on your computer by your Web browser
• Set by a web server (or by script on the page) and sent back by the browser with every later request to that site, which gives the server continuity across otherwise stateless page loads
• Without them, important web functionality (logins, shopping carts) would be lost
• Originally designed to let retailers remember shopping cart contents
• Now also used to store preferences, personalize content, run analytics and target advertising
• A cookie set by a domain other than the page being visited (a “third-party cookie”) lets that domain recognize the same user on every site that embeds its content
• Web Beacons
• Many terms: web bug, tag, tracking pixel, clear GIF
• Placed on web pages and in emails, usually as tiny transparent images, or as “frames” or scripts
• Frames and scripts allow third-party sites to run code on the web page; an image beacon runs no code, but simply loading it makes the browser contact the third party
• That request itself reports the IP address of the computer that loaded the image, when it was loaded, the browser that was used (User-Agent), the page or email that embedded it (Referer), and any cookie the third party previously set
• HTML5 Web Storage (localStorage) and Flash Local Shared Objects – “super cookies”: they hold far more data than a cookie, are not removed by the browser’s cookie controls, and can be used to re-create an identifier after the user deletes the cookie
8. Consumer-Focused Privacy Tools
• PrivacyChoice – Launched 04/09.
– Self-funded (?).
– Premise: make managing online privacy easier for consumers and websites through the use of a suite of privacy tools.
• Personal.com – Launched 7/09
– $7.6 million - Grotech Ventures, Revolution LLC, Allen & Company
– Premise: web and mobile service that helps users take control of all their digital information, decide who gets access to it, and
use it for users’ benefit.
• Abine - Launched 6/10
– $5MM - Atlas Venture and General Catalyst.
– Premise: Provides products and privacy subscription services that allow users to regain control over their personal information
while continuing to interact and shop online. Includes the products Do Not Track Plus, DeleteMe, and the PrivacySuite.
• Disconnect.me - Launched 10/11.
– $600K - Highland Capital Partners, Charles River Ventures, and angel investors.
– Premise: We make simple tools to help users understand and control the data they share on the web. Created the Collusion plug-in
for Chrome and the Facebook, Twitter and Google Disconnect extensions.
• Dashlane – Launched 4/12.
– $5MM - Rho Ventures and FirstMark Capital.
– Premise: All-in-one password, form, and online purchase and checkout manager.
• Mega – latest entry from Kim Dotcom. Launched 1/20/13
– Unknown investment
– Premise: “The Privacy Company” file-storage and sharing system that encrypts files on the user’s computer before they are
uploaded to the site’s servers.
9. Congress and Consumers – worried about “little brother”
“A person who knows all of another’s travels can
deduce whether he is a weekly church-goer, a
heavy drinker, a regular at the gym, an unfaithful
husband, an outpatient receiving medical
treatment, an associate of particular individuals or
political groups – and not just one such fact about a
person, but all such facts.”
– United States v. Maynard (D.C. Cir. Aug. 6, 2010)
10. The Legal Landscape: A Hodgepodge of Laws
Federal Statutes
• Section 5 of the Federal Trade Commission Act
• Electronic Communications Privacy Act (ECPA)
• Computer Fraud and Abuse Act (CFAA)
• Video Privacy Protection Act (VPPA)
• Children’s Online Privacy Protection Act (COPPA)
State Laws
• California Online Privacy Protection Act
• Anti-spyware and/or transparency statutes in approx. 15 states
• Various deceptive trade practices statutes in every state
Common Laws (non-statutory)
• Invasion of privacy
• Breach of contract
11. Consumer Class Actions
• Usually fail right out of the starting gate
– Question: will lack of success encourage Congress to revise the laws?
• But some have defeated early dismissal (which usually leads
to settlement)
– Lack of transparency or failure to give notice of policy
• AOL: Privacy policy said that the service was “safe, secure and private”
• Facebook Beacon: Display of visits to third-party sites in news feeds without user
permission
– Failure to get approval of expanded uses or give choice to opt-out
• NebuAd (quiet policy revision), Google Buzz (disclosing information about
Gmail account usage), Fraley v. Facebook (“Sponsored Stories”)
– Failure to guard against security breach
• RockYou: Claimed failure to guard PII after breach
12. Government Actions
Federal Trade Commission (FTC) leads the way
• Sets out recommendations and principles (see FTC.gov), brings actions
and obtains settlements
• Frequent themes in FTC enforcement:
– Not complying with terms of policy/lack of transparency
• Frostwire (Oct. 2011), Compete, Inc. (Oct. 2012), MySpace (May 2012)
– Going too far outside scope/material changes without consent
• Sears (June 2009), Chitika (Mar. 2011), Epic Marketplace (Dec. 2012)
– Data security breaches
– Lack of consent for sensitive info (COPPA, financial, health)
Some state AGs (especially California) may be quite active
– December 2012: California AG files lawsuit in San Francisco Superior Court against Delta
Air Lines over the Fly Delta app for failure to comply with a warning letter requiring a
conspicuously posted privacy policy.
13. The Children’s Online Privacy Protection Act (COPPA)
• Serves to regulate the collection and use of children’s
information by Internet websites by requiring parental
consent
• Applies to websites that collect personal information from
children under age 13 – those sites that have actual
knowledge they’re collecting personal information from
children or that are directed to children
• Code of Federal Regulations provides factors FTC will consider
in determining whether a website is “directed to children”
• Must post privacy policies, must obtain parental consent
• Only the government (the FTC and state attorneys general) can bring actions; there is no
private right of action for individuals
14. COPPA: Enforcement (mainly FTC, State AG sometimes)
Collection of data without consent
• W3 Innovations (Aug. 2011) – first FTC enforcement case involving
mobile apps: alleged collection of email addresses from kids
without prior, verifiable parental consent
• Social networking sites (Xanga (2006), Imbee (2008), Skid-e-Kids
(2011)), fan sites (Sony BMG (2008), Artist Arena (2012)), online
worlds (Playdom, Inc. (2011))
15. COPPA: Enforcement (mainly FTC, State AG sometimes)
Use of data without consent
• EchoMetrix (Nov. 2010): Settles over charges that company failed to
tell parents that their kids’ info would be disclosed to marketers
• TeachMe (July 2012) (NJ Attorney General): Settles with 24x7 Digital, which
allegedly disclosed the user’s full name and mobile device ID to a
third-party data analytics firm without advance notice or parental
consent
16. COPPA: The New Rule, announced December 19, 2012
• FTC’s modifications include:
– Clarification that “personal information” requiring parental consent includes geolocation
information, photos and videos
– Expanded definition of “operator” to cover operators of child-directed site or service
where it allows outside services (such as plug-ins or ad networks) to collect personal
information
• But does not cover platforms that only offer access to others’ sites or services
– Extended coverage to persistent identifiers that can recognize users over time and
across different websites or online services (such as mobile device IDs)
– Strengthened data security protections by requiring that info be released only to third
parties that are capable of keeping it secure and confidential
• Rule contains a “safe harbor” provision that allows industry groups or
others to seek FTC approval of self-regulatory guidelines
– Those who participate will be subject to annual assessments
• New rule goes into effect July 1, 2013
17. The Joint Statement of Principles Between California and
Google, Apple, Amazon, HP, Blackberry, Microsoft and Facebook
• An app that collects PII from a user must conspicuously post a privacy
policy providing clear and complete information on how PII is collected,
shared and used
• Include in the submission process an optional field for the text of the PP or
a link thereto and enable access to the PP from the mobile app store
• Implement a means for users to report apps that do not comply with their
PP
• Implement a process for responding to incidents of such non-compliance
• NB: Remedies – Statutory fines – per app/per consumer
($2500/consumer/app)
18. Consumer Data Privacy in a Networked World: A Framework for Protecting
Privacy and Promoting Innovation in the Global Digital Economy
Released 2/23/12 by Department of Commerce
• Recommended the adoption of a new consumer privacy protection regime in the US
• Incorporated a proposed “Consumer Privacy Bill of Rights” that would apply to
personal data – i.e. any data linked to a specific individual, including data linked to a
specific computer or other device
• Proposed voluntarily created and implemented “Codes of Conduct” for businesses
that would be enforced by the FTC (under Section 5 of the FTCA)
• Department of Commerce working on establishing the parameters of Mobile privacy
via NTIA’s multistakeholder group
19. Mobile Data Collection Actors
• Apps – access to some device data with permission; may embed third-party code that inherits those permissions
• Platform (iOS, Android) – can record and transmit data
• Carrier – access to location and to all traffic to and from the device; carrier-installed software
such as Carrier IQ can modify the platform or apps
• Third parties (advertisers, analytics) – access to app, carrier and other
sources of information, with very little transparency or specific control over outgoing
information
• User – installs apps, downloads data, turns location services on or off
20. Pending Legislation
Omnibus Privacy
• Kerry/McCain ― Commercial Privacy Bill of Rights Act
• Data Security/Breach Notification ― Nine bills pending
• Do Not Track – Three bills pending
• Geotracking ― Two bills, including one from Sen. Franken
Specialized Privacy
• Do Not Track Kids Act (Rep. Markey)
21. Privacy Policy Recommendations (1/2)
• Generally
– Err towards describing collection practices for both PII AND Non-PII
– Err towards inclusion even if you don’t actually collect or use consumer information as
described (but you might) – PP is a ceiling not a floor. (Balance with PR impact)
– Adhere to the stated terms
– Use plain English with headings
– Make easily printable
– Consider treating information collected from consumers in different jurisdictions differently –
use different PP’s (note: risk of mistakes) or a unitary policy (of the most restrictive
jurisdiction)
• Changes to PP
– Either segregate data collected under the old PP and keep applying the old standards to it, or obtain explicit consent
from the individuals concerned before using it under the new PP (or both)
22. Privacy Policy Recommendations (2/2)
• Strategies to Minimize Exposure
– Review and audit your PP and practices
– Review third party contracts with entities that collect or provide PII to you
– Assess your practices with respect to behavioral advertising, including ad agencies and
other downstream providers
– Include indemnification provisions (deep enough pockets)
– Use arbitration provisions in consumer contracts (incorporate by reference
into TOS)
– Evaluate credit card practices (re: California law)
– Assess security practices
– Technological solutions (browser controls)
– Self regulation/best practices
– Consider insurance - Cyber/Privacy Risk
25. Disclaimer of Legal Advice and Representation
• The materials contained within this slideshow are provided for
informational purposes only, do not constitute legal advice, do not
necessarily reflect the opinions of CDAS or any of its lawyers or
clients, and are not guaranteed to be complete, correct, or up-to-date.
Nothing within this slideshow is intended to create an attorney-client
relationship between you and CDAS.
• Please do not send any confidential information to CDAS until after you
have received from us a written statement that we represent you in that
matter. If you communicate with us through our Website, by e-mail or
otherwise concerning a legal matter for which we do not already
represent you, your communication may not be treated as privileged or
confidential.