This document discusses recent developments in consumer privacy law as it relates to e-commerce. It summarizes that states have passed numerous privacy laws since 9/11, with Vermont and New Mexico passing laws requiring opt-in consent for sharing financial and health information with third parties. It also discusses the FTC's guidelines for information security programs and considerations for website privacy policies, including passive and active data collection, relationships with third parties, satisfying notice requirements, and jurisdiction.
1. E-Commerce
Latest Developments in Consumer Privacy
Brian Hengesbaugh
Baker & McKenzie (Chicago office)
312-861-3077
brian.hengesbaugh@bakernet.com
www.bakernet.com/ecommerce
2. E-Commerce
“BIG PICTURE”
• State Law Developments
• Information Security Programs
• Privacy Considerations in Developing and Managing a Website
Baker & McKenzie -- Global E-Commerce Law
3. E-Commerce
STATE LAW DEVELOPMENTS
• Legal Context
– GLB, FCRA, HIPAA all minimum standards
– States invited to do more, so long as not “inconsistent”
– States as laboratories
4. E-Commerce
Post September 11
• Legislative Interest in Privacy
– 750+ state privacy bills
– 50+ state financial privacy bills
– 85+ federal privacy bills
5. E-Commerce
Vermont Regulation
• Financial and Health Information
• Opt-in for nonaffiliate sharing
• Legal challenge by ACLI, AIA, and more
– exceeds authority
– violates intent of law
• Chances of success???
6. E-Commerce
New Mexico Regulation
• Financial and Health Information
• Opt-in for nonaffiliate sharing
• Any legal challenge?
7. E-Commerce
California, Illinois, New York, and others considering more
– Opt-in measures for nonaffiliate sharing
– Limits on sharing within affiliated groups (e.g. prior CA bill)
– Driving force for federal preemption?
– Financial privacy commission and moratorium on new state laws (HR 3068)
8. E-Commerce
California -- Social Security Numbers
• Restrictions on:
– transmitting SSNs over Internet
– printing SSNs on mailed materials
• July 1, 2002 implementation, but grandfather for existing practices if:
– continuous
– notice of right to opt-out
– individual does not opt-out
9. E-Commerce
INFORMATION SECURITY PROGRAMS
• Final Interagency Guidelines Establishing Standards for Safeguarding Customer Information (February 1, 2001)
• FTC Proposed Standards for Safeguarding Customer Information (Comment Period Closed October 9, 2001)
10. E-Commerce
Focus on Process
• Due diligence is 90% of battle (checklist)
• STEP 1: Conduct comprehensive assessment that examines:
– internal and external threats
– sensitivity of data
– potential damage
11. E-Commerce
Focus on Process (cont.)
• STEP 2: Assess sufficiency of existing policies and procedures:
– access controls on systems and encryption
– physical access restrictions
– automatic reviews of system modifications
– technological and environmental hazards
– Subjective Standard: “. . . adopt those measures the bank considers appropriate”
12. E-Commerce
Focus on Process (cont.)
• STEP 3: Take appropriate organizational and administrative actions:
– written information security program
– involve board of directors
– implement a system for regular testing
– information security officer
– service provider arrangements*
13. E-Commerce
Service Provider Arrangements
• Due diligence in selecting SPs
• Establish contract to meet “objectives” of Guidelines*
• Where appropriate, ongoing monitoring (or review SAS 70 or similar report)
14. E-Commerce
Contract with SPs
• Key Issues:
– Appropriate measures to meet “objectives” of Guidelines (full compliance not required) (e.g., board of directors)
– Overly strict limits on use and disclosure
– Scope of “information” covered
15. E-Commerce
WEBSITE PRIVACY ISSUES
• Context: entire privacy and consumer protection legal framework PLUS online application of that framework
• FTC and State AG dedication to enforcement
16. E-Commerce
Website Privacy Issues
• Passive and active collection
• Relationships with third parties
• Satisfying GLB notice requirements
• Jurisdiction
17. E-Commerce
Passive and Active Collection
• Passive collections -- cookies, web bugs, IP addresses, clickstream data, etc.
– “wooden” obligations to notify under GLB
– broader notification obligations under consumer protection statutes (e.g. Michigan AG and New Jersey AG)
• Active collections
– “unfriendly” GLB language for policy
18. E-Commerce
Relationships with Third Parties
• Support Services
– Internet Service Providers
– Web hosting services
– Application Service Providers
– Data analysis firms (Toys R Us)
– *GLB security guidelines apply*
19. E-Commerce
Relationships with Third Parties (cont.)
• Marketing/ Advertisers
– 3rd party advertisers (NAI principles)
– Framing and co-branded websites
– Joint marketers
20. E-Commerce
Satisfying GLB Notice Requirements Electronically
– Reasonable expectation of receipt
– Customer agrees
– Obtains financial product or service electronically
– Retention and accessibility
21. E-Commerce
Jurisdiction
• Reach of New Mexico and Vermont
• Zippo analysis
• How do you know who you are dealing with?
22. E-Commerce
General Website Tips
• Know what you are collecting
• Know what your service providers are doing
• Disclose, disclose, disclose
• Keep it simple; avoid flowery language
• Keep it flexible; avoid the “never” trap
• Be mindful of jurisdiction
23. E-Commerce
Keep track of privacy developments at:
www.bakernet.com/ecommerce
www.bakernet.com/e-law (weekly newsletter)
Baker & McKenzie
One E-Commerce World. One Firm. Connected.
For companies moving with change