Mobile App Privacy and Policy Issues
Jason D. Haislmaier
jason.haislmaier@bryancave.com
May 2, 2013
Copyright 2013 Bryan Cave LLP

Mobile Data Privacy
Data Privacy Enforcement
Enforcement Under the FTC Act

Federal Trade Commission Act (15 U.S.C. 41, et seq.)
“Unfair or deceptive acts or practices”

• FTC Act contains no specific data security or privacy requirements
• Broad prohibition on “unfair or deceptive acts or practices in or affecting commerce” (Section 5)
• FTC has used this as a means to prosecute
  – Failures to implement “reasonable and appropriate” data security measures
  – Deceptive data privacy policies and promises
  – As constituting unfair or deceptive acts or practices
Data Privacy Enforcement
FTC Activity

• Trend toward increasing enforcement
  – More than 45 actions to date
  – More than 30 in the last 6 years
  – Many more investigated but not brought
• Covering largely electronically stored data and information
• Targeting security breaches as well as privacy violations
• Increasing trend toward mobile data privacy and security

Data Privacy Enforcement
Emerging Models for Compliance
Data Privacy Enforcement
Legislation by Consent Decree

• 20-year term
• Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity
• Conduct assessment of reasonably foreseeable, material security risks
• Establish comprehensive written information security and privacy program
• Designate employee(s) to coordinate and be accountable for the program
• Implement employee training
• Conduct biennial independent third-party security and privacy assessments
• Implement multiple record-keeping requirements
• Implement regular testing, monitoring, and assessment
• Undergo periodic reporting and compliance requirements
• Impose requirements on service providers

Not Just Enforcement . . .
Data Privacy Enforcement
Setting Standards for Privacy Practices

• FTC Report: Protecting Consumer Privacy in an Era of Rapid Change
  – Based on a yearlong series of privacy roundtables held by the FTC
  – Extensive comment period (more than 450 comments received)
  – Provides best practices for the protection of consumer privacy
  – Applicable to both traditional (offline) and online businesses
  – Intended to assist Congress as it considers privacy legislation
• White House Consumer Privacy “Bill of Rights”
  – Combined effort with the Department of Commerce and the FTC
  – Provides a framework for consumer privacy protections
  – Establishes principles covering personal data privacy
  – Modeled on principles adopted by organizations in Europe and Asia
Data Privacy Enforcement
Industry Codes of Conduct

• Consumer Privacy Bill of Rights promotes industry codes of conduct
• Voluntary “multi-stakeholder” process
  – Encourages an inclusive and transparent process
  – Commerce Department National Telecommunications and Information Administration (NTIA) to facilitate creation
  – Other federal agencies may also convene industry stakeholders
  – Industries can also convene stakeholders absent NTIA
• Enforcement authority
  – FTC to enforce codes of conduct
  – Violation constitutes a deceptive practice under Section 5 of the FTC Act
  – Adherence to codes to be looked upon “favorably” in FTC investigations
• Initial NTIA process is now ongoing
Increasing Focus on Mobile Privacy

Data Privacy Enforcement
Increasing FTC Focus on Mobile Privacy

• FTC Report: Mobile Apps for Kids (Feb. 16, 2012)
  – Large number of apps (75%) targeted at children (under 13)
  – Apps did not provide solid (or even any) privacy disclosures
  – Promised additional compliance reviews (under COPPA) over the following 6 months
• FCRA warning letters (Feb. 2012)
  – FTC sent letters to marketers of 6 mobile apps
  – Warned that apps may violate the Fair Credit Reporting Act (FCRA)
  – If apps provide a consumer report, they must comply with FCRA requirements
• FTC Workshops (throughout 2012)
  – Focusing on multiple mobile privacy topics (advertising, payments, children’s privacy, privacy disclosures, and others)
  – Input used as guidance for subsequent FTC reports and publications
Data Privacy Enforcement
Increasing FTC Focus on Mobile Privacy

• FTC Guide: Marketing Your Mobile App (Sept. 5, 2012)
  – Reiterates that the mobile market is no different from the Internet
  – Provides general guidelines and principles for mobile app developers
• FTC Report: Mobile Privacy Disclosures (Feb. 1, 2013)
  – Predicated on feedback from FTC mobile workshops
  – Recommendations for mobile best practices
  – Focused on app platforms
• FTC Report: Dot Com Disclosures (March 12, 2013)
  – Long-awaited update to the original release in 2000
  – Updated guidance not just on web sites, but also on mobile and social media activities
  – Establishes that the FTC does not agree with many current online advertising privacy disclosure practices

The FTC is not alone . . .
Data Privacy Enforcement
State Activity in Data Privacy and Security

• Multiple federal agencies have authority over data privacy and security
  – Health and Human Services (HHS)
  – Consumer Financial Protection Bureau (CFPB)
  – Federal Reserve
  – Department of Defense (DOD)
  – Department of Transportation (DOT)
  – And many, many others…
• Many states also have relevant laws on the books
  – State consumer protection statutes (all 50 states)
  – Data breach notification statutes (at least 46 states, DC, and various US territories)
  – Data safeguards statutes (significant minority of states)
  – Data privacy statutes
Kamala D. Harris, Attorney General of California (2011)

Cal. Data Privacy Enforcement
California Online Privacy Protection Act (Cal OPPA)

• Enacted in July 2004 (Cal. Bus. & Prof. Code §§ 22575-22579)
• Applies to operators of any “commercial Web site or online service that collects personally identifiable information through the Internet” from a consumer residing in California
• Requires conspicuous posting of a “reasonably accessible” privacy policy
• Privacy policy must detail
  – Kinds of information gathered
  – How the information may be shared with other parties
  – Process for the user to review and change information (if such a process exists)
• Effectively operates as a federal law
• Quickly became a de facto national requirement
• Amendment recently proposed to mandate simplified privacy policies
Cal. Data Privacy Enforcement
Application of Cal OPPA to Mobile Privacy

• California AG announces “Joint Statement” of principles (Feb. 22, 2012)

“It is the opinion of the Attorney General that the California Online Privacy Protection Act requires mobile applications that collect personal data from California consumers to conspicuously post a privacy policy.”

Cal. Data Privacy Enforcement
Application of Cal OPPA to Mobile Privacy

• California AG announces “Joint Statement” of principles (Feb. 22, 2012)
• Statement joined by leading mobile platforms: Amazon, Apple, Google, Hewlett-Packard, Microsoft, Research In Motion, and later Facebook
• Agreed-upon set of privacy principles for mobile applications
  – Specific privacy notice and consent requirements
  – Adoption of privacy-by-design principles for app development
  – Implementation of a process for policing app publishers
  – Commitment to work with the California AG to continue to develop best practices
• Goals of fostering innovation, promoting transparency, and facilitating compliance with applicable privacy laws
• Not intended “to impose legally binding obligations on the Participants or affect existing obligations under law”
Cal. Data Privacy Enforcement
California Mobile Privacy Protection Unit

• California AG announces formation of new Privacy Enforcement and Protection Unit (July 19, 2012)
• Charged with enforcement of laws relating to online privacy, health privacy, financial privacy, identity theft, government records, and data breaches
• Also will conduct education and outreach regarding privacy issues
• Hoof beats of more aggressive enforcement of California privacy laws . . .

Cal. Data Privacy Enforcement
Tweet from Kamala Harris, Attorney General of California, Oct. 12, 2012, 08:27 AM
Cal. Data Privacy Enforcement
California’s Shot Across the Bow

• California AG issues “non-compliance letters” to 100 mobile application developers (October 30, 2012)
• Big names included United Airlines, Delta Airlines, and OpenTable
• Asserted mobile applications were not compliant with Cal OPPA
• Issued 30-day notice to comply (per Cal OPPA)

“An operator of a mobile application . . . that uses the Internet to collect PII is an ‘online service’ within the meaning of Cal OPPA”

“Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is ‘reasonably accessible’ to the user within the app.”

“Violations . . . may result in penalties of up to $2,500 for each violation, i.e., for each copy of the unlawful app downloaded by California consumers.”

Cal. Data Privacy Enforcement
Actions Under Cal OPPA

• Cal OPPA itself is silent as to enforcement
• Violations of Cal OPPA provide a basis for claims under California’s Unfair Competition Law (Cal. Bus. & Prof. Code § 17200 et seq.)
• Allows the State AG to bring claims
  – For “unlawful, unfair, or fraudulent” business acts or practices
  – Up to $2,500 per violation
• Also permits the possibility of actions by individual consumers
• California AG made it clear she would not hesitate to bring enforcement actions under Cal OPPA via California’s Unfair Competition Law
Cal. Data Privacy Enforcement
People of the State of California v. Delta Air Lines, Inc.
No. CGC-12-526741 (Cal. San Francisco Sup. Ct.)
Filed: December 6, 2012

Cal. Data Privacy Enforcement
California Drops the Hammer on Delta

• "Fly Delta" app collects user's personal information
  – Full name
  – Telephone number
  – Email address
  – Frequent flyer account number and PIN code
  – Photographs
  – Geo-location information
• Contains no in-app privacy policy
• Policy at www.delta.com is likewise insufficient to cover the app
  – Does not cover the app
  – Not “reasonably accessible” from the app
  – Does not disclose collection of geo-location information or photographs
Cal. Data Privacy Enforcement
California Drops the Hammer on Delta

• State alleges app was downloaded “millions of times”
• State seeks $2,500 per non-compliant download
• Delta has moved to dismiss
• Substantive hearing continued until May 9, 2013

Cal. Data Privacy Enforcement
Additional Activity by California

• California issued its own mobile privacy recommendations (Jan. 10, 2013)
• Includes numerous detailed best practices for mobile platforms and developers
• Best practices explicitly “offer greater protection than afforded by existing law”
• Two key principles:
  – Minimize surprises to users due to unexpected practices
  – Share accountability across platform manufacturers, operating system developers, mobile carriers, ad networks, and app developers
Mobile Privacy Enforcement
Where to Next?

• Mobile market is now treated no differently from the Internet
• Expect more state activity
• No single approach
  – Discussion
  – Legislation
  – Enforcement
• Particular focus on mobile apps directed at children
• Continued emergence of “guidelines” or “principles” for mobile app platforms and developers
• Increased opportunities for coordination between states, the FTC, and industry self-regulatory efforts

Thank You.
Jason Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
http://www.linkedin.com/in/haislmaier

Presentation ncsl - mobile privacy enforcement 130502 (as presented)

1. Mobile App Privacy and Policy Issues
Copyright 2013 Bryan Cave LLP
May 2, 2013
Jason D. Haislmaier
jason.haislmaier@bryancave.com

Mobile Data Privacy
2. Federal Trade Commission Act (15 U.S.C. 41, et seq)
“Unfair or deceptive acts or practices”

Data Privacy Enforcement: Enforcement Under the FTC Act
• FTC Act contains no specific data security or privacy requirements
• Broad prohibition on “unfair or deceptive acts or practices in or affecting commerce” (Section 5)
• FTC has used this as a means to prosecute
  – Failures to implement “reasonable and appropriate” data security measures
  – Deceptive data privacy policies and promises
  – Constituting unfair or deceptive acts or practices
3. Data Privacy Enforcement: FTC Activity
• Trend toward increasing enforcement
  – More than 45 actions to date
  – More than 30 in the last 6 years
  – Many more investigated but not brought
• Covering largely electronically stored data and information
• Targeting security breaches as well as privacy violations
• Increasing trend toward mobile data privacy and security

Data Privacy Enforcement: Emerging Models For Compliance
4. Data Privacy Enforcement: Legislation by Consent Decree
• 20 year term
• Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity
• Conduct assessment of reasonably-foreseeable, material security risks
• Establish comprehensive written information security and privacy program
• Designate employee(s) to coordinate and be accountable for the program
• Implement employee training
• Conduct biennial independent third party security and privacy assessments
• Implement multiple record-keeping requirements
• Implement regular testing, monitoring, and assessment
• Undergo periodic reporting and compliance requirements
• Impose requirements on service providers

Not Just Enforcement. . .
5. Data Privacy Enforcement: Setting Standards For Privacy Practices
• FTC Report: Protecting Consumer Privacy In An Era of Rapid Change
  – Based on a yearlong series of privacy roundtables held by the FTC
  – Extensive comment period (more than 450 comments received)
  – Provides best practices for the protection of consumer privacy
  – Applicable to both traditional (offline) and online businesses
  – Intended to assist Congress as it considers privacy legislation
• White House Consumer Privacy “Bill of Rights”
  – Combined effort with the Department of Commerce and the FTC
  – Provides a framework for consumer privacy protections
  – Establishes principles covering personal data privacy
  – Modeled off of principles adopted by organizations in Europe and Asia

Data Privacy Enforcement: Industry Codes of Conduct
• Consumer Privacy Bill of Rights promotes industry codes of conduct
• Voluntary “multi-stakeholder” process
  – Encourages inclusive and transparent process
  – Commerce Department National Telecommunications and Information Administration (NTIA) to facilitate creation
  – Other federal agencies may also convene industry stakeholders
  – Industries can also convene stakeholders absent NTIA
• Enforcement authority
  – FTC to enforce codes of conduct
  – Violation constitutes a deceptive practice under Section 5 of the FTC Act
  – Adherence to codes to be looked upon “favorably” in FTC investigations
• Initial NTIA process is now ongoing
6. Increasing Focus On Mobile Privacy

Data Privacy Enforcement: Increasing FTC Focus on Mobile Privacy
• FTC Report: Mobile Apps for Kids (Feb. 16, 2012)
  – Large number of apps (75%) targeted at children (under 13)
  – Apps did not provide solid (or even any) privacy disclosures
  – Promised additional compliance reviews (under COPPA) over the following 6 months
• FCRA Warning letters (Feb. 2012)
  – FTC sent letters to marketers of 6 mobile apps
  – Warned that apps may violate Fair Credit Reporting Act (FCRA)
  – If apps provide a consumer report, must comply with FCRA requirements
• FTC Workshops (throughout 2012)
  – Focusing on multiple mobile privacy topics (advertising, payments, children’s privacy, privacy disclosures, and others)
  – Input used as guidance for subsequent FTC reports and publications
7. Data Privacy Enforcement: Increasing FTC Focus on Mobile Privacy
• FTC Guide: Marketing Your Mobile App (Sept. 5, 2012)
  – Reiterates that the mobile market is no different from the Internet
  – Provides general guidelines and principles for mobile app developers
• FTC Report: Mobile Privacy Disclosures (Feb. 1, 2013)
  – Predicated on feedback from FTC mobile workshops
  – Recommendations for mobile best practices
  – Focused on app platforms
• FTC Report: Dot Com Disclosures (March 12, 2013)
  – Long-awaited update to original release in 2000
  – Updated guidance not just on web sites, but also on mobile and social media activities
  – Establishes that the FTC does not agree with many current online advertising privacy disclosure practices

The FTC is not alone. . .
8. Data Privacy Enforcement: State Activity in Data Privacy and Security
• Multiple federal agencies have authority over data privacy and security
  – Health and Human Services (HHS)
  – Consumer Financial Products Bureau (CFPB)
  – Federal Reserve
  – Department of Defense (DOD)
  – Department of Transportation (DOT)
  – And many, many others…
• Many states also have relevant laws on the books
  – State consumer protection statutes (all 50 states)
  – Data breach notification statutes (at least 46 states, DC, and various US territories)
  – Data safeguards statutes (significant minority of states)
  – Data privacy statutes
9. Kamala D. Harris, Attorney General of California (2011)

Cal. Data Privacy Enforcement: California Online Privacy Protection Act (Cal OPPA)
• Enacted in July 2004 (Cal. Bus. & Prof. Code §§ 22575-22579)
• Applies to operators of any “commercial Web site or online service that collects personally identifiable information through the Internet” from a consumer residing in California
• Requires conspicuous posting of a “reasonably accessible” privacy policy
• Privacy policy must detail
  – Kinds of information gathered
  – How the information may be shared with other parties
  – Process for user to review and change information (if such a process exists)
• Effectively operates as a federal law
• Quickly became a de facto national requirement
• Amendment recently proposed to mandate simplified privacy policies
10. Cal. Data Privacy Enforcement: Application of Cal OPPA to Mobile Privacy
• California AG announces “Joint Statement” of principles (Feb. 22, 2012)

“It is the opinion of the Attorney General that the California Online Privacy Protection Act requires mobile applications that collect personal data from California consumers to conspicuously post a privacy policy.”

Cal. Data Privacy Enforcement: Application of Cal OPPA to Mobile Privacy
• California AG announces “Joint Statement” of principles (Feb. 22, 2012)
• Statement joined by leading mobile platforms: Amazon, Apple, Google, Hewlett-Packard, Microsoft, Research In Motion, and later Facebook
• Agreed upon set of privacy principles for mobile applications
  – Specific privacy notice and consent requirements
  – Adoption of privacy by design principles for app development
  – Implementation of a process for policing app publishers
  – Commitment to work with the California AG to continue to develop best practices
• Goals of fostering innovation, promoting transparency, and facilitating compliance with applicable privacy laws
• Not intended “to impose legally binding obligations on the Participants or affect existing obligations under law”
11. Cal. Data Privacy Enforcement: California Mobile Privacy Protection Unit
• California AG announces formation of new Privacy Enforcement and Protection Unit (July 19, 2012)
• Charged with enforcement of laws relating to online privacy, health privacy, financial privacy, identity theft, government records, and data breaches
• Also will conduct education and outreach regarding privacy issues
• Hoofbeats of more aggressive enforcement of California privacy laws. . .

Cal. Data Privacy Enforcement
[Image] Tweet from Kamala Harris, Attorney General of California, Oct. 12, 2012, 08:27 AM
12. Cal. Data Privacy Enforcement: California’s Shot Across The Bow
• California AG issues “non-compliance letters” to 100 mobile application developers (October 30, 2012)
• Big names included United Airlines, Delta Airlines, and OpenTable
• Asserted mobile applications were not compliant with Cal OPPA
• Issued 30 day notice to comply (per Cal OPPA)

“An operator of a mobile application . . . that uses the Internet to collect PII is an ‘online service’ within the meaning of Cal OPPA”

“Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is ‘reasonably accessible’ to the user within the app.”

“Violations . . . may result in penalties of up to $2,500 for each violation, i.e., for each copy of the unlawful app downloaded by California consumers.”

Cal. Data Privacy Enforcement: Actions Under Cal OPPA
• Cal OPPA itself is silent as to enforcement
• Violations of Cal OPPA provide a basis for claims under California’s Unfair Competition law (Cal. Bus. & Prof. Code §17200 et seq.)
• Allows State AG to bring claims
  – For “unlawful, unfair, or fraudulent” business acts or practices
  – Up to $2,500 per violation
• Also permits the possibility of actions by individual consumers
• California AG made it clear she would not hesitate to bring enforcement actions of Cal OPPA via California’s Unfair Competition law
13. Cal. Data Privacy Enforcement
People of the State of California v. Delta Air Lines, Inc.
No. CGC-12-526741 (Cal. San Francisco Sup. Ct.)
Filed: December 6, 2012

Cal. Data Privacy Enforcement: California Drops the Hammer on Delta
• "Fly Delta" app collects user's personal information
  – Full name
  – Telephone number
  – Email address
  – Frequent flyer account number and PIN code
  – Photographs
  – Geo-location information
• Contains no in-app privacy policy
• Policy at www.delta.com is likewise insufficient to cover the app
  – Does not cover the app
  – Not “reasonably accessible” from app
  – Does not disclose collection of geo-location information or photographs
14. Cal. Data Privacy Enforcement: California Drops the Hammer on Delta
• State alleges app was downloaded “millions of times”
• State seeks $2,500 per non-compliant download
• Delta has moved to dismiss
• Substantive hearing continued until May 9, 2013

Cal. Data Privacy Enforcement: Additional Activity By California
• California issued its own mobile privacy recommendations (Jan. 10, 2013)
• Includes numerous detailed best practices for mobile platforms and developers
• Best practices explicitly “offer greater protection than afforded by existing law”
• Two key principles:
  – Minimize surprises to users due to unexpected practices
  – Share accountability across platform manufacturers, operating system developers, mobile carriers, ad networks, and app developers
15. Mobile Privacy Enforcement: Where To Next?
• Mobile market is now treated no different from the Internet
• Expect more state activity
• No single approach
  – Discussion
  – Legislation
  – Enforcement
• Particular focus on mobile apps directed at children
• Continued emergence of “guidelines” or “principles” for mobile app platforms and developers
• Increased opportunities for coordination between states, FTC, and industry self-regulatory efforts

Thank You.
Jason Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
http://www.linkedin.com/in/haislmaier