3. Presentation Content
• Privacy Policy vs. Terms of Service
• Process of Creating Your Privacy Policy
• Compliance with the Law
• Avoiding the FTC
• Online Services for Protecting Privacy
4. United States v. Path, Inc.
• Path: mobile app developer
• Contrary to privacy policy, automatically collected personal info
• Got info from ~3,000 kids under age 13
• FTC charged Path for deception and violation of COPPA
• Settlement: $800,000; 20 yrs of audits
5. Our Startup: Dragon Digs
• The social hub of Drexel University
• Relies on user-generated content
• Features:
– Create, RSVP to events
– Post pictures, comments
– In-app ticket purchasing
– Promo emails from Dragon Digs
– Third-party advertising
6. Privacy Policy
• Explains how company gathers, uses, discloses, manages user info
• Separate from TOS
• More specifically:
– Type of data collected and how it’s used, stored, protected
– How user data is shared with third parties
– Compliance with privacy laws and user control
7. Terms of Service
• Rules users must abide by on website/app
• Legally binding; subject to change
• More specifically:
– Software license; website/app operation; users’ rights
– Information ownership; copyright; incorporates privacy policy
– Disclaimers/limitation of liability; notice
8. Ensuring Enforceable Terms
• Forming an enforceable contract
– Notice and assent
• Click-wrap vs. Browse-wrap
• Additional tips and considerations
9. Notice and Assent
• Click-wrap:
– Present users with copy of terms, and
– Require action showing user read and agrees to terms
10. Notice and Assent
• Browse-wrap:
– Available to users via web links
– Does not require action indicating user agrees to terms
• Typically state that site use is deemed acceptance of terms
11. Additional Tips and Considerations
• Use plain English
• Consider device it will be read on
• Place in a conspicuous location
12. Our Startup: Dragon Digs
• The social hub of Drexel University
• Relies on user-generated content
• Features:
– Create, RSVP to events
– Post pictures, comments
– In-app ticket purchasing
– Promo emails from Dragon Digs
– Third-party advertising
13. What Info Should I Collect?
• Relationship with user determines what should be collected
• De-identify personal identification info where possible
• Whatever you collect, give users notice
– Helps create user trust
14. Give Users a Choice
• No consent needed: If collected data is expected for a relationship with user
– Such as product fulfillment, analytics, security, and website improvements
• Consent needed: If collected data is outside what would be expected
• Do Not Track options
15. Tracking
• Cookie: Text file that collects user information
• Beacon: Graphic image file that collects user information
• Types: Persistent or session cookies
• Can be used for website operation or advertising
16. Privacy by Design
• Build in privacy and security at all stages of design and development
• Implement and enforce strategically sound privacy practices throughout company
17. Best Practices
• Data security
– Firewall and virus protection
– SSL encryption
– Encrypt user names and passwords
– Keep security current
• Reasonable collection limits
– Collect only what is needed
18. Best Practices
• Sound retention practices
– Right to be forgotten
– Retention depends on industry
• Data accuracy
– Allow users to access and change their profiles
• Knowledgeable, designated staff
19. Our Startup: Dragon Digs
• The social hub of Drexel University
• Relies on user-generated content
• Features:
– Create, RSVP to events
– Post pictures, comments
– In-app ticket purchasing
– Promo emails from Dragon Digs
– Third-party advertising
21. FTC Act and Regulations
• Unfair or deceptive
• Avoid the FTC:
– Comply
– Notify
– Protect
22. CalOPPA
• California Online Privacy Protection Act
• Conspicuously post your policy
• Comply
• Do Not Track amendment
23. CalOPPA Compliance
• Privacy policy must include:
– Collect info
– Sharing policies
– User review/control
– Notification
– Effective date
24. COPPA
• Children’s Online Privacy Protection Act
Are You Under the Age of 13?
25. COPPA Compliance
• Who is collecting the info?
• Description of info collected
• Use
• Disclosure to third parties
• Parental review & consent
• User notice
26. CAN-SPAM ACT
• Controlling the Assault of Non-Solicited Pornography and Marketing Act
• Are you spamming?
• Compliance is simple
27. HIPAA
• Health Insurance Portability and Accountability Act
37. Seals of Approval
• The best individually
– TRUSTe
– TrustGuard
– Qualys
– Comodo
• The best for you
– Mix-and-match to suit your needs
– Each service has strengths & weaknesses
38. Our Startup: Dragon Digs
• The social hub of Drexel University
• Relies on user-generated content
• Features:
– Create, RSVP to events
– Post pictures, comments
– In-app ticket purchasing
– Promo emails from Dragon Digs
– Third-party advertising
41. Thank You to Our Audience
Apply to be a client at
www.drexel.edu/law/ELC
Editor's Notes
You’ve worked extremely hard to grow your startup from humble beginnings to where it is now really starting to gain traction in the marketplace. Every day you are gaining new users, new customers, and you are starting to make some real revenues, when all of a sudden you get hit with an $800,000 settlement fine from the FTC. Moreover, you are being forced by the FTC to obtain costly audits for the next twenty years; that is, if the $800,000 fine isn’t so much that it wipes you out before then. Why is the FTC fining you? Simply because you were not careful with what you said in your website or mobile app privacy policy. This happened to a real startup, and provides real lessons on what you should do to safeguard your company. So, what should you do? Protect privacy to protect your startup.
Today’s presenters from the Drexel Entrepreneurial Law Clinic are Dean Bogin, Brittany Esser, James Hill, and me, Joe Zeidner.
We are thrilled to have expert panelists Andy Baer of Baer Crossey and Dina Leytes of Griesing Law, along with our Clinic Director, Steve Rosard, for you to learn about this critical topic: how you can establish sound data collection and use practices and craft a solid privacy policy to build trust with users and avoid the long arm of the FTC and other government entities.
During today’s presentation we’ll be covering a number of important topics. First we’ll be discussing the differences between a privacy policy and a terms of service—what is covered under each type of agreement and how you can make an enforceable terms of service. We’ll then share with you the process for creating your startup’s privacy policy and general best practices for doing so. Next, we’ll cover what you need to do to be in compliance with the law and the statutory regimes related to privacy that you must adhere to if you collect other people’s information. After that we’ll detail what you should do to avoid violations of law to protect your startup against actions by the FTC. We’ll follow that up with our recommendations for online services to protect privacy such as privacy policy generators and privacy seals of approval. Every step of the way we’ll be getting feedback from our experts, and we’ll finish with questions from you, the audience.
Before we get into the meat of our presentation, let me tell you about the startup that actually got hit with an $800,000 settlement fine from the FTC.
Path is a mobile app startup that created a social networking service that allows users to share journals, photos and other information with the users’ network of friends. Path’s privacy policy read very clearly, “Path should be private by default. Forever. You should always be in control of your information and experience.” However, contrary to this policy, Path’s mobile app automatically collected personal information such as first and last names, addresses, phone numbers, email addresses, and dates of birth from users’ mobile devices each time a user logged into the app. Because the company collected birth date information, it was aware that it had collected personal information from approximately 3,000 children under the age of 13 without complying with a federal law called COPPA, the Children’s Online Privacy Protection Act of 1998, which you’ll learn more about later today. Consequently, the Federal Trade Commission charged Path for having a privacy policy that was deceptive under Section 5 of the FTC Act and for violating COPPA, and the company had to pay an $800,000 fine and had to establish a comprehensive privacy program that involves obtaining costly privacy audits for the next twenty years.
This is just one of many companies that have been hit with stiff penalties for not having proper privacy policies. Typical fines through settlements with the FTC have ranged from $300,000 to up to $25 million. So it’s pretty clear that you need to be mindful of how you collect personal information and how you develop your privacy policy. But before we discuss how to create a privacy policy and how it contrasts with a terms of service . . .
To make this workshop more interactive, the members of the Clinic have created a fictitious company called Dragon Digs of which we are the four co-founders, and after each presentation section we’ll be asking our panelists for their advice on crafting our privacy policy and about other privacy issues for our startup.
So, what exactly is Dragon Digs? It is the social hub for Drexel University. Our website and mobile app function much like a bulletin board for events. It is perfect for students, faculty, and anyone else at Drexel. Users can make a profile with personal information about themselves, create and RSVP to events, post pictures and videos of the events, and even make comments and chat through our website and app during the event. Users will be able to make in-app purchases to pay for events that require tickets like concerts, athletic events, and cover charges at bars, and will receive emails with reminders about events. We do make the personal information of our users available to local businesses and restaurants to advertise to users based on events to which they RSVP.
Generally speaking, a privacy policy relates only to how a company gathers, uses, discloses, and manages information about its users. It should be a statement completely separate from the terms of service. Privacy policies set out (1) the type of data being collected and how it's collected; (2) how and why the company uses, stores and protects user data; (3) how user information is shared with any third parties, such as for advertising and analytics; (4) how the company complies with privacy laws and how it permits users to control and delete their information and even opt-out of the company practices for collecting user data.
So what is a terms of service? In brief, terms of service prescribe the rules that users must abide by when using a particular website or mobile app. They usually include details such as who are the parties to the agreement (most often the company and the website or app users), the warranties, responsibilities, liabilities and disclaimers associated with use, and who can post and access what content. A legitimate terms of service agreement is legally binding and may be subject to change.
To be more specific, a terms of service generally includes provisions to govern the following: (1) a software license that permits use of the website or mobile app but prohibits users from reverse engineering site code and allows the company to terminate users’ rights to the website or app; (2) a description of how the company will actually operate the website or app; (3) a section on user rights and responsibilities, including proper or expected usage, potential misuse, and user accountability for online actions and conduct; (4) provisions for who has ownership of any information that is posted to the website; (5) a copyright policy that prohibits people from posting copyrighted material if they don’t own it and a take-down policy in compliance with the Digital Millennium Copyright Act for removing posted material that a user has posted but does not own; (6) incorporation of the privacy policy into the terms of service; (7) disclaimers of information and warranties of results, including limitation of the company’s legal liability for damages incurred by users; and (8) notice to users upon modification of the terms of service.
How can you ensure that your terms are enforceable? For more on that, I’ll pass it to Dean.
Thanks Joe.
As was mentioned, a terms of service is intended to be legally binding. However, making it legally binding doesn't just happen.
The mere fact that you had a terms of service drafted doesn’t mean that you are automatically afforded every protection the document describes. Nor does it mean that you can hold users liable for doing something the document says is prohibited. In fact the document has zero effect unless you, the site or application owner, create an enforceable contract with every single one of your users.
Now the question is, how do you make this document become an enforceable contract? For starters, you are not going to send every single user a copy of your terms and get them to sign. That would be far too costly, time consuming and probably impossible. Instead, by using the general principles of contract formation, your terms will create an enforceable contract if your users:
have actual or constructive notice, and
they affirmatively or impliedly assent.
For websites and applications, there are two popular methods of providing notice and obtaining assent. These methods are called Click-Wrap and Browse-Wrap. I will walk you through these two methods and then close this portion of the workshop with a few additional tips and considerations on making both your terms of service and privacy policy enforceable, valid and compliant.
Let's start with click-wrap.
So the first method we are going to discuss is called click-wrap. I’ll explain how it works.
Ideally, before allowing users to move through your site or application, you want to present them with a copy of your terms of service and require them to take some action to indicate that they have read and agree to the terms.
For example, you may require users to click on an "I agree" button or check a box next to language stating that they have read and accepted the terms.
That is why this method of providing notice and obtaining assent is referred to as click-wrap; your users actually have to click.
If a user does not click the button or check the box indicating acceptance, you need to put measures in place that do not permit the user to move through your site.
Click-wrap terms of service typically have a higher probability of being found enforceable than browse-wrap terms. This is particularly important for websites or applications with e-commerce, social media and other features where enforceable terms of service may provide valuable protection against liabilities. If your site includes features like this, you should require users to acknowledge they have reviewed and affirmatively agree to the terms before permitting them, for example, to:
Make a purchase on an e-commerce site or
Upload or post content using social media.
While it is true that click-wrap has a higher probability of being found enforceable, if used the correct way, browse-wrap too will be found enforceable and it includes features that many website or application owners prefer. Let me explain.
Using the browse-wrap method means merely making your terms available to users through links on your site or application. Users are not required to take any action indicating that they have agreed to the terms. Instead, the terms typically state that use of your site or application is deemed to be acceptance of the terms.
Now, like I said, courts have not uniformly found terms of service presented in this manner to create an enforceable contract. The most common basis asserted for holding browse-wrap terms of service unenforceable is that the user did not have actual or constructive knowledge of the terms and therefore could not have assented to the terms.
For example, in the case of Hines v. Overstock, the court refused to enforce an arbitration clause in the online retailer's website terms of service. The court found that the user did not have actual or constructive knowledge of the arbitration clause because:
The terms were only accessible through a link at the bottom of the homepage and the site did not prompt the user to review the terms.
However, other courts have found browse-wrap terms enforceable if the user had actual knowledge of the terms, for example, through:
A letter from the site owner or
A prominent notice on the site stating that use of the site constitutes agreement to the terms.
Some site or application owners prefer this method because they dislike making their users click to agree. They fear that forcing their users to take action will make them apprehensive about using the site. They balance the risk against the reward and choose more users over certainty of a valid contract.
This is a decision you all must make.
However, if you do choose to go with the browse-wrap method, to increase the likelihood of enforceability you can:
Place the link to the terms of service conspicuously on the homepage so that it is visible "above the fold" (that is, the user should not have to scroll down the screen to see the link).
Also consider placing a link to the terms in the primary navigation bar of the site (that can be seen without scrolling) so that the link is both conspicuous and accessible from all relevant pages of the site.
Next to the link, you can also place a prominent notice that the website is governed by the terms of service and that use of the site constitutes acceptance of the terms.
Alternatively, if you choose to go with the click-wrap method, even though it is typically found to create an enforceable contract, you can increase that likelihood by:
Including a prominent statement on or next to the applicable button or check box stating that the user has read and agrees to the terms.
If using a check box to indicate assent, do not preselect the box. Require the user to affirmatively check the box to agree to the terms before being allowed to proceed past the homepage or make a purchase.
When dealing with consumers who may be viewed by the court as unsophisticated users, display the actual terms of use, instead of only a link to them, next to the button or check box. Consider requiring the user to scroll through the entire terms of use before being presented with the button or check box used to indicate assent.
With both methods, if you change your terms of service, for the changes to be enforceable, you must give users notice of the change. Ideally you should require users to affirmatively accept the revised terms of service through the click-wrap method the next time the user logs on to the site or, if applicable, makes a purchase through the site.
In addition to click-wrap or browse-wrap, I want to go over a few more tips and considerations that will aid in a finding that your terms of service create an enforceable contract.
First, make sure your terms are written in plain English. Do not use any legalese. Your terms should be easily read and understood by all users of your site. Additionally, use short sentences. In fact, keep the entire document as short as possible. Not only will this help with user understanding, but it also raises the likelihood that a user will actually read your terms.
The next thing to consider is the device that your terms of service will be viewed on. Specifically with mobile applications, the screen on which your terms will be viewed is typically much smaller than a computer. Therefore you should adjust accordingly. You should cut out some of the content leaving only the most crucial parts. Then you should place a link where the full terms can be found, giving the user the option to read the full terms now or open up the link later on a larger screen.
Lastly, I just want to reiterate that you need to place the link or actual content of your terms in a conspicuous location. This is probably the most important lesson in this section of the workshop. Even if you forget everything else I just went over, just make sure you place your terms, or a link to your terms in a place where they will unquestionably be seen. A user should never be able to argue they did not have knowledge of your terms.
Also just know that all of these tips and considerations apply equally to your privacy policy. While you are not trying to create an enforceable contract for your privacy policy, following these tips will keep your policy from being found to be deceptive. We will talk about this in more detail later in the workshop.
We have heard that a privacy policy and terms of service are not just legal documents, but that they are also marketing documents. Can you give us an explanation of what that means?
We plan on collecting user information on both our website and our mobile app. Can we use the same terms of service and privacy policy for both?
Is there any additional advice you can give us to ensure our terms are found to be enforceable?
We have learned about all the different types of information we can possibly collect. Can we just go ahead and collect every type of personal information from our users even though we don’t know how we are going to use or monetize the information and have you write us a privacy policy that allows us to do this?
We don’t use cookies or plan to track our users, but our ad networks and analytics providers may. How can we work with third-party providers that may collect behavioral info and may track our users and do we need to put this into our privacy policy?
We have heard about something called just-in-time disclosures. What are they, what type of collected information do they apply to, and how can we implement them?
Compliance is arguably the most important aspect to privacy policies. If you do not comply with your own policy it is almost worse than not having one. Be sure you read and understand your privacy policy! Get a good lawyer or the ELC to help you draft an easy to read and comprehensive privacy policy.
Remember that thing Joe mentioned in the beginning? Well, in case you already forgot, it’s the Federal Trade Commission Act. It is important that you do as you say in your privacy policy. Always notify users what information is being collected, how it is being collected, and why. While the Federal Trade Commission Act does not expressly require that a website have a privacy policy, it does prohibit unfair and deceptive acts or practices. The FTC will actively bring enforcement actions under the Act against companies that fail to: comply with statements made in their posted privacy policies; notify, and in some cases obtain consent from, users before making uses or disclosures of information that are materially different from those disclosed in the privacy policy; provide adequate notice to consumers before making material changes to their privacy policies; and take reasonable and appropriate measures to protect personal information held by the company.
I will cover some but not all of the statutes and regulations that govern privacy policies. The first statute I will cover is CalOPPA. It is the only statute that actually requires you to have a privacy policy. It stands for California Online Privacy Protection Act. It was created to protect Californians’ privacy online. The act requires that websites or apps that a Californian may use comply with the statute. Since it is the internet and there is no way to actually tell if you have a Californian using your site, we can assume that everyone needs to comply with CalOPPA. What does CalOPPA require? You must conspicuously post a privacy policy! You may think you know what conspicuously means, but California has taken the liberty to give its own definition. According to CalOPPA, conspicuously posting a privacy policy means that the privacy policy is displayed on the website; there is a link, via an icon that contains the word “privacy”, which appears on the homepage and directly takes consumers to the privacy policy; and/or there is a hypertext link containing the word “privacy” that is distinguishable. Again, be sure to READ your privacy policy because you must comply with your own terms. Please be sure to note that in 2013 the act was amended to include disclosures on what is known as Do Not Track technology, which basically enables users to communicate their desire not to be tracked. However, many users do not know how sites and services with Do Not Track actually work or how sites actually follow the theory behind Do Not Track; thus, CalOPPA now requires websites to (1) explain in their privacy policies how they respond to web browser DNT signals and (2) disclose applicable third-party data collection and use policies.
So that was just the initial requirements for CalOPPA. To actually be in compliance your privacy policy must state what personally identifiable information is collected. PAUSE. What is personally identifiable information? Information that is personally identifiable means it can be used on its own or with other information to specifically identify, contact, or locate you as a unique person.
It must also state with whom that information is shared, how a user can review & request changes to their information, a process by which to notify users of changes to the policy and the effective date of the privacy policy.
Another statute that you need to be aware of is called COPPA, which stands for the Children’s Online Privacy Protection Act. It is meant to provide online protection to users under the age of 13. Who is subject to COPPA? That means figuring out whether your site is directed towards children for purposes of COPPA.
Under COPPA, a website or online service, or portion of one, may be deemed directed to children if any of the following apply:
(1) The website or service targets children as its primary audience. (2) The website or service is a mixed-audience website or service that does not take certain age-screening measures set out in the COPPA Rule. (3) The operator has actual knowledge that it is collecting personal information directly from a user of another entity's child-directed website or online service. This includes, for example, operators of plug-ins and advertising networks.
If any of those provisions apply, you will have to be COPPA compliant. Now the fun begins. COPPA generally requires covered website and online service operators to have a compliant privacy policy. That policy should be clear and easy to read and must include:
– A list of all operators collecting personal information. The privacy policy must list the name and contact information (postal address, telephone number and e-mail address) of each operator, or of one operator that will respond to inquiries from parents about all operators' privacy policies and practices.
– A description of the information the operator collects from children, including: the types of personal information collected; how the personal information is collected (for example, by requesting it from the child or through website cookies or other technologies); and whether the site or service enables children to make information publicly available (for example, in public forums).
– How the operator uses the information (for example, marketing, notifying contest winners or social media purposes).
– Whether the site discloses personal information collected from kids to third parties. If so, the privacy policy must list the types of businesses that receive the information and how they use it.
– That the operator will not require a child to disclose more information than is reasonably necessary to participate in an activity.
– That a parent can review his or her child's personal information, request deletion of the child's collected information and refuse to allow any further collection or use of the child's information.
– That parents can agree to the collection and use of their child's information but disallow disclosure to third parties, unless that is part of the service (for example, social networking).
Also, the operator must give notice by including on its website or online service a notice about its practices for information it collects from children under 13. This notice must be prominent and clearly labeled:
An operator must post a prominent and clearly-labeled link to an online notice of its information practices concerning children on the home or landing page of its website or online service, as well as at each area of the website or online service where personal information is collected from children. The link must be in close proximity to the requests for information.
You know all those annoying emails you get? Well, moving on, those emails are what a statute called CAN-SPAM regulates, which stands for the Controlling the Assault of Non-Solicited Pornography and Marketing Act. With the rise of email, in 2003 Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act to regulate unsolicited commercial e-mail. Many senders of bulk unsolicited commercial electronic mail use computer programs to gather large numbers of electronic mail addresses on an automated basis from Internet websites or online services where users must post their addresses in order to make full use of the website or service. The CAN-SPAM Act does not flatly prohibit all unsolicited commercial e-mail. Instead, it sets out specific requirements for the content of these messages and for ensuring that consumers can opt out of receiving them.
Who is Subject to the CAN-SPAM Act?
The CAN-SPAM Act regulates the transmission of all commercial e-mail messages, not just unsolicited messages. A commercial e-mail message is defined as any e-mail that has a "primary purpose of . . . commercial advertisement or promotion of a commercial product or service." This includes commercial e-mails sent to business e-mail accounts, as well as those sent to individual consumers.
COMPLIANCE
To comply with the CAN-SPAM Act a privacy policy should include a section discussing the company’s e-mail opt-out policies. The CAN-SPAM Act requires the company to include opt-out options in its e-mail marketing and on its website so that its customers have the option of changing or canceling their e-mail notices.
So I have covered some of the broader regulations, now we are wading into more industry specific laws. I think most of you in this room have at least heard of HIPAA. If you didn’t know it stands for the Health Insurance Portability and Accountability Act. HIPAA protects individually identifiable health information. Disclaimer – this picture is 100% wrong.
What is considered to be personally identifiable health information and who is subject to HIPAA?
Personally identifiable health information can mean anything from health care claims, general health care information, health care payments, information relating to health care benefits, enrollment and disenrollment in a health plan, eligibility for a health plan, and health plan premium payments. If you plan to create, receive, maintain, transmit, collect, organize or do basically anything with personal health information, you are subject to HIPAA. ONE TAKEAWAY: HIPAA REQUIRES EXPRESS WRITTEN CONSENT; NOTICE IS NOT ENOUGH!
If your website intends to collect any personal health information.
HIPAA has its own privacy rule. This privacy rule requires that you:
Notify individuals about their privacy rights and how their information can be used
Enact and implement privacy procedures
Train employees so that they understand the privacy procedures.
Designate an individual responsible for ensuring that privacy procedures are adopted and followed
Secure patient records containing individually identifiable health information
For all you EdTech companies out there, this is another industry-specific law that you may have heard of before: FERPA, which stands for the Family Educational Rights and Privacy Act. It is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student. As the statute states, the Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records. Grades, registration and all student records are private unless FERPA is waived by the student.
The GLBA is another industry-specific law. The GLBA created provisions protecting the financial information of consumers held by financial institutions. The law's privacy protection provisions have three principal parts:
Financial Privacy Rule
Governs the collection and disclosure of customers' personal financial information by financial institutions. Applies to companies, including financial institutions, that receive this information. Under this rule, recipients of consumer information must furnish to their customers a privacy notice explaining how customer information is shared, used and protected.
Safeguards Rule.
Requires the design, implementation and maintenance of systems to safeguard customers' financial information. Applies to financial institutions and companies, such as credit rating agencies, that receive customer information.
Pretexting provisions
Protects consumers from companies and individuals that obtain their financial information under false pretenses.
The privacy notice must be a clear, conspicuous and accurate statement of the financial institution's privacy practices. It should describe:
The categories of information that the financial institution collects and discloses.
The categories of affiliated and non-affiliated entities with which it shares information.
That the consumer or customer has the right to opt out of some disclosures.
How the consumer or customer can opt out (if an opt-out right is available).
Under GLBA, a financial institution does not need to provide an opt-out right to:
Share non-public personal information for the purpose of administering or enforcing a transaction that a customer requests or authorizes.
Share non-public personal information with outside companies that provide essential services, such as data processing or servicing accounts, if certain conditions are met (such as contractually binding the outside company to protect the confidentiality and security of the data).
In January 2012, the European Commission proposed a sweeping reform of the E.U.'s 1995 data protection rules. Here are the top 9 things you should know about the E.U. e-Privacy Directive (with a little editorial thrown in, as expressed by some top U.S. compliance professionals who spoke recently at PLI's Privacy and Data Security Law Institute 2012):
1. The E.U. privacy authorities must be notified of any breach – regardless of how great or small, regardless of the level of harm – within 24 hours. No exceptions or “carve-outs.” This raises concern, among other things, about false alarms and creating needless worry. And what if the breach occurs on a Friday or Saturday?
2. All organizations with 250+ employees must appoint a DPO – a Data Protection Officer. There are no guidelines as to what constitutes an employee (does it include agents or consultants?) or what the qualifications of the DPO should be.
3. The DPO will be personally liable for damages caused by data security breaches. Who’s going to take this job??
4. Any company targeting E.U. residents must perform a privacy impact assessment for every “system.” What’s a system? Does it include software? Is it a “process”?
5. All consumers have “the right to be forgotten.” This is very controversial. Under this rule, which is aimed at social networks but applies to all companies, any consumer can ask for all of his or her information to be deleted from an organization’s records. Companies must delete personal info from their business records if requested by the subject, even if the subject is a former employee.
6. The company must also inform anyone else (i.e., other companies) who may have the requester's personal info that they also must delete all info on the person.
7. Controllers (those who actually control the information) and processors (those who simply process information at the instruction of the controllers) have joint and several liability.
8. Websites must obtain informed consent from users before storing cookies on users' computers. There are two exceptions.
9. The fine for violating any part of the E.U. Directive: 2% of global revenue. I repeat: 2% of global revenue. That’s down from 5%, as it was originally drafted.
It seems like there are a bunch of laws out there that we might have to worry about complying with. Where do we start with our privacy policy?
We are happy to write into our privacy policy that we are in line with the most important laws that we have discussed. But how do we go about actually practicing what we say we will do in our privacy policy to be in compliance with these laws?
You now know that no one federal regulation or law sets forth data security standards that apply to all companies. Brittany reviewed a good number of different statutes that govern data security but by no means did she cover all of them. Not only would that take a long time but it would be incredibly boring. We only selected the statutes we thought would be most relevant to you.
Of all the statutes and topics Brittany discussed, the first topic, the FTC and the FTC Act, is the most important. That's because if you are going to get sued for a privacy issue, they are going to be the ones to do it. In this web of privacy and data collection laws, the FTC has taken it upon itself to enforce all breaches of privacy, whether in regard to health, financial or any other type of information. This is because the statute that governs the FTC is so broad it pretty much encompasses all other privacy statutes out there. Some of these other statutes, like COPPA, have specific language in them granting the FTC the power to enforce them. Other statutes, like HIPAA and GLBA, have been found by courts to be complements to the FTC Act. This means that the FTC can pursue the specific types of privacy issues governed by these laws under the FTC's authority to pursue any type of unfair or deceptive act or practice.
With all that being said, it is not impossible to avoid ever seeing or hearing from the FTC. In fact it is quite easy. The number one thing that you have to do is disclose to the public what information you are collecting and what you are using it for. Your acts or practices cannot be found to be deceptive if they are expressed openly.
Secondly, you need to follow the practices you have disclosed. If you want to use data in a manner that is different from what your privacy policy says, revise your policy and put the public on notice that you have changed your policy. Lastly, and this one is a little bit harder to do, keep up to date with the FTC's enforcement actions against other companies. The orders and decrees that come out of these suits essentially become law. Learn from these other companies' mistakes. Follow what is going on with the FTC and update your practices accordingly. This is another good reason to work with an attorney. It is their job to stay up to date on these changes, and they can help you stay compliant.
Let's go through some FTC actions that took place over the past few years and see what we can learn from them.
Google - http://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented
You may have heard about Google’s tangle with the FTC in the news. Google agreed to pay a 22.5 million dollar civil penalty to settle FTC charges that it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC. In addition to the civil penalty, the order also requires Google to disable all the tracking cookies it had said it would not place on consumers’ computers.
The FTC’s complaint stated that Google specifically told Safari users that because the Safari browser is set by default to block third-party cookies, as long as users do not change their browser settings, this setting “effectively accomplishes the same thing as [opting out of this particular Google advertising tracking cookie].”
Despite these promises, the FTC charged that Google placed advertising tracking cookies on consumers’ computers, in many cases by circumventing the Safari browser’s default cookie-blocking setting.
The earlier settlement which the FTC claimed Google violated was the settlement it reached in October 2011, which barred Google from – among other things – misrepresenting the extent to which consumers can exercise control over the collection of their information.
RockYou - http://www.ftc.gov/news-events/press-releases/2012/03/ftc-charges-security-flaws-rockyou-game-site-exposed-32-million
RockYou, the operator of a social game site, agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint that RockYou violated the Children's Online Privacy Protection Act (COPPA) in collecting information from approximately 179,000 children. Because the site collected birthdates, it knowingly collected personally identifiable information from children under 13 and therefore needed to comply with COPPA. It did not disclose that it was collecting and using this information; it did not obtain parental consent; and it failed to maintain reasonable security procedures. The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.
Snapchat - http://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were
Snapchat, the developer of a popular mobile messaging app, has agreed to settle Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of messages sent through the service. The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure. In fact, the case alleges, Snapchat’s failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.
“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
The Brightest Flashlight App - http://www.ftc.gov/news-events/press-releases/2014/04/ftc-approves-final-order-settling-charges-against-flashlight-app
Finally, in the last action we are going to look at, the FTC approved a final order settling charges against the company that created the Brightest Flashlight App. According to the FTC, the company deceived consumers with a privacy policy that did not reflect the app's use of personal data and presented consumers with a false choice on whether to share their information. Specifically, the app collected and transmitted a user's location and device ID to advertising networks and other third parties every time the user turned on the app.
The settlement, first announced in December 2013, prohibits the company from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used.
The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.
From all of these cases, you should be able to learn something. Take Google, for instance. Google makes it clear that you must actually do what you say you are going to do. Follow your policy. Also, if you have already made a mistake, settled with the FTC and promised them that you would not make that mistake again, don't break that promise.
From the Brightest Flashlight App’s encounter with the FTC you should have learned that if you plan to collect and use information, disclose it. If the information you are planning on collecting and using is something your users would not expect, consider going a step beyond just writing it in your privacy policy. Implement a just-in-time disclosure where a notification pops up and gives a user a choice right before you collect and use the information.
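The just-in-time disclosure described above, as an added example that is not part of the clinic's presentation: a small JavaScript consent gate that a website or mobile web app could wrap around a sensitive data source such as geolocation. It prompts with a plain-language disclosure (what is collected, how, why, and with whom it is shared) right before the first read, records the user's affirmative choice against the version of the privacy policy in force, never touches the data source when consent is missing or refused, and treats consent given under an earlier policy version as stale so the user is asked again after the policy changes. The class and function names, the policy version strings, and the disclosure text are illustrative assumptions; the prompt and the location reader are stand-ins constructed for the demo (in a browser the collector would call `navigator.geolocation.getCurrentPosition` and the prompt would be a dialog).

```javascript
// Added example for this presentation, not the clinic's own code: a
// just-in-time consent gate. All names (ConsentGate, locationDisclosure,
// runScenario), the policy versions and the sample data are assumptions.

class ConsentGate {
  constructor(policyVersion, now = () => Date.now()) {
    this.policyVersion = policyVersion; // version of the published privacy policy
    this.now = now;
    this.records = new Map(); // "category|purpose" -> recorded decision
  }

  key(category, purpose) {
    return `${category}|${purpose}`;
  }

  // A decision counts only if it was given under the policy version now in
  // force; consent recorded under an earlier policy is stale and is re-asked.
  currentDecision(category, purpose) {
    const rec = this.records.get(this.key(category, purpose));
    return rec && rec.policyVersion === this.policyVersion ? rec : null;
  }

  // Ask right before collection. `prompt` shows the plain-language disclosure
  // (what, how, why, to whom) and returns true only on an affirmative choice;
  // a dismissed or unanswered prompt is treated as a refusal.
  requestConsent(category, disclosure, prompt) {
    const existing = this.currentDecision(category, disclosure.purpose);
    if (existing) return existing.granted;
    const granted = prompt(disclosure) === true;
    this.records.set(this.key(category, disclosure.purpose), {
      granted,
      policyVersion: this.policyVersion,
      at: this.now(),
      disclosure,
    });
    return granted;
  }

  // Wrap a data source so it is never read unless consent is on record.
  guard(category, disclosure, prompt, collector) {
    return () => (this.requestConsent(category, disclosure, prompt) ? collector() : null);
  }

  // Call when the privacy policy changes; every earlier consent becomes stale.
  updatePolicy(newVersion) {
    this.policyVersion = newVersion;
  }
}

// Constructed disclosure for a location read that is shared with ad networks.
const locationDisclosure = {
  what: 'precise device location and device identifier',
  how: 'read from the device each time the app is opened',
  purpose: 'shared with third-party advertising networks for ad targeting',
  recipients: ['third-party advertising networks'],
};

// Runs the gate through consent, reuse of consent, a policy change and a refusal.
function runScenario() {
  const prompts = [];
  let answer = true;
  const prompt = (d) => { prompts.push(d.purpose); return answer; };

  let reads = 0;
  const readLocation = () => { reads += 1; return { lat: 39.9566, lon: -75.1899 }; };

  const gate = new ConsentGate('policy-v1', () => 0);
  const getLocation = gate.guard('geolocation', locationDisclosure, prompt, readLocation);

  const first = getLocation();    // prompted, user agrees, location is read
  const second = getLocation();   // consent already on record: no new prompt
  gate.updatePolicy('policy-v2'); // policy text changed: old consent is stale
  answer = false;
  const third = getLocation();    // prompted again, user declines, nothing read

  return { promptCount: prompts.length, reads, first, second, third };
}
```

The point of routing every read through `guard` is that the code path which collects the data cannot run without the disclosure having been shown and accepted, which is the "affirmative express consent before doing so" the Brightest Flashlight order requires. Bumping the policy version when you revise your policy is how the gate enforces the earlier advice: a changed policy puts users back on notice and asks them again.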
To stay up to date on all of this and learn from other companies’ mistakes, frequently check in on these actions. A good place to start is the FTC’s website.
Are there any privacy practices that require more than just having a privacy policy?
We do not have the money to pay for costly audits let alone settle a civil penalty. Do you have any other tips for us to ensure we do not get sued?
You have heard about what makes a good privacy policy. One question you may have is how you can make a good one yourself. There are a lot of privacy policy generators that you can find online, but none of them can prepare a privacy policy that is as customized for your startup, or that protects your startup and is as enforceable, as one prepared with the help of an attorney. So in general, if you can afford to hire an attorney to prepare one for you, that would absolutely be our recommendation.
However, you may be at a point where you cannot quite afford an attorney to prepare one and you need to have one in place for your website or mobile app. For that reason the members of the Drexel Entrepreneurial Law Clinic have done the research for you to tell you which in our opinion is the best online privacy policy generator.
We tested twenty-eight different online privacy policy generators by filling out their questionnaires with identical information for a made-up company. We then considered the following criteria to determine which we would recommend. First was ease of use—how easy it was to understand and complete the online survey or questionnaire. We next looked at whether the generator gave any guidance on creating a good privacy policy and how helpful the guidance was. Next, there are a few generators that cost money to complete, but because there are many that are totally free, we only reviewed free generators. Many free generators are only free because they try to up-sell you by offering a more sophisticated generator, but most of these And most importantly, we looked at the actual policy that was generated to determine whether to recommend the generator. This is the most important criterion for a privacy policy generator.
From our review of all of the generators and of the privacy policies that they created, we have four recommendations. The first three are for generating privacy policies for a website, and the last was for creating a privacy policy for a mobile app. Our top recommendation was for FreePrivacyPolicy.com because it gave some guidance for filling out the questionnaire and generated a slightly more extensive policy. The policies created at GeneratePrivacyPolicy.com and SEOToaster.com are nearly identical to one another. And if you need a privacy policy just for a mobile app, TRUSTe.com should be your trusted source.
Other than privacy policy generators, there are also companies online that can certify your startup for privacy and security. For more on that, I’ll pass it to James.
Now that we know what we need to have in our privacy policy, can’t we just take someone else’s privacy policy or use a privacy policy generator and adapt it to our own end? Is one better than the other? And what benefit would hiring an attorney provide?
What are your general thoughts on seals of approval and when might you recommend that we look into getting them for Dragon Digs?