
Privacy and Business: What MUST You Be Aware Of?

May 24, 2015

Basic Privacy Obligations of a New Business in the US
What must you do to protect your clients' privacy? We emphasize those areas which may expose you to legal liability and which policies you should be aware of. This presentation is a valuable resource for businesses that operate in the U.S. and interact with consumer information.
Transcript
Page 1: Privacy and Business: What MUST You Be Aware Of?

Privacy and Business: What MUST You Be Aware Of?

Basic Privacy Obligations of a New Business in the US

Andrew T. Mirsky Mirsky & Company, PLLC

Mirsky & Company, PLLC has provided this presentation for general informational purposes only. It is not intended as professional counsel and should not be used as such. You should contact your attorney to obtain advice with respect to any particular issue or problem.

Page 2

Andrew T. Mirsky, Esq.

• Principal, Mirsky & Company, PLLC, DC and NY (www.mirskylegal.com)

• Formerly in-house counsel with National Journal and Atlantic Monthly magazines

• Clients in new media and technology, including intellectual property, corporate and finance, privacy, joint ventures and partnerships, and employment and HR matters.

• Founder, Media Future Now (www.mediafuturenow.com)

Page 3

Important Note: This discussion covers privacy for business as a general matter. This is not a policy discussion, but rather a discussion of what businesses must be aware of and what areas expose all businesses to legal liability. We will not address consumer privacy, nor HIPAA, Gramm-Leach or employment-specific privacy, nor non-US (particularly EU) privacy. Those are topics for another day. This is meant to address privacy from the perspective of the general privacy considerations for a company doing business in the United States and interacting with consumer information.

Page 4

Introduction

1. From Kelley Drye & Warren’s 2/16/12 seminar, "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends," quoting Peter Swire, Law Professor at Ohio State University: Professor Swire noted that, while it is unclear whether Congress will pass consumer privacy legislation in the current session, the level of ongoing regulatory activity is forcing businesses to reevaluate their existing privacy practices and policies.

http://www.kelleydrye.com/publications/client_advisories/0725

Page 5

Introduction

2. From John Heitman, in NextDailyDeal.com, discussing Groupon’s recent aggressive changes to its privacy policy: An online marketing business using consumers’ personal information must do so carefully in order to limit its exposure to private class action litigation, Federal Trade Commission (FTC) investigations and enforcement, state attorneys general actions, and more. Groupon’s changes won’t satisfy everyone, but they certainly take the company in the right direction and much of what’s been done can serve as an example for others mindful of (or needing to be mindful of) their corporate privacy posture and the risks that come with it.

http://nextdailydeal.com/groupon-privacy-statement-revisions-reflect-rapid-changes-in-the-marketplace-and-an-evolving-legal-and-regulatory-landscape/

Page 6

I. Background

1. General theme in US is: “Disclosure (and compliance with what you voluntarily disclose and say you'll do) accounts for much of US privacy law,” rather than positive requirements of law. Meaning: as long as you disclose, you can pretty much do anything you want.

Page 7

I. Background

2. Disclosure rule is still largely the way it is in US: So, for example, new privacy policies of Google (notoriously) and Groupon (less notoriously) show companies proactively getting out ahead of regulators by “putting it all out there”.

Groupon: (a) Disclosures to third party partners: Very clear statements of what disclosures you make to third parties. Very clear, very transparent. (Lot of recent caselaw in this area.)

(b) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.

Page 8

I. Background

3. Big caveat: How things are changing

With increasing threats of regulatory scrutiny, enforcement action and class-action litigation, increased noise from Congress and state legislatures, and increasingly standardized “best practices” issued by non-governmental SROs, the reaction has been to voluntarily become more protective. Not just in terms of transparency, but in substance as well.

Example: Affirmative consent is not generally legally required, but businesses are now almost universally seeking affirmative consent to statements of privacy practices and disclosures on collecting of data, particularly when it comes to OBA.

Page 9

II. Laws and SROs

1. What privacy laws must businesses be aware of? • Depends on the business:

• Particularly in US, so many different situations could apply. For example, does HIPAA apply? Yes if user medical or healthcare information is involved. Do financial information laws apply? E.g. Gramm-Leach? Yes if personal financial information is involved. What state laws apply? Depends on what states you’re “doing business” in.

• “Which laws apply” can’t be answered in abstract, because “it depends”:

• There are some general “best practices” and guidelines developing, but specifics matter.

Page 10

II. Laws and SROs

• Data security laws always apply: (1) Federal Trade Commission (FTC): “unfair and deceptive trade practice” under FTC Act Section 5 to hold personal data without providing adequate security. (2) California (+ Illinois + many others) requires companies to implement “reasonable security measures” for handling personal information. (3) Minnesota imposes strict liability on companies that retain credit card data for damages caused by data breaches. (4) COPPA.

Page 11

II. Laws and SROs

Massachusetts then goes beyond most other states with its requirements for administrative, technical, and physical safeguards.

Page 12

II. Laws and SROs

From ongoing employee training and data access controls to encryption, malware protection and taking responsibility for third party service providers, it looks to me like Massachusetts, like Nevada, is emulating the standard used by the Payment Card Industry (PCI DSS). And if information security is the goal, that makes sense. Why reinvent the wheel? The Payment Card Industry Data Security Standard has been evolving over many years through the efforts of card issuers like Visa, MasterCard, Amex, and Discover.

Source: http://www.rendervisionsconsulting.com/blog/are-online-privacy-policies-required-by-law/

Page 13

II. Laws and SROs

Who does it apply to? “Every person that owns or licenses personal information about a resident of the Commonwealth.”

Always Apply: (1) FTC (under Section 5 of FTC Act) “unfair and deceptive trade practice” statutes governing noncompliance with published privacy policies. (2) State Attorneys General enforcing same under state “Baby” FTC Acts.

Page 14

II. Laws and SROs

2. Don’t ever forget contract law: • Class-action and private rights of action for breaches of published privacy policies, which are binding contracts.

Page 15

II. Laws and SROs

3. What if you “do business” in every state? • Not unrealistic. How do you possibly comply with every state law?

• Oftentimes, you might not be able to. What some companies do: Look to “leading” states when it comes to privacy and data security, and realistically comply with the most restrictive.

• What states? California. Massachusetts. Definitely the state you’re based in and all states in which you expect to do most of your business. More and more states have laws like Illinois’ “Personal Information Protection Act”, addressing data security responsibilities, including notification responsibilities, setting up toll-free numbers, credit monitoring services, etc. Reality is that you don’t have to provide these services to residents of all states, but it’s somewhat impractical to set up your business practices based on cherry-picking different state law requirements for different users of your services.

Page 16

II. Laws and SROs

4. FTC and SROs – Guidelines and “Best Practices”

• FTC Report (3/26/12): The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.

• Small Business Exception: What about small businesses? To minimize the effect on smaller companies, the final framework doesn’t apply to them if they collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.

Page 17

III. Actual Privacy Practices

1. Must you have a privacy policy?

Non-mobile? Generally no (but see California, below). Mobile? Yes (in California, from California users).

2. Should you have a privacy policy?

Yes. Is “having a privacy policy” the end of your job? No. Law and practice in the US has evolved to not only (effectively) having a privacy policy, but also having certain prescribed disclosures in that policy.

And, some states (e.g. California) have moved toward requiring an actual policy. (Growing trend anyway.) (1) California Online Privacy Protection Act requires a website to “conspicuously post” a privacy policy if it “collects and maintains personally identifiable information from a consumer residing in California.” And “personally identifiable information” is defined broadly. (2) California AG agreement with Google and Apple app stores requires app makers to submit privacy policies as part of the application submission process.

Page 18

III. Actual Privacy Practices

3. Privacy policy or not, what must you really do?

(From California law:) Conspicuously disclose:

(a) Information Collected – Categories of personal information the website collects.

(b) Categories of 3rd-parties with whom the company shares the information.

(c) How the user can review and request changes to their information collected by the company.

(d) How the company notifies users of material changes to its privacy policy.

(e) The effective date of the privacy policy.

Page 19

III. Actual Privacy Practices

eTrust (privacytrust.org) requires these additional elements for “seal” privacy certification:

(f) (Option not to Provide PII) A user of the site must be given the option of not giving their PII if the information collected is not related to the primary purpose for which the information was collected or the personally identifiable information was disclosed to third parties.

(g) (Unsubscribe Options) All newsletters and promotional email messages that are sent to users, apart from the messages the user has agreed to receive as a condition of using your service, must include an unsubscribe link.

(h) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any personally identifiable information on your site without the knowledge and permission of their parent or guardian. If there are certain web pages within your Site that require users to be at least 13 years of age, anyone under the age of 13 should be restricted from participating in such web page activities.

(i) (Data Security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing Personally Identifiable Information, to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you must also implement reasonable security procedures, such as encryption, to protect Personally Identifiable Information.

(j) (User Access) Inform the user how to access and change the Personally Identifiable Information provided by them to you.

(k) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.

Page 20

IV. The Whys and Wherefores

1. Compliance and Practicality:

• Part legal compliance, but part also practical: Increasing use of tracking. IE 9 Tracking Protection utilizes Tracking Protection Lists (TPLs) to enable users to control content delivered by third party companies to any website they are visiting. The intent of this feature is to provide consumers with choice regarding both the collection and use of third party tracking information. Obviously getting an “Allow” certification (from TRUSTe or another certification company) overrides “Block” settings in TPLs, allowing delivery of content, products and services.

• http://www.privacytrust.org/certification/privacy/privacy_requirements.html

Page 21

IV. The Whys and Wherefores

2. User expectations and, therefore, legal risk:

• The reality: User expectations are established by a company’s stated privacy policies or through actual practice. For example, on the PrivacyChoice blog, the CEO of PlaceIQ [www.placeiq.com] explained that Apple and Android have already established user expectations about consent. Location-based services in the operating system provide very precise location information, but only through a user-consent framework built in to the OS. This creates a baseline user expectation about consent for precise location targeting.

• http://blog.privacychoice.org/2012/01/23/geo-ip-location-targetingwhen-is-consent-required/

Page 22

Significance of “Personally Identifiable Information” (PII)?

Most privacy obligations apply ONLY to handling of users’ PII.

Page 23

What is PII? (a) PII Generally:

Name (full name or first initial and last name), maiden name

Email address or other online contact information such as instant messaging identifier

Home or other physical address

Telephone number

Credit card or debit card numbers

Bank account numbers

Social Security number

Driver’s license number or state issued ID card number

Passport number

Taxpayer identification number

Personal characteristics such as photographic images (especially of face or other identifying characteristic), fingerprints, or other biometric data (i.e. retina scan, voice signature, facial geometry)

Page 24

What is PII?

MA and CA

• Zip Codes are PII.

Trend

• Industry is moving away from overly legal distinctions and simply treating anything that is reasonably “personal” as PII- essentially removing the middle “identifiable”.

Page 25

What is PII?

From FTC Report (3/26/12):

• The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be "reasonably linked" to consumers, computers, or devices. The final report concludes that data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.

Page 26

What is PII? (b) Potential PII (not by themselves):

A persistent identifier such as a generic customer/ user value held in a “cookie”

IP (Internet Protocol) address or host name

Date of birth, age

Racial or ethnic background

Religious affiliation

Gender

Marital status

Employment information

Medical information

Financial information

Credit information

Student information

Page 27

What is PII?

(c) Sensitive PII: PII which, if lost, compromised, or disclosed without authorization, either alone or with other information, carries a significant risk of economic or physical harm. Or information related to (i) a particular medical condition or a health record or (ii) the religious affiliation of an individual.

Page 28

What is PII?

(d) Not PII:

Browser type

Browser plug-in details

Local time zone

Date and time of each visitor request (i.e. arrival, exit on each web page)

Language preference

Referring site

Device type (i.e. desktop, laptop, or smartphone)

Screen size, screen color depth, and system fonts

Page 29

Major Laws (generally) applicable to privacy in the US (from business perspective):

FTC Act Section 5

State “Baby” FTC Acts

State (e.g. CA) Privacy Laws

State Data Security Laws (e.g. MA, IL, MN, etc.)

HIPAA (medical and health information)

Gramm-Leach (financial information)

COPPA

Page 30

Are there major differences between mobile and non-mobile?

• Yes, particularly because of FCC oversight of mobile (N/A for non-mobile), and application of issues like sharing of customer proprietary network information ("CPNI"), including geographic location information. FCC is not claiming oversight of internet beyond mobile, but FTC is claiming oversight of mobile as well (FTC public workshop 5/30/12).

Page 31

Privacy: What must a business really do?

Conspicuously disclose (absolute minimums):

(a) Information Collected – Categories of personal information the website collects.

(b) Categories of 3rd-parties with whom the company shares the information.

(c) How the user can review and request changes to their information collected by the company.

(d) How the company notifies users of material changes to its privacy policy.

(e) The effective date of the privacy policy.

Page 32

Privacy: What must a business really do?

But also … (from SRO and “seal” program certifications):

(a) (Option not to Provide PII) Users given option of not giving PII if information collected is not related to primary purpose for which it was collected or the PII was disclosed to third parties.

(b) (Unsubscribe Options) All newsletters and promotional email messages that are sent to users, apart from the messages the user has agreed to receive as a condition of using the service, must include an unsubscribe link.

Page 33

Privacy: What must a business really do?

(c) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any PII on your site without the knowledge and permission of their parent or guardian. If there are certain web pages within your Site that require users to be at least 13 years of age, anyone under the age of 13 should be restricted from participating in such web page activities.

(d) (Data Security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing PII, to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you must also implement reasonable security procedures, such as encryption, to protect Personally Identifiable Information.

Page 34

Privacy: What must a business really do?

(e) (User Access) Inform users how to access and change the PII provided by them to you.

(f) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.

Page 35

For Discussion

Self-regulatory compliance and Industry “best practice” guidelines:

Seal programs: BBB Online (http://www.bbbonline.com), or

TRUSTe, (http://www.truste.com). What significance?

Winter/Spring 2012: FTC/White House/DoC Initiatives

Page 36

Andrew T. Mirsky [email protected]

(202) 339-0303 www.mirskylegal.com

@mirskylegal

318 West 14th Street

4th Floor

New York, NY 10014

2301 N Street, NW

Suite 313

Washington, DC 20037