Privacy and Business: What MUST You Be Aware Of?
Basic Privacy Obligations of a New Business in the US
Andrew T. Mirsky, Mirsky & Company, PLLC
Mirsky & Company, PLLC has provided this presentation for general informational purposes only. It is not intended as professional counsel and should not be used as such. You should contact your attorney to obtain advice with respect to any particular issue or problem.
Basic Privacy Obligations of a New Business in the US-- What must you do to protect your clients' privacy? We emphasize those areas which may expose you to legal liability and which policies you should be aware of. This presentation is a valuable resource for businesses that operate in the U.S. and interact with consumer information.
Transcript
Andrew T. Mirsky, Esq.
• Principal, Mirsky & Company, PLLC, DC and NY (www.mirskylegal.com)
• Formerly in-house counsel with National Journal and Atlantic Monthly magazines
• Clients in new media and technology; practice covers intellectual property, corporate and finance, privacy, joint ventures and partnerships, and employment and HR matters.
• Founder, Media Future Now (www.mediafuturenow.com)
This is not a policy discussion, but rather a discussion of what businesses must be aware of and what areas expose all businesses to legal liability. We will not address consumer privacy, nor HIPAA, Gramm-Leach or employment-specific privacy, nor non-US (particularly EU) law. Those are topics for another day. This is meant to address privacy from the perspective of the general privacy considerations for a company doing business in the United States and interacting with consumer information.
Introduction
1. From Kelley Drye & Warren’s 2/16/12 seminar, "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends," quoting Peter Swire, Law Professor at Ohio State University: Professor Swire noted that, while it is unclear whether Congress will pass consumer privacy legislation in the current session, the level of ongoing regulatory activity is forcing businesses to reevaluate their existing privacy practices and policies.
2. From John Heitman, in NextDailyDeal.com, discussing Groupon’s recent aggressive changes to its privacy policy: An online marketing business using consumers’ personal information must do so carefully in order to limit its exposure to private class action litigation, Federal Trade Commission (FTC) investigations and enforcement, state attorneys general actions, and more. Groupon’s changes won’t satisfy everyone, but they certainly take the company in the right direction and much of what’s been done can serve as an example for others mindful of (or needing to be mindful of) their corporate privacy posture and the risks that come with it.
I. Background
1. "… voluntarily disclose and say you'll do) accounts for much of US privacy law," rather than positive requirements of law. Meaning: as long as you disclose, you can pretty much do anything you want.
2. The disclosure rule is still largely how it works in the US. So, for example, the new privacy policies of Google (notoriously) and Groupon (less notoriously) show companies proactively getting out ahead of regulators by "putting it all out there".
Groupon: (a) Disclosures to third-party partners: very clear, very transparent statements of what disclosures are made to third parties. (There is a lot of recent case law in this area.) (b) Tracking and OBA (online behavioral advertising): what tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance are pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even where the tracking is provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
3. Big caveat: how things are changing. With increasing threats of regulatory scrutiny, enforcement action and class-action litigation, increased noise from Congress and state legislatures, and increasingly standardized "best practices" issued by non-governmental SROs (self-regulatory organizations), the reaction has been to voluntarily become more protective, not just in terms of transparency but in substance as well.
Example: affirmative consent is not generally legally required, but businesses now almost universally seek affirmative consent to statements of privacy practices and disclosures about the collection of data, particularly when it comes to OBA.
II. Laws and SROs
1. What privacy laws must businesses be aware of? It depends on the business. Particularly in the US, so many different situations could apply. For example, does HIPAA apply? Yes, if user medical or healthcare information is involved. Do financial information laws apply, e.g. Gramm-Leach? Yes, if personal financial information is involved. What state laws apply? Depends on what states you're "doing business" in. "Which laws apply" can't be answered in the abstract, because "it depends": there are some general "best practices" and guidelines developing, but specifics matter.
• Data security laws always apply: (1) Federal Trade Commission (FTC): “unfair and deceptive trade practice” under FTC Act Section 5 to hold personal data without providing adequate security. (2) California (+ Illinois + many others) requires companies to implement “reasonable security measures” for handling personal information. (3) Minnesota imposes strict liability on companies that retain credit card data for damages caused by data breaches. (4) COPPA.
Massachusetts then goes beyond most other states with its requirements for administrative, technical, and physical safeguards.
From ongoing employee training and data access controls to encryption, malware protection and taking responsibility for third party service providers, it looks to me like Massachusetts, like Nevada, is emulating the standard used by the Payment Card Industry (PCI DSS). And if information security is the goal, that makes sense. Why reinvent the wheel? The Payment Card Industry Data Security Standard has been evolving over many years through the efforts of card issuers like Visa, MasterCard, Amex, and
Who does it apply to? "Every person that owns or licenses personal information about a resident of the Commonwealth."
Always apply: (1) FTC (under Section 5 of the FTC Act): "unfair and deceptive trade practice" statutes governing noncompliance with published privacy policies. (2) State Attorneys General enforcing the same under state "Baby" FTC Acts.
2. Don't ever forget contract law: class actions and private rights of action for breaches of published privacy policies, which are binding contracts.
3. What if you "do business" in every state? Not unrealistic. How do you possibly comply with every state law?
• Oftentimes, you might not be able to. What some companies do: look to the "leading" states when it comes to privacy and data security, and realistically comply with the most restrictive.
• What states? California. Massachusetts. Definitely the state you're based in and all states in which you expect to do most of your business. More and more states have laws like Illinois' "Personal Information Protection Act", addressing data security responsibilities, including notification responsibilities, setting up toll-free numbers, credit monitoring services, etc. The reality is that you don't have to provide these services to residents of all states, but it's somewhat impractical to set up your business practices based on cherry-picking different state law requirements for different users of your services.
4. FTC and SROs – Guidelines and “Best Practices”
• FTC Report (3/26/12): The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.
• Small Business Exception: What about small businesses? To minimize the effect on smaller companies, the final framework doesn’t apply to them if they collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.
III. Actual Privacy Practices
1. Must you have a privacy policy?
Non-mobile: no general federal requirement, but California's Online Privacy Protection Act (see item 2 below) effectively requires one for any site collecting PII from California residents. Mobile: yes (in California, for California users).
2. Should you have a privacy policy?
Yes. Is "having a privacy policy" the end of your job? No. Law and practice in the US has evolved to require not only (effectively) having a privacy policy, but also having certain prescribed disclosures in that policy.
And some states (e.g. California) have moved toward requiring an actual policy, which is a growing trend anyway. (1) The California Online Privacy Protection Act requires a website to "conspicuously post" a privacy policy if it "collects and maintains personally identifiable information from a consumer residing in California," and "personally identifiable information" is defined broadly. (2) The California AG's agreement with the Google and Apple app stores requires app makers to submit privacy policies as part of the application submission process.
3. Privacy policy or not, what must you really do?
(From California law:) Conspicuously disclose:
(a) Information Collected: categories of personal information the website collects.
(b) Categories of third parties with whom the company shares the information.
(c) How the user can review and request changes to their information collected by the company.
(d) How the company notifies users of material changes to its privacy policy.
(e) The effective date of the privacy policy.
eTrust (privacytrust.org) requires these additional elements for "seal" privacy certification:
(f) (Option not to provide PII) A user of the site must be given the option of not giving their PII if the information collected is not related to the primary purpose for which the information was collected or the PII was disclosed to third parties.
(g) (Unsubscribe options) All newsletters and promotional email messages sent to users, apart from the messages the user has agreed to receive as a condition of using your service, must include an unsubscribe link.
(h) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any personally identifiable information on your site without the knowledge and permission of their parent or guardian. If certain web pages within your site require users to be at least 13 years of age, anyone under 13 should be restricted from participating in such web page activities.
(i) (Data security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing Personally Identifiable Information to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you must also implement reasonable security procedures, such as encryption, to protect Personally Identifiable Information.
(j) (User access) Inform the user how to access and change the Personally Identifiable Information they provided to you.
(k) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance are pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
IV. The Whys and Wherefores
1. Compliance and Practicality:
• Part legal compliance, but part also practical: increasing use of tracking. IE 9 Tracking Protection uses Tracking Protection Lists (TPLs) to let users control content delivered by third-party companies to any website they are visiting. The intent of this feature is to give consumers choice regarding both the collection and use of third-party tracking information. Getting an "Allow" certification (from TRUSTe or another certification company) overrides "Block" settings in TPLs, allowing delivery of content, products and services.
• The reality: user expectations are established by a company's stated privacy policies or through actual practice. For example, on the PrivacyChoice blog, the CEO of PlaceIQ [www.placeiq.com] explained that Apple and Android have already established user expectations about consent. Location-based services in the operating system provide very precise location information, but only through a user-consent framework built into the OS. This creates a baseline user expectation about consent for precise location targeting.
Significance of “Personally Identifiable Information” (PII)?
Most privacy obligations apply ONLY to handling of users’ PII.
What is PII? (a) PII Generally:
Name (full name or first initial and last name), maiden name
Email address or other online contact information such as instant messaging identifier
Home or other physical address
Telephone number
Credit card or debit card numbers
Bank account numbers
Social Security number
Driver’s license number or state issued ID card number
Passport number
Taxpayer identification number
Personal characteristics such as photographic images (especially of the face or another identifying characteristic), fingerprints, or other biometric data (e.g. retina scan, voice signature, facial geometry)
What is PII? Massachusetts and California: zip codes are PII.
Trend: industry is moving away from overly legal distinctions and simply treating anything that is reasonably "personal" as PII, essentially removing the middle "identifiable".
What is PII? From the FTC Report (3/26/12): The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be "reasonably linked" to consumers, computers, or devices. The final report concludes that data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.
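The FTC's "reasonably linked" test turns on whether the data a company releases can be tied back to a person. The Python below is an added example written for this page, not the presenter's code and not anything the FTC prescribes; it shows one way to de-identify a user record using the PII tiers listed on this page (direct identifiers dropped, persistent identifiers replaced by keyed pseudonyms, "not PII" fields passed through, unclassified fields dropped). It also shows the mistake of unkeyed hashing, which a downstream recipient can reverse with a dictionary of candidate values. The field names, the sample record and the key are constructed for illustration; HMAC-SHA256 is the pseudonymization technique chosen here, not one the page names.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Field tiers drawn from this page's PII lists; the field names themselves are
# constructed for the example.
DIRECT_PII = {"name", "email", "phone", "address", "ssn", "card_number"}
PERSISTENT_IDS = {"user_id", "cookie_id", "ip"}
NOT_PII = {"browser", "timezone", "language", "device_type", "referrer"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). Stable for joins within one
    release, but without the key a recipient cannot hash guesses to match it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def naive_hash(value: str) -> str:
    """Unkeyed hash: looks anonymous, but anyone can hash a guess and compare."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def deidentify(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Build the record that leaves the company. Direct identifiers are
    dropped, persistent identifiers are tokenized, non-PII passes through,
    and any field not explicitly classified is dropped (treat the unknown as
    personal, per the trend noted on this page)."""
    released: Dict[str, str] = {}
    for field, value in record.items():
        if field in PERSISTENT_IDS:
            released[field] = pseudonymize(value, key)
        elif field in NOT_PII:
            released[field] = value
        # DIRECT_PII and unclassified fields are deliberately omitted
    return released


def contains_direct_pii(record: Dict[str, str]) -> bool:
    """Release gate: refuse any data set that still carries a direct identifier."""
    return any(field in DIRECT_PII for field in record)


def dictionary_reidentify(token: str, candidates: List[str]) -> Optional[str]:
    """What a downstream recipient can do to an unkeyed hash: hash every
    plausible value (e.g. a purchased e-mail list) and look for a match."""
    for candidate in candidates:
        if naive_hash(candidate) == token:
            return candidate
    return None


# Constructed sample record. The key would live in a secrets store and must
# never ship with the released data set.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "user_id": "u-1001",
    "ip": "203.0.113.7",
    "browser": "Firefox",
    "timezone": "America/New_York",
    "loyalty_tier": "gold",  # unclassified: dropped
}
RELEASE_KEY = b"example-only-key-keep-the-real-one-in-a-secrets-store"

if __name__ == "__main__":
    released = deidentify(SAMPLE_RECORD, RELEASE_KEY)
    print("released:", released, "direct PII present:", contains_direct_pii(released))
    guesses = ["bob@example.com", "alice@example.com"]
    print("unkeyed hash recovered:", dictionary_reidentify(naive_hash("alice@example.com"), guesses))
    print("keyed token recovered:", dictionary_reidentify(pseudonymize("alice@example.com", RELEASE_KEY), guesses))
```

Note that the key holder can still re-identify the tokens, which is why the FTC test pairs the technical measure with a commitment not to re-identify and a contractual bar on downstream recipients; a keyed token is only "not reasonably linked" for a recipient who never sees the key.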
What is PII? (b) Potential PII (not by themselves):
A persistent identifier such as a generic customer/ user value held in a “cookie”
IP (Internet Protocol) address or host name
Date of birth, age
Racial or ethnic background
Religious affiliation
Gender
Marital status
Employment information
Medical information
Financial information
Credit information
Student information
What is PII? (c) Sensitive PII: PII which, if lost, compromised, or disclosed without authorization, either alone or with other information, carries a significant risk of economic or physical harm; or information related to (i) a particular medical condition or a health record or (ii) the religious affiliation of an individual.
What is PII? (d) Not PII:
Browser type
Browser plug-in details
Local time zone
Date and time of each visitor request (e.g. arrival and exit on each web page)
Language preference
Referring site
Device type (e.g. desktop, laptop, or smartphone)
Screen size, screen color depth, and system fonts
Caveat: individually these are not PII, but in combination (plug-ins, fonts, screen parameters, time zone) they can form a browser fingerprint that singles out one device, so for a data set that retains them together the FTC's "reasonably linked" test, not the field label, should drive the analysis.
Major Laws (generally) applicable to privacy in the US (from business perspective):
FTC Act Section 5
State “Baby” FTC Acts
State (e.g. CA) Privacy Laws
State Data Security Laws (e.g. MA, IL, MN, etc.)
HIPAA (medical and health information)
Gramm-Leach (financial information)
COPPA
Are there major differences between mobile and non-mobile?
• Yes, particularly because of FCC oversight of mobile (not applicable to non-mobile), and the application of issues like sharing of customer proprietary network information ("CPNI"), including geographic location information. The FCC is not claiming oversight of the internet beyond mobile, but the FTC is claiming oversight of mobile as well (FTC public workshop 5/30/12).
Privacy: What must a business really do?
Conspicuously disclose (absolute minimums):
(a) Information Collected: categories of personal information the website collects.
(b) Categories of third parties with whom the company shares the information.
(c) How the user can review and request changes to their information collected by the company.
(d) How the company notifies users of material changes to its privacy policy.
(e) The effective date of the privacy policy.
But also … (from SRO and "seal" program certifications):
(a) (Option not to provide PII) Users are given the option of not giving PII if the information collected is not related to the primary purpose for which it was collected or the PII was disclosed to third parties.
(b) (Unsubscribe options) All newsletters and promotional email messages sent to users, apart from the messages the user has agreed to receive as a condition of using the service, must include an unsubscribe link.
(c) (COPPA) If a user has stated that he/she is under 13 years of age you should not collect any PII on your site without the knowledge and permission of their parent or guardian. If certain web pages within your site require users to be at least 13 years of age, anyone under 13 should be restricted from participating in such web page activities.
(d) (Data security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing PII to assure that the data are accurate, complete and timely for the purposes for which they are to be used; and you must also implement reasonable security procedures, such as encryption, to protect PII.
(e) (User access) Inform users how to access and change the PII they provided to you.
(f) (Tracking and OBA) What tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance are pushing for standardization of (1) transparency about data collection practices and how collected data is used and (2) easier access to opt-out options from tracking, even if provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.
For Discussion
Self-regulatory compliance and industry "best practice" guidelines. Seal programs: BBB Online (http://www.bbbonline.com) or TRUSTe (http://www.truste.com). What significance?