privacy and data protection cle presentation for touro law center

Perfect for Practice CLE:Privacy and Data Protection

in BusinessProf. Jonathan I. Ezor

Director, Center for Innovation in Business, Law and Technology

jezor@tourolaw.edu

@ProfJonathan on Twitter

Perfect for Practice CLE

Touro Law Center

January 19, 2014

Privacy Has Dual Meaning In Business

World• Freedom from having behavior monitored

– In person– Over the Internet

• Protection of “Personally Identifiable Information”– Any fact(s) that can identify a unique individual– Issues of use, misuse and disclosure

• PII more often subject of laws, policies• Digital age added significant weight to privacy

issues

jezor@tourolaw.edu

Consumer Privacy:Value Versus Value

• Consumers may benefit from information use– Regular customers’ preferences known– Sales linked to previous purchases

• Businesses benefit from collecting, using information– PII– Behavior (purchases, etc.)

• Issue is balancing value to consumer against value of consumer

jezor@tourolaw.edu

E-Commerce Case Study:Who’s Involved inOnline Retailing?

• One major challenge for accurate privacy policy is online retailing

• Many third parties involved• Need to consider all ways information will be shared,

used when creating or modifying policy

jezor@tourolaw.edu

ISP COURIER

SUPPLIER

CUTEFUZZYBEARS.COM HOST

WAREHOUSE

$ ISSUING

BANK

$ CREDIT

CARD PROCESSOR

$ CREDIT

CARD PAYOR

BUYER RECIPIENT

$ CHECKING ACCOUNT

AN E-COMMERCE ROADMAP

VISA/MC/AMEX

©2003 Jonathan I. Ezor

Fair Information Practice Principles

• Evolving set of best practices & recommendations

• Arose at outset of information age (early 1970s)• Revised, restated over time• Inform both self-regulatory and legislative

approaches• Key concept: consumer empowerment

jezor@tourolaw.edu

Fair InformationPractice Principles:

FTC 1998 Privacy Online Report

• Notice/Awareness• Choice/Consent• Access/Participation• Integrity/Security• Enforcement/Redress

jezor@tourolaw.edu

2012 White House Consumer Privacy Bill of Rights

• Individual control over what personal data organizations collect from them and how they use it

• Transparency that allows consumers to easily understand information about privacy and security practices

• Respect for the context in which consumers provide data• Security and responsibility in the way companies handle personal

data• Access to personal data in usable format and an ability to correct

errors• Reasonable limits on the personal data that companies collect and

retain• Accountability as to how companies handle personal data

jezor@tourolaw.edu

Self-Regulation vs. Legal Mandate

• U.S. default generally self-regulation– Organizations responsible for own practices– Enforcement under consumer protection authority (e.g. FTC

Act)• Call for legislation when self-regulation fails or

inappropriate– Vulnerable populations– Overly sensitive information

• FTC monitors self-regulation, reports to Congress• 1999 FTC call for general online privacy law unheeded

jezor@tourolaw.edu

Privacy Policy:Primary Self-Regulatory

Method• Consumers must be informed to make proper

decisions regarding use of their information• As with securities, information provided through

disclosure, via privacy policy• Privacy policies should conform to Fair

Information Practice Principles• Accuracy a key requirement• FTC, others may penalize inaccurate privacy

policiesjezor@tourolaw.edu

Privacy and Electronic Communications:

Three Major Statutes

• Privacy of electronic communications generally protected

• Three major statutes cover these issues:– Wiretap Act: 18 USC §§ 2510-22– Pen Register statute: 18 USC §§3121-27– Stored Communications Act: 18 USC §§2701-11

• Each covers different part of communications• Note that these are separate from constitutional

protections

jezor@tourolaw.edu

CA “Shine The Light” Law Adds Requirements to

Policies

• California Civil Code § 1798.83 went into effect 1/1/05

• Gives CA residents control of how information is shared

• Requires disclosure to CA residents of recipients of information

• Mandates language in privacy policies• Recently revised• MA also has data privacy-related laws requiring

encryption

jezor@tourolaw.edu

EU Data Protection Directive Another

Major Factor

• Restrictive rules covering collection, export of data about EU residents

• Could prevent transfer to US– Problem for multinational companies– Many Web site owners affected

• US Dept. of Commerce worked with EU to create Safe Harbor

• Other countries also have major privacy laws

jezor@tourolaw.edu

COPPA: The Children’s Online Privacy

Protection Act of 1998

• Web sites targeting or appealing to children• Covers information from children under age 13• Requires clear and frequent disclosure• Mandates verifiable parental consent• FTC has enforcement jurisdiction

jezor@tourolaw.edu

COPPA Case Study: Ohio Art Company

• Ohio Art is the maker of Etch-A-Sketch• Site collected information, suggested parent permission

rather than requiring prior parental consent• Fined $35,000 in April 2002 by FTC for COPPA violations in

“Etchy’s Birthday Club” Web site• Mrs. Fields Cookies fined $100,000, Hershey Foods $85,000

in 2003• Universal Music (owners of Motown and others) fined

$400,000 in 2/2004 (lilromeo.com)• Xanga.com fined $1,000,000 in 9/06• Imbee.com fined $130,000 1/30/08• Sony BMG Music fined $1,000,000 12/11/08

jezor@tourolaw.edu

2012: FTCRevision to COPPA Rule

• FTC evaluated, revised COPPA rule in 2012• Sought input on changes due to

– New online technologies– Multiple parties (e.g. advertisers) collecting from single

resource• Published two RFCs:

– http://ftc.gov/os/2011/09/110915coppa.pdf– http://ftc.gov/os/2012/08/120801copparule.pdf

• Published final rule in December 2012 (effective 7/1/13): http://ezor.org/paq3z

• Continues enforcement: $1 million penalty against Artist Arena (http://ftc.gov/opa/2012/10/artistarena.shtm)

jezor@tourolaw.edu

Gramm-Leach-Bliley: Financial Information Disclosure

Requirements• GLB mandates disclosure of information use by

those engaged in “financial activities”• Customers have right to opt-out of planned

disclosure to 3rd parties• FTC defines “financial activities” broadly

– Any entity giving financial or related advice– Attorneys, CPAs have been exempted

jezor@tourolaw.edu

HIPAA Privacy Rules: Wide-Reaching and Burdensome

• Rules enacted by HHS under Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Rules cover receipt and disclosure of “individually identifiable health information” by health plans, health care clearinghouses, and certain health care providers

• Went into effect 4/14/03 for most covered entities• “Business Associates,” companies serving covered

entities, must certify compliance with HIPAA privacy rules in written agreement

• HITECH Act signed 2/17/09 revises HIPAA rules further

jezor@tourolaw.edu

http://ezor.org/nai8d

Data Breach: Prevention and

Disclosure• Increasing number and severity of data breaches

has encouraged legislative and regulatory action• Focus on identifying and addressing potential

risks before occurrences• Growing mandates for disclosing breaches when

they occur

jezor@tourolaw.edu

FTC Red Flags Rule

• Covers all businesses that maintain ongoing billing accounts

• Requires ongoing audits of potential “red flags”• Enforcement repeatedly delayed• http://ezor.org/redflagsrule

jezor@tourolaw.edu

Self-Regulationand Trade

Assocations

• PCI Security Standards (https://www.pcisecuritystandards.org/)

• NAIC draft proposals• Financial security statements in privacy policies• Internal controls

jezor@tourolaw.edu

Privacy Law Enforcers

• Federal Trade Commission• Industry Regulators• State Attorneys General• Class Action Lawsuits

jezor@tourolaw.edu

FTC Promotion of Consumer Privacy

• Enforcement actions• Education• Support for privacy legislation• Encouragement of industry self-regulation

jezor@tourolaw.edu

FTC Enforcement Authority

• Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45

• “[U]nfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”

• Grants the FTC power to investigate and prevent• Judicial action

– Injunctions– Restitution

jezor@tourolaw.edu

2011 Google and Facebook Settlements

• Requires obtaining consumers’ affirmative express consent before materially changing certain data practices;

• Requires adopting company-wide privacy programs that outside auditors will assess for 20 years.

• 2012 enforcement of Google settlement– “misrepresented” to users of Safari Internet browser that it

would not place tracking “cookies” or serve targeted ads to those users

– agreed to pay a record $22.5 million civil penalty

jezor@tourolaw.edu

Other Recent Enforcement Targets

• Online advertising networks that failed to honor consumer opt out of tracking by advertisers.

• Mobile applications that violated the Children’s Online Privacy Protection Act

• Entities that sold consumer lists to marketers in violation of Fair Credit Reporting Act

• Companies that fail to maintain reasonable data security• Applications that set default privacy settings in a way that

caused consumers to unwittingly share their personal data

jezor@tourolaw.edu

2012 FTC Privacy White Paper

http://ezor.org/bbdjq

Purpose and Scope of White Paper

• Articulate best practices• Assist Congress • Limitations

– Not intended to extend existing legal obligations

– Not applicable to business that collect information from less than 5000 consumers a year and do not share with 3rd parties

jezor@tourolaw.edu

“Best Practices” Promoted by White

Paper

• Privacy by Design• Simplified Choice • Greater Transparency

jezor@tourolaw.edu

Initiatives Promoted by FTC

• “Do Not Track”• “Short, meaningful mobile service disclosures • Address consumers’ “lack of control over” data brokers • Scrutinize “comprehensive” tracking of consumers online

by “large platform providers” - e.g. ISPs, operating systems, browsers and social media

• Promoting Enforceable Self-Regulatory Codes– FTC staff working with industry to develop codes– Promoting enforce compliance with codes through FTC Act

enforcement

jezor@tourolaw.edu

Privacy by Design

• “Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services”

• “Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services”

jezor@tourolaw.edu

Implementing Privacy by Design

• Data Security• Reasonable Collection Limits• Sound retention• Disposal Practices• Data accuracy

jezor@tourolaw.edu

Simplified Choice

• “Companies should simplify consumer choice.”• Practices that do not require choice

– Data uses consistent with the context of the transaction– Data uses consistent with company’s relationship with

consumer– Data uses specifically authorized by law

• Practices that require “Affirmative Express Consent”– Using consumer data in a materially different manner

than claimed when the data was collected– Collecting sensitive data for certain purposes

jezor@tourolaw.edu

What Constitutes “Choice”

• Opt-in v. opt-out?• Pre-checked boxes?• Clear and conspicuous disclosure?

jezor@tourolaw.edu

Simplified Choice and“Do Not Track”

• Tracking technologies• “Do Not Track” Tools

– Browser settings– DAA’s Icon-based tool– W3C Development of International Standards– Impact of EU Cookie Directive

• “Do Not Track” and the “Free Internet”

jezor@tourolaw.edu

Transparency

• Companies should increase the transparency of their data practices.”

• Privacy notices– Clearer, shorter, more standardized?– Privacy icons?

• Access– Companies should provide “reasonable access” to

consumers– “Proportionate to the sensitivity of the data and the

nature of its use”

• Educate consumers about privacy practices

jezor@tourolaw.edu

Transparency and Data Brokers

• Regulation under FCRA• FTC Recommendations for Legislation• Senator Rockefeller’s Initiative

jezor@tourolaw.edu

Olshan Frome Wolosky Privacy Policy:

Questionnaire:General Information

– Corporate or other official entity name: – Business address(es) of entity:– Does the entity have offices, facilities or remote workers

based in other states? If so, which?– Does the entity have offices, facilities, remote workers

or customers based in other countries? If so, which?

jezor@tourolaw.edu

More General Information– Names and URL of Web site(s) for which policy is being

created (if any):– Description of Web site(s):– Is/are Web site(s) part of offline business as well?

• If so, describe offline business• Are data shared between online and offline operations?

– Is this policy for a specific site/business unit or across the entire corporation?

jezor@tourolaw.edu

More General Information• Is/are the entity’s Web site(s) hosted by a third party?

• If so, what third party?• Does the third party provide any other services (e.g. e-mail

transmission services) to the entity?• Is there a written agreement with that third party for the hosting

service?• Does the written agreement protect the confidentiality of

information shared by the entity (its own and/or user information collected by the entity)?

– Are goods or other tangible products shipped to users through postal mail and/or couriers?

– Are there any other third party service providers who may have access to the databases or transmission network through which data is collected and stored?

jezor@tourolaw.edu

Data Collection– What specific categories of information are collected

from:• Forms filled in by the user on the Web site?• Purchases made by the user on the Web site?• E-mail sent by the user?• Analysis of server logs?• Postal mail sent by the user?• Telephone calls from the user?• Faxes from the user?• Third-party databases with which the user is matched?• Other (specify)?

jezor@tourolaw.edu

More Data Collection– Is the user’s age or birth date requested or

collected?• If so, is it possible for the user to enter data

indicating the user is under 13 years of age?• If the user indicates he/she is under 13, is that data

collected, segregated or rejected?• If rejected, using what method?

– What method(s) of data protection and access control (if any) are in place?• Physical• Electronic (detail on security measures)

– Are backups of the data stored offsite with a third party?

jezor@tourolaw.edu

Use of Information– How is the information currently used by the entity

collecting it? (Please provide details.)– How may the information be used by the entity in the

future?– Is the entity currently sharing the information with other

corporate affiliates or business units within the same corporation?

– Does it plan to do so in the future?

jezor@tourolaw.edu

More Use of Information– Is the entity currently communicating with users on

behalf of a third party?• If so, through what method(s)?• Is the third party provided with the user information?

– Is the entity currently providing the information to a third party for marketing purposes?

– Is the entity currently providing the information to a third party for internal services (e.g. list management or analysis)?

jezor@tourolaw.edu

User Access to Information

– Can a user request information collected about him/her?• If so, through what method?• In what form/format is the information provided?

– Is there a method through which the user can correct errors?• If so, what is it?• How quickly is the correction done?

jezor@tourolaw.edu

Regulatory and Legal Compliance

– Is the entity a member of any trade associations?• If so, is there a policy about data collection and use

mandated for association members?

– Does the entity have a current privacy policy?• If so, please attach a copy of it to this response.• How is it provided to users?• If online, what is its URL?• Is it currently accurate as to information collection?• Does it provide for a method by which changes can

be made and publicized? If so, what are they?

jezor@tourolaw.edu

More on Compliance

– Has the entity been involved in any legal compliance or enforcement activity related to privacy or data collection?• If so, please describe it.• Has the entity been involved in any other

consumer protection legal compliance or enforcement activity?

jezor@tourolaw.edu

Contact Information– Does the entity have an automated list removal

process?• If so, how does it work?

» Does it remove data from all databases?» Does it apply to 3rd parties to whom information may be

shared?• If not, please provide:

» An e-mail address to which users can address removal requests

» A postal address to which users can address removal requests

jezor@tourolaw.edu

More on Contact Information

– Which person(s) at the entity are responsible for managing removal requests?

– Please provide an address (e-mail or postal) through which California users can request information on how their information has been shared.

jezor@tourolaw.edu

QUESTIONS?

Prof. Jonathan I. Ezorjezor@tourolaw.edu

@ProfJonathan on Twitter