lexisnexis webinar: mobile privacy: an overview of legal and legislative developments including the...

Mobile Privacy: An Overview of Legal and Legislative Developments A Complimentary LexisNexis® Webinar May 8, 2013 Mary Ellen Callahan, Jenner & Block Orrie Dinstein, Chief Privacy Leader and Senior IT & IP Counsel, GE Capital

Page 1: LexisNexis Webinar: Mobile Privacy: An Overview of Legal and Legislative Developments including the proposed APPS Act and BYOD

Mobile Privacy: An Overview of Legal and Legislative Developments

A Complimentary LexisNexis® Webinar
May 8, 2013

Mary Ellen Callahan, Jenner & Block
Orrie Dinstein, Chief Privacy Leader and Senior IT & IP Counsel, GE Capital

LexisNexis Webinar: Mobile Privacy: An Overview of Legal and Legislative Developments – May 8, 2013

About the Speakers

Mary Ellen Callahan, Chair of Jenner & Block’s Privacy and Information Governance Practice, has unique and broad experience with interfacing the protection of privacy, civil rights, and civil liberties with cybersecurity and national security issues.

A nationally recognized privacy attorney with over a decade of outside counsel experience, she served as Chief Privacy Officer of the U.S. Department of Homeland Security from 2009 until August 2012. She is also a prolific writer and speaker on cutting edge commercial privacy issues.

Mary Ellen is a graduate of the University of Pittsburgh, Bachelor of Philosophy, magna cum laude, and a Juris Doctor from the University of Chicago.

About the Speakers

Orrie Dinstein is the Chief Privacy Leader and Senior IT & IP Counsel at GE Capital, a division of the General Electric Company. He has global responsibility for data protection. Orrie works closely with the IT and information security teams as well as other functions to establish policies, procedures, processes and tools related to data privacy and security and social media related matters. He is also the lead intellectual property lawyer at GE Capital. Prior to joining GE, Orrie was Counsel in the Intellectual Property & Technology group of the New York office of King & Spalding, handling litigation, licensing and corporate matters, and an associate at Proskauer Rose LLP in New York. Before moving to the U.S., he worked for several years in one of Israel's premier law firms, and was an assistant professor at the Tel-Aviv University. Orrie is a frequent speaker on privacy, social media and technology matters and is the author of dozens of articles and book chapters on technology and intellectual property related matters. Orrie received an LL.M. law degree (intellectual property) from New York University School of Law and is a graduate of the Hebrew University of Jerusalem School of Law (LL.B.).

Introduction

Overview of Legal and Legislative Developments in Mobile Privacy

• The Mobile Frontier
• Regulatory and Policy Updates
  • Federal Trade Commission
  • California Attorney General
  • Securities and Exchange Commission
  • Top 10 Takeaways from Recommendations
• International Policy Updates
• Litigation and Enforcement updates
• Proposed State and Federal Legislation
• Bring Your Own Device (BYOD) Impacts

The Mobile Frontier

• Mobile growth is exponential:
  • 70% of shoppers use mobile phone while in retail store
  • 24% of Black Friday sales were via mobile in 2012
  • 58% increase of mobile malware reported in 2012 (Symantec)
  • 28 percent of all mobile phone users and 48 percent of smartphone users had used mobile banking in the past 12 months (Federal Reserve)

• Federal, state, and international regulators are pushing “privacy by design” in the mobile apps arena

• Similarly, companies (employees) are trending towards allowing employee use of personal mobile devices (“Bring Your Own Device”)

Regulatory and Policy Updates

Domestic Regulatory and Policy Actors

• Federal Trade Commission
  • Two reports on mobile apps privacy, focusing on kids
    • Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing (Feb 2012)
    • Mobile Apps for Kids: Disclosures Still Not Making the Grade (Dec 2012)
  • FTC Recommendations: Mobile Privacy Disclosures: Building Trust Through Transparency (Feb 2013)
  • Updated dot Com Disclosures includes examples of mobile disclosure
  • Report on mobile payments, Paper, Plastic, or Mobile? March 2013

• California Attorney General
  • Joint Statement of Principles with Platform Providers, February 2012
  • Letters to 100 App Developers on compliance with California Online Privacy Protection Act (CalOPPA)
  • CA AG Privacy on the Go Recommendations January 2013

• National Telecommunications and Information Administration Multistakeholder process on mobile transparency

Top Takeaways from “Recommendations”

• Transparency is the key – know what is happening on your device/application, and explain it clearly to consumers

• Have privacy policies that encompass mobile activity; these policies should be easily accessible (if possible, before download)

• “Sensitive” information – a/k/a personal information expanding to include geolocation and device_id (others may be added)

• Consider providing “just in time” notices when accessing sensitive information, or unexpected collection of info

• Customer service – have a mechanism for consumers to ask questions about privacy

• Privacy by design incorporated into application/data lifecycle

International Policy Updates

Article 29 Working Party Recommendations

• More detailed transparency requirements
• Proscriptive requirements about what to include in privacy policy (available before download)
• Only collect information that is “strictly necessary”
• Provide ability to delete data
• Policy statement that all U.S.-targeted apps need to comply with EU guidance

Enforcement and Litigation Trends

Federal Trade Commission

FTC Consent Order against mobile device manufacturer HTC America, Inc., February 22, 2013

1. The definition of covered information is very broad, including “individually identifiable information” such as precise geolocation, static IP address, MAC address, cookies, and almost all information on a particular mobile device;

2. The FTC is continuing its pursuit of legal theories against “unfair” data security practices whenever it perceives a security gap; and

3. Although this Consent Order involves a mobile device manufacturer, the conclusions and content could be applied to many participants in the mobile industry.

FTC Consent Order against social network Path, February 8, 2013

4. Deceptive trade practice for collecting mobile address book info, IP address, and device ID without consent

5. Actual knowledge of collecting personal information about kids under 13

6. $800,000 fine for violating COPPA

California AG

• October 31, 2012, California AG sends letters to 100 app developers regarding need to display privacy policy before application download

• December 6, 2012 – California AG sues Delta Airlines for violation of CalOPPA, Cal. Bus. & Prof. Code Section 22575(a)
  • Delta has unique defense, Airline Deregulation Act federal preemption
  • Currently in pleadings stage in CA

• California AG has threatened new lawsuits; whether CalOPPA applies to mobile applications as “online service” issue of first impression

Litigation Trends

Litigation is a growing privacy risk faced by mobile companies. In December 2012 alone, six new class actions were filed alleging privacy violations using a federal law as a basis for the claim.

Litigation and enforcement can include “unfair or deceptive trade practices” relating to misstatement or omission of mobile app activity/information sharing, or unfair data security, e.g.,

• Cal. Bus. & Prof. Code § 17200

• N.Y. Gen. Bus. Law § 349

Federal Telephone Consumer Protection Act, 47 U.S.C. § 227

• Prohibits making calls using an “automatic telephone dialing system or an artificial or prerecorded voice.” 47 U.S.C. § 227(b)(1). A “call” includes text messages.

Legislation

Legislation

• U.S. Congress
  • Application Privacy, Protection, and Security Act of 2013 (APPS Act) discussion draft (Rep. Hank Johnson)
  • Franken Location Privacy bill from last Congress (2012)
  • Markey Mobile Device Privacy bill from last Congress (2012)

• California legislature proposals
  • 100 word privacy policy
  • “Right to Know” – amends Shine the Light to include ways when device IDs shared for marketing purposes
  • California Medical Information Act proposal: “[a]ny business that offers application software that is designed to maintain medical information […] for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.”

Bring Your Own Device

BYOD Overview

• What is BYOD?
• What should companies do to prepare for BYOD?
  • Acceptable use policy / End User Agreement
  • Device management; data deletion; audits; privacy
  • Training
  • Tech support / use of cloud
  • Global issues
• What are the risks of BYOD?
  • Security
  • Discovery
  • Loss of control over company data

Question and Answer Session

Thank You!

Mary Ellen Callahan
Jenner & Block

Orrie Dinstein
Chief Privacy Leader and Senior IT & IP Counsel
GE Capital