2. Comparing Privacy and Security
Privacy
• Concerned with collection and use of data
– What type of data is being collected?
– Why is the data being collected?
– Are you collecting more than needed?
– How may the data be used?
– Are there harms from collecting or using it?
– Who should be permitted to access the data?
Security
• Concerned with the protection of data from unwanted access or loss
• Measures taken to prevent:
– Unwanted intruders
– Loss of data
– Violations of data integrity
3. Privacy is a Fundamental Right
No one shall be subjected to arbitrary interference
with his privacy, family, home or correspondence, nor
to attacks upon his honor and reputation. Everyone
has the right to the protection of the law against such
interference or attacks.
- Universal Declaration of Human Rights – Art. 12
2 of 33
4. Categories of Information
• “Personally identifiable information” (PII)
• Can be linked to a specific individual
o Name, e-mail, full postal address, birth date, social security number, driver’s license number, account numbers, username, biometric data
• “Non-personally identifiable information” (non-PII) cannot, by itself, be used to identify a specific individual
› Aggregate data, zip code, area code, city, state, gender, age
• Gray Area: may potentially be PII
› Anonymized, de-identified or pseudonymized data
› Non-PII may become identifiable when linked with other data such as persistent identifiers
o Geolocation data
o Site history and viewing patterns
5. Privacy Legal Framework
• U.S. has a patchwork of laws and regulations governing the collection, use, and security of personally identifiable information
• Challenges: which laws apply to which data
• How to comply with multiple laws (often inconsistent)
• FTC
• State laws
• Federal sectoral laws (HIPAA, GLBA, FERPA, etc.)
• Email laws: CAN-SPAM, CASL
• Children’s data (COPPA)
• Telephone Consumer Protection Act
• Various laws applicable if using “big data”
• Self regulatory regimes
• Laws of other countries
6. Federal Trade Commission
Authority from Sec. 5 of FTC Act: “unfair and deceptive practices in or affecting commerce”
• Deceptive: “material representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment”
› Use/dissemination of PII in violation of a privacy policy
› Insufficient notice re: data collection/use practices (downloading spyware onto computer without consent)
› Poor security practices if promised otherwise
• Unfair: likely to cause substantial injury to consumers without countervailing benefit to consumers or competition, and is not reasonably avoidable
› Retroactive changes, deceitful collection, improper use, unfair design/default settings, “unfair” data security practices, more
7. Federal Trade Commission (cont.)
Fair Information Practice Principles (FTC in 1998, but concepts around much earlier)
• Notice: provide appropriate notice re: collection, use, other practices
• Choice: provide choice re: actions with data
• Access: individuals should be able to know what is being done with their data
• Security: data should be adequately protected
• Enforcement: sanctions for noncompliance
Privacy policy disclosures (web and mobile):
- Follow FIPPs and disclose accordingly
- Obtain consent as appropriate based upon nature of the data/uses
- Say what you do/do what you say
- Examples of enforcement:
- Misrepresentation re: privacy of information (Facebook)
- Failure to notify re: unexpected data collection practices (Brightest Flashlight Free)
- Insufficient disclosure of location advertising/tracking (Nomi)
8. FTC: CAN-SPAM
FTC enforcement: up to $16,000 per email
Applies to commercial emails “primary purpose of which is commercial advertisement or promotion”
– Compare with transactional/relationship message
Prohibits knowingly sending of commercial messages with intent to deceive or mislead recipients
If one company sending on behalf of another, both can be liable for violations
9. FTC: CAN-SPAM (cont.)
Basic requirements:
– Opt-out – must include unsubscribe link in every email, must process in 10 business days
› Opt-out means must be functional for 30 days
– No false or misleading header info (sender of message, etc.)
– No deceptive subject lines
– Identify message as an ad
– Include physical address
– Additional requirements for sexually explicit content
10. FTC: COPPA
Children’s Online Privacy Protection Act
• Applies to sites/apps collecting (or enabling collection of info) if:
• Directed at kids or
• Actual knowledge that collecting information from users under age 13 (Yelp)
• Broad definition of information applicable (geolocation, photos, voice, etc.)
• Primary requirements:
– Obtain verifiable parental consent for the collection, use, or disclosure of personal information from children before collected
– Post notice on site re: what information is collected from children, how used, and disclosure practices for such information
– Maintain confidentiality & security of information collected from kids
– Prohibit conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary
11. State Data Privacy/Security Laws
Applicable based on location of the individual
PII covered varies
• Typically first & last name + SSN, driver’s license, credit/debit card, financial acct. number w/ password
• Broader in some states (any online acct/pswd, biometric data, etc.)
Variations – some to watch include
• MA is the most stringent re: security
• Requires written policies with specific elements, and includes computer security requirements, encryption requirements, and much more
• Must oversee service providers (+ contracts)
– NV incorporates PCI and has encryption requirements
12. State Data Privacy/Security Laws (cont.)
California – leader in data privacy
• Online privacy policies
• Policy must be conspicuous
• Websites must disclose
• how they respond to Do Not Track (DNT) signals from browsers and other mechanisms
• whether third parties use or may use the site to track (i.e., collect personally identifiable information about) individual California residents “over time and across third party websites.”
13. State Data Privacy/Security Laws (cont.)
California (continued)
• “Online eraser” law for minors
• Sites and apps “directed” to minors, or that have actual knowledge that a user is a minor, must allow registered users under 18 to remove (or ask the provider to remove or anonymize) publicly posted content
• Must disclose information shared for direct marketing purposes (upon request)
• Restricts online advertising of certain categories to under 18
14. State Data Privacy/Security Laws (cont.)
Illinois Biometric Information Privacy Act
• “Biometrics” is the measurement and analysis of an individual’s physical and behavioral characteristics
• May include fingerprints, voice prints, vein patterns in a palm, retinal scan, etc.
• Requires
• informed consent prior to collection - “written release”
• Disclose specific purpose and length of term for which information is collected, stored and used
• Recent class actions (Facebook, Shutterfly, employees re: time tracking tools)
15. State Data Breach Notification Laws
48 states currently have data breach notification laws
Based on location of the data subject
Notification requirements vary among states/countries/provinces
Different definitions of personal information
Triggers for notification obligations (access, risk of harm)
Encryption safe harbor (unless key accessed)
Content of notification
Timing of notification
Parties to be notified (state AG, credit bureaus, others)
Credit monitoring required
Notification to media if can’t contact the data subjects
16. “Little FTC Acts” – State Laws
Focus on unfair/deceptive trade practices
State law elements vary
– Typically private right of action
– Some include punitive damages
CO Consumer Protection Act:
• Private citizen must prove five elements:
(1) unfair or deceptive trade practice;
(2) in the course of the defendant’s business;
(3) significantly impacted actual or potential customers;
(4) the plaintiff suffered an injury to a legally protected interest;
(5) the deceptive trade practice caused the plaintiff’s injury
17. Telephone Consumer Protection Act - TCPA
FCC enforcement
• Prior express consent required for autodialed calls/pre-recorded messages (includes texting)
– Burden on company to show proof of the consent (track in CRM)
› Best practice: maintain each consumer’s written consent for at least four (4) years (federal statute of limitations)
– Limited exceptions for established business relationship, nonprofits,
– Consent may not be a condition of purchase
• Do not call list – must check against this before making calls
• $11,000 per incident (e.g. per text message)
• Many class actions!
18. Federal Sectoral Laws
Several federal sectoral privacy laws have provisions limiting sharing and/or use of data (in addition to marketing)
• Gramm-Leach-Bliley Act – disclosure notices, sharing provisions, opt-out
• HIPAA - limitations on use of protected health information for marketing
• Family Educational Rights & Privacy Act – limits use/disclosure of student records
• Video Privacy Protection Act – limitations on certain disclosures (including for marketing)
• Many others
19. Location Based Advertising
• Advertisers can identify real-world location of cell phone and serve targeted ads based on location (GPS, RFID)
• Enables targeting consumers when they are most likely to make a purchase
• Near the shoe store = coupon on phone
• “Geofencing” – create virtual perimeters to facilitate delivery of content based on position of mobile device
• “Beacons” – transmitter using Bluetooth technology to transmit signals to mobile device
• ALWAYS obtain user consent before collecting precise location data
20. Self Regulation – Online Behavioral Advertising
• Leading marketing and advertising industry associations collaborated to form the Digital Advertising Alliance (DAA)
• Initiated a self-regulatory effort and standards for online behavioral advertising (OBA)
• Goal of answering the FTC’s calls to foster transparency, knowledge and choice for consumers re: OBA
• Guidance re: ads on websites, mobile, cross device
• Use DAA icon or otherwise notify that OBA taking place
• Will refer to FTC for enforcement
21. International Privacy Laws - Canada
PIPEDA - Personal Information Protection and Electronic Documents Act
• Applies to all personal data - information ‘about’ identifiable individuals
The Canada Anti Spam Law (CASL) – “Commercial Electronic Messages”
– Messages that encourage commercial activity
– Not messages re: existing business (e.g. invoice)
– Includes SMS
Must ID sender
Consent required (burden on entity to prove this)
– Must opt-in (e.g. checkbox)
– Must allow opt-out
– Can transfer consent, but complex
– Implied consent if inquiry (6 mo. ONLY)
22. International Laws – EU/UK
• EU Data Protection Directive and GDPR (other speaker covering this)
• Extremely broad definition of covered personal data (relating to identified or identifiable person)
• EU Cookie Consent Banner/Policy
• Advance notice/consent for non-essential cookies
• Opt-in required for marketing in EU (double opt-in for Germany)
• May only transfer EU personal data to countries w/ “adequate” protections (U.S. not adequate)
• Privacy Shield
• Model Clause Agreements
• Binding Corporate Rules
23. Big Data
• Where does it come from?
• Purchases/other transactions
• Social media
• US Census
• Technology
• Use of websites/applications
• Cookies (track across sites even unrelated)
• Wi-fi, beacons, sensors
• Emails
• Advanced algorithms are used to interpret data, develop profiles and make predictions about individuals
• Profiles validated and enhanced from data brokers and other sources
24. Potential for Big Data to do good or harm
• Ethical issues will arise; having a framework to consider and mitigate them is a best practice and an emerging legal requirement.
• Weigh benefits and risks of harm, as well as other factors.
• Ensure no disparate treatment/impact (violates equal protection laws)
Ethical issues include:
• Privacy concerns: using data in a way your employees or customers would not have expected
• Discrimination concerns: using data in a way that adversely impacts a segment of stakeholders
25. Best Practices – Do a Privacy Audit
- Determine sources of data
- Do consumers understand how/why it is collected?
- Is the collection “creepy” in any way? More than needed?
- How is data being used?
- Would consumers expect this type of use?
- Has consent been received for the use?
- How long do you need to keep data? (also security issue)
- Which vendors have access to PII
- Limitations on use? Handling of breach? Indemnification?
- Agreements with third party “partners” – data license
26. Best Practices –Privacy Policies
- Needed if collecting any PII online/mobile apps
- Sources of collection
- How data will be used
- If/when it will be shared, and with whom
- Third parties obtaining data through the site/links
- How to opt out of stated practices
- How to contact the company to delete/modify data
- How to obtain a copy of data in the company’s possession
- CA requirements re: tracking
- Notice when privacy practices change
- Legal requirements re: kids, cookies, transfers, etc.
- Don’t make promises you can’t keep!
27. Best Practices – Data Governance
- Determine “data owners” in your company within departments or for different types of data:
- HR
- Sales
- Marketing
- Finance
- Legal
- IT
- Establish who grants permission for data sharing/uses
- Describe which data actions require permission
28. Questions?
Please contact me any time!
dhowitt@lewisbess.com
303-228-2502
Lewis Bess Williams & Weese
1801 California St. #3400
Denver, CO 80202