1 / 27

Strategies to Avoid Big Privacy “Don’ts” With Personal Data

Strategies to Avoid Big Privacy “Don’ts” With Personal Data. Strata Conference Santa Clara, CA. Alysa Z. Hutnik. February 27, 2013. Topics of Discussion. Recent Consumer Privacy Developments (and what they mean for the rest of 2013) Federal and state regulator activity

arden
Download Presentation

Strategies to Avoid Big Privacy “Don’ts” With Personal Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Strategies to Avoid Big Privacy “Don’ts” With Personal Data Strata Conference Santa Clara, CA Alysa Z. Hutnik February 27, 2013

  2. Topics of Discussion • Recent Consumer Privacy Developments (and what they mean for the rest of 2013) • Federal and state regulator activity • Increased focus on the mobile ecosystem • Relevant enforcement and inquiries • How to Avoid Big Privacy “Don’ts”

  3. Big Data Snapshot • 68% of online users would select an easy-to-use Do Not Track mechanism • Only 14% of online users believe Internet companies are honest about their use of personal data “You are getting this squeeze between a hardening consumer attitude and tighter regulation.” - Mark Little, Ovum

  4. Recent Consumer Privacy Developments “This is a critical juncture in consumer privacy….” - FTC Congressional Testimony, May 2012

  5. Final FTC Privacy Report • A call to action: • Companies to implement best practices on privacy, as set forth in Report • Congress to enact baseline privacy/data security legislation with civil penalties • Industry to accelerate pace of self-regulation • Scope • Commercial entities collecting/using consumer datareasonably linked to specific consumer, computer, or other devices, unless the entity collects only non-sensitive data from fewer than 5,000 consumers/year and does not share it with third parties

  6. Final FTC Privacy Report cont. Privacy Framework Greater Transparency Privacy By Design Simplified Choice

  7. The Latest on “Do Not Track” FTC • Key principles • Universal implementation • Easy to find, understand, use • Persistent choices • Comprehensive, effective, and enforceable • Extend beyond opt-out for targeted ads • New call for DNT in the mobile environment Industry • DNT standards progress slowed • Ad industry seeking exemptions from certain types of tracking and “off” default for DNT setting • Privacy groups want anonymization requirements and limits on data retention • W3C continues to seek a standard that alters the status quo

  8. Comprehensive Online Data Collection • Concerns • Potential for “databases of ruin” through the use of DPI/other technologies • Infringes “intellectual privacy” • Easy to link data to users due to increased use of mobile Internet • Benefits • Enables “free content” model and encourages innovation • Produces novel public benefits by “making information visible”

  9. States’ Focus on Big Data Collection and Use • Maryland AG Doug Gansler elected NAAG President in 2012 • 2012-2013 priority includes online commerce, which could lead to greater state-level scrutiny of online ecosystem participants • January 2013 – launch of new Internet Privacy Unit New privacy initiative will bring “the energy and legal weight of NAAG to investigate, educate, and. . .protect online privacy . . . .”

  10. “[I]t is critical that we keep pace with technological developments that implicate privacy issues.” - FTC Chairman Leibowitz, February 2013 Increased focus on Mobile Privacy

  11. FTC Guidance on Mobile App Privacy • Privacy Recommendations • Shared responsibility among ecosystem stakeholders • Self-policing/enforcement by platform and OS operators • Communication between developers and ad networks / other third-parties • Data Security Guidance • Assign individuals to data security function • Understand security features across different platforms and OS systems

  12. Mobile Apps and Children’s Privacy Under the revised rule, child-directed content providers are strictly liable for personal information collected by third parties through their sites. “FTC is launching multiple nonpublic investigations to determine whether certain entities have violated [COPPA],or engaged in unfair or deceptive trade practices….” - FTC Staff Report, Dec. 2012

  13. States’ Mobile Privacy Efforts California AG • Agreement with mobile platform operators requires apps to provide privacy policy prior to data collection • Lawsuit filed against Delta Airlines for failing to post a privacy policy in its mobile app • Recent mobile app report recommendations focus on “surprise minimization” • Ad groups argue that the report recommendations extend “far beyond” existing California laws

  14. Draft Legislation on Mobile App Privacy The APPS Act • Require disclosure on data collection, use, storage, and sharing • Allow users to signal their wish to have their personal data deleted • FTC would be responsible for enforcement Rep. Hank Johnson (D-Ga.)

  15. Enforcement and Inquiries Privacy policy/User Guide misrepresentations Privacy By Design Flaws Inadequate safeguards Surreptitious PII collection Unauthorized third-party access Deceptive opt-out / PII deletion provisions Alleged COPPA violations Noncompliance with FCRA 15

  16. A Closer Look – Compete, Inc. • Allegations • Web analytics firm failed to disclose extent of data collection • Tracking software used to assess user opinions on products and services collected financial info, SSNs, user passwords, etc. • Settlement Terms • Disclose the data that the firm collects and how such data will be used/shared • Delete the collected personal data and provide users with instructions on how to uninstall the tracking software • Implement a comprehensive data security program with third party audits every 2 years for 20 years

  17. A Closer Look cont. – Path, Inc. Allegations • Path allows users to share personal journals with a network of up to 150 friends • Apple version of app automatically collected personal data for contacts in the user’s mobile device address book • Path violated COPPA by collecting personal data from 3,000 children with parental consent Settlement Path must implement comprehensive privacy program subject to biennial audits The firm agreed to pay $800,000 civil penalty

  18. A Closer Look - HTC Allegations Privacy by Design Flaws in settings modifications Allowed 3P apps to “re-delegate” permissions to access personal information, and Download/install more apps from any server without the user’s knowledge or consent Insecure logging w/ device’s trouble-shooting and diagnostics functions Privacy claims in user guide/interface differed from practices Settlement Offer patches to fix security vulnerabilities Implement comprehensive security program that includes administrative, technical, and physical safeguards 20-year independent security audit requirement

  19. How to Avoid Big Privacy “Don’ts” • Online and Mobile Developers • Platform Providers • Ad Networks and Other Third Parties

  20. Product Developers • Bake It in - Don’t Make Privacy an Afterthought • Empower Consumer Choice • Reassess Your Data Drilling • Say What You Do & Do What You Say Developer Consumer

  21. “Bake It In” – Don’t Make Privacy an Afterthought Build-in Privacy Considerations at the Outset • Incorporate privacy protections • Limit the data that you collect • Securely store the data that you retain • Limit third-party access to a need-to-know basis • Safely dispose of data that you no longer need

  22. Empower Consumer Choice Simplified Choice • Give Users Tools that Enable Choice • Privacy settings • Opt-outs • Mechanisms to control how PII is collected and shared • Make it easy for people to find the tools you offer • Design the tools so they’re simple and easy to use • Honor users’ choices

  23. Reassess Your Data Drilling Regularly Reassess Your Data Collection Practices • Does the data collection include name, contact details, or other PII on the user or their contacts? • Does your app collect location data or a unique ID per user or device? • Is there a valid purpose for this type of data collection and access? • Do you retain the data for a period of time consistent with the reason for collecting it? • Can third parties access and use the data to make a personally identifiable profile of your users?

  24. Say What You Do & Do What You Say Transparency – Clearly explain key terms • Collection and protection of information • Consumer control and access • Accessibility to third parties New or Additional Sharing • Disclosures • Consent Honor Your Promises

  25. Platforms Providers • Enhance frequency and prominence of disclosures within API • Educate developers on obligations and enforce requirements as needed • Offer tools that allow consumers to report non-compliance with privacy policies and terms of service Developer Platform Consumer

  26. Ad Networks and Other Third Parties • Ad Networks / Analytics Co.’s • Create and provide a privacy policy to the developers • Avoid device-specific identifiers or delivering ads outside the context of the app • Operating Systems • Develop global settings and overrides so that users can set privacy controls • Collaborate with device manufacturers on setting cross-platform privacy standards Ad Network / Analytics Co., etc. Developer Platform Consumer

  27. Questions? Alysa Z. Hutnik PARTNERKelley Drye & Warren LLP Advertising, Privacy & Information Security Phone: (202) 342-8603 ahutnik@kelleydrye.com Connect with Kelley Drye web: www.kelleydrye.com blog: www.adlawaccess.com

More Related