Privacy Policy Workshop
M. Ryan Calo, Center for Internet and Society, Stanford Law School
Mali Friedman, Covington & Burling LLP, San Francisco Office
January 28, 2009
Overview
• Legal Landscape
• How to Write an Effective Privacy Policy
• The Future of Notice
Legal Landscape
• California Law
• FTC Fair Information Principles
  • Commission Guidance
  • Enforcement Proceedings
• State Attorneys General
  • Enforcement Actions
  • General Guidance
• Additional Considerations
  • Children
  • International
Legal Landscape: California Law
• Online Privacy Protection Act of 2003
• Cal. Bus. & Prof. Code §§ 22575-22579
• Basic Requirements
  • “Commercial Web site or online service that collects personally identifiable information through the Internet”
  • “About individual consumers residing in California”
  • “Conspicuously post”
Legal Landscape: California Law
• Google Controversy
Legal Landscape: California Law
• Substantive Requirements
  • Identify categories of personally identifiable information collected.
  • Identify categories of third parties with whom personally identifiable information may be shared.
  • If it exists, describe the process by which an individual consumer may review and request changes to his or her personally identifiable information.
  • Describe the consumer notification process for material changes to the Privacy Policy.
  • Identify the effective date for the Privacy Policy.
Legal Landscape
1. Identify categories of personally identifiable information collected and how this information is used.
• FTC Fair Information Principles
  • Privacy policy should identify ways consumer information is collected and used.
  • This includes notifying consumers of “what will happen to the personal information they are asked to divulge.”
• State Mini-FTC Acts
  • Suggestion that it is an unfair or deceptive trade practice not to notify consumers about the collection of information.
• Amazon (2002)
  • Specify collection and use.
• DoubleClick (2000)
  • Describe cookies.
Legal Framework
• Identify categories of third parties with whom personally identifiable information may be shared.
• FTC Fair Information Principles
  • Encourage identification of any recipients of the data.
• State AGs
  • Required entities to inform consumers about third-party recipients.
    • New York (Alta Vista, 2001)
    • Missouri (More.com, 2000)
  • Washington State
    • State whether third parties are bound by operator’s privacy policy with respect to disclosed information.
    • Disclose whether information will be shared with third parties for third parties’ direct marketing purposes.
Legal Framework
• If it exists, describe the process by which an individual consumer may review and request changes to his or her personally identifiable information.
• No general requirement in the United States that websites allow consumers to access personal information.
• FTC Fair Information Principles
  • Recommends providing opportunity to access and dispute the accuracy and completeness of the personal information provided.
Legal Framework
• Describe the consumer notification process for material changes to the Privacy Policy.
• No federal or state law specifically defines “material change.”
  • FTC: When new practices are inconsistent with the company’s previous representations to its customers.
  • FTC staff opinion: To be considered “material,” change must affect a company.
  • Washington AG: May include “new use[s] of personal data as well as changes to the list of parties with whom the business shares information.”
Legal Framework
• Identify the effective date for the Privacy Policy.
• No explicit definition.
• Even minor changes to the policy may require a change to the effective date.
Legal Landscape
• Generally, format and content should be easy for a reasonable consumer to understand.
• FTC Fair Information Principles
• Amazon.com Example
  • Privacy policy alleged in 2000 to confuse consumers.
  • State attorneys general convinced the company to revise the policy by:
    (1) Narrowing the scope of exceptions; and
    (2) Adding examples to improve clarity.
Additional Considerations
• Children’s Online Privacy Protection Act (“COPPA”)
  • Applies to websites that collect information from children under the age of 13 that are either:
    (1) directed to children; or
    (2) general audience sites with actual knowledge that they collect information from such children.
  • Requires additional, child-specific privacy disclosures.
  • Requires notification to and consent from parents.
• International
How To Write An Effective Privacy Policy
• Identify actual privacy practices.
  • Find or develop a questionnaire.
  • Get input from all levels of the organization.
  • Good time to audit for legal compliance.
• Look to peers / competitors.
  • What is your organization doing differently?
  • What might your organization improve or highlight to its advantage?
  • Compare multiple models to see the range of disclosure options.
How To Write An Effective Privacy Policy
• Anatomy of a privacy policy:
  • Information collection
    • Personally identifiable information
    • Non-PII (including cookies, web bugs, logs)
  • Information use
    • Individual vs. aggregate
  • Information disclosure
    • Types of third parties (contractors, partners, gov’t)
    • Purpose of disclosure
  • Consumer choices
    • Opt out
    • Access (view, alter, delete)
How To Write An Effective Privacy Policy
• Anatomy of a privacy policy (cont.):
  • Communications from website
  • Retention
  • Security
  • Business transitions (including mergers)
  • Effective date
  • Material changes
  • Contact information
• Example: Navigenics
How To Write An Effective Privacy Policy
• Next steps:
  • Focus-group the text with non-lawyers
  • Monitor for developments
• More resources:
  • OECD Privacy Policy Generator
  • BBB Privacy Planner
  • Direct Marketing Association
  • TRUSTe Model Policy and Whitepaper
  • Federal Trade Commission Guidance
The Future of Notice
• Problems:
  • Constant innovation means that privacy policies must be broadly worded.
  • Consumers do not have time to read policies.
    • Carnegie Mellon study calculated that it would take the average American 200 hours / year to read policies.
  • Consumers assume protective privacy practices from the mere existence of a privacy policy link.
    • In a Samuelson Clinic / Annenberg study, 57% of adults agreed strongly that where a company has a privacy policy, it will not share user data with other companies.
The Future of Notice
• Potential Solutions:
  • Automation
    • In Code, Lawrence Lessig explores a potential design-based solution to online privacy called P3P.
    • Privacy Finder leverages P3P in a search engine.
    • Students from Berkeley’s School of Information are currently scoring top privacy policies (KnowPrivacy.org).
    • The Internet Governance Forum is looking for a way to translate privacy policies into machine-readable blocks.
  • Icons
    • The Center for Democracy and Technology and others suggested “standardized disclosures” in FTC comments.
The Future of Notice: Icons (cont.)
Source: Matthias Mehdau; Jan Gerner (font)
Questions? / Contact Information
Mali Friedman, Covington & Burling LLP, mfriedman@cov.com, 415.591.7059
M. Ryan Calo, Stanford Law School Center for Internet and Society, rcalo@stanford.edu