Strategies for Avoiding Big Privacy “Don’ts” With Personal Data
Strata Conference, Santa Clara, CA
Alysa Z. Hutnik
Lauri Mazzuchetti
February 19, 2015
Topics of Discussion
• Consumer Privacy Update (and what it means for 2015)
• The Internet of Things
• Federal and state regulators’ focus on privacy and Big Data
• Enforcement trends
• Risks with text/phone outreach to consumers
• How to Avoid Big Privacy “Don’ts”
Big Data Snapshot
• 91% of Americans feel that consumers have lost control over how personal information is collected and used by companies
• 80% of respondents who use social networking expressed concern about third parties such as advertisers accessing their online data
Concerns are translating into consumer action . . . 86% of consumers have taken steps to remove or mask their digital footprints:
• Clearing cookies
• Encrypting email
• Avoiding use of real name
• Adopting virtual networks to mask IP addresses
Recent Consumer Privacy Developments
“The FTC continually assesses new developments and emerging trends and threats in the privacy area.” - Jessica Rich, Director, FTC Bureau of Consumer Protection, June 2014
“[B]y law and practice, the FTC weighs market benefits and harms as part of its enforcement and policy work.” - Jessica Rich, January 2015
The Internet of Things
• Objective: to help businesses “provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
• Focus: “smart home,” health and fitness devices/apps, and connected cars
• Security risks identified
  • Enabling unauthorized access to and misuse of personal information
  • Facilitating attacks on other systems
  • Creating risks to personal safety
IoT Report Recommendations: Best Practices
• Security By Design
  • Risk assessments
  • Encryption
  • Access control
  • Continued monitoring
• Data Minimization
  • Impose reasonable limits on collection and retention
  • Collect less sensitive/de-identified data
• Notice and Choice
  • Offer flexible options
    - opt-in at purchase
    - privacy tutorials
    - icon/menu/dashboard
Using Big Data to Categorize Consumers
Concern: categorizing consumers in ways that may affect them unfairly (or unlawfully)
• Different prices/discounts to different consumers
• Tailoring/limiting financial products (e.g., “gold level” to high earners)
• “Aggregate scoring models” that assess credit risks based on aggregate credit characteristics of groups of consumers who shop at certain stores
• Health-related determinations
Another Privacy Cop on the Beat?
“Privacy and security concerns have been cited as reasons consumers do not use mobile banking and mobile financial management services.” -- CFPB, June 2014
Areas of Interest
• Privacy and data security concerns for mobile devices
• Mechanisms to disable lost/stolen mobile devices that provide financial services
• Steps consumers should take to protect their data and identity when using mobile devices
States’ Focus on Risks re: Consumer Data
2015 Areas of Focus
• Data breaches
• Consumer risks from big data
• Cybersecurity threats (e.g., cloud data, BYOD policies)
FTC Areas of Collaboration
• Protecting user-generated health information
• Risks re: Internet of Things
• Mobile payments/mobile security
States’ DNT Efforts
California AG
• CalOPPA: privacy policies must disclose how website operators respond to DNT signals that allow consumer choice re: data collection
• Make policies “more effective and meaningful” to consumers:
  • Clear and conspicuous, plain straightforward language
  • Describe how and what PII is collected and used and shared with third parties
  • Provide a readily-identifiable section on DNT with a clear header (e.g., “Online Tracking”)
Enforcement Trends: Flawed Notice, Choice, and Security
• Location: Privacy Policy stated that Snapchat does not ask for, track, or access location-specific information
  • Analytics tracking service collected location information
• Snaps Disappear?: Widely publicized methods to save snaps
• Address Book: Friend finder accessed phone address book without consent
• Registration: Security issue that allowed a user to create an account using another person’s phone number
Enforcement Trends: Bypassing Notice and Choice
• Site allegedly harvested personal data from Facebook without user consent to create 73MM “Jerk” profiles, including children
  • Alleged deception under Section 5
• Data broker allegedly purchased payday loan applications of financially at-risk consumers and sold the application data to unscrupulous merchants
  • Alleged unfairness under Section 5
Enforcement Trends: Platforms and Third-Party Liability
• App storefront/platform
• Wireless Service Provider
• Merchants / App Developers
Timely Issue on Use of Consumer Contact Data – TCPA Compliance
TCPA (federal law) prohibits:
• Autodialed calls/texts to cell phones without appropriate consent
• Prerecorded message calls to cell phones and landlines without appropriate consent and disclosures
• Telemarketing calls to numbers on the National DNC Registry or company-specific DNC lists
Liability can attach for…
• Telemarketing calls/texts
• Informational calls/texts
• Debt collection calls/texts
Old Law; Why is TCPA a hot topic now?
• Statutory damages
  • $500 per violation
  • $1,500 max per “willful” violation
• Numbers can get very high, very quickly
  • Ex: $500,000 for 1000 texts; $5 million for 10,000 texts; $50 million for 100,000 texts, etc.
• No requirement to show actual injury
• Liability typically can go back 4 years
Why is TCPA a hot topic now? (cont’d…)
• Law is in a state of flux due to case law, FCC rulings, and pending petitions
• An explosion of TCPA lawsuits
  • 2010 – 272 lawsuits
  • 2011 – 660 lawsuits
  • 2012 – 1100 lawsuits
  • 2013 – 1860 lawsuits
  • 2014 – 2000+ new lawsuits
  • 2015 ‒ no sign of slowing down . . .
• Exposure for service providers and name brands to be on the hook, even if others made the unlawful calls
Representative TCPA Class Settlements
• Bank of America agreed to pay $32MM in cash into a settlement fund. Stephanie Rose v. Bank of America Corp., Case No. 5:11-cv-02390 (N.D. Cal.)
• $24.1MM settlement based on auto-dialed debt collection calls to cell phones not listed on the loan application. Arthur v. Sallie Mae, 2:10-cv-00198 (W.D. Wa.)
• $6.25MM settlement for a national text-message campaign. Kazemi v. Payless Shoesource, Inc., 3:09-cv-05142 (N.D. Cal.)
• Capital One agreed to pay $73MM in cash into a settlement fund. (N.D. Ill.)
Avoiding Big Privacy “Don’ts”
• Online and Mobile Developers
• Platform Providers
• Ad Networks and Other Third Parties
• Sellers and Marketers
Product/Device Developers
• Think Privacy from the Start
• Empower Consumer Choice
• Reassess Your Data Drilling
• Transparency is Paramount
Think Privacy from the Start
Privacy and Security By Design
• Incorporate privacy and data security protections
• Limit/de-identify the data that you collect
• Securely store the data that you retain
• Limit third-party access to “need-to-know”
• Safely dispose of data that you no longer need
Empower Consumer Choice
• Give Users Tools that Enable Choice
  • Privacy settings
  • Opt-outs
  • Mechanisms to control PII collection and sharing
• Make it easy for people to find the tools you offer
• Design the tools so they’re simple and easy to use
• Honor users’ choices
Reassess Your Data Drilling
Regularly Reassess Your Data Collection Practices
• Does the data collection include name, contact details, or other PII on the user or their contacts?
• Does your app collect location data or a unique ID per user or device?
• Is there a valid purpose for this type of data collection and access?
• Do you retain the data for a period of time consistent with the reason for collecting it?
• Can third parties access and use the data to make a personally identifiable profile of your users?
Transparency is Paramount
Clearly explain key terms
• Collection and protection of data
• Consumer control and access
• Accessibility to third parties
New or Additional Sharing
• Disclosures
• Consent
Honor Your Promises
Platform Providers
• Enhance frequency and prominence of disclosures within the API
• Offer tools that allow consumers to report non-compliance with privacy policies and terms of service
• Educate developers on obligations and enforce requirements as needed
Ad Networks and Other Third Parties
• Ad Networks / Analytics Co.’s
  • Create and provide a privacy policy to the developers
  • Avoid device-specific identifiers or delivering ads outside the context of the app
• Operating Systems
  • Develop global settings and overrides so that users can set privacy controls
  • Collaborate with device manufacturers on setting cross-platform privacy standards
Sellers and Marketers
Carefully plan each consumer outreach campaign . . .
• Just phone? Text too?
• Type of message (commercial/informational)
• Autodial/prerecorded message?
• Customer, former, prospect?
• Length of campaign
• Consent
  • Is it valid?
  • Do I need it in writing?
• Vendor due diligence
• Stay informed
  • Quickly evolving legal landscape
  • Potential significant liability
Questions?
Alysa Z. Hutnik, Partner, Kelley Drye & Warren LLP, Advertising, Privacy & Information Security
Phone: (202) 342-8603
ahutnik@kelleydrye.com
Lauri A. Mazzuchetti, Partner, Kelley Drye & Warren LLP, Litigation
Phone: (973) 503-5910
lmazzuchetti@kelleydrye.com
Connect with Kelley Drye
web: www.kelleydrye.com
blog: www.adlawaccess.com