Protect Privacy to Protect Your Startup


Learn about privacy policies, terms of use, and how to deal with privacy issues in your website or mobile app.

Transcript of Protect Privacy to Protect Your Startup

Protect Privacy to Protect Your Startup

Don't catch an FTC (Action), practice safe data collection

Thank You to Our Sponsors

Presentation Content

• Privacy Policy vs. Terms of Service
• Process of Creating Your Privacy Policy
• Compliance with the Law
• Avoiding the FTC
• Online Services for Protecting Privacy

United States v. Path, Inc.

• Path: mobile app developer
• Contrary to its privacy policy, automatically collected personal info
• Got info from ~3,000 kids under age 13
• FTC charged Path with deception and violation of COPPA
• Settlement: $800,000; 20 years of audits

Our Startup: Dragon Digs

• The social hub of Drexel University
• Relies on user-generated content
• Features:
  – Create, RSVP to events
  – Post pictures, comments
  – In-app ticket purchasing
  – Promo emails from Dragon Digs
  – Third-party advertising

Privacy Policy

• Explains how the company gathers, uses, discloses, and manages user info
• Separate from TOS
• More specifically:
  – Type of data collected and how it's used, stored, and protected
  – How user data is shared with third parties
  – Compliance with privacy laws and user control

Terms of Service

• Rules users must abide by on the website/app
• Legally binding; subject to change
• More specifically:
  – Software license; website/app operation; users' rights
  – Information ownership; copyright; incorporates privacy policy
  – Disclaimers/limitation of liability; notice

Ensuring Enforceable Terms

• Forming an enforceable contract
  – Notice and assent
• Click-wrap vs. Browse-wrap
• Additional tips and considerations

Notice and Assent

• Click-wrap:
  – Present users with a copy of the terms, and
  – Require an action showing the user read and agrees to the terms
• Browse-wrap:
  – Terms available to users via web links
  – Does not require an action indicating the user agrees to the terms
  – Typically states that site use is deemed acceptance of the terms

Additional Tips and Considerations

• Use plain English
• Consider the device it will be read on
• Place in a conspicuous location


What Info Should I Collect?

• Relationship with user determines what should be collected

• De-identify personal identification info where possible

• Whatever you collect, give users notice

– Helps create user trust

Give Users a Choice

• No consent needed: if the collected data is expected for the relationship with the user
  – Such as product fulfillment, analytics, security, and website improvements

• Consent needed: if the collected data is outside what would be expected

• Do Not Track options

Tracking

• Cookie: Text file that collects user information

• Beacon: Graphic image file that collects user information

• Types: persistent or session cookies
• Can be used for website operation or advertising

Privacy by Design

• Build in privacy and security at all stages of design and development

• Implement and enforce strategically sound privacy practices throughout company

Best Practices

• Data security
  – Firewall and virus protection
  – SSL encryption
  – Encrypt user names and passwords
  – Keep security current
• Reasonable collection limits
  – Collect only what is needed
• Sound retention practices
  – Right to be forgotten
  – Retention depends on industry
• Data accuracy
  – Allow users to access and change their profiles
• Knowledgeable, designated staff


Compliance

Be Sure You Read Your Own Policy!

FTC Act and Regulations

• Unfair or deceptive practices
• Avoid the FTC:
  – Comply
  – Notify
  – Protect

CalOPPA

• California Online Privacy Protection Act
• Conspicuously post your policy
• Comply
• Do Not Track amendment

CalOPPA Compliance

• Privacy policy must include:
  – Info collected
  – Sharing policies
  – User review/control
  – Notification
  – Effective date

COPPA

• Children’s Online Privacy Protection Act

Are You Under the Age of 13?

COPPA Compliance

• Who is collecting the info?
• Description of info collected
• Use
• Disclosure to third parties
• Parental review & consent
• User notice

CAN-SPAM ACT

• Controlling the Assault of Non-Solicited Pornography and Marketing Act
• Are you spamming?
• Compliance is simple

HIPAA

• Health Insurance Portability and Accountability Act

FERPA

• Family Educational Rights and Privacy Act

Gramm-Leach-Bliley Act

• Governs financial information

European Union E-Privacy Directive

• The right to be forgotten, among other things


Avoiding the FTC

• FTC
  – Statutory authority to remedy privacy infringements
• Power to prohibit unfair and deceptive practices
• Statutory requirements
  – CalOPPA; COPPA; CAN-SPAM; HIPAA; FERPA; GLBA

FTC Actions

• Google
• RockYou
• Snapchat
• The Brightest Flashlight App


Privacy Policy Generators

• Tested 28 online generators
• Factors: ease of use, guidance, cost, and policy generated
• Recommendations:
  – FreePrivacyPolicy.com
  – GeneratePrivacyPolicy.com; SEOToaster.com
  – TRUSTe.com (for mobile apps)

What Needs Protection?

Seals of Approval

• The best individually
  – TRUSTe
  – TrustGuard
  – Qualys
  – Comodo
• The best for you
  – Mix-and-match to suit your needs
  – Each service has strengths & weaknesses


Questions?


Thank You to Our Audience

Apply to be a client at

www.drexel.edu/law/ELC