Alan Sutin - Privacy


Legal Perspective on Use of Location Data

Transcript of Alan Sutin - Privacy

Page 1: Alan Sutin - Privacy

Location data and privacy

©2009, Greenberg Traurig, LLP. Attorneys at Law. All rights reserved.

GREENBERG TRAURIG, LLP ▪ ATTORNEYS AT LAW ▪ WWW.GTLAW.COM

The legal perspective

September 23, 2009

Alan N. Sutin, Chair, Global Intellectual Property & Technology Practice

Page 2: Alan Sutin - Privacy

Topics we will cover

What activities give rise to privacy concerns?

When is location data regulated, and do any restrictions apply even if it is not itself personal data?

Special issues relating to children?

How can service providers and developers limit legal exposure?

Page 3: Alan Sutin - Privacy

What uses are being made of location data?

Government uses

□ Investigation

□ Evidence

Commercial Uses

□ Telecom services

□ Navigation

□ Directories

□ Targeted advertising

Page 4: Alan Sutin - Privacy

Press headlines shown on the slide: Online Marketing's New Tack; How Marketers Hone Their Aim Online; Finding the Holy Grail of Web Advertising; Online Customized Ads Move a Step Closer; The Quest for the Perfect Online Ad; Marketing Works by Targeting Consumers; Today's Niche Marketing is About Narrow, Not Small; Behavioral Targeting Grows

Page 5: Alan Sutin - Privacy

What can happen when location data is combined with other Personally Identifiable Information?

Page 6: Alan Sutin - Privacy

Privacy Law Overview

Page 7: Alan Sutin - Privacy


Sources of Relevant Privacy Law

United States Constitution

FCC CPNI-related rules

FTC Regulations and Guidelines

The Electronic Communications Privacy Act (ECPA)

The Computer Fraud and Abuse Act (CFAA)

The Children’s Online Privacy Protection Act (COPPA)

EU Data Directives

State Laws

Page 8: Alan Sutin - Privacy

United States Constitution

□ 4th Amendment: default standard governing evidence collection in criminal investigations

□ Technology raises new issues in 4th Amendment analysis

Page 9: Alan Sutin - Privacy

Fourth Amendment

□ Bans only "unreasonable" searches and seizures

□ Searches and seizures are "reasonable" if authorized by a warrant or a warrant exception

□ 4th Amendment is not implicated if there is no search or seizure

Page 10: Alan Sutin - Privacy

Federal and state court decisions are inconsistent, but the trend is to find that a warrant is required

This summer alone:

□ May 12, 2009 – NY's highest court rules that GPS tracking is a constitutional "search" that requires a warrant.

□ September 18, 2009 – MA's highest court rules that a warrant is required for GPS tracking

Page 11: Alan Sutin - Privacy

Relevant Privacy Laws

The Communications Act and CPNI

□ Who must comply?

The FCC's CPNI rules apply to carriers, including interconnected VoIP providers

The Telephone Records and Privacy Protection Act of 2006 ("TRPPA") is a generally applicable criminal statute

□ What activities and information are covered?

FCC's CPNI rules govern the collection and use of customer proprietary information by carriers and their partners and contractors.

When does location information qualify as CPNI?

Page 12: Alan Sutin - Privacy

Relevant Privacy Laws

CPNI

□ What are the key rules under the FCC's CPNI Orders?

Carriers may only use CPNI to provide requested services to the customer, or as the customer authorizes/directs in writing

Can use customer info in aggregate form

□ What are the key rules under TRPPA?

It's a crime to

□ Obtain CPNI from a carrier without authorization or using fraudulent means

□ Knowingly sell or transfer CPNI obtained improperly

Page 13: Alan Sutin - Privacy

Relevant Privacy Laws

FTC Act and Related Guidelines

□ FTC Act grants the FTC broad powers to protect consumers against unfair or deceptive acts or practices

□ Personal information collection best practices for adult consumers

Notice/awareness

Choice/consent

Access/participation

Integrity/security

Enforcement/redress

Page 14: Alan Sutin - Privacy

Relevant Privacy Laws

FTC

□ Under the FTC Act, the FTC actively pursues unfair and deceptive practices related to personal information

Deceptive practices include a company's failure to follow or implement its own privacy policy to the detriment of consumers

□ Unfair practices include failure to adopt minimal levels of security

De facto standard directs companies to implement reasonable information security programs to protect consumer personal information

Page 15: Alan Sutin - Privacy

Relevant Privacy Laws

FTC

□ FTC promotes effective industry self-regulation

New behavioral marketing guidelines

□ Issued principles after town hall meeting in 2007

□ Staff report on Self-Regulatory Principles for Online Behavioral Marketing issued February 2009

Currently considering location information privacy issues

□ FTC Town Hall meeting scheduled for December 7, 2009, discussing, among other things, privacy implications of location information tracking services

Page 16: Alan Sutin - Privacy

Relevant Privacy Laws

Electronic Communications Privacy Act (ECPA)

□ Who must comply?

ISPs, online service providers (wired and wireless), and remote computing service providers

But only if they provide services to the public

□ What activities and information are covered?

Disclosure of any wireless or wired transmission

Access to electronically stored information

Page 17: Alan Sutin - Privacy

Relevant Privacy Laws

ECPA

□ What are the key rules?

No person or entity may intercept electronic communications without authorization

Service providers may not knowingly use any electronic, mechanical or other devices to intercept, use or disclose contents of in-transit or stored electronic communications, including customer account records, unless a statutory exception applies

Page 18: Alan Sutin - Privacy

Relevant Privacy Laws

Computer Fraud and Abuse Act (CFAA)

□ Who must comply?

Generally applicable federal criminal statute

□ What activities and information are covered?

Accessing protected computer resources

Intercepting information or communications

Accessing government computers or national security information

Accessing computers to commit a crime

Causing damage to a protected computer

Trafficking in passwords

Page 19: Alan Sutin - Privacy

Relevant Privacy Laws

CFAA

□ What are the key rules?

May not access computer resources (without authorization) to intentionally engage in any of the prohibited acts

Exceeding authorization and then engaging in a prohibited act is also a crime

Damage threshold of $5,000 over a 12-month period for civil actions and felony criminal prosecution

Does CFAA apply to unauthorized collection of personal information without notifying customers?

□ Probably, but satisfying the loss threshold is the trick

□ Aggregating claims across victims and time requires a single act

Page 20: Alan Sutin - Privacy

Relevant Privacy Laws

Children's Online Privacy Protection Act (COPPA)

□ Who must comply?

Operators of commercial web sites and online services satisfying either of the following:

□ Directed at children

□ General purpose service with actual knowledge that children are providing personal information

FTC has accelerated review of rules for application to mobile services to 2010

□ What activities and information are covered?

Collection of personal information from children under 13

Page 21: Alan Sutin - Privacy

Relevant Privacy Laws

EU Data Directive 95/46/EC

□ Who must comply?

Any person or entity can be subject to the EU Data Directive, even companies without operations in the EU

□ What activities and information are covered?

Transfer of personal data from any EU country

Covered data is information that personally identifies an individual

□ What are the key rules?

Personal data from the EU may not be transferred to any country unless that country has adequate privacy protections

U.S. laws generally not considered adequate

Page 22: Alan Sutin - Privacy

Relevant Privacy Laws

EU Data Directive 95/46/EC

□ To provide U.S. companies clarity, the U.S. and EU agreed on certain safe harbor principles

They do not apply to non-U.S. companies, or to transfers within and between EU member states

Compliance with the principles is presumptive compliance with the EU Data Directive

Methods of compliance

□ Participate in self-regulatory industry standards

□ Self-certify with submission to U.S. DoC

Page 23: Alan Sutin - Privacy

Relevant Privacy Laws

EU Directive on Privacy and Electronic Communications 2002/58/EC

□ Covers real-time and historic location information

□ Providers can process location information to enable transmission, process bills, and manage traffic

□ Location data (other than traffic data) can be processed (without consent) if the individual isn't identified

□ For value added services, location can be tracked with informed consent of the user or subscriber

□ User or subscriber must be able to withdraw consent

□ Use of non-anonymous location data only to the extent necessary to provide the value-added service within the scope of the consent

Page 24: Alan Sutin - Privacy

Relevant Privacy Laws

Invasion of privacy under state common law

□ Elements: (1) unauthorized intrusion; (2) level of intrusion is offensive to a reasonable person; (3) intrusion relates to private matters; and (4) results in anguish or suffering

□ Most states recognize the tort

NY - no

CA - yes

Page 25: Alan Sutin - Privacy

Relevant Privacy Laws

45 states (+P.R.) have breach-notice laws

Typical statutory elements

□ Protected personal information covered

Name plus one or more identifying elements

□ SS#, driver's license #, other government ID #, financial account numbers and account access credentials

Health insurance or medical records

Applies to owners or delegated custodians of covered personal information of a citizen of the state

Location information not widely recognized . . . yet

□ Notice triggering events

Actual unauthorized access or disclosure of unencrypted personal information

Reasonable belief of unauthorized access to such data

Page 26: Alan Sutin - Privacy

What Should Providers and Developers Do?

Page 27: Alan Sutin - Privacy

LBS providers and developers - best practices

Include privacy-enhancing features in location-tracking services for consumer markets in the U.S.

□ Have a clear written privacy policy

Say what you do and do what you say

□ Opt-in feature, with ability to opt out easily

□ Allow users to select/de-select which third parties can obtain their location information, and when

□ Enable users to temporarily turn off location tracking

□ If device or service is targeted at children or likely to attract children, follow COPPA if you want kids, or block users younger than 13 years old if you don't want child users

□ Encrypt or redact personal information at rest and in storage

□ Destroy personal information after it is no longer useful
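The consent, redaction and retention rules above, together with the 2002/58/EC points on the earlier slide (processing without consent only where the individual isn't identified, and a user's right to withdraw consent), translate into a handful of concrete checks in a location back end. The following is an added Python example written for this transcript; it is not code from the presentation or from Greenberg Traurig. The `LocationStore` class, the `User` fields, the retention period, the coarsening grid and the sample users are all constructed for the demo. It uses keyed-hash pseudonyms and coordinate coarsening to show the "redact" half of "encrypt or redact"; encryption at rest would sit in front of the same store.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy values for the demo, not numbers taken from the slides.
RETENTION_SECONDS = 7 * 24 * 3600   # destroy location records older than this
MIN_AGE = 13                        # age line named on the COPPA slide
COARSE_DECIMALS = 2                 # roughly a 1 km grid when coordinates are rounded


@dataclass
class User:
    user_id: str
    age: int
    opted_in: bool = False                  # explicit opt-in required before any collection
    tracking_paused: bool = False           # user can temporarily turn tracking off
    third_party_consent: Dict[str, bool] = field(default_factory=dict)  # selected partners


@dataclass
class LocationRecord:
    subject: str      # keyed-HMAC pseudonym, never the raw user id
    lat: float
    lon: float
    ts: float


class LocationStore:
    """Hypothetical LBS back end enforcing the consent, retention and redaction rules."""

    def __init__(self, pepper: bytes, now: Callable[[], float] = time.time):
        self._pepper = pepper          # secret kept apart from the stored records
        self._now = now                # injectable clock so retention can be tested
        self._records: List[LocationRecord] = []

    def pseudonym(self, user_id: str) -> str:
        # Keyed hash: records cannot be tied back to a user without the pepper.
        return hmac.new(self._pepper, user_id.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, user: User, lat: float, lon: float) -> bool:
        """Store a fix only for opted-in users of age whose tracking is not paused."""
        if user.age < MIN_AGE:                       # block child users rather than collect
            return False
        if not user.opted_in or user.tracking_paused:
            return False
        self._records.append(LocationRecord(self.pseudonym(user.user_id), lat, lon, self._now()))
        return True

    def share_with(self, user: User, partner: str) -> Optional[List[Tuple[float, float]]]:
        """Release a user's fixes to a third party only if the user selected that party."""
        if not user.third_party_consent.get(partner, False):
            return None
        pid = self.pseudonym(user.user_id)
        return [(r.lat, r.lon) for r in self._records if r.subject == pid]

    def aggregate_view(self) -> List[Tuple[float, float]]:
        """Identifier dropped and coordinates coarsened: the individual is not identified."""
        return [(round(r.lat, COARSE_DECIMALS), round(r.lon, COARSE_DECIMALS)) for r in self._records]

    def withdraw_consent(self, user: User) -> int:
        """Opt-out: stop collection and erase what was held for this user; returns count erased."""
        user.opted_in = False
        pid = self.pseudonym(user.user_id)
        before = len(self._records)
        self._records = [r for r in self._records if r.subject != pid]
        return before - len(self._records)

    def purge_expired(self) -> int:
        """Retention job: destroy records once they are no longer useful; returns count purged."""
        cutoff = self._now() - RETENTION_SECONDS
        before = len(self._records)
        self._records = [r for r in self._records if r.ts >= cutoff]
        return before - len(self._records)

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk through the rules with constructed users and a controllable clock."""
    clock = [1_000_000.0]
    store = LocationStore(pepper=b"constructed-demo-pepper", now=lambda: clock[0])
    alice = User("alice", age=34, opted_in=True, third_party_consent={"maps-partner": True})
    bob = User("bob", age=41, opted_in=True)
    child = User("kid", age=11, opted_in=True)
    out = {}
    out["child_blocked"] = not store.record(child, 40.7128, -74.0072)   # under 13: refused
    out["alice_recorded"] = store.record(alice, 40.7128, -74.0072)      # opted in: stored
    alice.tracking_paused = True
    out["paused_blocked"] = not store.record(alice, 40.7131, -74.0075)  # paused: refused
    alice.tracking_paused = False
    out["partner_view"] = store.share_with(alice, "maps-partner")       # selected partner
    out["ad_network_view"] = store.share_with(alice, "ad-network")      # not selected: None
    out["aggregate_view"] = store.aggregate_view()                      # coarsened, no id
    out["bob_recorded"] = store.record(bob, 51.5074, -0.1278)
    out["alice_erased"] = store.withdraw_consent(alice)                 # 1 record erased
    clock[0] += RETENTION_SECONDS + 1                                   # a week passes
    out["purged"] = store.purge_expired()                               # bob's record goes
    out["remaining"] = store.count()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two views matter for the EU slide: `share_with` returns exact fixes and is gated on per-partner consent, while `aggregate_view` returns no identifier and only a coarsened grid cell, which is the shape of data the directive allows to be processed without consent. The pepper is the piece to protect; if it leaks alongside the records, the pseudonyms are reversible for anyone who can guess user ids.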

Page 28: Alan Sutin - Privacy

Follow FTC general rule of reason approach

□ Employ privacy protections based on the sensitivity of the data and the nature of the provider's business operations, the risks faced and the reasonable protections available to avoid/mitigate those risks.

Adopt and implement data breach and notice policies that comply with applicable state laws

□ Start with the states where your customer personal data is stored

□ Look to the states where you have principal offices

□ Examine states where you'll likely have customers

□ Decide which laws are most applicable

□ Safe harbors are available for data handlers that encrypt

Page 29: Alan Sutin - Privacy

Adopt a security program that is, at a minimum, consistent with FTC's guidelines

□ Designate a security program responsible party

□ Initial risk assessment for each area of relevant operation

Employee training and management;

Examine relevant information systems for vulnerabilities; and

Prevention, detection, and response to attacks, intrusions, or other systems failures

□ Design and implement reasonable safeguards

□ Regularly test and monitor the safeguards

□ Evaluate and adjust the key controls

Page 30: Alan Sutin - Privacy

Carefully choose downstream/upstream providers and act on information of non-compliance

Negotiate effective service and product agreements

□ Bind all providers and data handlers

□ Representations and warranties

□ Indemnifications covering losses/liabilities for non-compliance

□ Create remedies that address the true cost of a data breach

□ Remove indemnification liabilities from the cap on damages

Page 31: Alan Sutin - Privacy

Thank You!


Alan N. Sutin, Chair, Global Intellectual Property & Technology Practice

Tel: 212-801-9286

Email: [email protected]