Alan Sutin - Privacy
-
Upload
ben-allen -
Category
Technology
-
view
1.045 -
download
0
description
Transcript of Alan Sutin - Privacy
Location data andprivacy
©2009, Greenberg Traurig, LLP. Attorneys at Law. All rights reserved.
GREENBERG TRAURIG, LLP ▪ ATTORNEYS AT LAW ▪ WWW.GTLAW.COM
The legal perspective
September 23, 2009
Alan N. SutinChair, Global Intellectual Property & Technology Practice
September 23, 2009 [ 1 ]
Topics we will cover
What activities give rise to privacy
concerns?
When is location data regulated and do
any restrictions apply even if it is not itself
personal data?
Special issues relating to children?
How can service providers and
developers limit legal exposure?
September 23, 2009 [ 2 ]
What uses are being made of location data
Government uses
□ Investigation
□ Evidence
Commercial Uses
□ Telecom services
□ Navigation
□ Directories
□ Targeted advertising
September 23, 2009 [ 3 ]
Online Marketing’s New Tack
How Marketers Hone
Their Aim Online
Finding the Holy Grailof Web Advertising
Online Customized Ads Move
a Step Closer
The Quest for thePerfect Online Ad
Marketing Works by
Targeting Consumers
Today’s Niche Marketing is AboutNarrow, Not Small
Behavioral Targeting Grows
September 23, 2009 [ 4 ]
What can happen when location data iscombined with other Personally
Identifiable Information?
September 23, 2009 [ 5 ]
Privacy LawOverview
September 23, 2009 [ 6 ]
Sources of Relevant Privacy Law
United States Constitution
FCC CPNI-related rules
FTC Regulations and Guidelines
The Electronic Communications Privacy Act (ECPA)
The Computer Fraud and Abuse Act (CFAA)
The Children’s Online Privacy Protection Act (COPPA)
EU Data Directives
State Laws
September 23, 2009 [ 7 ]
United States Constitution
United States Constitution
□ 4th Amendment: default
standard governing
evidence collection in
criminal investigations
□ Technology raises new
issues in 4th Amendment
analysis
September 23, 2009 [ 8 ]
Fourth Amendment
□ Bans only “unreasonable”searches and seizures
□ Searches and seizures are“reasonable” if authorizedby a warrant or a warrantexception
□ 4th Amendment is notimplicated if there is no Search
Seizure
United States Constitution
September 23, 2009 [ 9 ]
Federal and state court decisions
inconsistent, but the trend is to
find that a warrant is required
This summer alone:
□ May 12, 2009 – NY’s highest
court rules that GPS tracking is
a constitutional “search” that
requires a warrant.
□ September 18, 2009 – MA’s
highest court rules that warrant
required for GPS tracking
United States Constitution
September 23, 2009 [ 10 ]
Relevant Privacy Laws
The Communications Act and CPNI
□ Who must comply?
The FCC’s CPNI rules apply to carriers, including
interconnected VoIP providers
The Telephone Records and Privacy Protection Act of 2006
(“TRPPA”) is a generally applicable criminal statute
□ What activities and information are covered?
FCC’s CPNI rules govern the collection and use of
customer proprietary information by carriers and their
partners and contractors.
When does location information qualify as CPNI?
September 23, 2009 [ 11 ]
Relevant Privacy Laws
CPNI
□ What are the key rules under the FCC’s CPNI Orders?
Carriers may only use CPNI to provide requested services
to the customer, or as the customer authorizes/directs in
writing
Can use customer info in aggregate form
□ What are the key rules under TRPPA?
It’s a crime to
□ Obtain CPNI from a carrier without authorization or using
fraudulent means
□ Knowingly sell or transfer CPNI obtained improperly
September 23, 2009 [ 12 ]
Relevant Privacy Laws
FTC Act, and Related Guidelines
□ FTC Act grants the FTC broad powers to protect
consumers against unfair, deceptive acts or practices
□ Personal information collection best practices for adult
consumers
Notice/awareness
Choice/consent
Access/participation
Integrity/security
Enforcement/redress
September 23, 2009 [ 13 ]
Relevant Privacy Laws
FTC
□ Under the FTC Act, the FTC actively pursues unfair and
deceptive practices related to personal information
Deceptive practices include a company’s failure to follow
or implement its own privacy policy to the detriment of
consumers
□ Unfair practices include failure to adopt minimal levels of
security
De facto standard directs companies to implement
reasonable information security programs to protect
consumer personal information
September 23, 2009 [ 14 ]
Relevant Privacy Laws
FTC
□ FTC promotes effective industry self regulation
New behavioral marketing guidelines
□ Issued principles after town hall meeting in 2007
□ Staff report on Self-Regulatory Principles for Online Behavioral
Marketing issued February 2009
Currently considering location information privacy
issues
□ FTC Town Hall meeting scheduled for December 7, 2009
discussing, among other things, privacy implications of
location information tracking services
September 23, 2009 [ 15 ]
Relevant Privacy Laws
Electronic Communications Privacy Act (ECPA)
□ Who must comply?
ISPs, online service providers (wired and wireless),
and remote computing service providers
But only if they provide services to the public
□ What activities and information are covered?
Disclosure of any wireless or wired transmission
Access to electronically stored information
September 23, 2009 [ 16 ]
Relevant Privacy Laws
ECPA
□ What are the key rules?
No person or entity may intercept electronic
communications without authorization
Service providers may not knowingly use any
electronic, mechanical or other devices to intercept,
use or disclose contents of in-transit or stored
electronic communications including customer
account records unless a statutory exception applies
September 23, 2009 [ 17 ]
Relevant Privacy Laws
Computer Fraud and Abuse Act (CFAA)
□ Who must comply?
Generally applicable federal criminal statute
□ What activities and information are covered?
Accessing protected computer resources
Intercepting information or communications
Accessing government computers or national security
information
Accessing computers to commit a crime
Causing damage to a protected computer
Trafficking in passwords
September 23, 2009 [ 18 ]
Relevant Privacy Laws
CFAA
□ What are the key rules?
May not access computer resources (withoutauthorization) to intentionally engage in any ofprohibited acts
Exceeding authorization and then engaging inprohibited act is also a crime
Damage threshold of $5,000 over 12 month-periodfor civil actions and felony criminal prosecution
Does CFAA apply to unauthorized collection ofpersonal information without notifying customers?□ Probably, but satisfying the loss threshold is the trick
□ Aggregating claims across victims and time requires a singleact
September 23, 2009 [ 19 ]
Relevant Privacy Laws
Children’s Online Privacy Protection Act (COPPA)
□ Who must comply?
Operators of commercial web sites and online
services satisfying either of the following:
□ Directed at children
□ General purpose service with actual knowledge that children
are providing personal information
FTC has accelerated review of rules for application
to mobile services to 2010
□ What activities and information are covered?
Collection of personal information from children
under 13
September 23, 2009 [ 20 ]
Relevant Privacy Laws
EU Data Directive 95/46/EC
□ Who must comply?
Any person or entity can be subject to the EU Data
Directive, even companies without operations in the EU
□ What activities and information are covered?
Transfer of personal data from any EU Country
Covered data is information that personally identifies an
individual
□ What are the key rules?
Personal data from the EU may not be transferred to any
country unless that country has adequate privacy
protections
U.S. laws generally not considered adequate
September 23, 2009 [ 21 ]
Relevant Privacy Laws
EU Data Directive 95/46/EC
□ To provide U.S. companies clarity, U.S. and EU agreed on
certain safe harbor principles
They do not apply to non-U.S. companies, or transfers
within and between EU member states
Compliance with principles is presumptive
compliance with EU Data Directive
Methods of compliance
□ Participate in self-regulatory industry standards
□ Self-certify with submission to U.S. DoC
September 23, 2009 [ 22 ]
Relevant Privacy Laws
EU Directive on Privacy and Electronic Communications
2002/58/EC
□ Covers real-time and historic location information
□ Providers can process location information to enable
transmission, process bills, and manage traffic
□ Location data (other than traffic data) can be processed
(without consent) if the individual isn’t identified
□ For value added services, location can be tracked with
informed consent of the user or subscriber
□ User or subscriber must be able to withdraw consent
□ Use of non-anonymous location data only to the extent
necessary to provide the value-added service within the
scope of the consent
September 23, 2009 [ 23 ]
Relevant Privacy Laws
Invasion of privacy under state common law
□ Elements: (1) unauthorized intrusion; (2) level of intrusion
is offensive to a reasonable person; (3) intrusion relates
to private matters; and (4) results in anguish or suffering
□ Most states recognize the tort
NY - no
CA - yes
September 23, 2009 [ 24 ]
Relevant Privacy Laws
45 States (+P.R.) have breach - notice Laws
Typical statutory elements
□ Protected personal information covered
Name plus one or more identifying element
□ SS#, driver’s license #, other government ID #, financial account numbers and
account access credentials
Health insurance or medical records
Applies to owners or delegated custodians of covered personal
information of a citizen of the state
Location information not widely recognized . . . yet
□ Notice triggering events
Actual unauthorized access or disclosure of unencrypted personal
information
Reasonable belief of unauthorized access to such data
September 23, 2009 [ 25 ]
What Should Providersand Developers Do?
September 23, 2009 [ 26 ]
LBS providers and developers - best practices
Include privacy-enhancing features into location-tracking
services for consumer markets in the U.S.
□ Have a clear written privacy policy
Say what you do and do what you say
□ Opt-in feature, with ability to opt-out easily
□ Allow users to select/de-select which and when third partiescan obtain their location information
□ Enable users to temporarily turn off location tracking
□ If device or service is targeted for children or likely to attractchildren, follow COPPA if you want kids or block users youngerthan 13 years old if you don’t want child users
□ Encrypt or redact personal information at rest and in storage
□ Destroy personal information after it is no longer useful
September 23, 2009 [ 27 ]
Follow FTC general rule of reason approach
□ Employ privacy protections based on the sensitivity of the data
and the nature of provider’s business operations, the risks
faced and the reasonable protections available to
avoid/mitigate those risks.
Adopt and implement data breach and notice policies that
comply with applicable state laws
□ Start with the states where your customer personal data is
stored
□ Look to the states where you have principal offices
□ Examine states where you’ll likely have customers
□ Decide which laws are most applicable
□ Safe harbors are available for data handlers that encrypt
LBS providers and developers - best practices
September 23, 2009 [ 28 ]
Adopt security program that is, at a minimum, consistent
with FTC’s guidelines
□ Designate a security program responsible party
□ Initial risk assessment for each area of relevant operation
Employee training and management;
Examine relevant information systems for vulnerabilities;
and
Prevention, detection, and response to attacks,
intrusions, or other systems failures
□ Design and implement reasonable safeguards
□ Regularly test and monitor the safeguards
□ Evaluate and adjust the key controls
LBS providers and developers - best practices
September 23, 2009 [ 29 ]
Carefully choose downstream/upstream providers and act
on information of non-compliance
Negotiate effective service and product agreements
□ Bind all providers and data handlers
□ Representations and warranties
□ Indemnifications covering losses/liabilities for non-compliance
□ Create remedies that address true cost of data breach
□ Remove indemnification liabilities from the cap on damages
LBS providers and developers - best practices
Thank You!
©2009, Greenberg Traurig, LLP. Attorneys at Law. All rights reserved.
GREENBERG TRAURIG, LLP ▪ ATTORNEYS AT LAW ▪ WWW.GTLAW.COM
Alan N. SutinChair, Global Intellectual Property & Technology Practice
Tel: 212-801-9286
Email: [email protected]