Analyzing the Privacy of Smartphone Apps, for CMU Cylab Talk on April 2013
What Privacy Law Applies to Apps?
-
Upload
shaun-dakin -
Category
Documents
-
view
220 -
download
0
Transcript of What Privacy Law Applies to Apps?
-
8/6/2019 What Privacy Law Applies to Apps?
1/6
1What Privacy Law Applies to Apps?*
There is no across-the-board privacy law in the United States, and there is no United States
privacy law specifically applicable to Apps. Nevertheless, persons or entities that collect, use,
share and or/retain personal information including App Developers are subject to various
privacy laws at the federal and state level, including those that apply based on the nature of thedata involved, such as financial, health or childrens data. i
The information below summarizes the privacy laws App Developers should obey.
Section 5 of the FTC Act: The Prohibition Against False or Deceptive Practices
Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. 45(a), prohibits and makes
unlawful unfair methods of competition in or affecting commerce, and unfair or deceptive acts
or practices in or affecting commerce. The FTC enforces against companies that make privacy
promises in privacy policies, but fail to keep those promises. That is, the companies collect, use,
share or retain personal information in a way that is inconsistent with the representations they
made in their privacy policies.ii The FTC also has enforced against companies whose privacy
policies do not adequately inform consumers about the companys actual practices. iii To the
extent mobile Apps similarly contain privacy policies and consumer representations about
personal information, the FTC is empowered to take similar enforcement action against App
Developers.
Laws Governing Specific Information
There is a range of various federal laws governing the privacy of specific kinds of personal
information.
The federal Health Insurance Portability and Accountability Act (HIPAA) governing health data
collected by covered entities, the Gramm-Leach-Bliley (GLB) Act covering financial data, and
the Children's Online Privacy Protection Act (COPPA) covering data collected by children under
13 are examples of laws applicable to specific kinds of data, and to the extent Apps are covered
by such laws because of their functions and collection of data, then these laws are App privacy
laws.
State Laws
In addition to law enacted at the federal level, states also have privacy and data security laws.
Most states have so-called mini-FTC Acts under which they have authority similar to that of
the FTC to take enforcement actions in response to unfair or deceptive trade practices. This
could include tracking consumers without proper notice or when a promise has been made not to
1
-
8/6/2019 What Privacy Law Applies to Apps?
2/6
track consumer behavior.iv A number of state attorneys general have been vigilant in enforcing
against entities collecting personal information from consumers.
Some states have specific privacy laws covering particular kinds of data and data collection, such
as California.v It would appear that many of these specific laws apply to Apps and the
companies that operate them.
Forty-six states also have data security breach notification laws that require entities holding
personal data to provide notices in the event of breaches of the security of that data, and those
laws apply regardless of how the data may have been collected, meaning that data that is
collected by Apps that is subject to a security breach will trigger notification obligations.
Certain states have specific data security obligations, as well.
Private Litigation
Private party litigation is not a significant source of legal rules applicable to App privacy.
As a general matter, plaintiffs class action attorneys attempting to bring civil actions against
companies alleged to have violated consumer privacy rights by improperly collecting, using,
sharing or retaining personal information have been unsuccessful. The cases either have been
settled by defendants for relatively modest amounts to avoid the cost of litigation and/or undue
publicity or are unsuccessful because of the absence of legally cognizable damages flowing from
the alleged misuse of the personal data.vi
A number of privacy lawsuits concerning Apps and privacy are pending, but none have
proceeded past the preliminary stage.
Proposals for Improvements to Privacy and Their Impact on Legal Obligations
In December 2010, both the staff of the FTC and the US Department of Commerce (DOC)
issued preliminary reports proposing significant improvements in the way businesses handle
consumer information and changes in the controls consumers should have over their information.
As these reports ripen into final versions, which are expected later in 2011, App Developers
should take the contents into account as they implement privacy protections for mobile Apps.
The draft FTC Staff Report, entitled Protecting Consumer Privacy in an Era of Rapid Change:
A Proposed Framework for Businesses and Policymakersvii (FTC Report), makes clear that the
agencys existing privacy framework, developed by over forty years of FTC guidance andenforcement (e.g., Fair Information Practice Principles, notice-and-choice models), remains in
place. The FTC Report, however, makes equally clear that improvements to the existing
framework are necessary given technological advances in the collection, use, sharing, and
retention of information about consumers by businesses, and signals the direction that the FTC
staff believes privacy protections should move in the future.viii
The new framework, which the FTC staff stated should apply to all businesses that collect,
-
8/6/2019 What Privacy Law Applies to Apps?
3/6
maintain, share, or otherwise use consumer data either online or offline, contains three top-level
maxims:
Privacy by Design: Companies should promote consumer privacy throughout their
organizations and at every stage of the development of their products and services. This
includes incorporating substantive privacy protections such as data security and retentionpractices into business processes and maintaining comprehensive data management
procedures throughout the lifecycle of products and services (Note: in the mobile context,
the FTC used as an example that if a mobile App is providing traffic and weather information
to a consumer based on his or her location information, it does not need to collect contact
lists or call logs from the consumers deviceix).
Simplifying Consumer Choice: Companies should simplify consumer choice, not just
through notice about privacy practices prior to the use of a product or service in a lengthy
privacy policy, but also by offering choice at a time and in a context in which the consumer
is making a decision about his or her data (such as when the consumer is presented with atargeted online behavioral advertisement).x
Increasing Consumer Transparency: Companies should increase the transparency of
their data practices, such as by (i) clarifying, shortening, and standardizing privacy notices;
(ii) providing reasonable access to the consumer data they maintain; (iii) providing prominent
disclosures and obtaining affirmative express consent before using consumer data in a
materially different manner than claimed when the data was collected; (iv) obtaining
affirmative express consent when sensitive information such as financial information is
collected and used for online behavioral advertising; and (v) working to educate consumers
about commercial data privacy practices.
The Department of Commerce Green Paper entitled Privacy and Information Innovation: A
Dynamic Privacy Framework for the Internet Age,xi (DOC Green Paper) argued that preserving
consumer privacy online and thereby bolstering consumer trust in the Internet is essential for
businesses to succeed online.xii Like the draft staff FTC Report, the DOC Green Paper proposed
increasing protections privacy principles, including by enhancing transparency, encouraging
greater detail in purpose specifications and use limitations, and fostering the development of
verifiable auditing and accountability programs.
As mentioned above, both the draft staff FTC Report and the DOC Green Paper are expected to
affect and influence U.S. privacy law and enforcement in the coming years, including withrespect to mobile Apps.
Selected International Laws
-
8/6/2019 What Privacy Law Applies to Apps?
4/6
European Union. Unlike the US, EU privacy regulation stems from a fundamental rights
approach. Rather than regulating practices to avoid specific harms,xiii the EU regulatory
framework is designed to preserve privacy rights outlined in the EU Charter and various
Directives of the European Commission (EC). Individual EU member states promulgate their
own data protection rules but those rules must substantially adopt the principles of the various
EC Directives. For example, Directive 95/46/EC, also known as the Data Protection Directive,focuses on protecting the fundamental rights of individuals to be informed about and exercise
control over the processing of their personal information.xiv It requires each member state to pass
a data protection law adopting the thrust of the Directives principles. The Data Protection
Directive imposes obligations to inform individuals of how their data are being used/processed.xv
Generally speaking, data cannot be used for purposes further than originally specified without
additional consent.xvi
Canada. The basic premise of all Canadian private sector privacy statutes, including PIPEDA,
is that an organization must obtain informed consent from the individual to any collection, use,
or disclosure of personal information unless an exemption from the consent requirement applies.Personal information is defined as information about an identifiable individual; anonymized or
aggregated information is therefore not personal information unless it is reasonably possible that
the information can be de-anonymized or otherwise used to identify an individual person,
whether through combination with other information or otherwise.
Hong Kong. Data protection in Hong Kong is regulated by the Data Protection (Privacy)
Ordinance (PDPO). The essence of the legislation for the purposes of this advice is that personal
data is permitted to be used for the purposes for which it was collected. The data subjects must
be given notice of such purposes at the time of collection. Data can also be used for other
purposes if the data subject subsequently consents to these uses and for incidental purposes as
well.
-
8/6/2019 What Privacy Law Applies to Apps?
5/6
*This material is not intended as legal advice and may not be relied on as such. It is presented here to outline the privacy laws potentially
applicable to apps.i The materials here relate only to the privacy law obligations of App Developers (the persons or entities offering
Apps through App platforms) and not the platform providers. Section 230 of the Communications Decency Act,
47 U.S.C. 230, immunizes interactive computer services through which the content of third parties, such as
Apps, are provided. Thus, while the platform providers may have privacy rules for App Developers, they cannot
be held responsible for violations of those rules by the App Developers nor, under current law, are they required
to have privacy rules at all. Note, however, that Californias Online Privacy Protection Act of 2003 requiresoperators of commercial web sites or online services that collect personal information on California residents
through a web site [which is an undefined term] to conspicuously post a privacy policy on the site and to complywith its policy. The privacy policy must, among other things, identify the categories of personally identifiable
information collected about site visitors and the categories of third parties with whom the operator may share the
information. An operator is in violation for failure to post a policy within 30 days of being notified ofnoncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply
with the provisions of its policy. (emphasis supplied)
http://www.privacyprotection.ca.gov/privacy_laws.htm#six
iiSee, e.g., Gateway Learning Corp., FTC File No. 042-3047 (2004), available athttp://ftc.gov/opa/2004/07/gateway.shtm(settlement of enforcement action against company that shared
information with third parties contrary to statements in its online privacy policy);FTC v. ReverseAuction.com,Inc., FTC File No. 002-3046 (D.D.C. consent decree filed Jan. 6, 2000), available at:http://www.ftc.gov/os/2000/01/reverseconsent.htm (settlement of enforcement action against company that
promised users that it would not sell or share their information without prior consent, but in fact sold users
personal information).
iiiSee, e.g., Sears Holdings Mgmt. Corp., FTC File No. 082-3099 (2009), available at
http://www.ftc.gov/opa/2009/06/sears.shtm(obtaining a consent decree from a company that did not adequately
disclose to consumers participating in a promotion that it would download tracking software onto their
computers that collected extensive amounts of information about them, including sensitive information such as
the contents of encrypted web visits to the websites of their financial institutions);Natl Research Ctr. forCollege & Univ. Admissions, Inc., FTC File No. 022-3005 (2003), available athttp://ftc.gov/opa/2003/01/fyi0308.shtm(settlement of enforcement action against company that claimed it was
only sharing information collected from participating high school students with colleges and universities, when itfact it was also selling the information to commercial entities for marketing purposes).
ivSee, e.g., Connecticut Unfair Trade Practices Act, CONN. GEN. STAT. 42-110a 42-110q (specifically noting
42-110b, Unfair trade practices prohibited which resembles 15 U.S.C. 45(a)).
vSeehttp://www.privacyprotection.ca.gov/privacy_laws.htm.
viSeehttp://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=150728.
vii FTC STAFF REPORT: PROTECTING CONSUMERPRIVACYINAN ERAOF RAPID CHANGE, available at
http://ftc.gov/os/2010/12/101201privacyreport.pdf.
viii The FTC also supported a "Do Not Track" mechanism that could be advanced either by legislation or
enforceable industry self-regulation. Such a mechanism would require businesses to comply with a consumer'scentralized opt-out of online behavioral tracking.
ix FTC Report at 46.
x The FTC also sought further comment on effective ways to obtain informed consent in the mobile context,
given the multiple parties involved in the data collection and the smaller screen. Id. at 60-61, 70-72, A-3, A-5.
xi U.S. DEPTOF COMMERCE INTERNET POLY TASKFORCE, COMMERCIAL DATA PRIVACYAND INNOVATIONINTHE INTERNET
ECONOMY: A DYNAMIC POLICY FRAMEWORK(Dec. 16, 2010), available athttp://ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf.
http://www.privacyprotection.ca.gov/privacy_laws.htm%23sixhttp://ftc.gov/opa/2004/07/gateway.shtmhttp://www.ftc.gov/os/2000/01/reverseconsent.htmhttp://www.ftc.gov/opa/2009/06/sears.shtmhttp://ftc.gov/opa/2003/01/fyi0308.shtmhttp://ftc.gov/opa/2003/01/fyi0308.shtmhttp://www.privacyprotection.ca.gov/privacy_laws.htmhttp://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=150728http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=150728http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=150728http://ftc.gov/os/2010/12/101201privacyreport.pdfhttp://ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdfhttp://ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdfhttp://www.privacyprotection.ca.gov/privacy_laws.htm%23sixhttp://ftc.gov/opa/2004/07/gateway.shtmhttp://www.ftc.gov/os/2000/01/reverseconsent.htmhttp://www.ftc.gov/opa/2009/06/sears.shtmhttp://ftc.gov/opa/2003/01/fyi0308.shtmhttp://www.privacyprotection.ca.gov/privacy_laws.htmhttp://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=150728http://ftc.gov/os/2010/12/101201privacyreport.pdfhttp://ntia.doc.gov/reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf -
8/6/2019 What Privacy Law Applies to Apps?
6/6
xii The Green Paper was authored by the Internet Policy Task Force at DOC a joint effort of the Office of
Commerce Secretary Gary Locke, the National Telecommunications and Information Administration (NTIA),
the International Trade Administration, and the National Institute of Standards and Technology.
xiiiSee US Legal Analysis memorandum (Part 2 of 4), III.A.2.c.i.(a).
xivSee, e.g., 1995 O.J. (L 281) 32, available athttp://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm
(Directive 95/46/EC) ([w]hereas the object of the national laws on the processing of personal data is to
protect the fundamental rights and freedoms, notably the right to privacy . . .).
xvSee Directive 95/46/EC at 33 (. . . in the right conferred on individuals, the data on whom are the subject of
processing, to be informed that processing is taking place, to consult the data, to request corrections and even to
object to processing in certain circumstances);see also Directive 95/46/EC at 42 (Member States shall
guarantee every data subject the right to obtain from the controller . . . confirmation as to whether or not data
relating to him are being processed . . . .).
xviSee Directive 95/46/EC at 34 (whereas the purposes of processing further to collection shall not be
incompatible with the purposes as they were originally specified).
http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htmhttp://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm