Strategies to Avoid Big Privacy “Don’ts” With Personal Data

Strata Conference

Santa Clara, CA

February 27, 2013

Alysa Z. Hutnik

Topics of Discussion

Recent Consumer Privacy Developments (and what they mean for the rest of 2013)

Federal and state regulator activity

Increased focus on the mobile ecosystem

Relevant enforcement and inquiries

How to Avoid Big Privacy “Don’ts”

2

Big Data Snapshot

68% of online users would select an easy-to-use Do Not Track mechanism

Only 14% of online users believe Internet companies are honest about their use of personal data

3

“You are getting this squeeze between a hardening consumer attitude and tighter regulation.”

- Mark Little, Ovum

Recent Consumer Privacy Developments

4

“This is a critical juncture in consumer privacy….” - FTC Congressional Testimony, May 2012

Final FTC Privacy Report

A call to action:

Companies to implement best practices on privacy, as set forth in Report

Congress to enact baseline privacy/data security legislation with civil penalties

Industry to accelerate pace of self-regulation

Scope

Commercial entities collecting/using consumer data reasonably linked to specific consumer, computer, or other devices, unless the entity collects only non-sensitive data from fewer than 5,000 consumers/year and does not share it with third parties

5

Final FTC Privacy Report cont.

6

Privacy Framework

Simplified ChoicePrivacy By DesignGreater

Transparency

The Latest on “Do Not Track”

FTC

Key principles

Universal implementation

Easy to find, understand, use

Persistent choices

Comprehensive, effective, and enforceable

Extend beyond opt-out for targeted ads

New call for DNT in the mobile environment

7

Industry

DNT standards progress slowed

Ad industry seeking exemptions from certain types of tracking and “off” default for DNT setting

Privacy groups want anonymization requirements and limits on data retention

W3C continues to seek a standard that alters the status quo

Comprehensive Online Data Collection

Concerns

Potential for “databases of ruin” through the use of DPI/other technologies

Infringes “intellectual privacy”

Easy to link data to users due to increased use of mobile Internet

Benefits

Enables “free content” model and encourages innovation

Produces novel public benefits by “making information visible”

8

States’ Focus on Big Data Collection and Use

9

Maryland AG Doug Gansler elected NAAG President in 2012

2012-2013 priority includes online commerce, which could lead to greater state-level scrutiny of online ecosystem participants

January 2013 – launch of new Internet Privacy Unit

New privacy initiative will bring “the energy and legal weight of NAAG to investigate, educate, and. . .protect online privacy . . . .”

Increased focus on Mobile Privacy

10

“[I]t is critical that we keep pace with technological developments that implicate privacy issues.”

- FTC Chairman Leibowitz, February 2013

11

FTC Guidance on Mobile App Privacy

Privacy Recommendations

Shared responsibility among ecosystem stakeholders

Self-policing/enforcement by platform and OS operators

Communication between developers and ad networks / other third-parties

Data Security Guidance

Assign individuals to data security function

Understand security features across different platforms and OS systems

Mobile Apps and Children’s Privacy

12

“FTC is launching multiple nonpublic investigations to determine whether certain entities have violated [COPPA],or engaged in unfair or deceptive trade practices….”

- FTC Staff Report, Dec. 2012

• Under the revised rule, child-directed content providers are strictly liable for personal information collected by third parties through their sites.

States’ Mobile Privacy Efforts

California AG Agreement with mobile platform operators

requires apps to provide privacy policy prior to data collection

Lawsuit filed against Delta Airlines for failing to post a privacy policy in its mobile app

Recent mobile app report recommendations focus on “surprise minimization”

Ad groups argue that the report recommendations extend “far beyond” existing California laws

13

Draft Legislation on Mobile App Privacy

The APPS Act

Require disclosure on data collection, use, storage, and sharing

Allow users to signal their wish to have their personal data deleted

FTC would be responsible for enforcement

14

Rep. Hank Johnson (D-Ga.)

1515

Enforcement and Inquiries

Privacy policy/User Guide misrepresentations

Privacy By Design Flaws

Inadequate safeguards

Surreptitious PII collection

Unauthorized third-party access

Deceptive opt-out / PII deletion provisions

Alleged COPPA violations

Noncompliance with FCRA

A Closer Look – Compete, Inc.

Allegations

Web analytics firm failed to disclose extent of data collection

Tracking software used to assess user opinions on products and services collected financial info, SSNs, user passwords, etc.

Settlement Terms

Disclose the data that the firm collects and how such data will be used/shared

Delete the collected personal data and provide users with instructions on how to uninstall the tracking software

Implement a comprehensive data security program with third party audits every 2 years for 20 years

16

A Closer Look cont. – Path, Inc.

Allegations

Path allows users to share personal journals with a network of up to 150 friends

Apple version of app automatically collected personal data for contacts in the user’s mobile device address book

Path violated COPPA by collecting personal data from 3,000 children with parental consent

17

Settlement

Path must implement comprehensive privacy program subject to biennial audits

The firm agreed to pay $800,000 civil penalty

A Closer Look - HTC

18

Allegations

Privacy by Design Flaws in settings modifications

Allowed 3P apps to “re-delegate” permissions to access personal information, and

Download/install more apps from any server without the user’s knowledge or consentInsecure logging w/ device’s trouble-shooting and diagnostics functionsPrivacy claims in user guide/interface differed from practices

Settlement

Offer patches to fix security vulnerabilities

Implement comprehensive security program that includes administrative, technical, and physical safeguards

20-year independent security audit requirement

How to Avoid Big Privacy “Don’ts”

Online and Mobile Developers

Platform Providers

Ad Networks and Other Third Parties

19

20

Product Developers

Bake It in - Don’t Make Privacy an Afterthought

Empower Consumer Choice

Reassess Your Data Drilling

Say What You Do & Do What You Say

Developer

Consumer

21

“Bake It In” – Don’t Make Privacy an Afterthought

Build-in Privacy Considerations at the Outset

Incorporate privacy protections

Limit the data that you collect

Securely store the data that you retain

Limit third-party access to a need-to-know basis

Safely dispose of data that you no longer need

22

Empower Consumer Choice

Simplified Choice

Give Users Tools that Enable Choice

Privacy settings

Opt-outs

Mechanisms to control how PII is collected and shared

Make it easy for people to find the tools you offer

Design the tools so they’re simple and easy to use

Honor users’ choices

Reassess Your Data Drilling

Regularly Reassess Your Data Collection Practices

Does the data collection include name, contact details, or other PII on the user or their contacts?

Does your app collect location data or a unique ID per user or device?

Is there a valid purpose for this type of data collection and access?

Do you retain the data for a period of time consistent with the reason for collecting it?

Can third parties access and use the data to make a personally identifiable profile of your users?

23

24

Say What You Do & Do What You Say

Transparency – Clearly explain key terms

Collection and protection of information

Consumer control and access

Accessibility to third parties

New or Additional Sharing

Disclosures

Consent

Honor Your Promises

Platforms Providers

Enhance frequency and prominence of disclosures within API

Educate developers on obligations and enforce requirements as needed

Offer tools that allow consumers to report non-compliance with privacy policies and terms of service

25

Developer

Consumer

Platform

Ad Networks and Other Third Parties

Ad Networks / Analytics Co.’s

Create and provide a privacy policy to the developers

Avoid device-specific identifiers or delivering ads outside the context of the app

Operating Systems

Develop global settings and overrides so that users can set privacy controls

Collaborate with device manufacturers on setting cross-platform privacy standards

26

Consumer

Developer

Ad Network / Analytics Co.,

etc.

Platform

27

Questions?

Alysa Z. HutnikPARTNER

Kelley Drye & Warren LLP

Advertising, Privacy &

Information Security

Phone: (202) 342-8603

ahutnik@kelleydrye.com

Connect with Kelley Dryeweb: www.kelleydrye.com

blog: www.adlawaccess.com