Upload
arden
View
26
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Strategies to Avoid Big Privacy “Don’ts” With Personal Data. Strata Conference Santa Clara, CA. Alysa Z. Hutnik. February 27, 2013. Topics of Discussion. Recent Consumer Privacy Developments (and what they mean for the rest of 2013) Federal and state regulator activity - PowerPoint PPT Presentation
Citation preview
Strategies to Avoid Big Privacy “Don’ts” With Personal Data
Strata Conference
Santa Clara, CA
February 27, 2013
Alysa Z. Hutnik
Topics of Discussion
Recent Consumer Privacy Developments (and what they mean for the rest of 2013)
Federal and state regulator activity
Increased focus on the mobile ecosystem
Relevant enforcement and inquiries
How to Avoid Big Privacy “Don’ts”
2
Big Data Snapshot
68% of online users would select an easy-to-use Do Not Track mechanism
Only 14% of online users believe Internet companies are honest about their use of personal data
3
“You are getting this squeeze between a hardening consumer attitude and tighter regulation.”
- Mark Little, Ovum
Recent Consumer Privacy Developments
4
“This is a critical juncture in consumer privacy….” - FTC Congressional Testimony, May 2012
Final FTC Privacy Report
A call to action:
Companies to implement best practices on privacy, as set forth in Report
Congress to enact baseline privacy/data security legislation with civil penalties
Industry to accelerate pace of self-regulation
Scope
Commercial entities collecting/using consumer data reasonably linked to specific consumer, computer, or other devices, unless the entity collects only non-sensitive data from fewer than 5,000 consumers/year and does not share it with third parties
5
Final FTC Privacy Report cont.
6
Privacy Framework
Simplified ChoicePrivacy By DesignGreater
Transparency
The Latest on “Do Not Track”
FTC
Key principles
Universal implementation
Easy to find, understand, use
Persistent choices
Comprehensive, effective, and enforceable
Extend beyond opt-out for targeted ads
New call for DNT in the mobile environment
7
Industry
DNT standards progress slowed
Ad industry seeking exemptions from certain types of tracking and “off” default for DNT setting
Privacy groups want anonymization requirements and limits on data retention
W3C continues to seek a standard that alters the status quo
Comprehensive Online Data Collection
Concerns
Potential for “databases of ruin” through the use of DPI/other technologies
Infringes “intellectual privacy”
Easy to link data to users due to increased use of mobile Internet
Benefits
Enables “free content” model and encourages innovation
Produces novel public benefits by “making information visible”
8
States’ Focus on Big Data Collection and Use
9
Maryland AG Doug Gansler elected NAAG President in 2012
2012-2013 priority includes online commerce, which could lead to greater state-level scrutiny of online ecosystem participants
January 2013 – launch of new Internet Privacy Unit
New privacy initiative will bring “the energy and legal weight of NAAG to investigate, educate, and. . .protect online privacy . . . .”
Increased focus on Mobile Privacy
10
“[I]t is critical that we keep pace with technological developments that implicate privacy issues.”
- FTC Chairman Leibowitz, February 2013
11
FTC Guidance on Mobile App Privacy
Privacy Recommendations
Shared responsibility among ecosystem stakeholders
Self-policing/enforcement by platform and OS operators
Communication between developers and ad networks / other third-parties
Data Security Guidance
Assign individuals to data security function
Understand security features across different platforms and OS systems
Mobile Apps and Children’s Privacy
12
“FTC is launching multiple nonpublic investigations to determine whether certain entities have violated [COPPA],or engaged in unfair or deceptive trade practices….”
- FTC Staff Report, Dec. 2012
• Under the revised rule, child-directed content providers are strictly liable for personal information collected by third parties through their sites.
States’ Mobile Privacy Efforts
California AG Agreement with mobile platform operators
requires apps to provide privacy policy prior to data collection
Lawsuit filed against Delta Airlines for failing to post a privacy policy in its mobile app
Recent mobile app report recommendations focus on “surprise minimization”
Ad groups argue that the report recommendations extend “far beyond” existing California laws
13
Draft Legislation on Mobile App Privacy
The APPS Act
Require disclosure on data collection, use, storage, and sharing
Allow users to signal their wish to have their personal data deleted
FTC would be responsible for enforcement
14
Rep. Hank Johnson (D-Ga.)
1515
Enforcement and Inquiries
Privacy policy/User Guide misrepresentations
Privacy By Design Flaws
Inadequate safeguards
Surreptitious PII collection
Unauthorized third-party access
Deceptive opt-out / PII deletion provisions
Alleged COPPA violations
Noncompliance with FCRA
A Closer Look – Compete, Inc.
Allegations
Web analytics firm failed to disclose extent of data collection
Tracking software used to assess user opinions on products and services collected financial info, SSNs, user passwords, etc.
Settlement Terms
Disclose the data that the firm collects and how such data will be used/shared
Delete the collected personal data and provide users with instructions on how to uninstall the tracking software
Implement a comprehensive data security program with third party audits every 2 years for 20 years
16
A Closer Look cont. – Path, Inc.
Allegations
Path allows users to share personal journals with a network of up to 150 friends
Apple version of app automatically collected personal data for contacts in the user’s mobile device address book
Path violated COPPA by collecting personal data from 3,000 children with parental consent
17
Settlement
Path must implement comprehensive privacy program subject to biennial audits
The firm agreed to pay $800,000 civil penalty
A Closer Look - HTC
18
Allegations
Privacy by Design Flaws in settings modifications
Allowed 3P apps to “re-delegate” permissions to access personal information, and
Download/install more apps from any server without the user’s knowledge or consentInsecure logging w/ device’s trouble-shooting and diagnostics functionsPrivacy claims in user guide/interface differed from practices
Settlement
Offer patches to fix security vulnerabilities
Implement comprehensive security program that includes administrative, technical, and physical safeguards
20-year independent security audit requirement
How to Avoid Big Privacy “Don’ts”
Online and Mobile Developers
Platform Providers
Ad Networks and Other Third Parties
19
20
Product Developers
Bake It in - Don’t Make Privacy an Afterthought
Empower Consumer Choice
Reassess Your Data Drilling
Say What You Do & Do What You Say
Developer
Consumer
21
“Bake It In” – Don’t Make Privacy an Afterthought
Build-in Privacy Considerations at the Outset
Incorporate privacy protections
Limit the data that you collect
Securely store the data that you retain
Limit third-party access to a need-to-know basis
Safely dispose of data that you no longer need
22
Empower Consumer Choice
Simplified Choice
Give Users Tools that Enable Choice
Privacy settings
Opt-outs
Mechanisms to control how PII is collected and shared
Make it easy for people to find the tools you offer
Design the tools so they’re simple and easy to use
Honor users’ choices
Reassess Your Data Drilling
Regularly Reassess Your Data Collection Practices
Does the data collection include name, contact details, or other PII on the user or their contacts?
Does your app collect location data or a unique ID per user or device?
Is there a valid purpose for this type of data collection and access?
Do you retain the data for a period of time consistent with the reason for collecting it?
Can third parties access and use the data to make a personally identifiable profile of your users?
23
24
Say What You Do & Do What You Say
Transparency – Clearly explain key terms
Collection and protection of information
Consumer control and access
Accessibility to third parties
New or Additional Sharing
Disclosures
Consent
Honor Your Promises
Platforms Providers
Enhance frequency and prominence of disclosures within API
Educate developers on obligations and enforce requirements as needed
Offer tools that allow consumers to report non-compliance with privacy policies and terms of service
25
Developer
Consumer
Platform
Ad Networks and Other Third Parties
Ad Networks / Analytics Co.’s
Create and provide a privacy policy to the developers
Avoid device-specific identifiers or delivering ads outside the context of the app
Operating Systems
Develop global settings and overrides so that users can set privacy controls
Collaborate with device manufacturers on setting cross-platform privacy standards
26
Consumer
Developer
Ad Network / Analytics Co.,
etc.
Platform
27
Questions?
Alysa Z. HutnikPARTNER
Kelley Drye & Warren LLP
Advertising, Privacy &
Information Security
Phone: (202) 342-8603
Connect with Kelley Dryeweb: www.kelleydrye.com
blog: www.adlawaccess.com