Data, Privacy, Cookies and the FTC in Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Transcription

1 Data, Privacy, Cookies and the FTC in 2013 Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

2 BIOS Kevin Stark: Product Manager at ExactTarget. Focused on data security, identity management, authentication, and authorization problems. He is currently a member of ExactTarget s privacy working group. Twitter Maltie Maraj: Senior Counsel at ExactTarget supporting the sales organization with the drafting and negotiation of agreements, amendments and other related matters. She also provides support and counsel to various groups within ExactTarget regarding privacy and security regulations, practices and policies and intellectual property matters. She is currently a member of ExactTarget s privacy working group. Nicholas Merker: Associate in Ice Miller's Intellectual Property and Litigation Group. His practice includes patent drafting and prosecution; advice and counsel to companies regarding privacy and security regulations, practices and policies; drafting and negotiation of commercial agreements including software and SaaS agreements; infringement risk assessments; information technology audit preparation; and litigation support. Twitter Handle:@nmerker

3 PRIVACY AND THE MARKETER We want one-on-one conversations with consumers. This means collecting as much data as we can. BUT At what point does the consumer revolt? At what point does the government clamp down?

4 CONSUMER PRIVACY In a globally connected world, who protects the consumer? What laws, regulations, and jurisdictions are relevant?

5 TODAY S REGULATORY ENVIRONMENT CAN-SPAM EU Cookie Directive Do Not Track German Federal Data Protection Act

6 CAN-SPAM Well-defined, well understood legal and regulatory framework for FTC, States Attorneys General, and ISPs can sue under CAN- SPAM, however de facto adoption in many non-u.s. locales Functions on opt-out rather than opt-in Defines what type of content must be present Doesn t address privacy per se addresses spam Very specific to &hl=en&as_sdt=2&as_vis=1&oi=scholarr

7 EU COOKIE DIRECTIVE EU directive regulating the use of cookies on websites EU leaves implementation to member states Very specific to web sites and very specific to cookies (for now) ExactTarget 3sixty The ExactTarget Online Community

8 DO NOT TRACK Proposed HTTP header Web application requests that a web site disable tracking Very specific to HTTP Completely voluntary

9 GERMAN PRIVACY LAW Federal Data Protection Act (Bundesdatenschutzgesetz) Telemedia Act (Telemediengesetz) Speaks to privacy, consent, and tracking, irrespective of technology Describes in detail what must be disclosed and what type of consent must be obtained Relevant to anyone communicating to subscribers in Germany

10 UNITED STATES & THE CATEGORICAL APPROACH HIPAA Gramm-Leach-Bliley COPPA State Privacy Laws FTC National Labor Relations Board

11 PERSONALLY IDENTIFIABLE INFORMATION COPPA State Privacy Laws FTC National Labor Relations Board

12 STATE PRIVACY LAWS California Distinctive and easily-found Privacy Policy Information Gathered How the Information is Shared Process to Review and Request Changes to Stored Information Nebraska and Pennsylvania Prohibits false and/or misleading statements in privacy policies

13 STATE DATA BREACH LAWS Require enterprises to inform impacted consumers of the disclosure of personally identifiable information to an unauthorized third party Non-encrypted Definition of personally identifiable information varies Disclosure requirements vary

14 State Data Breach Laws Require enterprises to inform impacted consumers of the disclosure of personally identifiable information to an unauthorized third party Non-encrypted Definition of personally identifiable information varies Disclosure requirements vary

15 PRIVACY POLICY (FTC V. FACEBOOK) As a result of the settlement, Facebook is now: barred from making misrepresentations about the privacy or security of consumers' personal information; required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences; required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account; required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

16 FTC v. FACEBOOK AFTERMATH Misrepresentation Modifications Account Deletion

17 ACTIVITY TRACKING (FTC V. GOOGLE)

18 PRIVATE AGREEMENTS / TERMS OF USE (FACEBOOK)

19 PRIVATE AGREEMENTS (B2B) Contract provisions may create privacy obligations Representations and Warranties Provisions With Material Breach BAA, Security Agreements, Confidentiality

20 EU DATE PROTECTION DIRECTIVE - UK May 26 th 2011, the UK regulations implementing the amended EU Privacy and Electronic Communications ( E-Privacy ) Directive came into effect. Key changes include: Breach notification telecommunication operators and ISPs are required to notify the ICO of a breach Cookies organizations are required to obtain the consent of users to the organization s storage of cookies on their devices Enforcement powers for breaches of the Privacy regulations impose civil penalties up to 500,000 for serious breaches of the Privacy Regulations of there is: there is a serious breach of the data protection principles; this is likely to cause substantial damage or substantial distress; and the breach is deliberate or reckless The ICO has been especially active this past year and as stated in their 2011/2012 Annual Report, 10 civil penalty notices were issued totaling 1,171,000 in addition to 2 enforcement notices and 76 undertakings. General trend towards harsher penalties for breach throughout the EU (e.g., CNIL/Google)

21 SANCTIONS IN THE UK The ICO can issue an Enforcement Notice for breaches of the data protection principles. Failure to comply with an Enforcement Notice is a criminal offence, punishable by an unlimited fine (also for directors). Both failure to notify and the unlawful obtaining/disclosing of personal data are criminal offences punishable by unlimited fines (also for directors). The Government has the power to increase the sentence for unlawfully obtaining or disclosing personal data to two years imprisonment. The ICO regularly asks for undertakings from organizations in breach in order to name and shame them. Commissioner Christopher Graham at the ICO Data Protection Officer Conference 2011, pushing for increased use of prison sentences.

22 SCOPE OF THE LAW Data protection laws impose standards on data controllers and grant rights to data subjects; data controllers are defined as individuals or entities who decide the purposes for which and manner in which data is processed; personal data is defined as information by which a living individual may be identified.

23 JURISDICTION Data Controllers established in the UK and Data Controllers that are not established in the EEA but use equipment located in the UK to carry out data processing activities (other than merely for the purposes of transit) Use of equipment may include the hosting of a website in the UK or the use of cookies.

24 DATA PROTECTION DIRECTIVE PRINCIPLES Data must be fairly and lawfully processed with the consent of the individual. Data may only be obtained for specified legal purposes, and may not be further processed in any manner incompatible with that purpose. Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected. Data must be accurate and, where necessary, kept up to date. Data must not be kept longer than necessary. Data must be processed in accordance with the rights of the data subject under the Directive (right to inspect and correct data). Security measures must be taken against unauthorized/unlawful processing and against accidental loss, destruction or damage of data. Data must not be transferred outside the EEA unless the recipient country provides adequate data protection. Also: notification, data transfer permission, security documentation.

25 CONSENT The ICO s legal guidance on the DP Act explains that in order for the Data Subject to signify his agreement to Personal Data relating to him being processed: there must be some active communication between the parties; the adequacy of any consent or purported consent must be evaluated; and consent must be appropriate to the particular circumstances.

26 ONLINE / ELECTRONIC CONSENT Electronic consent will suffice if appropriate safeguards are taken to ensure a Data Subject is aware of the Data Controller s data processing notice: has granted consent (e.g., inclusion of a hyperlink directly above a consent button); and prevent consent by mistake (e.g., a double click acceptance process). The Data Controller should be able to evidence that such safeguards have been put in place (e.g., the Data Controller should be able to demonstrate that the user was provided with sufficient notice and that consent was informed and voluntary).

27 ONGOING DEVELOPMENTS Proposed changes to the EU General Data Protection Regulations still being considered throughout the member states: Increased requirements around consent The right to be forgotten

28 US TRENDS February 2012 Online Privacy Principles released by the White House: Consumer Data Privacy in a Networked World NOT Law simply sets out the Obama Administration's policies for developing a comprehensive online privacy framework The Paper also describes a process for implementation and FTC enforcement.

29 DIGITAL ADVERTISING ALLIANCE ( DAA ) Browser based do not track regime proposed by DAA Endorsed by the White House Not deemed acceptable by the EU because the browser based option is still an opt-out rather than an opt-in mechanism for web surfers

30 FEDERAL TRADE COMMISSION S POSITION In March 2012, the FTC released its final privacy report, Protecting Consumer Privacy in an Era of Rapid Change. Applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties Calls for companies to incorporate privacy by design into their practices; Offer consumers choice about how their data is collected; and Provide consumers with more transparency about their practices Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.

31 FTC s POSITION The FTC intends that the report be used by Congress in crafting baseline legislation. Like the White House s Paper, this is NOT Law. The FTC makes clear that to the extent that the best practices stated in the report extend beyond existing legal requirements, they are not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.

32 FTC s IMPLEMENTATION OF THE FRAMEWORK OVER THE NEXT YEAR Do Not Track: The Commission praises industry s progress in implementing an online Do Not Track mechanism, and it plans to work with industry to complete the implementation of an easyto-use, persistent, and effective mechanism. Mobile: The Commission calls on companies providing mobile services to work toward improved privacy protections, including the development of short, meaningful disclosures. Commission staff hosted a public workshop on May 30, 2012, to address, among other issues, mobile privacy disclosures and how they can be short, effective, and accessible to consumers on small screens. According to the report, the Commission hopes that the workshop will lead to further industry self-regulation in this area. Data brokers: The Commission supports targeted legislation that would provide consumers with access to the information about them held by a data broker. The Commission also calls on data brokers that compile data for marketing purposes to further increase the transparency of their practices by considering the creation of a centralized website where data brokers could: (1) identify themselves to consumers and describe how they collect and use consumer data; and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain. Large platform providers: The Commission to host a public workshop during the second half of 2012 to explore the privacy issues associated with the comprehensive tracking of consumers online activities by large platforms, such as ISPs, operating systems, browsers, and social media. Enforceable self-regulatory codes: The Commission will work with the Department of Commerce and industry stakeholders to create sector-specific codes of conduct. Commission staff will participate in that project.

33 FUTURE US TRENDS Federal law on data security and privacy imminent Federal breach notification Opt-in instead of Opt-out for consent More pressure on industry to accelerate the pace of selfregulations

34 EXACTTARGET AND PRIVACY Honor each individual's unique preferences one of the core tenets of ExactTarget How permission is granted, what is required, and how it is enforced will always be changing We will honor permission, period We will always help you to honor permission We will always be transparent about our privacy policies We will always work very hard to protect the privacy of your subscribers

35 QUESTIONS