Litigator DEVOTED TO INTELLECTUAL PROPERTY LITIGATION & ENFORCEMENT. Edited by the Law Firm of Grimes & Battersby SEPTEMBER/OCTOBER 2012

Transcription

1 SEPTEMBER/OCTOBER 2012 VOLUME 18 NUMBER 5 DEVOTED TO INTELLECTUAL PROPERTY LITIGATION & ENFORCEMENT Litigator Edited by the Law Firm of Grimes & Battersby

2 Privacy Issues in Social Media Christopher Loeffler Christopher M. Loeffler is an attorney at Kelley Drye & Warren LLP in Washington, DC. He has a transactional and regulatory practice focused on advertising, licensing, new media, sponsorships, e-commerce, promotions, data security, privacy, and other consumer protection issues. He may be contacted at cloeffler@kelleydrye.com. This article discusses the various influences that are shaping the legal landscape for privacy issues in social media. It identifies statutes, administrative policies and guidance, regulatory scrutiny, and recent US Congressional activities that all come to bear when evaluating whether social media practices trigger privacy and data security considerations. Further, it provides practical tips for in-house attorneys and outside counsel on steps to take to minimize privacy risks associated with social media practices. New Technologies and Old Laws There has been an explosion in the use of social media in the last half decade. Two-thirds (66 percent) of online adults use social media, 1 and hundreds of millions of people regularly use social media and social networking tools. 2 People are visiting social media sites every day to connect with friends and family, or otherwise interact with businesses, brands, and Web sites. Yet, social media users are increasingly more aware of the value of their online information whether it is information that the user intentionally shares over a social networking site, or information collected by a social media platform for marketing purposes. Additionally, investigative reporters, legislators, regulators, and privacy advocates have paid increasingly more attention to online and mobile privacy issues. As a result, privacy issues in the online environment have moved to the forefront. While technological capabilities and user adoption continue to grow at an amazing rate, social media is governed by the same privacy laws applicable to the online environment and certain types of data (whether collected online or offline). As traditional privacy laws may not have anticipated the social media environment, best practices in the social media space can be gleaned from regulatory actions, reports, and guidance; statements and proposed bills from legislators; and by staying aware of the types of activities that have resulted in private litigation. The Legal Framework Currently in the United States, there is no comprehensive privacy legislation. Instead, the privacy law framework is made up of a patchwork of laws and regulations that address privacy issues for different segments of personal information, consumers, or industries. Federal Laws The Federal Trade Commission (FTC) is the primary federal regulator in the privacy arena. The FTC has brought numerous privacy and data security related investigations and actions against businesses using its general authority under Section 5 of the FTC Act, 3 which broadly prohibits unfair or deceptive acts or practices. Similarly, the FTC also enforces the Gramm-Leach-Bliley Act (GLB Act), 4 which regulates similar conduct by financial institutions. The GLB Act and its promulgating privacy regulation 5 include requirements such as providing consumers with initial and recurring privacy notices and the opportunity to opt out of having the consumer s nonpublic personal information shared with a nonaffiliated third party. Personal information collected online from children under the age of 13 is governed by the Children s Online Privacy Protection Act (COPPA), 6 and its implementing rule the Children s Online Privacy Protection Rule. 7 Notably, the COPPA rule has a broader definition of personal information than is found under the GLB Act and several other laws. Additionally, any business that collects consumer credit information may be required to safeguard customer information in a manner consistent with the Fair and Accurate Credit Transactions Act (FACTA), 8 which added new provisions to the Fair Credit Reporting Act (FCRA) 9 to address identity theft. FCRA and FACTA limit how certain types of customer information may be used and shared by a business, in addition to requiring certain information security practices. Further, under the FCRA Red Flags Rule, most recently amended by the Red Flag Program Clarification Act, 10 a business that acts as a creditor must maintain reasonable procedures to develop and implement an identity theft prevention program designed to identify the red flags of identity theft and protect customer information. The Health Insurance Portability and Accountability Act (HIPAA) 11 restricts how covered entities can use health information, and also requires covered entities to generally implement appropriate administrative, technical, and SEPTEMBER/OCTOBER 2012 IP Litigator 1

3 physical safeguards to protect such health information. 12 Additionally, a student s education records and personal information must be protected by educational institutions in accordance with the Family Educational Rights and Privacy Act 13 and its promulgated regulation. 14 Further, electronic communications generally are covered by the Electronic Communications Privacy Act (ECPA), 15 which addresses issues such as eavesdropping, wiretaps, and protection of stored communications. State Laws In addition to federal laws, several state laws add to the patchwork of key privacy laws. The state Attorney General is the principal regulator at the state level to enforce appropriate privacy and data security practices. The tools available to state regulators and litigants have increased in recent years because of recently enacted state laws on privacy and information security. For example, California law requires operators of commercial Web sites that collect personal information from California residents to post a privacy policy that identifies the types of personal information collected on the Web site and the types of third parties with whom this information may be shared. 16 California law also requires any company that discloses personal information to a third party for that party s own marketing purposes to disclose such practice to the consumer and either provide certain information about the types of information shared and the third parties with whom it is shared, or provide the consumer with the ability to opt-out of such sharing. 17 Massachusetts has enacted the most robust regulations expressly addressing the types of information security safeguards that must be put in place to protect the personal information of Massachusetts residents. 18 For states that have not enacted specific privacy and information security laws, the state Attorneys General may use their general authority to prohibit unfair or deceptive acts or practices under the relevant state consumer protection law. Administrative and Regulatory Activity The FTC continues to drive the establishment of privacy and security standards using its position as a bully pulpit to advance policy issues and its broad enforcement authority. Other administrative and regulatory activities also provide guidance on developing best practices. Federal Trade Commission Final Privacy Report On March 26, 2012, the FTC released its much anticipated final Privacy Report, entitled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. 19 The final report calls on companies to implement best practices to protect consumers private information (both online and offline), on Congress to enact baseline privacy and data security legislation with civil penalties, and on industry to accelerate the pace of self-regulation. The Privacy Report also supports legislation to provide consumers with access to information stored by data brokers and the opportunity to dispute the accuracy of such data. The final Privacy Report applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties. 20 For companies that fall within such scope, the FTC recommends that companies implement the following best practices, and adds that, to the extent such recommended practices go beyond existing law, the privacy framework is not intended to be a template for law enforcement actions or regulations currently enforced by the FTC. Privacy By Design: Promote consumer privacy throughout the organization and at every stage of development of products and services, including through data security, reasonable data collection limits, sound retention and disposal practices, data accuracy, and accountability. Simplified Choice for Businesses and Consumers: Businesses do not need to provide a choice to consumers before collecting and using their data for practices consistent with the context of the transaction or the company s relationship with the consumer, or where required or specifically authorized by law. Businesses should provide consumers with a choice for all other practices, and offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Affirmative express consent should be obtained before using consumer data in a materially different manner than claimed when the data was collected, or collecting sensitive data for certain purposes. Greater Transparency: Privacy notices utilized by companies should be clearer, shorter, and more standardized to enable better comprehension by consumers and comparison of privacy practices. The Privacy Report also explains that policymakers have a role in assisting with the implementation of selfregulatory principles in five key areas, which the FTC will focus on over the next year: 1. Do Not Track: The FTC will be working with relevant stakeholders in completing implementation of an easyto-use, persistent, and effective Do Not Track system. 2 IP Litigator SEPTEMBER/OCTOBER 2012

4 2. Mobile: The FTC calls on companies providing mobile services to work towards improved privacy protections, including the development of short, meaningful disclosures. 3. Large Platform Providers: To the extent that large platform providers, such as Internet Service Providers (ISPs), operating systems, browsers, and social media, seek to comprehensively track consumers online activities, the FTC notes its privacy concerns. 4. Promoting Self-Regulatory Codes: FTC Staff will work with the Department of Commerce in facilitating the development of industry-sector specific codes of conduct. To the extent that robust privacy codes of conduct are developed from such efforts, the FTC will view adherence to such codes favorably in connection with its law enforcement work, and will also enforce actions under Section 5 of the FTC Act when companies fail to abide by self-regulatory programs they join. 5. Data Brokers: The FTC calls on data brokers that compile data for marketing purposes to explore creating a centralized Web site where data brokers could identify themselves to consumers and describe how they collect and use consumer data, and detail the access rights and other choices they provide with respect to the consumer data they maintain. The proposals within the report are not directly enforceable regulations, but they are instructive and provide insight on what businesses can expect in privacy enforcement trends in the future. Department of Commerce Green Paper In December 2010, the US Department of Commerce released its version of an online commercial data privacy framework in a report entitled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. 21 The report is the result of a review by the Commerce Department s Internet Policy Task Force, which included staff from the National Telecommunications and Information Administration (NTIA), the International Trade Administration, and the National Institute for Standards and Technology. The report presented possible approaches to developing an online data privacy framework and proposed questions for further comment. It included four broad categories of strictly commercial data privacy policy recommendations: (1) recognize a set of baseline Fair Information Practice Principles; (2) develop industryspecific privacy codes of conduct; (3) encourage global interoperable privacy frameworks; and (4) create a federal commercial data security breach notification law. The report recommended use of privacy principles that do not conflict with the patchwork of laws that currently protect privacy and that allow participation by the states. It also called for a review of ECPA regarding cloud computing and location-based services. White House Privacy Report On February 22, 2012, the White House released its privacy report, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. 22 The framework builds on the consumer privacy recommendations issued in December 2010 by the Department of Commerce Internet Policy Task Force. The White House framework includes four primary elements: 1. Consumer Privacy Bill of Rights: Creation of a Consumer Privacy Bill of Rights designed to maintain consumer trust as online businesses continue to adopt and deploy new technologies and to encourage innovation by providing online operators with greater certainty as to acceptable personal data collection and use practices. The Consumer Privacy Bill of Rights based on general Fair Information Practice Principles (FIPPs) and is designed around seven core principles relating to personal data: (1) individual control, (2) transparency, (3) respect for context, (4) security, (5) access and accuracy, (6) focused collection, and (7) accountability. 2. Multi-Stakeholder Process: The Administration will convene a multi-stakeholder process, led by the NTIA, to develop voluntary, yet legally enforceable, codes of conduct that implement the bill of rights. 3. FTC Enforcement: The framework recognized the FTC as the federal government s leading consumer privacy enforcement authority and positioned the FTC as the primary entity to enforce the Bill of Rights as well as the commitments of companies that voluntarily agree to adopt the codes of conduct. 4. Global Interoperability: The framework recognized the impact of disparate national legal standards on cross-border data flows and encouraged increased engagement with international partners to increase interoperability in privacy laws. Within the framework, the Administration urged Congress to pass legislation establishing the Bill of Rights as the legal baseline that governs consumer data privacy in the United States, and encouraged industry stakeholders to move forward in adopting the principles within the Bill of Rights in the absence of legislation. The Administration s legislative proposal would permit the FTC and State Attorneys General to directly enforce the Bill of Rights, as well as give the FTC the authority to approve SEPTEMBER/OCTOBER 2012 IP Litigator 3

5 (or reject) codes of conduct developed under the multistakeholder approach and grant a safe harbor to companies that follow a code of conduct that the FTC has reviewed and approved. Lastly, the Administration supported the creation of a national personal data breach notification standard that would preempt the existing patchwork of state laws. FTC Enforcement Activity, Rulemaking, and Guidance FTC settlements with social media and social networking entities, recent rulemaking proceedings involving privacy issues, and updates to guidance documents also provide direction on best practices in the privacy and security space. While the settlements are only binding on the entities that entered into them, the FTC has urged that the Google and Facebook settlements be used as a model for best practices. Twitter Consent Order In June 2010, Twitter settled claims that it failed to protect consumers personal information, which led to hackers obtaining unauthorized administrative control of Twitter including access to non-public user information, private tweets, and the ability to send out phony tweets from any account. The settlement included injunctive provisions lasting 20 years, as well as requires Twitter to be audited by a third party forensic auditor every other year for 10 years. Google Consent Order In March 2011, Google agreed to settle FTC claims alleging that the 2010 launch of Google Buzz, a social networking feature linking Gmail users with other people on Google s network, involved deceptive tactics and violated Google s privacy policy. The settlement 23 included two firsts for the FTC: First FTC settlement that requires a company to implement a comprehensive privacy program First FTC settlement involving alleged violations of the US-EU Safe Harbor Framework privacy requirements In its administrative complaint, the FTC alleged that: (1) some Gmail users who declined to enroll in Google Buzz were enrolled anyway; (2) Gmail users that enrolled in Google Buzz were not adequately informed that the people they most frequently would be publicly disclosed through the following/followers function; and (3) the identities of Gmail users that later turned off Google Buzz were not removed from the social network. Google s privacy policy stated that information would never be used in a manner different than the purpose for which it was collected without the user s prior consent; however, the FTC alleged that use of information provided to Gmail was used for another purpose, the Google Buzz social networking feature, without the users consent. Also, the FTC alleged that the practices were deceptive as they did not adequately disclose that certain private information identifying who the Gmail user ed most frequently would be made public, and that certain user privacy settings in Gmail were not carried over to the privacy settings in Google Buzz. Further, the FTC alleged that these practices violated the US Safe Harbor Privacy Principles of Notice and Choice, as Gmail users were not given adequate notice that information collected in Gmail would be used for a new purpose, and were not given adequate choice about whether they agreed to such new use. The consent order imposes robust requirements on Google, including the following: Before sharing user information with a third party in a manner different from Google s practices in effect when the information was collected, and which results from a change, addition, or enhancement to its products or services, Google must: Disclose (1) the information that will be shared, (2) the identity or categories of the third parties that will receive the information, and (3) the purpose for sharing the information. Notably, this disclosure must be separate from any end user license agreement, privacy policy, or terms of use; and Obtain express affirmative consent to the sharing from the user. Google must develop, implement, and maintain a written comprehensive privacy program including designated employees responsible for the program, identification of reasonably foreseeable risks and safeguards used to mitigate risks; and establish steps to select and retain service providers. Google must hire a third party privacy and data security professional to conduct assessments of Google s practices every two years for the next 20 years. Facebook Consent Order On November 29, 2011, the FTC announced a settlement agreement with social networking service Facebook following allegations that Facebook misrepresented its privacy policy to users and failed to protect sensitive consumer data. 24 The FTC alleged that, despite Facebook s representations to users that sensitive information would not be disclosed without their consent, third party applications and advertisers had widespread access to users 4 IP Litigator SEPTEMBER/OCTOBER 2012

6 personal information, and that these misrepresentations were deceptive under the FTC Act. Further, the FTC claimed that certain information that may have been designated as private was made public without prior notice to users, and such information remained publicly accessible even after users had deactivated or deleted their accounts. Under the terms of the settlement, Facebook is barred from making any further deceptive privacy claims. The settlement also requires Facebook to obtain consumer approval before making any changes to the manner in which it shares user data, and the company must submit to comprehensive reviews of its privacy practices by independent, third-party auditors for the next 20 years. The FTC has entered into similar settlements with other entities in the social media space such as RockYou 25 and MySpace 26 based on events arising out of data breaches or advertising practices. When evaluating privacy and security practices in the social media space, companies should not focus exclusively on settlements with social media entities. The privacy lessons learned from the Twitter, Google, Facebook, and other social media settlements also are reflected in numerous FTC actions including settlements involving mobile applications and the use of cookies to track online activities. Proposed Revisions to COPPA Rule On September 15, 2011, and August 1, 2012, the FTC issued proposed amendments to the Children s Online Privacy Protection Act rule. COPPA requires commercial Web sites and online services that specifically target children to obtain verifiable parental consent before collecting personal information from children under the age of 13. The proposed amendments would modify or expand key definitions within COPPA, including the definition of personal information, and would update the rule s requirements concerning parental notice and consent, and existing safe harbor provisions. The proposed amendments also would include new safeguard requirements, including provisions that involve personal data minimization and disposal obligations. The FTC s proposed revisions come in response to the substantial changes in consumer technology that have occurred since COPPA became effective in Specifically, the proposed revisions are intended to ensure that COPPA continues to provide privacy protections for children who increasingly participate in social networking and interactive gaming or engage in online activities through a mobile device. Mobile There has been a concerted focus on privacy considerations for mobile applications (or apps). Mobile apps are a popular access point for many social media platforms and recent activities in the mobile app ecosystem serve as an important guide for social media generally. Requested Comments to Dot Com Disclosure Guide In May 2011, FTC staff requested public comments on updates to its guidance document Dot Com Disclosures: Information about Online Advertising. FTC staff specifically noted the changes in the online environment since the guidance document was published in 2000, stating mobile marketing has become a reality, the App economy has emerged, the use of pop-up blockers has become widespread, and online social networking has emerged and grown popular. 27 FTC Warning to Mobile Apps Marketers for Possible FCRA Violations In March 2012, the FTC sent a warning to six mobile apps providing background screening services that they may be violating the Fair Credit Reporting Act (FCRA), which protects the accuracy and privacy of consumer report information, which includes information on individual s character, reputation, or personal characteristics used for employment, housing, or credit purposes. 28 The FTC alleged some apps include criminal record histories, which bear on an individual s character and general reputation and typically are used in employment and tenant screening. FTC Mobile App Settlements During the last several months of 2011, the FTC confirmed statements that it had made earlier in the year that it was actively investigating a number of privacy issues associated with mobile devices when it announced settlements with two separate mobile application developers for alleged privacy violations. 29 The allegations included collection of personal information from children under age 13 in violation of COPPA, and misrepresentations regarding the file-sharing features of certain apps using default settings to allow the app to publicly share personal files stored on users mobile devices. FTC Staff Report on Mobile Apps for Kids In February 2012, the FTC released a staff report regarding disclosures in mobile applications directed to kids, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing. 30 The report highlights the lack of information available to parents prior to downloading mobile apps for children and calls on the industry to provide greater transparency about its data SEPTEMBER/OCTOBER 2012 IP Litigator 5

7 practices. The results of a survey of mobile apps for children showed neither app stores nor app developers provide information parents need to determine what data is being collected from children, how it is being shared, or who will have access to it. In response, the report includes the following recommendations: Provide data collection, usage, and sharing information through simple, short disclosures Alert parents if an app connects with any social media or allows targeted advertising Third parties that collect user information through apps should also disclose their privacy practices As gatekeepers of the app marketplace, app stores should enforce disclosure requirements and provide a more consistent way for developers to display information regarding data collection practices and interactive features FTC Chairman Jon Leibowitz asked companies to step up to the plate and provide easily accessible, basic information, so that parents can make informed decisions about the apps their kids use. California Attorney General Agreement with Mobile Application Stores The California Attorney General announced an agreement committing the following six leading operators of mobile app platforms to improve privacy protections: Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion. 31 Specifically, the agreement requires that mobile app developers provide a privacy policy before consumers download an app and disclose the extent to which they collect, use, and share a user s personal information. Mobile app developers that fail to comply with their privacy policies will be subject to prosecution under California consumer protection laws. The agreement was subsequently extended to social apps when Facebook agreed to participate. 32 Legislative Activity The 112th Congress has included a significant amount of legislation addressing online privacy. Most bills established statutory definitions for personal information (or personally identifiable information or PII). Currently, there are at least 18 different bills introduced in Congress or released for discussion on the topic. While the scope of the bills has shifted over time, key topics have included online privacy and behavioral advertising generally, 33 geolocational information, 34 data security and breach notification, 35 and mobile devices. 36 Additionally, numerous Congressional committees have used their authority to issue inquiries and hold hearings, which provide key guidance into legislators concerns and positions regarding the developing privacy framework. Much of the activity has focused on the collection of personal information through mobile devices and privacy practices related to mobile applications. Privacy considerations for social media, mobile applications, and general online privacy are tightly intertwined. Practical Tips to Minimize Privacy Risks Although best practices for privacy continue to develop, implementation of a few key practices can help reduce privacy risks associated with social media practices. Incorporate Privacy By Design: This would include a comprehensive privacy program reasonably designed to: (1) assess privacy risks related to the development and management of new and existing products or services; (2) implement controls to protect consumer information against identified risks; (3) select and retain service providers capable of protecting such information; (4) continually adjust the program based on new risks. Program should be audited by a qualified, independent third party. Provide Consumers with Choice: Consumers should have choices about the collection and sharing of their information. This should be provided in plain language and at the time and in the context in which they are making decisions. Transparency and Follow Through: There should be clear statements about how consumer information is collected, used, protected, and shared, as well as what types of consumer controls are available. All practices should be consistent with these promises made to consumers. In the event of new or changed practices, there should be a clear and prominent disclosure and consumer consent should be obtained. 1. Pew Research Center, Why Americans Use Social Media, 2 (Nov. 14, 2011), available at Why%20Americans%20Use%20Social%20Media.pdf. 2. Facebook, the largest social networking site, reports more than 901 million monthly active users as of March Seehttp://newsroom.fb.com/content/ default.aspx?newsareaid= U.S.C. 41 et seq U.S.C GLB Privacy Rule, 16 C.F.R. Part U.S.C C.F.R. Part U.S.C et seq. 9. Id. 10. S (enacted Dec. 18, 2010). 6 IP Litigator SEPTEMBER/OCTOBER 2012

8 U.S.C The HIPAA Security Rule, 45 C.F.R , also sets forth more detailed provisions governing the security standards for protecting electronic health information U.S.C. 1232g C.F.R. Part U.S.C California Online Privacy Protection Act, Cal. Bus. & Prof. Code California Shine the Light Law, Cal. Civ. Code Code. Mass Regs et seq. 19. FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, available at os/2012/03/120326privacyreport.pdf. The FTC previously had released its preliminary staff report on privacy in December The preliminary staff report proposed a new privacy framework for businesses and policymakers and addressed the FTC s view that self-regulation has, up to now, failed to provide adequate consumer protection. The proposed framework would be applicable to the online and offline data handling practices of consumer data that can be reasonably linked to a specific consumer, computer, or device. The report was based largely on a series of three public roundtables held over 2010 that explored current privacy approaches. 20. Id. at US Department of Commerce, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, (December 2010), available at iptf-privacy-green-paper.pdf. 22. Available at white_paper.pdf. 23. In re Google Inc., FTC No. C-4336, available at /111024googlebuzzdo.pdf. 24. In re Facebook Inc., FTC No , available at elist/ /111129facebookagree.pdf. 25. United States of Am. v. RockYou, Inc. No., 3:12-cv SI (N.D. Cal. Mar. 28, 2012), available at kyouorder.pdf. 26. In re Myspace LLC, FTC No , available at elist/ /120508myspaceorder.pdf. 27. Press Release, FTC Seeks Input for Revising Its Guidance to Businesses About Disclosures in Online Advertising, (May 2011), available at Press Release, FTC Warns Marketers that Mobile Apps May Violate Fair Credit Reporting Act, (Feb. 2012), available at opa/2012/02/mobileapps.shtm. 29. See, e.g., United States of Am. v. W3 Innovations, LLC and Justin Maples, No. CV (N.D. Cal. Sept. 8, 2011), available at caselist/ /110908w3order.pdf ; United States of Am. v. Frostwire LLC and Angel Leon, No. 1:11-cv DLG (S.D. Fla. Oct. 12, 2011), available at Available at Press Release, Attorney General Kamala D. Harris Secures Global Agreement to Strengthen Privacy Protections for Users of Mobile Applications, (Feb. 2012), available at Press Release, Attorney General Kamala D. Harris Announces Expansion of California s Consumer Privacy Protections to Social Apps as Facebook Signs Apps Agreement, (June 22, 2012), available at news/press-releases/attorney-general-kamala-d-harris-announces-expansioncalifornia%e2%80%99s-consumer. 33. See, e.g., BEST PRACTICES Act, H.R. 611, 112th Cong. (2011), available at pdf; Do Not Track Me Online Act, H.R. 654, 112th Cong. (2011), available at pdf; Commercial Privacy Bill of Rights Act of 2011, S. 799, 112th Cong. (2011), available at BILLS-112s799is.pdf; Consumer Privacy Protection Act of 2011, H.R. 1528, 112th Cong. (2011), available at 112hr1528ih/pdf/BILLS-112hr1528ih.pdf; Data Accountability and Trust Act, H.R. 1707, 112th Cong. (2011), available at BILLS-112hr1707ih/pdf/BILLS-112hr1707ih.pdf; Do-Not-Track Online Act of 2011, S. 913, 112th Cong. (2011), available at BILLS-112s913is/pdf/BILLS-112s913is.pdf; Data Accountability and Trust Act, H.R. 1841, 112th Cong. (2011), available at BILLS-112hr1841ih/pdf/BILLS-112hr1841ih.pdf; Do Not Track Kids Act of 2011, H.R. 1895, 112th Cong. (2011), available at pkg/bills-112hr1895ih/pdf/bills-112hr1895ih.pdf. 34. See, e.g., Geolocational Privacy and Surveillance Act, H.R. 2168, 112th Cong. (2011), available at pdf/bills-112hr2168ih.pdf ; Location Privacy Protection Act of 2011, S. 1223, 112th Cong. (2011), available at 112s1223is/pdf/BILLS-112s1223is.pdf. 35. See, e.g., Personal Data Privacy and Security Act of 2011, S. 1151, 112th Cong. (2011), available at pdf/bills-112s1151rs.pdf ; Data Security and Breach Notification Act of 2011, S. 1207, 112th Cong. (2011), available at pkg/bills-112s1207is/pdf/bills-112s1207is.pdf ; SAFE Data Act, H.R. 2577, 112th Cong. (2011), available at 112hr2577ih/pdf/BILLS-112hr2577ih.pdf ; Data Breach Notification Act of 2011, S. 1408, 112th Cong. (2011), available at BILLS-112s1408rs/pdf/BILLS-112s1408rs.pdf ; Data Security Act of 2011, S. 1434, 112th Cong. (2011), available at 112s1434is/pdf/BILLS-112s1434is.pdf ; Personal Data Protection and Breach Accountability Act of 2011, S. 1535, 112th Cong. (2011), available at ; Cybersecurity Act of 2012, S. 2105, 112th Congress (2012), available at gpo.gov/fdsys/pkg/bills-112s2105pcs/pdf/bills-112s2105pcs.pdf. 36. See Mobile Device Privacy Act, H.R. [discussion draft] 112th Cong. (2012), available at Mobile%20Device%20Privacy%20Act%20--%20Rep.%20Markey% _0.pdf. Copyright 2012 CCH Incorporated. All Rights Reserved. Reprinted from IP Litigator, September/October 2012, Volume 18, Number 5, pages 12-18, with permission from Aspen Publishers, Wolters Kluwer Law & Business, New York, NY, ,