THE MOBILE MAJORITY: BUILDING PRIVACY BY DESIGN INTO MOBILE APPS

Similar documents
3/17/2015. Overview HIPAA. Who s Covered? Who s Not Covered? PRIVACY & SECURITY. Regulatory Patchwork: Mobile Health

TOY INDUSTRY CHECKLIST FOR MOBILE APPS AND PROMOTIONS

Privacy Policy and Notice of Information Practices

PRIVACY ON THE GO RECOMMENDATIONS FOR THE MOBILE ECOSYSTEM. January Kamala D. Harris, Attorney General California Department of Justice

SHORT FORM NOTICE CODE OF CONDUCT TO PROMOTE TRANSPARENCY IN MOBILE APP PRACTICES. I. Preamble: Principles Underlying the Code of Conduct

EXHIBIT 2. CityBridge Privacy Policy. Effective November 4, 2014

Privacy Policy. If you have questions or complaints regarding our Privacy Policy or practices, please see Contact Us. Introduction

Estée Lauder Companies Global Jobs Website Privacy Policy

GSM Association 2012 February 2012

Advanced Diagnostics Limited ( We ) are committed to protecting and respecting your privacy.

KEY LEGAL ISSUES IN TODAY S MOBILE MARKETING:

SKoolAide Privacy Policy

NBA Math Hoops Privacy Statement and Children s Privacy Statement Updated October 17, 2013.

PRIVACY POLICY. I. Introduction. II. Information We Collect

Privacy Policy EMA Online

PRIVACY POLICY. To start, it is important for you to know two definitions that are key to understanding our programs and privacy practices:

BUSINESS CHICKS, INC. Privacy Policy

Privacy Policy Version 1.0, 1 st of May 2016

Staying Out of Trouble: Key Privacy, Data Security, and Advertising Mistakes That Can Put You in the Enforcement Crosshairs

ZOOMIN.TV PRIVACY POLICY Last updated: 5 August 2014

RDM on Demand Privacy Policy

Talen Energy Corporation Website Privacy Notice

Unless otherwise stated, our SaaS Products and our Downloadable Products are treated the same for the purposes of this document.

IAPP PRIVACY ACADEMY

SOLITEC products or services for which a separate privacy policy is provided.

LIDL PRIVACY POLICY. Effective Date: June 11, 2015

Privacy Policy. PortfolioTrax, LLC v1.0. PortfolioTrax, LLC Privacy Policy 2

TOY INDUSTRY CHECKLIST FOR MOBILE APPS AND PROMOTIONS

Best Practices for Mobile Application Developers. App Privacy Guidelines by the Future of Privacy Forum and the Center for Democracy & Technology

The Digital Marketing Ecosystem: Trends, Risks and Obligations

WHAT DOES THE FUTURE LOOK LIKE FOR MARKETING IN CYBERSPACE?

Federal Trade Commission Privacy Impact Assessment for:

PRIVACY POLICY Effective Date:, INTRODUCTION AND OVERVIEW

Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps

What's Up with Apps in Hong Kong July 2013

BEFORE THE DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY. Request for Comments Docket #

Privacy Policy Last Updated September 10, 2015

ONLINE PRIVACY POLICY

Privacy Policy. log in to the Services with social networking credentials;

BEFORE THE DEPARTMENT OF COMMERCE

MRIA CODE OF CONDUCT FOR MARKET AND SOCIAL RESEARCH. Appendix B

Johnson Controls Privacy Notice

Privacy Policy. Introduction. Scope of Privacy Policy. 1. Definitions

Privacy Policy/Your California Privacy Rights Last Updated: May 28, 2015 Introduction

H&R Block Digital Tax Preparation, Online, and Mobile Application Privacy Practices and Principles

Maximum Global Business Online Privacy Statement

BBVA Wallet Application Privacy Policy

PRIVACY POLICY. Types of Information Collected

Privacy Policy for culinarydreamsinc.com

Practical Legal Aspects of BYOD

Apple Deployment Programs Apple ID for Students: Parent Guide

Information Collected. Type of Information Collected. We may collect two general types of information when you use the Site:

Mind Your Business: Privacy, Data Security & Regulatory Compliance Best Practices & Guidance

PTAC Toolkit for LEAs: Staff Policies and Teacher Access March 24, 2014

ConteGoView, Inc. Privacy Policy Last Updated on July 28, 2015

Personal Information - How Do We Collect?

PRIVACY POLICY. Last Revised: October 1st, 2015 Effective: October 1st, 2015

This Privacy Policy applies to all of our sites. This Privacy Policy does not apply to our in store public WiFi.

Federal Trade Commission Privacy Impact Assessment for:

Internet Explorer Services - What Makes Them Different?

2015 NMSBA SCHOOL LAW CONFERENCE

Privacy Policy. Peeptrade LLC ( Company or We ) respect your privacy and are committed to protecting it through our compliance with this policy.

Type of Personal Data We Collect and How We Use It

NAI Mobile Application Code

Privacy Statement. What Personal Information We Collect. Australia

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Zubi Advertising Privacy Policy

Policy Implications: Privacy, Security and Liability Big Data in Telecom. June TIA 2012: INSIDE THE NETWORK Dallas TX

ASSURANCE OF DISCONTINUANCE. The Office of the Attorney General of the State of New York (sometimes referred to as

Measurabl, Inc. Attn: Measurabl Support 1014 W Washington St, San Diego CA,

stacktools.io Services Device Account and Profile Information

NAI Code 2013 of Conduct

DailyMailz may collect and process the following personal information about you:

ADVANCED CABLE COMMUNICATIONS WEBSITE PRIVACY POLICY COLLECTION AND USE OF INFORMATION FROM USERS

Optum Website Privacy Policy

Federal Trade Commission Privacy Impact Assessment. Conference Room Scheduling PIA

Mobile Application Privacy Policy Framework

The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Ann Cavoukian, Ph.D.

WESTLAW JOURNAL COMPUTER & INTERNET

Rise Broadband Networks, Inc. Privacy Policy and Customer California Privacy Rights. Effective date: January, 2016

ARYZTA PRIVACY POLICY

COMMENTARY Scope & Purpose Definitions I. Education. II. Transparency III. Consumer Control

cbox YOUR FILES GO MOBILE! FOR ANDROID SMARTPHONES AND TABLETS USER MANUAL

Federal Trade Commission Privacy Impact Assessment

1. The information we collect and how we collect it.

Overview This Policy discloses the online data collection and usage policies and practices for this Site only, including an explanation of:

Review and Assessment of Uber s Privacy Program

Privacy Policy. Definitions

Leonardo Hotels Group Page 1

Student Online - First of January 0

Android Developer Applications

3Degrees Group, Inc. Privacy Policy

Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices

By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels.

LIVE CHAT CLOUD SECURITY Everything you need to know about live chat and communicating with your customers securely

2008 NAI PRINCIPLES THE NETWORK ADVERTISING INITIATIVE S SELF-REGULATORY CODE OF CONDUCT

Privacy Law Basics and Best Practices

Children s Privacy in the Mobile Data Environment

Your Privacy Center. Online Privacy Statement. About the Information We Collect

OUTLINE AND OBJECTIVES

Transcription:

THE MOBILE MAJORITY: BUILDING PRIVACY BY DESIGN INTO MOBILE APPS Clarissa Cerda, EVP, Chief Legal Officer and Secretary, LifeLock Kimberly Cilke, CIPP/US Deputy General Counsel, GoDaddy.com Timothy Sparapani Vice President, Law, Public Policy & Government Relations, Application Developers Alliance Principal, SPQR Strategies, PLLC

PRIVACY IN THE MOBILE ENVIRONMENT Booming Mobile Marketplace 1 85% Adults In US Own A Cell Phone, 50% Use It To Access The Internet 1600 New Apps For Mobile Devices Added Daily, 1M+ Total In Existence Consumers Care 1 Over Half of Americans Had Uninstalled Or Decided Not To Install An App Because Of Concerns About Its Privacy Practices Privacy Policies Are Complex And Difficult To Read 2 Amount Of Time To Read Policies Is Too Great 3 Misconceptions: Majority of Americans Believe That Websites With Privacy Policies Cannot Sell Data 4 ¹California Attorney General s Office, Privacy on the Go at 12-13 (Jan. 2013) 2 Milne/Culnan and Greene 2006 ²McDonald/Cranor 2008 ³ 4urow/Hoofnagle 2009-2010

FTC AND WHITE HOUSE INITIATIVES By 2012 The Goals Of The FTC And White House (Privacy White Paper) Were Unambiguous: FTC It is of utmost importance that privacy policies should be clear and conspicuous and written language that is simple and easy to understand White House Consumer[s] have a right to easily understandable and accessible information about privacy practices in a form that is easy to read on devices consumers use

TRANSPARENCY PLAYERS Advocates FTC Attorney Generals NTIA Industry

THE FTC Standardized, Easy-to-Understand Privacy Notices Have Been At The Core Of FTC Efforts On Privacy For More Than A Decade. FTC Emphasizes Clear And Prominent Notice Of Information Collection, Use And Disclosure & Informed Consent For Sensitive Information. FTC COPPA Rule (mobile apps, "just in time" and close proximity) (2012) Early FTC Reports (1998, 2000) FTC Privacy Report (2012) FTC Staff Report on Mobile Privacy Disclosures (2013)

THE FTC FTC Staff Report Recommends Icons: Icons offer the ability to communicate key terms and concepts in a clear and easily digestible manner. Icons Allow Consumers To View Data Practice Highlights With A Quick Glance, Then Hover Or Click Through For More Detailed Information. Use Of Icons And Other Short Disclosures Will Have Greater Success If There Is Some Consistency In Approaches. 2013 FTC Staff Report on Mobile Privacy Disclosures

ATTORNEYS GENERAL January 2013: California Attorney General Releases Privacy Recommendations for Mobile Industry These always-on, always-on-us devices pose additional privacy challenges that are unique to mobile space. Consumers deserve meaningful information about privacy choices on small screens [in an environment] with many players who may have access A centerpiece of these Guidelines are prominent, timely, special notices or short-form privacy notices designed to be read on a mobile device of data practices that involve sensitive information or are not required for an app s basic functionality California Attorney General s Office, Privacy on the Go at 12-13 (Jan. 2013)

NTIA Multi-Stakeholder Process Developing Voluntary Code of Conduct for Mobile Application Transparency. Clear, Short Form Notice of Mobile App Collection of Unexpected or Sensitive Data Elements and Sharing of that Info with Third Parties. Proposal Developed by App Developers Alliance, World Privacy Forum, ACLU, Consumer Action and Industry Representatives.

INDUSTRY FTC Privacy Report Calls on Industry Sectors to Work Together to Develop Standard Formats and Terminology for Privacy Statements Applicable to Their Particular Industries. Clearly Need A Standardized, User-friendly Approach Designed With Industry Input. Must Effectively And Succinctly Explain Data Collection, Use And Disclosure Practices. HOW DO WE DO THIS? Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, at iii, 19-20, 26-28, 44, 60, 70-72 (Dec. 1, 2010).

TWO-PHASED PROPOSAL Phase 1: Standardized Privacy Notice Elements Phase 2: Standardized Icon System Improved Transparency and Enhanced Consumer Choice

PHASE 1 Standardized Privacy Notice Elements Increase Transparency by Allowing Consumers To Compare Privacy Practices Of Different Providers. Encourage Competition Among Companies In The Privacy Protections They Afford. Utilize Standardized Descriptions As Outlined By FTC. Eliminate Legalese - Use Plain English To Effectively Provide Information On Data Collection, Use, And Disclosure.

PHASE 2 A Simple Icon Solution to Solve Transparency Color And Symbol Icon/seal System. Works Offline, Online & On Mobile Devices. Simple, Quick Solution Requiring Minimal Technical Work. Easy-to-Understand. Incentivizes Parties With Relationship With Consumers Not To Proliferate Personal Data.

CASE STUDY: GODADDY.COM World s largest domain name registrar and hosting provider. 3,300+ employees, 600+ in-house software developers, 9 global locations including U.S., Canada, UK, Netherlands, Singapore and India. More than 10.7 million customers. 10+ corporate websites, 1 mobile website, 3 mobile apps with over 1.7 million downloads. 2.5 million paid hosted customer websites; another 2.5 million free hosted sites. Mobilized more than 700,000 customer websites as part of November 2012 Website Builder product launch. Bolstered Mobile First strategy with acquisition of M.Dot in February 2013.

REFRESHER: PRIVACY BY DESIGN 1. Proactive, not reactive - Preventative, not remedial. 2. Privacy as the default setting. 3. Privacy embedded into design. 4. Full functionality Positive sum, not zero-sum. 5. End-to-end security Full lifecycle protection. 6. Visibility and transparency Keep it open. 7. Respect for user privacy Keep it user-centric.

GO DADDY S PRIVACY PROGRAM Customer privacy owned by Go Daddy Legal Department. Team with IT Security, Internal Audit, Product and Marketing Managers, Lead Developers, and HR. Every new product, IT project, and marketing program, as well as project/program updates, undergoes privacy review as part of legal screening. Customer Information Privacy Policy in Employee Handbook specifies Privacy Policy requirements for all employees. Legal/privacy review embedded into Software Development Lifecycle (SLD). Technical collection of PII undergoes additional security review by Privacy Tech Committee.

CUSTOMER INFORMATION PRIVACY POLICY Defines PII Any and all personal information about a Customer that can be used to uniquely identify, contact or locate the Customer. Defines Sensitive PII PII subject to heightened degree of internal protection and review, generally follows data breach PII definitions. Sets Company Policy PII shall never be collected unless such collection is necessary for a legitimate business purpose related to Go Daddy s business. Where the collection of PII is necessary, only the minimum amount of information necessary to satisfy the legitimate business purpose may be collected.

CUSTOMER INFORMATION PRIVACY POLICY Prohibits disclosure of user PII to third-parties without privacy review. Provides for internal security procedures and authorized locations for PII. Provides process for notifying Privacy team in the event of an inadvertent or unauthorized disclosure of PII to any thirdparty. Addresses use of external storage devices.

CUSTOMER INFORMATION PRIVACY POLICY Provides process for privacy review; in our case, simple as email to Legal Department in connection with any new product, IT project, or marketing program, with: Summary of project, including measures to be used to secure PII. All categories of PII involved in the project. Who will have access to the PII and/or to whom it will be disclosed. The real or best estimate of the number of users whose PII will be collected/affected. Date project is scheduled to commence and/or deploy. Any relevant documents or creatives.

THE FIRST QUESTIONS 1. With what types of operating systems will the app be compatible? 2. With which Web browsers will the app be compatible? 3. Will we store app-related data in the cloud or on our own servers? 4. What is the extended cyber-enterprise related to the app? Will it access third-party apps, such as ad networks and analytics companies? 5. In which app stores will our app be available? Are we in compliance with the app stores privacy requirements? Consider all third-party agreement/tos requirements (e.g., device, OS, browser, cloud provider, ad network, etc.).

WHAT DATA WILL WE COLLECT? In addition to traditional PII, consider: Unique device identifier? Geo-location (GPS, WiFi, user-entered) Mobile phone number Email address User s name Text messages or email Call logs Contact/address book Financial and payment information Health and medical information Photos or videos Web browsing history Other apps downloaded or used

HOW WILL WE USE THE DATA? For each type of data, consider: Is the data type necessary for your app s basic functionality (ie, within the expected context of the app s functions as described to users)? Is the data type necessary for business reasons (ie, billing)? How will you use the data? Will it be necessary to store data off the device, on your servers? How long will you need to store the data on your servers? Will you share the data with third-parties (eg, ad networks, analytics companies, service providers)? If so, with whom? How will third-parties use the data? Who in your organization will have access to user data? What parts of the mobile device do you have permission to access? Can users modify their permissions?

KEY PRIVACY BY DESIGN ELEMENTS Transparency, Choice, and Control Give prior who-what-why notice and obtain a user s active consent for the collection, use, and sharing of personal information, as well as any application changes affecting privacy ( active consent occurs where a user has the opportunity to agree to the specific use of personal information) Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information. Collect and use only reasonable amounts of information within the scope of the user s expectations Allow users to control the frequency of reminders about features which use personal information Provide users with information and choice regarding an application s privacy settings

KEY PRIVACY BY DESIGN ELEMENTS Data Retention and Security Ensure applications using unique identifiers are linked to the rightful user Protect personal information from unauthorized access or disclosure and establish justifiable retention and deletion periods Social Networking and Social Media Ensure default settings protect privacy and allow easy control of profile information Provide additional, heightened privacy measures for underage users Obtain consent for any access, use, and/or sharing of location data Mobile Advertising Inform users, prior to download and/or activation, if applications are ad-supported Obtain active consent for targeted advertising, profiling, and/or viral marketing Ensure content is appropriate for the audience

KEY PRIVACY BY DESIGN ELEMENTS Children and Adolescents Provide age-targeted information regarding the consequences of using an application Ensure the default location setting prevents a user from publishing his or her location Comply with applicable jurisdictional laws regarding the protection of children Where possible, include an age verification mechanism Accountability and Enforcement Assign responsibility for privacy issues throughout the application s lifespan Provide a means for users to report application problems.

MOBILE PRIVACY POLICY

MOBILE PRIVACY POLICY

SPECIAL NOTICES Supplement your mobile privacy policy with enhanced measures to alert users to : Collection, use or disclosure of PII not required for app s basic functionality. Accessing text messages, call logs, contacts or potentially privacy sensitive features such as camera, dialer and microphone. A change in your data practices that involves new, unexpected uses or disclosures of PII. The collection or use of sensitive information, such as precise geo-location, financial or medical information, passwords, etc. The disclosure of PII to third-parties for their own use, including use for advertising.

SPECIAL NOTICES Deliver notice in context, just before the data is to be collected. Explain the intended use and any third-parties to which data will be disclosed. Provide an easy way for users to choose whether or not to allow the collection of the data. If use of the app is contingent on collection of the data, make that clear. Include a link to the general privacy policy.

WHEN YOU GET BACK TO THE OFFICE Make someone responsible for mobile app privacy. Take stock of the data you collect and retain. Carefully scrutinize collection/integration of PII data and sensitive information such as geo-location data and user contacts access. Conduct due diligence on libraries and other third-party code. Consider any special requirements related to financial, health or kids data. Understand the differences between mobile platforms.

WHEN YOU GET BACK TO THE OFFICE Don t rely on the platform alone to protect your users. Ensure that you are generating user credentials securely. Use transit encryption for usernames, passwords and other important data. Don t store passwords in plaintext. Protect data stored on a user s device. Protect your servers. Audit app regularly following deployment.

ADDITIONAL READING AND RESOURCES Privacy On The Go - CA Attorney General's set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process. CA Business Privacy Resources - CA Attorney General's links to helpful resources concerning privacy, data breach, Child Online Privacy Protection Act (COPPA) and other relevant privacy laws. CA AG's Developer Agreement - CA AG's agreement committing the leading operators of mobile application platforms to improve privacy protections for millions of consumers around the globe who access the Internet through applications ( apps ) on their smart phones, tablets and other mobile devices. Marketing Your Mobile App - FTC publication presenting guidelines to help developers comply with truth-in-advertising standards and basic privacy principles. Protecting Consumer Privacy In An Era Of Rapid Change - FTC report with recommended best practices for mobile transparency and protecting consumer privacy.

QUESTIONS?

THE MOBILE MAJORITY: BUILDING PRIVACY BY DESIGN INTO MOBILE APPS Clarissa Cerda, EVP, Chief Legal Officer and Secretary, LifeLock Kimberly Cilke, CIPP/US Deputy General Counsel, GoDaddy.com Timothy Sparapani Vice President, Law, Public Policy & Government Relations, Application Developers Alliance Principal, SPQR Strategies, PLLC

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information