Social Media and Mobile Privacy

Janine MacNeil, Partner, Competition & Marketing Group
Robert Hester, Associate, Business Law Group

Outline

Mobile Data, Geolocation and Near-Field Communication

Behavioural Advertising

Product Promotion and Social Media

Canada’s Anti-Spam Law – CRTC Guidance and Mobile Computing

MOBILE DATA + GEOLOCATION + NEAR-FIELD COMMUNICATION

Near-Field Communication (NFC) and Quick Response (QR) Codes

NFC

Two modes: (a) active communication, where two NFC devices are communicating with each other; and (b) passive mode, where an NFC device communicates with an NFC chip.

Popular uses:
o Social networking and peer-to-peer data transfer (e.g., business contacts, photos, web links)
o Payment systems (e.g., credit cards, debit cards, loyalty rewards programs and transit passes)
o Bootstrapping to other communication platforms (e.g., initiating Bluetooth connection)

Key privacy concern:
o When used in smartphones, potential to access significant amount of personal information
o Data protection, which may involve personal information, is now more reliant on secure hardware and software
o Accidental taps or disclosures between NFC devices
o Hidden NFC tags
o Greater potential for collecting information which, in aggregate, would be considered personal, e.g., payment activities, tracking one’s routine movements (e.g., subway routes)

QR (Quick Response)

2D barcode that can contain any form of data:
o a website URL
o location / GPS coordinates
o vCard contact information
o links to download a mobile app
o open a pre-formatted email message

Key privacy concern:

QR codes, just like phishing websites, can be used to mislead users into providing their personal information.

Often, the QR code itself doesn’t act as the source of the content (an “indirect code” versus a “direct code”) but rather works as a pointer to online content. Just like any unknown web source, when loading a barcode you are not certain about the source of the application or link that you will be taken to.

“Although the phone user is able to see the process taking place, hitting back on the device will not stop the reset. For QR code readers that automatically load whatever website has been stored to each code, or indeed NFC readers that do the same with NFC tags, the user would have no warning – and no hope of stopping – their handset from running the malicious code.”
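An added example (not part of the original slides): a reader-side check that classifies a decoded QR or NFC payload into the data types listed above and returns a preview for the user to confirm instead of loading the target automatically. The function names, the scheme allowlist and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload types named on the slides, keyed by URI scheme. "market" is the
# Android app-store scheme; the allowlist itself is an assumption.
KNOWN_SCHEMES = {
    "http": "website URL",
    "https": "website URL",
    "geo": "location / GPS coordinates",
    "mailto": "pre-formatted email message",
    "market": "link to download a mobile app",
}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _url_warnings(parts):
    """Flag properties that make the real destination hard to judge."""
    warnings = []
    host = parts.hostname or ""
    if parts.scheme.lower() == "http":
        warnings.append("unencrypted link")
    if parts.username is not None:
        warnings.append("text before '@' is not the destination host")
    if _is_ip_literal(host):
        warnings.append("numeric IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host name")
    return warnings


def _result(kind, show, action, warnings=()):
    return {"kind": kind, "show": show, "action": action,
            "warnings": list(warnings)}


def preview_payload(payload):
    """Classify a decoded QR/NFC payload without acting on it.

    Nothing is ever opened automatically: known types come back with
    action 'confirm', plain text with 'display', everything else 'block'.
    """
    text = payload.strip()
    if text.upper().startswith("BEGIN:VCARD"):
        return _result("vCard contact information", "contact card", "confirm")
    try:
        parts = urlsplit(text)
    except ValueError:
        return _result("unparseable", text, "block", ["malformed link"])
    scheme = parts.scheme.lower()
    if not scheme:
        return _result("plain text", text, "display")
    if scheme not in KNOWN_SCHEMES:
        return _result("unrecognised scheme", text, "block",
                       ["scheme '%s' is not on the allowlist" % scheme])
    if scheme in ("http", "https"):
        if not parts.hostname:
            return _result("unparseable", text, "block", ["link has no host"])
        # Show the host the device would really contact, not the raw string.
        return _result(KNOWN_SCHEMES[scheme], parts.hostname, "confirm",
                       _url_warnings(parts))
    return _result(KNOWN_SCHEMES[scheme], text, "confirm")


# Constructed sample payloads, as a scanner library would hand them over.
SAMPLES = [
    "https://www.example.com/menu",
    "http://bank.example@198.51.100.7/login",
    "geo:45.4215,-75.6972",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Test Person\nEND:VCARD",
    "someapp://do-something",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(preview_payload(sample))
```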

Lessons from recent privacy gaffes

o CarrierIQ
o Apple UDID
o Path app
o Apple iPhone location tracking

Purported to be installed on over 140 million devices

Capable of logging user keystrokes, recording telephone calls, storing text messages, tracking location

Runs as a background process, difficult or sometimes impossible to disable or uninstall

Clients of CarrierIQ determine what information is collected


So… what does it actually collect?


“We automatically receive certain types of information whenever you use our Services. We may collect information about your device such as the type, version of operating system, signal strength, whether it is on and how it is functioning, as well as information about how you use the device and services available through it, such as your call and data usage and history, your location, web sites you have visited, applications purchased, applications downloaded or used, and other similar information.”

Privacy Policy

“We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected,” said Sprint in an email to Mobile Burn.

“We are further evaluating options regarding this diagnostic software as well as Sprint’s diagnostic needs.”

Know exactly what’s being collected, used or disclosed

If third parties are processing information on your behalf, have written contractual arrangements that provide for adequate privacy protection standards and allow opportunities to audit compliance

UDID (Unique Device Identifier)

Hardware-based (i.e., forever linked to an end-user’s device)

Used by app developers and advertisers as an “anonymized” token in place of personal information

2010 Bucknell University study showed that many apps would upload UDID together with pieces of personal information

All iOS apps have access to the same UDID token - privacy advocates worried that risk of “reidentification” was too high


“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokeswoman Natalie Kerris told AllThingsD.

UDIDs

Privacy Commissioners (Fed., B.C., A.B.): Apps should be designed in a way that does not require you to collect any device-unique identifiers if it is not essential to the functioning of the app.

Privacy Commissioners (Fed., B.C., A.B.): Avoid associating data across apps unless it is obvious to the user and necessary to do so. If you must make links, ensure that sensitive data is not linked to a user’s identifier for longer than it needs to be.

Disclosure in a privacy policy may not be sufficient:

FTC: “If you need to disclose information to make what you say accurate, your disclosures have to be ‘clear and conspicuous.’ What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say.”

FTC: “For collection or sharing that’s not obvious or readily apparent, to users, provide added disclosure and obtain express consent.”

Privacy Commissioners (Fed., B.C., A.B.): “While your app’s privacy policy tells the user about your practices, you should also provide specific, targeted notifications to users when they need to make a decision about whether to consent to the collection of their personal information.”

Privacy Commissioners (Fed., B.C., A.B.): “Should you make updates to your app’s privacy policy, inform users in advance and give them reasonable time to provide feedback before you implement changes.”

Disclosure in a privacy policy may not always be sufficient:

Bill C-12: An Act to amend the Personal Information Protection and Electronic Documents Act: “For the purposes of clauses 4.3 to 4.3.8 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.”

Mobile screen sizes present challenges for making effective privacy disclosures. Consider using graphics, sounds or different colours to grab users’ attention.

Privacy Commissioners (Fed., B.C., A.B.): not sufficient to inform only at time of app download.

Tell users in advance what will be collected, used or disclosed, and then again in real time when the activity is about to be executed (e.g., location sharing or uploading of photos).

Apple + location logging

Up to 1 year’s worth collected in “consolidated.db” file

Apple, in responding to questions from the US House of Representatives, points to its privacy policy as providing disclosure of its location-grabbing activities:

“…The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.”


Collect and keep only what your app needs to function, and secure it:

PIPEDA Principle 4 — Limiting Collection:

o 4.4. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

o 4.4.1. Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified.

o 4.8. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle.

Privacy Commissioners (Fed., B.C., A.B.): If you cannot explain how a piece of information is related to the functioning of your app, then you probably should not be collecting it.

Privacy Commissioners (Fed., B.C., A.B.): Avoid collecting information about a user's movements and activities through the use of location and movement sensors unless it relates directly to the app and you have the user's informed consent.


So, how to anticipate?

BEHAVIOURAL ADVERTISING

Technology that creates a profile of a website user based on an individual’s online activities including browsing history, use of a web device, particular links clicked, and information shared online

The data is used to serve advertisements suited to the individual’s interests and preferences. Advertisers are happy to pay more to website hosts that allow behavioural advertising, since it allows them to direct certain advertisements to individuals who are known to have a level of interest in the product or product segment


Do behavioural profiles constitute “personal information”?

PIPEDA: “personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization

The test: Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information

Office of the Privacy Commissioner of Canada - Position: Taking a broad, contextual view of the definition of personal information, the Office of the Privacy Commissioner of Canada will generally consider information collected for the purpose of online behavioural advertising to be personal information, given:
o the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads;
o the powerful means available for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals; and
o the potentially highly personalized nature of the resulting advertising

Obtaining consent

Privacy Commissioner: Consent to behavioural advertising must be “meaningful”

Privacy Commissioner: Avoid making behavioural advertising a term or condition for using the service

If users cannot block or otherwise prevent a given method from being used for online behavioural advertising, do not use it

No behavioural advertising on youth-focused websites

Implied or opt-out consent MAY be acceptable


Opt-out must take effect immediately, must be persistent

Information collected and used must be limited, if practical, to non-sensitive information

Information is destroyed or de-identified as soon as possible

Individuals are informed of the purposes and the parties involved in the behavioural advertising


“the purposes must be made obvious and cannot be buried in a privacy policy”

Consider: online banners, layered approaches or interactive tools. Above all, be transparent.


Do Not Track

When browsers send requests or data, they can include extra information in “headers”

A new proposed header for do not track (DNT) would include data about whether the user wishes not to be tracked (opt-out), wishes to be tracked (opt-in) or has not made a preference known (null)

DNT header is now supported by Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome and Opera web browsers

In Internet Explorer 10, Microsoft has enabled the opt-out DNT header by default. On other browsers users must make an active choice by changing their browser settings


Currently a voluntary standard – it indicates a preference and doesn’t actively block tracking activities

The World Wide Web Consortium (W3C) develops web standards (e.g., HTML5) and has created a Working Group on Tracking Preference Expression (DNT); a draft standard has been provided for comment

Advertising groups prefer self-regulatory standards and are resisting any move to make DNT on by default

With joint support from the White House, Department of Commerce and the FTC, the Digital Advertising Alliance (DAA) agreed to include recognition of browser-based choices in its Self Regulatory Program for Online Behavioural Advertising. The consortium’s tool is available on over 900 billion ad impressions served monthly


Compliant disclosure

Revise your privacy policy to include a complete description of your use of behavioural advertising practices, keeping in mind that mere privacy policy disclosure will not satisfy the Federal Privacy Commissioner’s guidelines

Create a pop-up or other obvious notice specifically related to behavioural advertising

When contemplating your opt-out disclosure procedures, think about your advertising partners. Can you take advantage of an existing private-sector tool, and refer to its opt-out procedure?

Revise web presences (including mobile) to be DNT-aware

Don’t overstate the ability of an individual to opt-out of tracking (the FTC recently entered a settlement with one ad network who had offered opt-out cookies that expired 10 days after the preference was selected)
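An added example (not part of the original slides) of a DNT-aware ad decision that also honours a site opt-out, combining the three DNT states described above with the requirement that an opt-out take effect immediately and persist. The cookie names `ba_optout` and `ba_profile`, the five-year lifetime, the treatment of an unset header and the function names are assumptions for illustration.

```python
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "ba_optout"            # hypothetical opt-out cookie name
PROFILE_COOKIE = "ba_profile"           # hypothetical behavioural-profile cookie
OPT_OUT_MAX_AGE = 5 * 365 * 24 * 3600   # assumed lifetime: about five years


def _header(headers, name):
    """Case-insensitive lookup in a dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def dnt_preference(headers):
    """Map the DNT request header to 'opt-out', 'opt-in' or 'unset'."""
    value = (_header(headers, "DNT") or "").strip()
    if value == "1":
        return "opt-out"
    if value == "0":
        return "opt-in"
    return "unset"      # header absent or unrecognised: no preference expressed


def has_site_opt_out(headers):
    """True when the request carries the site's own opt-out cookie."""
    jar = SimpleCookie()
    jar.load(_header(headers, "Cookie") or "")
    morsel = jar.get(OPT_OUT_COOKIE)
    return morsel is not None and morsel.value == "1"


def decide_ad(headers):
    """Choose the ad type for one request; any opt-out signal wins."""
    if has_site_opt_out(headers):
        return {"ads": "contextual", "reason": "site opt-out cookie"}
    preference = dnt_preference(headers)
    if preference == "opt-out":
        return {"ads": "contextual", "reason": "DNT: 1"}
    # Assumption: opt-in or no expressed preference falls back to the site's
    # own (opt-out) consent model, which still needs an obvious notice.
    return {"ads": "behavioural", "reason": "DNT " + preference}


def opt_out_response_headers():
    """Set-Cookie headers for the response to an opt-out click."""
    jar = SimpleCookie()
    # Persistent opt-out: long-lived, so the choice does not lapse after days.
    jar[OPT_OUT_COOKIE] = "1"
    jar[OPT_OUT_COOKIE]["max-age"] = OPT_OUT_MAX_AGE
    jar[OPT_OUT_COOKIE]["path"] = "/"
    jar[OPT_OUT_COOKIE]["secure"] = True
    jar[OPT_OUT_COOKIE]["samesite"] = "Lax"
    # Immediate effect: expire the profile cookie in the same response.
    jar[PROFILE_COOKIE] = "deleted"
    jar[PROFILE_COOKIE]["max-age"] = 0
    jar[PROFILE_COOKIE]["path"] = "/"
    return [("Set-Cookie", jar[name].OutputString())
            for name in (OPT_OUT_COOKIE, PROFILE_COOKIE)]


if __name__ == "__main__":
    # Constructed sample requests.
    for request in ({"DNT": "1"}, {"DNT": "0"}, {},
                    {"DNT": "0", "Cookie": "ba_optout=1"}):
        print(request, "->", decide_ad(request))
    for header in opt_out_response_headers():
        print(header)
```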

PRIVACY + PROMOTIONS + SOCIAL MEDIA

The “Why’s” of Social Media Marketing

Encourage involvement of new and/or existing customers (e.g. through fan pages, blogs, wikis, interactive contests or promotions) with a company, product or brand

Attract new customers or encourage public awareness through virtual campaigns

Enhance customer service by providing certain functionality online


Socialnomics 101


Social Networking/UGC


Privacy, Promotions and Social Media

Privacy, Promotions and Third Party SNS

o Promotions administered using a third party SNS’ platform will be governed by such SNS’ privacy policy, community guidelines and/or terms of use

o Organizations that administer promotions in connection with a third party SNS’ will typically not be permitted to post their own terms of use and/or privacy policies on their SNS pages

o Has the consumer been adequately notified about the nature of the PI that will be collected and with whom it will be shared? Where are the links to your terms of use and privacy policy?

o If a third party application is being used, what, if any, PI is being collected by the app developer? Have the terms of use and privacy policy of the developer been adequately disclosed? Are they consistent with your terms of use and privacy policy?

o What platform are you using to build the promotion, and does use of that platform impose any additional, specific obligations or constraints with respect to collection, use and/or disclosure of PI? For example:

Foursquare (API Platform Policy):
• Disclose that both sponsor and Foursquare collect and use personal location data
• Obtain consent from participants before collecting and using their location
• Do not use Foursquare data to create a location database or improve or supplement venue information in your own places or location database
• You may cache data, provided you keep the data up to date and delete all old data; however, you have no rights to cached data and cannot cache any data for more than 30 days

YouTube (Contest Policies and Guidelines):
• May only use PI collected from entrants for contest administration and cannot reuse the PI for marketing purposes, even if an entrant has expressly consented to such use

o Does the promotion raise any other privacy concerns (e.g., children’s privacy issues, testimonials, CASL)?

Social Networking Policies:
o Use of a third party SNS will constitute acceptance of that SNS’ terms of use and privacy policy
o Consider whether this is sufficient, or whether a set of external guidelines governing the activities of users of your page on a third party SNS site is necessary

Social Networking Policy Examples:
o NABS: Social Networking Policy www.nabs.org/en/bottomnav/social-networking-policy.aspx
o Nestlé Purina: Terms and Conditions for User-Generated Content www.purina.ca/terms-conditions-user-generated.aspx
o Wal-mart: Social Media Guidelines (Twitter and Facebook Engagement Guidelines) www.corporate.walmart.com/social-media-guidelines

Privacy, Promotions and Social Media:

Viral Marketing


Viral Marketing: A Case Study

Marketing techniques that use pre-existing social networks to increase brand awareness or achieve other marketing objectives through self-replicating viral processes

Viral marketing can be delivered by word-of-mouth or enhanced by the network effects of the internet

Viral promotions may take the form of video clips, interactive Flash games, brandable software, images or text messages


Some viral marketing campaigns have been quite successful….


Others, not so much…


Privacy compliance issues:

o Will be closely linked to the type of viral campaign you are executing, and the media you use

o Challenge is to find ways to normalize privacy choices within the SNS context in a manner that actively engages both existing and new users

o Data collector/marketer must be able to prove that it obtained consent to collection, use, etc. of PI – should document, even if consent was verbal

o Prospect must be aware that his or her PI is being provided to the data collector and have a minimum awareness of the purposes

o Data collector may not collect names of prospects who have not consented or are not aware that their PI is being provided

o However, consent on referral may be limited to an initial contact, at which time the prospect is asked if he/she is interested in receiving more detailed information about services, etc. and may provide more detailed PI


CANADA’S ANTI-SPAM LAW – CRTC GUIDANCE + MOBILE COMPUTING


CRTC Guidelines (October 10, 2012)

CRTC 2012-548 Guidelines on the interpretation of the Electronic Commerce Protection Regulations

CRTC 2012-549 Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

CRTC Guidelines (October 10, 2012)—Key Messages

Recall… CASL’s CEM Content Requirements

All CEMs must clearly and prominently disclose required information as follows:

o Identity of sender and, if applicable, sender’s principal (on whose behalf message is sent)

o Description of relationship between sender and principal (as applicable)

o Disclosure of any carrying-on-business names…

Contact information for sender and principal (as applicable):
i. Mailing address, and one of:
ii. Telephone no. with active response voicemail
iii. Email address
iv. Web address


o Tweets are 140 characters

o Text messages are 160 characters

o Your business had better be located on a street with a very short name!

Information to be included in commercial electronic messages

o (2) If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic message, that information may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message

Identification of sender

o No need to include prescribed information for intermediaries if they act only as intermediary and have no role in the CEM content or choice of recipients

o If a CEM is sent on behalf of multiple persons (e.g., multiple affiliates of a company), all such persons must be identified

o “Mailing address” means a physical postal address, and must be valid for at least 60 days after CEM is sent


Recall… CRTC’s Regulations – Unsubscribe

Form of commercial electronic messages

o 3. (2) The unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be able to be readily performed

Unsubscribe mechanism – CRTC guidance:

o “readily performed” means “accessed without difficulty or delay, and should be simple, quick and easy for the consumer to use”

o “an example of an unsubscribe mechanism that can be readily performed is a link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.”

o Previous draft regulations had stated “two clicks or another method of equivalent efficiency” – revision in final regs stated to be for technological neutrality - perhaps providing some leeway in permitting how to unsubscribe e.g., providing options for opting-out of all messages, or just some categories…


o Example of technological neutrality? Text “STOP” to opt-out


Requests for consent

o CRTC regulations state that consent must be “sought separately”

o Guidelines clarify that it doesn’t mean for each instance (e.g., per email); rather, for each type of activity:

Sending CEMs

Altering transmission of data

Installing computer programs


NO PRE-CHECKED BOXES

“The Commission… considers that a default toggling state that assumes consent cannot be used as a means of obtaining express consent under the Act for the purposes of sending CEMs”


Requests for consent (cont.)

Obtaining consent orally is permitted but in practice will likely be unworkable

“The Commission considers the following forms as sufficient to discharge the onus of demonstrating oral consent:

o where oral consent can be verified by an independent third party; or

o where a complete and unedited audio recording of the consent is retained by the person seeking consent or a client of the person seeking consent.”


Obtaining written consent is no walk in the park either

“The Commission considers the following forms as sufficient to discharge the onus of demonstrating oral consent:

o Can be obtained electronically
o BUT:
o Must be able to be verified
o So behind the checkbox, there must be a record of the date, time, purposes, and manner of the consent, stored in a database
o Proving oral + written consent = more personal information collection = revise your privacy policies!
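An added example (not part of the original slides) of the record behind the checkbox: it refuses a pre-checked toggle, stores one row per activity type with the date, time, purpose and manner of the consent, and can later show whether unwithdrawn express consent exists. The table layout, field names and sample values are assumptions for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# The three activity types for which consent is sought separately.
ACTIVITIES = ("send_cems", "alter_transmission_data", "install_programs")

SCHEMA = """
CREATE TABLE IF NOT EXISTS consent (
    subject      TEXT NOT NULL,   -- e.g. e-mail address or account id
    activity     TEXT NOT NULL,   -- one of ACTIVITIES
    purpose      TEXT NOT NULL,   -- wording shown next to the checkbox
    manner       TEXT NOT NULL,   -- e.g. 'web checkbox', 'SMS reply'
    recorded_at  TEXT NOT NULL,   -- UTC date and time, ISO 8601
    withdrawn_at TEXT             -- set when the person unsubscribes
)"""


def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def _stamp(now):
    return (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")


def record_consent(db, subject, activity, purpose, manner, *,
                   default_checked, user_checked, now=None):
    """Store express consent; return True only if a record was written."""
    if activity not in ACTIVITIES:
        raise ValueError("unknown activity type: %r" % activity)
    if default_checked:
        # A toggle that starts in the 'yes' state cannot show express consent.
        raise ValueError("pre-checked box cannot establish express consent")
    if not purpose.strip() or not manner.strip():
        raise ValueError("purpose and manner must be recorded")
    if not user_checked:
        return False              # the person left the box empty: no consent
    with db:
        db.execute(
            "INSERT INTO consent (subject, activity, purpose, manner,"
            " recorded_at) VALUES (?, ?, ?, ?, ?)",
            (subject, activity, purpose, manner, _stamp(now)))
    return True


def withdraw(db, subject, activity, now=None):
    """Mark consent for one activity as withdrawn (e.g. after unsubscribe)."""
    with db:
        db.execute(
            "UPDATE consent SET withdrawn_at = ? WHERE subject = ?"
            " AND activity = ? AND withdrawn_at IS NULL",
            (_stamp(now), subject, activity))


def proof_of_consent(db, subject, activity):
    """Return the stored evidence for current consent, or None."""
    row = db.execute(
        "SELECT purpose, manner, recorded_at FROM consent"
        " WHERE subject = ? AND activity = ? AND withdrawn_at IS NULL"
        " ORDER BY recorded_at DESC LIMIT 1",
        (subject, activity)).fetchone()
    if row is None:
        return None
    return {"purpose": row[0], "manner": row[1], "recorded_at": row[2]}


if __name__ == "__main__":
    store = open_store()
    # Constructed sample values.
    record_consent(store, "user@example.com", "send_cems",
                   "Monthly newsletter", "web checkbox",
                   default_checked=False, user_checked=True)
    print(proof_of_consent(store, "user@example.com", "send_cems"))
    print(proof_of_consent(store, "user@example.com", "install_programs"))
```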


McMillan LLP
Brookfield Place
181 Bay Street, Suite 4400
Toronto, Ontario M5J 2T3

For further information please contact:

Janine MacNeil, Partner
Robert Hester, Associate