Social Media and Mobile Privacy
Janine MacNeil, Partner, Competition & Marketing Group
Robert Hester, Associate, Business Law Group
Outline
Mobile Data, Geolocation and Near-Field Communication
Behavioural Advertising
Product Promotion and Social Media
Canada’s Anti-Spam Law – CRTC Guidance and Mobile Computing
MOBILE DATA + GEOLOCATION + NEAR-FIELD COMMUNICATION
Near-Field Communication (NFC) and Quick Response (QR) Codes
NFC
Two modes: (a) active communication, where two NFC devices communicate with each other; and (b) passive mode, where an NFC device communicates with an NFC chip.
Popular uses:
o Social networking and peer-to-peer data transfer (e.g., business contacts, photos, web links)
o Payment systems (e.g., credit cards, debit cards, loyalty rewards programs and transit passes)
o Bootstrapping to other communication platforms (e.g., initiating a Bluetooth connection)
Key privacy concerns:
o When used in smartphones, potential to access a significant amount of personal information
o Data protection, which may involve personal information, is now more reliant on secure hardware and software
o Accidental taps or disclosures between NFC devices
o Hidden NFC tags
o Greater potential for collecting information which, in aggregate, would be considered personal (e.g., payment activities, tracking one’s routine movements such as subway routes)
QR (Quick Response)
2D barcode that can contain any form of data:
o a website URL
o location / GPS coordinates
o vCard contact information
o links to download a mobile app
o open a pre-formatted email message
Key privacy concern:
QR codes, just like phishing websites, can be used to mislead users into providing their personal information.
Often, the QR code itself doesn’t act as the source of the content (an “indirect code” versus a “direct code”) but rather works as a pointer to online content. Just like any unknown web source, when loading a barcode you are not certain about the source of the application or link that you will be taken to.
“Although the phone user is able to see the process taking place, hitting back on the device will not stop the reset. For QR code readers that automatically load whatever website has been stored to each code, or indeed NFC readers that do the same with NFC tags, the user would have no warning – and no hope of stopping – their handset from running the malicious code.”
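As an added example (not from the presentation or the quoted article), a reader-side policy for decoded QR payloads: the payload kinds listed above are classified, and anything that is a pointer to remote content is shown to the user and never opened automatically, which is the behaviour the quote says automatic-loading readers lack. The kind names, display strings and sample payloads are assumptions constructed for the example.

```python
"""Reader-side policy for decoded QR payloads.  Added example, not from the
presentation or the quoted article: the payload kinds listed on the slide
are classified, and only self-contained ("direct") payloads are rendered
without asking; anything that points at remote content ("indirect": web
URLs, app-download links, mailto) or that is unrecognised is displayed to
the user and never acted on automatically.  The kind names and display
strings are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs, unquote


@dataclass
class QrDecision:
    kind: str          # "url", "geo", "vcard", "mailto" or "unknown"
    summary: str       # what the reader shows before doing anything
    auto_open: bool    # True only for direct payloads rendered locally


def _summarise_url(payload: str) -> str:
    parts = urlsplit(payload)
    # Show scheme, host and path explicitly: the user can only judge the
    # source if the destination is visible before the page loads.
    return (f"opens {parts.scheme}://{parts.hostname or '?'}{parts.path} "
            f"(remote content; source unverified)")


def classify_qr_payload(payload: str) -> QrDecision:
    text = payload.strip()
    lower = text.lower()
    if lower.startswith(("http://", "https://")):
        return QrDecision("url", _summarise_url(text), auto_open=False)
    if lower.startswith("mailto:"):
        addr, _, query = text[len("mailto:"):].partition("?")
        subject = parse_qs(query).get("subject", [""])[0]
        return QrDecision("mailto",
                          f"composes email to {unquote(addr)} (subject: {subject!r})",
                          auto_open=False)
    if lower.startswith("geo:"):
        coords = text[len("geo:"):].split(";")[0].split(",")
        try:
            lat, lon = float(coords[0]), float(coords[1])
        except (IndexError, ValueError):
            return QrDecision("unknown", "malformed geo payload", auto_open=False)
        return QrDecision("geo", f"location {lat:.5f}, {lon:.5f}", auto_open=True)
    if lower.startswith("begin:vcard"):
        name = next((line.split(":", 1)[1] for line in text.splitlines()
                     if line.upper().startswith("FN:")), "(no name)")
        return QrDecision("vcard", f"contact card for {name}", auto_open=True)
    # Anything else (other URI schemes, proprietary formats) is shown
    # verbatim and left to the user; nothing is dialled, opened or sent.
    return QrDecision("unknown", f"unrecognised payload {text[:40]!r}", auto_open=False)


# Constructed sample payloads, one per kind discussed on the slide.
SAMPLE_PAYLOADS = [
    "https://example.com/promo",
    "geo:43.6426,-79.3871",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Jane Example\nTEL:+1-555-0100\nEND:VCARD",
    "mailto:contest@example.com?subject=Win%20a%20prize",
    "MATMSG:TO:contest@example.com;;",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        d = classify_qr_payload(p)
        action = "render" if d.auto_open else "ask user first"
        print(f"{d.kind:8} {action:15} {d.summary}")
```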
Lessons from recent privacy gaffes
o CarrierIQ
o Apple UDID
o Path app
o Apple iPhone location tracking
CarrierIQ
o Purported to be installed on over 140 million devices
o Capable of logging user keystrokes, recording telephone calls, storing text messages, tracking location
o Runs as a background process, difficult or sometimes impossible to disable or uninstall
o Clients of CarrierIQ determine what information is collected
So… what does it actually collect?
“We automatically receive certain types of information whenever you use our Services. We may collect information about your device such as the type, version of operating system, signal strength, whether it is on and how it is functioning, as well as information about how you use the device and services available through it, such as your call and data usage and history, your location, web sites you have visited, applications purchased, applications downloaded or used, and other similar information.”
Privacy Policy
"We have weighed customer concerns and we have disabled use of the tool so that diagnostic information and data is no longer being collected," said Sprint in an email to Mobile Burn.
“We are further evaluating options regarding this diagnostic software as well as Sprint's diagnostic needs."
o Know exactly what’s being collected, used or disclosed
o If third parties are processing information on your behalf, have written contractual arrangements that provide for adequate privacy protection standards and allow opportunities to audit compliance
UDID (Unique Device Identifier)
o Hardware-based (i.e., forever linked to an end-user’s device)
o Used by app developers and advertisers as an “anonymized” token in place of personal information
o A 2010 Bucknell University study showed that many apps would upload the UDID together with pieces of personal information
o All iOS apps have access to the same UDID token; privacy advocates worried that the risk of “re-identification” was too high
“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokeswoman Natalie Kerris told AllThingsD.
UDIDs
o Privacy Commissioners (Fed., B.C., A.B.): Apps should be designed in a way that does not require you to collect any device-unique identifiers if it is not essential to the functioning of the app.
o Privacy Commissioners (Fed., B.C., A.B.): Avoid associating data across apps unless it is obvious to the user and necessary to do so. If you must make links, ensure that sensitive data is not linked to a user’s identifier for longer than it needs to be.
Disclosure in a privacy policy may not be sufficient:
o FTC: “If you need to disclose information to make what you say accurate, your disclosures have to be ‘clear and conspicuous.’ What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say.”
o FTC: “For collection or sharing that’s not obvious or readily apparent to users, provide added disclosure and obtain express consent.”
o Privacy Commissioners (Fed., B.C., A.B.): “While your app’s privacy policy tells the user about your practices, you should also provide specific, targeted notifications to users when they need to make a decision about whether to consent to the collection of their personal information.”
o Privacy Commissioners (Fed., B.C., A.B.): “Should you make updates to your app’s privacy policy, inform users in advance and give them reasonable time to provide feedback before you implement changes.”
Disclosure in a privacy policy may not always be sufficient:
o Bill C-12: An Act to amend the Personal Information Protection and Electronic Documents Act: “For the purposes of clauses 4.3 to 4.3.8 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.”
o Mobile screen sizes present challenges for making effective privacy disclosures. Consider using graphics, sounds or different colours to grab users’ attention.
o Privacy Commissioners (Fed., B.C., A.B.): not sufficient to inform only at time of app download.
o Tell users in advance what will be collected, used or disclosed, and then again in real time when the activity is about to be executed (e.g., location sharing or uploading of photos).
Apple + location logging
o Up to 1 year’s worth of location data collected in the “consolidated.db” file
o Apple, in responding to questions from the US House of Representatives, points to its privacy policy as providing disclosure of its location-grabbing activities:
“…The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.”
PIPEDA Principle 4 — Limiting Collection:
o 4.4. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
o 4.4.1. Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified.
o 4.8. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle.
Collect and keep only what your app needs to function, and secure it:
o Privacy Commissioners (Fed., B.C., A.B.): If you cannot explain how a piece of information is related to the functioning of your app, then you probably should not be collecting it.
o Privacy Commissioners (Fed., B.C., A.B.): Avoid collecting information about a user's movements and activities through the use of location and movement sensors unless it relates directly to the app and you have the user's informed consent.
So, how to anticipate?
BEHAVIOURAL ADVERTISING
Behavioural Advertising
o Technology that creates a profile of a website user based on an individual’s online activities, including browsing history, use of a web device, particular links clicked, and information shared online
o The data is used to serve advertisements suited to the individual’s interests and preferences. Advertisers are happy to pay more to website hosts that allow behavioural advertising, since it allows them to direct certain advertisements to individuals who are known to have a level of interest in the product or product segment
Do behavioural profiles constitute “personal information”?
o PIPEDA: “personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization
o The test: Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information
Office of the Privacy Commissioner of Canada – Position: Taking a broad, contextual view of the definition of personal information, the Office of the Privacy Commissioner of Canada will generally consider information collected for the purpose of online behavioural advertising to be personal information, given:
o the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads;
o the powerful means available for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals; and
o the potentially highly personalized nature of the resulting advertising
Obtaining consent
o Privacy Commissioner: Consent to behavioural advertising must be “meaningful”
o Privacy Commissioner: Avoid making behavioural advertising a term or condition for using the service
o If users cannot block or otherwise prevent a given method from being used for online behavioural advertising, do not use it
o No behavioural advertising on youth-focused websites
o Implied or opt-out consent MAY be acceptable
o Opt-out must take effect immediately, must be persistent
o Information collected and used must be limited, if practical, to non-sensitive information
o Information is destroyed or de-identified as soon as possible
o Individuals are informed of the purposes and the parties involved in the behavioural advertising
o “the purposes must be made obvious and cannot be buried in a privacy policy”
o Consider: online banners, layered approaches or interactive tools. Above all, be transparent.
Do Not Track
o When browsers send requests or data, they can include extra information in “headers”
o A new proposed header for do not track (DNT) would indicate whether the user wishes not to be tracked (opt-out), wishes to be tracked (opt-in) or has not made a preference known (null)
o The DNT header is now supported by the Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome and Opera web browsers
o In Internet Explorer 10, Microsoft has enabled the opt-out DNT header by default. On other browsers users must make an active choice by changing their browser settings
o Currently a voluntary standard – it indicates a preference and doesn’t actively block tracking activities
o The World Wide Web Consortium (W3C) develops web standards (e.g., HTML5) and has created a Working Group on Tracking Preference Expression (DNT); a draft standard has been provided for comment
o Advertising groups prefer self-regulatory standards and are resisting any move to make DNT on by default
o With joint support from the White House, Department of Commerce and the FTC, the Digital Advertising Alliance (DAA) agreed to include recognition of browser-based choices in its Self Regulatory Program for Online Behavioural Advertising. The consortium’s tool is available on over 900 billion ad impressions served monthly
Compliant disclosure
o Revise your privacy policy to include a complete description of your use of behavioural advertising practices, keeping in mind that mere privacy policy disclosure will not satisfy the Federal Privacy Commissioner’s guidelines
o Create a pop-up or other obvious notice specifically related to behavioural advertising
o When contemplating your opt-out disclosure procedures, think about your advertising partners. Can you take advantage of an existing private-sector tool, and refer to its opt-out procedure?
o Revise web presences (including mobile) to be DNT-aware
o Don’t overstate the ability of an individual to opt out of tracking (the FTC recently entered a settlement with one ad network that had offered opt-out cookies that expired 10 days after the preference was selected)
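As an added example (not from the presentation), server-side logic that reads the three DNT states described above, gives a persistent opt-out cookie precedence over any profiling, and issues that cookie with a multi-year lifetime rather than a 10-day one. The cookie name, the plain-dict request shape and the fallback for a null preference are assumptions.

```python
"""Server-side handling of Do Not Track and an opt-out cookie for behavioural
advertising.  Added example, not from the presentation; the cookie name, the
plain-dict request shape and the null-preference fallback are assumptions.
Decision order: an explicit opt-out (DNT: 1 or the opt-out cookie) always
wins, DNT: 0 is an opt-in, and an absent or unrecognised header is a null
preference, which here permits profiling only if consent is already on file."""
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "oba_opt_out"                 # assumed cookie name
OPT_OUT_LIFETIME = timedelta(days=5 * 365)     # persistent, not a 10-day expiry


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup on a plain {name: value} dict."""
    return next((v for k, v in headers.items() if k.lower() == name), "")


def parse_dnt(headers: dict) -> str:
    """Map the DNT header to 'opt-out' (1), 'opt-in' (0) or 'null' (absent/other)."""
    value = _header(headers, "dnt").strip()
    if value == "1":
        return "opt-out"
    if value == "0":
        return "opt-in"
    return "null"


def has_opt_out_cookie(headers: dict) -> bool:
    """True when the visitor previously opted out via our cookie."""
    jar = SimpleCookie()
    jar.load(_header(headers, "cookie"))
    return OPT_OUT_COOKIE in jar and jar[OPT_OUT_COOKIE].value == "1"


def may_profile(headers: dict, consent_on_file: bool = False) -> bool:
    """True only when building a behavioural profile for this request is permitted."""
    if has_opt_out_cookie(headers):
        return False                 # opt-out takes effect immediately and persists
    preference = parse_dnt(headers)
    if preference == "opt-out":
        return False
    if preference == "opt-in":
        return True
    return consent_on_file           # null preference: rely on recorded consent only


def opt_out_set_cookie(now: datetime = None) -> str:
    """Set-Cookie value recording the opt-out persistently (Expires and Max-Age both set)."""
    now = now or datetime.now(timezone.utc)
    expires = (now + OPT_OUT_LIFETIME).strftime("%a, %d %b %Y %H:%M:%S GMT")
    max_age = int(OPT_OUT_LIFETIME.total_seconds())
    return (f"{OPT_OUT_COOKIE}=1; Expires={expires}; Max-Age={max_age}; "
            f"Path=/; Secure; SameSite=Lax")


if __name__ == "__main__":
    # Constructed requests: a default opt-out (as IE10 sends), an explicit
    # opt-in, no preference, and an opt-in overridden by our opt-out cookie.
    for hdrs in ({"DNT": "1"}, {"DNT": "0"}, {}, {"DNT": "0", "Cookie": "oba_opt_out=1"}):
        print(hdrs, "->", parse_dnt(hdrs), "profile:", may_profile(hdrs))
    print(opt_out_set_cookie())
```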
PRIVACY + PROMOTIONS + SOCIAL MEDIA
The “Why’s” of Social Media Marketing
o Encourage involvement of new and/or existing customers (e.g., through fan pages, blogs, wikis, interactive contests or promotions) with a company, product or brand
o Attract new customers or encourage public awareness through virtual campaigns
o Enhance customer service by providing certain functionality online
Socialnomics 101
Social Networking/UGC
Privacy, Promotions and Social Media
Privacy, Promotions and Third Party SNS
o Promotions administered using a third party SNS’ platform will be governed by such SNS’ privacy policy, community guidelines and/or terms of use
o Organizations that administer promotions in connection with a third party SNS will typically not be permitted to post their own terms of use and/or privacy policies on their SNS pages
o Has the consumer been adequately notified about the nature of the PI that will be collected and with whom it will be shared? Where are the links to your terms of use and privacy policy?
o If a third party application is being used, what, if any, PI is being collected by the app developer? Have the terms of use and privacy policy of the developer been adequately disclosed? Are they consistent with your terms of use and privacy policy?
o What platform are you using to build the promotion, and does use of that platform impose any additional, specific obligations or constraints with respect to collection, use and/or disclosure of PI? For example:
Foursquare (API Platform Policy):
• Disclose that both sponsor and Foursquare collect and use personal location data
• Obtain consent from participants before collecting and using their location
• Do not use Foursquare data to create a location database or improve or supplement venue information in your own places or location database
Foursquare (cont.):
• You may cache data, provided you keep the data up to date and delete all old data; however, you have no rights to cached data and cannot cache any data for more than 30 days
YouTube (Contest Policies and Guidelines):
• May only use PI collected from entrants for contest administration and cannot reuse the PI for marketing purposes, even if an entrant has expressly consented to such use
o Does the promotion raise any other privacy concerns (e.g., children’s privacy issues, testimonials, CASL)?
Social Networking Policies:
o Use of a third party SNS will constitute acceptance of that SNS’ terms of use and privacy policy
o Consider whether this is sufficient, or whether a set of external guidelines governing the activities of users of your page on a third party SNS site is necessary
Social Networking Policy Examples:
o NABS: Social Networking Policy (www.nabs.org/en/bottomnav/social-networking-policy.aspx)
o Nestlé Purina: Terms and Conditions for User-Generated Content (www.purina.ca/terms-conditions-user-generated.aspx)
o Wal-mart: Social Media Guidelines (Twitter and Facebook Engagement Guidelines) (www.corporate.walmart.com/social-media-guidelines)
Privacy, Promotions and Social Media: Viral Marketing
Viral Marketing: A Case Study
o Marketing techniques that use pre-existing social networks to increase brand awareness or achieve other marketing objectives through self-replicating viral processes
o Viral marketing can be delivered by word of mouth or enhanced by the network effects of the internet
o Viral promotions may take the form of video clips, interactive Flash games, brandable software, images or text messages
Some viral marketing campaigns have been quite successful…
Others, not so much…
Privacy compliance issues:
o Will be closely linked to the type of viral campaign you are executing, and the media you use
o Challenge is to find ways to normalize privacy choices within the SNS context in a manner that actively engages both existing and new users
o Data collector/marketer must be able to prove that it obtained consent to collection, use, etc. of PI – should document, even if consent was verbal
Privacy compliance issues (cont.):
o Prospect must be aware that his or her PI is being provided to the data collector and must have a minimum awareness of the purposes
o Data collector may not collect names of prospects who have not consented or are not aware that their PI is being provided
o However, consent on referral may be limited to an initial contact, at which time the prospect is asked if he/she is interested in receiving more detailed information about services, etc. and may provide more detailed PI
CANADA’S ANTI-SPAM LAW – CRTC GUIDANCE + MOBILE COMPUTING
CRTC Guidelines (October 10, 2012)
o CRTC 2012-548 Guidelines on the interpretation of the Electronic Commerce Protection Regulations
o CRTC 2012-549 Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation
All CEMs must clearly and prominently disclose required information as follows:
o Identity of sender and, if applicable, the sender’s principal (on whose behalf the message is sent)
o Description of the relationship between sender and principal (as applicable)
o Disclosure of any carrying-on-business names…
CRTC Guidelines (October 10, 2012)—Key Messages
Recall… CASL’s CEM Content Requirements
Contact information for sender and principal (as applicable):
i. Mailing address, and one of:
ii. Telephone no. with active response voicemail
iii. Email address
iv. Web address
o Tweets are 140 characters
o Text messages are 160 characters
o Your business had better be located on a street with a very short name!
Information to be included in commercial electronic messages
o (2) If it is not practicable to include the information referred to in subsection (1) and the unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act in a commercial electronic message, that information may be posted on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message
Identification of sender
o No need to include prescribed information for intermediaries if they act only as intermediary and have no role in the CEM content or choice of recipients
o If a CEM is sent on behalf of multiple persons (e.g., multiple affiliates of a company), all such persons must be identified
o “Mailing address” means a physical postal address, and must be valid for at least 60 days after the CEM is sent
Form of commercial electronic messages
o 3. (2) The unsubscribe mechanism referred to in paragraph 6(2)(c) of the Act must be able to be readily performed
Recall… CRTC’s Regulations – Unsubscribe
Unsubscribe mechanism – CRTC guidance:
o “readily performed” means “accessed without difficulty or delay, and should be simple, quick and easy for the consumer to use”
o “an example of an unsubscribe mechanism that can be readily performed is a link in an email that takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.”
o Previous draft regulations had stated “two clicks or another method of equivalent efficiency”; the revision in the final regulations was stated to be for technological neutrality, perhaps providing some leeway in how to permit unsubscribing, e.g., providing options for opting out of all messages, or just some categories…
Unsubscribe mechanism – CRTC guidance (cont.):
o Example of technological neutrality? Text “STOP” to opt out
Requests for consent
o CRTC regulations state that consent must be “sought separately”
o Guidelines clarify that it doesn’t mean for each instance (e.g., per email); rather, for each type of activity:
• Sending CEMs
• Altering transmission of data
• Installing computer programs
Requests for consent (cont.)
NO PRE-CHECKED BOXES
“The Commission… considers that a default toggling state that assumes consent cannot be used as a means of obtaining express consent under the Act for the purposes of sending CEMs”
Requests for consent (cont.)
Obtaining consent orally is permitted but in practice will likely be unworkable
“The Commission considers the following forms as sufficient to discharge the onus of demonstrating oral consent:
o where oral consent can be verified by an independent third party; or
o where a complete and unedited audio recording of the consent is retained by the person seeking consent or a client of the person seeking consent.”
Requests for consent (cont.)
Obtaining written consent is no walk in the park either
“The Commission considers the following forms as sufficient to discharge the onus of demonstrating oral consent:
o Can be obtained electronically
o BUT:
• Must be able to be verified
• So behind the checkbox, there must be a record of the date, time, purposes, and manner of the consent, stored in a database
o Proving oral + written consent = more personal information collection = revise your privacy policies!
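An added example (not the presentation’s or the CRTC’s code) of the consent record the guidance above calls for: consent is captured per activity, a pre-checked toggle is refused, oral consent is accepted only in the two provable forms, and every consent is stored with date, time, purposes and manner so it can be produced later. The activity identifiers, field names and manner labels are assumptions.

```python
"""Consent capture modelled on the CRTC guidance: consent is sought separately
for each activity, a default toggling state that assumes consent is refused,
and every consent is stored with date, time, purposes and manner so the onus
of demonstrating it can be discharged.  Added example, not from the
presentation or the CRTC; activity names, field names and manner labels are
assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Sequence

# The three activities the guidelines say need separate consent (assumed identifiers).
ACTIVITIES = ("send_cems", "alter_transmission", "install_programs")
WRITTEN_ELECTRONIC = "written-electronic"
# Oral consent is provable only in these two forms.
ORAL_MANNERS = ("oral-third-party-verified", "oral-complete-unedited-recording")


@dataclass(frozen=True)
class ConsentRecord:
    recipient: str            # e.g. the address or number the CEMs will go to
    activity: str
    purposes: tuple
    manner: str
    recorded_at: datetime     # the date and time behind the checkbox


@dataclass
class ConsentLedger:
    records: List[ConsentRecord] = field(default_factory=list)

    def _store(self, recipient, activity, purposes, manner, now) -> ConsentRecord:
        if activity not in ACTIVITIES:
            raise ValueError(f"unknown activity {activity!r}; consent is sought per activity")
        if not purposes:
            raise ValueError("purposes must be stated when consent is requested")
        rec = ConsentRecord(recipient, activity, tuple(purposes), manner,
                            now or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def record_toggle(self, recipient: str, activity: str, purposes: Sequence[str],
                      default_checked: bool, checked: bool, now=None) -> Optional[ConsentRecord]:
        """Record express consent from one form toggle, or None when it was left unchecked."""
        if default_checked:
            # A default state that assumes consent is not express consent, even if left checked.
            raise ValueError("toggle was pre-checked; a default that assumes consent is invalid")
        if not checked:
            return None
        return self._store(recipient, activity, purposes, WRITTEN_ELECTRONIC, now)

    def record_oral(self, recipient, activity, purposes, manner, now=None) -> ConsentRecord:
        """Record oral consent only in a form that discharges the onus of proof."""
        if manner not in ORAL_MANNERS:
            raise ValueError("oral consent needs third-party verification or a complete recording")
        return self._store(recipient, activity, purposes, manner, now)

    def prove(self, recipient: str, activity: str) -> Optional[ConsentRecord]:
        """Most recent record demonstrating consent for this activity, or None."""
        matches = [r for r in self.records
                   if r.recipient == recipient and r.activity == activity]
        return max(matches, key=lambda r: r.recorded_at) if matches else None


if __name__ == "__main__":
    # Constructed walk-through: one unchecked-by-default form with two toggles.
    ledger = ConsentLedger()
    ledger.record_toggle("alice@example.com", "send_cems", ["newsletter"],
                         default_checked=False, checked=True)
    ledger.record_toggle("alice@example.com", "install_programs", ["companion app"],
                         default_checked=False, checked=False)
    print("CEM consent:", ledger.prove("alice@example.com", "send_cems"))
    print("install consent:", ledger.prove("alice@example.com", "install_programs"))
```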
McMillan LLP
Brookfield Place
181 Bay Street, Suite 4400
Toronto, Ontario M5J 2T3
For further information please contact:
Janine MacNeil, Partner
Robert Hester, Associate