Strategies for Avoiding Big Privacy “Don’ts” With Personal Data Strata Conference Santa Clara, CA February 19, 2015 Alysa Z. Hutnik Lauri Mazzuchetti

Strategies for Avoiding Big Privacy “Don’ts” With Personal Data

Strata Conference

Santa Clara, CA

February 19, 2015

Alysa Z. Hutnik

Lauri Mazzuchetti

Topics of Discussion

Consumer Privacy Update (and what it means for 2015)

The Internet of Things

Federal and state regulators’ focus on privacy and Big Data

Enforcement trends

Risks with text/phone outreach to consumers

How to Avoid Big Privacy “Don’ts”

Big Data Snapshot

91% of Americans feel that consumers have lost control over how personal information is collected and used by companies

80% of respondents who use social networking expressed concern about third parties such as advertisers accessing their online data

Concerns are translating into consumer action . . . 86% of consumers have taken steps to remove or mask their digital footprints:

Clearing cookies

Encrypting email

Avoiding use of real name

Adopting virtual networks to mask IP addresses

Recent Consumer Privacy Developments

“The FTC continually assesses new developments and emerging trends and threats in the privacy area.” - Jessica Rich, Director, FTC Bureau of Consumer Protection, June 2014

“[B]y law and practice, the FTC weighs market benefits and harms as part of its enforcement and policy work.” - Jessica Rich, January 2015

The Internet of Things

Objective: to help businesses “provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

Focus: “smart home,” health and fitness devices/apps, and connected cars

Security risks identified

Enabling unauthorized access to and misuse of personal information

Facilitating attacks on other systems

Creating risks to personal safety

IoT Report Recommendations

Best Practices

Security By Design

Risk assessments

Encryption

Access control

Continued monitoring

Data Minimization

Impose reasonable limits on collection and retention

Collect less sensitive/de-identified data

Notice and Choice

Offer flexible options

- opt-in at purchase

- privacy tutorials

- icon/menu/dashboard

Federal Regulators’ Focus on Big Data

Using Big Data to Categorize Consumers

Concern: categorizing consumers in ways that may affect them unfairly (or unlawfully)

Different prices/discounts to different consumers

Tailoring/limiting financial products (e.g., “gold level” to high earners)

“Aggregate scoring models” that assess credit risks based on aggregate credit characteristics of groups of consumers who shop at certain stores

Health-related determinations

Another Privacy Cop on the Beat?

“Privacy and security concerns have been cited as reasons consumers do not use mobile banking and mobile financial management services.” -- CFPB, June 2014

Areas of Interest

Privacy and data security concerns for mobile devices

Mechanisms to disable lost/stolen mobile devices that provide financial services

Steps consumers should take to protect their data and identity when using mobile devices

States’ Focus on Risks re: Consumer Data

2015 Areas of Focus

Data breaches

Consumer risks from big data

Cybersecurity threats (e.g., cloud data, BYOD policies)

FTC Areas of Collaboration

Protecting user-generated health information

Risks re: Internet of Things

Mobile payments/mobile security

States’ DNT Efforts

California AG

CalOPPA: privacy policies must disclose how website operators respond to DNT signals that allow consumer choice re: data collection

Make policies “more effective and meaningful” to consumers:

Clear and conspicuous, plain straightforward language

Describe how and what PII is collected and used and shared with third parties

Provide a readily-identifiable section on DNT with a clear header (e.g., “Online Tracking”)

Enforcement Trends: Flawed Notice, Choice, and Security

Location: Privacy Policy— Snapchat does not ask for, track, or access location-specific information

Analytics tracking service collected location information

Snaps Disappear?: Widely publicized methods to save snaps

Address Book: Friend finder accessed phone address book without consent

Registration: Security issue that allowed user to create an account using another person’s phone number

Enforcement Trends: Bypassing Notice and Choice

Site allegedly harvested personal data from Facebook without user consent to create 73MM “Jerk” profiles, including children

Alleged deception under Section 5

Data broker allegedly purchased payday loan applications of financially at risk consumers and sold the application data to unscrupulous merchants

Alleged unfairness under Section 5

Enforcement Trends: Platforms and Third-Party Liability

Merchants / App Developers

Wireless Service Provider

App storefront/platform

Timely Issue on Use of Consumer Contact Data – TCPA Compliance

TCPA (federal law) prohibits:

Autodialed calls/texts to cell phones without appropriate consent

Prerecorded message calls to cell phones and landlines without appropriate consent and disclosures

Telemarketing calls to numbers on the National DNC Registry or company-specific DNC lists

Liability can attach for…

Telemarketing calls/texts

Informational calls/texts

Debt collection calls/texts

Old Law; Why is TCPA a hot topic now?

Statutory damages

$500 per violation

$1,500 max per “willful” violation

Numbers can get very high, very quickly

Ex: $500,000 for 1000 texts; $5 million for 10,000 texts; $50 million for 100,000 texts, etc.

No requirement to show actual injury

Liability typically can go back 4 years

Why is TCPA a hot topic now? (cont’d…)

Law is in state of flux due to case law, FCC rulings, and pending petitions

An explosion of TCPA lawsuits

2010 – 272 lawsuits

2011 – 660 lawsuits

2012 – 1100 lawsuits

2013 – 1860 lawsuits

2014 – 2000+ new lawsuits

2015 ‒ no sign of slowing down . . .

Exposure for service providers and name brands to be on the hook, even if others made the unlawful calls

Representative TCPA Class Settlements

Bank of America agreed to pay $32MM in cash into a settlement fund. Stephanie Rose v. Bank of America Corp., Case No. 5:11-cv-02390 (N.D. Cal.)

$24.1MM settlement based on auto-dialed debt collection calls to cell phones not listed on loan application. Arthur v. Sallie Mae, 2:10-cv-00198 (W.D. Wa.)

$6.25MM settlement for national text-message campaign. Kazemi v. Payless Shoesource, Inc., 3:09-cv-05142 (N.D. Cal.)

Capital One agrees to pay $73MM in cash into a settlement fund. (N.D. Ill)

Avoiding Big Privacy “Don’ts”

Online and Mobile Developers

Platform Providers

Ad Networks and Other Third Parties

Sellers and Marketers

Product/Device Developers

Think Privacy from the Start

Empower Consumer Choice

Reassess Your Data Drilling

Transparency is Paramount

Think Privacy from the Start

Privacy and Security By Design

Incorporate privacy and data security protections

Limit/de-identify the data that you collect

Securely store the data that you retain

Limit third-party access “need-to-know”

Safely dispose of data that you no longer need

Empower Consumer Choice

Give Users Tools that Enable Choice

Privacy settings

Opt-outs

Mechanisms to control PII collection and sharing

Make it easy for people to find the tools you offer

Design the tools so they’re simple and easy to use

Honor users’ choices

Reassess Your Data Drilling

Regularly Reassess Your Data Collection Practices

Does the data collection include name, contact details, or other PII on the user or their contacts?

Does your app collect location data or a unique ID per user or device?

Is there a valid purpose for this type of data collection and access?

Do you retain the data for a period of time consistent with the reason for collecting it?

Can third parties access and use the data to make a personally identifiable profile of your users?

Transparency is Paramount

Clearly explain key terms

Collection and protection of data

Consumer control and access

Accessibility to third parties

New or Additional Sharing

Disclosures

Consent

Honor Your Promises

Platform Providers

Enhance frequency and prominence of disclosures within API

Offer tools that allow consumers to report non-compliance with privacy policies and terms of service

Educate developers on obligations and enforce requirements as needed

Ad Networks and Other Third Parties

Ad Networks / Analytics Co.’s

Create and provide a privacy policy to the developers

Avoid device-specific identifiers or delivering ads outside the context of the app

Operating Systems

Develop global settings and overrides so that users can set privacy controls

Collaborate with device manufacturers on setting cross-platform privacy standards

Sellers and Marketers

Just phone? Text too?

Type of message (commercial/informational)

Autodial/prerecorded message?

Customer, former, prospect?

Length of campaign

Consent

Is it valid?

Do I need it in writing?

Vendor due diligence

Stay informed

Quickly evolving legal landscape

Potential significant liability

Carefully plan each consumer outreach campaign . . .

Questions?

Alysa Z. Hutnik

PARTNER

Kelley Drye & Warren LLP

Advertising, Privacy & Information Security

Phone: (202) 342-8603

Lauri A. Mazzuchetti

PARTNER

Kelley Drye & Warren LLP

Litigation

Phone: (973) 503-5910

Connect with Kelley Drye

web: www.kelleydrye.com

blog: www.adlawaccess.com