By Andy Serwin, Miriam Wugmeister & Adam Fleisher, Morrison & Foerster LLP
Privacy and data security are top-of-mind issues that have garnered significant regulatory and media attention, both in the United States and Europe. As these subjects receive more attention, there is a new focus brought to old issues, as well as issues that emerge as technology and societal changes drive new thinking regarding privacy. This Top Ten examines ten hot-button privacy and data security issues and presents questions to help you gauge whether your organization is at risk, in the U.S. or abroad.
1. Policy vs. Practice
The Federal Trade Commission (FTC) has made clear that companies need to practice what they preach when it comes to disclosures in privacy policies. Utilizing its Section 5 authority to prohibit unfair and deceptive practices, the FTC is attempting to hold companies to the promises they make in their privacy policies. For instance, the FTC recently settled with an online advertising network that stated in its privacy policy that it only collected information about consumers' visits to sites in its network, but actually tracked users across the web, including on sensitive websites.
In Europe, we have seen recent enforcement actions where authorities have scrutinized companies' privacy practices according to their published privacy policies. In an investigation into a large grocery store chain, the Dutch data protection authority (DPA) reviewed the chain's practices in light of the information provided to consumers in its privacy policy, and found they were not consistent. The chain was forced to suspend certain practices pending an update (and renewed consent) from consumers.
Questions you should ask:
- Do your privacy policy's statements, such as how you track users across other websites, use cookies, or collect data from users' mobile devices, match your company's actual practices with regard to data collection?
- Does your organization represent that it complies with any industry-wide standards or self-regulatory codes? If so, even though they are voluntary, they can become binding and enforceable against you once you have made these representations in your policy.
2. Mobile Apps
California Attorney General (AG) Kamala Harris has begun to aggressively enforce rules against apps that gather personal information from California residents. The California Online Privacy Protection Act (CalOPPA) requires apps to conspicuously post a privacy policy that describes the personal information collected. In January 2013, AG Harris released Privacy on the Go: Recommendations for the Mobile Ecosystem, emphasizing transparency, limiting data collection and retention, robust security safeguards, and having an easy-to-read, easy-to-understand privacy policy that clearly describes practices regarding the collection, use, sharing, disclosure and retention of personally identifiable data. At both the state and federal level, regulators are emphasizing privacy by design, meaning the incorporation of privacy considerations into the development of an app from the very beginning. One slight setback for AG Harris in the mobile space was the enforcement action brought against Delta Airlines, which was dismissed on issues that are somewhat unique to the airline industry.
At the federal level, the FTC released Mobile Privacy Disclosures, a report that strongly encourages apps to have privacy policies and to provide special disclosures and obtain affirmative consent for the collection or sharing of sensitive information. In addition, the FTC's Order in the Path case (Case No. C 13 0448) suggests that companies should provide separate notice and obtain express affirmative consent before collecting certain personal information.
In Europe, the debate about clear and adequate privacy notice has been spurred by the discussion surrounding Google's overhaul of its privacy policy in 2012. Google has been under a great deal of regulatory oversight because of the 'merger' of data across all of its services. Subsequently, the Article 29 Working Party reiterated that companies should be clear about what privacy implications the use of their services (including apps) entails, particularly when this involves geolocation data and unique identifiers (e.g., device IDs). Generally, companies that want to use geolocation data should obtain prior consent.
- Does your mobile app have a compliant privacy policy? Is the privacy policy readily accessible, clear about the information you collect, use and share, and easy to read? Do you provide clear notice and obtain opt-in consent before sensitive information or geolocation data is collected or shared? Does your mobile app comply with the revised Children's Online Privacy Protection Act (COPPA) rule?
- Do you knowingly collect personal information from children under the age of 13? If so, do you obtain verifiable parental consent before doing so?
3. Cookies and Online Behavioral Advertising
Most countries in Europe have by now implemented cookie legislation in their national laws. As a result, companies using cookies or other technologies that store or access information on the user's device must provide notice and obtain consent, notwithstanding the differences that remain between national laws. Some EU countries require explicit opt-in consent (e.g., the Netherlands and Portugal), while most allow for implied consent. Elsewhere in the world, countries are tightening their requirements for online tracking.
The FTC and consumer advocacy groups in the U.S. have consistently pushed for enhanced consumer transparency and control, and enabling some opt-out mechanism from online tracking is an important component of this push. Canadian and Australian regulators require consent for engaging in online behavioral advertising, while Hong Kong has an increased notice requirement.
- Have you determined your cookie policy and strategy for the EU?
4. Do Not Track
In response to the FTC's 2012 Privacy Report, and pressure from interested parties, all participants in the online ecosystem have been working on the creation of technical standards for "Do Not Track" (DNT). DNT would give consumers choice about how their online behavior is tracked; many browsers currently have such an option. Participants in the online advertising ecosystem have not yet been able to agree on the meaning of DNT, in spite of lengthy efforts to date by the World Wide Web Consortium (W3C). Meanwhile California added a DNT disclosure requirement to CalOPPA that takes effect on January 1, 2014.
- Are you prepared for potential limits on online tracking? Are you engaging in discussions surrounding DNT? How would you disclose your website's policy with regard to DNT?
5. Data Breaches
In the absence of federal data security legislation, the FTC has moved to aggressively police data security. The FTC recently reiterated its belief that regardless of any representations that you may make about the collection and storage of user data, you must take reasonable steps to keep sensitive data secure. Furthermore, the FTC has also stated its belief that any representations made in a privacy policy or any other documents with regard to data security must be adhered to. In addition to FTC oversight, class action lawsuits for data breaches are becoming more common. Meanwhile, an Executive Order on cyber security regulations was issued. As a result, the U.S. government is encouraging collaboration between agencies and the private sector to find new ways to ensure the protection of assets, critical infrastructure and data.
Elsewhere in the world, more and more countries are adopting security guidelines, with increased movement towards data breach notification laws, and towards enforcement of them. Several EU DPAs (e.g., Spain, France and the Netherlands) have recently issued guidelines for the security of personal data, which they will use to determine whether companies have complied with their security obligations. At the same time, we see enforcement increasing. The UK DPA was very active in 2012 in imposing fines on organizations and government entities for inadequately securing personal data. Sony was fined $250,000 for the breach involving its PlayStation platform, in which large amounts of sensitive data (credit card details) were lost. Outside the EU, too, enforcement is increasing. A Korean court recently awarded financial damages to nearly 3,000 complainants participating in a data breach class action against a social media and Internet search services company.
The issue receiving the most attention is the disclosures made by Edward Snowden regarding the government surveillance program in the United States. These disclosures have prompted an examination of the practices of the United States government, as well as criticism from foreign governments, and they may have a long-term impact on rules such as the Safe Harbor Framework and other laws in the United States.
- Do you have a formal and written data security compliance program? Do you provide a "reasonable" level of security with regard to the data you collect and the systems you operate? If you are active in Europe, have you reviewed your security policies in light of the security guidelines issued by European DPAs? If your privacy policy represents that you follow best practices with regard to data security (and it probably should), are you actually using best practices to secure data? Do you collect only the data you need, and do you keep it for only as long as you need it? Do you have a security breach response plan? Do you have senior-level officials focused on data security management?
6. Regulatory Oversight of Big Data?
Everybody from developers to marketers to health insurers to data analytics companies to hedge funds is excited about the potential of "big data" to drive insights, encourage new technologies, and spur new product development. The FTC hosted a workshop in December 2012 on comprehensive data collection, and while there hasn't yet been any policy guidance issued, FTC commissioners have recently begun to air their concerns about the privacy implications of the collection, use, storage and sharing of all of this data.
In Europe, regulators have put "big data" and consumer profiling at the top of their agendas. The proposed amendment to the EU Privacy Regulation provides for very strict rules on consumer profiling, which, in essence, is only permitted with prior opt-in consent.
- Is your company using "big data" analytics? Are you collecting or storing data that you are not using? Are you using or sharing data in a manner inconsistent with the letter or spirit of your privacy policy? Are you informing your customers how you are using, combining and potentially aggregating data that they provide to you or you collect from them? Are you collecting data from social media application programming interfaces (APIs), such as the Facebook Open Graph or the Twitter firehose? Are you obtaining consent for analyzing and using individuals' data where required?
7. Cloud Computing
As more and more businesses outsource their IT back offices to the "cloud," new privacy and security risks arise, as does regulatory and legislative attention. In July 2012, the Federal Financial Institutions Examination Council (FFIEC) released a white paper listing best practices for risk management with regard to IT cloud computing. In addition, any breach of data stored in the cloud could lead to the same challenges with regulators and class action litigators that ordinary data breaches create. As the FFIEC notes, "Storage of data in the cloud could increase the frequency and complexity of security incidents." In June 2012, the European Article 29 Working Party issued its cloud computing opinion, calling for specific safeguards and contractual arrangements that companies should ensure when engaging cloud computing providers. A number of national European DPAs (notably France, the UK and the Netherlands) followed with guidelines of their own.
- Have you considered the sensitivity of the data that will be in the cloud? Will data be shared in the cloud?
- Do you have appropriate segregation procedures in place so that, for instance, financial data will not be shared with other cloud clients?
- Does your cloud provider have disaster contingency plans?
- How does it ensure continued service?
- Have you agreed on specific obligations with your cloud provider on the security, availability, continuity and international transfer of the data?
- Is personal information appropriately encrypted?
8. Social Media in Today's Workplace
Now that social media is everywhere, and nearly every company has its own Facebook page and Twitter feed, it is becoming essential to have policies in place to govern the personal and professional use of social media. There are still more questions than answers with regard to social media in the workplace. To name a few of the currently unsettled regulatory issues: Can employers examine the social media accounts of their employees? Can they fire employees for inappropriate Facebook posts? Can they control company-focused social media accounts managed by individual employees? What happens to those accounts when the employee leaves the company, on good terms or bad? Can employees use social media for their own purposes when they are at work? Can employees' use of IT equipment be monitored? Can they tweet or post about the company on their private accounts? In light of this regulatory uncertainty, you want to be as prepared as you can.
- Does your company have a social media policy and social media guidelines in place?
- Do you and your employees know where personal social media usage ends and work-related social media usage begins?
- Do you know who owns your brand's social media accounts?
- Are you compliant with the Facebook and Twitter platform policies, as well as the policies of any other social media platforms you use?
9. Bring Your Own Device (BYOD)
More and more employees would rather carry one smartphone (i.e., their own) that can access their work email and other necessary work-related tools than carry two separate devices. This emerging BYOD trend is likely to continue in 2014 and beyond. Like the issues relating to the use of social media, BYOD raises questions about where work ends and private personal life begins. It also calls further attention to the security of company data, as well as to matters relating to employee privacy.
- If you allow BYOD, do you have "reasonable" security measures in place to facilitate data security? Do you have a clear policy about company access to personal devices?
- Is use of BYOD voluntary or compulsory?
- Do you let employees hold sensitive data on smartphones or other non-encrypted devices like personal laptops that could be vulnerable to theft and, in turn, data breaches?
- Do you have the ability to remotely wipe the employee's device?
- How is backup of the secured device performed?
10. The New COPPA Rule
The revised Children's Online Privacy Protection Act (COPPA) rule, effective July 1, 2013, includes new compliance requirements for apps that collect personal information from children under the age of 13. The definition of "personal information," for purposes of COPPA, now includes, among other things, a photo, video or audio file that contains a child's image or voice, online contact information such as an email address, a persistent identifier such as a customer number held in a cookie or an IP address, and even geolocation information. The revised rule also creates strict liability for third-party compliance with COPPA if the third party collects personal information about children under 13 through your website or app. COPPA applies to apps and websites that are "directed to children," and to general audience sites that have actual knowledge that they collect personal information from children under 13.
- Could your website be considered "directed to children"?
- Do you have actual knowledge that you collect personal information from users under 13?
- Do third parties collect information from users through your site (including the use of social sign-in or even YouTube)?
- Do you collect data that is considered personal information under COPPA, such as geolocation, a persistent identifier, or online contact information?
Conclusion
As more and more information is created and stored virtually, privacy and data security risks are increasing as well. Understanding what you collect, what you store, what your policies are, and how your practices compare to your policies is now more important than ever. Regulators, both domestic and global, are turning to these issues with increasing focus and organizations must be aware of the myriad ways their business practices intersect with privacy and data security concerns.