Privacy & Security Source

An interactive forum exploring the latest legal developments and industry news

Complying With the Cookie Directive for Email Communications

Posted in Legislation

The Cookie Directive has caused a great deal of concern among firms with a web presence in Europe. However, across the European Union, governments have gradually adopted either legislation or regulatory enforcement stances that are based on an opt-out approach; that is, prior explicit consent for cookie dropping is not required.

The Cookies Directive does not, on its face, apply to electronic communications through email. However, because email and similar consumer communications increasingly contain tags, clear gifs, the ability to place cookies, and other technology tools, the potential overlap between the email rules and the cookie rules has resulted in questions about whether the cookies provisions of the Cookies Directive apply to email marketing.

This is not generally the case. The Cookies Directive is specifically focused on first or third party cookie dropping for advertising, or ‘retargeting’, purposes, and requires a higher degree of transparency disclosure and an opportunity to opt out, as exemplified by the Internet Advertising Bureau’s Your Online Choices recommendations. Cookies dropped by a third party email marketing vendor operating under contract from a client would not require a separate consent. Applying an opt-out rationale, however, we have the following recommendations for organisations that send their customers email marketing containing tags and similar devices.

 Practical Tips

1.  Make sure you have a reliable means to identify which of your communications contain tracking tools and which tools are used in each message.

2.  Develop a policy statement specific to the inclusion of such tools within email and similar communications. While this can be based on provisions you have developed for web pages, it is important to confirm that modifications to that statement accurately reflect how cookies and other tags are used in the messaging context.

 3.  In addition to whatever privacy policy link you may already include with your communications, we recommend a separate, easily visible footer link, that is specific to the use of cookies and other tools. The reason for this is that even an increasingly sophisticated audience does not always think of tracking technology associated with electronic communications.

4.  As with the familiar Unsubscribe requirement, it is important that you have a means of either a) delivering messages without tracking tools to those who opt out or b) removing those recipients broadly from your communications white lists.

 

FTC Privacy Framework Report – Key Takeaways and Significant Implications for Business From FTC’s “Protecting Consumer Privacy in an Era of Rapid Change”

Posted in FTC

By: Chanley Howell, Peter McLaughlin, Nancy Stagg

On March 26th, the Federal Trade Commission (FTC) released a much-anticipated report reflecting the Commission’s views on what constitutes “best practice” for privacy protection and additional recommendations for future legislative action. While the report reflects much of the content of the preliminary report (December 2010), the FTC considered over 450 public comments before arriving at final recommendations. While the report does not constitute a direct law or regulatory obligation for business, it reflects the Commission’s view on what is good or best practice, and all businesses would be wise to take these points into serious consideration for current and future handling of personal information.

The privacy framework is divided into three main sections:

     •     Privacy by Design: Build in privacy at every stage of product development;

     •     Simplified Choice for Businesses and Consumers: Give consumers the ability to make decisions about their data at a relevant time and context, including through a Do Not Track mechanism, while reducing the burden on business of providing ‘unnecessary’ choices; and

     •     Greater Transparency: Make information collection and use practices transparent.

While providing this framework, the FTC continues its call for baseline privacy legislation at the federal level as well as data security legislation. The FTC renews its urging to businesses to “accelerate the pace of self-regulation” in five particular contexts or platforms:

     •     Do Not Track: While browser developers have tools to help consumers reduce or eliminate tracking, the FTC considers this and other efforts to be a good first step, but believes more is required. Commissioner Julie Brill has also stated publicly that she believes Do Not Track really means Do Not Collect. This remains a significant open item.

     •     Mobile: Effective notice and choice is even more difficult on a device with significantly smaller screens, and the FTC has initiated a project to develop further guidance about online disclosures.

     •     Data Brokers: While receiving significant attention elsewhere in the report, the FTC has recommended industry-specific legislation so that consumers would gain access to information that a data broker holds about them.

     •     Large Platform Providers: Those developing platforms such as web browsers, social networks, and Internet Service Providers are perceived as trying to collect as much information as possible online about individuals. The FTC anticipates future workshops to address what it perceives to be “comprehensive tracking,” often referred to as Online Behavioral Advertising and other practices.

     •     Promoting Enforceable Self-Regulatory Codes: The FTC anticipates cooperating with the Commerce Department’s effort to develop industry-specific codes of conduct, which if adopted would be subject to the FTC’s continuing enforcement authority under Section 5 of the FTC Act against unfair and deceptive acts or practices.

 With that introduction, we will provide a series of bullet points reflecting the 100+ pages of materials issued by the FTC so that readers will have more accessible summaries of key points.

 

SCOPE

     •     The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless:

            o          The entity collects only non-sensitive data

            o          From fewer than 5,000 consumers per year

            o          And does not share that data with third parties

     •     Concept of Proportionality. This reflects the FTC’s opinion that first party collection and use of non-sensitive data (data that is not a SSN or about financial, health, children’s or geolocation information) is less of a risk to consumers. This also reflects the FTC’s implicit adoption of the proportionality principle, proposed originally by our colleague Andrew Serwin in several papers.

     •     Exclusions for Existing Regulatory Frameworks. Businesses currently directly regulated by HIPAA, GLBA and similar regimes would not be subject to duplicative rules. However, to the extent that the FTC framework is a) not inconsistent with and b) more protective than the sectoral rules, the FTC encourages financial services, health providers, and others to adopt the framework guidance.

     •     Online and offline. The framework applies to personal information in any medium, specifically offline as well as online data.

     •     Personal Information that is Reasonably Linkable. The concept of personal information is expanded to include that which is reasonably linkable to a specific consumer, computer or device. The FTC notes that individual devices often can be associated with a specific consumer, even though that linkage may not be known to the collector of information from the device. The Commission also refers to a 2006 incident when AOL released what was intended to be anonymized search data, but was later determined to be detailed enough so that individual searchers could be identified. However, the FTC limits this to what is “reasonably linkable.”

     •     Data is not reasonably linkable to the extent:

            o          A given data set is not reasonably identifiable;

            o          The company publicly commits not to re-identify it; and

            o          The company requires any third parties using the data not to re-identify it.

 

PRIVACY BY DESIGN

     •     The baseline principle is that companies should develop new and revise existing products and services such that consumer privacy is rigorously incorporated throughout the product lifecycle and the organization.

            o          This would include default settings that are private, closed, or off instead of public, open, or on.

            o          The intention is to shift the burden of applying privacy controls away from consumers.

     •     These should be reflected in effective practices regarding data security, reasonable collection limits, suitable retention and disposal practices, and steps to ensure data accuracy.

            o          Referencing Section 5 of the FTC Act, the expectation is that companies must provide reasonable security for consumer data.

            o          The concept of data minimization or minimum collection is a relatively new one for most US companies. If you don’t need it, then don’t collect it. Don’t collect it simply because you think you might need or want it in the future.

     •     Comprehensive data management procedures would apply for the lifecycle of products and services.

            o          As has been seen in recent FTC consent orders, the Commission increasingly expects companies to develop and maintain a comprehensive information management (meaning privacy and security) program to help ensure appropriate protections for personal information.

            o          Firms should prioritize legacy data systems for remediation or Privacy by (Re)Design based on the sensitivity of the information held.

 

SIMPLIFIED CONSUMER CHOICE

     •     Practices that do not require choice. Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.

     •     For example, reasonable disclosures to delivery agents after purchasing a product or perhaps disclosures to reduce the risk of fraud.

     •     Context of the transaction / relationship between the consumer and the company. A key element of situations where consumer choice is not required involves focusing on the “context of the transaction.” That is, based on the context of the interaction between the business and consumer, is it reasonable to expect the consumer would understand the particular data practice to be part of and consistent with the overall relationship?

     •     Example. The Report gave the example of the purchase of an automobile. Using the consumer’s address to send a coupon for a free oil change, or notice of an upcoming sale on the type of tires that came with the car, or information about new models of the car, would all be consistent with the context of the transaction and the consumer’s relationship with the dealer. On the other hand, the dealership selling personal information to a data broker for selling to marketers would not be consistent with the transaction or the customer’s relationship with the dealership.

     •     Practices highlighted in the preliminary report are illustrative. In its preliminary report, the FTC provided five situations where consumer choice may not be required – fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing. The final Report uses the “context of the transaction” as the primary principle for determining whether choice is required. The FTC notes the examples from the preliminary Report may not be sufficient in every situation, but provide illustrative guidance where consumer choice would typically not be required. It is important to note that this moves in the opposite direction of European notice rules, which remain oriented toward greater detail.

     •     For example, the FTC noted that while improving existing products or services is typically an “internal operation” that would not require choice, repurposing and sharing data with third parties may very well remove the practice from being an “internal operation” consistent with the context of the consumer’s interaction with the company.

     •     First-party marketing generally does not require choice, but certain practices raise special concerns, such as tracking across third-party websites, sharing with unknown affiliates, data enhancement and sensitive data for first party marketing.

     •     Tracking / Behavioral Advertising / Retargeting. The framework requires companies to provide consumers with a choice whether to be tracked across other parties’ websites. The FTC noted that tracking a consumer after the consumer leaves the company’s website is typically not consistent with the context of the consumer’s interaction with the company. Accordingly, where a company has a first-party relationship with a consumer on its own website, and it engages in third-party tracking of the consumer across other websites, the company should provide meaningful choice to the consumer. How this meaningful choice is to be implemented remains to be seen.

     •     Affiliates are third parties unless the affiliate relationship is clear to consumers. If the relationship is made clear to consumers, such as through common branding, the affiliate will not be considered a third-party. On the other hand, if the relationship is not visible to the consumer – for example an online publisher that also maintains an ad network that invisibly tracks consumers’ activities on the site – the affiliated ad network would be considered a third-party for purposes of choice.

     •     Cross-channel marketing is generally consistent with the context of a consumer’s interaction with the company. The Report finds that marketing to consumers through multiple channels (e.g. Internet, e-mail, mobile apps, text messaging or offline context) is generally consistent with the consumer’s relationship with the company. Tracking a consumer on third-party websites, however, would not be consistent, and choice should be required.

     •     Companies should implement measures to improve the transparency of data enhancement. The Report provides guidelines for adding data obtained from third-party sources to data collected by the company directly from the consumer. The FTC declined to require choice with respect to such enhancement, but noted that effective implementation of the framework’s other components should address privacy concerns (e.g. privacy by design, limiting data collection, limiting the length of time for retention of data, adopting reasonable security measures, providing choice when a company shares consumer data with a third-party, etc.).

     •     Companies should generally give consumers a choice before collecting sensitive data for first-party marketing. The FTC defines sensitive data, at a minimum, as data about children, financial and health information, Social Security numbers, and certain geo-location data.

     •     Choice – For practices requiring choice, companies should provide choices at a time and in a context in which the consumer is making a decision about his or her data. While this concept is flexible, the FTC states that in most cases, providing choice before or at the time of collection will be necessary to gain consumers’ attention and ensure that the choice presented is meaningful and relevant. For example, if data is being submitted online, the consumer choice should be offered directly adjacent to where the consumer is entering his or her data.

     •     Take-it-or-leave-it choice for important products or services raises concerns when consumers have few alternatives. The FTC did not provide substantial detail of what is an important product or service with few alternatives; however, it provided a patented medical device and broadband Internet access as two examples. The implications for ISPs are obvious; less obvious might be access to other Internet-based services perceived as ubiquitous.

     •     Businesses should provide a do not track mechanism to give consumers control over the collection of their web surfing data. The FTC noted the progress made to date regarding do not track, including browser-based solutions, self-regulatory efforts led by the Digital Advertising Alliance (DAA), and the World Wide Web Consortium (W3C). Accordingly, the FTC expects to see continued progress in this area as the DAA members and other key stakeholders continue discussions within the W3C process to work to reach consensus on an effective Do Not Track system in the coming months.

     •     Large platform providers that can comprehensively collect data across the Internet present special concerns. The FTC singles out for special attention ISPs, operating systems and browsers as these technologies are essentially able to track most if not all of a user’s online activities. The Report notes that while Google and Facebook are rapidly expanding their reach, they currently are not so widespread that they can track a consumer’s every movement across the Internet. Accordingly, the FTC is hosting a workshop in the second half of 2012 to explore privacy issues raised by all of these large platform providers.

    •     Companies should obtain affirmative express consent before making material retroactive changes to privacy representations. The FTC reaffirmed its commitment to this requirement noting the recent Google and Facebook settlements. A material change includes sharing consumer information with third parties after committing at the time of collection not to share the data or expanding the scope of these disclosures. Other situations require a case-by-case analysis based on the context of the consumer’s interaction with the business.

     •     Companies should obtain consumers’ affirmative express consent before collecting sensitive data. As noted above, sensitive information includes information about children, financial and health information, Social Security numbers and precise, individualized, geo-location data.

 

GREATER TRANSPARENCY

     •     Baseline principle: Companies should increase the transparency of their data practices.

     •     Prominence. The Report stressed that choices should be presented to consumers in a prominent, relevant and easily accessible place at a time and in a context when it matters to them.

     •     Clarity. The Commission calls on industry to make privacy statements shorter, clearer and more standardized; to give consumers reasonable access to the data; and to undertake to educate consumers as to how they collect, use and share their data.

     •     Major Principles:

            o          Simplification. Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy policies.

            o          Access. Companies should provide reasonable access to the consumer data they maintain; the extent of the access should be proportionate to the sensitivity of the data and the nature of its use.

            o          Data Brokers. The FTC particularly focuses on data brokers, urging Congress to legislate with respect to establishing a procedure for consumers to access information held by data brokers.  Additionally, the Commission recommended that data brokers explore the idea of creating a centralized website where they could identify themselves to consumers and describe how they collect consumer data and disclose the types of companies to which they sell the information.

            o          Teen Data. The FTC supports an “eraser button,” particularly for teens who can be more impulsive than adults, implementing the principle of the “right to be forgotten.”

            o          Consumer Education. All stakeholders should expand their efforts to educate consumers about commercial data privacy practices. 

 

CONCLUSION

The Report concludes by recommending that Congress consider baseline privacy legislation while industry implements the final privacy framework through individual company initiatives and through strong and enforceable self-regulatory initiatives. The FTC notes there are a number of specific areas where policy makers have a role in assisting with the implementation of the self-regulatory principles that make up the privacy framework, and the Commission’s plans for the upcoming year reflect these.

     •     FTC Action Plan for the next year:

            o          Do Not Track. The Commission will work with privacy groups and industry to complete implementation of an easy-to-use, persistent, and effective Do Not Track system.

            o          Mobile privacy disclosures. On May 30, 2012, the FTC will hold a workshop to provide business guidance about online advertising disclosures.

            o          Data Brokers. The Commission supports introduction of targeted legislation to provide consumers with access to the information about them held by data brokers.

            o          Large Platform Providers. The FTC will hold a workshop in the latter half of 2012 to explore privacy and other issues related to comprehensive tracking by large platform providers (ISPs, operating systems, browser vendors and social media providers).

            o          Promote enforceable self-regulatory codes. The FTC will assist the Commerce Department in undertaking a project to facilitate the development of sector specific codes of conduct.

            o          Significance of Self-Regulatory Codes. To the extent that strong privacy codes are created through self-regulation, the FTC will view adherence to the codes favorably in connection with its law enforcement activities. The FTC will continue to enforce the Act to take action against companies that engage in unfair or deceptive practices, including the failure to abide by the self-regulatory programs they join. 

The Report is a wealth of information for businesses that collect personal information and must comply with data privacy laws. As the most comprehensive and concrete framework provided by the FTC to date, companies should use the Report as a roadmap for developing their privacy compliance programs and adapting existing privacy programs.

 

European Mobile Operators Agree To Mobile App Privacy Guidelines

Posted in Mobile

Fresh on the heels of a similar agreement by US app platform providers, Europe’s major mobile operators have agreed to implement guidelines for the development and privacy of mobile apps. The GSM Association published the guidelines, which have been agreed to by Vodafone, Deutsche Telekom, France Telecom SA Orange and others. The guidelines will likely apply not only to the European operators, but will also help shape standards and guidelines for US and other operators worldwide.

The guidelines note that while the technological capabilities of mobile apps are a powerful enabler for innovative business models, they may also provide a vehicle for malicious or surreptitious access to a user’s personal information. Applications that legitimately access and use personal information may fail to meet the privacy expectations of users and undermine their confidence and trust in organizations and the wider mobile industry. Problems occur when users are not given clear and transparent notice of an application’s access to and use of their personal information, or when they are not given an opportunity to express meaningful choice and control over the use of their information for secondary purposes beyond those necessary to the operation of an application or service.

Under the guidelines, companies should effectively notify users about what personal information the mobile app will collect, store and share, as well as the purposes for using the information. The guidelines are intended for all parties that collect and use personal information collected from mobile users, including the mobile providers, platform operators, app developers, app distributors and device makers.

Notice of the privacy practices should be made available before an app is downloaded. Users should know if the app is supported by advertisements, and advertising to the mobile user should only use information that was properly obtained in accordance with the guidelines and applicable law. The guidelines also include standards for data retention, security, consumer education, social networking, location data and use by children and adolescents.

Express opt-in permission should be obtained when the collection of personal information is not necessary for the primary purpose of the app, when information is shared with a third party, and when information is retained after use of the app. Additionally, if the company desires to modify its collection or sharing of personal information, it should notify and obtain appropriate consent from the user before implementing the changes.

NIST Issues Draft Computer Security Breach Incident Handling Guide

Posted in Security Breach

The National Institute of Standards and Technology (NIST) has published for public comment a draft update to a guide for organizations managing their responses to computer security incidents such as hacking attacks. The Guide notes that computer security incident response has become an important component of information technology (IT) programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently.

NIST acknowledges that performing incident response effectively is a complex undertaking. Establishing a successful incident response capability requires substantial planning and resources. The Guide is intended to help both established and newly formed incident response teams. Unlike most threats several years ago, which tended to be short-lived and easy to notice, many of today’s threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time.

The Guide discusses seven (7) requirements and recommendations to enhance the efficiency and effectiveness of incident response activities.

            1.         Create, provision, and operate a formal incident response capability.

            2.         Reduce the frequency of incidents by effectively securing networks, systems, and applications.

            3.         Document guidelines for interactions with other organizations regarding incidents.

            4.         Be prepared to handle any type of incident, and particularly common incident types.

            5.         Emphasize the importance of incident detection and analysis throughout the organization.

            6.         Create written guidelines for prioritizing incidents.

            7.         Use the lessons learned process to gain value from incidents.

             While the Guide is directed to Federal departments and agencies, the recommendations throughout the Guide are instructive and useful for private businesses as well. Having a well-designed security breach incident response plan to use during and after an attack provides guidance and structure to what is often a complex situation. Well-drafted incident response plans can assist in minimizing loss and theft of sensitive information, and service disruptions after an attack is identified.

 

Tech Giants Agree to Require App Developers to Post Privacy Policies

Posted in Mobile

           On February 22, 2012, California’s Office of the Attorney General announced that Amazon, Apple, Google, Hewlett Packard, Microsoft and Research in Motion (the “Companies”) have all agreed to require their application (“app”) developers to post clear privacy policies for their apps wherever those apps can be downloaded (“Agreement”).  Together, these Companies account for 95 percent of all app downloads.  According to the Attorney General’s office, of the top 30 most downloaded apps, only 8 have posted privacy policies.

             In recent weeks, this issue has come to the forefront as Path, a social networking app, admitted to collecting and storing information from users’ address books without first notifying its users.  After Path’s revelation, Twitter, Foursquare, and Instagram all acknowledged that they collect users’ address book information without consent as well.  Apple also announced a change to its app developer guidelines, saying that iOS applications that collect user data without consent are prohibited. 

             Under the new Agreement, the Companies will ask app developers to include either the text of, or a hyperlink to, the privacy policy that will notify users about what data the apps can access and how that data will be stored by the app.  Generally, apps have access to data regarding users’ location, contacts, and photos. 

             According to Attorney General Kamala Harris,  “[t]his [A]greement strengthens the privacy protections of California consumers and of millions of people around the globe who use mobile apps.  By ensuring that mobile apps have privacy policies, we create more transparency and give mobile users more informed control over who accesses their personal information and how it is used.” 

             If an app developer does not comply with the privacy policies as required by the Agreement, developers can be prosecuted under California’s Unfair Competition Law or False Advertising Law.  No timeline for compliance has been set, but the Attorney General said that she would meet with the Companies in six months to assess developers’ progress.

California Businesses Targeted For Inadequate Website Privacy Disclosures

Posted in Information Privacy and Cloud Computing

It may be form over substance, but sometimes form counts.

California’s “Shine The Light” law (Cal. Civ. Code. §1798.83) requires businesses that collect California residents’ personal information and share it for marketing purposes to disclose to the consumers what information they share, and with whom, upon request. The law also has specific requirements for labeling the link to the disclosure. Failure to comply can subject violators to $3,000 in statutory damages for each violation, according to a series of class action complaints recently filed in California (Boorstein v. CBS Interactive Inc., Cal. Super. Ct., No. 476015, complaint filed 12/28/11; Boorstein v. Men’s Journal LLC, Cal. Super. Ct., No. 475697, complaint filed 12/22/11; Miller v. Hearst Communications, C.D. Cal., No. 12-733, complaint filed 1/27/12; Murray v. Time Inc., N.D. Cal., No. 12–431, notice of removal filed 1/26/12; Smith v. Microsoft Corp., Cal. Super. Ct., No. 476413, complaint filed 1/9/12).

Under the law, businesses may comply by providing California residents with the ability to opt out of the sharing of their personal information. The disclosures regarding a company’s information sharing practices and an individual’s opt out rights can be provided in the company’s website privacy policy. Notably, the link to the privacy policy must be on the website homepage and clearly labeled “Your Privacy Rights”.

The law allows customers to request a list of categories of personal information disclosed by the company during the prior year, and the contact information for the companies receiving the personal information. The definition of “personal information” is broad, including basic information such as names and addresses, as well as other information such as height, weight, race, religion, occupation, political affiliation, medical conditions, and types of purchases made. Additionally, businesses should note that the law is triggered by disclosures to affiliates and commonly owned companies.

Each defendant company allegedly failed to label links to their privacy policies as “Your Privacy Rights” or to comply with the statute’s other requirements. The defendants’ failure to comply deprived plaintiffs of their statutorily guaranteed right to monitor and control the disclosure and dissemination of their valuable personal information, they alleged.

Small businesses with fewer than 20 employees are not covered by the law. Businesses may also comply by sharing personal information for marketing purposes only if individuals affirmatively consent to such sharing, and by giving individuals a no-cost way of opting out. Additionally, certain disclosures do not trigger the law, such as disclosing personal information to transaction processors and other service providers so long as the provider does not use the information for marketing purposes, and marketing to individuals with whom the company has an established business relationship.

Bottom line:  Companies that share personal information with third parties (including affiliates) for the third party to market to the individual should examine their privacy policies, including labels and placement of links to privacy policies, to ensure compliance with California’s Shine the Light law. Plaintiffs in the recently filed class action cases claim that failure to use a link on the home page labeled “Your Privacy Rights” violates the law.

FTC Disappointed with Privacy on Kids’ Mobile Apps

Posted in FTC

By Ariel Fox Johnson and Chanley Howell

Today, the FTC staff released a Report [http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf] which raised concerns about the privacy policies and practices of mobile apps for children. The Report contains the results of a survey the FTC staff conducted of mobile apps targeted at kids. While tailored for children-focused apps, the Report provides useful guidance with respect to FTC concerns applicable to all categories of mobile apps.

The Report explains that in today’s growing mobile market, there are over 500,000 mobile apps in the Apple App Store and 380,000 in the Android Market. On the positive side, the Report found that there is a wide variety of apps now available for children, both educational and entertaining, and that the apps are for the most part inexpensive.

The Report also found that despite the wide variety and accessibility of kids’ apps, there is a lack of information about apps’ data collection and sharing practices available to parents when they are downloading apps. In the app stores and at developers’ sites, it was often very difficult to determine the actual scope and reach of the app’s data collection and sharing functionality. The Report noted that mobile apps can capture lots of information from a device automatically and without a user’s awareness, such as geolocation, phone numbers, contacts, call logs, and unique identifiers. Furthermore, some children’s apps—like adult apps—allow for social networking and the display of advertising, which can raise additional privacy concerns for parents.

 The Report recommended that app developers and app stores, such as the Android Market and the Apple App Store, should work together to provide necessary privacy information to parents in a clear, simple and timely manner. For example, app stores should provide information about an app’s privacy practices the same way they provide “category” or price information, perhaps by displaying symbols indicating various privacy collection and sharing practices.

 The Report further recommended that app developers need to write clear and short policies using plain language (not “legalese”) that can be effectively displayed on a mobile device. Writing such policies may be an exercise in creativity for the app developers—privacy policies appearing on websites have been criticized for length and density, and those concerns apply even more to policies displayed on a screen only inches wide. They should also disclose whether the app connects with social media, and whether it contains ads.

 Finally, the FTC encouraged app developers, app stores, and third parties providing services within apps to make information clear so that parents can make informed choices about their children’s apps.

Companies should note that when the FTC refers to “app developers,” it uses the term broadly to include the sponsor, seller or distributor of the app, not just the company that actually does the development work. In other words, companies that sell and distribute mobile apps are responsible for requiring their developers to comply with the privacy requirements imposed and enforced by the FTC.

The FTC also indicated that it would be conducting a review of certain mobile apps in the coming months to determine if the apps are complying with the Children’s Online Privacy Protection Act (COPPA).  The COPPA Rule is currently undergoing a review at the FTC.

Concerns about mobile app privacy, and in particular the lack of transparency regarding what mobile apps do, extend beyond kids’ apps. As highlighted in a New York Times post yesterday (http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission/?src=me&ref=technology), certain popular apps may be routinely gathering personal information from address books and uploading it to servers without a user’s knowledge. As technology evolves and more companies create mobile apps, companies should take care to accurately explain their privacy practices and comply with best practices in this arena. While the guidelines provide useful guidance for all apps, compliance in this area is especially important for developers of children’s mobile apps, given the FTC’s mandate under COPPA and its particular concern with children’s privacy as a top priority.

NIST Issues Privacy and Security Guidelines for Cloud Computing

Posted in Cloud Computing; Information Security

The National Institute of Standards and Technology recently issued its Guidelines on Security and Privacy in Public Cloud (SP 800-144). The Guidelines can be found at http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

They stress the importance of user responsibility in practicing sound security practices. NIST provides useful guidance when outsourcing data, applications and infrastructures to a vendor utilizing a cloud-based delivery model.

The recommendations include:

European Commission Releases Much Anticipated Data Protection Regulation: Questions Remain About What Will Finally Be Implemented

Posted in International

On January 25th, the European Commission published a proposal for a new data protection regulation to replace the 1995 Data Protection Directive. The 1995 Directive has come under considerable criticism due largely to the significant variation in implementation by the 27 EU member states. While the Commission had announced a review of the Directive in the last few years, the proposal of a Regulation is intended to reduce the myriad approaches across the EU while also updating the rules to reflect such things as social networks, increased and more complex international processing, online behavioral advertising, and breach notification, to name just a few.

Highlights

The stated goals of the Commission in revamping the data protection rules have for some time included the expansion of an individual’s privacy rights, including the somewhat optimistic ‘right to be forgotten’, and for those subject to the rules, the simplification and consistency of compliance whether it be the use of cloud computing, international data transfer mechanisms, or marketing to European consumers. To those ends, the Commission has proposed the following:

The Business Implications of the U.S. v Jones GPS Tracking Decision

Posted in Geolocation

On Monday, January 23, 2012, the US Supreme Court ruled that law enforcement violated the Fourth Amendment by attaching a GPS tracking device to a suspect’s car in connection with a drug investigation. We provide a brief summary of the decision followed by our views on the implications of the decision for businesses and employers.

The Decision

The Court unanimously ruled that law enforcement was required to obtain a search warrant before placing the GPS tracking device on the suspect’s car. Although the Justices were unanimous in upholding the lower court decision, the Justices differed on certain points, resulting in three separate opinions.

Based on traditional principles of trespass and the Fourth Amendment, the Court held “Where, as here, the Government obtains information by physically intruding on a constitutionally protected area, such a search undoubtedly occurred.” Because a search occurred, the police were required to first obtain a search warrant. The police did not obtain a search warrant, meaning the GPS tracking evidence would likely be inadmissible in the event of a retrial.
