Digital Privacy and Data Protection
ACC Colorado
Happy Hour CLE
March 13, 2014
1
© 2014 Lathrop & Gage LLP
Presenters
Tom Leland - Partner and Co-Chair, Business
Litigation Team, Lathrop & Gage LLP, Denver
Bryan Clark – Associate, Digital Privacy and Data
Protection Practice Group, CIPP/US, Lathrop &
Gage LLP, Chicago
Michael Jones – Global Privacy Program Manager,
CIPP/US, Monster Worldwide, Inc., Boston
Overview of Agenda
United States statutory framework
EU privacy framework
Technological background
Recent regulatory developments
Recent litigation developments
Key Privacy Laws in the United States
Gramm-Leach-Bliley Act for financial information
Health Insurance Portability and Accountability Act (HIPAA) for health information
FTC Act for all other personal information
• Section 5 prohibits unfair or deceptive trade practices
EU Privacy Laws and Directives
Privacy is a fundamental human right
Data Protection Directive 95/46/EC
• Not prescriptive
• Required each member country to pass a data protection law
Directive on Privacy and Electronic Communication 2002/58
• Amended by Directive 2009/136 (“Cookie Directive”)
Privacy in the EU
Differs from privacy in the US
• In the US, few privacy rights in public
• In the EU, the right to privacy extends farther
Consent based model
Convictions of Google executives in Italy
Google fought Spain’s AEPD in EU court over forced
removal of names from Google search results.
Google ultimately won
Data Transfers
EU generally prohibits transfer of personal information outside of the EU
Enter Safe Harbor
• Negotiated by the US Department of Commerce
• US orgs voluntarily agree to EU standards in exchange for being permitted to export personal data to the US
Social Networking
Marketing
• CAN-SPAM
• Canada’s Anti-Spam Legislation (CASL)
  • Takes effect on July 1, 2014
  • Prohibits sending unsolicited commercial electronic messages
  • More stringent than CAN-SPAM
Employment
• Many states have prohibited requesting social media account credentials as part of a job application
• False friending – “A lawyer may not attempt to gain access to a social networking website under false pretenses, either directly or through an agent” – NY State Bar Association – Formal Opinion
Social Networking
CAN-SPAM
National Labor Relations Act
• Costco Wholesale Corp., 358 NLRB No. 106 (Sept. 7, 2012)
• Costco employee handbook stated “statements posted electronically (such as [to] online message boards or discussion groups) that damage the Company, defame any individual or damage any person’s reputation, or violate the policies outlined in the Costco Employee Agreement, may be subject to discipline”
• NLRB found this policy was overbroad because it has a tendency to inhibit protected employee activity
• Lesson: ensure social media policy does not prohibit any protected activity
Online Advertising
Beacons, and cookies, and trackers, oh my!
User Tracking
Analytics
User Experience
Advertising
• First-party
  • Contextual
  • Behavioral
• Third-party
  • Behavioral
  • Retargeting
Tracking Technology
Cookies
• HTTP
• HTML
• Flash
• Cache
Device fingerprinting
• Combines browser data to uniquely identify a computer
• Fingerprint not stored on the local user’s machine
Deep packet inspection
• Done at the ISP level
• Observes all traffic going through the user’s internet connection
Ad-serving flow (diagram actors: User, ISP, Website (Publisher), Ad Network, Advertiser)
1. User enters URL into browser
2. User’s computer contacts ISP’s DNS to resolve URL into an IP address
3. User’s browser contacts IP address
4. HTML builds site, including instructions for user’s computer to contact ad server
5. User transmits cookie data to ad network
6. Ad network chooses advertiser to match cookie
7. Ad network serves targeted ad
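The seven-step flow above, as an added illustration that is not part of the slides: a toy model in which one ad network embedded on two unrelated publisher sites links a user's visits through the cookie it set, and in which a browser that blocks third-party cookies prevents that linkage. The hosts news.example, shop.example and ads.example are constructed for the example.

```python
# Added example (not from the slides): a toy model of the ad-serving flow,
# showing why one ad network embedded on two unrelated publisher sites can link
# a user's visits through its cookie, and what blocking third-party cookies changes.
# Hosts news.example, shop.example and ads.example are constructed for this example.
import secrets
from urllib.parse import urlsplit

AD_HOST = "ads.example"  # hypothetical ad network host


class AdNetwork:
    def __init__(self):
        self.visits = {}  # cookie id -> publisher hostnames seen with that id

    def serve_ad(self, cookie_id, publisher):
        # Step 5: the ad request carries the cookie (or none on a first visit).
        if cookie_id is None:
            cookie_id = secrets.token_hex(8)  # new tracking id, set via Set-Cookie
        # Step 6: the network records the visit and matches an advertiser to the id.
        seen = self.visits.setdefault(cookie_id, [])
        seen.append(publisher)
        # Step 7: a "targeted" ad based on every publisher seen under this id.
        return cookie_id, "ad for a visitor of " + ", ".join(sorted(set(seen)))


class Browser:
    def __init__(self, block_third_party_cookies=False):
        self.jar = {}  # host -> cookie value
        self.block_third_party_cookies = block_third_party_cookies

    def visit(self, url, network):
        publisher = urlsplit(url).hostname
        # Steps 1-4: the page loads and instructs the browser to fetch an ad from AD_HOST.
        # With blocking on, no cookie for AD_HOST is sent or stored from a third-party context.
        sent = None if self.block_third_party_cookies else self.jar.get(AD_HOST)
        cookie, ad = network.serve_ad(sent, publisher)
        if not self.block_third_party_cookies:
            self.jar[AD_HOST] = cookie
        return ad


def visits_linked(block_third_party_cookies):
    """True if the network can tie visits to both publishers to a single cookie id."""
    network = AdNetwork()
    browser = Browser(block_third_party_cookies)
    browser.visit("https://news.example/story", network)
    browser.visit("https://shop.example/cart", network)
    return any(len(set(hosts)) == 2 for hosts in network.visits.values())
```

With cookies allowed, `visits_linked(False)` is True because both ad requests carry the same id; with third-party cookies blocked, each request looks like a new visitor and the result is False.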
Trends and Initiatives in OBA
US
• FTC Principles
• Self Regulatory Principles for Online Behavioral Advertising
• FTC Preliminary Staff Report
• Endorses “Do Not Track” to Facilitate Consumer Choice About Online Tracking.
• FTC criticizes the industry for moving too slowly.
• DOC Preliminary Greenpaper
• Icon (Currently Rolling Out)
• BBB and DMA are beginning enforcement
• Google and Yahoo moving to the DAA’s icon
• Chitika
EU
• Cookie Directive
• A coalition of the leading European advertising and publishing trade associations is
planning to roll out a self-regulatory program similar to the US program.
• Yahoo has just rolled out its ad icon in the EU, similar to that available in the US.
Data Security
Several states have data security laws: CA, MA, TX
46 states have breach notification laws
• Financial account information, state-issued
identification number, SSN
Federal data security standard set by NIST Special
Publication 800-53 (Rev 4)
• Currently voluntary standard
Encryption
Data in transit
• SFTP – Secure file transfer protocol
• HTTPS – Secure delivery of web pages
Data at rest
• AES 256 – Meets FIPS 140-2 requirements for government encryption
• Hash functions – For data that does not need to be read, only verified
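The last bullet in practice, as an added example that is not from the slides: a value that only has to be verified is stored as a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) rather than encrypted, so the stored record cannot be turned back into the value. The sample values are constructed.

```python
# Added example (not from the slides): protecting at-rest data that only needs to
# be verified, never read back, with a salted iterated hash (PBKDF2-HMAC-SHA256
# from the standard library) instead of reversible encryption.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor: slows offline guessing if the records leak


def protect(secret: str) -> dict:
    """Return a record holding only salt and hash; the secret itself is not stored."""
    salt = os.urandom(16)  # per-record random salt so equal secrets hash differently
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_secret_distinct_records(secret: str) -> bool:
    """Two records for one secret differ (different salts), yet both verify it."""
    a, b = protect(secret), protect(secret)
    return a["hash"] != b["hash"] and verify(a, secret) and verify(b, secret)
```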
Security Trends in Privacy
Encryption
Role based access
• Limiting access to those who need it
Information-centric security
• Protecting information based on type of data, not location of data
Increased attention to authentication
• Token protection
• APIs that let you interact with a site while on a third party site (e.g., Facebook’s “like” button)
Recent Regulatory Developments
Points of emphasis for FTC
• Comments from Commissioner last week
New regulations under Telephone Consumer Protection Act, 47 U.S.C. 227 (“TCPA”)
• Went into effect October 16, 2013
• Written express consent is the key
Recent Litigation Developments
Article III standing
Mooting
Attempts to strike class allegations pre-discovery
Hobbs Act
Implied consent
ATDS/capacity
Confirmatory opt-out
Article III Standing
Under Article III, a plaintiff must allege facts sufficient to show (1)
injury in fact, (2) causation, and (3) redressability. See Lujan v.
Defenders of Wildlife, 504 U.S. 555, 560-61 (1992).
LaCourt v. Specific Media, Inc., 2011 WL 1661532, at *5 (C.D. Cal.
Apr. 28, 2011) (“If Plaintiffs are suggesting that their computers’
performance was compromised . . . they need to allege facts
showing that this is true.”).
Yunker v. Pandora Media, Inc., 2013 WL 1282980, *5-6 (N.D. Cal.
March 26, 2013) (reasoning in part that amorphous claims of
decreased memory space and potential future harm were insufficient
to establish standing).
Mooting
“[O]nce the defendant offers to satisfy the plaintiff’s entire demand,
there is no dispute over which to litigate, and a plaintiff who refuses
to acknowledge this loses outright . . . because [he] has no remaining
stake.” Damasco v. Clearwire Corp., 662 F.3d 891, 895 (7th Cir.
2012).
“If an intervening circumstance deprives the plaintiff of a ‘personal
stake in the outcome of the lawsuit,’ at any point during litigation, the
action can no longer proceed and must be dismissed as moot. . . .
[T]he mere presence of collective-action allegations in the complaint
cannot save the suit from mootness once the individual claim is
satisfied.” Genesis Healthcare v. Symczyk, 133 S.Ct. 1523, 1528-29 (2013); id. at 1529.
Striking Class Allegations
Theory is to attack class allegations and defeat certification
before expending significant resources in discovery.
Approach has had limited success, but it is gaining some
traction lately.
See, e.g., Labou v. Cellco Partnership, 2014 WL 824225
(E.D. Cal. March 3, 2014)
Hobbs Act
The question here is the degree to which the Court can rule on FCC interpretations
(such as whether a text message is a call under the TCPA).
The Hobbs Act provides in part that “[t]he court of appeals ... has exclusive
jurisdiction to enjoin, set aside, suspend (in whole or in part), or to determine the
validity of all final orders of the Federal Communications Commission made
reviewable by section 402(a) of title 47.” 28 U.S.C. § 2342(1).
Courts have treated this in different ways. Compare Leyse v. Clear Channel
Broadcasting, Inc., 697 F.3d 360 (6th Cir. 2012) (“A case that is not a proceeding to
enjoin or annul an FCC order lies outside the ambit of [the Hobbs Act]”); Nack v.
Walburg, 715 F.3d 680 (8th Cir. 2013) (holding that the court is bound by the FCC
interpretation of the TCPA because of the Hobbs Act).
Implied Consent (TCPA)
A hot issue in the TCPA context is whether a consumer can
give consent to receive a text message by providing his or
her cell phone number.
Baird v. Sabre, Inc., 2014 WL 320205 (C.D. Cal. Jan. 28,
2014), was one of the most recent federal decisions to hold
that provision of a cell phone number is consent to receive
a text message.
Other cases to watch: Coca-Cola cases in S.D. Cal. and
N.D. Ala.
ATDS/Capacity (TCPA)
Another key issue in TCPA cases relating to the autodialer
provision is whether the equipment at issue has merely the
“capacity” to autodial, or whether that capacity is actually
being used.
Gragg v. Orange Cab Co., 2014 WL 801305 (W.D. Wash.
Feb. 28, 2014) is one of the most recent authorities in this
area and holds that mere capacity is not enough.
However, many courts have held (based on the strict
statutory language) that capacity is all that is required.
Confirmatory Opt-Out (TCPA)
Mixed results.
Ibey v. Taco Bell Corp., Case No. 12-cv-0583 (S.D.
Cal.): Dismissal where case was based on single,
confirmatory text.
Ryabyshchuk v. Citibank (South Dakota) N.A.,
Case No. 11-cv-1236, (S.D. Cal.): Denying motion
to dismiss where case was based on single,
confirmatory text.