Digital Privacy and Data Protection
ACC Colorado Happy Hour CLE
March 13, 2014
© 2014 Lathrop & Gage LLP

Presenters
Tom Leland – Partner and Co-Chair, Business Litigation Team, Lathrop & Gage LLP, Denver
Bryan Clark – Associate, Digital Privacy and Data Protection Practice Group, CIPP/US, Lathrop & Gage LLP, Chicago
Michael Jones – Global Privacy Program Manager, CIPP/US, Monster Worldwide, Inc., Boston

Overview of Agenda
United States statutory framework
EU privacy framework
Technological background
Recent regulatory developments
Recent litigation developments

Key Privacy Laws in the United States
Gramm-Leach-Bliley Act for financial information
Health Information Portability and Accountability Act (HIPAA) for health information
FTC Act for all other personal information
  • Section 5 prohibits unfair or deceptive trade practices

EU Privacy Laws and Directives
Privacy is a fundamental human right
Data Protection Directive 95/46/EC
  • Not prescriptive
  • Required each member country to pass a data protection law
Directive on Privacy and Electronic Communication 2002/58
  • Amended by Directive 2009/136 (“Cookie Directive”)

Privacy in the EU
Differs from privacy in the US
  • In the US, little privacy rights in public
  • In the EU, right to privacy extends farther
Consent based model
Convictions of Google executives in Italy
Google fought Spain’s AEPD in EU court over forced removal of names from Google search results. Google ultimately won

Data Transfers
EU generally prohibits transfer of personal information outside of the EU
Enter Safe Harbor
  • Negotiated by the US Department of Commerce
  • US orgs voluntarily agree to EU standards in exchange for being permitted to export personal data to US

Social Networking
Marketing
  • CAN-SPAM
  • Canada’s Anti-Spam Legislation (CASL)
      Takes effect on July 1, 2014
      Prohibits sending unsolicited commercial electronic messages
      More stringent than CAN-SPAM
Employment
  • Many states have prohibited requesting social media account credentials as part of a job application
  • False friending – “A lawyer may not attempt to gain access to a social networking website under false pretenses, either directly or through an agent” – NY State Bar Association – Formal Opinion

Social Networking
CAN-SPAM
National Labor Relations Act
  • Costco Wholesale Corp., 358 NLRB No. 106 (Sept. 7, 2012)
  • Costco employee handbook stated “statements posted electronically (such as [to] online message boards or discussion groups) that damage the Company, defame any individual or damage any person’s reputation, or violate the policies outlined in the Costco Employee Agreement, may be subject to discipline”
  • NLRB found this policy was overbroad because it has a tendency to inhibit protected employee activity
  • Lesson: ensure social media policy does not prohibit any protected activity

Online Advertising
Beacons, and cookies, and trackers, oh my!

User Tracking
Analytics
User Experience
Advertising
  • First-party
  • Contextual
  • Behavioral
  • Third-party
  • Behavioral
  • Retargeting

Tracking Technology
Cookies
  • HTTP
  • HTML
  • Flash
  • Cache
Device fingerprinting
  • Combines browser data to uniquely identify a computer
  • Fingerprint not stored on local user’s machine
Deep packet inspection
  • Done at the ISP level
  • Observes all traffic going through the user’s internet connection

[Diagram: User, ISP, Website (Publisher), Ad Network and Advertiser, connected by arrows numbered 1 through 7]
1. User enters URL into browser
2. User’s computer contacts ISP’s DNS to resolve URL into an IP address
3. User’s browser contacts IP address
4. HTML builds site, including instructions for user’s computer to contact ad server
5. User transmits cookie data to ad network
6. Ad network chooses advertiser to match cookie
7. Ad network serves targeted ad

Trends and Initiatives in OBA
US
  • FTC Principles
  • Self Regulatory Principles for Online Behavioral Advertising
  • FTC Preliminary Staff Report
  • Endorses “Do Not Track” to Facilitate Consumer Choice About Online Tracking.
  • FTC criticizes the industry for moving too slowly.
  • DOC Preliminary Greenpaper
  • Icon (Currently Rolling Out)
  • BBB and DMA are beginning enforcement
  • Google and Yahoo moving to the DAA’s icon
  • Chitika
EU
  • Cookie Directive
  • A coalition of the leading European advertising and publishing trade associations is planning to roll out a self-regulatory program similar to the US program.
  • Yahoo has just rolled out its ad icon in the EU, similar to that available in the US.

Data Security
Several states have data security laws: CA, MA, TX
46 states have breach notification laws
  • Financial account information, state-issued identification number, SSN
Federal data security standard set by NIST Special Publication 800-53 (Rev 4)
  • Currently voluntary standard

Encryption
Data in transit
  SFTP
  • Secure file transfer protocol
  HTTPS
  • Secure delivery of web pages
Data at rest
  AES 256
  • Meets FIPS 140-2 requirements for government encryption
  Hash functions
  • For data that does not need to be read, only verified

Security Trends in Privacy
Encryption
Role based access
  • Limiting access to those who need it
Information-centric security
  • Protecting information based on type of data, not location of data
Increased attention to authentication
  • Token protection
  • APIs that let you interact with a site while on a third party site (e.g., Facebook’s “like” button)

Recent Regulatory Developments
Points of emphasis for FTC
  • Comments from Commissioner last week
New regulations under Telephone Consumer Protection Act, 47 U.S.C. 227 (“TCPA”)
  • Went into effect October 16, 2013
  • Written express consent is the key

Recent Litigation Developments
Article III standing
Mooting
Attempts to strike class allegations pre-discovery
Hobbs Act
Implied consent
ATDS/capacity
Confirmatory opt-out

Article III Standing
Under Article III, a plaintiff must allege facts sufficient to show (1) injury in fact, (2) causation, and (3) redressability. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992).
LaCourt v. Specific Media, Inc., 2011 WL 1661532, at *5 (C.D. Cal. Apr. 28, 2011) (“If Plaintiffs are suggesting that their computers’ performance was compromised . . . they need to allege facts showing that this is true.”).
Yunker v. Pandora Media, Inc., 2013 WL 1282980, *5-6 (N.D. Cal. March 26, 2013) (reasoning in part that amorphous claims of decreased memory space and potential future harm were insufficient to establish standing).

Mooting
“[O]nce the defendant offers to satisfy the plaintiff’s entire demand, there is no dispute over which to litigate, and a plaintiff who refuses to acknowledge this loses outright . . . because [he] has no remaining stake.” Damasco v. Clearwire Corp., 662 F.3d 891, 895 (7th Cir. 2012).
“If an intervening circumstance deprives the plaintiff of a ‘personal stake in the outcome of the lawsuit,’ at any point during litigation, the action can no longer proceed and must be dismissed as moot. . . . [T]he mere presence of collective-action allegations in the complaint cannot save the suit from mootness once the individual claim is satisfied.” Id. at 1529. Genesis Healthcare v. Symczyk, 133 S.Ct. 1523, 1528-29 (2013).

Striking Class Allegations
Theory is to attack class allegations and defeat certification before expending significant resources in discovery.
Approach has had limited success, but it is gaining some traction lately. See, e.g., Labou v. Cellco Partnership, 2014 WL 824225 (E.D. Cal. March 3, 2014)

Hobbs Act
The question here is the degree to which the Court can rule on FCC interpretations (such as whether a text message is a call under the TCPA).
The Hobbs Act provides in part that “[t]he court of appeals ... has exclusive jurisdiction to enjoin, set aside, suspend (in whole or in part), or to determine the validity of all final orders of the Federal Communications Commission made reviewable by section 402(a) of title 47.” 28 U.S.C. § 2342(1).
Courts have treated this in different ways. Compare Leyse v. Clear Channel Broadcasting, Inc., 697 F.3d 360 (6th Cir. 2012) (“A case that is not a proceeding to enjoin or annul an FCC order lies outside the ambit of [the Hobbs Act]”); Nack v. Walburg, 715 F.3d 680 (8th Cir. 2013) (holding that the court is bound by the FCC interpretation of the TCPA because of the Hobbs Act).

Implied Consent (TCPA)
A hot issue in the TCPA context is whether a consumer can give consent to receive a text message by providing his or her cell phone number.
Baird v. Sabre, Inc., 2014 WL 320205 (C.D. Cal. Jan. 28, 2014), was one of the most recent federal decisions to hold that provision of a cell phone number is consent to receive a text message.
Other cases to watch: Coca-Cola cases in S.D. Cal. and N.D. Ala.

ATDS/Capacity (TCPA)
Another key issue in TCPA cases relating to the autodialer provision is whether the equipment at issue has merely the “capacity” to autodial, or whether that capacity is actually being used.
Gragg v. Orange Cab Co., 2014 WL 801305 (W.D. Wash. Feb. 28, 2014) is one of the most recent authorities in this area and holds that mere capacity is not enough.
However, many courts have held (based on the strict statutory language) that capacity is all that is required.

Confirmatory Opt-Out (TCPA)
Mixed results.
Ibey v. Taco Bell Corp., Case No. 12-cv-0583 (S.D. Cal.): Dismissal where case was based on single, confirmatory text.
Ryabyshchuk v. Citibank (South Dakota) N.A., Case No. 11-cv-1236, (S.D. Cal.): Denying motion to dismiss where case was based on single, confirmatory text.