Pay Attention to Privacy or Else... ?
Jim Rennie
Source Boston - April 19, 2012

Bio
• Currently in Compliance at TRUSTe in San Francisco
• Advise and do gap reviews on US / EU privacy best practices
• 3 years of experience as a Public Defender in Las Vegas
• Graduate of Benjamin N. Cardozo School of Law, 2007
• Prior to law, over 3 years of experience as a software developer

Disclaimer
Although I am a lawyer, I am not YOUR lawyer. This is not legal advice. We do not have an attorney-client relationship.

Agenda
• What is privacy?
• Why should I care?
• What is the current state of privacy regulation in the US?
• Some recent FTC cases
• Future US privacy regulation
• A brief stop in the EU
• Questions

Privacy: What is Privacy?
An individual's ability to control Personally Identifiable Information about themselves.
• Privacy != Anonymity
• Privacy != Secrecy
• Privacy != Security

Privacy v. Security
In terms of practices / regulation today... Privacy today is like Security 15 years ago.

Privacy: Why should I pay attention?
1. It's the right thing to do
2. Consumers like businesses they can trust
3. If you don't, the FTC will show up

Privacy Law in the US
• No explicit federal constitutional right to privacy
• No general federal privacy law (yet)
• Sector-specific privacy laws: GLBA, HIPAA, COPPA

Privacy Law in the US: FTC (Federal Trade Commission)
• Protects consumers from business practices that are unfair or deceptive
• Less direct power than you might think

Privacy Law in the US: California Privacy Law
• Constitutional right to privacy
• Privacy statement required for any internet service doing business in CA
• Recently expanded to include mobile apps

Privacy Law in the US: California + FTC
• California: you have to have a privacy statement
• FTC: protects consumers if your privacy statement or your practices are unfair / deceptive

FTC v. Google
Google settles with FTC over Google Buzz rollout
• Google's privacy policy said "if we use [your] information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use..."
• But user info was automatically used to populate Google Buzz without informing users or giving users a chance to say no
• Did not provide users enough information to make an informed choice
• Failed to follow US/EU Safe Harbor requirements

FTC v. Google
Google settles with FTC over Google Buzz rollout
Settlement:
• Fix the problems identified by FTC
• 20 years of FTC oversight
• Independent privacy audits every other year
• Possible fines for non-compliance

FTC v. Facebook
Facebook settles because of... lots of stuff
• Information that was private became public without informing users
• Policy claimed apps could only access information they needed to operate, but they could access almost anything
• Setting data to "Friends Only" didn't prevent third-party apps from accessing that data
• Content that was "deleted" was still available
• Failed to follow US/EU Safe Harbor requirements

FTC v. Facebook
Facebook settles because of...
lots of stuff
Settlement:
• Fix the problems identified by FTC
• 20 years of FTC oversight
• Independent privacy audits every other year
• Possible fines for non-compliance

FTC v. Chitika
Chitika settles because of a faulty opt-out mechanism
• Privacy policy said users could opt out of tracking
• Using the opt-out mechanism did drop an opt-out cookie and told the user they had opted out
• But the cookie only lasted for 10 days (oops!)

FTC v. Chitika
Chitika settles because of a faulty opt-out mechanism
Settlement:
• Required all opt-outs to last for 5 years
• Delete any consumer data obtained during the period of the malfunctioning opt-out
• Possible fines for non-compliance

FTC v. RockYou
RockYou settles because of security and COPPA violations
• RockYou's privacy policy claimed they took adequate security measures to protect personal information
• But in reality, they stored usernames / passwords in plain text
• Not living up to security assurances is "deceptive" (consistent with the prior FTC v. Twitter settlement)
• COPPA violation for knowingly collecting information from users < 13 years old

FTC v. RockYou
RockYou settles because of security and COPPA violations
Settlement:
• $250,000 fine
• Fix the problems identified by FTC
• 20 years of FTC oversight
• Independent privacy audits every other year
• Possible higher fines for future violations

Current State of Regulation
• Say what you do / Do what you say
• Notify users before changing how you use their data

Future: FTC
FTC Final Recommendations for Business and Policymakers, March 2012
• Calls for Privacy by Design
• Simplify choices for consumers & greater transparency
• Do Not Track
• Mobile
• Data brokers
• Large platform providers
• Promoting enforceable self-regulation

Future: White House
White House releases Blueprint for Consumer Privacy Bill of Rights, February 2012
• Transparency
• Respect for Context
• Security
• Access and Accuracy
• Focused Collection
• Accountability

Briefly: The EU
• Constitutional right to privacy
• Much more privacy-protective than the US
• Policy set at the EU level, enforcement by individual countries' Data Protection Authorities (DPAs)
• If you're transferring personal data out of the EU, and you're not in the Safe Harbor / don't have model contracts / don't have binding corporate rules... you're doing it wrong.

Future: EU
They're going to hit companies where it hurts...
Draft Regulations:
• More aggressive regulation
• Ability for NGOs to sue DPAs if they fail to enforce
• Huge fines for violations (up to a percentage of yearly profits)

Conclusion
• Privacy is important to consumers
• Say what you do / Do what you say
• FTC stepping up enforcement in privacy-related matters
• More privacy regulation is coming (US and EU)
• Privacy by Design is the future

Questions ???
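The RockYou finding above (usernames and passwords stored in plain text while the privacy policy promised adequate security) is the one item in this deck that maps directly onto code. The following Python is an added example, not material from the talk and not RockYou's code: it puts the plaintext store next to the hardened alternative, a per-user random salt with an iterated PBKDF2 hash, and models what a database dump hands an attacker in each case. The record format, the iteration count and the sample credentials are assumptions chosen for illustration.

```python
"""Plaintext credential storage (the practice the FTC faulted at RockYou)
next to the hardened alternative: a per-user salt and an iterated hash.
Added example; not RockYou's code. Record format, iteration count and
sample credentials are assumptions chosen for illustration."""
import hashlib
import hmac
import os

# Assumption: tuned so one hash costs tens of milliseconds; raise it as
# hardware gets faster (the cost is what slows an offline guessing attack).
ITERATIONS = 100_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha256$"


def store_plaintext(users, username, password):
    """The RockYou pattern: the stored record IS the password, so a SQL
    injection or a database dump yields every credential immediately."""
    users[username] = password
    return users[username]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user defeats precomputed tables and makes two
    users with the same password produce different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}{}${}${}".format(RECORD_PREFIX, iterations, salt.hex(), digest.hex())


def verify_password(record, password):
    """Recompute the digest from the record's own salt and iteration count
    and compare in constant time. Malformed or plaintext records never verify."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] + "$" != RECORD_PREFIX:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def register(users, username, password):
    """Hardened registration: only the hash record is written, never the password."""
    users[username] = hash_password(password)
    return users[username]


def login(users, username, password):
    """Hardened login. An unknown username still pays for one hash so the
    response time does not reveal which usernames exist."""
    record = users.get(username)
    if record is None:
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(record, password)


def dump_reveals_passwords(users):
    """Model the breach: list the users whose stored record is a usable
    credential (anything that is not a hash record) after a table dump."""
    return [u for u, rec in users.items() if not rec.startswith(RECORD_PREFIX)]


if __name__ == "__main__":
    plain, hardened = {}, {}
    store_plaintext(plain, "alice", "correct horse battery staple")   # constructed sample
    register(hardened, "alice", "correct horse battery staple")
    print("plaintext dump exposes:", dump_reveals_passwords(plain))
    print("hardened dump exposes:", dump_reveals_passwords(hardened))
    print("login ok:", login(hardened, "alice", "correct horse battery staple"))
    print("login wrong:", login(hardened, "alice", "Tr0ub4dor&3"))
```

The point for the "say what you do / do what you say" rule: a privacy policy that promises adequate security is a representation about the stored record, and the hardened store is what makes that representation true when the database eventually leaks. Changing the hash parameters later does not break existing logins, because each record carries its own iteration count and salt.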