The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Yesterday at FTC, President Obama Announced Plans for new data privacy and security laws: Comprehensive Data Privacy Law, Consumer Privacy Bill of Rights, and Student Digital Privacy Act

Yesterday afternoon, President Barak Obama gave a quip-filled speech at the Federal Trade Commission where he praised the FTC’s efforts in protecting American consumers over the past 100 years and unveiled his plans to implement legislation to protect American consumers from identity theft and to protect school children’s personal information from being used by marketers.   These plans build upon past legislative efforts and the Administration’s focus on cybersecurity, Big Data, and Consumer Protection.  Specifically, On February 23, 2012, the White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (the “Privacy Blueprint”) and in January 2014, President Obama asked his Counselor, John Podesta, to lead a working group to examine Big Data’s impact on government, citizens, businesses, and consumers.  The working group produced Big Data: Seizing Opportunities, Preserving Values on May 1, 2014.

In his speech, the President highlighted the need for increased privacy and security protections as more people go online to conduct their personal business—shop, manage bank accounts, pay bills, handle medical records, manage their “smart” homes, etc.—stating that “we shouldn’t have to forfeit our basic privacy when we go online to do our business”.  The President referenced his “Buy Secure” initiative that would combat credit card fraud through a “chip-and-pin” system for credit cards and credit-card readers issued by the United States government.  In that system, a microchip would be imbedded in a credit card and would replace a magnetic strip since microchips are harder than magnetic strips for thieves to clone.   A pin number would also need to be entered by the consumer into the credit card reader just as with an ATM or debit card.  The President praised those credit card issuers, banks, and lenders that allowed consumers to view their credit scores for free.   He also lauded the FTC’s efforts in the efforts to help identity theft victims by working with credit bureaus and by providing guidance to consumers on its website, identitytheft.gov.

The first piece of legislation the President discussed briefly was a comprehensive breach notification law that would require companies to notify consumers of a breach within 30 days and that would allow identity thieves to be prosecuted even when the criminal activity was done overseas. Currently, there is no federal breach notification law and many states have laws requiring companies to notify affected consumers and/or regulators depending on the type of information compromised and the jurisdiction in which the organization operates.  The state laws also require that breach notification letters to consumers should include certain information, such as information on the risks posed to the individual as a result of the breach along with steps to mitigate the harm.   This “patchwork of laws,” President Obama noted, is confusing to customers and costly for companies to comply with.  The plan to introduce a comprehensive breach notification law adopts the policy recommendation from the Big Data Report that Congress pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 2011 Cybersecurity legislative proposal.  Such legislation should impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.

The President next discussed the second piece of legislation he would propose, the Consumer Privacy Bill of Rights.  This initiative is not new.  Electronic Privacy Bills of Rights of 1998 and 1999 have been introduced.  In 2011, Senators John Kerry, John McCain, and Amy Klobucher introduced S.799 – Commercial Privacy Bill of Rights Act of 2011.   The Administration’s  Privacy Blueprint of February 23, 2012 set forth the Consumer Privacy Bill of Rights and, along with the Big Data Report, directed The Department of Commerce’s The National Telecommunications and Information Administration (NTIA) to seek comments from stakeholders in order to develop legally-enforceable codes of conduct that would apply the Consumer Privacy Bill of Rights to specific business contexts.

The Big Data Report of May 1, 2014 recommended that The Department of Commerce seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights draft and consider legislative text for the President to submit to Congress.  On May 21, 2014, Senator Robert Menendez introduced S.2378 – Commercial Privacy Bill of Rights Act of 2014.  The Consumer Privacy Bill of Rights set forth seven basic principles:

1) Individual control – Consumers have the right to exercise control over what information data companies collect about them and how it is used.

2) Transparency – Consumers have the right to easily understandable and accessible privacy and security practices.

3) Respect for context – Consumers expect that data companies will collect, use, and disclose the information they provided in ways consistent with the context it was provided.

4) Security – consumers have the right to secure and responsible handling of personal data.

5) Access and accuracy – Consumers have the right to access and correct their personal data in usable formats in a manner that is appropriate to the data’s sensitivity and the risk of adverse consequences if the data is not accurate.

6) Focused Collection – Consumers have the right to reasonable limits on the personal data that companies collect and retain.

7) Accountability – Consumers have the right to have companies that collect and use their data to have the appropriate methods in place to assure that they comply with the consumer bill of rights.

The President next discussed the third piece of legislation he would propose, the Student Digital Privacy Act.  The President noted how new educational technologies including tailored websites, apps, tablets, digital tutors and textbooks transform how children learn and help parents and teachers track students’ progress.  With these technologies, however, companies can mine student data for non-educational, commercial purposes such as targeted marketing.  The Student Privacy Act adopts the Big Data Report’s policy recommendation of ensuring that students’ data, collected and gathered in an educational context, is used for educational purposes and that students are protected against having their data shared or used inappropriately.  The President noted that the Student Digital Privacy Act would not “reinvent the wheel” but mirror on a federal level state legislation, specifically the California law to take effect next year that bars education technology companies from selling student data or using that data to target students with ads.   The current federal law that protects student’s privacy is the Family Educational Rights and Privacy Act of 1974, which does not protect against companies’ data mining that reveals student’s habits and profiles for targeted advertising but rather protects against official educational records from being released by schools. The President highlighted current self-regulation, the Student Privacy Pledge, signed by 75 education technology companies committing voluntary not to sell student information or use education technologies to send students targeted ads.  It has been discussed whether self-regulation would work and whether the proposed Act would go far enough.  The President remarked that parents want to make sure that children are being smart and safe online, it is their responsibility as parents to do so but that structure is needed for parents to ensure that information is not being gathered about students without their parents or the kids knowing about it.  This hinted at a notification requirement and opt-out for student data mining that is missing from state legislation but is a requirement of the Children’s Online Privacy Protection Act of 1998.  Specifically, COPPA requires companies and commercial website operators that direct online services to children under 13, collect personal information from children under 13, or that know they are collecting personal information from children under to children under 13 to provide parents with notice about the site’s information-collection practices, obtain verifiable consent from parents before collecting personal information, give parents a choice as to whether the personal information is going to be disclosed to third parties, and give parents access and the opportunity to delete the children’s personal information, among other things.

President Obama noted that his speech marked the first time in 80 years—since FDR—that a President has come to the FTC.   His speech at the FTC on Monday was the first of a three-part tour leading up to his State of the Union address.  Next, the President also planned to speak at the Department of Homeland Security on how the government can collaborate with the private sector to ward off cyber security attacks.  His final speak will take place in Iowa, where he will discuss how to bring faster, cheaper broadband access to more Americans.

Advertisements


Leave a comment

California Veto of Electronic Communication Bill Makes Case for Federal Action

This past weekend, California Gov. Jerry Brown vetoed legislation (SB 467) which would have would have required California law enforcement officials to get a warrant to access online communications. The current Federal statute governing the search and seizure of these records is the Electronic Communications Privacy Act, known as ECPA for short. Enacted in 1986, many commentators believe that portions of ECPA have outlived their usefulness and that the law must be changed; that was the goal of SB 467.

ECPA consists of three main parts: Title III which outlaws unauthorized wiretaps while establishing procedures for law enforcement; the Stored Communications Act which deals with government access to stored electronic communications; and procedures governing the installation and use of pen registers. It is the Stored Communications Act portion that has become the focus of reform attempts. Written at a time when only a fraction of the population was using computer networks to communicate, it permits law enforcement to obtain the contents of electronic communications without a warrant so long as they are at least 180 days old and stored on a third party computer. With the advent of remote servers, cloud computing, and other realities of the internet age, advocates have been hoping for a broad rewrite of this seemingly arcane standard.

Efforts to reform the Stored Communications Act had a fair bit of momentum in the Senate prior to the 2012 election but stalled before Congress adjourned. In March of this year, Judiciary Chairman Sen. Patrick Leahy (D-Vt) and Sen. Mike Lee (R-Ut) again introduced ECPA reform legislation to create a search warrant requirement for electronic communications stored on third party computers. The bill also requires a notice to the individual whose communications have been seized within ten days of the warrants execution. Similar legislation has been introduced in the House. Both chambers seemed poise to act, but like so many other issues in the current Congress, efforts have become stalled over budget and fiscal issues.
The proposed California law paralleled the proposed Senate legislation in many ways, but departed significantly in its notice requirement. SB 467 would have mandated that individuals receive notice of the warrant within three days, a time frame that is more compressed than the 10-days outlined in Chairman Leahy’s bill. This requirement brought out opposition within California’s law enforcement community with police and prosecutors expressing their doubts.
In his veto statement Gov. Brown gave voice to those concerns saying, “The bill, however, imposes new requirements that go beyond those required by federal law and could impede ongoing criminal investigations.”

With this veto the focus will again (once Congress solves/punts its fiscal fights) come back to the efforts of Sens. Lee and Leahy to move ECPA reform out of the Senate. With strong bipartisan backing, the question is more of when, not if, this happens.


Leave a comment

California Continues to Expand Consumer Privacy Protections, Enacting Further Amendments to CalOPPA and the Data Breach Notification Law

On September 27, California Governor Jerry Brown signed into law two bills—both to take effect January 1, 2014—that expand the online privacy protections for California residents.  These two new laws were the second and third enacted during September, as the Governor signed a bill imposing restrictions on the advertising of certain products marketed to minors earlier that week, and demonstrate that the California legislature continues to prioritize consumer privacy by amending its legislation to reflect changes in the way websites collect, and consumers provide, personal information online.

“Do Not Track” Disclosures

The first bill, AB 370, amends the California Online Privacy Protection Act (“CalOPPA”) (Cal. Bus. & Prof. Code § 22575 et seq.), requiring that the privacy policy posted on all commercial websites include a disclosure explaining how the website operator responds to mechanisms, such as “Do Not Track” signals, that provide consumers with the ability to exercise choice regarding personally identifiable information collection over time and across third-party websites.

The new law states that website operators may satisfy this requirement by providing a clear and conspicuous hyperlink in the privacy policy that links to a description, including the effects, of any program or protocol the operator follows that offers consumers that choice, but defines neither the content of the disclosure nor “do not track.”

Data Breach Notification for Disclosure of Online Account Access Information

The second bill, SB 46, amends California’s data breach notification law (Cal. Civ. Code § 1798 et seq.), adding to the definition of “personal information” certain information that would permit access to an online account, and imposing additional disclosure requirements if a breach involves personal information that would permit access to an online account or email account.  Specifically, the legislation adds to the definition of personal information “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”   A breach of this information, if unencrypted, of any California resident would trigger the state’s data breach notification obligations.

In the case of disclosure of this type of personal information, however, a company will be permitted to notify affected California residents by alternative means.  If the breach involves no other personal information, a company may notify the affected resident in electronic or other form that directs the resident to change his/her password and security question or answer, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts with the same user name or email address and password or security question and answer.

However, if the breach involves the login credentials of an email account furnished by the company, it cannot provide notification to that email address, but may provide notice by:  (1) one of the methods currently permitted under the law for notification of a breach of unencrypted personal information; or (2) by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the company knows the resident customarily accesses the account.


1 Comment

Amendments to CalOPPA Allow Minors to “Erase” Information from the Internet and Also Restricts Advertising Practices to Minors

On September 23, 2013, California Governor Jerry Brown signed SB568 into law, which adds new provisions to the California Online Privacy Protection Act. Officially called “Privacy Rights for California Minors in the Digital World,” the bill has already garnered the nickname of the “Internet Eraser Law,” because it affords California minors the ability to remove content or information previously posted on a Web site. The bill also imposes restrictions on advertising to California minors.

California Minors’ Right to Remove Online Content

Effective January 1, 2015, the bill requires online operators to provide a means by which California minors may remove online information posted by that minor. Online operators can elect to allow a minor to directly remove such information or can alternatively remove such information at a minor’s request. The bill further requires that online operators notify California minors of the right to remove previously-posted information.

Online operators do not need to allow removal of information in certain circumstances, including where (1) the content or information was posted by a third party; (2) state or federal law requires the operator or third party to retain such content or information; or (3) the operator anonymizes the content or information. The bill further clarifies that online operators need only remove the information from public view; the bill does not require wholesale deletion of the information from the online operator’s servers.

New Restrictions on Advertising to California Minors

Also effective January 1, 2015, the bill places new restrictions on advertising to California minors. The bill prohibits online services directed to minors from advertising certain products, including alcohol, firearms, tobacco, and tanning services. It further prohibits online operators from allowing third parties (e.g. advertising networks or plug-ins) to advertise certain products to minors. And where an advertising service is notified that a particular site is directed to minors, the bill restricts the types of products that can be advertised by that advertising service to minors.

Implications

Given the sheer number of California minors, these amendments to CalOPPA will likely have vast implications for online service providers. First, the bill extends not just to Web sites, but also to mobile apps, which is consistent with a general trend of governmental scrutiny of mobile apps. Online service providers should expect regulation of mobile apps to increase, as both California and the Federal Trade Commission have issued publications indicating concerns over mobile app privacy. Second, the bill also reflects an increased focus on privacy of children and minors. Developers should consider these privacy issues when designing Web sites and mobile apps, and design such products with the flexibility needed to adapt to changing legislation. Thus, any business involved in the online space should carefully review these amendments and ensure compliance before the January 1, 2015 deadline.



1 Comment

A Ballot Initiative Seeks to Add a Right to Privacy in PII to the California Constitution

The California Office of the Attorney General received on July 19 a ballot initiative request, the “California Personal Privacy Initiative.” Under California Law, every California elector has the right to submit a ballot initiative. The two proponents of the initiative are Steve Peace, a former California State Senator, and Michael Thorsnes, an attorney.

The initiative proposes to add an article XXXVI, Right to Privacy in Personally Identifying Information, to the California Constitution:

SECTION 1. Whenever a natural person supplies personally identifying information to a legal person that is engaged in collecting such information for a commercial or governmental purpose, the personally identifying information shall be presumed to be confidential.

SEC. 2. Harm to a natural person shall be presumed whenever his or her confidential personally identifying information has been disclosed without his or her authorization.

SEC. 3. Confidential personally identifying information may be disclosed without authorization if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and no reasonable alternative for accomplishing such compelling interest.

Section 1: PII Collection

Under the language of this section, personally identifying information (PII) provided by a data subject to either a private entity or to the government would be presumed to be confidential. In other words, PII would be confidential by default and entities wanting to process PII would have to first secure the consent of the data subject. The initiative, if enacted, would make opt in the only legal option for choice and consent in California.

The initiative defines PII broadly as “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.” Under that definition, even information rendered anonymous but which could be re-identified would be protected.

Section 2: Harm

Harm would be presumed if the PII has been disclosed without the data subject’s authorization, and that would be very protective of consumers’ interests, as proving harm is notoriously difficult for victims of data breaches or improper data collection. However, in Krottner v. Starbucks, the 9th Circuit found in 2010 that plaintiff faced a credible threat of harm and thus met the injury-in-fact requirement for standing under Article III because of the theft of a laptop containing unencrypted personal data.

But in a recent California case, Yunker v. Pandora Media, the plaintiff had argued that Pandora’s alleged conduct had diminished the value of his PII, decreased the memory space on his mobile device, that disclosure of his PII had put him at risk of future harm, and that Pandora had invaded his constitutional right to privacy when allegedly disseminating his PII to third parties.

The Northern District Court of California found that the facts were not sufficient to prove decreasing memory space and diminished value of PII, and that the mere possibility of future harm was insufficient to establish standing. However, the court found that plaintiff had standing with respect to Pandora’s alleged violations of the constitutional right to privacy.

Under the initiative, plaintiff would no longer have to prove he suffered harm: the defendant would have to prove plaintiff suffered no harm.

Section 3: Countervailing Compelling Interest

The right to the privacy in one’s PII would not be absolute and would have to bend to countervailing interests. For instance, law enforcement would nevertheless have access to PII in order to protect public safety. Would the threat to public safety have to be immediate, or would a general mission of protecting safety be enough to override privacy interests? In the wake of the PRISM scandal, this question is particularly salient.

Another countervailing interest cited by the initiative is non-commercial free speech. One remembers that the Supreme Court held in 2010 in IMS Health, Inc. v. Sorrell that a Vermont prescription privacy law barring disclosure of prescription data for marketing purposes was unconstitutional as it violated the free speech rights of data brokers. Under a new article XXXVI, commercial free speech would not be considered a compelling interest, and thus data brokers would not be able to invoke a free speech defense.

What’s next? Under California law, Election Code § 9001, the Attorney General must now prepare a circulating title and a summary of the initiative within 15 days of the receipt. An initiative petition must then be presented to the Secretary of State and be certified by local election officials to have been signed by a specified number of qualified registered voters.

But the broad scope of the initiative may be its nemesis, as it may trigger intense lobbying against it. Even if enacted, companies may chose to block access to many of their services or products unless the data subject provides a general and broad opt in consent, to the detriment of a more granular consent.