The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Yesterday at FTC, President Obama Announced Plans for new data privacy and security laws: Comprehensive Data Privacy Law, Consumer Privacy Bill of Rights, and Student Digital Privacy Act

Yesterday afternoon, President Barak Obama gave a quip-filled speech at the Federal Trade Commission where he praised the FTC’s efforts in protecting American consumers over the past 100 years and unveiled his plans to implement legislation to protect American consumers from identity theft and to protect school children’s personal information from being used by marketers.   These plans build upon past legislative efforts and the Administration’s focus on cybersecurity, Big Data, and Consumer Protection.  Specifically, On February 23, 2012, the White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (the “Privacy Blueprint”) and in January 2014, President Obama asked his Counselor, John Podesta, to lead a working group to examine Big Data’s impact on government, citizens, businesses, and consumers.  The working group produced Big Data: Seizing Opportunities, Preserving Values on May 1, 2014.

In his speech, the President highlighted the need for increased privacy and security protections as more people go online to conduct their personal business—shop, manage bank accounts, pay bills, handle medical records, manage their “smart” homes, etc.—stating that “we shouldn’t have to forfeit our basic privacy when we go online to do our business”.  The President referenced his “Buy Secure” initiative that would combat credit card fraud through a “chip-and-pin” system for credit cards and credit-card readers issued by the United States government.  In that system, a microchip would be imbedded in a credit card and would replace a magnetic strip since microchips are harder than magnetic strips for thieves to clone.   A pin number would also need to be entered by the consumer into the credit card reader just as with an ATM or debit card.  The President praised those credit card issuers, banks, and lenders that allowed consumers to view their credit scores for free.   He also lauded the FTC’s efforts in the efforts to help identity theft victims by working with credit bureaus and by providing guidance to consumers on its website, identitytheft.gov.

The first piece of legislation the President discussed briefly was a comprehensive breach notification law that would require companies to notify consumers of a breach within 30 days and that would allow identity thieves to be prosecuted even when the criminal activity was done overseas. Currently, there is no federal breach notification law and many states have laws requiring companies to notify affected consumers and/or regulators depending on the type of information compromised and the jurisdiction in which the organization operates.  The state laws also require that breach notification letters to consumers should include certain information, such as information on the risks posed to the individual as a result of the breach along with steps to mitigate the harm.   This “patchwork of laws,” President Obama noted, is confusing to customers and costly for companies to comply with.  The plan to introduce a comprehensive breach notification law adopts the policy recommendation from the Big Data Report that Congress pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 2011 Cybersecurity legislative proposal.  Such legislation should impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.

The President next discussed the second piece of legislation he would propose, the Consumer Privacy Bill of Rights.  This initiative is not new.  Electronic Privacy Bills of Rights of 1998 and 1999 have been introduced.  In 2011, Senators John Kerry, John McCain, and Amy Klobucher introduced S.799 – Commercial Privacy Bill of Rights Act of 2011.   The Administration’s  Privacy Blueprint of February 23, 2012 set forth the Consumer Privacy Bill of Rights and, along with the Big Data Report, directed The Department of Commerce’s The National Telecommunications and Information Administration (NTIA) to seek comments from stakeholders in order to develop legally-enforceable codes of conduct that would apply the Consumer Privacy Bill of Rights to specific business contexts.

The Big Data Report of May 1, 2014 recommended that The Department of Commerce seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights draft and consider legislative text for the President to submit to Congress.  On May 21, 2014, Senator Robert Menendez introduced S.2378 – Commercial Privacy Bill of Rights Act of 2014.  The Consumer Privacy Bill of Rights set forth seven basic principles:

1) Individual control – Consumers have the right to exercise control over what information data companies collect about them and how it is used.

2) Transparency – Consumers have the right to easily understandable and accessible privacy and security practices.

3) Respect for context – Consumers expect that data companies will collect, use, and disclose the information they provided in ways consistent with the context it was provided.

4) Security – consumers have the right to secure and responsible handling of personal data.

5) Access and accuracy – Consumers have the right to access and correct their personal data in usable formats in a manner that is appropriate to the data’s sensitivity and the risk of adverse consequences if the data is not accurate.

6) Focused Collection – Consumers have the right to reasonable limits on the personal data that companies collect and retain.

7) Accountability – Consumers have the right to have companies that collect and use their data to have the appropriate methods in place to assure that they comply with the consumer bill of rights.

The President next discussed the third piece of legislation he would propose, the Student Digital Privacy Act.  The President noted how new educational technologies including tailored websites, apps, tablets, digital tutors and textbooks transform how children learn and help parents and teachers track students’ progress.  With these technologies, however, companies can mine student data for non-educational, commercial purposes such as targeted marketing.  The Student Privacy Act adopts the Big Data Report’s policy recommendation of ensuring that students’ data, collected and gathered in an educational context, is used for educational purposes and that students are protected against having their data shared or used inappropriately.  The President noted that the Student Digital Privacy Act would not “reinvent the wheel” but mirror on a federal level state legislation, specifically the California law to take effect next year that bars education technology companies from selling student data or using that data to target students with ads.   The current federal law that protects student’s privacy is the Family Educational Rights and Privacy Act of 1974, which does not protect against companies’ data mining that reveals student’s habits and profiles for targeted advertising but rather protects against official educational records from being released by schools. The President highlighted current self-regulation, the Student Privacy Pledge, signed by 75 education technology companies committing voluntary not to sell student information or use education technologies to send students targeted ads.  It has been discussed whether self-regulation would work and whether the proposed Act would go far enough.  The President remarked that parents want to make sure that children are being smart and safe online, it is their responsibility as parents to do so but that structure is needed for parents to ensure that information is not being gathered about students without their parents or the kids knowing about it.  This hinted at a notification requirement and opt-out for student data mining that is missing from state legislation but is a requirement of the Children’s Online Privacy Protection Act of 1998.  Specifically, COPPA requires companies and commercial website operators that direct online services to children under 13, collect personal information from children under 13, or that know they are collecting personal information from children under to children under 13 to provide parents with notice about the site’s information-collection practices, obtain verifiable consent from parents before collecting personal information, give parents a choice as to whether the personal information is going to be disclosed to third parties, and give parents access and the opportunity to delete the children’s personal information, among other things.

President Obama noted that his speech marked the first time in 80 years—since FDR—that a President has come to the FTC.   His speech at the FTC on Monday was the first of a three-part tour leading up to his State of the Union address.  Next, the President also planned to speak at the Department of Homeland Security on how the government can collaborate with the private sector to ward off cyber security attacks.  His final speak will take place in Iowa, where he will discuss how to bring faster, cheaper broadband access to more Americans.

Advertisements


Leave a comment

The FTC Publishes a Staff Report on Mobile Apps for Children and Privacy

The Federal Trade Commission (FTC) just released a Staff Report (the Report) titled ‘Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing.

 

Mobile Applications (Apps) are getting increasingly popular among children and teenagers, even very young. Indeed, the Report found out that 11% of the apps sold by Apple have toddlers as their intended audience (Report p. 6). Apps geared to children are often either free or inexpensive, which makes them easy to purchase, even on a pocket-money budget (Report p. 7-8).

As such, according to the Report, these apps seem to be intended for children’s use, and some may even be “directed to children” within the meaning of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s implementing Rule (the Rule). The Rule defines what is a “[w]ebsite or online service directed to children”) at 16 C.F.R. § 312.2. Under COPPA and the Rule, operators of online services directed to children under age 13 of age must provide notice and obtain parental consent before collecting children’s personal information. This includes apps. Yet, the FTC staff was unable, in most instances, to find out whether an app collected any data, or, if it did, the type of data collected, the purpose for collecting it, and who collected or obtained access to such data (Report p. 10).

 

‘The mobile app market place is growing at a tremendous speed, and many consumer protections, including privacy and privacy disclosures, have not kept pace with this development’ (Report p.3)

 

Downloading an app on a smart phone may an impact on children’s privacy, as apps are able to gather personal information such as the geolocation of the user, her phone number or a list of contacts, and this, without her parent’s knowledge. Indeed, if app stores and operating systems provide rating systems and controls which allow parents to restrict access to mobile content and features, and even to limit data collection, they do not provide information about which data is collected and whether it is shared. (Report, p. 15)

 

The Report concludes by recommending that app stores, app developers, and third parties providing services within apps, increase their efforts to provide parents with “clear, concise and timely information” about apps download by children. Parents would then be able to know, before downloading an app, what data will be collected, how it will be used, and who will obtain access to this data (Report p. 17). This should be done by using “simple and short disclosures or icons that are easy to find and understand on the small screen of a mobile device.” (Report p. 3)

 

One remembers that United States of America v. W3 Innovations, LLC, in August 2011, was the first FTC case involving mobile applications.

 


Leave a comment

Federal Trade Commission is Seeking the Public’s Comments on COPPA Rule

The Federal Trade Commission (FTC) is seeking comments from the general public on proposed amendments to the Children’s Online Privacy Protection Rule (COPPA Rule or the Rule).

The Children’s Online Privacy Protection Act (COPPA) was passed in 1998. It required the FTC to issue regulations regarding the collection of children’s personal information by operators of websites or online services directed to children under 13, and to enforce these regulations. The COPPA Rule was issued in November 1999, and became effective on April 21, 2000.

The COPPA Rule required the FTC, no later than April 21, 2005, to do a review of the Rule and to report the results of this review to Congress. The FTC sought public comments in 2005 on the Rule, and also sought additional comments on the COPPA Rule’s sliding scale approach to obtaining parental consent, which takes into account how children’s collected information  will be used. The FTC announced in April 2006 its decision to retain the COPPA Rule without changes.

In March 2010, the FTC asked the public to comment on whether changes to technology warrant changes to the COPPA Rule. The FTC also held a public roundtable during the comment period to discuss COPPA’s definitions of “Internet,” “website,” and “online service” as they apply to new devices and technologies.

After reviewing these public comments, the FTC is now proposing to amend the COPPA Rule. It proposes to modify some of the Rule’s definitions, and to update the requirements for parental consent, confidentiality and security, and safe harbor provisions. The FTC also proposes to add a new provision addressing data retention and deletion.

Parental Consent (16 CFR 312.5):

(p. 59 and following)

The FTC proposes to eliminate the “email plus” method for parental consent. This method allows operators to obtain verifiable parental consent through an email from the parent, but the email must be coupled with an additional step, such as postal address or telephone number from the parent, and confirming the parent’s consent by letter or telephone.

The FTC found that electronic scans and video conferencing technologies are functionally equivalent to the written and oral methods of parental consent originally recognized by the FTC in 1999. Therefore, the FTC proposes to recognize these two methods as a way to obtain verifiable parental consent.  The FTC also proposes to allow operators to collect a form of government-issued identification (driver’s license, truncated social security number) from the parent, as a way to verify the parent’s identity, provided that the parent’s identification is deleted “promptly” once the verification is done (p. 63).

Confidentiality, Security, and Integrity of Personal Information Collected From Children (16 CFR 312.8):

(p. 76 and following)

The Commission proposes to amend § 312.8 to strengthen the provision for maintaining the confidentiality, security, and integrity of personal information. The FTC thus proposes adding a requirement that “operators take reasonable measures to ensure that any service provider or third party to whom they release children’s personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information.” Indeed, COPPA requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, but does not explain what would be the data security obligations of third parties.

The FTC Commission proposes to amend § 312.8 to add:

 

The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. The operator must take reasonable measures to ensure that any service provider or any third party to whom it releases children’s personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information.”

 

Safe Harbors (current 16 CFR 312.10, proposed 16 CFR 312.11):

(p. 80 and following)

COPPA established a “safe harbor” for participants in FTC-approved COPPA self-regulatory programs: compliance with these programs serve as a “safe harbor” against an FTC’s enforcement action. Such programs are, for example, the Children’s Advertising Review Unit of the Council of Better Business Bureaus, or TRUSTe.

The FTC proposes to amend paragraph (b)(2) of the safe harbor provisions of the Rule to read:

An effective, mandatory mechanism for the independent assessment of subject operators’ compliance with the self regulatory program guidelines . At a minimum, this mechanism must include a comprehensive review by the safe harbor program, to be conducted not less than annually, of each subject operator’s information policies, practices, and representations. The assessment mechanism required under this paragraph can be provided by an independent enforcement program, such as a seal program.”

Data Retention and Deletion Requirements (proposed 16 CFR 312.10):

(p. 78 and following)

The FTC proposes to add new data retention and deletion provisions. Operators would retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. Also, operators would have to delete this information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

The new data retention and deletion provision (§ 312.10) would read:

“An operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”

Written comments must be received on or before November 28, 2011.