Digital Privacy and Data Protection

© 2014 Lathrop & Gage LLP. Digital Privacy and Data Protection, ACC Colorado Happy Hour CLE, March 13, 2014

Upload: yoko

Post on 25-Feb-2016

DESCRIPTION

Digital Privacy and Data Protection. ACC Colorado Happy Hour CLE, March 13, 2014. Presenters: Tom Leland – Partner and Co-Chair, Business Litigation Team, Lathrop & Gage LLP, Denver. PowerPoint PPT Presentation.

TRANSCRIPT

Page 1: Digital Privacy and Data Protection

Digital Privacy and Data Protection

ACC Colorado Happy Hour CLE

March 13, 2014

Page 2: Digital Privacy and Data Protection

Presenters

• Tom Leland – Partner and Co-Chair, Business Litigation Team, Lathrop & Gage LLP, Denver
• Bryan Clark – Associate, Digital Privacy and Data Protection Practice Group, CIPP/US, Lathrop & Gage LLP, Chicago
• Michael Jones – Global Privacy Program Manager, CIPP/US, Monster Worldwide, Inc., Boston

Page 3: Digital Privacy and Data Protection

Overview of Agenda

• United States statutory framework
• EU privacy framework
• Technological background
• Recent regulatory developments
• Recent litigation developments

Page 4: Digital Privacy and Data Protection

Key Privacy Laws in the United States

• Gramm-Leach-Bliley Act for financial information
• Health Information Portability and Accountability Act (HIPAA) for health information
• FTC Act for all other personal information
  • Section 5 prohibits unfair or deceptive trade practices

Page 5: Digital Privacy and Data Protection

EU Privacy Laws and Directives

• Privacy is a fundamental human right
• Data Protection Directive 95/46/EC
  • Not prescriptive
  • Required each member country to pass a data protection law
• Directive on Privacy and Electronic Communication 2002/58
  • Amended by Directive 2009/136 (“Cookie Directive”)

Page 6: Digital Privacy and Data Protection

Privacy in the EU

• Differs from privacy in the US
  • In the US, little privacy rights in public
  • In the EU, right to privacy extends farther
• Consent based model
• Convictions of Google executives in Italy
• Google fought Spain’s AEPD in EU court over forced removal of names from Google search results. Google ultimately won

Page 7: Digital Privacy and Data Protection

Data Transfers

• EU generally prohibits transfer of personal information outside of the EU
• Enter Safe Harbor
  • Negotiated by the US Department of Commerce
  • US orgs voluntarily agree to EU standards in exchange for being permitted to export personal data to US

Page 8: Digital Privacy and Data Protection

Social Networking

Marketing
• CAN-SPAM
• Canada’s Anti-Spam Legislation (CASL)
  • Takes effect on July 1, 2014
  • Prohibits sending unsolicited commercial electronic messages
  • More stringent than CAN-SPAM

Employment
• Many states have prohibited requesting social media account credentials as part of a job application
• False friending – “A lawyer may not attempt to gain access to a social networking website under false pretenses, either directly or through an agent” – NY State Bar Association – Formal Opinion

Page 9: Digital Privacy and Data Protection

Social Networking

CAN-SPAM

National Labor Relations Act
• Costco Wholesale Corp., 358 NLRB No. 106 (Sept. 7, 2012)
• Costco employee handbook stated “statements posted electronically (such as [to] online message boards or discussion groups) that damage the Company, defame any individual or damage any person’s reputation, or violate the policies outlined in the Costco Employee Agreement, may be subject to discipline”
• NLRB found this policy was overbroad because it has a tendency to inhibit protected employee activity
• Lesson: ensure social media policy does not prohibit any protected activity

Page 10: Digital Privacy and Data Protection

Online Advertising

Beacons, and cookies, and trackers, oh my!

Page 11: Digital Privacy and Data Protection

Page 12: Digital Privacy and Data Protection

User Tracking

Analytics

User Experience

Advertising
• First-party: contextual, behavioral
• Third-party: behavioral, retargeting

Page 13: Digital Privacy and Data Protection

Tracking Technology

Cookies
• HTTP
• HTML
• Flash
• Cache

Device fingerprinting
• Combines browser data to uniquely identify a computer
• Fingerprint not stored on local user’s machine

Deep packet inspection
• Done at the ISP level
• Observes all traffic going through the user’s internet connection

Page 14: Digital Privacy and Data Protection

Actors: User, ISP, Website (Publisher), Ad Network, Advertiser

1. User enters URL into browser
2. User’s computer contacts ISP’s DNS to resolve URL into an IP address
3. User’s browser contacts IP address
4. HTML builds site, including instructions for user’s computer to contact ad server
5. User transmits cookie data to ad network
6. Ad network chooses advertiser to match cookie
7. Ad network serves targeted ad
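The seven-step flow above, simulated as an added example that is not part of the presentation: a browser whose cookie jar is keyed by host visits two unrelated publishers that both embed the same ad network, so the identifier cookie set during the first visit is replayed on the second (steps 5 to 7), and the second page shows a retargeted rather than contextual ad. All hostnames, site categories and advertiser names are constructed; the `block_third_party` switch shows the mitigation of refusing cookies in a third-party context.

```python
# Added simulation; hostnames, site categories and advertisers are constructed.
AD_NETWORK = "ads.network.test"
SITES = {"news.test": "news", "shoes.test": "shopping"}      # publisher -> context
ADVERTISERS = {"news": "NewspaperCo", "shopping": "ShoeCo"}  # context -> advertiser


class Browser:
    """Cookie jar keyed by host: a request carries only the target host's cookies."""

    def __init__(self, block_third_party=False):
        self.jar = {}                         # host -> {cookie name: value}
        self.block_third_party = block_third_party

    def get(self, host, page_host, handler):
        third_party = host != page_host       # embedded resource, not the page itself
        blocked = third_party and self.block_third_party
        sent = {} if blocked else dict(self.jar.get(host, {}))   # step 5
        body, set_cookie = handler(sent)
        if set_cookie and not blocked:        # mitigation: refuse third-party cookies
            self.jar.setdefault(host, {}).update(set_cookie)
        return body


class AdNetwork:
    """Mints an id cookie per browser and keeps a browsing profile for each id."""

    def __init__(self):
        self.profiles = {}                    # uid -> list of contexts seen
        self.counter = 0

    def serve(self, cookies, context):
        uid = cookies.get("uid")
        if uid is None:                       # first contact: new identifier
            self.counter += 1
            uid = f"u{self.counter}"
        seen = self.profiles.setdefault(uid, [])
        seen.append(context)
        ad = ADVERTISERS[seen[0]]             # steps 6-7: retarget on earliest interest
        return {"uid": uid, "ad": ad}, {"uid": uid}


def visit(browser, site, network):
    # Step 4: the publisher's HTML tells the browser to fetch a resource from the ad host.
    html = f'<script src="https://{AD_NETWORK}/ad?ctx={SITES[site]}"></script>'
    ctx = html.split("ctx=")[1].split('"')[0]
    # Step 5: that fetch is third-party and carries only the ad host's cookies.
    return browser.get(AD_NETWORK, site, lambda c: network.serve(c, ctx))


def track_across_sites(block_third_party=False):
    """Visit two unrelated publishers; return what the ad network served each time."""
    browser, network = Browser(block_third_party), AdNetwork()
    return [visit(browser, site, network) for site in SITES]
```

With third-party cookies allowed, both visits resolve to the same identifier and the shoe site shows the newspaper's retargeted ad; with them blocked, the second visit gets a fresh identifier and a contextual ad.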

Page 15: Digital Privacy and Data Protection

Trends and Initiatives in OBA

US
• FTC Principles
• Self Regulatory Principles for Online Behavioral Advertising
• FTC Preliminary Staff Report
• Endorses “Do Not Track” to Facilitate Consumer Choice About Online Tracking.
• FTC criticizes the industry for moving too slowly.
• DOC Preliminary Greenpaper
• Icon (Currently Rolling Out)
• BBB and DMA are beginning enforcement
• Google and Yahoo moving to the DAA’s icon
• Chitika

EU
• Cookie Directive
• A coalition of the leading European advertising and publishing trade associations is planning to roll out a self-regulatory program similar to the US program.
• Yahoo has just rolled out its ad icon in the EU, similar to that available in the US.

Page 16: Digital Privacy and Data Protection

Data Security

• Several states have data security laws: CA, MA, TX
• 46 states have breach notification laws
  • Financial account information, state-issued identification number, SSN
• Federal data security standard set by NIST Special Publication 800-53 (Rev 4)
  • Currently voluntary standard

Page 17: Digital Privacy and Data Protection

Encryption

Data in transit
• SFTP – Secure file transfer protocol
• HTTPS – Secure delivery of web pages

Data at rest
• AES 256 – Meets FIPS 140-2 requirements for government encryption
• Hash functions – For data that does not need to be read, only verified

Page 18: Digital Privacy and Data Protection

Security Trends in Privacy

• Encryption
• Role based access – Limiting access to those who need it
• Information-centric security – Protecting information based on type of data, not location of data
• Increased attention to authentication
• Token protection – APIs that let you interact with a site while on a third party site (e.g., Facebook’s “like” button)

Page 19: Digital Privacy and Data Protection

Recent Regulatory Developments

• Points of emphasis for FTC
  • Comments from Commissioner last week
• New regulations under Telephone Consumer Protection Act, 47 U.S.C. 227 (“TCPA”)
  • Went into effect October 16, 2013
  • Written express consent is the key

Page 20: Digital Privacy and Data Protection

Recent Litigation Developments

• Article III standing
• Mooting
• Attempts to strike class allegations pre-discovery
• Hobbs Act
• Implied consent
• ATDS/capacity
• Confirmatory opt-out

Page 21: Digital Privacy and Data Protection

Article III Standing

Under Article III, a plaintiff must allege facts sufficient to show (1) injury in fact, (2) causation, and (3) redressability. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992).

LaCourt v. Specific Media, Inc., 2011 WL 1661532, at *5 (C.D. Cal. Apr. 28, 2011) (“If Plaintiffs are suggesting that their computers’ performance was compromised . . . they need to allege facts showing that this is true.”).

Yunker v. Pandora Media, Inc., 2013 WL 1282980, *5-6 (N.D. Cal. March 26, 2013) (reasoning in part that amorphous claims of decreased memory space and potential future harm were insufficient to establish standing).

Page 22: Digital Privacy and Data Protection

Mooting

“[O]nce the defendant offers to satisfy the plaintiff’s entire demand, there is no dispute over which to litigate, and a plaintiff who refuses to acknowledge this loses outright . . . because [he] has no remaining stake.” Damasco v. Clearwire Corp., 662 F.3d 891, 895 (7th Cir. 2012).

“If an intervening circumstance deprives the plaintiff of a ‘personal stake in the outcome of the lawsuit,’ at any point during litigation, the action can no longer proceed and must be dismissed as moot. . . . [T]he mere presence of collective-action allegations in the complaint cannot save the suit from mootness once the individual claim is satisfied.” Id. at 1529. Genesis Healthcare v. Symczyk, 133 S.Ct. 1523, 1528-29 (2013).

Page 23: Digital Privacy and Data Protection

Striking Class Allegations

Theory is to attack class allegations and defeat certification before expending significant resources in discovery. Approach has had limited success, but it is gaining some traction lately. See, e.g., Labou v. Cellco Partnership, 2014 WL 824225 (E.D. Cal. March 3, 2014).

Page 24: Digital Privacy and Data Protection

Hobbs Act

The question here is the degree to which the Court can rule on FCC interpretations (such as whether a text message is a call under the TCPA). The Hobbs Act provides in part that “[t]he court of appeals ... has exclusive jurisdiction to enjoin, set aside, suspend (in whole or in part), or to determine the validity of all final orders of the Federal Communications Commission made reviewable by section 402(a) of title 47.” 28 U.S.C. § 2342(1).

Courts have treated this in different ways. Compare Leyse v. Clear Channel Broadcasting, Inc., 697 F.3d 360 (6th Cir. 2012) (“A case that is not a proceeding to enjoin or annul an FCC order lies outside the ambit of [the Hobbs Act]”); Nack v. Walburg, 715 F.3d 680 (8th Cir. 2013) (holding that the court is bound by the FCC interpretation of the TCPA because of the Hobbs Act).

Page 25: Digital Privacy and Data Protection

Implied Consent (TCPA)

A hot issue in the TCPA context is whether a consumer can give consent to receive a text message by providing his or her cell phone number.

Baird v. Sabre, Inc., 2014 WL 320205 (C.D. Cal. Jan. 28, 2014), was one of the most recent federal decisions to hold that provision of a cell phone number is consent to receive a text message.

Other cases to watch: Coca-Cola cases in S.D. Cal. and N.D. Ala.

Page 26: Digital Privacy and Data Protection

ATDS/Capacity (TCPA)

Another key issue in TCPA cases relating to the autodialer provision is whether the equipment at issue has merely the “capacity” to autodial, or whether that capacity is actually being used.

Gragg v. Orange Cab Co., 2014 WL 801305 (W.D. Wash. Feb. 28, 2014) is one of the most recent authorities in this area and holds that mere capacity is not enough.

However, many courts have held (based on the strict statutory language) that capacity is all that is required.

Page 27: Digital Privacy and Data Protection

Confirmatory Opt-Out (TCPA)

Mixed results.

Ibey v. Taco Bell Corp., Case No. 12-cv-0583 (S.D. Cal.): Dismissal where case was based on single, confirmatory text.

Ryabyshchuk v. Citibank (South Dakota) N.A., Case No. 11-cv-1236, (S.D. Cal.): Denying motion to dismiss where case was based on single, confirmatory text.