location, location, location: risks and rewards of ... · risks and rewards of location-based...

Location, Location, Location: Risks and Rewards of

Location-Based Services

Breakout Session Friday, March 8, 2013

8:15AM – 9:45AM

Speakers: Karen L. Neuman Michelle M. Shanahan S. Jenell Trigg, CIPP/US

© Copyright 2013 – IAPP Global Privacy Summit – Location, Location, Location: Risks and Rewards of Location-Based Services

2

SPEAKERS

• Karen L. Neuman, Partner, St. Ledger-Roty Neuman & Olson, LLP, Washington, DC

• Michelle M. Shanahan, Senior Associate General Counsel and Assistant Secretary, National Public Radio, Washington, DC

• S. Jenell Trigg, CIPP/US, Member, Lerman Senter PLLC, Washington, DC


3

SESSION ROADMAP

• Overview of various LBS technology

• Rules of the Road / Compliance

• Lessons Learned via Litigation

• Negotiating with Service Providers

• Contract Review Interactive Exercise

• Best Practices

• Other Considerations

• Action Items


4

WHAT IS LBS & HOW DOES IT WORK?

• What is LBS?

– Services that use a variety of technologies to track, monitor, or identify the real-time geographic location of a computer, mobile device, auto, object or individual

• Rapidly growing number of services are provided for consumer, business and government use

– Potentially Sensitive Personal Information

• FTC Report – Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012)

• FTC Report - Mobile Privacy Disclosures: Building Trust Through Transparency (Feb. 2013)

• Updated COPPA Rule, 16 CFR Part 312 (Dec. 2012)


5

WHAT IS LBS, CONT’D.

• Typically made available via:

– WAP

– Wi-Fi

– WLAN

– Downloadable software (Java, BREW, Symbian, mobile applications, QR Codes, etc.)

– Voice or text messaging

– Website

– Social Media Platform


6

OVERVIEW OF TECHNOLOGY & HOW DOES IT WORK?

• Global Positioning Systems (GPS)

– Via GPS chip installed in device/auto that allow calculation of position of device/auto within 10 meters or less using satellite technology

• Global System for Mobile Communications (GSM)

– Via installed GPS chip & triangulation to determine location or radio frequency & multilateration to locate GSM devices

– Via cell network use of triangulation between known geographic coordinates of network base stations

• Bluecasting (AKA Proximity Marketing)

– Via local servers with short range of up to 100 meters that deliver messages to Bluetooth-enabled device in close physical proximity to server


7

OVERVIEW OF TECHNOLOGY CONT’D.

• Near Field Communications (NFC)

– Limited-range wireless technology that enables exchange of data between phone and microchip (or similar technology embedded in a mobile device), and terminal that enables POS transactions, or emerging uses

– Identifying and directing people to location-based services and products through NFC-equipped accessories, like wristbands or payment or other cards.


8


• Geofencing

– Via feature of software program that uses GPS or RFID to define geographic boundaries; triggers set by administrator can determine when boundary is breached

• WLAN

– Provides wireless network communication over short distances using radio or infrared signal by attaching “Access Point” (AP) to edge of the wired network.

• Communication with AP accomplished by using wireless network adapter.

• WLANs that connect to the Internet use WAP technology to allow Web content to be downloaded to WLAN and accessed via mobile device.


9


• Wi-Fi

– Via Wi-Fi technologies in handheld devices that scan their surroundings for known or open networks

• Downloadable Software

– Java, BREW, Symbian: Various computing platforms

– Mobile Apps: Software or services accessible via smartphones that provide and/or integrate location-based oriented services

– Quick Response (QR) Codes: Type of two dimensional bar code that is used to deliver information via a smartphone


10


• Short Messaging Services (SMS)

– 160 character message sent between fixed or portable devices (two or more mobile phones) or over phone network

– Merchants “find” nearby customers; ask them to text a key word/short code, enter contest, download app, “check-in” or other means of consenting to the receipt of LBS, including geofencing texts

• Tailored message sent to mobile phone/device, i.e., coupon, reward or other incentive.


11


• Radio Frequency Identification (RFID)

– Via passive (antenna) or active (battery-operated) tags that serves as data reading technology applied to or embedded in goods, equipment, or people

• Internet Protocol (IP) Addresses

– Location determined by comparing computer user’s public Internet IP address with known locations of other neighboring servers and routers


12

LBS USES

• Targeted local advertising

– Mobile coupons

– Digital loyalty

• Targeted political advertising/campaigning

• In-vehicle navigation; connected car apps

• News, weather, traffic & other alerts

– LBS as a means to increase content engagement

• Location sharing; social check-in

• Fleet tracking

• Internet Search

• Financial Management


13

LBS USES CONT’D

• Education

• Equipment tracking

• Device Management

• Proximity payments

• Identify resources & services

– taxi/car sharing; restaurants; gas/charging stations; retail; and real estate)

• Gaming

• Contests/Sweepstakes/Promotions

• Dating Services


14

LBS: OTHER USES

• Law enforcement

• Emergency 911

• Telecom carrier services

• Internet services


15

COMPLIANCE - RULES OF THE ROAD KEY PLAYERS

• Federal Communications Commission

– Authority over telecommunications service providers over both interstate & intrastate services

• Federal Trade Commission

– Broad consumer protection powers under Section 5 of FTC Act

– Granted specific powers to issue & enforce rules under certain statutes

• U.S. Dept. of Justice

– Law enforcement authority for domestic and international unlawful uses of LBS


16

KEY PLAYERS CONT’D

• State Attorneys General & Consumer Protection Agencies

– Concurrent authority with FCC, FTC under certain statutes

– State laws can be more restrictive

• Plaintiff’s Bar

– Effectively making policy through class action lawsuits

• Mobile Marketing

• Undisclosed Tracking & Monitoring

• Undisclosed Collection and Use of Personal Information

• Unauthorized exposure to Children/Minors


17

COMPLIANCE RULES OF THE ROAD: KEY PRINCIPLES

• Generally, must get prior express consent to collect, use, store, and disclose location-based information.

• Can’t contract away liability for noncompliance with the law.

• Can’t send wireless communication to get consent to send a wireless communication.


18

COMPLIANCE- RULES OF THE ROAD

WHAT LAWS APPLY

• LBS services subject to:

– Federal and state statutes, regulations and guidelines

– Industry self-regulatory programs and guidelines

– Contract law

– Common law


19

COMPLIANCE- RULES OF THE ROAD

WHAT LAWS APPLY: FEDERAL

• Telephone Consumer Protection Act (TCPA) (FCC)

– 47 USC §227 and 47 CFR §64.1200

– Governs interstate and intrastate telephone calls (including voice, SMS/text messages, tweets and pre-recorded calls)

– Established Do Not Call Registry (DNC)

– Established Business Relationship (EBR) for voice calls to residential numbers but not to wireless devices or for pre-recorded calls


20

– Prohibits sending any message to wireless device via equipment w/capacity to use Automatic Telephone Dialing System (ATDS) without first obtaining written express consent

– Strict liability statute for principles and their agents (but under challenge)

– Private Right of Action with statutory damages • $500 per violation/$1500 if intentional/willful

TCPA CONT’D


21

TCPA DEVELOPMENTS & TRENDS

• FCC Final Report & Order (Feb. 12, 2012) updating Robocall rules:

– Requires prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers or residential lines

• Consent can be electronic if ESIGN Act compliant

– Purely informational non-telemarketing calls & commercial calls that don’t contain ads subject only to prior express consent

– Eliminated EBR exemption for pre-recorded calls to residential numbers (DNC EBR for voice was retained)


22

TCPA DEVELOPMENTS & TRENDS CONT’D

• SoundBite Communications, Inc.(FCC 12-143, CG Docket No. 02-278, Nov. 29, 2012)

– “One-time” text message confirming opt-out permissible under TCPA under certain circumstances:

• Message cannot contain marketing or sales solicitation, or attempt to convince consumer to reconsider his/her opt-out request

• Message must be sent within 5 minutes of opt-out request

• Message must be last message sent – can’t make follow-up call


23


• Dish Network, LLC, et al. (CG Docket No. 11-50, Public Notice DA 11-594, April 4, 2011)

– Pending Declaratory Ruling Petition re: strict liability for advertisers & franchisor/parent companies

• Caribbean Cruise Line & Economic Strategy Group, Case No. 12 C 4069 (N.D. Ill., Dec. 28, 2012)

– Plaintiffs allowed to proceed with TCPA claims for marketing calls (made under guise of political survey calls) to cell phones using auto or artificial voice/pre-recorded equipment


24


• Uptick in Class Action Lawsuits (State and Federal courts)

– Includes Arizona, California, Georgia, Illinois, Oklahoma, Texas, and Washington

– Testing expansion of TCPA in light/absence of FCC declaratory rulings and guidance

• Now in 4th/5th generation of claims

• Compliance with MMA Guidelines not always sufficient to avoid litigation

• Little, if any FCC enforcement


25

COMPLIANCE- RULES OF THE ROAD WHAT LAWS APPLY: FEDERAL

• Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) (FCC for MSCMs)

– 15 USC § 7712 and 47 CFR § 64.3100

– Governs “interstate” & “intrastate” emails sent using wireless domain name if primary purpose is:

• Commercial advertisement or

• Promotion of a commercial product or service (including content on Internet website operated for commercial purpose) e.g.,

» Mobile service commercial messages (MSCM)

• E.g., [email protected]


26

CAN-SPAM CONT’D

• Pre-empts state laws

– Even those that provide greater protections, except for computer fraud laws • Michigan and Utah Child Protection Registries

– Except “little FTC” acts that prohibit deceptive or misleading advertising

• No private right of action

– Except for ISPs to help them prevent wireless spam on their platforms

– But see Joffe v. Acacia Mortgage (Ariz. App. Div. 2005)

• All wireless email messages are ultimately telephone calls – subject to TCPA


27

CAN-SPAM CONT’D

• Specific disclosures required in order to secure adequate prior express consent

– Name of entity sending message

– Name of entity advertising/promoting product, service or commercial site (if different from above)

– Recipient may be charged fee (standard &/or premium rates

– Recipient right to revoke consent at any time & must be able to opt-out same way opted-in

• No prior express consent required for transactional or relationship messages

• Confirmatory opt-opt messages acceptable, but other bounce-back messages problematic


28

CAN-SPAM CONT’D

• FTC rules for standard emails apply to wireless emails

– Identify sender

– Meaningful opt-out w/i 30 days

– Honor request w/i 10 days

– Mixed content rule

– Forward-to-a-friend rule

– Sexually explicit material labeling rule


29

CAN-SPAM DEVELOPMENTS & TRENDS

• FCC is addressing privacy & security of info stored on mobile devices (DA 12-818, May 2012)

– But expect little FCC CAN-SPAM enforcement activity

• Facebook v. Max Bounty. Case No. 10-CV-04712 (N.D. Cal., March 2011)

– Federal District Court ruled that messages posted on social media walls, newsfeeds, in in-boxes and on user profiles are “electronic messages” w/i meaning of CAN-SPAM Act


30

CAN-SPAM DEVELOPMENTS & TRENDS CONT’D

• MySpace v. Wallace, 498 F. Supp. 2d 1293 (C.D. Cal. 2007); MySpace v. The Globe.com, No. CV 06-3391-RGK (JCx), 2007 WL 1686966 (C.D. Cal. Feb. 27, 2007).

– Messages sent within SM platform required use of electronic routing system that implicated issues about traffic volume and infrastructure utilization CAN-SPAM designed to address.


31

CAN-SPAM DEVELOPMENTS & TRENDS CONT’D

• Increased litigation to broaden application of CAN-SPAM prohibitions by entities claiming to be ISPs w/i meaning of the Act

– Ascertain whether commercial messages are routed a specific location within an electronic infrastructure, including a social network or other platform

– Know platform provider’s Terms that apply to sending messages within the platform to minimize the threat of a lawsuit


32

WHAT LAWS APPLY: FEDERAL CONT’D

• Children’s Online Privacy Protection Act (COPPA)

– 15 USC § 6501 and 16 CFR Part 312

– Governs websites and online services (including mobile apps) targeted to children or with actual knowledge personal information is collected from children

– Administered by FTC & State AGs


33

COPPA CONT’D

• Prohibits operators of commercial websites or online services, subject to a few exceptions, from collecting personal info from U-13 children w/o getting prior verifiable parental consent

– Mandatory notice and consent obligations via privacy policy & direct parent notice

• FTC mobile disclosure guidelines

– Maintain data security, confidentiality & integrity

• Third party service providers must demonstrate compliance

– New Third party liability

• Plug-ins, and ad networks


34

COPPA CONT’D

• Rule amended by FTC Dec. 21, 2012

– Effective July 1, 2013

– Applies to continuum of sites/services, including mobile apps, third party plug-ins and services

– Modified various definitions:

• Operator

• Personal Information to include persistent identifiers, photos/voice recordings (geotagging), and LBS as stand-alone Personal Information (sufficient for street name and city)

• Websites/Service Directed to Children


35

COPPA CONT’D

• New rule enhances definition of “operator” to include:

– Integrated third party sites/services, plug-ins ad networks that collect PI on behalf of host site or service

– Host sites/services strictly liable under COPPA for data collection on their sites by these third parties

– These third party parties liable under COPPA if they have actual knowledge that they’re collecting u-13 data from these sites/services

Includes LBS Providers!


36

COPPA CONT’D

• A word about verifiable parental consent:

– Protocol is byzantine, particularly in context of LBS

– FTC created new methods to take advantage of technology and acknowledge behaviors with mobile devices, e.g.:

• Electronic scans of signed consent forms

• Adds online payment systems that provide notification of each transaction


37

COPPA TRENDS & DEVELOPMENTS

• Increased FTC investigations & enforcement activity to demonstrate reach of rule

• More State AG enforcement

– State AGs have made mobile privacy, especially involving children, a priority

– Chiesa v. 24x7 Digital, LLC, Case. No. 2:12-cv-03402-KSH-PS (D.N.J. June 26, 2012)

• Children’s mobile educational app (transmitting u-13 PI to analytics w/o notice and consent unlawful under COPPA)


38

TRENDS & DEVELOPMENTS

REGARDING MINORS

• Valid consent mechanisms for Minors

• Increased scrutiny of in-app purchases by u-13

– FTC and State AG investigations

– FTC and State AG enforcement actions

– Plaintiff’s Bar

• Federal legislation targeting kids mobile privacy

– Congressman Ed Markey and Senator Al Franken


39

STATE LAWS

• California Online Privacy Protection Act, CA Bus & Prof. Code, §§22575-22579

– CA AG Agreement w/Developers & Platforms to implement mobile app privacy best practices (Feb. 2012)

• People of the State of Cal. v. Delta Airlines, Inc., Case No. CGC-12-526741 (Cal. Sup. Ct., Dec. 6, 2012)

• CA AG Privacy on the Go: Recommendations for the Mobile Ecosystem (Jan. 2013)

– Best practices for platforms, developers, ad networks & other mobile enterprises


40

STATE LAWS CONT’D

• Stalking

• Mobile/LBS

• Contract Language Requirements for Service Providers


41

GUIDELINES, SELF-REGULATORY PROGRAMS & BEST PRACTICES

• Mobile Privacy Disclosures: Building Trust Through Transparency, FTC Feb. 2013

– Recommends that Operating System/Platforms: • Provide “just-in-time” disclosures before apps can access

sensitive content such as geolocation info via the platform API.

• Obtain affirmative express consent before such access.

• Use privacy dashboards and icons.

• Exercise greater oversight over apps.

– Recommends that App Developers: • Have a Privacy Policy.

• Make Privacy Policy available through platform app store.

• Provide “just-in-time” disclosures and obtain affirmative express consent (but don’t repeat platform disclosures)

• Improve disclosures re ad network practices.

• Participate in self-regulatory programs, industry efforts.


42

GUIDELINES, SELF-REGULATORY PROGRAMS & BEST PRACTICES CONT’D

FTC Mobile Privacy Disclosures: Building Trust Through Transparency Cont’d

– Recommends that Ad Networks & Analytics Providers: • Improve coordination with app developers so app developers

can improve disclosures.

• Work with platforms to ensure implementation of effective do-not-track system for mobile.

– Recommends that App Trade Associations: • Develop standardized disclosures, terms, formats, notices.


43


• Mobile Apps for Kids: Current Privacy Disclosures Are DisAppointing, FTC Feb. 2012

• Mobile Apps for Kids: Disclosures Still Not Making the Grade, FTC Dec. 2012

– FTC guidance about how it can exercise its broad “Section 5” consumer protection powers

– Provides useful roadmap for class action lawyers


44


• Marketing Your Mobile App: Getting it Right from the Start, FTC Sept. 2012

• DOT.com Disclosures, FTC updating for mobile devices/small screens. Pending.

• NTIA Privacy Multistakeholder Process

– Working with mobile stakeholders to develop self regulatory “codes” that will be subject to FTC enforcement


45


• Industry Self-Regulatory Programs

(Similar notice/consent, opt-out provisions)

– CTIA • www.ctia.org/business_resources/wic/index.cfm/AID/11300

– MMA • www.mmaglobal.com/files/bestpractices.pdf

– GSMA • http://www.applicationprivacy.org/learn-resources/leading-

data-privacy-practices/#GSMA

– W3C • http://www.w3.org/TR/2012/NOTE-app-privacy-bp-20120703/

– FPF • http://www.scribd.com/doc/99802542/Best-Practices-for-

Mobile-App-Developers#outer_page_17

http://www.ctia.org/business_resources/wic/index.cfm/AID/11300

http://www.mmaglobal.com/files/bestpractices.pdf

http://www.applicationprivacy.org/learn-resources/leading-data-privacy-practices/









http://www.w3.org/TR/2012/NOTE-app-privacy-bp-20120703/









http://www.scribd.com/doc/99802542/Best-Practices-for-Mobile-App-Developers












46

PRIVACY NOTICE REQUIREMENTS

• Type of location information collected (with express opt-in)

– How it is used

• Updated disclosure if info will be used for a purpose other than for which it was collected and how to exercise choice about that use

• Whether information is shared with:

– Third party service providers/partners

– Affiliates

– Advertisers

– Social media networks

– Other third parties


47

PRIVACY NOTICE REQUIREMENTS CONT’D

• What information is retained and for how long

• How to exercise choice about any of the above, including modifying or revoking consent and deleting data.

• Follow COPPA protocol for U-13s

• Make notice accessible prior to purchase

• Make notice accessible within the app


48

LESSONS LEARNED FROM LITIGATION

• In re iPhone Application Litigation, First

Consolidated Class Action Complaint, Case No. 10-CV-05878-LHK (N.D. CA April 21, 2011)

– Consolidated UDID class action lawsuits

– Claims remain under CA Consumer Legal Remedies Act, CA Unfair Competition Law

– Court dismissed claims under Computer Fraud and Abuse Act, Wiretap Act, Stored Communications Act, CA Constitution, and common law

– Court dismissed claims against mobile advertising vendors and app providers

– Apple the only remaining defendant


49

LESSONS LEARNED FROM LITIGATION CONT’D

• New Jersey AG COPPA Mobile App

- Chiesa v. 24x7 Digital, LLC, Case No. 2:12-cv-

03402-KSH-PS (D.N.J., June 6, 2012)

• Opt-Out Confirmatory Message

– Ibey v. Taco Bell Corp., Case No. 12-cv-0583 (S.D. Cal, June 18, 2012)

– Ryabyshchuk v. Citibank (South Dakota) N.A., Case No. 11-cv-1236, (S.D. Cal., Oct. 30, 2012)


50

LESSONS LEARNED FROM

LITIGATION CONT’D

• Telemarketing v. Informational Messages

– Chesbro v. Best Buy Stores, L.P., Case No. 2:10-cv-00774-RAJ (9th Cir. filed Oct. 17, 2012, amended Dec. 27, 2012)

• Vicarious Liability Litigation

– Thomas v. Taco Bell Corp., Case No. 09-cv-01097 (C.D. Cal., Oct. 22, 2010)

– Anderson v. Domino’s Pizza, Inc., Case No. 11-cv-902 (W.D. Wash., May 15, 2012)


51

LESSONS LEARNED FROM LITIGATION CONT’D

• Fourth Amendment Search & Seizure

– U.S. v. Jones, 565 U.S. __, 132 S.Ct. 945 (2012)

• Attaching GPS tracking device to a suspect’s car to track movement on public streets w/o warrant violated Fourth Amendment – reasonable expectation of privacy in vehicle

– U.S. v. Skinner, Case No. 09-6497 (6th Cir. Aug 14, 2012)

• No warrant required for law enforcement real time tracking of defendant using a cell phone’s GPS location and “ping” or CSLI data – no reasonable expectation of privacy in data “given off” by cell phone


52

NEGOTIATING WITH SERVICE PROVIDERS

• Due Diligence

• Consider Privacy Requirements of Mobile App Distributors

• Contract Clauses with Developers to Address Privacy Compliance

– Detailed Work Description

– Ability to Adapt to Change, including changes to be made by vendor or you

– Confidentiality Obligations

– Immediate Termination Provision for breach of Privacy, Data Security and Confidentiality


53

NEGOTIATING WITH SERVICE PROVIDERS CONT’D

• Contract Clauses with Developers cont’d

– Expert Designer Clause

– Representations and Warranties

• Compliance with applicable laws in some detail

• Compliance with distributor requirements

• Compliance with principal’s privacy policy

• No violation of third party privacy rights

– Enhanced Indemnification Clause

– Immediate Termination Options

– Limited Liability

– Professional Liability Insurance


54

CONTRACT REVIEW INTERACTIVE EXERCISE

• Third-Party Developer Reps and Warranties (BEFORE Sample)

– Developer represents and warrants that (a) it has the legal power to enter into this Agreement, (b) it will perform the Services in a professional, workmanlike manner in accordance with industry standards, (c) the Services will perform materially in accordance with the specifications, and (d) it has all rights necessary to provide the Services.


55

CONTRACT REVIEW

INTERACTIVE EXERCISE CONT’D

• Issues w/ Third-Party Developer Reps and

Warranties (Related to privacy and LBS)

– Reps/warranties should be added concerning: • Compliance with applicable laws, including specific laws

relevant to Client’s business and privacy obligations

• Compliance with platform developer requirements

• Developer protection of any personal information collected or received in the course of providing the Services

• Compliance with Client’s privacy policy and other corporate guidelines

– Rep/warranty should clarify applicable industry stds

– Rep/warranty should refer to clear specifications set out elsewhere in agmt that address LBS and privacy

– Intellectual property rep/warranty must be bolstered


56

CONTRACT REVIEW INTERACTIVE EXERCISE CONT’D

DISCUSSION OF REVISED PROVISION


57

CONTRACT REVIEW


• Indemnification by Third-Party Developer

(BEFORE Sample)

– Developer shall defend Client against any claim, demand, suit or proceeding (“Claim”) made against Client by a third party alleging that the Services infringe upon the intellectual property rights of a third party, and shall indemnify Client for any damages finally awarded against, and for reasonable attorneys’ fees incurred by, Client in connection with any such Claim, provided that Client (a) promptly gives Developer written notice of the Claim, (b) gives Developer sole control of the defense of the Claim, and (c) provides reasonable assistance to Developer.


58

CONTRACT REVIEW


• Issues w/ Indemnification by Third-Party

Developer (Related to privacy and LBS)

– Developer should defend, indemnify and hold harmless Client from all Claims, including reasonable attorneys’ fees, arising out of: • Developer’s violation of any applicable law

• Developer’s infringement of a third party’s privacy rights

• Failure of Services to comply with platform requirements

• Developer’s breach of other reps and warranties

– Indemnification should cover Client affiliates, successors, assigns, directors, employees, etc.

– Client should be allowed to participate in defense

– Client must approve any settlement of Claim

– Client cooperation in defense at Developer’s expense


59




60

CONTRACT REVIEW


• Developer’s Limitation of Liability (BEFORE

Sample)

– IN NO EVENT SHALL DEVELOPER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNTS ACTUALLY PAID BY CLIENT IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.


61


• Issues w/ Developer’s Limitation of Liability (Related to privacy and LBS)

– Clause would not cover legal fees, damages, fines or penalties if there is a breach of privacy, data security, IP rights, or a violation of law

– Clause provides even less coverage for a breach occurring at the beginning of the term

– Increase cap to cover any possible direct damages

– Carve out from any damages cap: • Indemnification obligations

• Damages arising from breach of confidentiality

• Damages for violation of law, infringement of privacy rights, breach of security (if not covered by indemnification clause)

– Limitation of liability should be mutual


62




63

CONTRACT REVIEW


• Developer’s Termination Clause (BEFORE

Sample)

– Either party may terminate this Agreement (a) upon thirty (30) days’ written notice of a material breach to the other party if such breach remains uncured at the expiration of such period; or (b) immediately if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.


64

CONTRACT REVIEW


• Issues w/ Developer’s Termination Clause

(Related to privacy and LBS)

– A breach of privacy, confidentiality, or security cannot be cured, only mitigated.

– Client needs right to terminate agreement immediately to avoid further damage and/or claims of negligence or unfair trade practice.

– Consider what should happen to personal information or other confidential information upon termination or expiration of the agreement.


65




66

ADDITIONAL BEST PRACTICES

• Privacy by Design

• Communications between legal, development/engineering/sales/ marketing

• Customer Service

• Training, training, training!


67

OTHER CONSIDERATIONS

• Privacy Legislation

– Application Privacy, Protection and Security Act of 2013

• International Law


68

ACTION ITEMS

• Audit LBS Practices

– Asses what PII is collected and why necessary

– Asses SDKs and all contributors to app development

• Update Privacy Policies

– Simplify with short or special notices

• Review Vendor Relationships

• Amend all current contracts to bring into compliance with laws and government guidelines/best practices

– Use “compliance with all applicable laws” provision

• Monitor Legislation and Self-Regulatory Efforts


69

ACTION ITEMS CONT’D

• Ascertain whether commercial messages are routed a specific location within an electronic infrastructure, including a social network or other platform

• Know platform provider’s Terms that apply to sending messages within the platform to minimize the threat of a lawsuit


70

RESOURCES

• FTC: www.ftc.gov

– Staff Privacy Report “Protecting Consumer Privacy in an Era of Rapid Change,” March 2012: http://ftc.gov/opa/2012/03/privacyframework.shtm

– CAN-SPAM Act: http://business.ftc.gov/documents/bus61-can-spam-act-Compliance-Guide-for-Business

– Mobile Apps for Kids: Current Privacy Disclosures are DisAppointing, FTC Feb 2012: http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf

– Mobile Apps for Kids: Disclosures Still Not Making the Grade, FTC Dec. 2012: http://www.ftc.gov/opa/2012/12/kidsapp.shtm

– Marketing Your Mobile App: Getting it Right From the Start, FTC Sept. 2012: http://www.ftc.gov/opa/2012/09/mobileapps.shtm

http://www.ftc.gov/

http://ftc.gov/opa/2012/03/privacyframework.shtm

http://business.ftc.gov/documents/bus61-can-spam-act-Compliance-Guide-for-Business















http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf

http://www.ftc.gov/opa/2012/12/kidsapp.shtm

http://www.ftc.gov/opa/2012/09/mobileapps.shtm


71

RESOURCES CONT’D

• FCC: www.fcc.gov

– CAN-SPAM Act and TCPA: http://www.fcc.gov/cgb/consumerfacts/canspam.html

– Public Notice, Security of Information on Mobile Devices (DA 12-818, May 2012): http://www.fcc.gov/document/security-information-mobile-devices-comment-deadlines

• White House Consumer Privacy Bill of Rights, February 2012: http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights

• NTIA: http://www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency

http://www.fcc.gov/

http://www.fcc.gov/cgb/consumerfacts/canspam.html

http://www.fcc.gov/document/security-information-mobile-devices-comment-deadlines











http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights

























http://www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency














72

RESOURCES CONT’D

• State Child Protection Registries – Utah CPR: https://donotcontact.utah.gov

– Michigan CPR: https://www.protectmichild.com

• Direct Marketing Association: www.dma.org

• Mobile Marketing Association: www.mmaglobal.com

• The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users, Information and Privacy Commissioner, Ontario, Canada: www.privacybydesign.ca/content/uploads/2011/02/pbd-asu-mobile.pdf

https://donotcontact.utah.gov/

https://www.protectmichild.com/

http://www.dma.org/

http://www.mmaglobal.com/

http://www.privacybydesign.ca/content/uploads/2011/02/pbd-asu-mobile.pdf






73

LOCATION, LOCATION, LOCATION

Thank You and Good Luck!

Karen L. Neuman

[email protected]; 202.454.9401

Michelle M. Shanahan


S. Jenell Trigg, CIPP/US


mailto:[email protected]

mailto:[email protected]

location, location, location: risks and rewards of ... · risks and rewards of location-based...

Documents