This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.

Post on 30-Jul-2020


Page 1: This presentation was created by Dorsey & Whitney LLP, 50 South …files.dorsey.com/files/Upload/IAPP-Online-Privacy... · 2017-04-13 · This presentation was created by Dorsey &


Page 2:

Panelists

Jennifer Archie, CIPP/US, Partner, Latham & Watkins LLP

Melissa Krasnow, CIPP/US, Partner, Dorsey & Whitney LLP

Joanne McNabb, CIPP/G, CIPP/IT, CIPP/US, Director of Privacy Education and Policy, Privacy Enforcement and Protection Unit, California Department of Justice


Page 3:

Big Picture Considerations

• Importance of websites and mobile applications and change

• Geographical reach of websites and mobile applications (national, global, etc.)

• Increased regulation and enforcement regarding privacy policies and other risks

• Ongoing due diligence about website and mobile application operation and practices:

– technology, business, legal and industry need to work together

• Disclosure and transparency


Page 4:

Some Initial Questions

• Which websites and mobile applications does the privacy policy apply to?

– if the operator has other websites or mobile applications, do they have privacy policies?

• What is the / is there an effective date on the privacy policy?

– what new laws and best practices have come into effect since the effective date?

– has the website or mobile application changed since the effective date?

– what does the existing privacy policy say about updating?

• Where could users of the website or mobile application be from (geographical restrictions)?

– could personally identifiable information about a California resident consumer who uses or visits a website or mobile application be collected by its operator?


Page 5:

Value of Comprehensive Privacy Policy

• Provides picture of practices regarding collection, use, sharing, disclosure and protection of PII

• Promotes data governance

• Promotes accountability

• Informs the public, including through academics and media

• Complies with legal requirements, when applicable


Page 6:

California Online Privacy Protection Act

• Including “Tracking Transparency” Amendments (AB 370 of 2013)


Page 7:

Background on CalOPPA

• To whom does it apply?

– Operator of commercial web site or online service that collects PII about CA residents who use or visit the site/svc

• What does it require?

– Conspicuous posting of privacy policy

– Specific disclosures in the policy

– Compliance with the policy

• Penalties

– Violation:

• Failure to post policy w/in 30 days of notice

• Failure to comply with provisions (a) knowingly and willfully; or (b) negligently and materially

– Civil fine of $2,500 per violation, etc., under UCL


Page 8:

AB 370: Tracking Transparency Amendments

• “This bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps. AB 370 will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.”

• Author’s statement quoted in Assembly Business, Professions and Consumer Protection Committee analysis of AB 370, 4/16/13


Page 9:

AB 370 – Effective 1/1/14

• AB 370 adds two new disclosures in privacy policy

– Operator’s response to DNT browser signal

– Possible presence of 3rd parties tracking on operator’s site or service


Page 10:

New Privacy Policy Disclosure #1

• Disclose how the operator responds to

– Web browser “do not track” signals, OR

– Other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services

• If the operator engages in that collection


Page 11:

Alternate Privacy Policy Disclosure #1

• An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.


Page 12:

New Privacy Policy Disclosure #2

• Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.


Page 13:

Recommendations on Developing A Meaningful Privacy Policy

• From the California Attorney General’s Office


Page 14:

Meaningful Privacy Policies

• Making your privacy policy meaningful to consumers means

– Addressing significant data collection and use practices

– Using plain language and a format that enhances readability


Page 15:

Recommendations for Developing Meaningful Privacy Policies

• READABILITY

– Use plain, straightforward language.

– Use a format that supports readability, including titles or labels to identify sections.

• DATA USE AND SHARING

– Explain how you use and share PII.

– Whenever possible, provide a link to the privacy policies of 3rd parties with whom you share PII.


Page 16:

Recommendations for Developing Meaningful Privacy Policies

• DO NOT TRACK/ONLINE TRACKING

– Describe your response to a DNT browser signal or to another mechanism (more transparent than just providing a link to a choice-related program).

• ACCOUNTABILITY

– Tell your customers whom they can contact with questions or concerns about your privacy policies and practices; at minimum, provide an email address.

– Train customer service staff to respond appropriately to privacy questions.


Page 17:

Recommendations for Developing Meaningful Privacy Policies

• KNOW YOUR PRACTICES – AND VERIFY REGULARLY

– Be aware of changes in data practices, technologies, and business partners that should be addressed in your privacy policy.

– Confirm your policy’s accuracy with those responsible for data management.


Page 18:

Federal Law and Guidance

• Section 5 of Federal Trade Commission Act and guidance

• National Telecommunications & Information Administration Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices

• Industry guidance


Page 19:

Privacy of Children and Teens under Age 13 and Age 18

• Children under age 13 - updated Children’s Online Privacy Protection Act (COPPA) Rule effective July 1, 2013

• Children under age 18 - Cal. S.B. 568 effective on January 1, 2015

– Operator must permit and provide notice and instructions about how a registered user may remove or request removal of any content or information posted, and implement a removal mechanism (“eraser button”)

• Is date of birth information involved?


Page 20:

Canadian Anti-Spam Legislation (CASL)

• July 1, 2014 effective date

• Provides for an opt-in regime

• Applies to any individual or organization that sends, or causes or permits to be sent, a commercial electronic message (e.g., an email, a text message, an instant message or a social networking communication) if a computer system located in Canada is used to send or access the message, unless the message is subject to a specified exception


Page 21:

Privacy Policies in M&A and Bankruptcy

• FTC and state attorney general enforcement

• Toysmart, XY, Borders and True Beginnings cases

• Privacy policy excerpt:

– We never rent, sell, loan or lease any personal information collected on our website to any third party.


Page 22:

Lessons Learned the Hard Way:

• No surprise collection, use, sharing.

• Say what you do, do what you say on collection, choice, sharing. (And say it simply)

• Policy must track evolving products and practices and mobile platforms.

• Don’t lull with words that don’t apply (like “EU Safe Harbor” or “HIPAA” or “COPPA” compliant).

• Don’t make gratuitous promises about security.


Page 23:

Chitika Post Opt Out Tracking of Consumers

• Delivered 3 billion ad impressions a month, acting as a go between for websites and advertisers

• Buys ad space on websites and contracts with advertisers to place cookies on websites

• Privacy policy offered unqualified opt out, BUT opt-out cookies expired after 10 days.


Page 24:

Chitika Settlement

• Must have a clear and prominent notice with a hyperlink on the homepage of its website that states: “We collect information about your activities on certain websites to send you targeted advertisements. To opt out of Chitika’s targeted ads, click here.”

• Five-year ban on sending ads to opt-outs

• Prevents Chitika from using, selling, or transferring “any information that can be associated with a Chitika user or a Chitika user’s computer or device” that the company obtained prior to March 1, 2010.

• Chitika must delete any such information stored in Chitika users’ cookies and any information retained in Chitika’s files that would allow the information to be associated with a particular consumer or that consumer’s computer or device.

• LESSON: do what you say, say what you do


Page 25:

Google Buzz: Retroactive Use Changes

• Gmail members were automatically enrolled in social networks with abusive ex-husbands, random e-commerce or one-off stray email correspondents, revealing actual identity

• The Google privacy policy at the time stated, “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.”


Page 26:

Google Buzz

• Even if you clicked “nah, go to my inbox” you were still enrolled in Buzz.

• The privacy settings or controls were not available in the Settings menu.

• Repurposed old data in new ways.

• “When you first enter Google Buzz, to make the startup experience easier, we may automatically select people for you to follow based on the people you email and chat with the most….Your name, photo, and the list of people following you will be displayed on your Google profile, which is publicly searchable on the web.”


Page 27:

Google Buzz Settlement

• First ever comprehensive privacy program

• Independent privacy audits for 20 years

• ANY change requires opt in consent before roll out of any product that would involve “new or additional sharing” of previously collected information with any third party – no materiality qualifier

• Massive record retention (Emails about new products)

• Expansive definition of personal information

• LESSON: No repurposing of old data in new ways without express OPT-IN consent.


Page 28:

Be precise in word choice.

• EU Safe Harbor “certified” or “compliant” (that means actual registration/self-certification, and keep it current!)

• “HIPAA compliant”

• “COPPA compliant” – big updates, big changes in complexity in the mobile environment in particular

• “Personal information” requires policy-specific definition.


Page 29:

Brightest Flashlight App

• (Settled) FTC Complaint that

– App transmits precise geo-location along with persistent device identifiers to various third parties, including third party advertising networks, not disclosed in EULA or Privacy policy

– EULA stated that consumers could opt to refuse the EULA, including those relating to the collection and use of device data, but regardless of whether consumers accepted or refused the terms of the EULA, App still transmitted device data as soon as the consumer launched the application and before they had chosen to accept


Page 30:

Wyndham Hotels: the Section 5 jurisdictional hook

Security


Page 31:

Skip gratuitous or over the top security commitments.

• “The privacy of our customers is our utmost concern.”

• “We take your privacy seriously and make it a priority to protect personally identifiable information that we obtain from and about individuals both online and off-line.”

• “We will never transfer your information without your permission.”


Page 32:

Frostwire

• Offers peer to peer file sharing application for desktop and Android devices

• Allowed users to share files, photos, videos, music with other users of the Gnutella P2P file sharing network

• App risked consumers inadvertently disclosing personal files stored on smartphones and tablets

• Default settings publicly shared photos, videos, etc. immediately upon installation and set-up

• LESSON: don’t do surprising things without extra disclosure.


Page 33:

Upromise

• Upromise members can receive cash rebates for college savings accounts

• Upromise TurboSaver Toolbar highlighted partner companies in search results, to help members find partner companies eligible for cash rewards

• “Personalized offer” feature collected information through browser when enabled, and delivered targeted advertising

• Personalized offer disclosure was weak and, for much of the period, pre-checked to enable the feature

• Targeting tool (downloaded by 150,000 users) collected names of all websites visited, all links clicked, and names and passwords, and even information entered on secure web pages such as banks and online retailers, all without disclosure to customer


Page 34:

Upromise / continued

• Privacy policy had vague disclosure, i.e., that the Toolbar might “infrequently” collect some personal information

• But the filters were poorly designed (too narrow, improperly structured)

• Data collected was transmitted in clear, readable text over the internet

• No testing before distribution; no monitoring to see whether data was consistent with policies/intent

• Untrained employees, poor supervision of the developer of the Tool


Page 35:

Upromise Settlement

• Disclose to consumers—before the download or installation of software that records or transmits information about any activity occurring on a computer involving the computer’s interactions with Web sites, services, applications, or forms—the types of information collected and how the information will be used.

• The disclosure must be clear and prominent and separate from other notices.

• Express affirmative consent before the consumer –

– Downloads, installs, or otherwise activates such software, OR

– Before making any material change from stated practices

• Corrective notices to affected consumers and data destruction


Page 36:

Scan Scout

• Scan Scout provided video ad services to AOL and others, using Brightcove technology to display online video content and track viewing patterns (by storing LSOs on computers)

• Alleged that Scan Scout used deceptive marketing with a website privacy policy that claimed consumers could opt out of online tracking, when they couldn’t opt out because the website used Flash cookie technology to collect data which browser settings could not block

• Terms: similar to Chitika


Page 37:

Litigation Triggers

• Undisclosed collection / tracking / usage of consumer data (Path, Apple, Streetview, Flash Cookies)

• Undisclosed sharing (Facebook Beacon, NebuAd, Zynga)

• Material changes to use of previously collected data (Google Buzz, Google Gmail, Friendfinder)

• Evading consumer choice (Amazon, Flash Cookies)

• Data breach cases (lulling or simply wrong statements in privacy policy)


Page 38:

What’s a good process?

• since CUTTING and PASTING is such a bad idea.


Page 39:

FIPS is your #1 TIP

Draft from the BIG, unifying ideas

• Limits on collection (minimization, lawful, fair means of collection)

• Data quality (accurate, complete, current)

• Disclosure of purpose

• Limitations on use

• Security Assurances / Practices that are reasonable under the circumstances

• Transparent policies, practices, procedures


Page 40:

PROCESS – “Privacy by Design”

• WHAT

– Safeguarding (heavy enforcement)

– Limit collection to “legitimate business needs”

– Data retention policies and periods, especially for location data

– Ensure accuracy

• HOW

– Organizational priority (proactive, preventative, board level)

– A discrete project objective

– Proceeds in tandem with the design process (not last minute)

– Embedded into everything


Page 41:

Some Privacy Policy Pointers

• Make sure the privacy policy has an effective date, uses clear, identifying headings (e.g., Do Not Track) and otherwise is readable on a website or mobile application

• Due diligence must be done to make disclosures in privacy policy

– work with other functions in and outside website or mobile application operator (e.g., service providers)

– determine who operator and third parties are and what they are doing on website or mobile application

• Make sure the differences between websites and mobile applications are reflected in their respective privacy policies (e.g., unique device identifiers for mobile applications, etc.)


Page 42:

Resources

• Latham & Watkins Global Privacy & Security Compliance Law Blog: http://www.globalprivacyblog.com/

• Privacy in Mergers & Acquisitions: http://www.dorsey.com/files/Publication/c740450a-a98b-4187-9659-fdfd02926a03/Presentation/PublicationAttachment/23ff9913-a5fa-46e7-8b7a-8c8477eeb0d5/Privacy-MA-Krasnow.pdf

• Canadian Anti-Spam Legislation: http://www.irmi.com/expert/articles/2014/krasnow02-cyber-privacy-risk-insurance.aspx


Page 43:

Resources

• California AG’s Recommended Practices

www.oag.ca.gov/privacy/business-privacy

• California Privacy Legislation

http://oag.ca.gov/privacy/privacy-legislation/leg2013

• California and Federal Privacy Laws

http://oag.ca.gov/privacy/privacy-laws


Page 44:

Questions & Answers

Jennifer [email protected]

Melissa [email protected]

Joanne [email protected]


Page 45:

Page 46:

Web Conference Participant Feedback Survey