
John Nicholson Presentation

Date post: 21-Jan-2015
Upload: mediabistro
Pillsbury Winthrop Shaw Pittman LLP

Privacy for Social Media and Location-Based Services

John L. Nicholson
Counsel, PWSP
Washington, DC
[email protected]
Telephone: (+1)202-663-8269
www.virtualworldlaw.com


1 | Privacy for Social Media and Location-Based Marketing

The good news and the bad news -

I’m a lawyer…

I’m from Washington …

and I’m here to help you.


What We’ll Cover

Privacy Laws
  Current status of global privacy laws
  Recent regulatory concerns and guidance for social media and location-based services
  What might happen

Creating Privacy Policies and Privacy by Design


Where We Stand on Privacy Laws

“Where you stand depends on where you sit.”

- Nelson Mandela


EU – Most stringent privacy law

Switzerland – EU-style privacy law

Russia – EU-style privacy law

China – EU-style privacy law

Australia / NZ – EU-style privacy law

Japan – EU-style privacy law

Asia (General) – EU-style privacy law, APEC

Israel – EU-style privacy law

Dubai – EU-style privacy law. 1st in Middle East

Africa (General) – Privacy law not developed

S. America (General) – Privacy law developing

Argentina – EU-style privacy law

Mexico – EU-style privacy law

Canada – EU-style privacy law (PIPEDA)

US – “Harm”-based, sectoral privacy law


What Is “EU-style” Privacy Law?

Views personal information as being owned and controlled by data subject

Much broader definition of personal information
  Effectively any uniquely identifying data

Comprehensive approach based on “privacy principles”
  Principle 1: Collection Limitation
  Principle 2: Data Quality
  Principle 3: Purpose Specification
  Principle 4: Use Limitation
  Principle 5: Security Safeguards
  Principle 6: Openness
  Principle 7: Individual Participation
  Principle 8: Accountability

Enacted by EU Parliament and then enacted into member state law by each state – so each is slightly different


Why Should You Care About the EU Approach?

Your customers in countries with EU-style privacy laws do

And even if they don’t, the regulators in those countries do
  2010 – Google executives CONVICTED in Italy for violating privacy law by failing to take video off YouTube quickly enough
    Was posted for 2 months
    Taken down within 2 hours of notice from Italian police
  2010 – Many countries investigate Google for capturing personal information as part of Street View project
  2011 – South Korea considering prosecuting Google for privacy violations related to Google Street View


What is US “Harm”-Based Approach

Views personal information as commodity to be bought, sold and traded

Applies limits only where “harm” is identified
  Financial information (GLBA)
  Health information (HIPAA)
  Children’s information (COPPA & FERPA)
  Social security numbers
  Drivers license numbers
  Telephone / email records
  Video rental / library records
  Etc.

State data breach notification laws
  California
  Patchwork framework
  Some states now adding medical information

However, US is moving towards a more comprehensive, holistic definition of “harm,” broader definition of PII, broader security obligations


Massachusetts

New Massachusetts law requires employers to tell workers w/in 10 days about any info placed in employee’s personnel file that has been or may be used to negatively affect the worker’s job

Employee also has right to review or get a copy of records w/in days of request up to 2x/year
Limit does not apply to the notice and review of negative entries
Failure could lead to fine between $500 and $2,500 per incident

Could cause problems for employers during other employment litigation. If discovery reveals that employer failed to comply, could hurt the employer’s credibility

Documentation dilemma
  Attorneys tell clients to document employee issues as much as possible, just in case the issues go to litigation
  New law makes putting relatively innocuous information into a personnel file a much more provocative event. Now a note in a file carries the risk of upsetting employee

“I hope you know that this will go down on your Permanent Record.”


Massachusetts

“Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 Mass. Code Regs. § 17.00)

Who Must Comply?
  “…persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
  A presence in Massachusetts is not required to be liable under the Regulation.

Requires organizations to develop, implement, maintain and monitor a comprehensive, written information security program for records containing personal information (“Program”).
  Regulations allow for flexibility to tailor each organization’s Program.

See http://pillsburylaw.com/siteFiles/Publications/F829298BD2AC6409DF6C9A9B38A21998.pdf


Getting From There to Here

From the EU
  Exporting personal information from the EU to another country is only allowed if the receiving country has data protection laws that have been found “adequate” by the EU DPA
  The US is not one of those countries
  Without express consent, exports of personal information from the EU to the US are enabled under three regimes:
    Model clauses – efficient for two-party transactions
    Binding Corporate Rules – good theory, difficult to implement
    Safe Harbor – efficient for multi-nationals/multi-party transactions
  Some dissatisfaction in EU regarding Safe Harbor

From Canada
  Contractual obligations to comply with PIPEDA protections


Regulatory Concerns & Guidance

FTC Staff Report “Self-Regulatory Principles for Online Behavioral Advertising”

Published Feb. 2009
Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf
Proposed four principles for handling online behavioral profiling:
  Transparency and control
  Reasonable security and limited data retention
  Must obtain affirmative express consent before information is used in a way that is materially different from that authorized in a privacy statement
  Must obtain affirmative express consent before using sensitive data (e.g., data about children, health or finances) in advertising

Expressed concept that PII is becoming broader than traditional definition and could include things like IP address
FTC is becoming concerned about creation of data profiles that uniquely identify a person despite lack of specific, traditional PII


Regulatory Concerns & Guidance

FTC Staff Report – “Beyond Voice – Mapping the Mobile Marketplace”
Published April 2009
Available at http://www.ftc.gov/reports/mobilemarketplace/mobilemktgfinal.pdf
Key privacy/security findings on LBS:
  Contrast between automatic, ubiquitous nature of LBS and cookies or telephone call logs that are created when consumer takes action
  Confusion over identity of controller of location information
  Confusion over application of current legal structure
    Customer Proprietary Network Information (CPNI) rules
    Apply to location information BUT
    Do not apply to non-telecom carriers AND
    Protect account holder, which may not be user of mobile device
  Notice & Consent
    Banner ad vs. disclosure to third party
    Frequency of notice issues
    Children’s use
  International issues (e.g., EU data retention requirements)


Regulatory Concerns & Guidance

FTC Preliminary Report “Protecting Consumer Privacy in an Era of Rapid Change”

Published Dec. 2010
Available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
Key findings:
  Expands concept of “harm” from just economic
  Endorses “do not track” concept
  Promotes idea of “privacy by design”
    Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.
    Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.


Regulatory Concerns & Guidance

Dept. of Commerce “Green Paper” – “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”
  Published Dec. 2010
  Available at http://www.ntia.doc.gov//reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf
  More commerce and policy oriented
  Recommends application of “Fair Information Privacy Principles”
  Does not address privacy by design or privacy enhancing technologies

EU “Communication” – “A comprehensive approach on personal data protection in the European Union”
  Published April 2010
  Available at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
  Focuses on rapid rate of change in technology
  Goal is to focus on improving protection of personal privacy, increasing transparency (including for children), enhancing control over own information (including “right to be forgotten”), strengthening rules on consent, and extending enforcement powers and sanctions.


Additional Guidance

CTIA – “Best Practices and Guidelines for Location-Based Services”
  v.2.0 published March 23, 2010
  Available at http://files.ctia.org/pdf/CTIA_LBS_Best_Practices_Adopted_03_10.pdf
  Focuses on notice and consent
    LBS providers must ensure ability of users to receive meaningful notice
    LBS providers must ensure users consent and recognize that LBS providers bear burden of demonstrating consent
    Users must have right to terminate consent at any time
  Sample policies available at http://www.ctia.org/business_resources/wic/index.cfm/AID/11924

EFF – “On Locational Privacy, and How to Avoid Losing it Forever”
  “build systems which don’t collect the data in the first place”


So What’s Congress Up To?

Last Congress - Two privacy bills
  H.R. 5777 – “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (The Best Practices Act)
  Boucher/Stearns Privacy Bill
  Contemplating definitions of personal information that are broader than are currently used in US and more like EU (IP address has been mentioned)

Several data security bills
  H.R.2221 Data Accountability and Trust Act / S.3742 Data Security and Breach Notification Act of 2010
  S.1490 Personal Data Privacy and Security Act of 2009
  S.3579 Data Security Act of 2010
  S.3742 -- Data Security and Breach Notification Act of 2010
  Each contains requirements for data aggregators and for protection of personal information, as well as data breach notification obligations


What’s Likely?

Window of about 8 months before 2012 election gridlock

Leading House Republicans are interested in privacy
  Joe Barton (R-TX) - Leading Republican on the Energy and Commerce Committee
  Cliff Stearns (R-FL) – House Subcommittee on Communications, Technology, and the Internet

Still, not much likely on a big scale - smaller pieces might get through
  Electronic Communications Privacy Act reform - Tech industry and DoJ both want clarity on rules related to law enforcement searches of e-mail messages and documents stored in the cloud
  Web tracking and Privacy
    Several Republicans opposed it in 2010; FTC has endorsed it
  FTC likely to revise COPPA regulations - Likely to expand definition of PII

States likely to keep moving forward

Europeans likely to put more pressure on US – either through multinationals or US gov’t – to protect EU consumer data


Creating Privacy Policies and Privacy by Design


Drafting and Implementing a Privacy Policy

Privacy decisions are operational decisions

Privacy statement is a contractual commitment with the user that may be enforced by the FTC or other regulatory agencies

Copying the privacy statement from another company is not a good idea
  Technically copyright infringement
  Assumes that the copied policy is worth copying
  Assumes that you’re doing business in the same way that company is


Privacy Statement for Social Media and LBS

General Privacy Statement Obligations
  Notice - Must be provided in plain language; must not be misleading
  Choice
    LBS or other identifying services (e.g., photo-tagging) should be opt-in
    Use of information for purposes not originally identified requires new consent
    Distinction between account holder consent and user consent
    Users should be able to withdraw consent and information about them should be removed
  Onward transfer – Describe third parties to whom information is provided
  Security – Commit to security of information
  Access – Users should be able to see information you’ve collected about them (if you keep it)

Children’s information raises additional issues
  COPPA


Facebook Places

Opt-in Service
  Unlike Beacon, which was opt-out

Facebook users can “place” tag friends who have not signed up for Places, BUT tags do not become active until tagged individual approves them
  Assumption is that people will sign up
  Privacy by Design
    Best implementation would be to reject Place tags for anyone who has not activated the service, but provide incentives to turn it on
    Better implementation would be to only hold Place tags for non-users for limited period of time then delete them

Facebook users can check other users into locations (2nd party tagging)
  2nd party check-ins can be manually deleted
  Individual friends can be blocked from 2nd party check-ins
  2nd party check-ins can be blocked completely
  Privacy by Design - Best implementation would be that 2nd party check-ins are blocked by default and must be turned on, but provide incentives to turn it on


Facebook Places (cont)

Default is “friends only”
  Leakage to “friends of friends”
  Special protections to limit access to information for members under 18 to friends only

The Unspoken Problem
  Facebook limits membership to age 13 and over.
  According to industry, most popular games among U13s are Facebook games
  According to Center on Media and Child Health:
    60 percent of children ages 10 to 14 have cell phones
    22 percent of children 9 and younger have cell phones


Facebook Photo Tagging & Facial Recognition

Facial Recognition & Tagging
  When a user can tag friends in an album, Facebook will use its facial recognition technology to group similar faces together and automatically fill in the "Who is this?" box with its suggestion
  Users can log in and remove tags
  Users can opt out of Tag Suggestions by going to their privacy settings and disabling the "Suggest photos of me to friends" feature

Individuals being tagged in a photo do not have to have a profile on Facebook

Privacy by Design:
  No tagging people without Facebook profiles
  Users can opt-in to photo tagging – provide incentives for opting in
  Multiple options for tag approval – provide incentives for increasing access
    Universal
    Selective (white list or black list)
    Approval required


Comments and Questions?

Thank you for listening.

