Archive for June, 2010

Of Cookies and Spam

Posted by fgilbert on June 22nd, 2010


What’s Cookin’ in the European Union?

The European Union Member States will soon change the rules that apply to cookies and unsolicited messages. Recent amendments to the ePrivacy Directive require the Member States to implement new restrictions in their national laws by June 2011. These changes are likely to significantly affect the procedures and processes used for marketing in, or with, the European Union. The most important change creates new rules for the use of cookies.

1. Background and the 2009 Directive

The e-Privacy Directive is “the other directive” that applies to the protection of personal data in the European Union, in addition to the 1995 EU Data Protection Directive. Adopted in 2002, this directive identifies the restrictions that are intended to protect personal data in the context of wire or Internet communications.

The European Parliament and the Council of the European Union approved Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector in order to address the uses and abuses of new, advanced digital technologies. The ePrivacy Directive supplements Directive 95/46/EC by providing a framework to respond to unsolicited commercial messages, the use of fax and similar technologies for telemarketing purposes, and creates a framework for the use of cookies, traffic data, location data, and public directories.

The 2002 version of the ePrivacy Directive was amended through Directive 2009/136/EC, which became effective in December 2009, and requires Member States to modify their national laws accordingly by June 2011. This amendment was part of a larger series of amendments that updated the existing regulatory framework for electronic communications networks and services. Several provisions of the 2002 ePrivacy Directive are significantly altered through these amendments. This, in turn, will cause a ripple effect when these amendments are implemented in the national laws of each of the EU Member States. Unfortunately, portions of the 2009 Directive are confusing, which is likely to cause significant discrepancies in the way that the Member States interpret this new directive.

2. New Rules for Cookies and Spyware

The most important change that is brought by the 2009 Directive is a new requirement for the use of cookies. The 2009 Directive replaces Article 5(3) of the ePrivacy Directive in order to strengthen the rights of the individuals.

Under the 2002 version of Article 5(3) of the ePrivacy Directive, Member States’ national laws must ensure that electronic communications networks are not used to store information or to gain access to information stored in the terminal equipment of a subscriber or user unless the subscriber or user concerned:

  • Has first received clear and comprehensive information in accordance with the 1995 Data Protection Directive about the purposes of the processing; and
  • Is offered the right to refuse such processing by the data controller.

According to the Preamble of the 2002 Directive, information and the right to refuse may be offered once for the use of various devices or pieces of code to be installed on the user’s terminal equipment during the same connection and may also cover any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse, or requesting consent should be made as user-friendly as possible. Access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

a. Notice requirement

The 2009 version of Article 5(3), which supersedes the prior version, retains the notice requirement of the 2002 version. It states that the subscriber must be provided with “clear and comprehensive information about the purposes of the processing” in accordance with the 1995 Data Protection Directive.

b. Consent or Right to Refuse?

The new Article 5(3) of the ePrivacy Directive requires the user’s consent. Member States’ national laws must provide that electronic communications networks may store information, or gain access to information already stored, in a user’s or subscriber’s equipment only “if the subscriber or user concerned has given his or her consent.”

There is no definition of “consent” either in the 2002 version of the ePrivacy Directive or in the 2009 Directive. Further, while the 2002 Directive distinguishes “consent” from “explicit consent,” the 2009 Directive does not.

The “right to refuse” in the 2002 version had been understood as an “opt-out.” The user should have the ability to “refuse” the cookies by setting his browser accordingly. Processing occurs unless the user stops it and indicates his opposition by using the relevant browser setting. The user is free to change the browser settings at any time.

If the requirement for “consent” is to replace that of a “right to refuse,” what is the difference between the two options? Does it mean that each website should have a landing page in which it provides information about its cookies, so that a visitor can then agree to the policy before entering the site?

Unfortunately, Recital 66, in the preamble to the 2009 Directive, which should provide background and comments on these provisions, only adds confusion. There are discrepancies between the text of the amended Article 5(3), and that of Recital 66. While Article 5(3) requires the user’s “consent,” Recital 66 refers to both the “right to refuse” and the obligation to obtain “consent.” For example, one sentence states: “the methods of offering … the right to refuse should be as user-friendly as possible.” The next sentence, however, provides “where it is technically possible and effective, … the user’s consent to processing may be expressed….”

To add even more to the confusion, Recital 66 also indicates that the user can express his consent through his browser. The drafters comment that the user could express his “consent to the processing” by using appropriate settings on his browser or other application. If this is the case, then what is the difference from the current state, and what did the amendment intend to accomplish?

These amendments to the 2002 ePrivacy Directive now have to be implemented and interpreted by the 27 Member States. The different possible interpretations of the new Article 5(3) and of Recital 66 of the Preamble of the 2009 Directive are likely to result in significant discrepancies in the laws of the different Member States, the opposite effect of what a directive should accomplish.

c. Exceptions

Like the 2002 version, the new Article 5(3) of the e-Privacy Directive provides exceptions to the consent requirement for certain types of cookies. The exceptions are the same in both the 2002 version of the Directive and the 2009 Directive.

One exception allows the use of cookies without consent when the technical storage of, or access to, information is for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The other exception applies when the use of a cookie is strictly necessary for the provider of an information society service, explicitly requested by the subscriber or user, to provide that service.

According to the Preamble to the 2009 Directive, these exceptions should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Thus, presumably, session cookies that can take a user from one page to another (e.g. from a page where an order is placed to a checkout page where payment is made) would be allowed. Persistent cookies and web beacons, which may be used for web analytics, but could also be used for behavioral targeting purposes, would require consent.
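As an added illustration that is not part of the original post, the following Python snippet shows one way a web application could apply the two exceptions above: cookies whose purpose is carrying out the transmission, or which are strictly necessary for a service the user explicitly requested, are set without consent, while analytics and advertising cookies are withheld until the visitor's recorded consent covers that purpose. The consent cookie name `cookie_consent`, its comma-separated value format, the purpose categories, the one-day review threshold and the sample cookies are all assumptions constructed for this example.

```python
"""Consent-gated Set-Cookie emission modelled on the amended Article 5(3).

Cookies for carrying out a transmission, or strictly necessary for a service the
user explicitly requested, are set without consent. Every other cookie is
withheld until the visitor's recorded consent covers its purpose.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    TRANSMISSION = "transmission"              # e.g. load-balancer affinity
    STRICTLY_NECESSARY = "strictly_necessary"  # e.g. the session carrying a checkout
    ANALYTICS = "analytics"
    ADVERTISING = "advertising"


# The two exceptions in Article 5(3): no consent is required for these purposes.
EXEMPT_PURPOSES = frozenset({Purpose.TRANSMISSION, Purpose.STRICTLY_NECESSARY})

# Assumed name of the first-party cookie in which the visitor's consent is recorded.
CONSENT_COOKIE = "cookie_consent"


@dataclass(frozen=True)
class CookieSpec:
    name: str
    value: str
    purpose: Purpose
    max_age: int | None = None  # None -> session cookie, discarded when the browser closes
    http_only: bool = True      # False for cookies that client-side scripts must read


def parse_consent(cookie_header: str | None) -> frozenset[Purpose]:
    """Extract the consented purposes from a Cookie request header.

    Assumed format (constructed for this example): cookie_consent=analytics,advertising
    Unknown tokens are ignored and exempt purposes never count as consent, so a
    malformed or tampered value can only withhold cookies, never unlock them.
    """
    if not cookie_header:
        return frozenset()
    for part in cookie_header.split(";"):
        name, sep, raw = part.strip().partition("=")
        if sep and name.strip() == CONSENT_COOKIE:
            granted = set()
            for token in raw.strip().split(","):
                try:
                    purpose = Purpose(token.strip())
                except ValueError:
                    continue
                if purpose not in EXEMPT_PURPOSES:
                    granted.add(purpose)
            return frozenset(granted)
    return frozenset()


def filter_cookies(specs, consent):
    """Split cookies into those that may be set now and those that must wait for consent."""
    allowed, withheld = [], []
    for spec in specs:
        if spec.purpose in EXEMPT_PURPOSES or spec.purpose in consent:
            allowed.append(spec)
        else:
            withheld.append(spec)
    return allowed, withheld


def render_set_cookie(spec):
    """Render one Set-Cookie header value (attributes rendered by hand for determinism)."""
    attrs = [f"{spec.name}={spec.value}", "Path=/", "Secure", "SameSite=Lax"]
    if spec.max_age is not None:
        attrs.insert(1, f"Max-Age={spec.max_age}")
    if spec.http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def set_cookie_headers(specs, cookie_header):
    """Headers to send for this response, plus the names withheld for lack of consent."""
    allowed, withheld = filter_cookies(specs, parse_consent(cookie_header))
    return [render_set_cookie(s) for s in allowed], [s.name for s in withheld]


def audit_exemption_claims(specs, max_necessary_age=24 * 60 * 60):
    """Heuristic review check (threshold is an assumption): a cookie claimed as exempt
    that outlives the browser session by more than a day looks like tracking rather
    than something strictly necessary, and should be justified or moved behind consent."""
    return [s.name for s in specs
            if s.purpose in EXEMPT_PURPOSES
            and s.max_age is not None and s.max_age > max_necessary_age]


# Constructed sample: the cookies a shop might want to set on its checkout page.
SAMPLE_COOKIES = [
    CookieSpec("sid", "c0ffee", Purpose.STRICTLY_NECESSARY),          # carries the basket
    CookieSpec("lb", "node-2", Purpose.TRANSMISSION),                  # load-balancer affinity
    CookieSpec("_ga", "GA1.2.123.456", Purpose.ANALYTICS, 2 * 365 * 86400, http_only=False),
    CookieSpec("ad_id", "abc123", Purpose.ADVERTISING, 90 * 86400),
]

if __name__ == "__main__":
    for hdr in (None, "theme=dark; cookie_consent=analytics"):
        headers, held = set_cookie_headers(SAMPLE_COOKIES, hdr)
        print(f"Cookie: {hdr!r}")
        for h in headers:
            print("  Set-Cookie:", h)
        print("  withheld:", held)
```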

3. Unsolicited Commercial Messages

In addition to the provisions pertaining to the use of cookies, the 2009 Directive slightly modifies the regime that applies to unsolicited commercial messages. It extends the scope of the ePrivacy Directive. Under Article 13 of the e-Privacy Directive, the national laws of the EU Member States must provide that unsolicited commercial messages may not be sent to an individual unless the individual has previously opted in to receive the message. If the merchant has a relationship with a preexisting customer, an opt-out is acceptable, but only when the communication is made for marketing similar products or services to that customer, and subject to several prerequisites. In this case, the merchant may use the contact information that it collected from the customer in the course of the sale of a product or service.

Several conditions must be met:

  • The contact information must have been obtained in the context of the prior sale of a product or a service to the individual by the same company.
  • The contact information must have been obtained in compliance with the applicable Member State national law that implements the 1995 Data Protection Directive. Notice must be provided and consent obtained. The notice to the individual must describe which data are being collected, the identity of the entity collecting the information, for which purpose(s) the data will be used, the recipients or categories of recipients of the data, and the existence of the right of access to and the right to rectify the data concerning the customer.
  • The company must inform the customer in a clear and distinct manner that the data might be used again for direct marketing.
  • The customer must be given, clearly and distinctly, the opportunity to object, free of charge and in an easy manner, to such use.
  • The ability to opt out of the further use of the contact information must be provided both when the information is first collected and on each use of the information.
  • The use of contact information that was previously obtained fairly and lawfully is limited to sending the customer information about products or services that are similar to those previously provided to that customer.

These provisions apply only to protect natural persons. However, the directive urges Member States to consider similar provisions to protect legal persons, as well, from unsolicited communications.

The 2009 Directive expands the scope of these provisions:

a. Opt-In for Robocalls, Fax, Email, and Text Messages

The e-Privacy Directive requires that Member States’ national laws implement an opt-in regime for automatic calling machines, facsimile machines, and emails and text messages used for direct marketing.

The 2009 Directive extends the restriction to MMS and similar applications.

b. Person-to-Person Voice Telephony

For communications other than those made through automated calling machines, facsimile machines, email, text, SMS, or MMS messages, or through the use of email addresses obtained in a prior relationship, such as person-to-person voice telephone calls, the e-Privacy Directive allows Member States to choose between an opt-in and an opt-out regime.

In the 2002 version of the ePrivacy Directive, the privilege was granted only to the subscriber; the 2009 Directive extends the privilege to the users, as well.

Location Information in Consumer Contracts

Posted by fgilbert on June 8th, 2010


The use of location-based services by consumers, such as for the provision of directions, traffic information, or mapping to locate nearby stores, should be subject to terms and conditions that address the quality of the service and the reliability of the data. In addition, the contract should address the privacy concerns of the customer. The collection, use and sharing of location information might raise more concerns than the collection of other data such as a name, phone number or the duration of a call. Thus, special attention should be given to the protection of the location data.

User’s choice

For the service to occur, the service provider needs the ability to locate the client. The cell phone or GPS transponder must be active. Nevertheless, at other times, when customers do not need the service, they may wish to have the ability to turn off the location capability. Cellular phones can easily be turned off. In a car or other machine equipped with a GPS, the user may wish to deactivate the GPS transponder without shutting down the engine, so that it cannot record movements. The same issue arises for RFID tags, such as those that come with E-ZPass or FasTrak. Is there an on/off switch? Or does the device, once attached to a car windshield, keep transmitting at all times?

The service provider should take into account customers’ right or need to be “left alone.” To this end, product documentation, brochures, and terms of use should inform purchasers of the ability to switch off the transmittal of information. Device manufacturers might also consider delivering equipment that includes wireless or GPS devices with the broadcasting function turned off, with appropriate instructions on how to turn on or shut down the wireless capability, so that the customer does not unintentionally broadcast location information. In a related area, Wi-Fi, California recently enacted a law that, since October 1, 2007, requires manufacturers of wireless computer network equipment used in small offices and homes to include a warning on their product to inform consumers how they can secure their networks against outside users who piggyback on their connection. They are required to advise consumers about how to secure their networks in one of four ways: (1) apply a temporary sticker warning over the ports of a device; (2) include a warning in the configuration process of the installation of a device; (3) protect the device from use until the customer takes steps to secure the network; or (4) provide other protections that would be enabled before the equipment could be used without an affirmative act of the consumer.

Privacy

Privacy and the use of personal data are of great concern to many individuals. To address privacy concerns, the service provider should use a privacy statement to notify users that the devices or service may be collecting information. In the United States, this may be a “Best Practice” since most US laws do not require privacy statements. Elsewhere, providing a notice of privacy practices may be required by law, for example under the European Union data protection laws.

In the Privacy Statement, the company would disclose what type of personal data will be needed and collected (e.g., identity, phone number, location), and the purposes for which the data will be used (e.g., searches, tracking).

Individuals might wish to be informed, as well, when information about their location is generated, and how this information is generated. Since location information appears to be more sensitive than other types of personal information, the contract (and the related technology) may provide for ways that the customer would give her consent to the collection of location information, and ways to turn off the transponder.

The user may also be offered choices regarding management and use of information. This would include, as well, providing the ability to access and edit permissions. The customer could define which disclosures are permitted, and when the company may share data with third parties.

The protection of the collected data is of equal importance. How long will the data be retained? The 2002 European Union Directive on Privacy and Electronic Communications, to be implemented by the EU Member States, for example, requires that location data be retained only for a limited time. In addition, the 2006 European Union Data Retention Directive requires networks and service providers to retain traffic and location data generated in conjunction with electronic communications services for a minimum amount of time (6 to 24 months) to be specified by the national law of each European Union Member State.

When data are retained, what security will be used to ensure that the data is not exposed to unwanted disclosure, access, or modification?

The privacy statement or terms of service should also address marketing issues. There should be a clear description of the possibility that data (traffic data, location data, and non-contact information such as prior searches) might be disclosed to third parties for marketing purposes. The customer should be given the choice to prevent, or agree to, these disclosures.

Privacy Statement

TRUSTe has worked with the telecommunications industry to outline the content of a privacy statement that would conform to the Fair Information Practices that have been recommended by the Federal Trade Commission or other organizations such as the California Office of Privacy Protection. The proposed content of a Privacy Statement in the context of wireless services would include:

  • Name of organization
  • What information the wireless service provider collects
      ◦ Personally identifiable information
      ◦ Unique mobile device identifier
      ◦ Location information
  • What information is collected by or through a third party
  • How the Wireless Service Provider uses the information
      ◦ Secondary uses of the personal information
      ◦ Secondary uses of the location information
  • With whom the information is shared
      ◦ Sharing the location information with the Location Based Service provider
      ◦ Sharing personal information or location information with third parties for secondary uses
  • What choices are available to the consumer regarding the collection, use, and distribution of the personal information collected by the Wireless Service Provider
      ◦ Method for editing privacy preferences
  • What types of security measures are in place to protect from the loss, misuse, or alteration of personal information collected by the Wireless Service Provider
  • How the consumer may access the information and correct any inaccuracy
  • Whether location information is retained beyond the time period reasonably needed to complete the transaction requested by the customer

Technological Constraints

There are practical obstacles to the use of comprehensive privacy statements. One cannot post a full-length privacy statement on an RFID chip or a telephone screen. Companies have been scratching their heads to find appropriate ways to deliver privacy notices and options adapted to wireless devices. Typical handheld devices are tiny and use small screens. They may also have limited power.

It is not possible to deliver privacy information in the ways traditionally used with a desktop or laptop computer. Alternatives would include providing a full privacy statement in locations where individuals can access it easily, for example at a store, online, or by mail. A summary notice of the privacy statement, with a cross-reference to a URL or brochure, might be able to address the size and other constraints.

If the transaction is conducted on a wireless device, the company may opt to deliver a short privacy notice that informs customers of the existence of the Privacy Statement and directs them to another location where the full-length Privacy Statement may be reviewed in its entirety. The company should deliver the full Privacy Statement as soon as practical, in an appropriate medium, for example through postal mail or email. For those devices that are equipped with viewing technology based on optimized protocols using a proxy server between the device and the content source (e.g. WAP technology), it may be possible to add a “privacy” option and link the “privacy” button to the URL of the statement.

If the transaction is conducted online, but not on a wireless device, the service provider may provide a link to the site where the full privacy statement is located. If the transaction is conducted offline, the service provider could deliver the full privacy statement separately; or include it in the service contract; or include a clear and conspicuous statement in the product or service brochure that the full privacy statement is available by asking an associate.

Mobile Marketing Association

The Mobile Marketing Association (MMA) has defined six fundamental elements to a positive consumer experience. These elements include:

  • Choice. The consumer must “opt-in” to a mobile marketing program. Consumers have a right to privacy and marketers must therefore gain approval from consumers before content is sent, and include clear directions on how to unsubscribe from communication should it become unwanted.
  • Control. Consumers should have control of when and how they receive marketing messaging on the mobile phone and must be allowed to easily terminate or “opt-out” of an unwanted program.
  • Customization. Data supplied by the consumer for marketing purposes should be used to tailor such marketing to the interests of the consumer (e.g. restricting communications to those categories specifically requested by the consumer). Targeting using consumer data made available to the marketer helps to eliminate spam, making content as relevant and useful to the consumer as possible.
  • Consideration. The consumer must receive or be offered something of perceived value in return for receiving the communication (product and service enhancements, entry into competitions etc.).
  • Constraint. The marketer must effectively manage and limit mobile messaging programs to a reasonable number of programs.
  • Confidentiality. Commitment to not sharing consumer information with non-affiliated third parties.

The MMA has also published a Global Code of Conduct for mobile marketers that choose to use user information in order to market their products and services to these users through mobile devices. This Code of Conduct has five elements: Notice; Choice and Consent (requires an opt-in); Customization and Constraints; Security; and Enforcement and Accountability.

Location Information in Commercial Contracts

Commercial contracts related to the provision of location-based services are likely to have complex structures because numerous entities might be involved. These entities could include, for example: (a) telcos (AT&T, Verizon); (b) advertising networks; (c) support (maps); (d) information providers (e.g. traffic information, weather forecasts); (e) optimization technology services (mapping technology, fleet management technology); and (f) search engines.

Handling Personal Information

Most location based services directed to consumers deal with the use of a person’s location to provide the service requested by that person. Protection of privacy is one of the major concerns of most individuals in connection with location-based services and the use of location information. Laws, regulations, and industry practices are creating pressure for companies to address data protection issues. The parties to contracts related to location-based services should negotiate provisions for the collection and protection of data. For example, will the device have the ability to collect personal information? Will performance of the service give the service provider the opportunity to view or access personal information? If personal information is available, what limitations should there be to collection, use, re-use, retention, or destruction of the information? What notice should be provided to individuals about the collection, use, or secondary uses of their information?

Collection of information

The parties should define what personal information the service provider needs in order to furnish the service. For example, to provide map information to the salesperson looking to organize his sales call, the mapping company might need the nature of the query and the geographic location of the device. It would not need to know who placed the query, from which device the query was placed (other than, perhaps the operating system), or to have the actual phone number of the salesperson’s device where he will receive the map. When the minimum information necessary for the provision of the service is identified, the contract would limit the collection of information and access to that information to that which is specified by the client.

Limitation to use of the data

When addressing limitations to the use of the data that are necessary for the provision of the service, or that are created through the use of the service, it might be appropriate to distinguish between different categories of data. While personal information related to billing, invoicing, or account numbers might need to flow freely (although with appropriate restraints to avoid the disclosure of credit card numbers), the location information might be subject to more restrictions. Thus, confidentiality, security, and other clauses that relate to the handling, use, protection, and dissemination of information should address with specificity the different requirements and restrictions depending on the nature of the information to be protected.

Quality; data integrity

The quality and accuracy of the information collected should be ensured. Quality of the information is essential to ensure the quality of the services. It is also crucial for providing the needed help in case of an emergency. The parties should require that those who collect, create, maintain, use, disclose or distribute location information ensure that the information is accurate and complete for the purpose of the contract. Otherwise, the service would furnish inaccurate results, the wrong person would be charged for a product purchase; the wrong route would be displayed on the map, and the ambulance would arrive too late to save the stroke patient.

Confidentiality and security

Adequate security measures should be required to ensure the protection of the personal and other information. Recent events have shown that databases and computer systems are vulnerable to numerous types of attacks. When data are accessed, the individuals or institutions to which the data pertain are at a higher risk of harm. Since several organizations may access or transmit personal or confidential data, the risk of losing or misplacing information grows exponentially. Those who collect or hold the information must make sure that the information is kept secure. Each entity involved in the provision of the service should be required to take appropriate confidentiality and security measures, including an obligation to require their subcontractors to implement the same measures.

Protecting the confidentiality and security of the personal data and company data collected should be a crucial component of any contract associated with the provision of location based services. The contract should define what security measures are to be used in order to protect the location information and the personal information to which the other company may receive access. The measures to be taken should be designed to prevent unauthorized use, access, disclosure, or alteration. The contract clause(s) should provide specific and detailed information such as (1) who may have access to the location information; (2) what restrictions will be placed on organizations that handle location information; or (3) what should be done to ensure the protection of personal or sensitive information at each stage of the services.

The parties may need to tailor the security measures to the nature and type of information collected, used, or stored. For example, anyone with a suitable reader can scan an RFID chip unless adequate measures have been taken to protect the information. Thus, the information on the RFID chip would require special security measures to prevent unauthorized reading.

Data Retention

The parties should evaluate the appropriateness, utility, and risk of preserving the information after the service has been provided. Retention of information should be limited to the period reasonably needed to complete the transaction requested by the consumer, while taking into account the applicable legal requirements. The E-Discovery amendments to the Federal Rules of Civil Procedure create strict data retention requirements. The contract may have to include provisions for cooperation between the parties to ensure compliance with discovery requests. There might be requirements for specific retention periods, such as in the case of credit card transactions. Other laws, such as those that implement the 2006 European Union Data Retention Directive, may also dictate how long information must be retained.

Data Disposal

In addition, at some point, it will be necessary to dispose of the stored data. Experience has shown that devastating security breaches occur at the time of the disposal of information if the appropriate measures are not used for the destruction of the data. State and federal laws such as the FCRA Disposal Rule may require specific provisions to be taken for the disposal of certain categories of data. If no law or specific regulation applies, the use of proper methods for disposing of personal information would nevertheless be required as part of the general duty of care of the holder of the data as a fiduciary. Security standards usually include provisions for the use of appropriate measures to destroy data.

For example, the ISO 27001 standard requires both the secure disposal of equipment and that of the media. Under ISO 27001, all items of equipment containing storage media must be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten before disposal. In addition, media must be disposed of securely and safely when no longer required, using formal procedures.

Rights of individuals; access and modification

Since location-based services use, collect, or process a lot of personal information, the parties should also address whether, how and to what extent individuals (data subjects) will be granted the ability to access the information collected, such as account, transaction or contact information. In addition, individuals may be granted the right to make changes to this information, including changes to marketing permissions. If these rights of access and modification are granted, methods for verifying the identity of the individuals who access the information would have to be implemented to reduce the risk of unauthorized access to personal or confidential data.

Limitations to Use and Re-Use of Information

As always, personal information, purchasing patterns, travel schedules, and the like are of great interest to advertisers. The parties to location-based services should discuss whether any of the entities involved might have access to the data subjects’ contact information or profiles. For those who have access to this information, clear guidelines should be set forth about the ability or not to use or re-use the personal information other than to fulfill the contract.

Clearly defining the limits to the use, reuse, and sharing of personal information is crucial because it has to be cross-referenced with several other documents, such as the privacy policy of the entity that signs up the customer. It also needs to be consistent with each of the service and subcontractor agreements so that discrepancies and unexpected data leaks or misuses are avoided.

Content

Some location-based services rely on the existence of third party content. For example, a phone company may offer customers the latest movie show times. It may display restaurant locations on maps. This content may not be used or displayed without the appropriate license. As part of the pre-contract due diligence, the entity that will use this content to provide the services should verify the service provider’s ability to license and distribute the content for the contemplated purposes. The analysis should include, for example, questions as to the content and scope of the licenses. Do the company’s existing licenses apply to the range of new services to be offered? Does a license for distribution via the Internet also include a license for distribution via handheld device?

Other questions would need to be raised. What content will be provided to the customer’s personnel or clients? What criteria apply to the quality, such as the completeness and accuracy, of the maps being used? What updates will be provided? How frequently should modifications or corrections be made?

Technical Issues

In addition to privacy and content issues, the use of Geographical Information Systems and Global Positioning Systems raises numerous technical issues as well. While the technical teams must first resolve them, these issues also need to be reflected in the related service agreements.

Accuracy

There should be a clear understanding of the technical capabilities of the system, in particular with respect to accuracy of the data. For example, if a delivery truck must deliver packages to several businesses located next-door to each other on a street, will the system be able to analyze the GPS data with sufficient precision to ensure accuracy of reporting? Or will the deliveries to Starbucks coffee shop be mixed with those of Noah’s Bagel, whose store is adjacent?

Integration

Another potential challenge is integration. The companies may face challenges when integrating applications based on GPS or geographical information systems with other applications that must send or receive geospatial data. The product functionalities and the representations and warranties made or received should accurately reflect the understanding and expectations of the parties.

Image resolution

There might be concerns about the quality of the images. There may be circumstances when getting two sets of GPS coordinates to match can be difficult because available maps from different service providers may provide different granularity of image resolution. The shortcomings of the technologies or underlying products should be explained clearly to the customer, and the contract provisions or exhibits should state these issues and limits.

Availability, response times

If an application requires access to certain databases, the continued availability of the database for the life of the contract should be part of the terms and conditions of the contract. There might be a similar need to specify the speed of access and response times, and ensure proper commitments from the database or technology provider.

Cellular coverage

Since these applications may require the use of cellular networks, there should be proper cellular network coverage. While GPS receivers can usually receive GPS signals from satellites, they may not always be able to relay the information to the company’s head office, because of deficiencies in the cellular network.

Use of Subcontractors

Contracts for services rely in great part on the quality of the service provider. An individual or an organization will retain a particular service provider for its reputation and the quality of its work or services. In many cases, the customer has conducted thorough due diligence before choosing one vendor. To ensure that quality standards are maintained, the service agreements should address whether subcontractors may be used, and define what restrictions would be imposed on the use of subcontractors. Consider, for example, the obligations to ensure confidentiality and security of personal and other confidential data, or the restrictions on the uses or reuses of data.

Compliance with applicable laws

A party to a Manufacturing Agreement or Supply Agreement for the provision of RFID or GPS devices may wish to confirm in writing whether or not the deliverable will contain any radio frequency device. If RFID tags are used, the purchaser would need appropriate warranties and representations that the equipment will comply with the applicable FCC requirements.

Liability

As seen above, the information and data to be handled might be highly sensitive. There might be issues with content, and the technologies might have shortcomings. As a result, it is important that the parties agree on the appropriate allocation of liability for errors, delays, or system unavailability. Consider, for example:

Liability for errors in the input

Who should be liable for errors in the collection of the data, or the failure to record incoming data (e.g., the location data, the identity of the data subject) properly?

Liability for errors in the output

Who should be liable for providing inaccurate measures?

Liability for breach of security

Who should be liable for errors caused because of technology glitches that allow data to be accessed by the wrong person?

Conclusion

The availability of location information is rapidly becoming ubiquitous as the underlying technologies become more advanced, cheaper, and more widely distributed. Even recent commercial contracts may predate these developments and will not address many of the questions raised by the new capabilities and the new uses of the information. They should be reviewed to determine whether they need to be revised immediately or can wait until their next renewal, but they will certainly need to be updated to cover at least some of the issues discussed above.

Remaining in Safe Waters

Posted by fgilbert on June 7th, 2010

How to Ensure Continued Compliance with The Safe Harbor Requirements

The Safe Harbor created by the US Department of Commerce and the European Commission provides a convenient way for US companies with limited global transactions to address the “adequacy” requirement under the national laws of the European Union Member States. Being self-certified under the US Department of Commerce Safe Harbor allows them to reduce the amount of red tape that usually accompanies the transfer of personal data from a European Union Member State, an EEA Member State, or Switzerland to the United States.

However, the initial self-certification filing is only one of many obligations. In order for the self-certification to remain valid, the company must re-certify its compliance with the Safe Harbor Principles each year and pay the related fee to the Department of Commerce. When a company wishes to renew its self-certification, it must go through the same due diligence as for the initial filing, and… much more.

Initial Self-Certification

Self-certification of a company’s compliance with the Safe Harbor Principles is a multiple-step process. In order to prepare for the filing of the required documents with the US Department of Commerce, the company must go through a comprehensive analysis and evaluation that is necessary and appropriate to self-certify that its privacy policies and procedures comply with the Safe Harbor Principles.

In its self-certification papers, the company represents that it does have the policies and procedures described in these documents. An “omission” or a misrepresentation exposes the entity to severe penalties for breach of Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

Re-certification Process

Many companies are unaware of the extensive requirements and commitments that attach to the filing of the re-certification documents. These documents must be signed and approved by a corporate officer of the company (typically the CEO or the General Counsel), and must attest and verify that the company is complying with specific requirements. Thus, it is very important to pay attention to the many legal requirements that are associated with the recertification process.

As with the initial filing, an error in the re-certification documents exposes the entity to enforcement action and severe penalties. The “error” could be found to be a “misrepresentation,” and the company might be sued under Section 5 of the FTC Act for unfair or deceptive practices.

Annual Verification

The documents that are to be filed with the US Department of Commerce as part of the renewal of the certification must verify the following:

  • The published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented, and accessible;
  • The privacy policy conforms to the Safe Harbor Principles;
  • Individuals are informed of how complaints are handled, and the independent mechanisms through which they may pursue complaints;
  • The organization has in place procedures for training employees in its implementation, and disciplining them for failure to follow it;
  • The organization has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Audit or Assessment

In order to be comfortable signing this statement, it is prudent that an “audit,” “privacy assessment,” or “compliance review” be conducted. This audit should allow the company to verify, and be satisfied, that the statements and commitments made in the privacy policy are accurate, that appropriate training is conducted, and that a dispute resolution procedure is in place.

Companies may elect to conduct this audit internally. Law firms and consulting firms that focus on information privacy and security matters also conduct these audits.

Companies should not wait until the last minute to conduct or have conducted this audit. They must plan sufficient time to address any of the deficiencies that the audit might have identified. Otherwise, the representations made in their self-certification renewal papers would be inaccurate, misleading, or fraudulent.

Record Keeping

In addition to the representations listed above, the Department of Commerce requires companies to retain appropriate records on the implementation of their Safe Harbor privacy practices. In other words, not only must a company represent that it has in place the required processes, procedures and policy, but it must also have a written record that documents the investigation conducted, the deficiencies identified, and the actions taken.

These records are to be made available upon request in case of an investigation or a complaint about non-compliance, or investigation about unfair and deceptive practices by a law enforcement agency – most likely the Federal Trade Commission.

FTC Enforcement – Twenty-Year Injunction

The FTC has already conducted enforcement actions and has prosecuted businesses for their misrepresentations in connection with Safe Harbor self-certification. These companies were charged for falsely claiming that they held current certification under the Safe Harbor program. See, for example, this consent agreement (pdf): http://www.ftc.gov/os/caselist/0923137/091006worldinnovatorsagree.pdf

The consent decrees with each of these businesses include reporting requirements, whereby marketing and advertising documents claiming compliance with the Safe Harbor principles must be filed with the Commission. In addition, each company is enjoined for 20 years from misrepresenting in any manner that it complies with or adheres to any privacy, security, or other compliance program sponsored by the US government or any other entity.

For more information

For additional information on the Safe Harbor, see Chapter 9 of Francoise Gilbert’s two-volume treatise Global Privacy and Security Law.

What Limits for Behavioral Targeting

Posted by fgilbert on June 4th, 2010

An individual uses a travel site to check hotels in New York, but does not book any hotel room. Later the individual visits the website of a local newspaper to read about the Chicago Cubs baseball team. While on the newspaper’s website, the individual is served an advertisement from an airline featuring flights from Chicago to New York. The method used to develop the consumer’s profile – someone interested in travelling to New York from his home base in Chicago – in order to serve target ads is named “behavioral advertising” or “behavioral targeting.”

Behavioral targeting is a marketing technique that tracks a user’s online activities over time in order to build a profile of that individual and to deliver advertising that is targeted to the assumed interests of this individual. The information about a user is collected through a combination of cookies and pixel tags. It could include what searches were conducted, what pages were visited, how long she stayed on a particular page, and which links or advertisements she clicked. This information may then be combined with other information about that individual, such as her geographic location. It is then shared with advertisement networks, which serve advertisements at websites across the Internet.

Many consumers and advocacy groups are concerned about the privacy issues that are associated with such practices. For example, the manner in which the consumer information is collected is not visible to the consumer. Further, sensitive information regarding health, finances, or children could be used for unanticipated purposes.

The Federal Trade Commission has conducted studies, published reports, and presented testimony before a Committee on Commerce, Science and Transportation in Congress. In December 2007, it published proposed “Online Behavioral Advertising Privacy Principles”, indicating that it was seeking comments. In February 2009, the FTC issued a report describing its ongoing examination of online behavioral advertising and setting forth revised proposed principles to govern self-regulatory efforts in this area. The 2009 Report is available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.

The report discusses the privacy concerns raised by behavioral advertising. It notes that companies must still comply with all applicable privacy laws, some of which may impose requirements that are similar to those established by the principles. The report sets forth four revised principles.

Transparency and Consumer Control:

Websites are expected to provide clear, concise, consumer-friendly, and prominent notice regarding behavioral advertising, and an easily accessible way for consumers to choose whether to have their information collected for such purpose. The report encourages the development of creative and effective disclosure mechanisms that are separate from their privacy policies.

Reasonable Security and Limited Data Retention:

Companies are urged to provide reasonable security for any data they collect for behavioral advertising and to retain data no longer than is needed in order to fulfill a legitimate business or law enforcement need.

Affirmative Consent for Material Changes to Existing Privacy Promises:

Before a company can use previously collected data in a manner that is materially different from the promises that the company made when it collected the data, it should obtain affirmative express consent (opt-in consent) from the affected customers.

Sensitive Information:

Companies are urged to obtain affirmative express consent before collecting sensitive information for behavioral advertising. While financial information, information about children, health information, and Social Security numbers traditionally have been considered “sensitive information,” the FTC encourages stakeholders to develop more specific standards to address this issue.

Next steps: In its press release accompanying the report, the FTC notes that the February 2009 document is only part of an ongoing process, and that significant work in this area remains. The FTC intends to evaluate self-regulatory programs and to conduct investigations, where appropriate, to determine whether practices violate Section 5 of the FTC Act. In his comments accompanying the updated principles, FTC Commissioner Jon Leibowitz noted that “industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our Commission…. Put simply, this could be the last clear chance to show that self-regulation can – and will – effectively protect consumers’ privacy in a dynamic online marketplace.”

Companies need to pay close attention to behavioral targeting issues and must update their privacy statements in order to reflect their actual practices accurately. To the extent that they do use behavioral advertising techniques and collect information about their users’ behaviors, they should give them the opportunity to choose whether to have their information collected for such purpose.

HIPAA Security Rule

Posted by fgilbert on June 4th, 2010

On February 20, 2003, the U.S. Department of Health and Human Services (HHS) published the final draft of the new National Standards for Safeguards to Protect Personal Health Information that is maintained or transmitted electronically (“Security Rule”). Required as part of the administrative simplification provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these standards are separate from, and in addition to, those set in the HIPAA Privacy Rule.

Most covered entities have until April 21, 2005 to comply with the standards; small health plans have an additional year to comply.

The Security Rule lists measures that health plans, health care clearinghouses, and health care providers (“covered entities”) must take to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form in their custody, or while transmitting it to third parties. These measures include Administrative, Physical, and Technical Safeguards, Organizational Requirements, and Policy, Procedure and Documentation Requirements. The Security Rule labels these measures as “standards” and “implementation specifications.”

In all cases, each covered entity must meet the standards. Each standard is associated with Implementation Specifications, which are either “required” or “addressable.”

Required Implementation Specifications must be implemented by all covered entities.

Addressable Implementation Specifications allow some flexibility. Each organization must decide whether the security measure to apply fits within its particular security framework. Based on its evaluation of its specific circumstances, each covered entity can (1) implement the specification if reasonable and appropriate; (2) implement an alternative security measure to accomplish the purposes of the standard; or (3) not implement anything if the specification is not reasonable and appropriate and the standard can still be met.

The nine Administrative Safeguards include requirements for implementing a Security Management Process, assigning Security Management Responsibility, and establishing Workforce Security. A covered entity must implement Information Access Management, and Security Awareness and Training. Formal, documented Security Incident Procedures must be in place to ensure that security violations are reported and handled promptly. A Contingency Plan must be in effect for responding to system emergencies. As with the Privacy Rule, the covered entity must obtain Satisfactory Assurances from its Business Associates that each of them will appropriately safeguard the information in accordance with the Security Standards. Finally, to demonstrate and document its compliance with the entity’s security policy and the other requirements of the Security Rule, the covered entity must periodically conduct an Evaluation of its security safeguards.

The four Physical Safeguards include Facility Access Controls, controls on Workstation Use and Workstation Security, and controls on other Devices and Media. For example, a covered entity must implement policies and procedures to document modifications to the physical components of a facility that are related to security, such as hardware, walls, doors, and locks. In addition, each organization must put in place physical safeguards to secure workstations, and control the use of other devices and media. This would involve policies and procedures that govern the receipt and removal of hardware and/or software (for example, diskettes and tapes) into and out of a facility.

Five Technical Safeguards require policies and procedures for Access Control, Audit Control, ensuring the Integrity of the protected health information, a Mechanism to Authenticate the persons or entities sending the data, and Transmission Security.

The Security Rule includes, in addition, requirements for the Implementation of the standards. Final responsibility for a covered entity’s security must be assigned to one Official who will manage and supervise the use of security measures to protect data, and the conduct of personnel in relation to the protection of data. The covered entity must implement written policies and procedures to comply with standards and implementation specifications, and review these policies and procedures periodically and update them as needed. The covered entity must also document in writing its actions, activities, or assessments taken or conducted. All documentation must be retained for 6 years from date of creation or from date when last in effect.

The Center for Medicaid and Medicare Services (CMS) is responsible for implementing and enforcing the Security Rule, whereas HHS’ Office for Civil Rights is responsible for implementing and enforcing the Privacy Rule.

The Security Rule works in concert with the final Privacy Rule, which was adopted by HHS in its final form in August 2002, and took effect for most covered entities on April 14, 2003. The HIPAA Privacy Rule defines the authorized or required uses of PII, and the patients’ rights with respect to their PII. The HIPAA Privacy Rule is available at: http://www.hhs.gov/ocr/hipaa/finalreg.html.

The HIPAA Security Rule resides in part 164 of subchapter C of title 45 of the Code of Federal Regulations. The complete text of the final Security Rule is available at http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage.

Information Privacy And Security Current And Emerging Issues In The United States

Posted by fgilbert on June 4th, 2010

Not so long ago, the Internet was a separate world. We distinguished e-commerce and other activities in “cyberspace” from those that were conducted in the brick and mortar world. Today, most companies are exploiting at the same time, and to the fullest extent possible, all of the vast resources that are available through the Internet, the World Wide Web and otherwise.

Concurrent with the convergence of cyberspace with the brick and mortar world, telephone and information technologies are converging.  From one single device, we can make calls, send emails, browse the web, review our documents, and even pay for our lattes.  With this convergence, and the ubiquitous need for access to personal information databases, data protection issues have gained greater importance.  Without customer information, companies cannot create products adapted to client needs or target the right client for a sale.

However, holding personal information without adequate safeguards may lead to disaster.  Companies have lost goodwill, to the point of bankruptcy, for having failed to address privacy and information security issues.

This article will look at selected current issues and trends in information privacy and security.

Current Issues

  • Accountability for Proper Security

While information privacy and security concepts were first developed in the early 1970s, it is only with the enactment of the modern data protection laws, such as GLBA and HIPAA, that certain markets became aware of, and were required to implement, security safeguards to protect the confidentiality, integrity, and authenticity of personal information. Today, this requirement has been extended to all companies that hold sensitive personal information. The Federal Trade Commission has made it an “unfair practice” under Section 5 of the FTC Act to hold personal data without providing adequate security. California law requires companies that hold social security numbers or bank account numbers in combination with the first and last name of individuals to implement “reasonable security measures.” It also requires these companies to impose the same requirement in their contracts with their service providers.

The liability thresholds have also been raised by a recent Minnesota law, which became effective in the summer of 2007. Under this new law, companies that retain credit card data after receiving the authorization of the transaction will be held strictly liable for any damages caused by a breach of security. If data have been exposed, liability will follow without a plaintiff having to prove that the business was negligent. Damages will include the cost of “reasonable actions undertaken” by financial institutions to respond to the breach, such as the costs to cancel or reissue any access device affected by the breach; close accounts affected by the breach and take any action to stop payments or block transactions with respect to the accounts; open or reopen accounts affected by the breach; make any refund or credit to a cardholder to cover the cost of unauthorized transactions related to the breach; and notify the cardholders affected by the breach. The financial institution will also be entitled to recover the costs of damages that it paid to cardholders injured by the breach. Businesses will also be responsible for violations by their service providers.

Security to protect personal information has also been required under the laws that have implemented the 1995 European Union Data Protection Directive. US companies that wish to self-certify under the Safe Harbor, or that are contemplating the use of the Model Contracts, must ensure that they do have security measures in place, and that their service providers do the same.

Failure to have adequate security measures is likely to lead to security breaches, which US companies are required to report to the affected parties, clients or employees, under the Security Breach Notification Laws enacted in over 40 States. Japanese companies have the same obligation. The European Union is said to be contemplating revisions to its laws to implement a similar requirement, as well.

  • E-Discovery, Records Retention and Destruction Issues

The need for adequate security measures and document control is also created by the new E-Discovery rules that result from a recent amendment of the US Federal Rules of Civil Procedure, which were adopted after several well-reported cases took unexpected turns when the parties battled each other over the production of evidence. The courts questioned the quality and completeness of the files produced and the all-too-convenient loss, misplacement, or destruction of electronic evidence that was key to the case.

In the employment discrimination case Zubulake v. UBS Warburg, 220 F.R.D. 212 (SDNY 2004), which spanned several years (because of evidentiary issues), for example, the court ruled that the employer had willfully deleted relevant emails despite contrary court orders. The court granted the plaintiff’s motion for sanctions and ordered the employer to pay costs because it had failed to locate relevant information, to preserve that information, and to timely produce that information.

The amendments to the Federal Rules of Evidence, recently adopted, create a new regime for litigation in an era where emails and other electronic documents constitute a crucial component of the litigants’ case.  Organizations have to take affirmative steps to prevent spoliation of electronic evidence, negligent or intentional.  They must guarantee that identified relevant documents are preserved by placing a “litigation hold” on the documents, communicate the need to preserve them, and arrange for safeguarding of relevant archival media.

U.S. courts will not hesitate to impose sanctions for spoliation of electronic documents, even if it results from document mismanagement.  In this new era, companies have to address document retention and preservation issues.

Companies must take affirmative steps to implement appropriate Enterprise Security Programs that ensure that the location of all documents is known, and that these documents are protected and only destroyed according to appropriate policies. When a suit is filed, they must ensure that all sources of discoverable information are retained and produced.

  • Proper Treatment of Customer Databases in Corporate and Commercial Transactions

Due diligence and other checklists for corporate or commercial transactions have also evolved with the current data protection trends.  A company can no longer simply transfer or license its database of customer information.  Both parties to the transaction must first ensure that the transfer is not prohibited.  They must review each other’s privacy policies.  This duty is imposed on both parties.

In a recent case where a database of personal information was used in connection with a services agreement, the client was found to have an obligation to verify that its service provider had the right to use the personal information it was using to provide the service. Relying only on a mere representation or warranty in a contract was deemed insufficient. (http://files.ali-aba.org/thumbs/datastorage/lacidoirep/articles/PL_ACFF154_thumb.pdf)

In that case, the company was in the business of sending emails to consumers.  In order to promote the products and services of its advertising clients, it obtained the email addresses from list providers, which had gathered these lists through a variety of means.

The New York Attorney General’s investigation of the provenance of these marketing lists revealed that some of the company’s list providers, on their own websites, had promised consumers they would NOT sell, rent, or share their information to or with third parties.  On the other hand, the company represented on its website that recipients of its email campaigns “have all requested to receive information about products and services”.

In its March 2006 settlement, the company agreed to pay $1.1 million as penalties, disgorgement, and costs. Reliance on the list provider’s representations or warranties that the use of the contact information was permissible was found insufficient, on its own, to fulfill the obligation of an independent review.  The settlement agreement stated that the party that is acquiring personal information must first independently confirm that such acquisition is permissible under relevant seller privacy policies.  It must independently review all applicable privacy policies that were in effect when the information was collected, and independently confirm that such policies clearly disclosed that the information collected would or might be shared.  In the absence of such explicit terms, it must confirm, through first-hand investigation, that consumers affirmatively opted-in to permit such sharing.

It is therefore recommended that, in the event of a corporate or commercial transaction that involves personal information, the recipient of this information (a) conduct due diligence; (b) conduct a thorough review and analysis of the co-contractor’s or target’s information privacy and security policies and practices; and (c) not rely solely on written representations and warranties.

  • Outsourcing, outsourcing, outsourcing

Many US companies continue to feel that “outsourcing, outsourcing, outsourcing” is the key to success. “Outsourcing,” here, encompasses IT outsourcing, Business Process Outsourcing, Legal Process Outsourcing, Offshoring, and similar agreements. Indeed, outsourcing might provide savings, efficiencies associated with standardization, and attractive balance sheets; but it presents great risks for client and employee personal information.

Poor privacy and information security safeguards have caused great losses, embarrassment, and loss of goodwill when outsourcers or service providers failed to use adequate security. For example, Master Card, Visa, Discover, American Express and other large financial institutions were forced to reissue cards, pay for credit record monitoring services, and rebuild customer trust when a hacking incident at their service provider Card Systems caused the compromise of 40 million credit card numbers. (http://money.cnn.com/2005/06/17/news/master_card/index.htm)

When outsourcing contracts involve providing or giving access to personal information, thorough due diligence is essential to investigate the privacy awareness and security practices of the potential service providers.  Comprehensive and detailed contracts must define safeguards and other mechanisms to ensure adequate security for protected personal information, and compliance with privacy laws.  During the performance phase, companies must keep monitoring the performance of their vendor.  Failure to seriously address privacy and security concerns during these three phases (due diligence, contracting, and performance) would create exposure to great liability.  Several US laws and current jurisprudence require companies to ensure the protection of certain personal information in their custody, and this obligation extends to the subcontractors and service providers of these entities.

Emerging Issues

As we are moving into the Web 2.0 era, and we are seeing the emergence of new uses of technology that seem to be stepping out of science fiction books, numerous legal issues are being raised.  Information privacy and security are likely to continue to be a top concern and priority.  Consider, for example, the following trends:

  • New Advertising models.  The customers’ footsteps are tracked to serve “better content,” more adapted to the customer’s needs.
  • Digital rights management.  These systems track customer uses.  What song or movie is accessed, when, how, where from which machine?
  • Social engineering.  My Space, Facebook are providing forums for disclosing the undisclosable.
  • RFID, GPS, and location-based services allow tracking of individuals, and cause serious privacy and security concerns (Nowhere to Hide, by Francoise Gilbert, http://itlawgroup.com/privacy_publications.html)
  • Mobile web.  Advertisements sent to cellphones.  Electronic payments made easy.  Customers tracked everywhere.  Privacy might be achieved only by turning off the device.
  • Second Life.  Do avatars have feelings, and … a right of privacy?

While most of the emerging trends above are exciting, creative business activities, certain practices might have dramatic consequences for personal privacy.  In addition, current practices might also take a sour turn.  For example, as the cost of living increases in India or Eastern Europe, where many companies have outsourced their call centers, so does the cost of the personnel entrusted with the delicate missions outsourced to them.  If the outsourcer cannot increase the fees paid by its American client, it may attempt to unload the engagement elsewhere, transferring its work to others with lower wages, and possibly weaker privacy or security practices and awareness.

Conclusion

The information and communications technologies that were created at the end of the twentieth century are becoming very powerful and creating new opportunities.  Physical and geographical boundaries are crumbling, allowing for greater exchange.  Individuals seem to become more empowered.  The blogger becomes a journalist, the YouTube user a movie star.  The Second Life avatar can be a superhero.  However, in this emerging world where individuals seem more valued and powerful, privacy might be under attack and security might be endangered.  Legal issues will abound.