1. Privacy for Social Media and
Location-Based Services
John L. Nicholson
Counsel, PWSP
Washington, DC
John.Nicholson@PillsburyLaw.com
Telephone: (+1)202-663-8269
www.virtualworldlaw.com
Pillsbury Winthrop Shaw Pittman LLP
2. The good news and the bad news -
I’m a lawyer…
I’m from Washington …
and I’m here to help you.
1 | Privacy for Social Media and Location-Based Marketing
3. What We’ll Cover
Privacy Laws
Current status of global privacy laws,
Recent regulatory concerns and guidance for social media and location-based
services
What might happen
Creating Privacy Policies and Privacy by Design
2 | Privacy for Social Media and Location-Based Marketing
4. Where We Stand on Privacy Laws
“Where you stand depends on where
you sit.”
- Nelson Mandela
3 | Privacy for Social Media and Location-Based Marketing
5. Asia (General) – EU-style
privacy law, APEC Japan – EU-style
Canada – EU-style privacy law
privacy law (PIPEDA) Australia / NZ –
EU-style privacy law
US – “Harm”-based,
sectoral privacy law China – EU-style
privacy law
Mexico – EU-style
privacy law Russia – EU-style
Argentina – privacy law
EU-style
EU – Most stringent
privacy law
privacy law
S. America (General) –
Switzerland – EU-style
Privacy law developing
privacy law
Dubai – EU-style
Africa (General) –
privacy law. 1st Israel – EU-style
Privacy law not
in Middle East privacy law
developed
4 | Privacy for Social Media and Location-Based Marketing
6. What Is “EU-style” Privacy Law?
Views personal information as being owned and controlled by data
subject
Much broader definition of personal information
Effectively any uniquely identifying data
Comprehensive approach based on “privacy principles”
Principle 1: Collection Limitation
Principle 2: Data Quality
Principle 3: Purpose Specification
Principle 4: Use Limitation
Principle 5: Security Safeguards
Principle 6: Openness
Principle 7: Individual Participation
Principle 8: Accountability
Enacted by EU Parliament and then enacted into member state law
by each state – so each is slightly different
5 | Privacy for Social Media and Location-Based Marketing
7. Why Should You Care About the EU Approach?
Your customers in countries with EU-style privacy laws do
And even if they don’t, the regulators in those countries do
2010 – Google executives CONVICTED in Italy for violating privacy law by failing to
take video off YouTube quickly enough
Was posted for 2 months
Taken down within 2 hours of notice from Italian police
2010 – Many countries investigate Google for capturing personal information as
part of Street View project
2011 – South Korea considering prosecuting Google for privacy violations related
to Google Street View
6 | Privacy for Social Media and Location-Based Marketing
8. What is US “Harm”-Based Approach
Views personal information as commodity to be bought, sold and traded
Applies limits only where “harm” is identified
Financial information (GLBA)
Health information (HIPAA)
Children’s information (COPPA & FERPA)
Social security numbers
Drivers license numbers
Telephone / email records
Video rental / library records
Etc.
State data breach notification laws
California
Patchwork framework
Some states now adding medical information
However, US is moving towards a more comprehensive, holistic definition of
“harm,” broader definition of PII, broader security obligations
7 | Privacy for Social Media and Location-Based Marketing
9. Massachusetts
New Massachusetts law requires employers to tell workers w/in 10
days about any info placed in employee’s personnel file that has been
or may be used to negatively affect the worker’s job
Employee also has right to review or get a copy of records w/in days of request up
to 2x/year
Limit does not apply to the notice and review of negative entries
Failure could lead to fine between $500 and $2,500 per incident
Could cause problems for employers during other employment litigation. If
discovery reveals that employer failed to comply, could hurt the employer’s
credibility
Documentation dilemma
Attorneys tell clients to document employee issues as much as possible,
just in case the issues go to litigation
New law makes putting relatively innocuous information into a personnel
file a much more-provocative event. Now a note in a file carries the risk of
upsetting employee
“I hope you know that this will go down on your Permanent Record.”
8 | Privacy for Social Media and Location-Based Marketing
10. Massachusetts
“Standards for the Protection of Personal Information of Residents
of the Commonwealth” (201 Mass. Code Regs.§ 17.00)
Who Must Comply?
“…persons who own, license, store or maintain personal information
about a resident of the Commonwealth of Massachusetts.”
A presence in Massachusetts is not required to be liable under the
Regulation.
Requires organizations to develop, implement, maintain and monitor a
comprehensive, written information security program for records containing
personal information (“Program”).
Regulations allow for flexibility to tailor each organization’s Program.
See
http://pillsburylaw.com/siteFiles/Publications/F829298BD2AC6409DF6C9A9B
38A21998.pdf
9 | Privacy for Social Media and Location-Based Marketing
11. Getting From There to Here
From the EU
Exporting personal information from the EU to another country is only allowed if the
receiving country has data protection laws that have been found “adequate” by the
EU DPA
The US is not one of those countries
Without express consent, exports of personal information from the EU to the US
are enabled under three regimes:
Model clauses – efficient for two-party transactions
Binding Corporate Rules – good theory, difficult to implement
Safe Harbor – efficient for multi-nationals/multi-party transactions
Some dissatisfaction in EU regarding Safe Harbor
From Canada
Contractual obligations to comply with PIPEDA protections
10 | Privacy for Social Media and Location-Based Marketing
12. Regulatory Concerns & Guidance
FTC Staff Report “Self-Regulatory Principles for Online Behavioral
Advertising”
Published Feb. 2009
Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf
Proposed four principles for handling online behavioral profiling:
Transparency and control
Reasonable security and limited data retention
Must obtain affirmative express consent before information is used in a way
that is materially different from that authorized in a privacy statement
Must obtain affirmative express consent before using sensitive data (e.g., data
about children, health or finances) in advertising
Expressed concept that PII is becoming broader than traditional definition and
could include things like IP address
FTC is becoming concerned about creation of data profiles that uniquely identify a
person despite lack of specific, traditional PII
11 | Privacy for Social Media and Location-Based Marketing
13. Regulatory Concerns & Guidance
FTC Staff Report – “Beyond Voice – Mapping the Mobile Marketplace”
Published April 2009
Available at http://www.ftc.gov/reports/mobilemarketplace/mobilemktgfinal.pdf
Key privacy/security findings on LBS:
Contrast between automatic, ubiquitous nature of LBS and cookies or
telephone call logs that are created when consumer takes action
Confusion over identity of controller of location information
Confusion over application of current legal structure
Customer Proprietary Network Information (CPNI) rules
Apply to location information BUT
Do not apply to non-telecom carriers AND
Protect account holder, which may not be user of mobile device
Notice & Consent
Banner ad vs. disclosure to third party
Frequency of notice issues
Children’s use
International issues (e.g., EU data retention requirements)
12 | Privacy for Social Media and Location-Based Marketing
14. Regulatory Concerns & Guidance
FTC Preliminary Report “Protecting Consumer Privacy in an Era of
Rapid Change”
Published Dec. 2010
Available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
Key findings:
Expands concept of “harm” from just economic
Endorses “do not track” concept
Promotes idea of “privacy by design”
Companies should incorporate substantive privacy protections into their
practices, such as data security, reasonable collection limits, sound
retention practices, and data accuracy.
Companies should maintain comprehensive data management
procedures throughout the life cycle of their products and services.
13 | Privacy for Social Media and Location-Based Marketing
15. Regulatory Concerns & Guidance
Dept. of Commerce “Green Paper” – “Commercial Data Privacy and
Innovation in the Internet Economy: A Dynamic Policy Framework
Published Dec. 2010
Available at
http://www.ntia.doc.gov//reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf
More commerce and policy oriented
Recommends application of “Fair Information Privacy Principles”
Does not address privacy by design or privacy enhancing technologies
EU “Communication” – “A comprehensive approach on personal data
protection in the European Union”
Published April 2010
Available at
http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
Focuses on rapid rate of change in technology
Goal is to focus on improving protection of personal privacy, increasing
transparency (including for children), enhancing control over own information
(including “right to be forgotten”), strengthening rules on consent, and extending
enforcement powers and sanctions.
14 | Privacy for Social Media and Location-Based Marketing
16. Additional Guidance
CTIA – “Best Practices and Guidelines for Location-Based Services”
v.2.0 published March 23, 2010
Available at http://files.ctia.org/pdf/CTIA_LBS_Best_Practices_Adopted_03_10.pdf
Focuses on notice and consent
LBS providers must ensure ability of users to receive meaningful notice
LBS providers must ensure users consent and recognize that LBS providers
bear burden of demonstrating consent
Users must have right to terminate consent at any time
Sample policies available at
http://www.ctia.org/business_resources/wic/index.cfm/AID/11924
EFF – “On Locational Privacy, and How to Avoid Losing it Forever”
“build systems which don’t collect the data in the first place”
15 | Privacy for Social Media and Location-Based Marketing
17. So What’s Congress Up To?
Last Congress -
Two privacy bills
H.R. 5777 – “Building Effective Strategies To Promote Responsibility
Accountability Choice Transparency Innovation Consumer Expectations and
Safeguards Act” (The Best Practices Act)
Boucher/Sterns Privacy Bill
Contemplating definitions of personal information that are broader than are
currently used in US and more like EU (IP address has been mentioned)
Several data security bills
H.R.2221 Data Accountability and Trust Act / S.3742 Data Security and
Breach Notification Act of 2010
S.1490 Personal Data Privacy and Security Act of 2009
S.3579 Data Security Act of 2010
S.3742 -- Data Security and Breach Notification Act of 2010
Each contains requirements for data aggregators and for protection of personal
information, as well as data breach notification obligations
16 | Privacy for Social Media and Location-Based Marketing
18. What’s Likely?
Window of about 8 months before 2012 election gridlock
Leading House Republicans are interested in privacy
Joe Barton (R-TX) - Leading Republican on the Energy and Commerce Committee
Cliff Stearns (R-FL) – House Subcommittee on Communications, Technology, and
the Internet
Still, not much likely on a big scale - smaller pieces might get through
Electronic Communications Privacy Act reform - Tech industry and DoJ both want
clarity on rules related to law enforcement searches of e-mail messages and
documents stored in the cloud
Web tracking and Privacy
Several Republicans opposed it in 2010; FTC has endorsed it
FTC likely to revise COPPA regulations - Likely to expand definition of PII
States likely to keep moving forward
Europeans likely to put more pressure on US – either through
multinationals or US gov’t – to protect EU consumer data
17 | Privacy for Social Media and Location-Based Marketing
19. Creating Privacy Policies and Privacy by Design
18 | Privacy for Social Media and Location-Based Marketing
20. Drafting and Implementing a Privacy Policy
Privacy decisions are operational decisions
Privacy statement is a contractual commitment with the user that may
be enforced by the FTC or other regulatory agencies
Copying the privacy statement from another company is not a good
idea
Technically copyright infringement
Assumes that the copied policy is worth copying
Assumes that you’re doing business in the same way that company is
19 | Privacy for Social Media and Location-Based Marketing
21. Privacy Statement for Social Media and LBS
General Privacy Statement Obligations
Notice - Must be provided in plain language; must not be misleading
Choice
LBS or other identifying services (e.g., photo-tagging) should be opt-in
Use of information for purposes not originally identified requires new consent
Distinction between account holder consent and user consent
Users should be able to withdraw consent and information about them should
be removed
Onward transfer – Describe third parties to whom information is provided
Security – Commit to security of information
Access – Users should be able to see information you’ve collected about them (if
you keep it)
Children’s information raises additional issues
COPPA
20 | Privacy for Social Media and Location-Based Marketing
22. Facebook Places
Opt-in Service
Unlike Beacon, which was opt-out
Facebook users can “place” tag friends who have not signed up for Places, BUT
tags do not become active until tagged individual approves them
Assumption is that people will sign up
Privacy by Design
Best implementation would be to reject Place tags for anyone who has
not activated the service, but provide incentives to turn it on
Better implementation would be to only hold Place tags for non-users for
limited period of time then delete them
Facebook users can check other users into locations (2nd party tagging)
2nd party check-ins can be manually deleted
Individual friends can be blocked from 2nd party check-ins
2nd party check-ins can be blocked completely
Privacy by Design - Best implementation would be that 2nd party check-ins are
blocked by default and must be turned on, but provide incentives to turn it on
21 | Privacy for Social Media and Location-Based Marketing
23. Facebook Places (cont)
Default is “friends only”
Leakage to “friends of friends”
Special protections to limit access to information for members under 18 to friends
only
The Unspoken Problem
Facebook limits membership to age 13 and over.
According to industry, most popular games among U13s are Facebook games
According to Center on Media and Child Health:
60 percent of children ages 10 to 14 have cell phones
22 percent of children 9 and younger have cell phones
22 | Privacy for Social Media and Location-Based Marketing
24. Facebook Photo Tagging & Facial Recognition
Facial Recognition & Tagging
When a user can tag friends in an album, Facebook will use its facial recognition
technology to group similar faces together and automatically fill in the "Who is
this?" box with its suggestion
Users can log in and remove tags
Users can opt out of Tag Suggestions by going to their privacy settings and
disabling the "Suggest photos of me to friends" feature
Individuals being tagged in a photo do not have to have a profile on
Facebook
Privacy by Design:
No tagging people without Facebook profiles
Users can opt-in to photo tagging – provide incentives for opting in
Multiple options for tag approval – provide incentives for increasing access
Universal
Selective (white list or black list)
Approval required
23 | Privacy for Social Media and Location-Based Marketing
25. Comments and Questions?
Thank you for listening.
24 | Privacy for Social Media and Location-Based Marketing