Hengesbaugh
1. E-Commerce: Latest Developments in Consumer Privacy
Brian Hengesbaugh
Baker & McKenzie (Chicago office)
312-861-3077
brian.hengesbaugh@bakernet.com
www.bakernet.com/ecommerce
2. “BIG PICTURE”
• State Law Developments
• Information Security Programs
• Privacy Considerations in Developing and Managing a Website
Baker & McKenzie -- Global E-Commerce Law
3. STATE LAW DEVELOPMENTS
• Legal Context
– GLB, FCRA, HIPAA all minimum standards
– States invited to do more, so long as not “inconsistent”
– States as laboratories
4. Post September 11
• Legislative Interest in Privacy
– 750+ state privacy bills
– 50+ state financial privacy bills
– 85+ federal privacy bills
5. Vermont Regulation
• Financial and Health Information
• Opt-in for nonaffiliate sharing
• Legal challenge by ACLI, AIA, and more
– exceeds authority
– violates intent of law
• Chances of success???
6. New Mexico Regulation
• Financial and Health Information
• Opt-in for nonaffiliate sharing
• Any legal challenge?
7. California, Illinois, New York, and others considering more
– Opt-in measures for nonaffiliate sharing
– Limits on sharing within affiliated groups (e.g. prior CA bill)
– Driving force for federal preemption?
– Financial privacy commission and moratorium on new state laws (HR 3068)
8. California -- Social Security Numbers
• Restrictions on:
– transmitting SSNs over Internet
– printing SSNs on mailed materials
• July 1, 2002 implementation, but grandfather for existing practices if:
– continuous
– notice of right to opt-out
– individual does not opt-out
9. INFORMATION SECURITY PROGRAMS
• Final Interagency Guidelines Establishing Standards for Safeguarding Customer Information (February 1, 2001)
• FTC Proposed Standards for Safeguarding Customer Information (Comment Period Closed October 9, 2001)
10. Focus on Process
• Due diligence is 90% of the battle (checklist)
• STEP 1: Conduct comprehensive assessment that examines:
– internal and external threats
– sensitivity of data
– potential damage
11. Focus on Process (cont.)
• STEP 2: Assess sufficiency of existing policies and procedures:
– access controls on systems and encryption
– physical access restrictions
– automatic reviews of system modifications
– technological and environmental hazards
– Subjective standard: “. . . adopt those measures the bank considers appropriate”
12. Focus on Process (cont.)
• STEP 3: Take appropriate organizational and administrative actions:
– written information security program
– involve board of directors
– implement a system for regular testing
– information security officer
– service provider arrangements*
13. Service Provider Arrangements
• Due diligence in selecting SPs
• Establish contract to meet “objectives” of Guidelines*
• Where appropriate, ongoing monitoring (or review SAS 70 or similar report)
14. Contract with SPs
• Key Issues:
– Appropriate measures to meet “objectives” of Guidelines (full compliance not required) (e.g., board of directors)
– Overly strict limits on use and disclosure
– Scope of “information” covered
15. WEBSITE PRIVACY ISSUES
• Context: entire privacy and consumer protection legal framework PLUS online application of that framework
• FTC and State AG dedication to enforcement
16. Website Privacy Issues
• Passive and active collection
• Relationships with third parties
• Satisfying GLB notice requirements
• Jurisdiction
17. Passive and Active Collection
• Passive collections -- cookies, web bugs, IP addresses, clickstream data, etc.
– “wooden” obligations to notify under GLB
– broader notification obligations under consumer protection statutes (e.g. Michigan AG and New Jersey AG)
• Active collections
– “unfriendly” GLB language for policy
18. Relationships with Third Parties
• Support Services
– Internet Service Providers
– Web hosting services
– Application Service Providers
– Data analysis firms (Toys R Us)
– *GLB security guidelines apply*
19. Relationships with Third Parties (cont.)
• Marketing/ Advertisers
– 3rd party advertisers (NAI principles)
– Framing and co-branded websites
– Joint marketers
20. Satisfying GLB Notice Requirements Electronically
– Reasonable expectation of receipt
– Customer agrees
– Obtains financial product or service electronically
– Retention and accessibility
21. Jurisdiction
• Reach of New Mexico and Vermont
• Zippo analysis
• How do you know who you are dealing with?
22. General Website Tips
• Know what you are collecting
• Know what your service providers are doing
• Disclose, disclose, disclose
• Keep it simple; avoid flowery language
• Keep it flexible; avoid the “never” trap
• Be mindful of jurisdiction
23. Keep track of privacy developments at:
www.bakernet.com/ecommerce
www.bakernet.com/e-law (weekly newsletter)
Baker & McKenzie
One E-Commerce World. One Firm. Connected.
For companies moving with change