Privacy for Social Media and
                                  Location-Based Services


                  John L. Nicholson
                  Counsel, PWSP
                  Washington, DC
                  John.Nicholson@PillsburyLaw.com
                  Telephone: (+1)202-663-8269
                  www.virtualworldlaw.com

Pillsbury Winthrop Shaw Pittman LLP
The good news and the bad news -


     I’m a lawyer…
     I’m from Washington …
     and I’m here to help you.




1 | Privacy for Social Media and Location-Based Marketing
What We’ll Cover


     Privacy Laws
            Current status of global privacy laws,
            Recent regulatory concerns and guidance for social media and location-based
            services
            What might happen

     Creating Privacy Policies and Privacy by Design




Where We Stand on Privacy Laws




“Where you stand depends on where
 you sit.”
                                                            - Nelson Mandela




     Asia (General) – EU-style privacy law, APEC
     Japan – EU-style privacy law
     Canada – EU-style privacy law (PIPEDA)
     Australia / NZ – EU-style privacy law
     US – “Harm”-based, sectoral privacy law
     China – EU-style privacy law
     Mexico – EU-style privacy law
     Russia – EU-style privacy law
     Argentina – EU-style privacy law
     EU – Most stringent privacy law
     S. America (General) – Privacy law developing
     Switzerland – EU-style privacy law
     Dubai – EU-style privacy law. 1st in Middle East
     Africa (General) – Privacy law not developed
     Israel – EU-style privacy law

What Is “EU-style” Privacy Law?

     Views personal information as being owned and controlled by data
     subject
     Much broader definition of personal information
            Effectively any uniquely identifying data

     Comprehensive approach based on “privacy principles”
            Principle 1: Collection Limitation
            Principle 2: Data Quality
            Principle 3: Purpose Specification
            Principle 4: Use Limitation
            Principle 5: Security Safeguards
            Principle 6: Openness
            Principle 7: Individual Participation
            Principle 8: Accountability

     Enacted by EU Parliament and then enacted into member state law
     by each state – so each is slightly different

Why Should You Care About the EU Approach?


     Your customers in countries with EU-style privacy laws do
     And even if they don’t, the regulators in those countries do
            2010 – Google executives CONVICTED in Italy for violating privacy law by failing to
            take video off YouTube quickly enough
                 Was posted for 2 months
                 Taken down within 2 hours of notice from Italian police
            2010 – Many countries investigate Google for capturing personal information as
            part of Street View project
            2011 – South Korea considering prosecuting Google for privacy violations related
            to Google Street View




What Is the US “Harm”-Based Approach?

     Views personal information as commodity to be bought, sold and traded
     Applies limits only where “harm” is identified
            Financial information (GLBA)
            Health information (HIPAA)
            Children’s information (COPPA & FERPA)
            Social security numbers
            Drivers license numbers
            Telephone / email records
            Video rental / library records
            Etc.

     State data breach notification laws
            California
            Patchwork framework
            Some states now adding medical information

     However, US is moving towards a more comprehensive, holistic definition of
     “harm,” broader definition of PII, broader security obligations


Massachusetts

     New Massachusetts law requires employers to tell workers w/in 10
     days about any info placed in employee’s personnel file that has been
     or may be used to negatively affect the worker’s job
            Employee also has right to review or get a copy of records w/in days of request up
            to 2x/year
            Limit does not apply to the notice and review of negative entries
            Failure could lead to fine between $500 and $2,500 per incident
                 Could cause problems for employers during other employment litigation. If
                 discovery reveals that employer failed to comply, could hurt the employer’s
                 credibility
                 Documentation dilemma
                      Attorneys tell clients to document employee issues as much as possible,
                      just in case the issues go to litigation
                      New law makes putting relatively innocuous information into a personnel
                      file a much more-provocative event. Now a note in a file carries the risk of
                      upsetting employee
“I hope you know that this will go down on your Permanent Record.”


Massachusetts

     “Standards for the Protection of Personal Information of Residents
     of the Commonwealth” (201 Mass. Code Regs.§ 17.00)
            Who Must Comply?
                   “…persons who own, license, store or maintain personal information
                   about a resident of the Commonwealth of Massachusetts.”
                   A presence in Massachusetts is not required to be liable under the
                   Regulation.
            Requires organizations to develop, implement, maintain and monitor a
            comprehensive, written information security program for records containing
            personal information (“Program”).
            Regulations allow for flexibility to tailor each organization’s Program.
     See
     http://pillsburylaw.com/siteFiles/Publications/F829298BD2AC6409DF6C9A9B38A21998.pdf



Getting From There to Here

     From the EU
            Exporting personal information from the EU to another country is only allowed if the
            receiving country has data protection laws that have been found “adequate” by the
            EU DPA
                The US is not one of those countries
            Without express consent, exports of personal information from the EU to the US
            are enabled under three regimes:
                Model clauses – efficient for two-party transactions
                Binding Corporate Rules – good theory, difficult to implement
                Safe Harbor – efficient for multi-nationals/multi-party transactions
                      Some dissatisfaction in EU regarding Safe Harbor

     From Canada
            Contractual obligations to comply with PIPEDA protections




Regulatory Concerns & Guidance


     FTC Staff Report “Self-Regulatory Principles for Online Behavioral
     Advertising”
            Published Feb. 2009
            Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf
            Proposed four principles for handling online behavioral profiling:
                Transparency and control
                Reasonable security and limited data retention
                Must obtain affirmative express consent before information is used in a way
                that is materially different from that authorized in a privacy statement
                Must obtain affirmative express consent before using sensitive data (e.g., data
                about children, health or finances) in advertising
            Expressed concept that PII is becoming broader than traditional definition and
            could include things like IP address
            FTC is becoming concerned about creation of data profiles that uniquely identify a
            person despite lack of specific, traditional PII


Regulatory Concerns & Guidance

     FTC Staff Report – “Beyond Voice – Mapping the Mobile Marketplace”
            Published April 2009
            Available at http://www.ftc.gov/reports/mobilemarketplace/mobilemktgfinal.pdf
            Key privacy/security findings on LBS:
                Contrast between automatic, ubiquitous nature of LBS and cookies or
                telephone call logs that are created when consumer takes action
                Confusion over identity of controller of location information
                Confusion over application of current legal structure
                      Customer Proprietary Network Information (CPNI) rules
                            Apply to location information BUT
                            Do not apply to non-telecom carriers AND
                            Protect account holder, which may not be user of mobile device
                Notice & Consent
                      Banner ad vs. disclosure to third party
                      Frequency of notice issues
                      Children’s use
                International issues (e.g., EU data retention requirements)


Regulatory Concerns & Guidance


     FTC Preliminary Report “Protecting Consumer Privacy in an Era of
     Rapid Change”
            Published Dec. 2010
            Available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
            Key findings:
                Expands concept of “harm” from just economic
                Endorses “do not track” concept
                Promotes idea of “privacy by design”
                      Companies should incorporate substantive privacy protections into their
                      practices, such as data security, reasonable collection limits, sound
                      retention practices, and data accuracy.
                      Companies should maintain comprehensive data management
                      procedures throughout the life cycle of their products and services.




Regulatory Concerns & Guidance
     Dept. of Commerce “Green Paper” – “Commercial Data Privacy and
     Innovation in the Internet Economy: A Dynamic Policy Framework”
            Published Dec. 2010
            Available at
            http://www.ntia.doc.gov//reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf
            More commerce and policy oriented
            Recommends application of “Fair Information Privacy Principles”
            Does not address privacy by design or privacy enhancing technologies
     EU “Communication” – “A comprehensive approach on personal data
     protection in the European Union”
            Published April 2010
            Available at
            http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf
            Focuses on rapid rate of change in technology
            Goal is to focus on improving protection of personal privacy, increasing
            transparency (including for children), enhancing control over own information
            (including “right to be forgotten”), strengthening rules on consent, and extending
            enforcement powers and sanctions.


Additional Guidance


     CTIA – “Best Practices and Guidelines for Location-Based Services”
            v.2.0 published March 23, 2010
            Available at http://files.ctia.org/pdf/CTIA_LBS_Best_Practices_Adopted_03_10.pdf
            Focuses on notice and consent
                 LBS providers must ensure ability of users to receive meaningful notice
                 LBS providers must ensure users consent and recognize that LBS providers
                 bear burden of demonstrating consent
                 Users must have right to terminate consent at any time
            Sample policies available at
            http://www.ctia.org/business_resources/wic/index.cfm/AID/11924

     EFF – “On Locational Privacy, and How to Avoid Losing it Forever”
            “build systems which don’t collect the data in the first place”




So What’s Congress Up To?

     Last Congress -
            Two privacy bills
                 H.R. 5777 – “Building Effective Strategies To Promote Responsibility
                 Accountability Choice Transparency Innovation Consumer Expectations and
                 Safeguards Act” (The Best Practices Act)
                 Boucher/Stearns Privacy Bill
            Contemplating definitions of personal information that are broader than are
            currently used in US and more like EU (IP address has been mentioned)
            Several data security bills
                 H.R.2221 Data Accountability and Trust Act / S.3742 Data Security and
                 Breach Notification Act of 2010
                 S.1490 Personal Data Privacy and Security Act of 2009
                 S.3579 Data Security Act of 2010
                 S.3742 -- Data Security and Breach Notification Act of 2010
            Each contains requirements for data aggregators and for protection of personal
            information, as well as data breach notification obligations



What’s Likely?
     Window of about 8 months before 2012 election gridlock
     Leading House Republicans are interested in privacy
            Joe Barton (R-TX) - Leading Republican on the Energy and Commerce Committee
            Cliff Stearns (R-FL) – House Subcommittee on Communications, Technology, and
            the Internet
     Still, not much likely on a big scale - smaller pieces might get through
            Electronic Communications Privacy Act reform - Tech industry and DoJ both want
            clarity on rules related to law enforcement searches of e-mail messages and
            documents stored in the cloud
            Web tracking and Privacy
                 Several Republicans opposed it in 2010; FTC has endorsed it
            FTC likely to revise COPPA regulations - Likely to expand definition of PII
     States likely to keep moving forward
     Europeans likely to put more pressure on US – either through
     multinationals or US gov’t – to protect EU consumer data


Creating Privacy Policies and Privacy by Design




Drafting and Implementing a Privacy Policy


     Privacy decisions are operational decisions
     Privacy statement is a contractual commitment with the user that may
     be enforced by the FTC or other regulatory agencies
     Copying the privacy statement from another company is not a good
     idea
            Technically copyright infringement
            Assumes that the copied policy is worth copying
            Assumes that you’re doing business in the same way that company is




Privacy Statement for Social Media and LBS


     General Privacy Statement Obligations
            Notice - Must be provided in plain language; must not be misleading
            Choice
                LBS or other identifying services (e.g., photo-tagging) should be opt-in
                Use of information for purposes not originally identified requires new consent
                Distinction between account holder consent and user consent
                Users should be able to withdraw consent and information about them should
                be removed
            Onward transfer – Describe third parties to whom information is provided
            Security – Commit to security of information
            Access – Users should be able to see information you’ve collected about them (if
            you keep it)

     Children’s information raises additional issues
            COPPA



Facebook Places

     Opt-in Service
            Unlike Beacon, which was opt-out
            Facebook users can “place” tag friends who have not signed up for Places, BUT
            tags do not become active until tagged individual approves them
                Assumption is that people will sign up
                Privacy by Design
                      Best implementation would be to reject Place tags for anyone who has
                      not activated the service, but provide incentives to turn it on
                      Better implementation would be to only hold Place tags for non-users for
                      limited period of time then delete them
            Facebook users can check other users into locations (2nd party tagging)
                2nd party check-ins can be manually deleted
                Individual friends can be blocked from 2nd party check-ins
                2nd party check-ins can be blocked completely
                Privacy by Design - Best implementation would be that 2nd party check-ins are
                blocked by default and must be turned on, but provide incentives to turn it on



Facebook Places (cont)


     Default is “friends only”
            Leakage to “friends of friends”
            Special protections to limit access to information for members under 18 to friends
            only

     The Unspoken Problem
            Facebook limits membership to age 13 and over.
            According to industry, most popular games among U13s are Facebook games
            According to Center on Media and Child Health:
                60 percent of children ages 10 to 14 have cell phones
                22 percent of children 9 and younger have cell phones




Facebook Photo Tagging & Facial Recognition

     Facial Recognition & Tagging
            When a user can tag friends in an album, Facebook will use its facial recognition
            technology to group similar faces together and automatically fill in the "Who is
            this?" box with its suggestion
            Users can log in and remove tags
            Users can opt out of Tag Suggestions by going to their privacy settings and
            disabling the "Suggest photos of me to friends" feature
     Individuals being tagged in a photo do not have to have a profile on
     Facebook
     Privacy by Design:
            No tagging people without Facebook profiles
            Users can opt-in to photo tagging – provide incentives for opting in
            Multiple options for tag approval – provide incentives for increasing access
                Universal
                Selective (white list or black list)
                Approval required



Comments and Questions?




                                      Thank you for listening.

 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
Privacy and missing persons
Privacy and missing personsPrivacy and missing persons
Privacy and missing personsmpcislides
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 

Similaire à John Nicholson Presentation (20)

Challenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in MexicoChallenges to Achieve Privacy for Online Consumers in Mexico
Challenges to Achieve Privacy for Online Consumers in Mexico
 
PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?
 
CCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.pptCCSP_Self_Domain_6.ppt
CCSP_Self_Domain_6.ppt
 
GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016GDPR - Applift firstscreen june 2016
GDPR - Applift firstscreen june 2016
 
Privacy Practice Fundamentals: Understanding Compliance Regimes and Requirements
Privacy Practice Fundamentals: Understanding Compliance Regimes and RequirementsPrivacy Practice Fundamentals: Understanding Compliance Regimes and Requirements
Privacy Practice Fundamentals: Understanding Compliance Regimes and Requirements
 
Data Security Law and Management.pdf
Data Security Law and Management.pdfData Security Law and Management.pdf
Data Security Law and Management.pdf
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
 
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxhttpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
Sovereignty: the state of data
Sovereignty: the state of dataSovereignty: the state of data
Sovereignty: the state of data
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
Cross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldCross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy Shield
 
Cross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property IssuesCross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property Issues
 
Privacy introduction
Privacy introduction Privacy introduction
Privacy introduction
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Managing Privacy Maximizing Data In Affiliate Marketing Gary Kibel
Managing Privacy Maximizing Data In Affiliate Marketing Gary KibelManaging Privacy Maximizing Data In Affiliate Marketing Gary Kibel
Managing Privacy Maximizing Data In Affiliate Marketing Gary Kibel
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information Security
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issues
 
Privacy and missing persons
Privacy and missing personsPrivacy and missing persons
Privacy and missing persons
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 

Plus de Mediabistro

Elements of a Successful Job Listing
Elements of a Successful Job ListingElements of a Successful Job Listing
Elements of a Successful Job ListingMediabistro
 
Kelvin Wee_Inszi
Kelvin Wee_InsziKelvin Wee_Inszi
Kelvin Wee_InsziMediabistro
 
Paul Taylor_Inside 3D Printing Melbourne
Paul Taylor_Inside 3D Printing MelbournePaul Taylor_Inside 3D Printing Melbourne
Paul Taylor_Inside 3D Printing MelbourneMediabistro
 
Paul Mignone_Inside 3D Printing Melbourne
Paul Mignone_Inside 3D Printing MelbournePaul Mignone_Inside 3D Printing Melbourne
Paul Mignone_Inside 3D Printing MelbourneMediabistro
 
Angela Daly_Inside 3D Printing Melbourne
Angela Daly_Inside 3D Printing MelbourneAngela Daly_Inside 3D Printing Melbourne
Angela Daly_Inside 3D Printing MelbourneMediabistro
 
Chris Leigh-Lancaster_Inside 3D Printing Melbourne
Chris Leigh-Lancaster_Inside 3D Printing MelbourneChris Leigh-Lancaster_Inside 3D Printing Melbourne
Chris Leigh-Lancaster_Inside 3D Printing MelbourneMediabistro
 
Terry Wohlers_Inside 3D Printing Melbourne
Terry Wohlers_Inside 3D Printing MelbourneTerry Wohlers_Inside 3D Printing Melbourne
Terry Wohlers_Inside 3D Printing MelbourneMediabistro
 
2014 07-09 Juan Llanos Presentation
2014 07-09 Juan Llanos Presentation2014 07-09 Juan Llanos Presentation
2014 07-09 Juan Llanos PresentationMediabistro
 
Gary Anderson_Inside 3D Printing Melbourne
Gary Anderson_Inside 3D Printing MelbourneGary Anderson_Inside 3D Printing Melbourne
Gary Anderson_Inside 3D Printing MelbourneMediabistro
 
James canning inside bitcoin melbourne final
James canning inside bitcoin melbourne finalJames canning inside bitcoin melbourne final
James canning inside bitcoin melbourne finalMediabistro
 
Gst & bitcoins slides- Potential Pitfalls
Gst & bitcoins slides- Potential PitfallsGst & bitcoins slides- Potential Pitfalls
Gst & bitcoins slides- Potential PitfallsMediabistro
 
Building a trading platform from scratch
Building a trading platform from scratchBuilding a trading platform from scratch
Building a trading platform from scratchMediabistro
 
Bitcoin Lateral Economics
Bitcoin Lateral EconomicsBitcoin Lateral Economics
Bitcoin Lateral EconomicsMediabistro
 
State of Ethereum, and Mining
State of Ethereum, and MiningState of Ethereum, and Mining
State of Ethereum, and MiningMediabistro
 
Future of Bitcoin Mining- Josh Zerlan
Future of Bitcoin Mining- Josh ZerlanFuture of Bitcoin Mining- Josh Zerlan
Future of Bitcoin Mining- Josh ZerlanMediabistro
 
Evan Wagner and Robby Dermody Presentation
Evan Wagner and Robby Dermody PresentationEvan Wagner and Robby Dermody Presentation
Evan Wagner and Robby Dermody PresentationMediabistro
 
Morning Keynote: Bobby Lee
Morning Keynote: Bobby LeeMorning Keynote: Bobby Lee
Morning Keynote: Bobby LeeMediabistro
 
Yuan Bao Presentation
Yuan Bao PresentationYuan Bao Presentation
Yuan Bao PresentationMediabistro
 

Plus de Mediabistro (20)

Elements of a Successful Job Listing
Elements of a Successful Job ListingElements of a Successful Job Listing
Elements of a Successful Job Listing
 
Kelvin Wee_Inszi
Kelvin Wee_InsziKelvin Wee_Inszi
Kelvin Wee_Inszi
 
Melb oleg2
Melb oleg2Melb oleg2
Melb oleg2
 
Paul Taylor_Inside 3D Printing Melbourne
Paul Taylor_Inside 3D Printing MelbournePaul Taylor_Inside 3D Printing Melbourne
Paul Taylor_Inside 3D Printing Melbourne
 
Paul Mignone_Inside 3D Printing Melbourne
Paul Mignone_Inside 3D Printing MelbournePaul Mignone_Inside 3D Printing Melbourne
Paul Mignone_Inside 3D Printing Melbourne
 
Angela Daly_Inside 3D Printing Melbourne
Angela Daly_Inside 3D Printing MelbourneAngela Daly_Inside 3D Printing Melbourne
Angela Daly_Inside 3D Printing Melbourne
 
Chris Leigh-Lancaster_Inside 3D Printing Melbourne
Chris Leigh-Lancaster_Inside 3D Printing MelbourneChris Leigh-Lancaster_Inside 3D Printing Melbourne
Chris Leigh-Lancaster_Inside 3D Printing Melbourne
 
Terry Wohlers_Inside 3D Printing Melbourne
Terry Wohlers_Inside 3D Printing MelbourneTerry Wohlers_Inside 3D Printing Melbourne
Terry Wohlers_Inside 3D Printing Melbourne
 
2014 07-09 Juan Llanos Presentation
2014 07-09 Juan Llanos Presentation2014 07-09 Juan Llanos Presentation
2014 07-09 Juan Llanos Presentation
 
Gary Anderson_Inside 3D Printing Melbourne
Gary Anderson_Inside 3D Printing MelbourneGary Anderson_Inside 3D Printing Melbourne
Gary Anderson_Inside 3D Printing Melbourne
 
James canning inside bitcoin melbourne final
James canning inside bitcoin melbourne finalJames canning inside bitcoin melbourne final
James canning inside bitcoin melbourne final
 
Gst & bitcoins slides- Potential Pitfalls
Gst & bitcoins slides- Potential PitfallsGst & bitcoins slides- Potential Pitfalls
Gst & bitcoins slides- Potential Pitfalls
 
Building a trading platform from scratch
Building a trading platform from scratchBuilding a trading platform from scratch
Building a trading platform from scratch
 
Bitcoin Lateral Economics
Bitcoin Lateral EconomicsBitcoin Lateral Economics
Bitcoin Lateral Economics
 
State of Ethereum, and Mining
State of Ethereum, and MiningState of Ethereum, and Mining
State of Ethereum, and Mining
 
Future of Bitcoin Mining- Josh Zerlan
Future of Bitcoin Mining- Josh ZerlanFuture of Bitcoin Mining- Josh Zerlan
Future of Bitcoin Mining- Josh Zerlan
 
Evan Wagner and Robby Dermody Presentation
Evan Wagner and Robby Dermody PresentationEvan Wagner and Robby Dermody Presentation
Evan Wagner and Robby Dermody Presentation
 
Crypto Law
Crypto LawCrypto Law
Crypto Law
 
Morning Keynote: Bobby Lee
Morning Keynote: Bobby LeeMorning Keynote: Bobby Lee
Morning Keynote: Bobby Lee
 
Yuan Bao Presentation
Yuan Bao PresentationYuan Bao Presentation
Yuan Bao Presentation
 

John Nicholson Presentation

  • 1. Privacy for Social Media and Location-Based Services John L. Nicholson Counsel, PWSP Washington, DC John.Nicholson@PillsburyLaw.com Telephone: (+1)202-663-8269 www.virtualworldlaw.com Pillsbury Winthrop Shaw Pittman LLP
  • 2. The good news and the bad news - I’m a lawyer… I’m from Washington … and I’m here to help you. 1 | Privacy for Social Media and Location-Based Marketing
  • 3. What We’ll Cover Privacy Laws Current status of global privacy laws, Recent regulatory concerns and guidance for social media and location-based services What might happen Creating Privacy Policies and Privacy by Design 2 | Privacy for Social Media and Location-Based Marketing
  • 4. Where We Stand on Privacy Laws “Where you stand depends on where you sit.” - Nelson Mandela 3 | Privacy for Social Media and Location-Based Marketing
  • 5. Asia (General) – EU-style privacy law, APEC Japan – EU-style Canada – EU-style privacy law privacy law (PIPEDA) Australia / NZ – EU-style privacy law US – “Harm”-based, sectoral privacy law China – EU-style privacy law Mexico – EU-style privacy law Russia – EU-style Argentina – privacy law EU-style EU – Most stringent privacy law privacy law S. America (General) – Switzerland – EU-style Privacy law developing privacy law Dubai – EU-style Africa (General) – privacy law. 1st Israel – EU-style Privacy law not in Middle East privacy law developed 4 | Privacy for Social Media and Location-Based Marketing
  • 6. What Is “EU-style” Privacy Law? Views personal information as being owned and controlled by data subject Much broader definition of personal information Effectively any uniquely identifying data Comprehensive approach based on “privacy principles” Principle 1: Collection Limitation Principle 2: Data Quality Principle 3: Purpose Specification Principle 4: Use Limitation Principle 5: Security Safeguards Principle 6: Openness Principle 7: Individual Participation Principle 8: Accountability Enacted by EU Parliament and then enacted into member state law by each state – so each is slightly different 5 | Privacy for Social Media and Location-Based Marketing
  • 7. Why Should You Care About the EU Approach? Your customers in countries with EU-style privacy laws do And even if they don’t, the regulators in those countries do 2010 – Google executives CONVICTED in Italy for violating privacy law by failing to take video off YouTube quickly enough Was posted for 2 months Taken down within 2 hours of notice from Italian police 2010 – Many countries investigate Google for capturing personal information as part of Street View project 2011 – South Korea considering prosecuting Google for privacy violations related to Google Street View 6 | Privacy for Social Media and Location-Based Marketing
  • 8. What is US “Harm”-Based Approach Views personal information as commodity to be bought, sold and traded Applies limits only where “harm” is identified Financial information (GLBA) Health information (HIPAA) Children’s information (COPPA & FERPA) Social security numbers Drivers license numbers Telephone / email records Video rental / library records Etc. State data breach notification laws California Patchwork framework Some states now adding medical information However, US is moving towards a more comprehensive, holistic definition of “harm,” broader definition of PII, broader security obligations 7 | Privacy for Social Media and Location-Based Marketing
  • 9. Massachusetts New Massachusetts law requires employers to tell workers w/in 10 days about any info placed in employee’s personnel file that has been or may be used to negatively affect the worker’s job Employee also has right to review or get a copy of records w/in days of request up to 2x/year Limit does not apply to the notice and review of negative entries Failure could lead to fine between $500 and $2,500 per incident Could cause problems for employers during other employment litigation. If discovery reveals that employer failed to comply, could hurt the employer’s credibility Documentation dilemma Attorneys tell clients to document employee issues as much as possible, just in case the issues go to litigation New law makes putting relatively innocuous information into a personnel file a much more-provocative event. Now a note in a file carries the risk of upsetting employee “I hope you know that this will go down on your Permanent Record.” 8 | Privacy for Social Media and Location-Based Marketing
  • 10. Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 Mass. Code Regs.§ 17.00) Who Must Comply? “…persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” A presence in Massachusetts is not required to be liable under the Regulation. Requires organizations to develop, implement, maintain and monitor a comprehensive, written information security program for records containing personal information (“Program”). Regulations allow for flexibility to tailor each organization’s Program. See http://pillsburylaw.com/siteFiles/Publications/F829298BD2AC6409DF6C9A9B38A21998.pdf 9 | Privacy for Social Media and Location-Based Marketing
  • 11. Getting From There to Here From the EU Exporting personal information from the EU to another country is only allowed if the receiving country has data protection laws that have been found “adequate” by the EU DPA The US is not one of those countries Without express consent, exports of personal information from the EU to the US are enabled under three regimes: Model clauses – efficient for two-party transactions Binding Corporate Rules – good theory, difficult to implement Safe Harbor – efficient for multi-nationals/multi-party transactions Some dissatisfaction in EU regarding Safe Harbor From Canada Contractual obligations to comply with PIPEDA protections 10 | Privacy for Social Media and Location-Based Marketing
  • 12. Regulatory Concerns & Guidance FTC Staff Report “Self-Regulatory Principles for Online Behavioral Advertising” Published Feb. 2009 Available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf Proposed four principles for handling online behavioral profiling: Transparency and control Reasonable security and limited data retention Must obtain affirmative express consent before information is used in a way that is materially different from that authorized in a privacy statement Must obtain affirmative express consent before using sensitive data (e.g., data about children, health or finances) in advertising Expressed concept that PII is becoming broader than traditional definition and could include things like IP address FTC is becoming concerned about creation of data profiles that uniquely identify a person despite lack of specific, traditional PII 11 | Privacy for Social Media and Location-Based Marketing
  • 13. Regulatory Concerns & Guidance FTC Staff Report – “Beyond Voice – Mapping the Mobile Marketplace” Published April 2009 Available at http://www.ftc.gov/reports/mobilemarketplace/mobilemktgfinal.pdf Key privacy/security findings on LBS: Contrast between automatic, ubiquitous nature of LBS and cookies or telephone call logs that are created when consumer takes action Confusion over identity of controller of location information Confusion over application of current legal structure Customer Proprietary Network Information (CPNI) rules Apply to location information BUT Do not apply to non-telecom carriers AND Protect account holder, which may not be user of mobile device Notice & Consent Banner ad vs. disclosure to third party Frequency of notice issues Children’s use International issues (e.g., EU data retention requirements) 12 | Privacy for Social Media and Location-Based Marketing
  • 14. Regulatory Concerns & Guidance FTC Preliminary Report “Protecting Consumer Privacy in an Era of Rapid Change” Published Dec. 2010 Available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf Key findings: Expands concept of “harm” from just economic Endorses “do not track” concept Promotes idea of “privacy by design” Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy. Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services. 13 | Privacy for Social Media and Location-Based Marketing
  • 15. Regulatory Concerns & Guidance Dept. of Commerce “Green Paper” – “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” Published Dec. 2010 Available at http://www.ntia.doc.gov//reports/2010/IPTF_Privacy_GreenPaper_12162010.pdf More commerce and policy oriented Recommends application of “Fair Information Privacy Principles” Does not address privacy by design or privacy enhancing technologies EU “Communication” – “A comprehensive approach on personal data protection in the European Union” Published April 2010 Available at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf Focuses on rapid rate of change in technology Goal is to focus on improving protection of personal privacy, increasing transparency (including for children), enhancing control over own information (including “right to be forgotten”), strengthening rules on consent, and extending enforcement powers and sanctions. 14 | Privacy for Social Media and Location-Based Marketing
  • 16. Additional Guidance CTIA – “Best Practices and Guidelines for Location-Based Services” v.2.0 published March 23, 2010 Available at http://files.ctia.org/pdf/CTIA_LBS_Best_Practices_Adopted_03_10.pdf Focuses on notice and consent LBS providers must ensure ability of users to receive meaningful notice LBS providers must ensure users consent and recognize that LBS providers bear burden of demonstrating consent Users must have right to terminate consent at any time Sample policies available at http://www.ctia.org/business_resources/wic/index.cfm/AID/11924 EFF – “On Locational Privacy, and How to Avoid Losing it Forever” “build systems which don’t collect the data in the first place” 15 | Privacy for Social Media and Location-Based Marketing
  • 17. So What’s Congress Up To? Last Congress - Two privacy bills H.R. 5777 – “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (The Best Practices Act) Boucher/Stearns Privacy Bill Contemplating definitions of personal information that are broader than are currently used in US and more like EU (IP address has been mentioned) Several data security bills H.R.2221 Data Accountability and Trust Act / S.3742 Data Security and Breach Notification Act of 2010 S.1490 Personal Data Privacy and Security Act of 2009 S.3579 Data Security Act of 2010 S.3742 -- Data Security and Breach Notification Act of 2010 Each contains requirements for data aggregators and for protection of personal information, as well as data breach notification obligations 16 | Privacy for Social Media and Location-Based Marketing
  • 18. What’s Likely? Window of about 8 months before 2012 election gridlock Leading House Republicans are interested in privacy Joe Barton (R-TX) - Leading Republican on the Energy and Commerce Committee Cliff Stearns (R-FL) – House Subcommittee on Communications, Technology, and the Internet Still, not much likely on a big scale - smaller pieces might get through Electronic Communications Privacy Act reform - Tech industry and DoJ both want clarity on rules related to law enforcement searches of e-mail messages and documents stored in the cloud Web tracking and Privacy Several Republicans opposed it in 2010; FTC has endorsed it FTC likely to revise COPPA regulations - Likely to expand definition of PII States likely to keep moving forward Europeans likely to put more pressure on US – either through multinationals or US gov’t – to protect EU consumer data 17 | Privacy for Social Media and Location-Based Marketing
  • 19. Creating Privacy Policies and Privacy by Design 18 | Privacy for Social Media and Location-Based Marketing
  • 20. Drafting and Implementing a Privacy Policy Privacy decisions are operational decisions Privacy statement is a contractual commitment with the user that may be enforced by the FTC or other regulatory agencies Copying the privacy statement from another company is not a good idea Technically copyright infringement Assumes that the copied policy is worth copying Assumes that you’re doing business in the same way that company is 19 | Privacy for Social Media and Location-Based Marketing
  • 21. Privacy Statement for Social Media and LBS General Privacy Statement Obligations Notice - Must be provided in plain language; must not be misleading Choice LBS or other identifying services (e.g., photo-tagging) should be opt-in Use of information for purposes not originally identified requires new consent Distinction between account holder consent and user consent Users should be able to withdraw consent and information about them should be removed Onward transfer – Describe third parties to whom information is provided Security – Commit to security of information Access – Users should be able to see information you’ve collected about them (if you keep it) Children’s information raises additional issues COPPA 20 | Privacy for Social Media and Location-Based Marketing
  • 22. Facebook Places Opt-in Service Unlike Beacon, which was opt-out Facebook users can “place” tag friends who have not signed up for Places, BUT tags do not become active until tagged individual approves them Assumption is that people will sign up Privacy by Design Best implementation would be to reject Place tags for anyone who has not activated the service, but provide incentives to turn it on Better implementation would be to only hold Place tags for non-users for limited period of time then delete them Facebook users can check other users into locations (2nd party tagging) 2nd party check-ins can be manually deleted Individual friends can be blocked from 2nd party check-ins 2nd party check-ins can be blocked completely Privacy by Design - Best implementation would be that 2nd party check-ins are blocked by default and must be turned on, but provide incentives to turn it on 21 | Privacy for Social Media and Location-Based Marketing
  • 23. Facebook Places (cont) Default is “friends only” Leakage to “friends of friends” Special protections to limit access to information for members under 18 to friends only The Unspoken Problem Facebook limits membership to age 13 and over. According to industry, most popular games among U13s are Facebook games According to Center on Media and Child Health: 60 percent of children ages 10 to 14 have cell phones 22 percent of children 9 and younger have cell phones 22 | Privacy for Social Media and Location-Based Marketing
  • 24. Facebook Photo Tagging & Facial Recognition Facial Recognition & Tagging When a user can tag friends in an album, Facebook will use its facial recognition technology to group similar faces together and automatically fill in the "Who is this?" box with its suggestion Users can log in and remove tags Users can opt out of Tag Suggestions by going to their privacy settings and disabling the "Suggest photos of me to friends" feature Individuals being tagged in a photo do not have to have a profile on Facebook Privacy by Design: No tagging people without Facebook profiles Users can opt-in to photo tagging – provide incentives for opting in Multiple options for tag approval – provide incentives for increasing access Universal Selective (white list or black list) Approval required 23 | Privacy for Social Media and Location-Based Marketing
  • 25. Comments and Questions? Thank you for listening. 24 | Privacy for Social Media and Location-Based Marketing