Update: 10/19/16 Police Scanning Driver’s Licenses to use in criminal investigations. Georgetown law: Half of All American Adults Are Already In a Police Facial Recognition Database ~ more details in The Perpetual Line-up (PDF)

This is a guest post by Richard B. Newman – Internet Attorney
Data security and consumer privacy are hot-button issues these days. They are gaining momentum and many – including the Obama administration – believe that it is time for a new regulatory framework.
Proposed regulations could have a direct impact on any entity that collects, stores, or shares data on a large scale.
Data brokers, online marketers, advertising agencies and networks, media and publishing companies, mobile application developers, retailers, web browsers and operators, credit reporting agencies, and financial services companies must be intimately aware of the status of these debates so that they can prepare for an almost certain new regulatory framework.
Numerous high-profile incidents have accelerated legislative discussions for increased regulation.
Everyone from large corporations to government entities has fallen victim to large-scale data breaches, and many mobile devices have been discovered to allow the tracking and recording of a user’s locations.
Sensitive information such as names, dates of birth, Social Security numbers, e-mail addresses, passwords, locations, and health- and financial-related information increasingly seems at risk.
Over a dozen bills have been introduced this year in response to privacy advocates’ clamoring for heightened regulation.
In fact, the FTC and Department of Commerce have published their own recommendations.
THREE TYPES OF PROPOSED PRIVACY LEGISLATION
Generally, the proposals pertain to three specific areas:
- Online and point-of-sale privacy
- Mobile device privacy
- Data security and breach notification
Now is an ideal time for any business entity that may be at risk to critically examine their privacy and data security procedures to ensure compliance with legal and industry best practice standards on both the national and state levels.
The following is intended as a brief overview of pending regulatory proposals in Congress and the federal agencies, the implications of proposed regulations, and what companies should do to comply with the confusing patchwork of privacy regulations currently in place.
Legislative proposals in recent bills on consumer privacy and data security generally pertain to three topics:
- Consumer privacy bills seek to help consumers control what personal information is collected, used, stored, or shared based on their online and point-of-sale behavior.
- Mobile privacy bills seek to help consumers take control of what information is collected, used, stored, or shared based on their mobile device usage and their geolocation.
- Data security and breach notification bills seek to implement new protocols for protecting data and to create a national standard for notifying affected individuals and government agencies when a data breach has occurred.
Six bills have been introduced this year pertaining primarily to online and point-of-sale privacy.
When browsing the Internet or making purchases at a store, consumers reveal valuable, sometimes highly-sensitive, information that is used to construct user profiles based on their location, their preferences, and their contact information.
This data can be very valuable for behavioral marketers, which is the precise reason that the market for such consumer data continues to grow so rapidly.
The purpose of the privacy bills is to change how consumer information is collected, stored, used, and shared, and what and how consumers are informed about these practices. Bills regarding data collection call for opt-out or opt-in mechanisms that require prior, express consent from the consumer before any personal information can be collected.
Bills contemplating data storage impose new limits on the scope and duration of data retention, as well as new security procedures to safeguard information. Bills regarding data use and sharing impose limits on the purposes for which data may be used, restrict with whom a data collector (e.g., a retailer) can share information, and set new standards for whether consumer consent or notification is necessary before information can be used in certain ways or shared with a third party.
While the themes discussed above generally characterize the current group of legislative proposals, there exist slight differences between each of the privacy-focused bills.
KEY ONLINE PRIVACY BILLS:
- Rep. Jackie Speier (D-Calif.): Do Not Track Me Online Act of 2011. This bill would require opt-out mechanisms for the collection or use of online and personal data;
- Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.): Commercial Privacy Bill of Rights Act of 2011. This bill would require opt-out mechanisms for data use or sharing, as well as opt-in consent for the collection, storage, or sharing of sensitive personal information;
- Rep. Bobby Rush (D-Ill.): BEST PRACTICES Act. This bill is similar to the Kerry-McCain proposal and calls for opt-out mechanisms for data collection and storage, as well as opt-in consent for certain third-party information sharing;
- Rep. Cliff Stearns (R-Fla.): Consumer Privacy Protection Act of 2011. This bill would allow consumers to opt-out of having their personally identifiable information shared with third parties;
- Sen. John D. Rockefeller IV (D-W.Va.): Do-Not-Track Online Act of 2011. This bill would give consumers the ability to opt-out of having their online data tracked and stored. This proposal would go one step further than the other privacy bills by also imposing limits on data collection from mobile devices;
- Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas): Do-Not-Track-Kids Act. Markey and Barton’s proposal would preclude online companies from using personal information for targeted marketing to children, would enable parents to delete the history of their children’s online behaviors, and would require parental consent for any data tracking online or on mobile devices.
MOBILE DEVICES LEAVE AN ELECTRONIC TRAIL
An entirely separate group of bills focuses its attention on mobile devices. To begin with, users who access GPS-enabled applications on their mobile devices, tablet devices, and smartphones are leaving an electronic trail that can be utilized to reveal both present and past physical locations.
KEY MOBILE PRIVACY BILLS:
Some of the key proposals in this particular area include:
- Sen. Ron Wyden (D-Ore.) and Rep. Jason Chaffetz (R-Utah): Geolocation and Privacy Surveillance (GPS) Act. These bills would prohibit companies from collecting or sharing geolocation information without the user’s express consent;
- Sens. Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.): Location Privacy Protection Act of 2011. This bill would require any covered entity to offer prior notice and obtain express consent from consumers in order to track and collect their geolocation information;
- Sen. Patrick Leahy (D-Vt.): Electronic Communications Privacy Act (ECPA) Amendments Act of 2011. Enacted in 1986, the ECPA restricts third-party access to private electronic communications, such as online activity and e-mails. However, the ECPA does not cover GPS-based information. Therefore, Leahy proposed this update to add geolocation information as a new class of private communications subject to the protections of the ECPA.
DATA SECURITY and BREACH NOTIFICATION:
Key proposals that focus primarily on data security and breach notification have recently been introduced. The purpose of these bills is to require entities that collect or store data to take steps to prevent bad actors from accessing personal information and to create a standard for notifying government agencies and consumers if an organization’s data is breached.
Limits on the scope and duration of data storage are the main focus.
The theory goes – if less data is stored and for a shorter period of time, then less data is necessarily at risk. Proposed security and notification legislation also mandates security policies to prevent unauthorized third-party access to data, as well as procedures and time frames to alert affected individuals and government agencies when a data breach has occurred.
DATA SECURITY and BREACH NOTIFICATION BILLS:
The key bills in this particular area include:
- Sens. Rockefeller and Mark Pryor (D-Ark.): Data Security and Breach Notification Act of 2011. This bill requires businesses and nonprofit organizations that store personal information to implement reasonable security measures and alert consumers when their data has been compromised. In the event of a breach, affected individuals would be entitled to free credit monitoring services for two years;
- Leahy: Personal Data Privacy and Security Act. This bill is similar to bills Leahy has introduced in the past and his proposal calls for businesses to enact security procedures to protect sensitive data. It would create a federal standard for notifying appropriate parties of a breach;
- Bono Mack (R-Calif.): SAFE Data Act. Her proposal requires businesses to notify consumers and the FTC within 48 hours of containing and assessing a breach and would entitle affected individuals to free credit monitoring services for two years;
- Rep. Cliff Stearns (R-Fla.): DATA Act of 2011. Stearns’ data security and breach bill is similar to Rep. Rush’s in its call for tighter protections of data storage systems, in addition to setting a standard for notifying affected individuals and government authorities in the event of a breach.
Of note, California recently amended its data breach notification law and as of January 1, 2012, California businesses are required to provide notice to individuals of the breach of their personal data, and must also notify the state Office of the Attorney General if the breach requires notification of more than 500 California residents.
For the first time, California will also require that notices to individuals include certain information, such as the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.
Despite the number of competing legislative proposals, Congress will almost certainly pass a national standard on these issues soon.
The FTC and the Department of Commerce have issued their own recommendations addressing online and point-of-sale privacy, mobile device privacy, data security, and breach notification.
The aims of the FTC and Department of Commerce plans include limits on what information can be collected, how long it can be stored, simpler and more easily understood privacy policies, do-not-track preferences that follow a user from website to website, increased transparency on the part of data collectors, and requiring companies to build security and privacy measures into products.
Broad sweeping changes in these areas will almost certainly have far reaching practical implications that could reach just about every consumer and business in the country.
Data privacy regulations, as currently proposed in “do-not-track” and geo-location bills, would significantly change operations for entities that purchase consumer information for behavioral marketing purposes. Third-party purchasers would be affected by stricter privacy regulations.
New regulatory standards could change the online advertising landscape. It could significantly impact mobile phones because data privacy and geo-location bills could conceivably curtail data-centric, targeted marketing.
Under many of the proposals, ad networks, retailers, content websites, data brokers, mobile network providers and application developers, and any type of entity that collects and stores personal information would likely be impacted and limited in their ability to collect, store, use, or share consumer information.
If data security and breach notification proposals are adopted, covered entities would be mandated to comply with specific regulatory methods for storing consumer information and responding to breaches.
New data breach and privacy regulations will, undoubtedly, create countless hurdles and landmines in the information trade sector.
In the meantime, the wise thing to do is to evaluate policies in terms of existing law and best practice standards. If businesses do not currently meet regulatory standards, raising the threshold “if and when” will be much more difficult.
Currently, no comprehensive federal privacy law governs the collection, use, storage, and sharing of consumer information.
Instead, a constantly evolving patchwork of sector-specific and data-specific state and federal privacy laws makes such compliance assessments difficult. Therefore, steps should be taken to minimize data privacy and security risks.
HOW TO MINIMIZE YOUR LEGAL EXPOSURE:
So, what can be done to safeguard sensitive information and minimize exposure? Here are some simple steps regarding the design and implementation of a sound data security plan:
- Implement reasonable written privacy and security policies, immediately.
- Identify risks and implement appropriate technological solutions.
- Assign one individual to oversee privacy and security issues.
- Take stock. Inventory what you have and train workers on privacy and data security matters.
- Scale down and pitch it. Keep only what you legitimately need.
- Lock it – physical security.
- Plan your response to security incidents, ahead of time.
- Consult with an experienced Internet Law Attorney.
Richard B. Newman is an Internet Privacy Lawyer and Internet Defamation Attorney at Hinch Newman LLP (New York & California)
PROPOSED INTERNET LEGISLATION:
- Atlantic.com: The Legislation That Could Kill Internet Privacy for Good: The Protecting Children from Internet Pornographers Act of 2011
- Internet Legislation Proposed to Address Consumer Privacy and Data Security Issues - September 12, 2011
Even the most cyber-savvy organizations have found themselves exposed and ill prepared to manage the effects of a data breach. The best defense is implementing a broad set of operational and technical best practices that helps protect your company and your customers’ personal data.
To put it bluntly, the internet never will be a secure place for consumer privacy. I'm sure that in this space a perfect solution is almost impossible to find, just as it’s impossible to invent a perpetual motion machine.
Consumer privacy is hard to solve. Don't think there ever will be a perfect solution 😉
Federal regulation on the internet is really starting to freak me out. Nothing is private anymore…
Thanks for touching this topic. Invasion of private account must be given more attention by the law makers. Because account holders must be more secure and safe in using the net.
Thanks for sharing your great ideas..I was asking in vain on more forums and blogs before for very long time:
If you would like to learn more about social media and mobile privacy issues, you can find additional safety tips and conversation at techsafely.com, which is a blog discussing the same. It’s also a great place for opinionated coverage of the latest privacy related news.
Now that most of our personal information is available on the internet, it is a must that the law protects us all.
Everyone is talking about a violation of privacy, but how can you even expect to have any privacy on the most public place on the world?
I am not saying it is OK to attack someone's privacy, but my point is: why were we even hoping for it from the start?
I prefer to keep a low profile. I do not follow all the legal mumbo jumbo. I would be willing to bet they will keep changing the legal stuff to fit their needs. Seems like they are slowly trying to regulate the internet. Some say it’s a good thing, others say don’t mess with it. I don’t know what to think. Depends on what they really want to do, and how it will affect us. Sometimes that info is hard to comprehend.
This has become pretty serious and I’m scared what will happen to the online marketing industry if the administration will form a bill with regards to this issue. Whatever it is, it’s still pretty scary 🙁
Thanks for the updated information. Not only is it good for us to know the latest bills being passed, but you offer solid solutions for online businesses to utilize in the meantime.
Maybe this is not quite on topic, but I just wanted to share. I have been writing a few emails on Facebook about dental implants to my aunt. A few days later I see an ad for dental implants! I found it disturbing and clicked the “report” button. In cases like this invasion of integrity has gone too far!
Hi Elin,
That is definitely ON topic. That has been going on for over a decade now. I first noticed it in the 1990s when I would get spam targeted to what I was doing online (and tons of other junk too, of course).
Facebook has taken a ton of heat for their privacy issues including the way they target ads. Because you can target small numbers of people by interest it is possible for advertisers to target ads in such a way that they can use Facebook to determine who is gay by what ads they are shown and which they choose to click on.
If that concerns you wait until you find out that many advertisers are using services that allow them to follow you from site to site and know about all the sites you visit that use that service or preserve the tracking cookie.
What I find really creepy is the Google widget some blogs use that displays ads based on what you searched on recently. I once did a search for bed bugs for a friend dealing with that issue and everywhere I went for weeks I saw ads for bed bug products – even in blogs. Now THAT is weird.
I agree, Google does the same thing with its search. Even on our email accounts, the ads match the content within the email being viewed. That seems like a HUGE violation of privacy.
Which web browser are you using? If you use Google Chrome they track what you are interested in and show you ads that are similar to that. So if you want to be really sure of not getting tracked you should use Mozilla Firefox or some other web browser.
Way to keep us updated on the latest privacy legislation. It will be interesting to see what bills pass, and how well they will be implemented. But it’s good to see politicians finally taking notice on the importance of protecting US citizens’ private information.
Very informative, Privacy breach & online security is biggest concern in today’s time. One incident really shocked me when I heard that around 2k hackers worked together to hack down Visa and MasterCard just to protest against the arrest of Julian Assange.
This got me a little worried – really don’t like spending time on things other than writing content and marketing, but I guess it’s required.
I recently added a privacy policy to all my sites and I only handle email addresses so I don’t think it’ll be too much extra work. Aweber also comes with pretty good privacy options.
Look forward to learning more about the implications of this…
It is nice to see the link-name to an author of the article right under the title.
Before, in previous invited articles on this blog s/he was not clear even after some reading.
I also liked and will borrow “Click image to read Privacy…” (since it is never clear to click or not to click and for what) as well as “Image Credit: ”
I have a question about the interplay of advertising-internet-security-etc. which I asked in a few forums but had not gotten any answer, and all those threads are hidden from non-registered users so that I cannot even give a link.
Can you advise a forum on Internet Law-Advertising Law-Marketing Law?
well attended, visible (without those catches when you spend time to register, write, wait approval) just to find that nobody answers and the post is invisible publicly
I already got the lawyer’s answer to the question I was asking in vain on many forums and blogs before for very long time:
Unavoidable advertising — Is it legal in U.S.?
It is the intersection of security (user authorization, authentication), privacy, tracking, marketing, spying, advertising, usability, user-friendliness.
Kudos to you Richard for making such a dry topic an interesting read.
I wonder though, when and if any implementation of some international policy may come into existence, international being the operative word here.
K.
Are these just in the US or do you think that these are likely to go worldwide?
It’s a bit of a worry that it seems so legal though!
Richard,
Wow! I had no idea all of this was in the pipeline. Thanks for such a comprehensive breakdown of the proposed laws.
Your “ways to minimize your exposure” in the end is something all online businesses should take to heart.
Thanks for sharing the ideas about how to stay ahead of the curve Richard.