Tuesday, February 10, 2015

Why Privacy Policies Must be Personalized

(This was cross-posted.)
The best argument for why companies should never simply copy and paste the text of another entity's privacy policy onto their own website can be found in the recent announcement by the FTC of a settlement reached with Snapchat – relating to misrepresentations contained in the Privacy Policy, among other things. (Snapchat is not alleged to have used someone else's Privacy Policy as its own; however, its mistakes in its public statements about its products illustrate fully that companies should say what they mean, and mean what they say, in their privacy policies!)
The FTC's Complaint Against Snapchat
On December 31, 2014, the Federal Trade Commission (FTC) announced its approval of a final order settling charges against Snapchat for deceptive trade practices in the form of:
1) Snapchat's misrepresentations to consumers that images or videos shared through Snapchat would actually disappear within the timing set by the consumer (and in no event more than 10 seconds after shared);
2) False promises that if a recipient were to take a screenshot of the image, the sender would be notified; and
3) Misrepresentations about the nature and scope of the data actually collected from a user's phone by Snapchat's Find Friends tool.
See also "FTC Approves Final Order Settling Charges that Snapchat Deceived Users," Bloomberg BNA, Social Media Law & Policy Report (Jan. 5, 2015); see also In re Snapchat, Inc., FTC No. 132-3078, Final Order (Dec. 23, 2014).
In addition to these claims about Snapchat's misrepresentations about its data collection and use, the FTC also alleged that Snapchat failed to secure its Find Friends feature, which failure resulted in a security breach in December 2013 relating to a database of 4.6 million Snapchat usernames and phone numbers. FTC Press Release, "Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False; Snapchat Also Transmitted Users' Location and Collected Their Address Books Without Notice or Consent" (May 8, 2014).

Settlement with the FTC
On December 23, 2014, following the public comment period, the FTC formalized its complaint and gave final approval to the settlement, which requires Snapchat to:
  1. Implement a comprehensive privacy program that will be monitored by an independent privacy professional (a third party whom Snapchat has to pay) for the next 20 years;
  2. Hire this independent privacy professional to conduct a follow-up review every two years and provide a compliance report to the FTC;
  3. Conduct this two-year review until December 23, 2034;
  4. Revise Snapchat's privacy policy, product descriptions, advertising and any other public statements to disclose accurately the following:
    • The extent to which a message is deleted after being viewed by the recipient;
    • The extent to which Snapchat or its products/services are capable of detecting or notifying the sender when a recipient has captured a screen shot or saved a message;
    • The categories of personal information that Snapchat actually collects; and
    • The steps taken to protect against misuse or unauthorized disclosure of covered information.
  5. Maintain records for at least five (5) years of the following types of documents:
    • Every communication to consumers about the extent to which Snapchat "maintains and protects the privacy, security and confidentiality of any covered information";
    • All consumer complaints directed at Snapchat, or forwarded to Snapchat by a third party, that relate to the conduct prohibited by this order and any responses to such complaints;
    • Any documents that contradict, qualify, or call into question Snapchat's compliance with this order; and
    • All materials relied upon to prepare the required Assessment, "including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment."
Id. Lest anyone mistakenly believe that these consequences are not serious because there is no monetary penalty assessed, note that Snapchat risks civil penalties of $16,000 per violation per day if it fails to abide by these terms. See Letters to Commentators, at 1 (Dec. 23, 2014) (as provided by Section 5(1) of the FTC Act, 45 U.S.C. § 45(1), as adjusted by 16 C.F.R. § 1.98(c)).
Also note that the preparation of each of the items identified above will "cost" Snapchat money in terms of employee, consultant and/or contractor time, and in taking these resources away from working on money-making endeavors, whether they receive salaries or some other compensation.

Similar Settlement with Maryland Attorney General
In the midst of this dispute with the FTC, in June 2014, Snapchat settled a similar complaint with the Maryland Attorney General.
In its Complaint, the Maryland AG accused Snapchat of collecting data from its users' electronic address books without their knowledge or consent and "knowingly collect[ing] e-mail addresses and photographs from users younger than 13." "Snapchat to Pay $100,000 in Settlement with Maryland Over Privacy of User Snaps," Bloomberg BNA Social Media Law & Policy Report (June 12, 2014); Jeff Clabaugh, "Snapchat pays Maryland $100K in settlement," Washington Business Journal (June 12, 2014).
The settlement agreement with the Maryland Attorney General requires Snapchat to:
  1. Create and publicize mechanisms for users to report accounts that may be used by children;
  2. Provide notice and affirmative consent before Snapchat could collect any address book data – and this notice must appear separately from the user's agreement to the general terms of service; and
  3. Provide Maryland with annual reports for the next 10 years, documenting its compliance with the settlement.
CONCLUSION: Privacy Policies Must be Customized
There is no single, standard form privacy policy. Instead, privacy policies have evolved as a place where web sites disclose to users what data are collected, from which users, and how the data are then used. Privacy policies must disclose correctly how that particular site collects and uses data. See Privacy Policy, Wikipedia (last modified Jan. 10, 2015) (provides a good summary of the history of privacy policy development).
As a result, never simply block and copy an entity's Privacy Policy and adopt it as your own. You have no idea why the other entity included the technical and/or detail oriented promises in its Privacy Policy, and simply copying because it "looks good" is a bad idea and can subject you to enforcement liability.
In fact, the only promises that should appear in your Privacy Policy about what you do with data, cookies, personal information, or other data you collect from a user's device are those things you actually do.
Christopher Olsen, assistant director of the Division of Privacy and Identity Theft Protection in the FTC's Bureau of Consumer Protection, actually stated it best:
The agency [the FTC] certainly supports and encourages the development of privacy protective products, but if there is one message we want to make sure is clear today, it is that, if you make promises about privacy, you must honor those promises; otherwise you risk FTC enforcement action.
"Snapchat Settles FTC Accusations of Failure to Purge 'Snaps' by Senders," Bloomberg BNA Social Media Law & Policy Report (May 8, 2014).
Copyright (c) 2015, Christina D. Frangiosa, All Rights Reserved.

Monday, October 20, 2014

Moving to WordPress

I am very pleased to announce that The Privacy and IP Law Blog is in the process of moving to WordPress, and to a dedicated domain – PrivacyandIPLawBlog.com!  The blog will operate on both the Blogspot.com location and on the new location for a few months while all the kinks are worked out.  Ultimately, the RSS Feed and subscriber links will also move to WordPress.

Why the switch?
Well, for the past year or so, my traditional way of blogging (writing the material offline, double-checking all of the hyperlinks before publication, then posting in draft form, etc.) has been disrupted by some updates within MS Word that appear to now make it impossible to publish offline to a Blogger.com blog.

Specifically, I can no longer write the posts in Word and update them to the blog for further editing and customization, which has required online access more consistently in order to publish (not always easy when traveling!).  I’ve attempted to find fixes or patches to this issue – but it appears even though this concern is somewhat common, there is no fix.  The discussion boards are rich with complaints about this recent modification to the interactivity between Blogger (owned by Google) and MS Word (owned by Microsoft) – with no remedies.
As a result, my ability to post in a streamlined, time-efficient way has been disrupted.

Hence, fewer posts.
So, after researching for the past few months to find an alternative, I’ve decided to register my own domain and host it through WordPress.  We’ll give this a try for a while and see how it goes.  With any luck, I’ll be able to write more frequently, without as many administrative headaches, and keep this a robust site.

Thanks for coming along for the ride!

LinkedIn Sued for Providing “Trusted References” to Paying Subscribers

On October 9, 2014, a class action complaint was filed in the U.S. District Court for the Northern District of California alleging that LinkedIn violated the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., (“FCRA”) by offering to subscribers reports containing “Trusted References” without complying with the FCRA’s requirements to keep the data safe from disclosure. Sweet v. LinkedIn Corp., Civ. A. No. 5:14-cv-04531 (N.D. Cal. filed Oct. 9, 2014) (available at Law360 - subscription required).

Specifically, the complaint alleges that LinkedIn: 1) failed to comply with the certification and disclosure requirements of the FCRA for credit reporting agencies who furnish consumer reports for employment purposes; 2) failed to maintain reasonable procedures to limit the furnishing of consumer reports for the purposes enumerated in the FCRA and to assure the maximum possible accuracy of these reports; and 3) failed to provide the notices required by the FCRA to users of the consumer reports.  Id. at 2.  Plaintiffs seek both damages for past violations and injunctive relief to prevent the continued misuse of these reports in violation of the FCRA.  Id.

These “reference reports” compile information about “people in your network who can provide reliable feedback about a job candidate or business prospect” – including a list of others in your network who worked at the same company as the job candidate during the same time period.  Id. at 7 (citing LinkedIn’s Premium Help Center); see also Trusted References for Job Candidates (last updated 4/21/14); Reference Search (last updated 11/27/13).  In addition, these reference reports encourage the potential employer to contact these references either through a formal Introduction or through inMail – both of which are communication methods available to LinkedIn members.  Compl. at 7.

Notably, LinkedIn users are not notified when a potential employer requests one of these reference reports about them.  Id. at 8.  As a result, the complaint concludes:  “any potential employer can anonymously dig into the employment history of any LinkedIn member, and make hiring and firing decisions based upon the information they gather, without the knowledge of the member, and without any safeguards in place as to the accuracy of the information that the potential employer has obtained.”  Id.
In essence, the complaint alleges that LinkedIn has “created a marketplace in consumer employment information, where it sells employment information, that may or may not be accurate, and that it has obtained in part from unwitting members, and without complying with the FCRA.”  Id. at 9.  In all, the complaint alleges five counts of FCRA violations, seeks damages and injunctive relief, and seeks a jury trial.

Next Steps
LinkedIn has the option of answering the complaint or making any one of a number of 12(b) motions to challenge the sufficiency of the complaint.  It may take some time before this issue is ripe for decision (any decision) by the court.

Tuesday, September 2, 2014

Is Your Company Subject to Laws Regulating Safe Destruction of Documents?

Many companies have document retention policies – in other words, policies determining how long they will keep certain kinds of documentation.  These policies also frequently cover when documents may be destroyed in the normal course of business.  (Assuming, of course, that no litigation is pending and that there is no other reason why the company would be legally obligated to keep these documents.)  It’s almost a business necessity these days given the cost of document storage.

It is also a fairly safe bet that by now, most people have heard about the potential risks associated with data breaches, or at the very least, have heard about the Target data breach during the holiday season in 2013.

However, did you know that many states regulate how personal information can be destroyed?  Or, more specifically, how documents and records that contain such personal information may be discarded?  To date, at least thirty-one states have enacted laws like this (the link attached omits the Delaware law that was just enacted).
Leaving aside the specific rules and regulations relating to the protection from disclosure of personal health information (e.g., HIPAA, HITECH, etc.), many states mandate that business records containing personal information of a consumer (including, perhaps, the business’s employees, too) may only be discarded by “shredding, erasing or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means . . . . ”  E.g., 6 Del. Code §§ 50c-101 through 50c-104 (enacted July 1, 2014 – effective as of Jan. 1, 2015); N.J. Stat. Ann. 56:8-162 (same methods, adding “or nonreconstructable through generally available means” at the end); see also N.J. Stat. Ann. 56:8-161 (for applicable definitions).
In Illinois, the law is even more specific.  It requires documents containing personal information to be “redacted, burned, pulverized or shredded” if the documents exist in paper form, or “destroyed or erased” if they are electronic files.  815 ILCS 530/40.  In both cases, these methods are recommended to ensure that the “personal information [contained in the document] cannot practicably be read or reconstructed.”  Id.
In general, this means that you cannot simply dispose of old records that contain personal information of a customer (or, perhaps, even an employee) by throwing them in the trash, or setting them aside for recycling.  They have to be handled appropriately.  (Note that some commercial vendors offering shredding services can ensure that the shredded material is handled in an environmentally friendly manner.)
Many of these statutes also carry penalties – whether in the form of government fines or in civil remedies to the consumers whose personal data have been compromised.  For instance, Illinois’ statute provides that any violation of the document destruction law automatically constitutes a violation of the state’s unfair business practices act (which has its own penalties) and is subject to civil penalties, payable to the state Attorney General, of at least $100 per individual whose information has been improperly destroyed, but not more than $50,000 total.  Id. 
In Delaware, not only can the Attorney General seek penalties from any “commercial entity that does not take all reasonable steps in disposing of a customer’s personal identifying information,” but any consumer who has suffered actual damages as a result of this violation of this statute can sue the responsible commercial entity.  6 Del. Code § 50c-103(b).  In these cases, courts are permitted to treble (triple) the damages awarded.  Id.

So, here’s the lesson – if your company (whether a for-profit or not-for-profit entity) creates, maintains or discards personal information owned by a customer, check to see whether one of these state records destruction laws applies to your operations.  If your company operates in more than one state, dig deeper and check all relevant states.  Find out if there are “records destruction laws” that apply to your company and read them carefully.  Some have different requirements, and some are more stringent than others. 
Complying with these laws may also have the added benefit of helping your company avoid, or at least minimize, the significant losses associated with an unfettered data breach.