St. Ledger-Roty & Olson LLP

PRIVACY & INFORMATION LAW UPDATE
September 2011
A bimonthly update of trends and developments in privacy law & policy

Karen L. Neuman, Editor

  • You are receiving this publication because of your interest in privacy, information management & data security. It is for informational purposes only, including advertising, and is not intended to be, nor should it be considered, legal advice.

In this Issue:
Recent Developments in International Privacy Law
FEATURE ARTICLE: US-EU Privacy Safe Harbor Participation: Strategic Advantages for U.S. Companies
Foreign Companies Welcome Clarification of India’s Data Privacy and Security Rules
German Data Protection Authority Deals Blow to Social Advertising
The EU Cookie Law: Perfect Recipe for Consent Elusive While Law’s Implementation Remains Unclear
Singapore Proposes Consumer Data Privacy Protection Regime
The U.S.: Privacy in the News
FTC Seeks Comment on Proposed Amendments to COPPA Rule
Reports Highlight New "Supercookies" Used to Track Web Activity for Social Advertising
Settlement Entered in FTC's First COPPA Action Involving Mobile Apps
California Updates its Data Breach Notification Law
Coming Next:
Peeking Past the File Cabinet: Using Social Media to Acquire Information on Individuals. Organizations are turning to social media to acquire information about...

Feature Article:
US-EU Privacy Safe Harbor Participation: Strategic Advantages for U.S. Companies

By Karen L. Neuman and Ari Z. Moskowitz

U.S.-based companies face an increasingly complex web of global privacy laws. For companies with existing or planned operations in E.U. countries, the U.S.-E.U. Privacy Safe Harbor self-certification framework offers a streamlined approach to complying with European restrictions on the cross-border transfer of personal data to the U.S. Participating in the Safe Harbor framework offers several strategic benefits, including enabling organizations that choose it to compete on the basis of privacy.


Foreign Companies Welcome Clarification of India’s Data Privacy and Security Rules
By Karen L. Neuman and Ari Z. Moskowitz

On August 24, 2011, the Indian Ministry of Communications & Information Technology (MCIT) published a number of key clarifications to recently enacted privacy rules1 implementing India’s Information Technology Act of 2000, as amended in 2008 (IT Act).2 According to a press release3 issued by MCIT, the rules will apply only to “sensitive personal information” collected in or transferred to India by an Indian “body corporate”; i.e., any commercial or professional enterprise. A body corporate subject to the rules must create a privacy policy providing requisite notice of data collection, use and disclosure practices and implement specified “reasonable security practices and procedures” for the protection of covered information.


German Data Protection Authority Deals Blow to Social Advertising
By Karen L. Neuman and Ari Z. Moskowitz

Recent actions by German Data Protection Authorities (DPAs) have dealt a significant blow to businesses that rely on Facebook’s “Like” button and “fan” pages to promote their brands and products to Facebook’s more than 20 million German users. These actions could more broadly deter businesses from using social media to promote their brands and products, and restrict their ability to use analytics to refine their campaigns.


The EU Cookie Law: Perfect Recipe for Consent Elusive While Law’s Implementation Remains Unclear
By Karen L. Neuman

Background.

Recent developments involving the efforts by the European Union (EU) to impose restrictions on how businesses use cookies and other technologies to track EU citizens have raised concerns among advertisers and publishers about the practicality and costs of compliance as well as confusion about how those restrictions will be implemented by EU member states.

In 2002, the European Union (EU) enacted the e-Privacy Directive (Directive 2002/58/EC), which supplements the 1995 Data Protection Directive1 and was intended in part to protect individual privacy in the online collection, processing and use of the personal data of EU citizens.


Singapore Proposes Consumer Data Privacy Protection Regime
By Karen L. Neuman

According to a press release issued September 26, 2011 by Singapore’s Ministry of Information, Communications and the Arts (MICA), Singapore is proposing a “consumer data protection regime to govern the collection, use, disclosure, transfer and security of personal data”. The regime would apply to all organizations in Singapore except those in the public sector, which are governed by an existing data protection framework.


The U.S.: Privacy in the News

FTC Seeks Comment on Proposed Amendments to COPPA Rule
By Karen L. Neuman

On September 15, 2011 the Federal Trade Commission (FTC) released proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. The proposed amendments could impose additional compliance burdens on businesses that operate children’s websites or online services -- as well as general audience sites subject to its requirements. The FTC is accepting comments on the proposed changes until November 28, 2011.


Reports Highlight New "Supercookies" Used to Track Web Activity for Social Advertising
By Ari Z. Moskowitz

Privacy researchers from Worcester Polytechnic Institute, University of Wyoming, University of California, Berkeley, and Good Research recently released their second report on tracking technologies used by websites and online advertisers, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (“2011 Report”).1 The report highlights the need for website operators and online service providers to be familiar with the information collection and disclosure practices of third party service contractors, including social advertisers and analytics companies. Periodic due diligence should be conducted to ensure that these service providers aren’t using tracking technologies that contravene users’ express privacy preferences and that websites are in compliance with their own privacy policies.


Settlement Entered in FTC’s First COPPA Action Involving Mobile Apps
By Ari Z. Moskowitz

On August 15, 2011, the Federal Trade Commission (FTC) announced that it had reached a settlement with W3 Innovations, LLC, a developer of mobile apps and games, for violating the FTC’s COPPA Rule. The Complaint alleged that W3 Innovations, through its mobile apps and games, collected, maintained, and disclosed the personal information of children under 13 years old without obtaining their parents’ consent. The consent decree submitted to the court on August 12 imposes a $50,000.00 civil penalty. It would also require that W3 Innovations comply with the COPPA Rule, delete personal information already collected by the company, and submit to additional reporting and monitoring requirements.


California Updates its Data Breach Notification Law
By Karen L. Neuman

On August 31, 2011, California Governor Jerry Brown signed SB 24 into law, a measure that amends the state’s landmark data breach notification statute (Cal. Civ. Code §§ 1798.29 & 1798.82), by mandating the inclusion of certain information in notifications that are already required under existing law to be sent to California residents who may have been affected by a data breach.


Coming Next:
Peeking Past the File Cabinet: Using Social Media to Acquire Information on Individuals. Organizations are turning to social media to acquire information about individuals in a wide variety of contexts such as college admissions, employment, and financial services. The French data protection authority recently found that a provider of telephone directory information violated French law by capturing and including information from Facebook. What risks do organizations face by collecting and using publicly available data on social media and what steps can be taken to minimize those risks?


Feature Article:
US-EU Privacy Safe Harbor Participation: Strategic Advantages for U.S. Companies

By Karen L. Neuman and Ari Z. Moskowitz

U.S.-based companies face an increasingly complex web of global privacy laws. For companies with existing or planned operations in E.U. countries, the U.S.-E.U. Privacy Safe Harbor self-certification framework offers a streamlined approach to complying with European restrictions on the cross-border transfer of personal data to the U.S. Participating in the Safe Harbor framework offers several strategic benefits, including enabling organizations that choose it to compete on the basis of privacy.

Background.

The Safe Harbor program was negotiated between the U.S. Department of Commerce and the European Commission beginning in 1998, and approved by the Commission in 2000, to bridge the gap between the U.S. approach to “regulating” privacy and the EU’s more stringent approach, as embodied in the European Union Data Protection Directive1 (EU DPD). There are actually two Safe Harbors: the U.S.-E.U. Safe Harbor, which applies to data transfers from E.U. countries to the U.S., and the U.S.-Swiss Safe Harbor, which applies to data transfers from Switzerland to the U.S. The Swiss framework encompasses the E.U. requirements. With the exception of a few countries2 that the E.U. has determined have adequate data privacy laws, transfers from the E.U. to countries other than the U.S. are subject to standard contractual clauses promulgated by the European Commission. These clauses are incorporated into model contracts that businesses may choose to use.

Requirements.

E.U. Safe Harbor. In order to self-certify under the E.U. Safe Harbor, organizations must comply with the following seven commonly accepted fair information principles, which have been effectively codified into the Safe Harbor framework:

  1. Notice: of the purposes for which personal information is collected and used, and of the options for limiting its use and disclosure.
  2. Choice: the ability to opt out of disclosure to third parties, or of use for a purpose other than the one for which the information was originally collected.
  3. Onward transfer: notice and consent before information is shared with third parties.
  4. Access: individuals who provide their data must be able to access it and to amend, update, correct or delete inaccurate information.
  5. Security: reasonable measures must be implemented to protect personal information from loss, misuse, unauthorized access, disclosure, alteration or destruction.
  6. Data integrity: only personal information relevant to the purpose for which it is to be used should be collected.
  7. Enforcement: independent mechanisms for dispute resolution and for verifying a business’s commitment to the principles must be in place.

Strategic Advantages.

There are several advantages for businesses that elect to participate in the Safe Harbor, including the relative practicality of its streamlined approach to complying with the E.U.’s stringent privacy framework, and its natural fit for certain methods and types of data transfers.

Rather than being subject to the rules of various E.U. DPAs, participating organizations are subject to Federal Trade Commission (FTC) enforcement. FTC enforcement offers some measure of consistency for U.S. companies because it removes any requirement to negotiate directly with individual E.U. member DPAs. Participating in the Safe Harbor also lowers costs by ensuring that almost all data protection claims by E.U. citizens against U.S. companies will be heard in the United States.

Safe Harbor Alternatives.

There are alternatives to the Safe Harbor framework, which are also available for cross-border data transfers from the E.U. to countries other than the U.S. These alternatives are Model Contracts and Binding Corporate Rules.3

Model Contracts consist of a set of standard contract clauses for data protection that the European Commission requires in contracts between a company within the E.U. and a company or “data processor” outside the E.U. This approach subjects organizations that choose to use it to the governing law of the E.U. country from which the data is exported, as well as to third-party beneficiary rules granting rights to the data subject, and to specific notification, consent, and data security clauses.

The disadvantages of Model Contracts relative to the Safe Harbor framework include that the standard clauses cannot be modified, and that some E.U. countries require the agreements to be filed with the DPA. In addition, certain changes involving the corporation or its business processes, such as a merger, require that the agreements be updated to reflect them, a result that could open the door to renegotiation of other terms.

A multinational corporation or a group of closely affiliated companies can, alternatively, take advantage of Binding Corporate Rules (BCRs) for intra-group transfers only. These rules must be binding on all parts of the company or companies in the group, regardless of their physical location and require approval by the DPA in each country from which the company wishes to transfer data (though some E.U. countries have agreed to recognize the decisions of certain other E.U. DPAs). The E.U. has released guidelines for what must be included in the BCRs that include a dozen rights that a data subject must be entitled to enforce, purpose limitations on collection and use of data, security measures, and regular audits.

Conclusion.

The global economy poses privacy compliance challenges for companies of all sizes, raising significant legal risk and increased costs associated with cross-border data transfers. Businesses whose operations include such data transfers may want to consider the U.S.-E.U. Safe Harbor as a method of minimizing those risks and lowering compliance costs. Doing so may offer the additional advantage of enhancing an organization’s ability to compete on the basis of privacy.


1 95/46/EC.
2 These other countries include Switzerland, Canada, Argentina, Guernsey, Isle of Man, Israel, Andorra, and certain transfers with Australia. See, http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm.
3 European Commission, Frequently Asked Questions Relating To Transfers Of Personal Data From The EU/ EEA To Third countries, http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf



Foreign Companies Welcome Clarification of India’s Data Privacy and Security Rules
By Karen L. Neuman and Ari Z. Moskowitz

On August 24, 2011, the Indian Ministry of Communications & Information Technology (MCIT) published a number of key clarifications to recently enacted privacy rules1 implementing India’s Information Technology Act of 2000, as amended in 2008 (IT Act).2 According to a press release3 issued by MCIT, the rules will apply only to “sensitive personal information” collected in or transferred to India by an Indian “body corporate”; i.e., any commercial or professional enterprise. A body corporate subject to the rules must create a privacy policy providing requisite notice of data collection, use and disclosure practices and implement specified “reasonable security practices and procedures” for the protection of covered information.

U.S. companies had sounded alarms about application of the rules to outsourcing service providers, including data processing and customer call centers.4 These companies were particularly concerned about their ability to comply with a prior written consent requirement (including specified methods for obtaining consent). The companies also raised concerns that the rules appeared to apply to any information processed within India about anyone, anywhere in the world. For example, a data processing center in India, hired by a U.S. insurance company to process insurance claims, would need to obtain direct express consent from every client of the insurance company before the Indian company could process their claims. Companies claimed that such a scenario would increase compliance costs so significantly as to deter future outsourcing to India. In response, Indian officials indicated that they did not plan to enforce the rules against U.S. companies5 and subsequently published the clarifications described below.

MCIT clarified that a “body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with a legal entity located within or outside India” is exempt from the rules’ consent and disclosure requirements. For example, an Indian data processing firm under contract with an American credit card company to process financial transactions that involve sensitive personal information would be bound by its contract with the American company, including the security practices detailed therein, and by India’s new data transfer and reasonable security practices rules, but not by the prior consent and disclosure sections of the new rules.

The clarifications do not alter the fundamental objective of the rules, which is to protect personal privacy, and they preserve the framework contemplated by the IT Act. In furtherance of this objective the rules create a new data category, “sensitive personal information”, defined as: (1) passwords; (2) financial information such as bank account, credit card, debit card or other payment instrument details; (3) physical, physiological and mental health condition; (4) sexual orientation; (5) medical records and history; (6) biometric information; and (7) information related to these categories collected for processing, storage, or providing a service. The definition excludes any information that is freely available, accessible in the public domain, or furnished under India’s Right to Information Act, 2005.6

Together with the clarifications the rules require the following:


Data Collection. Before collecting sensitive personal information, covered entities must obtain consent, in writing or electronically, directly from the data subject for the particular purpose for which that information will be used. The data subject must be given notice of what information is being collected, why it is being collected, who is collecting the information, and to whom the information will be disclosed. The information may be retained only so long as necessary to achieve the purpose for which it was collected. Consent may be withdrawn.

Disclosure. Prior consent must be obtained from a data subject before disclosing his or her information to a third party; that third party is prohibited from further disclosing the information. Transfer of sensitive personal information by a body corporate to any other person or company, within or outside India, is permitted only so long as that third party complies with the Rules and either the individual consents to the transfer or the transfer is necessary to perform a contract between the individual and the company.

It should be noted that even when an Indian organization is exempt from the basic consent and disclosure rules, the rules, as clarified, continue to restrict Indian companies from transferring sensitive data to individuals or organizations within or outside India if those organizations or individuals do not “ensure the same level of data protection as provided by these Privacy Rules.”7 Therefore, though the MCIT clarification means that Indian companies that contract with foreign companies are exempt from the basic consent and disclosure rules, they may transfer sensitive personal information to the foreign company only if that company’s internal security practices provide data protections similar to those of the Indian rules.

Reasonable Security Practices. A body corporate must have, and publish on its website, a clear and accessible privacy policy describing the organization’s data protection practices and procedures and its compliance with these rules. A covered entity is considered to have complied with the requirement to implement reasonable security practices and procedures if it has a “comprehensive documented information security program and information security policies that contain managerial, technical, operational and physical security control measures” that are commensurate with the data being protected and the nature of the business. A security program based on the international standard IS/ISO/IEC 27001 (“Information Technology – Security Techniques – Information Security Management System – Requirements”) will be deemed compliant if it is audited regularly. The International Organization for Standardization promulgated this standard in 2005, and an organization that claims to comply with it may be certified and audited by an accredited third party.8 Any other self-regulating body must submit its standards and best practices to the MCIT for approval in order for them to be deemed “reasonable”.

U.S. outsourcing companies, including those that use Indian service providers, should be familiar with the rules, including the recent clarifications. Even if the rules can now be seen as generally not applying to companies outside India, they continue to impose restrictions on Indian companies seeking to transfer sensitive personal data to entities within or outside India if those companies fail to “ensure the same level of data protection” required under the rules.

In addition, U.S. outsourcing companies should review the terms of their agreements to ensure that they are structured in a way that minimizes compliance costs in light of MCIT’s guidance. These companies should closely monitor future developments including potential further clarifications or modifications, as well as modifications by European or other Data Protection Authorities to their privacy regulatory frameworks in light of the rules as clarified.


1 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, Gazette of India, part II, section III(i) (Apr. 11, 2011), available at http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.
2 The Information Technology (Amendment) Act, 2008, No. 10 of 2009, India Code (2009) available at http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf
3 Press Release, Ministry of Communications & Information Technology, Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology Act, 2000 (Aug. 24, 2011), http://pib.nic.in/newsite/erelease.aspx?relid=74990
4 Rama Lakshmi, India Data Privacy Rules May Be Too Strict For Some U.S. Companies, WASH. POST, May 21, 2011, http://www.washingtonpost.com/business/india-data-privacy-rules-may-be-too-strict-for-some-us-companies/2011/05/18/AF9QJc8G_story.html
5 Pranav Nambiar, Government to Address US Doubts about IT Act, TIMES OF INDIA, June 30, 2011, http://articles.timesofindia.indiatimes.com/2011-06-30/india-business/29720919_1_dsci-data-security-council-kamlesh-bajaj
6 Rules, supra note 1, at para. 3.
7 Id. at para. 7.
8 The ISO27001 Certification Process, http://www.27000.org/ismsprocess.htm



German Data Protection Authority Deals Blow to Social Advertising
By Karen L. Neuman and Ari Z. Moskowitz

Recent actions by German Data Protection Authorities (DPAs) have dealt a significant blow to businesses that rely on Facebook’s “Like” button and “fan” pages to promote their brands and products to Facebook’s more than 20 million German users. These actions could more broadly deter businesses from using social media to promote their brands and products, and restrict their ability to use analytics to refine their campaigns.

Last month Johannes Caspar, the data protection supervisor in the German state of Hamburg, asked Facebook to disable its facial recognition feature or risk a fine.1 That feature scans photos uploaded by users to Facebook and, based on previously uploaded photos that have been tagged with people’s names, suggests names to tag the people in the new photo. The Hamburg DPA alleged that the feature violated the privacy rights of those tagged in the photo under German and European privacy laws, and could subject Facebook to a €300,000 fine. Facebook responded that the feature complies with German and European law, and that the person in the photo has the final say as to whether they wish to be tagged.

The data protection commissioner in the German state of Schleswig-Holstein, Thilo Weichert, subsequently ordered state offices and websites in Schleswig-Holstein to remove Facebook’s “Like” button from their websites, claiming that it violates German and E.U. data protection laws.2 The button enables Facebook users who want to share a product’s content on Facebook to do so with one click. The “like” then appears in the newsfeeds of the user’s friends and is typically construed as an endorsement of the product or brand. Mr. Weichert expressed concern that government websites, in particular, were passing information about visitors to Facebook through the Like button and fan pages, and that Facebook was then building profiles of visitors to those government websites. Facebook denied this, claiming that while it does collect information such as the IP address of those who click a “Like” button, that information is deleted within 90 days.

Facebook subsequently announced that it would sign a voluntary code of conduct. Such self-regulatory codes of conduct were in the process of being considered by German authorities. Nevertheless, on September 11, Germany’s consumer protection minister, Ilse Aigner, released a statement that she had advised Germany’s other ministers to avoid using Facebook and remove any Facebook buttons from government websites.3 In her letter to the other ministers, Aigner warned them not to use Facebook due to concerns with data protection and security. The consumer protection ministry followed the letter with a statement extending the warning to private companies.

German businesses, and businesses with German users, that currently use the Facebook tools at issue should pay close attention to developments at Germany’s Ministry of Consumer Protection. Though Minister Aigner’s statements thus far have been merely advisory, it is clear that the Ministry anticipates taking more concrete measures regarding social media tools in the coming months. Websites operating in the German state of Schleswig-Holstein should take particular care, and implement the required changes by the end of September to avoid the imposition of fines or other sanctions.


1 Kevin J. O’Brien, Germany Investigating Facebook Tagging Feature, N.Y. TIMES, Aug. 3, 2011, http://www.nytimes.com/2011/08/04/technology/germany-investigates-facebook-tagging.html
2 Melissa Eddy, German Privacy Watchdog Dislikes Facebook's "Like", ASSOCIATED PRESS, Aug. 19, 2011, http://www.google.com/hostednews/ap/article/ALeqM5jvG-rC5zv4-pUCY5gAY-AapmQlFw?docId=aba34998b2e74deaa0422b7aad2eb48e
3 German Minister Advises Colleagues to Shun Facebook, AFP, Sep. 11, 2011, http://www.google.com/hostednews/afp/article/ALeqM5hyxHKd75Jl-0hl_RfeclhEvMPZ8w?docId=CNG.ee29706d29744c955731a90381f66cc5.831



The EU Cookie Law: Perfect Recipe for Consent Elusive While Law’s Implementation Remains Unclear
By Karen L. Neuman

Background.

Recent developments involving the efforts by the European Union (EU) to impose restrictions on how businesses use cookies and other technologies to track EU citizens have raised concerns among advertisers and publishers about the practicality and costs of compliance as well as confusion about how those restrictions will be implemented by EU member states.

In 2002, the European Union (EU) enacted the e-Privacy Directive (Directive 2002/58/EC), which supplements the 1995 Data Protection Directive1 and was intended in part to protect individual privacy in the online collection, processing and use of the personal data of EU citizens.

In 2009 the e-Privacy Directive was amended2 by another directive to address the use of cookies and other technologies that track users’ behavior through their Internet browsers, without their knowledge, for the purpose of creating user profiles for targeted advertising. The amended directive, referred to as the “Cookie Law”, established stringent requirements for cookie use, including requiring that websites obtain a user’s “opt-in” before placing a cookie on the user’s computing device. The directive carves out two exceptions: technical storage or access for the sole purpose of carrying out the transmission of a communication, and storage or access strictly necessary to provide a service “explicitly” requested by the user.

Website operators in the EU whose sites are directed to EU users are subject to the Cookie Law. Websites located outside the EU that are directed to EU users are probably also subject to the law. It requires that:

  • Member States shall ensure that the storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user … has given his or her consent, having been provided with clear and comprehensive information, in accordance with the [EU Data Protection Directive] … about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

EU Member States were required to implement their own versions of the Law by May 25, 2011. That deadline has come and gone, and many EU countries have not yet done so. Some are currently considering legislative proposals.

The UK introduced implementing regulations in May but indicated that it will delay enforcement for a year while it works with browser manufacturers to create a new system for obtaining consent through browser settings, an approach that is seen as being at odds with the Cookie Law. Despite delayed enforcement, UK officials have stated that companies must nevertheless begin implementing its requirements. The Information Commissioner’s Office (ICO), the UK enforcement authority, has offered some guidance on how to obtain consent, including suggesting the use of “pop-ups” to prompt users to choose their preferences.

Consent.

There has been considerable debate about what constitutes adequate consent under the Cookie Law, as well as concern that suggested methods will be disruptive for website users and add significant compliance costs for business.

A recent effort to promote an industry consent mechanism (part of an advertising industry self- regulatory code of conduct that enables advertisers to place an icon on targeted ads that users can click and be taken to a website that allows them to turn off such ads) was recently rejected by the Article 29 Working Party (the independent EU advisory body on privacy and data protection). The Working Party admonished that use of icons in place of statements or actions would not constitute valid consent under the Cookie Law because a chance to object to cookie tracking is not the same as a specific (verbal) opt- in. Moreover, icons attached to ads that link users to a website where they can learn about cookies and express preferences are inadequate since the Cookie Law applies irrespective of whether cookies collect personal data.

Other language in the Cookie Law appears to authorize the use of browser settings or “other applications” as valid means of obtaining consent, although the Working Party seems to have rejected this approach, too, on the grounds that the default browser setting is to accept cookies.

Adequate mechanisms for obtaining user consent will continue to be a primary focus of attention by both industry and regulators.

Looking Ahead.

The lack of implementation of the Cookie Law by many EU member states along with ambiguities about the law’s key requirements may cause businesses to wonder “why bother?” The recent pronouncement by the Article 29 Working Party that the advertising industry’s self-regulatory code is not “cookie law compliant” can be seen as a signal by this influential body that simply ignoring the law should be seen as high risk.

Accordingly, businesses subject to the law should evaluate their current compliance strategies, including their data collection and use practices, for adherence to commonly accepted fair information principles. These principles are embodied in the Cookie Law and in other privacy regulatory frameworks in the U.S. and elsewhere. Other measures that can be taken now include:

  • Conducting an audit of your business’s websites and applications for cookie and other tracking technologies to understand their use, including the data stored.
  • Being aware of cookie use and other tracking technologies by third-party advertisers on your site(s).
  • Reviewing your privacy policies to ensure that they are up to date and accurately describe your data collection, use, retention and sharing practices, as well as cookie use on your site(s).
  • Closely monitoring the status of EU member states’ and their Data Protection Authorities’ efforts to implement legislation adopting the Cookie Law, as well as watching for further statements from the Article 29 Working Party on “cookie-compliant” consent mechanisms.

1 95/46/EC.
2 Directive 2002/48/EC.



Singapore Proposes Consumer Data Privacy Protection Regime
By Karen L. Neuman

According to a press release issued September 26, 2011 by Singapore’s Ministry of Information, Communications and the Arts (MICA), Singapore is proposing a “consumer data protection regime to govern the collection, use, disclosure, transfer and security of personal data”. The regime would apply to all organizations in Singapore, except those in the public sector, which are governed by an existing data protection framework.

If adopted, the proposal would add another privacy law to the growing web of global privacy laws that businesses must contend with. Businesses would be required to seek prior consent in order to use personal data, such as identity card numbers, telephone numbers and physical addresses. Subject to certain exceptions, businesses would also be required to give consumers the right to access and amend their personal data. Interestingly, MICA proposes treating existing personal data as if consent had already been obtained until the effective date of the proposal, after which new consent would be required for businesses seeking to use that data for purposes other than those for which it was initially collected.

In addition, a Data Protection Commission (DPC) would be established to oversee compliance and public education about data privacy. The DPC would have the authority to issue orders mandating remedial measures for certain types of violations and impose monetary penalties of up to $1 million for serious data breaches. The proposal also includes a “Do Not Track” registry.

Apart from protecting consumer privacy, a key objective of the proposal is to enhance Singapore’s status as a “trusted hub for global data management and processing services” consistent with other international frameworks for protecting privacy, such as the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data and the Asia-Pacific Economic Cooperation Privacy Framework.

The proposal comes as a growing number of U.S. businesses seek to compete with foreign companies that already have a Singapore presence by establishing offices there.

The proposal was issued as a “consultation paper”, which can be viewed here. MICA is seeking public comments, which must be filed with MICA before 5 PM October 25, 2011.



The U.S.: Privacy in the News

FTC Seeks Comment on Proposed Amendments to COPPA Rule
By Karen L. Neuman

On September 15, 2011 the Federal Trade Commission (FTC) released proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule. The proposed amendments could impose additional compliance burdens on businesses that operate children’s websites or online services, as well as on general audience sites subject to its requirements. The FTC is accepting comments on the proposed changes until November 28, 2011.

Changes would include:

  • expanding the definition of “personal information”;
  • changing the definition of “collection” and the parental notice and parental consent mechanisms;
  • updating confidentiality and security requirements; and
  • strengthening FTC oversight of self-regulatory “safe harbor” programs.

In 2010 the FTC accelerated its scheduled review of the rule to address mounting concerns about threats to children’s privacy posed by their adoption of rapidly evolving technologies, including accessing, viewing and interacting with content over mobile devices. During the review period the FTC expanded enforcement, including applying the rule to such new technologies as mobile apps.

The FTC proposes the following changes:

  • Updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising, and identifiers that track a child across websites or online services for targeted advertising. Also included would be information that permits direct online contact with a child, including screen or user names that are not used solely to support internal operations.
  • Modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, as long as operators take “reasonable measures” to delete all or virtually all children’s personal information before it is made public, a change that is intended in part to address the iterative nature of certain filtering technologies.
  • Adding new methods for obtaining “verifiable parental consent”, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued ID checked against a database, provided that the parent’s ID is deleted promptly after verification is done. In addition the FTC proposes eliminating what it views as the less-reliable “e-mail plus” method of obtaining verifiable parental consent.
  • Establishing a voluntary 180-day notice and comment process to encourage new consent mechanisms whereby parties may seek FTC approval of a particular mechanism or permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.
  • Adding to the rule’s confidentiality and security provisions a requirement that operators ensure that any service providers or third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it; requiring operators to retain the information for only as long as is reasonably necessary; and requiring operators to take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.
  • Strengthening FTC oversight of self-regulatory “safe harbor programs” by requiring these programs to audit their members at least annually and report periodically to the FTC the results of those audits.

Operators of children’s websites and other online services, including those operating over emerging platforms such as mobile apps, as well as general audience sites subject to COPPA, should closely monitor developments in this proceeding to anticipate how the proposed changes could affect their business and regulatory strategies.



Reports Highlight New "Supercookies" Used to Track Web Activity for Social Advertising
By Ari Z. Moskowitz

Privacy researchers from Worcester Polytechnic Institute, University of Wyoming, University of California, Berkeley, and Good Research recently released their second report on tracking technologies used by websites and online advertisers, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (“2011 Report”).1 The report highlights the need for website operators and online service providers to be familiar with the information collection and disclosure practices of third-party service contractors, including social advertisers and analytics companies. Periodic due diligence should be conducted to ensure that these service providers aren’t using tracking technologies that contravene users’ express privacy preferences and that websites are in compliance with their own privacy policies.

Background.

The first report, Flash Cookies and Privacy, released in August 2009, examined the use of persistent Local Stored Objects (LSOs), more commonly known as “Flash cookies”, to track users despite the users’ attempts to protect their online privacy by taking such steps as deleting cookies. The findings in this report were the linchpin in class actions against some of the advertisers and websites that the report found to be using Flash cookies.

Clearspring, whose Addthis tool allows website visitors to share a website’s content on social media and used Flash cookies to track people who visited websites with Addthis installed, was a named defendant in one of the actions. That lawsuit, along with a similar action against Quantcast, was settled this year, with the companies agreeing not to use LSOs in their products.2

The 2011 Report, along with additional work by Jonathan Mayer at Stanford,3 has similarly formed the basis for allegations in lawsuits against websites and advertisers who use the new “supercookies” and other forms of persistent trackers highlighted in the report. The report reviews how Flash cookie use has changed in the last year and identifies two additional supercookies, cache-cookies and HTML5 Local Storage. KISSmetrics, a web analytics company, and its now-former client Hulu.com were sued for privacy violations after the report noted their use of ETags, a type of cache-cookie.4

The common thread between the supercookies discussed in the 2011 Report5 is that each is more persistent and allows for greater data storage than standard HTTP cookies. Flash cookies and ETags respawn HTTP cookies after a user has deleted them or gone into “private browsing mode” to prevent cookie creation. (Private browsing is an option available in many Internet browsers, such as Internet Explorer and Firefox, which prevents websites from downloading cookies or storing new information in the cache after the browsing session ends.) HTML5 storage does not respawn HTTP cookies, but where HTTP cookies automatically expire after some period of time, HTML5 storage does not expire, so it must be affirmatively deleted by the user to disable tracking. Flash cookies and ETags can be used to respawn HTML5 cookies, in addition to HTTP cookies.

Flash Local Storage Objects.

Flash LSOs, like other supercookies, are resistant to deletion because they are not deleted through the browser as standard HTTP cookies are. The user is required to take additional steps to prevent tracking. Flash LSOs hold more data than HTTP cookies, enabling better tracking, and can be used to respawn or recreate HTTP cookies that a user has deleted. Flash LSOs, the subject of the prior report, have decreased in use since the release of that report. Of the 100 sites investigated by the authors, 100 Flash cookies were found, down from 281. Only two sites used Flash cookies to respawn HTTP cookies.

Cache-Cookies and ETags.

Cache-cookies are not actually cookies. This method of tracking involves using the web browser’s cache to associate information between a deleted cookie and a new cookie. ETags are generally used by websites to tell a browser whether the site has changed, and if not, to use the copy of the website stored in the browser’s cache rather than downloading new data.

The report discusses how an ETag in a cached copy of a website can include a unique identifier. Even if a user deletes her cookies, when she returns to the website and downloads a new cookie, the ETag in the cached copy still exists and can give the website enough information to associate the new cookie with whatever data was collected via the old cookie. In this way, the old cookie is said to respawn. Also, if a user visits websites via the browser’s “private browsing” mode, this type of tracking is not prevented. Specifically, if a user visits a website while not in private browsing, information is stored in the cache and may then still be retrieved when later visiting the website in private browsing mode. The only way to prevent this tracking is to manually clear the cache prior to revisiting the website.
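The kind of due-diligence audit the report and the Cookie Law checklist above call for can be partly automated. The following is an added example, not code from the newsletter or the 2011 Report: it classifies the ETag a server returns for one URL by comparing responses from several independent fresh clients (no cookies, empty cache) with one client’s revisit. A genuine cache validator is the same for every client at the same moment; a per-visitor identifier differs between fresh clients and is echoed back to a returning one. The URLs, header values and cookie names are constructed for illustration.

```python
"""
Added audit helper (not from the newsletter or the 2011 Report it discusses):
classify the ETag a server returns for one URL, using responses from several
independent fresh clients (no cookies, empty cache) plus one revisit. A content
validator is identical for every client at the same moment; a per-visitor
tracking ETag differs between fresh clients and is echoed back to a returning one.
"""
from typing import Dict, List, Set, Tuple


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response (status line + headers) into a lower-cased
    multi-map; repeated headers such as Set-Cookie are kept as a list."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_values(headers: Dict[str, List[str]]) -> Set[str]:
    """Return the value of every Set-Cookie header (the 'name=value' part)."""
    values: Set[str] = set()
    for sc in headers.get("set-cookie", []):
        _, _, val = sc.split(";", 1)[0].partition("=")
        values.add(val.strip().strip('"'))
    return values


def classify_etag_behaviour(fresh: List[str], revisit: Tuple[str, str]) -> str:
    """fresh: responses to one URL from N independent fresh clients, fetched at
    about the same time. revisit: (first, second) responses for one client whose
    second request carried If-None-Match with the ETag it had been given."""
    etags = [parse_headers(r).get("etag", [None])[0] for r in fresh]
    if all(e is None for e in etags):
        return "no-etag"
    first, second = (parse_headers(r) for r in revisit)
    first_etag = first.get("etag", [None])[0]
    second_etag = second.get("etag", [None])[0]
    # A 304 may omit ETag; either way the server accepted the old validator.
    echoed = second_etag in (None, first_etag)
    if len(set(etags)) == 1:
        return "content-validator"
    if len(set(etags)) == len(etags) and echoed:
        # Unique per fresh client, stable for a returning client: tracking-style.
        if first_etag and first_etag.strip('"') in cookie_values(first):
            return "per-visitor-identifier+cookie-match"  # mirrors a cookie
        return "per-visitor-identifier"
    return "inconclusive"


# Constructed sample responses (not real captures). The tracking server hands
# every fresh client a different ETag and mirrors the same value in a cookie.
TRACKING_FRESH = [
    'HTTP/1.1 200 OK\r\nETag: "u-7f3a91"\r\nSet-Cookie: uid=u-7f3a91; Path=/\r\n\r\n',
    'HTTP/1.1 200 OK\r\nETag: "u-c04d2e"\r\nSet-Cookie: uid=u-c04d2e; Path=/\r\n\r\n',
    'HTTP/1.1 200 OK\r\nETag: "u-19be77"\r\nSet-Cookie: uid=u-19be77; Path=/\r\n\r\n',
]
TRACKING_REVISIT = (TRACKING_FRESH[0], 'HTTP/1.1 304 Not Modified\r\nETag: "u-7f3a91"\r\n\r\n')
# An ordinary static asset: the same validator for everyone.
STATIC_FRESH = ['HTTP/1.1 200 OK\r\nETag: "5d8c-1a2b3c"\r\nContent-Type: image/png\r\n\r\n'] * 3
STATIC_REVISIT = (STATIC_FRESH[0], 'HTTP/1.1 304 Not Modified\r\n\r\n')


def audit_report() -> Dict[str, str]:
    """Verdict per (constructed) URL, as an audit script would print it."""
    return {
        "tracker.example/pixel.gif": classify_etag_behaviour(TRACKING_FRESH, TRACKING_REVISIT),
        "cdn.example/logo.png": classify_etag_behaviour(STATIC_FRESH, STATIC_REVISIT),
    }


if __name__ == "__main__":
    for url, verdict in audit_report().items():
        print(f"{url}: {verdict}")
```

A "per-visitor-identifier" verdict on a third party's resource is a prompt to ask that vendor how the value is used and whether it survives cookie deletion, which is exactly the practice the report criticises.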

HTML5 Local Storage.

The Report concluded that HTML5 cookies raise privacy concerns because they never expire. Instead, the user is required to affirmatively delete the cookie. The storage capacity is also significantly greater than any of the other cookies mentioned here, as well as standard HTTP cookies. A number of sites also respawned HTML5 cookies using either ETags or Flash cookies and others used matching values for their HTML5 and HTTP cookies, which makes respawning and association between the cookies easier.

CONCLUSION.

Companies wishing to take advantage of social advertising tools should take a close look at the tracking technologies employed by businesses offering those tools to make sure that the technology does not override consumer privacy preferences. One way to obtain assurance is to determine if these businesses comply with pertinent industry best practices and standards. As the lawsuits that rely on the findings of the researchers’ reports make clear, the plaintiffs’ bar does not distinguish between the companies that develop persistent tracking technologies and the businesses that use those technologies for legitimate business purposes.


1 Ayenson, et al., Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning, 2011 (“2011 Report”).
2 In Re Quantcast Advertising Cookie Litigation, 2:10-cv-05484-GW–JCG (Cal. C.D. 2011) (Settlement Agreement at §4.19).
3 A recent report out of Stanford reviewed Microsoft’s use of ETags, a cache-cookie. Jonathan Mayer, Tracking the Trackers: Microsoft Advertising (Aug. 18, 2011), http://cyberlaw.stanford.edu/node/6715
4 Wendy Davis, KISSmetrics, Hulu Sued Over New Tracking Technology, MEDIAPOST, Aug. 1, 2011, http://www.mediapost.com/publicationsfa=Articles.showArticle&art_aid=155032
5 Ayenson, supra note 1.



Settlement Entered in FTC’s First COPPA Action Involving Mobile Apps
By Ari Z. Moskowitz

On August 15, 2011, the Federal Trade Commission (FTC) announced that it had reached a settlement with W3 Innovations, LLC, a developer of mobile apps and games, for violating the FTC’s COPPA Rule. The complaint alleged that W3 Innovations, through its mobile apps and games, collected, maintained, and disclosed the personal information of children under 13 years old without obtaining their parents’ consent. The consent decree submitted to the court on August 12 imposes a $50,000.00 civil penalty. It would also require that W3 Innovations comply with the COPPA Rule, delete personal information already collected by the company, and submit to additional reporting and monitoring requirements.

This is the first case brought by the FTC involving mobile apps. The settlement was reached as the agency was finalizing proposed changes to the COPPA Rule. Those changes include extending the rule’s application to new and emerging technologies, including mobile apps. Businesses that operate child-directed websites and online services, including over new platforms, should expect additional enforcement actions involving those platforms.

W3 Innovations develops mobile apps and games for the iPhone and iPod that it sells through Apple’s App Store. The apps that led the FTC to file charges were listed in the “Games – Kids” section of the App Store and included the “Emily’s Girl World” app and the “Emily’s Dress Up” app. These apps allowed users to design outfits by dressing up virtual models and to play games such as Cootie Catcher and Truth or Dare, which reward the player with stickers for a virtual sticker album. A W3 Innovations website described the apps as something that “younger girls and nostalgic adults might enjoy.” The FTC concluded that the apps were directed at children under the age of 13 by assessing their subject matter and presentation, the analysis it undertakes when evaluating whether general audience websites are directed to children.

Users of these apps were encouraged to email “Emily” and to share stories and outfits designed through the app with “Emily” by sending an email. The apps also linked to “Emily’s” blogs, where users could submit comments by providing an email address and, optionally, their full name. W3 Innovations collected and maintained over 30,000 emails sent from the apps, including the senders’ email addresses, and collected, maintained, and/or disclosed the personal information of almost 600 people who registered to comment on the blogs. W3 Innovations did not maintain or link to any online notice of its information collection, use, or disclosure practices through the Emily apps. Nor did W3 Innovations provide notice to parents of its information collection and use practices or obtain parental consent prior to collecting, using, and disclosing children’s personal information.

The settlement enjoins W3 Innovations from violating the COPPA Rule. On any website or app that is directed to children, or on which it has actual knowledge that it is collecting children’s information, W3 must (1) provide sufficient notice of what information it collects from children and how such information is used and disclosed, (2) provide direct notice to parents of what information it is collecting from children and how it will be used and disclosed, and (3) obtain verifiable parental consent before collecting, using, or disclosing any personal information from children.

In addition to this injunction, W3 Innovations must also delete all information collected in violation of the COPPA Rule and pay a $50,000 civil penalty. The consent decree also requires additional monitoring and reporting. These include filing sworn statements detailing its privacy practices, procedures for collecting and protecting information, the methods for obtaining parental consent, and other information on how its apps collect and use personal information.

With over 15 billion downloads from Apple’s App Store alone and $2.5 billion paid to app developers by Apple as of early July, the app industry is continuing to grow at an extraordinary pace. This growth, combined with increased use of smartphones and apps by children, makes it increasingly likely that the FTC will enhance its scrutiny of the app industry and its compliance with the COPPA Rule. This first enforcement action by the FTC against an app developer highlights the importance of understanding and complying with COPPA’s additional information privacy rules when selling and operating apps directed to children. If developers of children’s mobile apps and games wish to collect personal information as defined under the COPPA Rule, including email addresses from their users, they must make certain to maintain an up-to-date information privacy policy and obtain verifiable consent from parents.



California Updates its Data Breach Notification Law
By Karen L. Neuman

On August 31, 2011, California Governor Jerry Brown signed SB 24 into law, a measure that amends the state’s landmark data breach notification statute (Cal. Civ. Code §§ 1798.29 & 1798.82), by mandating the inclusion of certain information in notifications that are already required under existing law to be sent to California residents who may have been affected by a data breach.

SB 24, which will take effect January 1, 2012, also requires that the notifying entity send an electronic version of the notice to the state Attorney General (AG) in instances where a breach affects more than 500 California residents. According to SB 24’s sponsor, Joe Simitian (D-Palo Alto), this requirement is intended to enable law enforcement to see the “big picture” and better understand statewide patterns of identity theft. Businesses, agencies and individuals subject to the law who use the substitute notice provisions permitted under the current statute must also provide an electronic version of the notice to the state’s Office of Information Security or the Office of Privacy Protection. Organizations that are subject to HIPAA’s HITECH breach notification requirements will be deemed to be in compliance with the law’s breach notice content requirements but must still comply with the AG notification requirement.

Since 2003, California law has required covered entities and individuals to notify affected persons of a data breach. However, unlike other state data breach laws, California’s statute did not mandate what information the breach notices should contain or require that state authorities be notified of the breach. Previous bills that addressed these gaps were vetoed by Governor Brown’s predecessor.

SB 24 addresses these gaps by establishing the following standard content requirements for required breach notices, which must be written in “plain language”:

  • The name and contact information of the notifying entity or person;
  • a list of the types of personal information that were or reasonably believed to have been breached;
  • toll-free telephone numbers and addresses of the major credit reporting agencies if the breach discloses a Social Security, driver’s license or California ID card number;
  • the actual or estimated date or date range of the breach, if it is possible to ascertain;
  • a general description of the breach, if it is possible to determine; and
  • whether notice was delayed due to a law enforcement investigation.

SB 24 also authorizes covered entities and individuals to include in the notices, if they wish to do so, information about measures taken to protect persons whose information has been compromised as well as steps affected persons may take to protect themselves.



Coming Next:
Peeking Past the File Cabinet: Using Social Media to Acquire Information on Individuals. Organizations are turning to social media to acquire information about individuals in a wide variety of contexts such as college admissions, employment, and financial services. The French data protection authority recently found that a provider of telephone directory information violated French law by capturing and including information from Facebook. What risks do organizations face by collecting and using publicly available data on social media and what steps can be taken to minimize those risks?



Copyright © 2010 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington D.C 20036