Alan Sutin - Privacy

September 23, 2009

Location data and
privacy
The legal perspective
Alan N. Sutin
Chair, Global Intellectual Property & Technology Practice

GREENBERG TRAURIG, LLP ▪ ATTORNEYS AT LAW ▪ WWW.GTLAW.COM
©2009, Greenberg Traurig, LLP. Attorneys at Law. All rights reserved.

Topics we will cover
 What activities give rise to privacy
concerns?

 When is location data regulated and do
any restrictions apply even if it is not itself
personal data?

 Special issues relating to children?

 How can service providers and
developers limit legal exposure?

September 23, 2009 [1]

What uses are being made of location data
 Government uses
□ Investigation
□ Evidence
 Commercial Uses
□ Telecom services
□ Navigation
□ Directories
□ Targeted advertising


Finding the Holy Gr
ail
of Web Advertising
Behavioral Targeti
ng G rows

y
g Works b s
Marketin onsumer
C
Targeting Online Marketin
g’s New Tack

The Quest fo
r the
Perfect Onli
ne Ad How Marketers Hone
Their Aim Online

ve
ed Ad s M o
Online Customiz Today’s
Niche M
er
a Step Clos Narrow
arketin
g
, Not Sm is About
all

What can happen when location data is
combined with other Personally
Identifiable Information?


Privacy Law
Overview


Sources of Relevant Privacy Law

 United States Constitution

 FCC CPNI-related rules

 FTC Regulations and Guidelines

 The Electronic Communications Privacy Act (ECPA)

 The Computer Fraud and Abuse Act (CFAA)

 The Children’s Online Privacy Protection Act (COPPA)

 EU Data Directives

 State Laws


United States Constitution

 United States Constitution
□ 4th Amendment: default
standard governing
evidence collection in
criminal investigations
□ Technology raises new
issues in 4th Amendment
analysis



 Fourth Amendment
□ Bans only “unreasonable”
searches and seizures
□ Searches and seizures are
“reasonable” if authorized
by a warrant or a warrant
exception
□ 4th Amendment is not
implicated if there is no
 Search
 Seizure


 Federal and state court decisions
inconsistent, but the trend is to
find that a warrant is required

 This summer alone:
□ May 12, 2009 – NY’s highest
court rules that GPS tracking is
a constitutional “search” that
requires a warrant.
□ September 18, 2009 – MA’s
highest court rules that warrant
required for GPS tracking

Relevant Privacy Laws

 The Communications Act and CPNI
□ Who must comply?
 The FCC’s CPNI rules apply to carriers, including
interconnected VoIP providers
 The Telephone Records and Privacy Protection Act of 2006
(“TRPPA”) is a generally applicable criminal statute
□ What activities and information are covered?
 FCC’s CPNI rules govern the collection and use of
customer proprietary information by carriers and their
partners and contractors.
 When does location information qualify as CPNI?

September 23, 2009 [ 10 ]

 CPNI
□ What are the key rules under the FCC’s CPNI Orders?
 Carriers may only use CPNI to provide requested services
to the customer, or as the customer authorizes/directs in
writing
 Can use customer info in aggregate form
□ What are the key rules under TRPPA?
 It’s a crime to
□ Obtain CPNI from a carrier without authorization or using
fraudulent means
□ Knowingly sell or transfer CPNI obtained improperly

September 23, 2009 [ 11 ]


 FTC Act, and Related Guidelines
□ FTC Act grants the FTC broad powers to protect
consumers against unfair, deceptive acts or practices
□ Personal information collection best practices for adult
consumers
 Notice/awareness
 Choice/consent
 Access/participation
 Integrity/security
 Enforcement/redress

September 23, 2009 [ 12 ]

 FTC
□ Under the FTC Act, the FTC actively pursues unfair and
deceptive practices related to personal information
 Deceptive practices include a company’s failure to follow
or implement its own privacy policy to the detriment of
consumers
□ Unfair practices include failure to adopt minimal levels of
security
 De facto standard directs companies to implement
reasonable information security programs to protect
consumer personal information

September 23, 2009 [ 13 ]


 FTC
□ FTC promotes effective industry self regulation
 New behavioral marketing guidelines
□ Issued principles after town hall meeting in 2007
□ Staff report on Self-Regulatory Principles for Online Behavioral
Marketing issued February 2009

 Currently considering location information privacy
issues
□ FTC Town Hall meeting scheduled for December 7, 2009
discussing, among other things, privacy implications of
location information tracking services

September 23, 2009 [ 14 ]


 Electronic Communications Privacy Act (ECPA)
 ISPs, online service providers (wired and wireless),
and remote computing service providers
 But only if they provide services to the public
 Disclosure of any wireless or wired transmission
 Access to electronically stored information

September 23, 2009 [ 15 ]


 ECPA
□ What are the key rules?
 No person or entity may intercept electronic
communications without authorization
 Service providers may not knowingly use any
electronic, mechanical or other devices to intercept,
use or disclose contents of in-transit or stored
electronic communications including customer
account records unless a statutory exception applies

September 23, 2009 [ 16 ]


 Computer Fraud and Abuse Act (CFAA)
 Generally applicable federal criminal statute
 Accessing protected computer resources
 Intercepting information or communications
 Accessing government computers or national security
information
 Accessing computers to commit a crime
 Causing damage to a protected computer
 Trafficking in passwords

September 23, 2009 [ 17 ]

 CFAA
 May not access computer resources (without
authorization) to intentionally engage in any of
prohibited acts
 Exceeding authorization and then engaging in
prohibited act is also a crime
 Damage threshold of $5,000 over 12 month-period
for civil actions and felony criminal prosecution
 Does CFAA apply to unauthorized collection of
personal information without notifying customers?
□ Probably, but satisfying the loss threshold is the trick
□ Aggregating claims across victims and time requires a single
act

September 23, 2009 [ 18 ]


 Children’s Online Privacy Protection Act (COPPA)
 Operators of commercial web sites and online
services satisfying either of the following:
□ Directed at children
□ General purpose service with actual knowledge that children
are providing personal information

 FTC has accelerated review of rules for application
to mobile services to 2010

 Collection of personal information from children
under 13
September 23, 2009 [ 19 ]


 EU Data Directive 95/46/EC
 Any person or entity can be subject to the EU Data
Directive, even companies without operations in the EU
 Transfer of personal data from any EU Country
 Covered data is information that personally identifies an
individual
 Personal data from the EU may not be transferred to any
country unless that country has adequate privacy
protections
 U.S. laws generally not considered adequate
September 23, 2009 [ 20 ]


 EU Data Directive 95/46/EC
□ To provide U.S. companies clarity, U.S. and EU agreed on
certain safe harbor principles
 They do not apply to non-U.S. companies, or transfers
within and between EU member states
 Compliance with principles is presumptive
compliance with EU Data Directive
 Methods of compliance
□ Participate in self-regulatory industry standards
□ Self-certify with submission to U.S. DoC

September 23, 2009 [ 21 ]

 EU Directive on Privacy and Electronic Communications
2002/58/EC
□ Covers real-time and historic location information
□ Providers can process location information to enable
transmission, process bills, and manage traffic
□ Location data (other than traffic data) can be processed
(without consent) if the individual isn’t identified
□ For value added services, location can be tracked with
informed consent of the user or subscriber
□ User or subscriber must be able to withdraw consent
□ Use of non-anonymous location data only to the extent
necessary to provide the value-added service within the
scope of the consent

September 23, 2009 [ 22 ]


 Invasion of privacy under state common law
□ Elements: (1) unauthorized intrusion; (2) level of intrusion
is offensive to a reasonable person; (3) intrusion relates
to private matters; and (4) results in anguish or suffering
□ Most states recognize the tort
 NY - no
 CA - yes

September 23, 2009 [ 23 ]

 45 States (+P.R.) have breach - notice Laws
 Typical statutory elements
□ Protected personal information covered
 Name plus one or more identifying element
□ SS#, driver’s license #, other government ID #, financial account numbers and
account access credentials

 Health insurance or medical records
 Applies to owners or delegated custodians of covered personal
information of a citizen of the state
 Location information not widely recognized . . . yet
□ Notice triggering events
 Actual unauthorized access or disclosure of unencrypted personal
information

 Reasonable belief of unauthorized access to such data

September 23, 2009 [ 24 ]

What Should Providers
and Developers Do?

September 23, 2009 [ 25 ]

LBS providers and developers - best practices

 Include privacy-enhancing features into location-tracking
services for consumer markets in the U.S.
□ Have a clear written privacy policy
 Say what you do and do what you say
□ Opt-in feature, with ability to opt-out easily
□ Allow users to select/de-select which and when third parties
can obtain their location information
□ Enable users to temporarily turn off location tracking
□ If device or service is targeted for children or likely to attract
children, follow COPPA if you want kids or block users younger
than 13 years old if you don’t want child users
□ Encrypt or redact personal information at rest and in storage
□ Destroy personal information after it is no longer useful

September 23, 2009 [ 26 ]


 Follow FTC general rule of reason approach
□ Employ privacy protections based on the sensitivity of the data
and the nature of provider’s business operations, the risks
faced and the reasonable protections available to
avoid/mitigate those risks.

 Adopt and implement data breach and notice policies that
comply with applicable state laws
□ Start with the states where your customer personal data is
stored
□ Look to the states where you have principal offices
□ Examine states where you’ll likely have customers
□ Decide which laws are most applicable
□ Safe harbors are available for data handlers that encrypt
September 23, 2009 [ 27 ]

 Adopt security program that is, at a minimum, consistent
with FTC’s guidelines
□ Designate a security program responsible party
□ Initial risk assessment for each area of relevant operation
 Employee training and management;
 Examine relevant information systems for vulnerabilities;
and
 Prevention, detection, and response to attacks,
intrusions, or other systems failures
□ Design and implement reasonable safeguards
□ Regularly test and monitor the safeguards
□ Evaluate and adjust the key controls

September 23, 2009 [ 28 ]


 Carefully choose downstream/upstream providers and act
on information of non-compliance

 Negotiate effective service and product agreements
□ Bind all providers and data handlers
□ Representations and warranties
□ Indemnifications covering losses/liabilities for non-compliance
□ Create remedies that address true cost of data breach
□ Remove indemnification liabilities from the cap on damages

September 23, 2009 [ 29 ]

Thank You!
Alan N. Sutin
Chair, Global Intellectual Property & Technology Practice
Tel: 212-801-9286
Email: sutina@gtlaw.com

GREENBERG TRAURIG, LLP ▪ ATTORNEYS AT LAW ▪ WWW.GTLAW.COM
©2009, Greenberg Traurig, LLP. Attorneys at Law. All rights reserved.

Alan Sutin - Privacy

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Alan Sutin - Privacy

Similar to Alan Sutin - Privacy (20)

More from Ben Allen

More from Ben Allen (20)

Recently uploaded

Recently uploaded (20)

Alan Sutin - Privacy