Arent Fox Privacy Report: Senator Markey Announces ‘Privacy Bill of Rights’
Federal US News
Senator Markey Announces ‘Privacy Bill of Rights’
Senator Edward Markey (D-Mass.) has introduced a Privacy Bill of Rights Act that would create rules that stop companies from using personal information in discriminatory ways and would require companies to protect and secure the personal information they have. The bill also aims to make sure companies only collect personal information to provide specific requested services. It would grant individuals a private right of action to bring lawsuits against companies that violate the bill’s rules.
Tips From the Latest FTC Data Security Case
The FTC settled claims that ClixSense.com, a rewards website that pays users for clicking on ads and taking online surveys, implemented inadequate security measures that allowed hackers to gain access to consumers’ sensitive information through the company’s network. The company collects personal information from users, such as their full names, dates of birth, email and postal addresses, usernames, passwords, and answers to security questions, as well as Social Security numbers for those who make more than $600 a month. In its complaint, the FTC alleged that ClixSense deceived consumers by falsely claiming that it “utilizes the latest security and encryption techniques to ensure the security of your account information.” In fact, ClixSense failed to implement minimal data security measures, and stored personal information in clear text with no encryption. These failures allowed hackers to gain access to the company’s network through a browser extension that ClixSense downloaded. Takeaways from this case:
- Deliver on your security pledges;
- Monitor for suspicious activity and respond quickly and thoughtfully; and
- A confidential credential can be consequential.
FTC Proposes Settlement with Website for COPPA Violations
The FTC alleges that i-Dressup.com, a website that allows users, including children, to play dress-up games and design clothes, failed to obtain parental consent before collecting personal information from children under 13 and to provide reasonable and appropriate security measures. To gain access to all features, including the social features, users had to register as members, requiring them to submit a user name, password, birthdate, and email address. If a user indicated he/she was under 13, the registration field asked for a parent’s email. When a user clicked the “Join Now” button, an email notice was sent to the parental email address. In that email, parents could provide consent by clicking the “Activate Now” button. If a parent declined to provide consent, the under-13 users were given a “Safe Mode” membership allowing them to login to access i-Dressup’s games and features but not its social features. The FTC alleges that i-Dressup still collected personal information from these children even if their parents did not provide consent. In addition to violating the parental consent requirements, the FTC also alleged that i-Dressup and its operators failed to comply with the Children’s Online Privacy Protection Act’s requirement to keep data secure. The operators of i-Dressup discovered in September 2016 that a hacker had accessed accessed the information of approximately 2.1 million users — including approximately 245,000 users who indicated they were under 13. As part of the proposed settlement with the FTC, i-Dressup and its owners have agreed to pay $35,000 in civil penalties.
Eddie Bauer Reaches Settlement Over 2016 Breach
After more than two years of litigation, Eddie Bauer and Veridian Credit Union have reached a $9.8 million settlement to end proposed class claims that the retailer’s lax security measures contributed to a 2016 data breach that saw more than 1 million Veridian customer accounts compromised. In January 2016, attackers got into Eddie Bauer's systems and installed software to steal payment card information. Veridian issued cards that were compromised and suffered losses related to the fraud and replacing the cards. Veridian alleged on behalf of its customers that the breach and injuries suffered in connection with covering its customers' losses were the foreseeable results of Eddie Bauer's purportedly inadequate data security measures and its refusal to implement industry-standard measures, while the retailer countered that it owed no duty to the credit bureau to protect against the breach, an essential element to support a claim for negligence. Under the settlement, the proposed class can receive $2 for each claim made that one of their cards was breached and used by criminals to buy goods, with between $1 - $2.8 million set aside to settle those claims. If the amount of claims is less than $1 million, each individual claim will be increased until the total relief reaches $1 million. The retailer also pledged to spend two years beefing up its security, an effort it said it expects to exceed $5 million. An additional $2 million will go toward administration of the settlement, attorneys’ fees and an award of up to $10,000 for the class representative.
Advocacy Groups Urge Legislation to Address Voter Suppression
In a letter to Congress, a coalition of advocates say federal privacy legislation should include prohibitions on the use of data to discriminate — in housing, education, employment, insurance and credit opportunities and public accommodations — or suppress voters. “Personal data are the raw materials that fuel discrimination,” the letter states. “Commercial data practices that process massive quantities of personal data enable and facilitate discrimination on a systematic scale.” The letter comes as lawmakers are preparing new federal privacy legislation.
State US News
IAPP Releases US State Privacy Law Comparison Chart
State-level momentum for comprehensive privacy bills is at an all-time high. After the CCPA passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP compiled a chart of proposed comprehensive privacy bills from across the country. Although many of the bills included in the chart will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the US. Common privacy provisions include:
- Right of access to personal information shared with a third party;
- Right to rectification, deletion, restriction of processing, data portability, and opt-out of the sale of personal information;
- Right against solely automated decision making;
- A consumer private right of action;
- A strict opt-in for the sale of personal information of a consumer less than a certain age;
- Notice/transparency requirements;
- Data breach notification;
- Mandated risk assessment;
- A prohibition on discrimination against a consumer for exercising a right; and
- A purpose limitation, and a processing limitation.
Ad Industry Says Texas Privacy Bill Would Hurt Consumers
With the introduction of House Bill 4390 last month, Texas became the latest state to move to enhance online privacy protections for its residents. Under HB 4390, also known as the Texas Privacy Protection Act, businesses would be required to notify consumers about how they collect, process and disclose personal information; allow consumers to access and request the deletion of that data; and refrain from processing that data or sharing certain categories of information with third parties unless they've obtained consumers' explicit consent to do so. A coalition of online advertising industry groups is urging Texas lawmakers to rethink the bill, arguing that its unprecedented opt-in requirements and broad scope would erode consumers’ privacy and cripple the state’s economy. The groups believe opt-in consent “fails consumers” by “forcing them to read thousands of pages of terms and conditions” and inundating them with consent checkboxes that will frustrate them. The bill is awaiting a committee vote before it can move to the full Texas House of Representatives and Senate, which must act on the measure before the end of their legislative session on May 27.
Utah Bill Limits Police Ability to Access Electronic Data
The governor of Utah recently signed legislation, set to go into effect in May, that requires state and local law enforcement agencies to secure a search warrant from a judge before obtaining anyone’s electronic data. The warrant requirement applies to data stored on electronic devices, as well as data in the hands of designated third-party service providers such as email providers, social media companies, and cloud storage providers, therefore it may have implications for how tech companies respond to police requests for data. The law contains several exceptions to the warrant requirement, for example, where: (a) a judicially recognized exception applies (e.g., exigent circumstances), (b) the owner of the data gives informed consent, or (c) the “subscriber or customer” of a third-party service provider “voluntarily discloses” the data in a “publicly accessible” manner. All electronic data obtained in violation of the new law will be subject to exclusion from legal proceedings as if it were obtained in violation of the United States Constitution and the Utah Constitution.
Washington State Privacy Bill Likely Won’t Pass This Year
House lawmakers missed the final deadline to move on a Washington state privacy bill that would have given consumers more access to and control over the personal information that online companies hold. The Washington bill picked up on the themes of the GDPR and CCPA, but broke from the mold established by other US state laws that have been proposed in recent months by borrowing heavily from the GDPR rather than the CCPA to develop tools designed to protect how personal information is used and shared. The state Senate overwhelmingly approved the bill last month, but it stalled in the House of Representatives where amendments were floated to further enhance consumer privacy.
UK Releases Draft Code for Online Services Processing Children’s Data
The Information Commissioner’s Office (ICO) is seeking comments on its draft code of practice, “Age appropriate design,” for online services likely to be accessed by children. The draft code outlines practical guidance that should be taken into account by information society service providers, such as: consideration of children’s best interests, needs of children at different stages, transparency (in language suited to a child's age), avoidance of detrimental data uses (e.g., tracking, reward loops), data minimization settings by default, prominent and easy to use tools to exercise data subject rights, and DPIAs that include consultations with parents and children. Notably, the ICO floated the idea of limiting children’s use of likes on social media, calling them a “reinforcement technique” meant to keep kids glued to their platforms. The consultation period ends May 31, 2019.
- Indicate which specific data will be processed;
- Describe the purpose for processing; and
- Include an overview of data subjects rights, including how they can be exercised.
Bounty Fined for Unlawful Data Sharing
The ICO has fined Bounty UK Ltd, a pregnancy and parenting club, £400,000 (approx. $520,000) for illegally sharing personal information belonging to more than 14 million people. The club collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards, and directly from new mothers at hospital bedsides. Until April 30, 2018, the club also operated as a data broker, supplying data to third parties for electronic direct marketing purposes. The personal information shared was not only of potentially vulnerable, new mothers or mothers-to-be but also of very young children, including the birth date and sex of a child. ICO found that Bounty had breached the Data Protection Act 1998, the implementing legislation for the old EU Data Directive, by sharing personal information without being fully transparent with people that it might do so. Bounty’s online privacy notices did have reasonably clear descriptions of the organizations with whom they might share information, but none of the four largest recipients were listed.
Slovenia Drafts Second Implementing Law
The Government of Slovenia issued a new Proposal for a Law on Protection of Personal Data, following dissolution of the National Assembly which issued a previous bill in March 2018. If passed, minor consent for information society services purposes is set at 15 years, biometric data cannot be processed in exchange for marketing services (even if free of charge), automated decisions are prohibited (unless expressly provided for by law), and appointed DPOs must speak Slovene, be a Slovenian or EU Member State national, and cannot have been convicted of personal data misuse or identity theft.
UK releases Online Harms White Paper
The Online Harms White Paper sets out the UK government’s plans for a world-leading package of measures (both legislative and non-legislative) to keep UK users safe online, while supporting innovation and a thriving digital economy. The White Paper is open for public consultation until July 1. The government aims to gather views on various aspects of the plan, including:
- The online services in scope of the regulatory framework;
- Options for appointing an independent regulatory body to implement, oversee and enforce the new regulatory framework;
- The enforcement powers of an independent regulatory body;
- Potential redress mechanisms for online users; and
- Measures to ensure regulation is targeted and proportionate for industry.
China Establishes Certification Scheme for Apps
China recently established a voluntary App Security Certification scheme for mobile app operators to show their compliance with the Information Security Technology – Personal Information Security Specification GB/T 35273-2017 (Standard), issued in 2018 regarding the protection of personal information. The Standard requires transparency, specificity and fairness of processing purpose, proportionality, security, risk assessment, and the respect of individuals’ rights to control the processing of information about them. For collecting and processing personal information, it requires either consent from individuals, or reliance on one of a limited list of exceptions. The certification process is relatively manageable — after the government receives an application, it makes a decision within 15 days unless there are issues, in which case it would ask the company to submit additional information. Search engines and mobile application stores are encouraged to recommend certified apps to users.
Legislation Introduced in Brazil Would Penalize Abuse of Online User Content
Legislation was recently introduced in the Brazilian National Congress to amend the Marco Civil da Internet law. While the Marco Civil da Internet law already provides that personal data can’t be provided to third parties without consent and should not be processed beyond the consent obtained, the proposed amendment aims to deter internet businesses from engaging in activities that violate the law. The amendment would allow sanctions to be imposed for processing data without consent or for processing beyond the consent obtained. Such sanctions include: warnings with deadlines for corrective action; fines up to 10 percent of annual revenues in Brazil; temporary suspension of processing activities; and prohibitions on processing activities.
Bolivia Introduces Privacy Law
A data protection bill has been introduced in the Legislative Assembly of Bolivia. If passed, companies will be, among other things, subject to privacy principles (e.g., purpose specification, legitimacy, accuracy, etc.), have appropriate security measures in place, report breaches to the data protection authority and affected individuals, provide appropriate notice and obtain consent (processing of minors' data requires parental consent). The data protection authority may impose fines and issue authorizations and opinions.
Other Global News
Canada Considers Requirements for Transborder Data Flows
The Office of the Privacy Commissioner of Canada (OPC) is revisiting its policy position on transborder data flows under the Personal Information Protection and Electronic Documents Act. This includes not only cross border data transfers between controllers and processors, but also other cross border disclosures of personal information between organizations. It is the OPC’s position that organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process. In other words, individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localization), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this. The OPC intends to provide guidance on disclosures for processing and related consent and accountability requirements, and has solicited input from the public. Comments will be accepted until June 4, 2019.
At Least 100 Companies Have Faced Advertising Compliance Investigations
According to a recent announcement, at least 100 companies have faced compliance investigations under the Digital Advertising Alliance’s (DAA) Self-Regulatory Principles (Principles) for interest-based advertising. The Principles set forth best practices for companies that participate in interest-based advertising and are enforced by two independent “accountability partners” – the Advertising Self-Regulatory Council of the Council of Better Business Bureaus (BBB) and the Data Marketing & Analytics division of the Association of National Advertisers. They respond to consumer complaints and conduct proactive monitoring to ensure that participating companies remain compliant with the Principles. BBB announced that it has completed 100 public compliance actions under the Principles since it began its enforcement efforts eight years ago.
More than Half of Organizations with Incident Response Plans Fail to Test Them
IBM Security announced the results of a global study exploring organizations’ preparedness when it comes to withstanding and recovering from a cyber-attack. The study found that the majority are still unprepared to properly respond to an incident, 77 percent indicated they do not have an incident response plan that applies consistently across their organization, and more than half do not test their plans regularly. Being prepared for an incident is important as studies show that companies who can respond quickly and efficiently to contain a cyber-attack within 30 days save, on average, over $1 million on the total cost of a data breach. Despite this, shortfalls in proper incident response planning have remained consistent over the past four years of the study.
Man who Stopped WannaCry Admits to Developing Other Malware
A British cybersecurity researcher, Marcus Hutchins, credited with stalling the global WannaCry ransomware worm that locked British hospitals, FedEx, and scores of other global entities out of their data pled guilty in Wisconsin federal court to, years earlier, developing a malware known as Kronos that was meant to collect the usernames and passwords of visitors to online banking sites. “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks,” Hutchins said in a statement on his website. Hutchins faces up to 10 years in prison, but could be given a more lenient punishment at his sentencing due to his admission of guilt.
Behavioral Design Could be Privacy Law’s next Frontier
Regulators from the US and UK could force tech giants to scale back efforts to keep users glued to devices, with newly unveiled proposals to limit how companies can use design to manipulate users’ behavior. US Senators Mark Warner, D-Va., and Deb Fischer, R-Neb., have introduced legislation, the Deceptive Experiences to Online Users Reduction (DETOUR) Act, banning social media platforms from designing interfaces that trick users into offering up personal data. The senators cited examples of companies sending users repeated pop-ups during an activity until they consent, or making an opt-out button difficult to find. Meanwhile, the UK Information Commissioner’s Office released a draft code of practice (see above) that includes the idea that companies should stop “nudging” young users into turning on settings that prompt them into agreeing to share more user data and staying engaged with their services for longer. The attention to how social media companies design their platforms could be part of a new trend in which authorities look behind the curtain to see how companies influence the decision to consent to the collection of data.
Technology is a Threat to Obscurity
Woodrow Hartzog, professor of law and computer science at Northeastern University, and Evan Selinger, professor of philosophy at Rochester Institute of Technology, wrote an opinion piece in the New York Times about how obscurity — a combination of the privacy a person has in public and the privacy a person has in groups — is threatened by technology that makes our personal information easy and cheap to aggregate, archive and interpret. The professors argue that obscurity is vital to our well-being because it makes meaningful and intimate relationships possible, enables us to grow as individuals, protects us from being pressured to be conventional and is crucial to democracy.