"Privacy Update: An Overview of Legislative, Regulatory and Technology Developments in the Privacy Sector"

by Skadden, Arps, Slate, Meagher & Flom LLP

Author: Stuart D. Levi

White House Releases Framework for Data Privacy

On February 23, 2012, the White House released its much-anticipated report on data privacy. The report, entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy [1], is a nonbinding framework for the use and handling of personal data by private-sector entities in commercial settings (Framework). The overall theme of the Framework echoes one that was included in the Department of Commerce and FTC privacy reports that were issued in 2011; namely, that protecting data privacy and providing greater certainty in this area is essential to help grow the online sector.

The Framework includes a proposed “Consumer Privacy Bill of Rights” intended to act as a “legal baseline” governing consumer data privacy in the United States. The Obama administration plans to encourage stakeholders to implement the Consumer Privacy Bill of Rights through codes of conduct and to work with Congress to have these rights enacted through data privacy legislation. However, tacitly acknowledging that it has been difficult to get data privacy legislation enacted, the administration notes that even if legislation is not enacted, companies should abide by these principles to increase consumer trust and thereby promote innovation. The Framework also calls for “international interoperability” to harmonize data protection regimes and subtly calls on the EU to accept the U.S. approach to data privacy.

I. Consumer Privacy Bill of Rights

The White House’s proposed Framework sets forth seven core principles of consumer privacy, many of which form the basis of privacy laws in other countries. Although the administration couches these principles as “rights,” they have no legal effect unless and until Congress incorporates them into data privacy legislation. Significantly, these principles are broad in nature, and the administration has stressed that it did not want to adopt a single set of “rigid requirements” and instead wanted companies to have the flexibility to determine how best to comply given their individual circumstances.

These rights relate to the use and handling of “personal data,” which is defined as “any data, including aggregations of data, which is linkable to a specific individual.” Significantly, “personal data” also includes data that is linked to a specific device. This is consistent with the growing trend that personal information can be deciphered merely by tracking activity taking place on a device (e.g., a smartphone) — even if the name of the user remains unknown.

a. Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it. At the time of collection, companies should present consumers with choices about the collection, use and disclosure of their personal data that is commensurate with the scope and nature of the personal data in question. The broader and more detailed the data collection and the longer it is retained, the more granular and customized the consumer options should be.

b. Transparency: Consumers have a right to easily understandable information about privacy and security practices. Companies should clearly describe (1) what personal data they collect, (2) how they will use it, (3) how long they will retain it before deleting or anonymizing it, and (4) whether and for what purposes they will share personal data with third parties.

c. Respect for Context: Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data. If a company uses or discloses personal data in a manner inconsistent with the context in which the company and consumer interact, then the company should provide greater transparency and individual choice at the time of data collection. This right does not foreclose a company’s ability to use previously collected personal data in new and innovative ways, so long as the new use is the subject of appropriate — and perhaps higher — measures of transparency and individual choice. In addition, companies may infer consent to collect and use personal data to achieve objectives specifically requested by consumers, or to conduct standard direct marketing (provided consumers can opt out at any time).

d. Security: Consumers have a right to secure and responsible handling of personal data.

e. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.

f. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should therefore tailor their collection of personal data for specific purposes.

g. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure they adhere to the Consumer Privacy Bill of Rights. A company that handles personal information should, at minimum, train and monitor its employees to ensure that they adhere to the Consumer Privacy Bill of Rights. In some instances, this may require full audits of a company’s privacy practices.

II. Legislative Approach

The Framework urges Congress to enact comprehensive privacy legislation by adopting the Consumer Privacy Bill of Rights and granting the FTC the authority to directly enforce such legislation. Interestingly, although federal legislation appears to be the administration’s preferred approach for adopting the Consumer Privacy Bill of Rights, it is included last in the Framework, after the code of conduct approach discussed below. This placement may be an acknowledgement by the administration that enacting federal data privacy legislation may be challenging at best. 

The Framework notes that Congress cannot simply convert the Consumer Privacy Bill of Rights into legislation. Rather, greater specificity would be required as to how companies must comply with it. In addition, the Framework suggests that Congress enact privacy legislation with the following effects:

a. Preempt state privacy laws to the extent that they are inconsistent with the Consumer Privacy Bill of Rights as enacted and applied;

b. Avoid modification of existing sector-specific federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, which effectively protect personal data by imposing legal obligations that are tailored to the types of personal data used and the standard practices in those industries; and

c. Unify the various security breach notification laws, which require companies to notify consumers in the event of unauthorized disclosure of certain categories of their personal data, by creating a national standard to replace the various local laws currently in effect and preempt any future state legislation.

III. Multistakeholder Processes to Develop Enforceable Codes of Conduct

The Framework acknowledges that implementing the Consumer Privacy Bill of Rights across a wide array of industries requires more specific practices. Therefore, if federal legislation is not enacted, the Framework proposes a transparent, nongovernmental process amongst companies, industry groups, privacy advocates, state attorneys general and others to develop industry-specific codes of conduct that implement the Consumer Privacy Bill of Rights. These codes of conduct would be updated periodically in response to changes in technology, consumer expectations and market conditions to ensure the continued protection of consumer privacy. The Department of Commerce’s National Telecommunications and Information Administration would mediate this process. 

Once a code of conduct is adopted and approved by the FTC, a company that chose to adopt the code would be in a safe harbor against FTC or state enforcement action. If a company failed to adhere to the code after it said it would adopt it, that company could be subject to an FTC enforcement action through the FTC’s authority to prohibit unfair or deceptive acts or practices. The Framework encourages Congress to grant the FTC the authority to review and approve codes of conduct and grant safe harbor status to companies that comply.

IV. International Interoperability

The Framework also includes a section on “international interoperability,” which encourages cooperation and coordination among different countries to create a uniform data privacy approach, and to allow personal data to seamlessly cross international borders. There are two interesting and subtle points in this section. First, the Framework mentions the proliferation of cloud computing and the need to protect data that may be sent anywhere in the world. In recent months, a number of foreign-based cloud computing providers have questioned whether it is “safe” to store data in a U.S.-based cloud, given that the Patriot Act might provide the U.S. government access to foreign data stored in a U.S. cloud. The administration’s statement that cloud computing issues need to be addressed is perhaps an acknowledgment that the scope of the Patriot Act and other legislation needs to be better defined so that it does not forestall the growth of the U.S. cloud computing industry. 

Second, to date, the EU has held that the U.S. does not provide an “adequate” level of data protection, since there is no comprehensive federal data privacy legislation. As a result, companies looking to transfer data from the EU to the U.S. must rely on the so-called “model contract clauses” offered by the EU, certify to the U.S.-EU Safe Harbor, or take one of the other permitted approaches. The section of the Framework dealing with International Interoperability seems to suggest that the EU reconsider its position if the U.S. adopts the code of conduct approach to the Consumer Privacy Bill of Rights, even if no omnibus federal legislation is enacted.

Practice Points

Although the Framework has no binding legal effect, it provides useful guidance on the areas on which companies should focus when establishing their privacy policies. For example, the Framework envisages companies seeking out innovative ways to recognize consumer choices through mechanisms that are simple, persistent and scalable. 

Under the Consumer Privacy Bill of Rights, consumer-facing companies would not be able to abdicate their responsibility to consumers by outsourcing the collection and processing of data to third parties. Engaging a third party to perform such tasks is permitted but requires certain disclosures, namely:

i. the purposes for which the company provides the data to the third party;

ii. the nature of the third party’s activities; and

iii. whether the third party is bound to limit its use of the data to achieve those purposes.

Companies that do not deal directly with consumers but which deal in personal data — e.g., data brokers — also are an intended target of the Consumer Privacy Bill of Rights. These third-party handlers of personal data are nonetheless expected to seek innovative methods to provide consumers with effective control and the ability to access and correct their personal data. In addition, to satisfy their transparency obligations, third-party companies are expected to provide explicit explanations of how they acquire, use and disclose personal data.

Companies that take a “wait and see” stance toward privacy — choosing to act only after being required to do so by Congress — may find themselves at a competitive disadvantage compared to companies that have adopted a proactive approach to data privacy. In addition, privacy practices may become an important point of distinction as companies seek to promote their products and services over those of their competitors. Companies and other stakeholders interested in shaping the regulations and legal contours of consumer privacy in their industry also should consider participating in the multistakeholder processes that the administration is considering.

______________________________________________________________________________

California Attorney General Reaches Agreement With Mobile Platform Providers 

Since 2004, any operator of a commercial website or online service that collects personally identifiable information about California residents has been required to conspicuously post its privacy policy. This state law, the California Online Privacy Protection Act (the California Privacy Act), has effectively operated as a national requirement to post such a privacy policy, since most sites that collect data also collect data from California residents. Last month, California took another important step in the national privacy debate when the California Attorney General, Kamala Harris, entered into a “Joint Statement of Principles” with the leading mobile platform operators. Although the joint statement is not legally binding, under it these operators (Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion) agreed to privacy principles designed to ensure that the “app industry” conspicuously posts privacy policies with its apps where legally required to do so. It should be noted that, under the California Privacy Act, almost all app developers already are required to do so; few, in practice, comply with this requirement.

Under the joint statement, the platform operators agreed that in the submission process for a new or updated app, they will prompt app developers to provide the text of, or a link to, their privacy policies. Once this text or link is provided, the platform operators will make it accessible from the app store. Users also will be presented with the opportunity to report apps that don’t comply with their stated policies, and the platforms will develop a mechanism for responding to these reports.

Through the joint statement, Harris has addressed the fact that many mobile apps lack privacy policies by targeting the platforms through which these apps are distributed to the public. The Joint Statement also represents an interesting use of an industry code of conduct to help drive compliance with an existing piece of legislation.

____________________

[1] Available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising
