1.Hot Topics in Privacy and Date Security Law1 Affiliate Summit East 2014 DATA THE LIFEBLOOD OF THE AFFILIATE INDUSTRY August 11, 2014 Gary Kibel Partner, Digital Media, Technology & Privacy Davis & Gilbert LLP gkibel@dglaw.com 212.468.4918 @GaryKibel_law 2014 Davis & Gilbert LLP

2. TOPICS Big Data - What is PII? Reports on data brokers Federal Trade Commission initiatives Other state / federal / international initiatives Data in Behavioral Advertising Data in Social Media Data The Lifeblood of the Affiliate Industry2 3. THE FOCUS ON BIG DATA 4. DEFINITIONS WIKIPEDIA Big data is a blanket term for any collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications An information broker (independent information professional, information consultant) collects and sells information. Uses include targeted ads, market research, consumer scoring, patent searches, and election campaigns. The industry has been criticized for being unregulated and opaque Data The Lifeblood of the Affiliate Industry5 5. WHAT IS PERSONAL INFORMATION? U.S. definition ? - COPPA - HIPAA protected health information - GLB nonpublic personal information - State security breach notification laws E.U. definition Any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (E.U. Data Protection Directive 95/46/EC) Data The Lifeblood of the Affiliate Industry6 6. In re: Hulu Privacy Litigation, Case No: 11-03764 (N.D. Cal. 2012) - Video Privacy Protection Act Personally identifiable information includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider - Data transmitted by clicking the Facebook LIKE button could be deemed to be Personally Identifiable Information, which means such information identifies a person as having requested or obtained specific video materials from a Video Tape Service Provider Data The Lifeblood of the Affiliate Industry7 EXPANDING SCOPE OF PERSONAL INFORMATION 7. REPORTS, REPORTS AND MORE REPORTS 8. FTC (MARCH 2012) 9 Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers - [t]he Commission recommends that Congress consider enacting targeted legislation to provide greater transparency for, and control over, the practices of information brokers. Data The Lifeblood of the Affiliate Industry 9. Rep. Ed Markey (D-Mass.) and Rep. Joe Barton (R-TX) sent letters July 2012 to nine data companies asking detailed questions about their practices The business of data brokerage, namely the collecting, assembling, maintaining, and selling to third-parties of consumers personal information, has grown into a multiple billion dollar industry. By combining data from numerous offline and online sources, data brokers have developed hidden dossiers on almost every U.S. consumer. This large scale aggregation of the personal information of hundreds of millions of American citizens raises a number of serious privacy concerns. Data The Lifeblood of the Affiliate Industry10 10. Rep. Ed Markey (D-Mass.) and Rep. Joe Barton (R-TX) sent letters July 2012 to nine data companies asking detailed questions about their practices 11 Data The Lifeblood of the Affiliate Industry - Methods of collection - Use of social media - Use of mobile services - Products and services (both online and offline) - FCRA compliance - Consumer data access - Consumer data opt-out - Consumer data updates - Consumer data deletion 11. CHAIRWOMAN RAMIREZ (AUGUST 2013) 12 Chairwoman Ramirez listed perceived risks of big data: - Indiscriminate collection of data - Need to ensure meaningful consumer choice - Data breach (risk of improper disclosure of sensitive information) - Behind-the-scenes profiling - Data determinism (use of data to make determinations about individuals, not based on concrete facts, but on inferences or correlations) Data The Lifeblood of the Affiliate Industry 12. CHAIRWOMAN RAMIREZ (AUGUST 2013) To me, the FTC is like the lifeguard on a beach. Like a vigilant lifeguard, the FTCs job is not to spoil anyones fun but to make sure that no one gets hurt. With big data, the FTCs job is to get out of the way of innovation while making sure that consumer privacy is respected 13 Data The Lifeblood of the Affiliate Industry 13. FTC STATEMENT TO CONGRESS (DECEMBER 2013) 14 FTC Prepared Statement What information do data brokers have on consumers, and how do they use it - Lack of transparency - No reasonable access to data - FCRA Data The Lifeblood of the Affiliate Industry 14. FTC COMMISSIONER BRILL Reclaim your name initiative Dont focus solely on data usage - Robust and meaningful notice - Choice - Collection minimization Data The Lifeblood of the Affiliate Industry15 15. New breach notification law Consumer Bill of Rights Amend ECPA Discriminatory outcomes of big data analytics digital redlining The big data revolution presents incredible opportunities in virtually every sector of the economy and every corner of society 16 Data The Lifeblood of the Affiliate Industry 16. FTC DATA BROKERS: A CALL FOR TRANSPARENCY AND ACCOUNTABILITY (MAY 2014) Data Brokers = Companies that collect consumers personal information and resell or share that information with others They operate with a fundamental lack of transparency Consumers are largely unaware that data brokers are collecting and using this information It is virtually impossible for a consumer to determine how a data broker obtained his or her data Consumer choices are invisible and incomplete Call for legislation Access; opt-outs; disclosures of sources 17 Data The Lifeblood of the Affiliate Industry 17. CALIFORNIA !!! 18. CalOPPA - CALIFORNIA AB 370 (SEPTEMBER 2013) Amendment to California Online Privacy Protection Act (CalOPPA) Three new privacy policy disclosure requirements (Seven total) Disclose how a publisher responds to a DNT signal or similar mechanism if that publisher engages in online behavioral advertising Cure period Effective January 1, 2014 Data The Lifeblood of the Affiliate Industry19 19. CA ATTORNEY GENERAL MAKING YOUR PRIVACY PRACTICES PUBLIC (MAY 2014) AG the practice of online tracking is invisible to consumers because consumers whose browsers send a DNT signal cannot easily determine how a site or service responds to the signal Data The Lifeblood of the Affiliate Industry20 20. CA ATTORNEY GENERAL MAKING YOUR PRIVACY PRACTICES PUBLIC (MAY 2014) Operators should: - Clearly identifying the sections of the privacy policy in which their policy regarding online tracking or how it responds to consumers DNT signals is described - Describe the response to browser DNT signals or to such other mechanisms in the privacy policy - Privacy policy link to a program or protocol that offers consumers a choice about online tracking - Disclosing the presence of other parties that collect personally identifiable information on the website or service, if any are present Data The Lifeblood of the Affiliate Industry21 21. CALIFORNIA SB 568 Right of erasure for CA minors for online services Notify minors of these rights and provide clear instructions Doesnt extend to third party usage Effective January 1, 2015 Data The Lifeblood of the Affiliate Industry22 22. FEDERAL TRADE COMMISSION INITIATIVES AND ENFORCEMENT ACTS 23. UNCHECKED BIG DATA 24 24. Section text Data The Lifeblood of the Affiliate Industry25 25. FEDERAL TRADE COMMISSION ACT 5 Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful - Deception = Misrepresentations or omissions likely to mislead consumers acting reasonably under the circumstances - Unfairness = causes or is likely to cause substantial consumer injury, not reasonably avoided by the consumer, and not outweighed by countervailing benefits to consumers or competition 26 Data The Lifeblood of the Affiliate Industry 26. Data The Lifeblood of the Affiliate Industry27 PRIVACY POLICIES FTC Fair Information Practice Principles http://www.ftc.gov/reports/privacy3/fairinfo.Shtm - Notice - Choice - Access - Security - Enforcement Its all about transparency and consumer expectations 27. FTC PROPOSED PRIVACY FRAMEWORK DECEMBER 2010 Privacy by design Simplified consumer choice - Commonly accepted practices - Do not track Increased transparency - Disclosures - PII v. Non-PII Data brokers 28 Data The Lifeblood of the Affiliate Industry 28. FTC V. SNAPCHAT (MAY 2014) FTC asserted Snapchat deceived consumers over: I. Disappearing messages II. Amount of data collected III. Type of data collected IV. Security measures Commissioner Ramirez: Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action 20 year consent order Data The Lifeblood of the Affiliate Industry29 29. FTC V. GMR TRANSCRIPTION SERVICES (JANUARY 2014) 50th data security consent order Independent medical transcription contractors Independent contractors transmitted medical files in clear readable text The lawsuit also alleges that GMR didnt monitor what [its subcontractor] was doing to protect the highly sensitive information in its possession. Taken together, the FTC says that GMRs course of conduct violated Section 5 Vendor liability 30 Data The Lifeblood of the Affiliate Industry 30. PENDING LEGISLATION 31. SEN. JAY ROCKEFELLER (D-WV) Do Not Track Online Act of 2013 Orders FTC to implement regulations that establish standards for the implementation of a mechanism for consumers to simply and easily indicate a preference to have PIE collected by service providers Exceptions for collection that are necessary to provide a service requested by a user Not yet enacted 32 Data The Lifeblood of the Affiliate Industry 32. SEN. JAY ROCKEFELLER (D-WV) Data Broker Accountability and Transparency Act of 2014 (DATA Act) Introduced February 2014 Prohibits deception Requires data access to correct or opt-out Not yet enacted 33 Data The Lifeblood of the Affiliate Industry 33. CALIFORNIA SB 1348 (FEBRUARY 2014) Introduced February 21, 2014 Requires online data brokers to notify consumers when the broker transfers their personal information to a third party and to provide a description of the content of the information and the identity of the purchaser Still in committee Data The Lifeblood of the Affiliate Industry34 34. CONSUMER CONTROL 35. Hot Topics in: Advertising, Social Media and Consumer Privacy Law36 ACXIOM ABOUT THE DATA 36. CONSUMER CHOICE THE E.U. MODEL Mario Costar Gonzalez The right to be forgotten Google E.U. Court of Justice Search engines are data controllers (even non-E.U.) Right already exists without the proposed data protection regulations Newspaper can keep it up 37 Data The Lifeblood of the Affiliate Industry 37. WHAT DOES CONSUMER CONTROL LOOK LIKE? Notice and choice Transparency Access Modification / correction Deletion / opt-out Uses * Dont forget contractually required disclosures in a privacy policy Data The Lifeblood of the Affiliate Industry39 38. BEHAVIORAL ADVERTISING 39. Hot Topics in: Advertising, Social Media and Consumer Privacy Law42 Hot Topics In Consumer Privacy42 40. Data The Lifeblood of the Affiliate Industry43 BEHAVIORAL ADVERTISING Federal Trade Commission December 20, 2007 Online Behavioral Advertising Moving the Discussion Forward to Possible Self-Regulatory Principles - Transparency and consumer control - Reasonable security, and limited data retention, for consumer data - Affirmative express consent for material changes to existing privacy promises - Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising 41. Data The Lifeblood of the Affiliate Industry44 BEHAVIORAL ADVERTISING AAAA/ANA/DMA/IAB July 2009 7 principles: Education; Transparency; Consumer Control; Data Security; Material Changes; Sensitive Data; Accountability 42. Data The Lifeblood of the Affiliate Industry45 DIGITAL ADVERTISING ALLIANCE (DAA) WWW.ABOUTADS.INFO Self-Regulatory Principles for Online Behavioral Advertising License Icon Implementation - Evidon - Truste 43. WORLD WIDE WEB CONSORTIUM (W3C) DO NOT TRACK DNT refers to interactive companies honoring a users browser preference settings to stop online tracking through the use of cookies and other technologies by all sites through that users browser (rather than opting out of tracking site by site) W3C is working with browser vendors and industry groups for the complete implementation of an easy- to-use, persistent, and effective Do Not Track system Participants in the W3C include representatives of Apple, AT&T, eBay, Google, Microsoft, Yahoo! among others Data The Lifeblood of the Affiliate Industry47 44. WORLD WIDE WEB CONSORTIUM (W3C) DO NOT TRACK Many open issues remain regarding implementation, exceptions and response to receiving a DNT signal 1st Parties vs. 3rd Parties 1st Party must not pass data to a non-service provider 3rd Party Financial logging permitted Affiliate/attribution tracking ? Data The Lifeblood of the Affiliate Industry48 45. THE BROWSERS Microsoft IE announced that Internet Explorer 10 will have DNT turned on by default Mozilla Firefox includes DNT option Data The Lifeblood of the Affiliate Industry49 Apple Safari Blocks third party cookies Google Chrome Functionality built in 46. WHATS NEXT AFTER THE COOKIE? Cookies Device fingerprinting Canvas fingerprinting Other persistent identifiers (UNDID) Location-based services Cross-device tracking Pixel tags / web beacons De-identified data segments Need new technological solutions vs. standard notice and choice constructData The Lifeblood of the Affiliate Industry50 47. MOBILE MARKETING 51 Data The Lifeblood of the Affiliate Industry 48. FTC STAFF REPORT MOBILE PRIVACY DISCLOSURES (FEBRUARY 2013) Provide just in time disclosures to obtain affirmative express consent Develop one-stop dashboards Develop icons to depict transmission of data Require App developers to meet these standards Platforms should disclose to consumers the extent of the testing and review Implement Do Not Track Better coordination between platforms advertising networks App developers 52 Data The Lifeblood of the Affiliate Industry 49. Hot Topics in: Advertising, Social Media and Consumer Privacy Law53 Hot Topics in Social Media and Mobile Marketing Law53 Social Media and Privacy53 50. Data The Lifeblood of the Affiliate Industry54 CHILDRENS ONLINE PRIVACY PROTECTION ACT 13 U.S.C.1301 et seq. All website operators who intend to reach children under the age of 13 or have actual knowledge (regardless of the age group targeted by their website) that children under the age of 13 visit their website must - Post a privacy policy - Obtain verifiable parental consent - Advise parent/legal guardian that they can review the childs personal information - Establish and maintain reasonable security procedures 51. EXPANDING SCOPE OF PERSONAL INFORMATION FTC Consent orders Persistent identifiers COPPA Amendments 2013 Definition of personal information expanded to include any persistent identifier that can be used to recognize a user over time and across different websites or online services - Carve out for support for internal operations Certain internal activities would not be considered a collection of PI, as long as the information collected is not used or disclosed to contact a specific individual(e.g., site maintenance and analysis) Data The Lifeblood of the Affiliate Industry55 52. DATA IN SOCIAL MEDIA 53. SOCIAL MEDIA 54. Data The Lifeblood of the Affiliate Industry58 ENDORSEMENTS/TESTIMONIALS Endorsement/Testimonial = Any advertising message which message consumers are likely to believe reflects the opinions, beliefs, findings, or experience of a party other than the sponsoring advertiser Must be honest and not deceptive Disclosure of material connections: When there exists a connection between the endorser and the seller of the advertised product which might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience), such connection must be fully disclosed 55. Data The Lifeblood of the Affiliate Industry59 FTCS REVISED ENDORSEMENT GUIDES A blogger/word-of-mouth marketer has a duty to disclose any material connections with an advertiser (e.g., payments or free products that the consumer would not expect) Celebrities have a duty to disclose their relationships with advertisers when making endorsements outside the context of traditional ads, such as on talk shows, blogs or in social media Employees who promote their employers products or services in social media should clearly and conspicuously disclose their employment relationship 56. FTC VS. COLE HAAN (MARCH 2014) #Wanderingsole Contest - $1,000 FTC We believe that participants' pins featuring Cole Haan products were endorsements of the Cole Haan products, and the fact that the pins were incentivized by the opportunity to win a $1000 shopping spree would not reasonably be expected by consumers who saw the pins Data The Lifeblood of the Affiliate Industry60 57. DISCLOSURES AND RIGHT OF PUBLICITY 58. Hot Topics in: Advertising, Social Media and Consumer Privacy Law62 59. DONT BE CREEPY! 63 Data The Lifeblood of the Affiliate Industry 60. 64 From Arenas to Zooey: Recent Attempts to Expand Right of Publicity Claims 64 The Basics of Advertising & Marketing Law64 QUESTIONS? Gary Kibel Partner, Digital Media, Technology & Privacy Davis & Gilbert LLP gkibel@dglaw.com 212.468.4918 @GaryKibel_law