Privacy policy workshop

Privacy Policy Workshop. M. Ryan Calo, Center for Internet and Society, Stanford Law School; Mali Friedman, Covington & Burling LLP, San Francisco Office. January 28, 2009. Overview: Legal Landscape; How to Write an Effective Privacy Policy; The Future of Notice.

Privacy Policy Workshop

M. Ryan Calo, Center for Internet and Society, Stanford Law School

Mali Friedman, Covington & Burling LLP, San Francisco Office

January 28, 2009


Overview

  • Legal Landscape

  • How to Write an Effective Privacy Policy

  • The Future of Notice


Legal Landscape

  • California Law

  • FTC

    • Fair Information Principles

    • Commission Guidance

    • Enforcement Proceedings

  • State Attorneys General

    • Enforcement Actions

    • General Guidance

  • Additional Considerations

    • Children

    • International


Legal Landscape: California Law

  • Online Privacy Protection Act of 2003

    • Cal. Bus & Prof. Code §§22575-22579

  • Basic Requirements

    • “Commercial Web site or online service that collects personally identifiable information through the Internet”

    • “About individual consumers residing in California”

    • “Conspicuously post”


Legal Landscape: California Law

  • Google Controversy


Legal Landscape: California Law

  • Substantive Requirements

    • Identify categories of personally identifiable information collected.

    • Identify categories of third parties with whom personally identifiable information may be shared.

    • If it exists, describe the process by which an individual consumer may review and request changes to his or her personally identifiable information.

    • Describe the consumer notification process for material changes to the Privacy Policy.

    • Identify the effective date for the Privacy Policy.


Legal Landscape

1. Identify categories of personally identifiable information collected and how this information is used.

  • FTC Fair Information Principles

    • Privacy policy should identify ways consumer information is collected and used.

    • This includes notifying consumers of “what will happen to the personal information they are asked to divulge.”

  • State Mini-FTC Acts

    • Suggestion that it is an unfair or deceptive trade practice not to notify consumers about the collection of information.

      • Amazon (2002)

        • Specify collection and use.

      • DoubleClick (2000)

        • Describe cookies.


Legal Framework

  • Identify categories of third parties with whom personally identifiable information may be shared.

  • FTC Fair Information Principles

    • Encourage identification of any recipients of the data.

  • State AGs

    • Required entities to inform consumers about third-party recipients.

      • New York (Alta Vista, 2001)

      • Missouri (More.com, 2000)

    • Washington State

      • State whether third parties are bound by operator’s privacy policy with respect to disclosed information.

      • Disclose whether information will be shared with third parties for third parties’ direct marketing purposes.


Legal Framework

  • If it exists, describe the process by which an individual consumer may review and request changes to his or her personally identifiable information.

  • No general requirement in the United States that websites allow consumers to access personal information.

  • FTC Fair Information Principles

    • Recommends providing opportunity to access and dispute the accuracy and completeness of the personal information provided.


Legal Framework

  • Describe the consumer notification process for material changes to the Privacy Policy.

  • No federal or state law specifically defines “material change.”

    • FTC: When new practices are inconsistent with the company’s previous representations to its customers.

    • FTC staff opinion: To be considered “material,” change must affect a company.

    • Washington AG: May include “new use[s] of personal data as well as changes to the list of parties with whom the business shares information.”


Legal Framework

  • Identify the effective date for the Privacy Policy

  • No explicit definition.

  • Even minor changes to the policy may require a change to the effective date.


Legal Landscape

  • Generally, format and content should be easy for a reasonable consumer to understand.

    • FTC Fair Information Principles

    • Amazon.com Example

      • Privacy policy alleged in 2000 to confuse consumers.

      • State attorneys general convinced the company to revise the policy by:

        • (1) Narrowing the scope of exceptions; and

        • (2) Adding examples to improve clarity.


Additional Considerations

  • Children’s Online Privacy Protection Act (“COPPA”)

    • Applies to websites that collect information from children under the age of 13 that are either:

      • (1) directed to children; or

      • (2) general audience sites with actual knowledge that they collect information from such children.

    • Requires additional, child-specific privacy disclosures.

    • Requires notification to and consent from parents.

  • International


How To Write An Effective PP

  • Identify actual privacy practices.

    • Find or develop a questionnaire.

    • Get input from all levels of the organization.

    • Good time to audit for legal compliance.

  • Look to peers / competitors.

    • What is your organization doing differently?

    • What might your organization improve or highlight to its advantage?

  • Compare multiple models to see the range of disclosure options.


How To Write An Effective PP

  • Anatomy of a privacy policy:

    • Information collection

      • Personally identifiable information

      • Non-PII (including cookies, web bugs, logs)

    • Information use

      • Individual vs. aggregate

    • Information disclosure

      • Types of third-parties (contractors, partners, gov’t)

      • Purpose of disclosure

    • Consumer choices

      • Opt out

      • Access (view, alter, delete)


How To Write An Effective PP

  • Anatomy of a privacy policy cont.:

    • Communications from website

    • Retention

    • Security

    • Business transitions (including mergers)

    • Effective date

    • Material changes

    • Contact information

  • Example: Navigenics


How To Write An Effective PP

  • Next steps:

    • Focus-group the text with non-lawyers

    • Monitor for developments

  • More resources:

    • OECD Privacy Policy Generator

    • BBB Privacy Planner

    • Direct Marketing Association

    • TRUSTe Model Policy and Whitepaper

    • Federal Trade Commission Guidance


The Future of Notice

  • Problems:

    • Constant innovation means that privacy policies must be broadly worded.

    • Consumers do not have time to read policies.

      • Carnegie Mellon study calculated that it would take the average American 200 hours / year to read policies.

    • Consumers assume protective privacy practices from the mere existence of a privacy policy link.

      • In a Samuelson Clinic / Annenberg study, 57% of adults agreed strongly that where a company has a privacy policy, it will not share user data with other companies.


The Future of Notice

  • Potential Solutions:

    • Automation

      • In Code, Lawrence Lessig explores a potential design-based solution to online privacy called P3P.

      • Privacy Finder leverages P3P in a search engine.

      • Students from Berkeley’s School of Information are currently scoring top privacy policies (KnowPrivacy.org).

      • The Internet Governance Forum is looking for a way to translate privacy policies into machine-readable blocks.

    • Icons

      • The Center for Democracy and Technology and others suggested “standardized disclosures” in FTC comments.


The Future of Notice

  • Icons cont.

    • Source: Matthias Mehdau; Jan Gerner (font)


Questions? / Contact Information

Mali Friedman

Covington & Burling LLP

[email protected]

415.591.7059

M. Ryan Calo

Stanford Law School

Center for Internet and Society

[email protected]

