The U.S. Supreme Court heard oral arguments in what may become one of the defining consumer privacy cases of our generation. The central question in Carpenter v. United States is whether the government violates the Fourth Amendment by obtaining an individual’s historical cell phone location records from a carrier without a warrant. The Court’s decision, expected by June 2018, could draw a more concrete legal line for what constitutes a “reasonable search and seizure” when government agencies seek to gather potentially incriminating smartphone data from third-party communication providers. The outcome may significantly reshape consumer expectations of electronic privacy, and even alter the disclosures companies across all sectors must make in their privacy policies.
It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.
Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA). The form is available at https://oag.ca.gov/reportprivacy. As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.
As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial. Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.
“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”
If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.
In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly. On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.
As we previously wrote, the California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA. As early as 2012, the office began sending notices of non-compliance to mobile application developers. When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA. Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case. Continue Reading Delta Wins CalOPPA Case – But Your Mobile App May Not Fly
Verizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent. Verizon inserted the UIDH into customers’ unencrypted web traffic in transit and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads. Because the header was added by the carrier network rather than stored on the device, a customer could not clear it the way a browser cookie is cleared, and every site receiving the request could read it. In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer. For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt out of the insertion of UIDH into their Internet traffic.
Among the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino. On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy,” focused on the intersection of the competing values of privacy and security in American society. Two panels testified before the committee: one consisting solely of FBI Director James Comey, and the other of Bruce Sewell, Senior Vice President and General Counsel of Apple, Inc.; Cyrus R. Vance, District Attorney for New York County; and Professor Susan Landau of Worcester Polytechnic Institute. Continue Reading Apple vs. FBI: The House Judiciary Committee Hearing and Takeaways
Written by Jane Haviland
The latest Pew Research Center report relayed useful information regarding app users’ concerns about sharing personal data. Ninety percent of app users indicated that how their personal data will be used is “very” or “somewhat” important to them and influences their decision to download an app. Sixty percent of users decided against downloading an app when they saw how much personal information they would need to share. Android 6.0, or Marshmallow, should go some way toward addressing those concerns.
The report looked at the types of permissions sought by apps available in the Google Play store, largely because of the public availability of this data and the popularity of the Google Play store. Google Play apps request a total of 235 unique permissions to access users’ information or phone hardware. The average app sought five permissions. The single most commonly requested permission is access to the device’s internet connection; more generally, the most common permissions concern the device’s hardware (e.g., controlling vibration or adjusting volume) rather than personal information. The Android permissions structure is currently “all or nothing,” meaning the user must grant every permission the app requests in order to install it. The permissions are shown at install time, the user must accept them all to proceed, and they can be viewed at any time on the app’s page in the Google Play store.
With Android 6.0, or “Marshmallow,” Google will allow users to pick and choose the permissions they wish to grant. Permissions will be requested not at the time of download, but at the moment the app needs the permission to perform a particular function. Users can grant or deny the permission, then change the setting later in the device’s settings. For instance, the user can allow the app to access the user’s location while using the app, then turn this permission off afterwards. One caveat: the runtime prompts apply only to apps that target API level 23 or higher running on a Marshmallow device; older apps keep the install-time model, although a user can still revoke their permissions from settings. This change makes the Android permission scheme more like iOS’s.
This change may result in more users for Google Play store apps. Users who previously declined to download an app out of wariness about sharing too much personal information can now take control of what they share at any given time. Users can refuse access to data, including personal information, altogether, or pick and choose when to allow it. App developers can be less concerned about scaring off potential users by requesting multiple or broad permissions up front. This development is good news for users and developers alike and will likely encourage increased and repeated app downloads.
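As an added example (not code from the post, from Pew, or from Google), here is how an app targeting API level 23 or later asks for a location permission at the moment of use under the Marshmallow model, and keeps working when the user declines. It assumes the AndroidX compat classes; the activity, method and request-code names are hypothetical.

```java
// Added example: runtime permission flow for an app targeting API 23+.
// Assumes AndroidX (androidx.core) compat classes; activity/method names are hypothetical.
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.widget.Toast;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class NearbyStoresActivity extends Activity {
    // Arbitrary request code; lets onRequestPermissionsResult tell our requests apart.
    private static final int REQ_LOCATION = 42;
    private static final String LOCATION = Manifest.permission.ACCESS_FINE_LOCATION;

    // Called from the "Find stores near me" button, i.e. at the moment the
    // feature actually needs location, not at install time.
    public void onFindNearbyTapped() {
        // Check every time, never cache the answer: the user may revoke the
        // grant in Settings after this activity was created.
        if (ContextCompat.checkSelfPermission(this, LOCATION)
                == PackageManager.PERMISSION_GRANTED) {
            showNearbyStores();
        } else if (ActivityCompat.shouldShowRequestPermissionRationale(this, LOCATION)) {
            // The user denied once before (without "don't ask again"):
            // explain why the feature wants location before prompting again.
            Toast.makeText(this,
                    "Location is used only to list stores near you.",
                    Toast.LENGTH_LONG).show();
            ActivityCompat.requestPermissions(this, new String[]{LOCATION}, REQ_LOCATION);
        } else {
            // First request, or the user chose "don't ask again"; in the latter
            // case the system returns a denial immediately and we fall back below.
            ActivityCompat.requestPermissions(this, new String[]{LOCATION}, REQ_LOCATION);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_LOCATION) {
            return;
        }
        // grantResults is empty if the request was interrupted; treat that as a denial.
        boolean granted = grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        if (granted) {
            showNearbyStores();
        } else {
            // Degrade gracefully: the feature still works without precise location,
            // so a denial does not block the user (or make them uninstall).
            showManualCityPicker();
        }
    }

    private void showNearbyStores() {
        Toast.makeText(this, "Listing stores near your location", Toast.LENGTH_SHORT).show();
    }

    private void showManualCityPicker() {
        Toast.makeText(this, "Choose a city to see stores there", Toast.LENGTH_SHORT).show();
    }
}
```

The permission must still be declared in the manifest (`<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />`); on devices below 6.0, or for apps targeting API level 22 or lower, `checkSelfPermission` returns `PERMISSION_GRANTED` for a declared permission and the prompt branches are never reached, so the same code runs under both models.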
It’s Monday morning — do you know your privacy/security status?
Here are a few bits and bytes to start your week.
SEC to Registered Investment Advisers and Broker-Dealers: It’s Your Turn to Pay Attention to Cybersecurity
The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”), calling it an important issue because both funds and advisers increasingly use technology to conduct their business activities and need to protect the confidential and sensitive information involved, including information about fund investors and advisory clients, from third parties. We’ve summarized key points from the recently issued Guidance.
The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:
- Conduct a periodic assessment of:
  - the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
  - internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  - security controls and processes currently in place;
  - the impact should the information or technology systems become compromised; and
  - the effectiveness of the governance structure for the management of cybersecurity risk.
- Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
  - controlling access to various systems and data, including sensitive information and network resources, via:
    - management of user credentials;
    - authentication and authorization methods;
    - firewalls and/or perimeter defenses;
    - network segregation;
    - system hardening; and
    - data encryption.
  - protecting against the loss or exfiltration of sensitive data by:
    - restricting the use of removable storage media; and
    - deploying software that monitors technology systems for unauthorized intrusions, loss or exfiltration of sensitive data, or other unusual events.
  - data backup and retrieval; and
  - the development of an incident response plan.
  - Routine testing of the strategy could also enhance its effectiveness.
- Implement the strategy through:
  - written policies and procedures; and
  - training that provides guidance to officers and employees concerning applicable threats and the measures to prevent, detect and respond to them, and that monitors compliance with cybersecurity policies and procedures.
Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) it visited had experienced cyber-attacks, either directly or indirectly through vendors.
Penn State University Confirms Cyberattack Originated in China
If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while. The University said last week that of two recent cyber attacks on the College, at least one was carried out by a “threat actor” based in China. Penn State was alerted to a breach by the FBI in November and has been investigating since; during that investigation, a 2012 breach was also discovered. The 2012 breach apparently originated in China and compromised servers containing information on about 18,000 people.
For more: Cyberattack on Penn State University
Digital Advertising Alliance to Enforce Mobile App Principles
Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment. The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment. Mobile tools for consumers were released in February: App Choices and the Consumer Choice Page for Mobile Web.
The mobile principles address mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and across apps; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls, including opt-in consent, for user-created data such as calendars, address books and photo/video files that is stored on or accessed through a particular device.
After September 1, any entity that collects and uses any of these types of data will be required to demonstrate compliance with the mobile principles or risk being subject to the DAA’s accountability mechanism.
REMINDER — UPCOMING PRIVACY WEDNESDAY WEBINAR
Don’t forget to register for the next in our Privacy Wednesday Webinar series: The Long Reach of COPPA. Webinar is eligible for NY and CA CLE credit — register here.
Following up on my recent post on the matter, I had the opportunity to speak with Colin O’Keefe of LXBN on the subject of cross-device tracking. In the brief interview, I discuss the growing prevalence of cross-device tracking and what the FTC is doing in response.
Federal authorities have turned their attention to cross-device and cross-service tracking of consumers over the last several days and weeks. Speaking at a Federal Communications Bar Association and American Bar Association joint event on March 25, Federal Communications Commission Enforcement Bureau Chief Travis LeBlanc expressed his privacy concerns about triple-play providers of Internet, video, and voice services aggregating customer data collected from across all three services. This came just a day after reports that Google would be testing a new model for television advertising in markets where it sells both Google Fiber Internet and television service. Also on March 24, the House Commerce, Manufacturing and Trade Subcommittee held a hearing on the Internet of Things that included questions about how personal information could be protected when collected and shared by connected devices. Continue Reading Cross-Device Tracking: The New World