Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data—including highly sensitive information—to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk.   It’s mission-critical to the successful development (and future viability) of a health app to consider the privacy issues up front (otherwise known as “privacy by design“) because it is cheaper to build it in than it is to remediate.

(Note:  This was originally posted as part 6 of a 7-part series on Building a Health App? on our sister blog, Health Law & Policy Matters.)

 

Continue Reading HIPAA and Other Privacy Considerations at Play when Building a Health App

The Federal Trade Commission (FTC) clarified in recent guidance how the Children’s Online Privacy Protection Act (COPPA) applies to internet-connected device companies and other businesses that collect and use children’s voice recordings.

COPPA compliance is necessary for all commercial websites and online or mobile service operators that collect personal information of children under the age of 13. Previously, the FTC has released clarifying updates regarding requirements for companies obtaining verifiable parental consent and the applicability of the law to educational institutions and businesses that provide online services to educational institutions. More recently, it has become important for new business models, such as those involved with Internet of Things devices, to understand how they can remain in compliance with COPPA obligations. In light of COPPA enforcement actions in recent years, we have prepared a helpful guide to ensure businesses know how to avoid violations. Continue Reading FTC Provides Additional Guidance on COPPA Policy for Voice Recordings

Developers and operators of educational technology services should take note.  Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”).  “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data” provides practical direction that operators of websites and online services of a site or service used for K-12 purposes can use to implement best practices for their business models.

Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps.  The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015.

The data that may be gathered by through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results.  At the Federal level, the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Rule (COPPA) govern the use of student data.  However, according to the Recommendations, these laws “are widely viewed as having been significantly outdated by new technology.”

Recognizing this, California has enacted laws in this space to fill in gaps in the protection.  Cal. Ed. Code § 49073.1, requires that local education agencies (county offices of education, school districts, and charter schools) that contract with third parties for systems or services that manage, access, or use pupil records, to include specific provisions regarding the use, ownership and control of pupil records. On the private side, the Student Online Personal Information Privacy Act (SOPIPA), requires Ed Tech provides to comply with baseline privacy and security protections.

Building on this backdrop of legislation, Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  • Data Collection and Retention: Minimization is the Goal 

Describe the data being collected and the methods being used, while understanding that data can be thought of to include everything from behavioral data to persistent identifiers.  If your service links to another service, disclose this in your privacy policy and provide a link to the privacy policy of the external service.  If you operate the external service, maintain the same privacy and security protections for the external service that users enjoyed with the original service.  Minimize the data collected to only that necessary to provide the service, retain the data for only as long as necessary, and be able to delete personally identifiable information upon request.

  • Data Use: Keep it Educational

Describe the purposes of the data you are collecting.  Do not use any personally identifiable data for targeted advertising, including persistent identifiers, whether within the original service, or any other service.  Do not create profiles other than those necessary for the school purposes that your service was intended for.  If you use collected data for product improvement, aggregate or de-identify the data first.

  • Data Disclosure: Make Protections Stick 

Specifically describe any third parties you share personally identifiable data with. If disclosing for school purposes, only do so to further the school specific purpose of your site.  If disclosing for research purposes, only disclose personally identifiable information if you are required by federal or state law, or if allowed under federal and state law, and the disclosure is under the direction of a school, district or state education department.  Service providers should be contractually required to use any personally identifiable data only for the contracted service, not disclose the information, take reasonable security measures, delete the information when the contract is completed, and notify you of any unauthorized disclosure or breach.  Do not sell any collected information, except as part of a merger or acquisition.

  • Individual Control: Respect Users’ Rights 

Describe procedures for parents, legal guardians, and eligible students to access, review and correct personally identifiable data.  Provide procedures for students to transfer content they create to another service, and describe these procedures in your privacy policy.

  • Data Security: Implement Reasonable and Appropriate Safeguards

Provide a description of the reasonable and appropriate security you use, including technical, administrative and physical safeguards, to protect student information.  Describe your process for data breach notification.  Provide training for your employees regarding your policies and procedures and employee obligations.

  • Transparency: Provide a Meaningful Privacy Policy

Make available a privacy policy, using a descriptive title such as Privacy Policy, in a conspicuous manner that covers all student information, including personally identifiable information.  The policy should be easy for parents and educators to understand.  Consider getting feedback regarding your actual privacy policy, including from parents and students.  Include an effective date on the policy and describe how you will provide notice to the account holder, such as a school, parent, or eligible student.  Include a contact method in the policy, at a minimum an email address, and ideally also a toll-free number.

Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed.   If you are growing an ed tech company, this is the time to build in data privacy and security controls.   if you are established, it’s time to review your privacy practices against this Guidance and see how you match up.  If you have any questions or concerns as to how these recommendations could be applied to your company, please do not hesitate to contact the team at Mintz Levin.

The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parents and children users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products, the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet, and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all its Learning Lodge sites, the KidConnect network and thirteen other websites pending investigation. Continue Reading Happy Holidays: VTech data breach affects over 11 million parents and children worldwide

If your company has an online presence — or provides marketing or advertising services — you should be registered for the fifth webinar in our 2015 Wednesday Privacy Webinar series:  The Long Reach of COPPA.   Recall the recent FTC settlement agreement with Yelp — clearly a site not targeted at children — that cost the online review company $450,000.

 

Register online here – NY and CA CLE credit is available.

It’s Monday morning — do you know your privacy/security status?

Here are a few bits and bytes to start your week.

SEC to Registered Investment Advisers and Broker-Dealers:  It’s Your Turn to Pay Attention to Cybersecurity

The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue because both funds and advisers increasingly use technology to conduct their business activities, and need to protect confidential and sensitive information related to these activities from third parties.  That information includes information concerning fund investors and advisory clients.   We’ve summarized key points from the recently-issued Guidance.

The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

  • Conduct a periodic assessment of:
    • the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
    • internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
    • security controls and processes currently in place; and
    • the impact should the information or technology systems become compromised;  and the effectiveness of the governance structure for the management of cybersecurity risk.
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats, such a strategy could include:PrivacyMonday_Image1
    •  controlling access to:
      • various systems and data via management of user credentials;
      • authentication and authorization methods;
      • firewalls and/or perimeter defenses;
      • sensitive information and network resources;
      • network segregation;
      • system hardening; and
      • data encryption.
  • protecting against the loss or exfiltration of sensitive data by:
  • restricting the use of removable storage media; and
  • deploying software that monitors technology systems for:
    • unauthorized intrusions;
    • loss or exfiltration of sensitive data;  or
    • other unusual events.
  • data backup and retrieval; and
  • the development of an incident response plan
    • routine testing of strategies could also enhance the effectiveness of any strategy.
  • Implement the strategy through:
    • written policies and procedures; and
    • training that:
      • provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
      •  monitors compliance with cybersecurity policies and procedures.

Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent SEC cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) they visited experienced cyber-attacks directly or indirectly through vendors.

 

Penn State University Confirms Cyberattack Originated in China

If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while.  The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China.   Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered.   The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.

For more:  Cyberattack on Penn State University

 

Digital Advertising Alliance to Enforce Mobile App Principles

Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment.   The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment.  Mobile tools for consumers were released in February:  App Choices and the Consumer Choice Page for Mobile Web.

The Guidance addresses mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for calendar, address books, photo/video data, etc. created by a user that is stored on or accessed through a particular device.

After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the Guidance or risk being subject to the DAA’s accountability mechanism.

 

REMINDER — UPCOMING PRIVACY WEDNESDAY WEBINAR

Don’t forget to register for the next in our Privacy Wednesday Webinar series:  The Long Reach of COPPA.   Webinar is eligible for NY and CA CLE credit — register here.

 

 

 

 

 

On Friday, the FTC published updates to the COPPA FAQs, the Commission’s compliance guide for businesses and consumers, to address the applicability of COPPA and the Amended COPPA Rule to educational institutions and businesses that provide online services, including mobile apps, to educational institutions. Specifically, nearly a year after the last update to the “COPPA and Schools FAQs”, the Commission revisited its answers to FAQs M.1, M.2, and M.5 and deleted FAQ M.6 in an attempt to streamline the FAQs to provide further clarity on the key topics of notice and consent, best practices for educational institutions, and the interplay between COPPA and other federal and state laws that may apply in the education space. To access our blog post on the prior update to the COPPA and Schools FAQs please click here. Continue Reading Privacy Monday – March 23, 2015: COPPA Refresh

Written by Julia Siripurapu, CIPP/US

Some clarification and a bit more flexibility was forthcoming late last week from the Federal Trade Commission to help ease compliance with the “new” COPPA.

In its recent update to three FAQs in Section H (Verifiable Parental Consent) of the COPPA FAQs , the FTC provided important information on the topic of verifiable parental consent. The revisions are particularly important for the mobile application market since it is now very clear that developers of mobile applications directed to children under 13 can use an app store to obtain verifiable parental consent and that the app stores providing the verifiable parental consent mechanism “will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom you obtain consent.” Continue Reading COPPA Update: FTC Provides More Flexibility on Obtaining Verifiable Parental Consent