Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Wed, 03 Jul 2024 05:17:58 -0400

Upcoming Kelley Drye Events
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/upcoming-kelley-drye-events-2
Wed, 07 Oct 2020 22:29:24 -0400

Please join us for the following upcoming virtual events:

October 13 Futureproofing Privacy Programs

Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well.

In conjunction with Canadian firm nNovation LLP, Privacy and Information Security practice chair Alysa Hutnik and partner Aaron Burstein will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.

October 20 New Frontiers of the Intersection Between Privacy Laws, Antitrust and Misleading Advertising Enforcement Canadian Bar Association (CBA) 2020 Fall Competition Law Conference

The Bureau is pushing the boundaries of the intersection between competition and privacy laws, and the pandemic has accelerated pre-existing trends in digital enforcement. The FTC is similarly continuing to pursue robust enforcement in cutting-edge areas such as data privacy and fintech. Join Alysa Hutnik and a host of others for this session for a conversation on misleading advertising priorities in Canada and the U.S. in the digital economy.

November 10 Nuts and Bolts of Basic Advertising: Substantiation, Disclosures and Social Media 2020 ANA/BAA Marketing Law Conference: A Virtual Experience

Join partner Gonzalo Mon for this session, which will cover important principles of advertising law, including prerequisites to prove your claims, the type of proof required, how to make disclosures, and application of these principles to social media. In addition, it will cover options for challenging competitors. Whether new or experienced to advertising, this session will give you down-to-earth information you need to put later sessions into context. This presentation will put a great new spin on important topics.

October 21 2020 Election Outlook: An In-Depth Analysis of the Race for the White House and Congress

Please join Kelley Drye's Government Relations and Public Policy Group as we present a bipartisan assessment of the upcoming 2020 elections. Election analysts Greg Speed and Jim Ellis will provide a detailed and data-packed assessment of the current state of play in the race for the White House. In addition, they will cover key Senate and House races and the prospects for control of both chambers in the upcoming 117th Congress.

November 10, 2020 The Future of Consumer Protection and Privacy - What to Expect from the FTC

As the election approaches, our government prepares for a transition – either to the second term under President Trump or to the Biden Administration. As this is occurring, consumer protection law also finds itself in transition. Partners Christie Grymes Thompson and John Villafranco will focus on what this means, in terms of recent enforcement activities and priorities related to privacy, data security, marketing, advertising, and other areas of consumer protection.

For on-demand webinar replays and other content organized around Advertising and Marketing Standards, Privacy and Data Security and Consumer Product Safety, visit the Advertising and Privacy Law Resource Center microsite. Available via www.KelleyDrye.com, the site provides practical, relevant information to help in-house counsel answer the questions and solve the problems that they face on a daily basis.

Ad Law Access Podcast - Operationalizing the California Consumer Privacy Act (CCPA)
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/operationalizing-the-california-consumer-privacy-act-ccpa
Tue, 26 May 2020 15:48:16 -0400

CCPA compliance is a cross-functional exercise that requires active participation and buy-in from business units across the organization to tackle data mapping, work flows and employee training. On the latest episode of the Ad Law Access Podcast, former special counsel Tara Marciano and associate Alexander Schneider discuss the ongoing challenges of operationalizing CCPA compliance focusing broadly on two areas: rights requests and vendor agreements.

Listen on Apple, Spotify, Google Podcasts, SoundCloud or wherever you get your podcasts.

For more information on CCPA and other topics, visit:

Advertising and Privacy Law Resource Center - Operationalizing the California Consumer Privacy Act (CCPA)

Safe Harbor Update: The European Commission Issues Guidance on the Schrems Decision
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/safe-harbor-update-the-european-commission-issues-guidance-on-the-schrems-decision
Mon, 09 Nov 2015 13:10:43 -0500

This past Friday, the European Commission (“the Commission”) issued guidance addressing transatlantic data transfers after the European Court of Justice (“ECJ”) decision in the Schrems case. As we noted in an earlier post, the ECJ Schrems decision invalidated the U.S.-EU Safe Harbor framework, the mechanism that enabled self-certifying corporations to transfer personal data from EU countries to the United States. The Commission’s recent guidance sets forth its top priorities and identifies viable and available transfer mechanisms for companies now that Safe Harbor is no longer valid.

Key takeaways from the guidance include:

  • The Commission will continue to work with data protection authorities to ensure uniform application of the Schrems ruling
  • The Commission will continue to work in earnest to negotiate a safer and more comprehensive framework for future transatlantic data transfers
  • The guidance identifies standard contractual clauses and Binding Corporate Rules as viable temporary alternative transfer mechanisms
  • The guidance notes that data protection rules provide for certain exemptions, which may permit the transfer of data in specific circumstances

The Commission’s guidance should be somewhat reassuring for companies impacted by the recent Safe Harbor ruling and concerned by recent posturing of national data protection authorities. For example, this past October Germany’s Data Protection Authorities (which include the federal DPA and 16 state DPAs) issued a 14-point position paper addressing transfer mechanisms post-Safe Harbor and suspending Binding Corporate Rules approvals and ad hoc export agreements to the US for the foreseeable future. The Commission’s guidance suggests that the Commission recognizes the urgency for a new Safe Harbor, which the EU and US are working to achieve by early 2016. We will continue to provide further updates as we follow these developments.

California Releases Guidance on DNT Disclosures for Privacy Policies
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-releases-guidance-on-dnt-disclosures-for-privacy-policies
Thu, 22 May 2014 13:41:06 -0400

Yesterday, California Attorney General Kamala Harris released much-anticipated guidance providing website and mobile app operators with recommended best practices for disclosing, in an online privacy policy, how the operator responds to Do Not Track (“DNT”) signals.

The guidance, “Making Your Privacy Practices Public,” is intended to help companies comply with recent revisions to the California Online Privacy Protection Act (“CalOPPA”), which requires that each privacy policy disclose how the website operator responds to mechanisms, such as DNT signals, that provide consumers with the ability to exercise choice regarding the collection of personally identifiable information (“PII”) over time and across third-party websites. In addition to best practices on DNT signals, the guidance also provides general recommendations to make privacy policies “more effective and meaningful” to consumers.

The guidance provides the following 10 key recommendations:

  1. Scope of Policy: A privacy policy should explain whether it covers online or offline data collection, or both, and to what entities it applies.
  2. Availability: A conspicuous link to the privacy policy should be provided on the homepage of the website, and every webpage where PII is collected. For mobile apps, the link should be provided both on the app’s platform page and within the app.
  3. Readability: Privacy policies should be written in plain, straightforward language that is meaningful to, and can easily be understood by consumers. For smaller screens, such as privacy policies read through mobile apps, the guidance suggests using a layered format that highlights the most relevant privacy issues.
  4. Data Collection: Privacy policies should describe how PII is collected (including through the use of cookies or web beacons) and the kind of PII collected. Any information collected from children under the age of 13 should comply with COPPA.
  5. Do Not Track: Privacy policies should have a clearly identified section which describes the policy regarding online tracking. A header, such as “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures,” can be used to call out the specific section. In addition, privacy policies should describe how the website responds to a browser’s DNT signal or similar mechanism. The guidance recommends describing this information in the privacy policy itself, rather than linking to a related program or protocol that offers consumers a choice about online tracking.
  6. Data Use and Sharing: Privacy policies should explain how PII is used and shared with other entities, including affiliates and marketing partners, and provide a link to the privacy policies of such third parties.
  7. Individual Choice and Access: Privacy policies should describe the choices a consumer has regarding the collection, use, and sharing of his or her personal information.
  8. Security Safeguards: Privacy policies should explain how the website or app operators protect consumers’ PII from unauthorized or illegal access.
  9. Effective Date: The effective date of the privacy policy should be provided, and the privacy policy should explain how consumers will be notified about material changes.
  10. Accountability: Contact information should also be provided in case consumers have questions or concerns about the privacy policy or practices.

Snapchat Captured in FTC Enforcement
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/snapchat-captured-in-ftc-enforcement
Sun, 11 May 2014 14:00:16 -0400

On May 8, 2014, the FTC announced a settlement with Snapchat resolving allegations that the popular mobile messaging app deceived consumers over the disappearing nature of users’ “snaps” and made false and misleading representations concerning its privacy and information security practices. The FTC took issue with several of Snapchat’s practices and representations:

  • Disappearing “Snaps” – Snapchat represents to users that their snaps (i.e., photos and videos) will “disappear forever” after the user-set time period expires, thereby ensuring users’ privacy and safeguarding against data collection. According to the FTC’s complaint, however, recipients could circumvent the settings to save or access the snaps in a number of ways. For example, recipients could open Snapchat messages in third-party apps, take a screen shot of the snaps on an iPhone, or access videos by connecting their mobile device to a computer and retrieving the files through the device directory. The complaint alleges that these types of workarounds were highly publicized.
  • Misrepresenting Data Collection Practices – Snapchat’s privacy policy represented to users that the app did not access or track users’ geolocation information. The FTC complaint asserts that in October 2012, Snapchat integrated an analytics tracking service in the Android system, which transmitted Wi-Fi based and cell-based location information from users’ mobile devices. Snapchat continued representing in the privacy policy that it did not collect or use geolocation information until February 2013. In addition, the app allows users to “Find Friends” by entering their mobile number or by accessing the Find Friends feature in the apps menu options. The privacy policy implied that the user’s mobile phone number was the only information Snapchat collected to find the user’s friends. The FTC contends, however, that when the user chose to Find Friends, Snapchat also collected the names and phone numbers of all the contacts in users’ address books.
  • Security Design Flaws – The FTC complaint alleges that Snapchat failed to securely design its Find Friends feature by failing to verify the phone number of the user upon registration. As a result, an individual could create an account using a phone number belonging to another consumer. The FTC contends that Snapchat received a number of complaints that users’ snaps were being sent to strangers who had registered with friends’ numbers, or that their phone number had been used to send inappropriate or offensive snaps. In addition, Snapchat represents in its privacy policy that it takes “reasonable steps” or “reasonable measures” to protect users’ information. The FTC asserts, however, that Snapchat failed to implement any restrictions on serial and automated account creation, which allowed attackers to create multiple accounts and send millions of Find Friends requests using randomly generated phone numbers. According to the complaint, the attackers were able to compile a database of 4.6 million Snapchat usernames and associated mobile phone numbers.

The FTC’s proposed consent order prohibits Snapchat from misrepresenting: (1) the extent to which a message is deleted after being viewed by the recipient; (2) the extent to which the company or its products or services are capable of detecting or notifying the sender when a recipient has captured a screenshot of, or otherwise saved, a message; (3) the categories of covered information collected; or (4) the steps taken to protect against misuse or unauthorized disclosure of covered information.

Although the FTC’s order does not include any monetary remedy, Snapchat must comply with a 20-year FTC administrative order. This means that if the company violates a term of its settlement agreement with the FTC, it can be liable for a civil penalty of up to $16,000 for each violation, which the FTC can construe as each day of non-compliance. The settlement is a continued reminder that the FTC remains focused on protecting the privacy of consumers and will closely scrutinize companies’ practices as they relate to the handling and security of consumers’ personal information.

Mobile Enforcement Continues to be APPealing to the FTC
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/mobile-enforcement-continues-to-be-appealing-to-the-ftc
Wed, 02 Apr 2014 20:54:05 -0400

On March 28, 2014, the FTC announced two new mobile app settlements – with Fandango and Credit Karma – based on allegations that the companies failed to secure the transmission of consumers’ sensitive personal information collected via their mobile apps and misrepresented the security precautions that the companies took for each app.

Specifically, the FTC alleged that Fandango and Credit Karma disabled the SSL (Secure Sockets Layer) certificate validation procedure for each of their mobile apps. According to the FTC, this left the apps open to “man-in-the-middle” attacks, in which an attacker positions itself between the app and the online service by presenting an invalid SSL certificate to the app. The FTC contends that Fandango and Credit Karma engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security in the development and maintenance of their mobile apps, including:

  • Overriding the default SSL certificate validation settings provided by the iOS and Android application programming interfaces (APIs) without implementing other security measures to compensate for the lack of SSL certificate validation;
  • Failing to appropriately test, audit, assess, or review the apps, including failing to ensure that the transmission of sensitive personal information was secure;
  • Failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties (Fandango only); and
  • Failing to reasonably and appropriately oversee its service providers’ security practice (Credit Karma only).

The FTC also asserts that the companies made deceptive privacy and security representations, including in their in-app representations.

As mobile privacy and security continues to be at the forefront of the FTC’s enforcement priorities, companies should keep abreast of developments in this area and regularly evaluate their mobile products and services. Stay tuned for a Kelley Drye client advisory discussing the enforcement trends for mobile and “red flags” that companies should watch out for.

Senator Leahy Introduces Bill to Update Electronic Communications Privacy Act
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/senator-leahy-introduces-bill-to-update-electronic-communications-privacy-act
Mon, 23 May 2011 11:09:53 -0400

Last week, Sen. Patrick Leahy (D-VT) introduced a bill to update the 25-year-old Electronic Communications Privacy Act (ECPA), by seeking enhanced privacy protections during government searches of electronic communications, cloud computing and location-based services. The ECPA Amendments Act of 2011 (S. 1011) would require a search warrant based on probable cause before service providers could disclose to federal authorities the contents of a customer’s electronic communications, whether stored or in transit – eliminating the “180-day rule.” However, the bill would require service providers to provide access to non-content communication records, such as subscriber name and address, in response to federal or state administrative or grand jury subpoenas. Federal authorities can also seek delayed notification to a service provider’s customers for investigative purposes.

The bill also implicates the mobile industry, proposing geolocation information privacy protections. If enacted, the bill would prohibit required disclosure of contemporaneous or prospective geolocation information without a warrant or court order, with exceptions for emergency response and historical data. At a recent hearing (see Kelley Drye Advisory), Sen. Leahy expressed his desire for broad application of ECPA to mobile providers and mobile applications. Notably, the bill would insulate electronic communication service providers from liability for providing geolocation information to federal authorities.

Communications providers need to be aware of their current and potential obligations under ECPA and the way in which they respond to requests for sensitive customer information from federal authorities. ECPA reform and the flood of recent privacy legislation (see Kelley Drye Chart) may impact mobile and Internet service providers’ responsibilities to protect customer privacy.

Christopher S. Koves contributed to this post.

Insights From Kelley Drye's 2nd Annual Privacy Law Seminar
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/insights-from-kelley-dryes-2nd-annual-privacy-law-seminar
Mon, 30 Nov 2009 11:15:58 -0500

On November 17, 2009, Kelley Drye & Warren hosted a seminar and webcast, “Privacy Law Paradigm Shift: Policymakers Respond to Rapidly Evolving Technologies,” addressing new developments in privacy and information security law, regulation, and enforcement. Kelley Drye Partner Tom Cohen, and Of Counsel Jodie Bernstein, opened the seminar with an overview of privacy law and a history of the Federal Trade Commission’s enforcement priorities. Nine experts from the government and private sector spoke during three different panel sessions, The New Privacy Paradigm, Developments in Data Security, and Privacy and New Technologies. This advisory provides an overview of the key take-aways from each panel.

A webcast recording is also available to view online.

The New Privacy Paradigm—moderated by Kelley Drye Partner Dana Rosenfeld

  • Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission
  • Lee Peeler, President, National Advertising Review Council
  • Ari Schwartz, Vice President and Chief Operating Officer, Center for Democracy and Technology

Panelists focused on the future of consumer privacy regulation and enforcement and the practices organizations should follow to protect consumers’ privacy in light of changing technology and marketplace conditions.

  • Maneesha Mithal, from the Federal Trade Commission (FTC), discussed how the FTC’s upcoming series of privacy roundtable discussions will impact the Commission’s examination of its privacy regulation framework. According to Ms. Mithal, the roundtable discussions are designed to address drawbacks in the current privacy regulatory framework; determine challenges the FTC will face moving forward, such as how the FTC can create clear privacy rules while maintaining flexibility to adapt to changing technology and marketing techniques; and what goals the FTC should adopt for privacy regulation and enforcement.
  • Other topics included the Center for Democracy and Technology’s (CDT) view of the FTC’s roundtable discussions, including an overview of comments submitted by CDT regarding the event. Ari Schwartz, from CDT, urged the FTC to bring more enforcement actions using the unfairness standard to prevent misuse of consumers’ personal information and advocated the adoption of fair information practices, such as those used by the Department of Homeland Security.
  • From the industry self-regulation perspective, Lee Peeler, with the National Advertising Review Council, discussed the benefits of privacy self-regulation as a fast and flexible approach to create new privacy standards. Mr. Peeler also presented a model to regulate behavioral advertising and mechanisms that could monitor the industry for organizations that violate self-regulatory rules.

Developments in Data Security—moderated by Kelley Drye Associate Alysa Hutnik

  • Marc Groman, House Energy & Commerce Committee Staff
  • Stephen L. Surdu, Vice President of Professional Services, MANDIANT
  • Naomi Lefkovitz, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission

The second panel addressed privacy and data security legal developments including current legislation, recent criminal data breach activity, and agency enforcement actions and new regulations.

  • Legislative developments include Congressional data breach bills introduced in the House and Senate. Marc Groman, a staff member for the House Committee on Energy and Commerce, discussed the Committee’s efforts to enact federal data breach legislation and the requirements of this pending legislation, including a FTC mandate to promulgate data breach rules, coverage of both paper and electronic records, federal preemption standards, and civil penalty provisions available for both FTC and state enforcement actions.
  • Stephen Surdu, from MANDIANT, an information security company, discussed new types of data security attacks that can leave organizations vulnerable to information breaches. Mr. Surdu warned that many new system attacks are more sophisticated, making them harder to recognize as security intrusions, such as new phishing scams that accurately spoof company logos, e-mail formats, and other information.
  • FTC attorney for the Division of Privacy and Identity Protection, Naomi Lefkovitz, spoke about legislative and regulatory developments regarding identity theft, including the scope of the FTC’s Red Flags Rule. Ms. Lefkovitz provided information regarding the FTC’s approach to risk-based identity theft prevention plans and the rule’s effect on covered entities that use third party vendors to collect, use, or protect personal information.

Privacy and New Technologies—moderated by Kelley Drye Partner John Heitmann

  • Mary Ellen Callahan, Chief Privacy Officer, Department of Homeland Security
  • Edward Palmieri, Deputy Chief Privacy Officer, Sprint Nextel
  • C.M. Tokë Vandervoort, Senior Counsel—Technology & Privacy, XO Communications

Panelists involved in the final session of the day discussed how different organizations, from government to the private sector, handle privacy issues associated with new technologies.

  • From the government perspective, the Chief Privacy Officer for the Department of Homeland Security, Mary Ellen Callahan, discussed a variety of privacy law-related challenges facing the federal government, including the steps government agencies have taken to assess and to adapt to privacy issues created by the development and implementation of new technologies, such as web programs that use cookies or other web tracking devices. She also addressed concerns associated with the government’s use of social media, including public perceptions and expectations regarding privacy and the preservation of federal records.
  • C.M. Tokë Vandervoort from XO Communications discussed benefits, drawbacks, and privacy issues associated with cloud computing. Cloud computing is beneficial to consumers and business because it minimizes costs of data storage, allows individuals and business to access new applications at a low cost, and can provide users with expert application support. But, privacy and information security problems can arise if consumer data is not properly protected or cloud computing organizations do not adequately communicate privacy and data security standards to consumers. Ms. Vandervoort provided possible remedies for privacy and security issues and explored what privacy and security issues could arise for cloud computing in the future.
  • Edward Palmieri from Sprint Nextel addressed privacy issues related to emerging cell phone and location-based technology. These technologies offer valuable and convenient services for users; however, businesses should be careful to tailor privacy notices and notice/consent regimes to adequately warn consumers about different types of information used and collected by each program. Mr. Palmieri also stressed that consumer privacy education, simple and meaningful privacy disclosures, and comprehensive data security measures are necessary to protect consumers’ information and ensure consumer satisfaction with use of personal information by carriers.

The seminar was presented by Kelley Drye’s Privacy and Information Security and Telecommunications practice groups. To view a recording of the full webcast, click here.
