Privacy Policy Workshop

M. Ryan Calo, Center for Internet and Society, Stanford Law School
Mali Friedman, Covington & Burling LLP, San Francisco Office

January 28, 2009


Page 1: Privacy Policy Workshop

Privacy Policy Workshop

M. Ryan Calo, Center for Internet and Society, Stanford Law School

Mali Friedman, Covington & Burling LLP, San Francisco Office

January 28, 2009

Page 2

Overview

• Legal Landscape
• How to Write an Effective Privacy Policy
• The Future of Notice

Page 3

Legal Landscape

• California Law
• FTC
  – Fair Information Principles
  – Commission Guidance
  – Enforcement Proceedings
• State Attorneys General
  – Enforcement Actions
  – General Guidance
• Additional Considerations
  – Children
  – International

Page 4

Legal Landscape: California Law

• Online Privacy Protection Act of 2003
  – Cal. Bus & Prof. Code §§ 22575-22579
• Basic Requirements
  – “Commercial Web site or online service that collects personally identifiable information through the Internet”
  – “About individual consumers residing in California”
  – “Conspicuously post”

Page 5

Legal Landscape: California Law

• Google Controversy

Page 6

Legal Landscape: California Law

• Substantive Requirements

1. Identify categories of personally identifiable information collected.

2. Identify categories of third parties with whom personally identifiable information may be shared.

3. If it exists, describe the process by which an individual consumer may review and request changes to his or her personally identifiable information.

4. Describe the consumer notification process for material changes to the Privacy Policy.

5. Identify the effective date for the Privacy Policy.

Page 7

Legal Landscape

1. Identify categories of personally identifiable information collected and how this information is used.

• FTC Fair Information Principles
  – Privacy policy should identify ways consumer information is collected and used.
  – This includes notifying consumers of “what will happen to the personal information they are asked to divulge.”
• State Mini-FTC Acts
  – Suggestion that it is an unfair or deceptive trade practice not to notify consumers about the collection of information.
• Amazon (2002)
  – Specify collection and use.
• DoubleClick (2000)
  – Describe cookies.

Page 8

Legal Framework

2. Identify categories of third parties with whom personally identifiable information may be shared.

• FTC Fair Information Principles
  – Encourage identification of any recipients of the data.
• State AGs
  – Required entities to inform consumers about third-party recipients.
    • New York (Alta Vista, 2001)
    • Missouri (More.com, 2000)
  – Washington State
    • State whether third parties are bound by operator’s privacy policy with respect to disclosed information.
    • Disclose whether information will be shared with third parties for third parties’ direct marketing purposes.

Page 9

Legal Framework

3. If it exists, describe the process by which an individual consumer may review and request changes to his or her personally identifiable information.

• No general requirement in the United States that websites allow consumers to access personal information.
• FTC Fair Information Principles
  – Recommends providing opportunity to access and dispute the accuracy and completeness of the personal information provided.

Page 10

Legal Framework

4. Describe the consumer notification process for material changes to the Privacy Policy.

• No federal or state law specifically defines “material change.”
  – FTC: When new practices are inconsistent with the company’s previous representations to its customers.
  – FTC staff opinion: To be considered “material,” change must affect a company.
  – Washington AG: May include “new use[s] of personal data as well as changes to the list of parties with whom the business shares information.”

Page 11

Legal Framework

5. Identify the effective date for the Privacy Policy.

• No explicit definition.
• Even minor changes to the policy may require a change to the effective date.

Page 12

Legal Landscape

• Generally, format and content should be easy for a reasonable consumer to understand.
  – FTC Fair Information Principles
  – Amazon.com Example
    • Privacy policy alleged in 2000 to confuse consumers.
    • State attorneys general convinced the company to revise the policy by:
      – (1) Narrowing the scope of exceptions; and
      – (2) Adding examples to improve clarity.

Page 13

Additional Considerations

• Children’s Online Privacy Protection Act (“COPPA”)
  – Applies to websites that collect information from children under the age of 13 that are either:
    • (1) directed to children; or
    • (2) general audience sites with actual knowledge that they collect information from such children.
  – Requires additional, child-specific privacy disclosures.
  – Requires notification to and consent from parents.
• International

Page 14

How To Write An Effective PP

• Identify actual privacy practices.
  – Find or develop a questionnaire.
  – Get input from all levels of the organization.
  – Good time to audit for legal compliance.
• Look to peers / competitors.
  – What is your organization doing differently?
  – What might your organization improve or highlight to its advantage?
• Compare multiple models to see the range of disclosure options.

Page 15

How To Write An Effective PP

• Anatomy of a privacy policy:
  – Information collection
    • Personally identifiable information
    • Non-PII (including cookies, web bugs, logs)
  – Information use
    • Individual vs. aggregate
  – Information disclosure
    • Types of third parties (contractors, partners, gov’t)
    • Purpose of disclosure
  – Consumer choices
    • Opt out
    • Access (view, alter, delete)

Page 16

How To Write An Effective PP

• Anatomy of a privacy policy cont.:
  – Communications from website
  – Retention
  – Security
  – Business transitions (including mergers)
  – Effective date
  – Material changes
  – Contact information
• Example: Navigenics

Page 17

How To Write An Effective PP

• Next steps:
  – Focus-group the text with non-lawyers
  – Monitor for developments
• More resources:
  – OECD Privacy Policy Generator
  – BBB Privacy Planner
  – Direct Marketing Association
  – TRUSTe Model Policy and Whitepaper
  – Federal Trade Commission Guidance

Page 18

The Future of Notice

• Problems:
  – Constant innovation means that privacy policies must be broadly worded.
  – Consumers do not have time to read policies.
    • Carnegie Mellon study calculated that it would take the average American 200 hours / year to read policies.
  – Consumers assume protective privacy practices from the mere existence of a privacy policy link.
    • In a Samuelson Clinic / Annenberg study, 57% of adults agreed strongly that where a company has a privacy policy, it will not share user data with other companies.

Page 19

The Future of Notice

• Potential Solutions:
  – Automation
    • In Code, Lawrence Lessig explores a potential design-based solution to online privacy called P3P.
    • Privacy Finder leverages P3P in a search engine.
    • Students from Berkeley’s School of Information are currently scoring top privacy policies (KnowPrivacy.org).
    • The Internet Governance Forum is looking for a way to translate privacy policies into machine-readable blocks.
  – Icons
    • The Center for Democracy and Technology and others suggested “standardized disclosures” in FTC comments.

Page 20

The Future of Notice

• Icons Cont.
  (Slide of privacy icon images; source: Matthias Mehdau, Jan Gerner (font))

Page 21

Questions? / Contact Information

Mali Friedman
Covington & Burling LLP
[email protected]

M. Ryan Calo
Stanford Law School
Center for Internet and Society
[email protected]