Posts Tagged ‘Privacy Policies’
Survey on App Privacy Policies Finds Increased Implementation, Overall
Monday, July 23rd, 2012Survey finds that only 61.3% of apps have privacy policies, reflecting perceived need for increased app privacy regulations.
By Alice Cheng
A recent survey conducted by the Future of Privacy Forum (FPF) examined whether popular free and paid mobile apps provided users with access to a privacy policy. The survey found that 61.3% of the 150 apps examined had a privacy policy, while more free apps than paid apps had privacy policies. While the numbers of apps with privacy policies are still low, these findings mark an overall increase from the previous year.
The FPF credits the consumer privacy efforts of various groups, including the Federal Trade Commission and the California Attorney General. The FTC has made continuous efforts to develop companies develop best consumer privacy practices, and has been involved in battling privacy violations. In February, California Attorney General Kamala Harris persuaded six major companies with mobile platforms (including Apple, Microsoft, and Google) to ensure that app developers include privacy policies that comply with the California Online Privacy Protection Act. More recently, Harris also announced the formation of the Privacy Enforcement and Protection Unit to oversee privacy issues and to ensure that companies are in compliance with the state’s privacy laws.
Together with the FPF survey results, these recent strides reflect a growing nationwide concern for information privacy. However, mere access to privacy policies does not ensure that consumers are aware of what happens to information collected about them. Many policies are long and onerous, and can be confusing for consumers. As many privacy laws focus on protecting the consumer’s privacy interests, providing a clear privacy policy is oftentimes a best practice for all companies.
Who Owns Your Data and What Can They Do With It? Understanding Data Privacy and Information Security in the Cloud
Tuesday, May 29th, 2012
“Cloud” Technology Offers Flexibility, Reduced Costs, Ease of Access to Information, But Presents Security, Privacy and Regulatory Concerns
With the recent introduction of Google Drive, cloud computing services are garnering increased attention from entities looking to more efficiently store data. Specifically, using the “cloud” is attractive due to its reduced cost, ease of use, mobility and flexibility, each of which can offer tremendous competitive benefits to businesses. Cloud computing refers to the practice of storing data on remote servers, as opposed to on local computers, and is used for everything from personal webmail to hosted solutions where all of a company’s files and other resources are stored remotely. As convenient as cloud computing is, it is important to remember that these benefits may come with significant legal risk, given the privacy and data protection issues inherent in the use of cloud computing. Accordingly, it is important to check your cloud computing contracts carefully to ensure that your legal exposure is minimized in the event of a data breach or other security incident.
Cloud computing allows companies convenient, remote access to their networks, servers and other technology resources, regardless of location, thereby creating “virtual offices” which allow employees remote access to their files and data which is identical in scope the access which they have in the office. The cloud offers companies flexibility and scalability, enabling them to pool and allocate information technology resources as needed, by using the minimum amount of physical IT resources necessary to service demand. These hosted solutions enable users to easily add or remove additional storage or processing capacity as needed to accommodate fluctuating business needs. By utilizing only the resources necessary at any given point, cloud computing can provide significant cost savings, which makes the model especially attractive to small and medium-sized businesses. However, the rush to use cloud computing services due to its various efficiencies often comes at the expense of data privacy and security concerns.
The laws that govern cloud computing are (perhaps somewhat counterintuitively) geographically based on the physical location of the cloud provider’s servers, rather than the location of the company whose information is being stored. American state and federal laws concerning data privacy and security tend to vary while servers in Europe are subject to more comprehensive (and often more stringent) privacy laws. However, this may change, as theFederal Trade Commission (FTC) has been investigating the privacy and security implications of cloud computing as well.
In addition to location-based considerations, companies expose themselves to potentially significant liability depending on the types of information stored in the cloud. Federal, state and international laws all govern the storage, use and protection of certain types of personally identifiable information and protected health information. For example, the Massachusetts Data Security Regulations require all entities that own or license personal information of Massachusetts residents to ensure appropriate physical, administrative and technical safeguards for their personal information (regardless of where the companies are physically located), with fines of up to $5,000 per incident of non-compliance. That means that the companies are directly responsible for the actions of their cloud computing service provider. Aaron Messing, an information privacy and technology attorney at OlenderFeldman LLP, notes that some information is inappropriate for storage in the cloud without proper precautions. “We strongly recommend against storing any type of personally identifiable information, such as birth dates or social security numbers in the cloud. Similarly, sensitive information such as financial records, medical records and confidential legal files should not be stored in the cloud where possible,” he says, “unless it is encrypted or otherwise protected.” In fact, even a data breach related to non-sensitive information can have serious adverse effects on a company’s bottom line and, perhaps more distressing, its public perception.
Additionally, the information your company stores in the cloud will also be affected by the rules set forth in the privacy policies and terms of service of your cloud provider. Although these terms may seem like legal boilerplate, they may very well form a binding contract which you are presumed to have read and consented to. Accordingly, it is extremely important to have a grasp of what is permitted and required by your cloud provider’s privacy policies and terms of service. For example, the privacy policies and terms of service will dictate whether your cloud service provider is a data processing agent, which will only process data on your behalf or a data controller, which has the right to use the data for its own purposes as well. Notwithstanding the terms of your agreement, if the service is being provided for free, you can safely presume that the cloud provider is a data controller who will analyze and process the data for its own benefit, such as to serve you ads.
Regardless, when sharing data with cloud service providers (or any other third party service providers)), it is important to obligate third parties to process data in accordance with applicable law, as well as your company’s specific instructions — especially when the information is personally identifiable or sensitive in nature. This is particularly important because in addition to the loss of goodwill, most data privacy and security laws hold companies, rather than service providers, responsible for compliance with those laws. That means that your company needs to ensure the data’s security, regardless of whether it’s in a third party’s (the cloud providers) control. It is important for a company to agree with the cloud provider as to the appropriate level of security for the data being hosted. Christian Jensen, a litigation attorney at OlenderFeldman LLP, recommends contractually binding third parties to comply with applicable data protection laws, especially where the law places the ultimate liability on you. “Determine what security measures your vendor employs to protect data,” suggests Jensen. “Ensure that access to data is properly restricted to the appropriate users.” Jensen notes that since data protection laws generally do not specify the levels of commercial liability, it is important to ensure that your contract with your service providers allocates risk via indemnification clauses, limitation of liabilities and warranties. Businesses should reserve the right to audit the cloud service provider’s data security and information privacy compliance measures as well in order to verify that the third party providers are adhering to its stated privacy policies and terms of service. Such audits can be carried out by an independent third party auditor, where necessary.
What Do I Need To Look For In A Privacy Policy?
Thursday, May 3rd, 2012
Privacy policies are long, onerous and boring. Most consumers never read them, even though they constitute a binding contract. Here is a handy checklist of some quick things to skim for.
As we’ve previously discussed, even “non-sensitive” information can be very sensitive under certain circumstances. When reviewing a company’s privacy policy, you should focus on determining the following:
- The type of information is gathered by the website, including information which is voluntarily provided (i.e., name, date of birth, etc.) and electronic information (i.e., tracking cookies).
- What information is optional (i.e., requested but not required for website use) versus what information you must provide if you want to use the website.
- With whom your information is shared, and if it is shared with affiliates, you should learn the identity of the affiliates. The more information you provide, the more concerned the user should be about this answer.
- How your information is used (i.e., for targeted advertising, for general marketing, for selling data to third-parties, etc.). Similar to above, the more information you provide, the more concerned the user should be about this answer.
- How long the website retains your information, and similarly, what rights you have to have all of your information deleted by the website (including information the website has already shared with third-parties).
Generally speaking, all website users should start with the assumption that all information provided is optional and will ultimately be shared with other companies or individuals. Starting with that assumption then makes it easier psychologically to skim through the privacy policy or terms and conditions and pick out the exceptions which may protect your privacy. If you are unable to quickly pick out those exceptions, or if the language is too confusing, the user should proceed with caution and assume his or her information will not be kept confidential – a decision which will dictate how and whether you proceed on the website. Better to be safe than sorry with the information you provide.
Entertainment Weekly Calls On OlenderFeldman For Comments
Tuesday, October 18th, 2011On Tuesday, October 18th, a 40-something year old actress filed a law suit against IMDb and Amazon for publishing her real name and age on IMDb’s website. Entertainment Weekly asked Michael J. Feldman, Esq., CIPP, to weigh in on the merits of the plaintiff’s privacy claim.
Feldman, a partner at OlenderFeldman who is also not involved in the IMDb suit, believes “the most pivotal issue in the case” will be the clarity of IMDb’s Privacy Policy and Subscriber Agreement. According to Feldman, IMDb’s “mistake here is that neither the Privacy Policy nor the Subscriber Agreement are clear as to the purpose for obtaining credit card information, and how that information will be used.” Without that confusion, Feldman speculated that IMDb could have avoided this lawsuit altogether. Still, he agreed that Doe “has numerous hurdles to overcome,” primarily that she “appears to confuse promises made in those agreements concerning security of information provided to IMDb and the privacy rights afforded to subscribers of the website.”
Making the case even less promising, Feldman thinks the $1 million price tag on Doe’s suit is unreasonable: “She will have an extremely difficult time proving damages under the facts alleged.” Added Feldman, a founding member of privacy and data protection consulting firm Acentris: “Even if IMDb is at fault, damages are limited to the total amount [she] paid” as an IMDbPro subscriber.
To read more on this intriguing matter, click here.