A Q&A with Dominique Shelton
The area of mobile app customer data collection is fraught with heightened regulatory interest. In the past 18 months, industry leaders have come together to create the Best Practices in Mobile Data Collection guidance while the California Attorney General released “Privacy on the Go.” To get a better handle on the issue of mobile app data collection, I spoke with Dominique Shelton of Edwards Wildman Palmer, LLP in Los Angeles, CA.
Can you provide an example of a business being sued for wrongful data collection?
It is important to keep in mind that data collection has been challenged by plaintiffs and regulatory agencies when an argument can be raised that the consumers did not understand that their data was being collected. The focus of the FTC and certain regulators like the California Attorney General has been on compliance with “privacy by design.” This means giving consumers sufficient notice and the choice to make meaningful decisions about their data and how it’s used. Currently, there are over 176 class actions pending around the country, based on behavioral advertising or tracking information to create customized products or targeted advertising. One recent example is the case the California Attorney General brought against Delta Airlines for not posting a mobile privacy disclosure. We have also seen class actions filed against a major studio and search engine in December, challenging mobile apps that allegedly collect behavioral information from users under the age of 13. So in this environment it’s very important for companies to take a look at this issue.
What types of data can get businesses into trouble?
Certainly, any personally identifiable information, such as name, address, phone numbers or email that may be collected without disclosure. And now we’re starting to see risk around behavioral data that identifies the user’s mobile device or social networking ID associated with their Facebook profile, for instance. Those identifiers are considered personally identifiable information by regulators. The CA AG recently issued the “Privacy on the Go” report, in which personally identifiable information is defined as “any data linked to a person or persistently linked to a mobile device—data that can identify a person via personal information or a device via a unique identifier.” Also, the FTC is moving towards a definition of personal information that includes any data “reasonably linkable” to an individual based upon the comments of users that unique identifiers can be linked to other information to identify users personally. Of course, we are also seeing financial and health data as an area of interest and this is considered “sensitive” information as well.
Are there any states with stricter laws that increase liability?
No. California doesn’t have a law yet. There is a Do Not Track bill pending but it hasn’t gone through to a full vote. In the context of class actions, most have been filed using older statutes such as the Electronic Privacy Act and the Computer Abuse Act, claiming that tracking violates those statutes. Although there is not a distinct Do Not Track bill, it is important to know that this issue is getting greater attention by regulators and this in and of itself may create a new standard. For example, “Privacy on the Go” does create a de facto new standard for the country by recommending security, encryption and protection standards for unique identifiers and behavioral data that was previously considered by many companies to be non-personally identifiable information, not subject to enforcement. Further, the class actions that have been brought based upon the creation of ad profiles from the users’ online behavior also acts as a check for how companies should consider compliance. Further, the SEC October 2011 guidance calling for disclosure of all material cyber risks by public companies is useful.
What can a business do to mitigate their risk?
First, take a look at online disclosure and mobile disclosure policies. Supplemental notice is ideal. Make sure that someone in the company is responsible for privacy compliance—it could be the chief privacy officer or someone in the legal department or product development. They should be in touch with self-regulatory groups that have promulgated guidelines to address these issues. At a minimum, the company should be in step with its peers in addition to focusing on the latest guidance materials and which activities will attract the attention of regulators. There needs to be a dialogue between the privacy group and product development and marketing so that when new products are rolled out they can vet their use of customer information and make sure they are up to date on their legal obligations. Also, conducting annual trainings on privacy practices is a good idea and recommended by the CA AG.