MIRSKY & COMPANY, PLLC

Tel: (202) 339-0303 (DC), (646) 374-1335 (NY) | Fax: (202) 350-9480 | Email: andy@mirskylegal.com | Internet: www.mirskylegal.com

New Media Legal Breakfast (Twitter: #MediaLawDC)
March 27, 2012
Privacy and Business: What MUST You Be Aware Of? Basic Privacy Obligations of a New Business in the US
Andrew Mirsky, Esq. (Mirsky & Company, PLLC)

Important Note: This discussion covers privacy for business as a general matter. It is not a policy discussion, but rather a discussion of what businesses must be aware of and which areas expose all businesses to legal liability. We will not address consumer privacy, HIPAA, Gramm-Leach-Bliley or employment-specific privacy, nor non-US (particularly EU) law. Those are topics for another day. This outline addresses the general privacy considerations for a company doing business in the United States and handling consumer information.

1. Significance of Personally Identifiable Information (PII)?
   Most privacy obligations apply only to the handling of users' PII.

2. What is PII?
   (a) PII generally:
       - Name (full name, or first initial and last name), maiden name
       - Email address or other online contact information, such as an instant messaging identifier
       - Home or other physical address
       - Telephone number
       - Credit card or debit card numbers
       - Bank account numbers
       - Social Security number
       - Driver's license number or state-issued ID card number
       - Passport number
       - Taxpayer identification number
       - Personal characteristics such as photographic images (especially of the face or another identifying characteristic), fingerprints, or other biometric data (e.g. retina scan, voice signature, facial geometry)
       MA and CA courts: Zip codes are PII (in the context of credit-card transactions).
       Trend: Industry practice is moving away from fine legal distinctions and simply treating anything that is reasonably personal as PII, essentially dropping the middle word, "identifiable".
       From FTC Report (3/26/12): The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be "reasonably linked" to consumers, computers, or devices. The final report concludes that data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.

2301 N Street, NW (Suite 313) Washington, DC 20037

318 West 14th Street (4th Floor) New York, NY 10014

   (b) Potential PII (not PII by themselves, but identifying in combination with other data):
       - A persistent identifier, such as a generic customer/user value held in a cookie
       - IP (Internet Protocol) address or host name
       - Date of birth, age
       - Racial or ethnic background
       - Religious affiliation
       - Gender
       - Height, weight
       - Marital status
       - Employment information
       - Medical information
       - Financial information
       - Credit information
       - Student information
   (c) Sensitive PII:
       - PII which, if lost, compromised, or disclosed without authorization, either alone or with other information, carries a significant risk of economic or physical harm; or
       - Information related to (i) a particular medical condition or a health record, or (ii) the religious affiliation of an individual.
   (d) Not PII:
       - Browser type
       - Browser plug-in details
       - Local time zone
       - Date and time of each visitor request (e.g. arrival at and exit from each web page)
       - Language preference
       - Referring site
       - Device type (e.g. desktop, laptop, or smartphone)
       - Screen size, screen color depth, and system fonts
       Caveat: individually these attributes are not PII, but in combination they can fingerprint a particular browser or device, which bears on whether data collected alongside them is "reasonably linked" to a device under the FTC standard above.

3. Major laws (generally) applicable to privacy in the US (from the business perspective):
   - FTC Act Section 5
   - State "baby FTC Acts" (state unfair and deceptive practices statutes)
   - State (e.g. CA) privacy laws
   - State data security laws (e.g. MA, IL, MN, etc.)
   - HIPAA (medical and health information)
   - Gramm-Leach-Bliley (financial information)
   - COPPA

4. Major differences between mobile and non-mobile?
   Yes, particularly because of FCC oversight of mobile carriers (N/A for non-mobile), and the application of issues such as sharing of customer proprietary network information ("CPNI"), including geographic location information. The FCC is not claiming oversight of the internet beyond mobile, but the FTC is claiming oversight of mobile as well (FTC public workshop 5/30/12).

5. Privacy: What must a business really do?
   Conspicuously disclose (absolute minimums):
   (a) Information collected: the categories of personal information the website collects.
   (b) The categories of third parties with whom the company shares the information.
   (c) How the user can review and request changes to the information the company has collected about them.
   (d) How the company notifies users of material changes to its privacy policy.
   (e) The effective date of the privacy policy.
   But also (from SRO and seal program certifications):
   (a) (Option not to provide PII) Users are given the option of not providing PII if the information collected is not related to the primary purpose for which it is collected, or if the PII is disclosed to third parties.
   (b) (Unsubscribe options) All newsletters and promotional email messages sent to users, apart from messages the user has agreed to receive as a condition of using the service, must include an unsubscribe link.
   (c) (COPPA) If a user has stated that he or she is under 13 years of age, you should not collect any PII on your site without the knowledge and permission of the user's parent or guardian. If certain web pages within your site require users to be at least 13 years of age, anyone under 13 should be restricted from participating in the activities on those pages.
   (d) (Data security) You must take reasonable steps when collecting, creating, maintaining, using and disclosing PII to ensure that the data are accurate, complete and timely for the purposes for which they are to be used; and you must also implement reasonable security procedures, such as encryption, to protect PII (the MA data security regulations, for example, require encryption of personal information transmitted over public networks and stored on portable devices).
   (e) (User access) Inform users how to access and change the PII they have provided to you.
   (f) (Tracking and OBA) Disclose what tracking technology, if any (e.g. cookies), is used on the site. NAI (Network Advertising Initiative) and FTC guidance are pushing for standardization of (1) transparency about data collection practices and how collected data is used, and (2) easier access to opt-outs from tracking, even where tracking is provided through a third-party provider (e.g. analytics/optimization providers) rather than directly.

6. Self-regulatory compliance and industry best practice guidelines:
   Seal programs: BBB Online (http://www.bbbonline.com) or TRUSTe (http://www.truste.com). What significance? For discussion.

7. Winter/Spring 2012: FTC/White House/DoC initiatives: For discussion.
