2015 Privacy Year In Review
© 2016 Winston & Strawn LLP

In 2015, there was intense scrutiny on privacy and data security on multiple fronts. From cross-border data flow issues to breakneck developments in state data breach laws, 2015 was a busy year. Winston & Strawn has again put together its Privacy Year in Review, summarizing the biggest developments of 2015. This summary serves as a roadmap for general counsel, chief privacy officers, chief information security officers, chief financial officers, and other senior leaders as they plan for 2016.

Summary of Contents
The Impact of the “Death of Safe Harbor” (Is It Really Dead?)
Increasing Desire to Obtain “Big Data” and Combine It with Internal Information
Breakneck Change In US Data Breach Laws
Confusion In the Case Law Around What Constitutes “Harm” for Data Breach Cases
The Challenges Around Managing “Programmatic Buying” and OBA
Consumer Tracking On Steroids
Ongoing Developments In Consumer Texting
Preparations for EU Privacy Law Changes

Winston Privacy Institute
The Winston Privacy Institute brings together events, training, and education on cutting-edge privacy issues.

The Impact of the “Death of Safe Harbor” (Is It Really Dead?)
The Snowden revelation that the US conducted surveillance on citizens of other countries had a significant impact in 2015, including on the transfer of personal data from the EU to the US. In early October, the European Court of Justice concluded that an earlier decision (Decision 2000/250) was invalid. In that decision, the European Commission had concluded that the “safe harbor” program between the EU and the US constituted a valid basis for the transfer of personal data between the two regions. That decision also addressed a requirement under the EU Privacy Directive that personal data could not be sent outside of the EU unless the destination country’s laws provided “adequate protection” for personal information.
The US privacy laws were not viewed as adequate. As a result of the ECJ ruling, companies had to consider the viability of other options for transferring data, such as:
(1) entering into a transfer agreement using EU-approved “model clauses;”
(2) putting in place binding corporate rules (which would need to be approved by an EU data protection authority);
(3) obtaining consent from the individual (an option that is not always available); or
(4) falling within an exception, such as the need to transfer for reasons of substantial public interest.

Some EU data protection authorities clarified that safe harbor might still be a basis under which an EU entity could transfer personal information, notwithstanding the ECJ decision. The decision concluded only that there could not be a presumption that a transfer was acceptable merely because the US recipient participated in safe harbor. At the end of 2015, companies started scrambling to ensure that they had proper mechanisms in place to send (EU entities) and to receive (US entities) personal information. At the same time, negotiations between the US and the EU proceeded very quickly to develop a “safe harbor 2.0” that could be implemented by early 2016. In the meantime, the US Department of Commerce continued to accept safe harbor filings from US entities.

Increasing Desire to Obtain “Big Data” and Combine It with Internal Information
In 2015, the exploding use of smartphones, social networks, and cloud computing resulted in an increased ability—and desire—to collect and combine data. “Big data” is not only on companies’ radars; it is on regulators’ radars as well. Some studies suggest that the digital universe is doubling every two years and will reach 40,000 exabytes by 2020.
(A single exabyte is equivalent to 20 billion filing cabinets’ worth of text.[1]) The speed at which this data can be processed is equally impressive. Companies can use real-time or nearly real-time information to get ahead of competitors. For example, on Black Friday, MIT Media Lab used location data from mobile phones to track the number of cars in Macy’s parking lots.[2] This made it possible to estimate the retailer’s sales on that critical day, even before Macy’s had recorded those sales. The variety among this data allows companies to piece together information on any topic of interest. Mobile phones, online shopping, social networks, electronic communication, and GPS all produce torrents of data as a by-product of their ordinary operations.[3]

Once a company has amassed an arsenal of information about its customers, the next logical step is putting this data to good use. In 2015, companies grappled with how to combine information from multiple sources without running afoul of a variety of laws, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act, the Electronic Communications Privacy Act, and state-level laws (the California Online Privacy Protection Act and the California Shine the Light law). Companies also took into account unfair and deceptive trade practice laws (UDAP statutes), which “turn into law” a company’s representations about how it will use individuals’ information.

As we enter 2016, companies interested in using big data to better understand—and market to—their customers need to understand not only the technologies and tools available to them, but also the patchwork of laws and regulatory frameworks that govern how information can be shared. These laws affect both how information can be shared inside and outside of an organization (typically done to get more big data) and whether the big data obtained can be combined with the existing information that a company holds about an individual.

[1] See Dennis McCafferty, “Surprising Statistics About Big Data,” Baseline Magazine (Feb. 2014).
[2] See Andrew McAfee & Erik Brynjolfsson, “Big Data: The Management Revolution,” Harvard Business Review, 63 (Oct. 2012).
[3] Id.

Breakneck Change In US Data Breach Laws
Nine states (California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington, and Wyoming) tweaked their general data breach notification statutes in 2015, making it potentially more confusing for companies to keep track of how to provide notice in the event of a nationwide data incident. Of note among the changes, Rhode Island created a 45-day deadline to provide notice after confirmation of the breach (effective in June 2016), and Connecticut created a 90-day deadline—and a requirement to provide identity theft mitigation or prevention services for at least 12 months. California’s law, beginning January 1, 2016, requires companies sending notice to impacted individuals to use specific headings in their notices, and requires that the notice be in at least 10-point font. Use of the form below would fulfill the law’s requirements:

[Name of Institution/Logo]
Date: [Insert Date]

Notice of Data Breach

What happened?
What information was involved?
What we are doing.
What you can do.
Other important information.
[Insert other important information]
For more information.
Call [telephone number] or go to [internet web site]

For the purposes of substitute notice, the California amendment also clarifies that “conspicuous notice” means:
• The notice must be posted on the notifying entity’s website for a minimum of 30 days and include a link to the notice on the home page or the first significant page after entering the website; and
• The notice must be in larger font than the surrounding text, or in contrasting type, font, or color than the surrounding text, or be set off from the surrounding text by symbols or other attention-drawing marks.

Confusion In the Case Law Around What Constitutes “Harm” for Data Breach Cases
Plaintiffs’ counsel in the US have continued to file lawsuits after companies announce a data breach. A common argument in seeking to dismiss these cases has been that the impacted individuals have not suffered any harm sufficient to sustain the cause of action. Courts in 2015 were split over what constitutes sufficient harm.

On one side are the cases that have been dismissed for failure to establish harm. For example, in 2015 a Pennsylvania court dismissed two consolidated consumer class actions concerning a data breach involving the computer system of defendant Paytime, Inc. for lack of standing. In that case, the breach resulted in unauthorized access to consumers’ social security numbers and bank account information, among other personal information. The court held that the plaintiffs failed to establish standing because they did not allege that they had suffered any form of identity theft as a direct result of the breach.
The court recognized the nuisance of credit monitoring due to the increased threat of data breaches, but stated that “require[ing] companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to businesses.” Storm v. Paytime, Inc., Case No. 14-cv-1138 (M.D. Pa. 2015).

On the other side are cases that have survived the “harm” hurdle. Notably, in 2015, the Seventh Circuit reversed the dismissal of a lawsuit brought against Neiman Marcus after it suffered a data breach, finding that the risk of harm to the 350,000 people whose credit card numbers were exposed during the breach was “very real and immediate.” In support of its conclusion, the court noted that 9,200 cards had already been used to make fraudulent charges. The Seventh Circuit distinguished data breach cases from the Supreme Court decision in Clapper v. Amnesty Int’l USA, which held that the risk that government agencies were spying on the plaintiffs was speculative. Instead, Judge Wood—writing for the unanimous panel—found that the only reason a hacker would have attacked the retailer’s system was to engage in fraud. Moreover, there was no reason to make the consumers wait for an actual fraud to be perpetrated before taking action.

The Challenges Around Managing “Programmatic Buying” and OBA
You say potato. I say potahto. Programmatic buying, interest-based advertising, online behavioral advertising (OBA), and other catch-phrases generally refer to the automated placement of advertising in the digital space based on individuals’ behaviors.
Such advertising—referred to in the legal space as “interest-based advertising” (at least this year)—is subject in the US to the Digital Advertising Alliance (DAA) Self-Regulatory Program, enforced by the Online Internet-Based Advertising Accountability Program. Under that program, companies engaging in these activities need to give consumers the ability to opt out. In Europe, consumers need to be given an opportunity to opt in.

The Accountability Program conducted several investigations in the US in 2015, including against Etsy, 247 Sports, and Imgur. The websites in question disclosed their information collection and sharing practices, but failed to provide enhanced notice about information collection and use for OBA through the requisite stand-alone link on each page of the respective websites. TWiT, the company that was the subject of the fourth decision, acknowledged that it did not provide such notice because it was not aware of the Program’s Principles. In each of the four cases, the company at issue agreed to bring its OBA practices into compliance with those Principles.

The Accountability Program also brought cases in 2015 against those engaged in “native advertising” (ads that look similar to the surrounding online content; for example, sponsored content or promoted stories on social media). In one case, which was administratively closed, the company in question provided a “content recommendation widget” that places promoted stories on publishers’ websites. These recommendations may be based in part on consumers’ browsing behavior across websites and over time. The Accountability Program was concerned that the recommendation widget was not compliant with the notice and choice requirements. The company responded that it had already begun taking remedial steps to address these concerns. Toward the end of 2015, the Accountability Program also indicated that it would start enforcing the mobile portion of its program.
To address opt-outs in mobile, the DAA earlier this year launched the AppChoices app, a tool that lets consumers opt out of cross-app collection.

Consumer Tracking on Steroids
From drones to GPS to cross-device tracking, the ways in which companies track consumers have grown significantly. With the significant proliferation of such tracking, regulation follows. For example, the FTC held a workshop on cross-device consumer tracking issues on November 6, 2015. On the same day, the Digital Advertising Alliance (DAA) released its Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices. This guidance builds upon the framework of the DAA’s existing Principles for Online Behavioral Advertising, Multi-Site Data, and the Mobile Environment. The new guidance extends the DAA’s transparency and control principles to situations where an entity collects and uses information about a user from across different browsers and devices.

Under the new DAA guidance, entities collecting multi-site data and cross-app data from a particular browser or device for use on a different browser or device need to disclose this in their website notice. The notice should also include a link either to a mechanism where users can exercise control over how their data is collected, or to a list of all third parties engaged in these data collection practices through the entity’s website. The guidance further states that users should be able to control whether their information is collected across devices or transferred to a third party for that purpose. Ultimately, regardless of the type of tracking in which a company is engaged, it is clear that the company should provide consumers with meaningful notice and choice regarding those practices.
Ongoing Developments In Consumer Texting
The world of text message enforcement in the US continued to be busy in 2015. Cases were filed, and cases settled. Of note, Abercrombie & Fitch Co. and Hollister Co. settled for $10 million a class action lawsuit in which they were alleged to have sent text messages to consumers’ cell phones without the consumers’ prior express written consent, violating the Telephone Consumer Protection Act (TCPA). According to the complaint, the defendants sent unsolicited advertising text messages to more than 3.7 million consumers, beginning as early as August 2010, without appropriate consent. The complaint also alleged that the messages did not include an opt-out mechanism, despite the fact that the “text terms” on both companies’ websites stated that people could opt out of texts by replying “STOP” to any message.

Western Union settled a case for $8.5 million over similar allegations. During a 2009 marketing campaign, it sent unsolicited text messages asking consumers to opt in to receive regular updates from the company. Plaintiffs alleged that they never consented to receive Western Union’s initial opt-in text, and that the company therefore violated the TCPA. Western Union countered that the message did not constitute advertising (being instead a request to see if people wanted to get advertising texts), and that, as such, express written consent was unnecessary. Notwithstanding this argument, Western Union agreed to settle the matter with a payment of $8.5 million (almost $3 million of which was for attorneys’ fees).

In further text message activity in the US, the Federal Communications Commission clarified requirements under the TCPA for certain calls and text messages to consumers.
The TCPA requires prior express consent for autodialed, prerecorded, or artificial voice calls to wireless phone numbers and for prerecorded telemarketing calls to residential lines. The recipient’s consent must be in writing (and signed) if the autodialed call constitutes telemarketing or introduces advertising. In a series of “declaratory rulings,” the FCC reminded companies that an “autodialer” is any technology with the capacity to dial random or sequential numbers, and that equipment used to send Internet-to-phone text messages is an autodialer, so the caller must have the consumer’s consent before calling. The FCC also indicated that consumers have the right to revoke their consent to receive calls and texts “in any reasonable way at any time,” suggesting that companies may need to be prepared to accept and process an opt-out request regardless of how it is received (e.g., in person at a retail establishment, or by email).

Preparations for EU Privacy Law Changes
In 2015, companies worried about—and prepared for—the EU General Data Protection Regulation (GDPR). First proposed in 2012, the comprehensive regulation was finalized by the European Commission, Parliament, and Council in December 2015. The GDPR will become effective two years from the date it is published in the Official Journal of the EU. Unlike the current EU Data Privacy Directive, the GDPR is a regulation and will require no implementing legislation from the EU member states to become effective. The GDPR impacts companies operating in Europe, including multinationals. Indeed, its scope includes any entity that handles information about EU citizens. Under the GDPR, companies must, inter alia, give individuals a “right to be forgotten;” in many circumstances have an independent data officer overseeing privacy; and obtain individuals’ consent before processing their information (subject to certain exceptions).
The regulation further provides for notification to national supervisory authorities in the event of a data breach and requires companies to implement a “privacy by design” approach. The GDPR anticipates penalties of up to two percent of annual global sales. In anticipation of these and other requirements, companies with EU operations have been reviewing their current practices, policies, and guidelines to ensure they are ready to face the GDPR once it goes into effect.

About Winston & Strawn
Winston & Strawn LLP is an international law firm with more than 850 attorneys across 18 offices in Beijing, Brussels, Charlotte, Chicago, Dubai, Hong Kong, Houston, London, Los Angeles, Moscow, New York, Newark, Paris, San Francisco, Shanghai, Silicon Valley, Taipei, and Washington, D.C. The exceptional depth and geographic reach of our resources enable Winston & Strawn to manage virtually every type of business-related legal issue. We serve the needs of enterprises of all types and sizes, in both the private and the public sector. We understand that clients are looking for value beyond just legal expertise. With this in mind, we work hard to understand the level of involvement our clients want from us. We take time to learn about our clients’ organizations and their business objectives. And we place significant emphasis on technology and teamwork in an effort to respond quickly and effectively to our clients’ needs. Visit winston.com if you would like more information about our legal services, our experience, or the industries we serve.

Attorney advertising materials. Winston & Strawn is a global law firm operating through various separate and distinct legal entities.