On December 4, 2018, New York Attorney General Barbara D. Underwood announced a $4.95 million settlement with Oath, Inc. (f/k/a AOL Inc.), a wholly-owned subsidiary of Verizon Communications, Inc., for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) as a result of its involvement with online behavioral advertising auctions. This settlement represents the largest penalty ever in a COPPA enforcement matter in U.S. history.

Through its investigation, the New York Attorney General’s Office discovered that AOL collected, used, and disclosed personal information of website users under the age of 13 without parental consent in violation of COPPA. Specifically, the company was charged with having “conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13.” The New York Attorney General found that AOL operated several ad exchanges and permitted clients to use its display ad exchange to sell ad space on COPPA-covered websites, despite the fact that the exchange was not capable of conducting a COPPA-compliant auction that involved third-party bidders. AOL was charged with having knowledge that these websites were subject to COPPA because evidence demonstrated that: (i) several AOL clients had provided AOL with notice that their websites were subject to COPPA and (ii) AOL had conducted a review of the content and privacy policies of client websites and had designated certain websites as being child-directed. Additionally, the New York Attorney General charged AOL with having placed ads through other exchanges in violation of COPPA. Specifically, whenever AOL participated in and won an auction for ad space on a COPPA-covered website, AOL ignored any information it received from an ad exchange indicating that the ad space was subject to COPPA and collected information about the website users to serve a targeted advertisement to the users.

A few months ago we posted an update on the California Consumer Privacy Act, a mini-GDPR that contains serious privacy ramifications for the U.S. privacy landscape. Likely in response to the upcoming 2020 go-live for the California law, various groups have noticed an uptick in lobbying directed at the passage of a federal privacy law that would pre-empt the California law and help harmonize the various state laws. Pushing to the front of that effort is a new draft federal privacy law proposed by Intel.

The Intel law looks to be written specifically to pre-empt the California law, as it contains language that would pre-empt any State law with civil provisions designed to reduce privacy risk through the regulation of personal data. This pre-emption contains limited exceptions for state data-breach, contract, consumer protection, and various other laws, but it would drive a hole through California’s law. Furthermore, Intel’s proposed law could pre-empt various specific laws such as Illinois’s biometric data protection law, and, because it does not include any notice provision, it would rely on the state breach-notification statutes to surface violations in the first place.

Beyond frustrating state attempts at personal information regulation, the law creates penalty caps that result in disproportionate punishments for smaller and mid-size security incidents and allow larger incidents, typical of a larger company, to operate on an eat-the-fine basis. For example: the Equifax breach from earlier this year affected 143 million Americans. If regulators chose to bring an action, the maximum penalties for the action could be up to $16,500 per violation, which works out to a maximum penalty of 2.3 trillion dollars. The penalty cap, however, was set at 1 billion dollars, meaning the largest data breaches will face the lowest penalty per impacted individual.

Our take

This proposed national privacy law would primarily serve the interests of the largest players in the tech and data industry, while providing harsher relative penalties to smaller and mid-size players. This law or something similar is likely to see serious political debate in the next few years as lobbying efforts intensify. Expect the heat to turn up as we near January 1, 2020.

In a recent letter to the Federal Trade Commission (“FTC”), Senators Edward J. Markey (D-Mass) and Richard Blumenthal (D-Conn) expressed their concern regarding a recent study, which “indicates that numerous apps directed at children have been accessing geolocation data and transmitting persistent identifiers without parental consent” in violation of the Children’s Online Privacy Protection Act of 1998 (“COPPA”). In addition, the senators voiced concerns that parents are being misled by app developers, the advertising companies they work with, and app stores because such apps are placed in the “kids” or “families” sections of app stores. In other words, these apps should not be marketed as appropriate for children if they are engaging in activity that violates COPPA. The senators urged the FTC to review the extent to which app developers, advertising companies, and app stores are complying with COPPA. The senators requested a response from the FTC by October 31.

The study referenced in the senators’ letter consisted of a review of 5,855 “child-friendly” apps for compliance with COPPA. The researchers found that approximately 57% of these apps were engaging in activity prohibited by COPPA. For example, the researchers concluded that over 1,000 of the apps analyzed shared persistent identifiers with third parties. Furthermore, they found that 235 of the apps analyzed accessed geolocation information without verifiable parental consent, with a number of apps also sharing this information with advertising companies.

A copy of the senators’ letter to the FTC can be found here.

Our take

COPPA was designed to protect children under the age of 13 from overreaching by marketers by providing parents control over what information is collected from their young children online. This increased scrutiny by lawmakers of the data collection and use practices of child-friendly apps should serve as a reminder for app developers to review their products, and the terms of their agreements with the advertising companies they work with, for compliance with COPPA.

Effective January 1, 2020, California will require manufacturers of “connected devices” to equip those devices with reasonable security features. An example of a reasonable security feature (provided in the bill) would be to assign each device a unique password or to prompt the user to generate a password on setup.

This new law follows a trend that has been gathering steam since 2015, when the FTC provided security guidance to Internet of Things device manufacturers. Just a year later, the Mirai botnet used a DDoS attack to take down a number of popular web services, in one of the first major Internet of Things attacks. DDoS attacks leverage the internet connections (bandwidth) of large numbers of unsuspecting persons. First, the bad actor infects the person’s device with malware. Then these devices can be remotely forced to connect simultaneously to various targets (think Netflix), overwhelming their ability to communicate and shutting down the service. These types of large-scale attacks are especially dangerous in the Internet of Things context, where otherwise innocuous devices such as light fixtures, DVRs, toasters, pet feeders, and countless others begin to come online.

While this new bill asks very little of manufacturers, it is a crucial first step that will force manufacturers of internet-connected devices to put in place at least some common-sense security features.

Our take

This new bill requires very little of manufacturers and provides very little in terms of security for consumers. To address Internet of Things security, both regulators and companies need to provide platforms and standards that are easy to integrate, update, and adopt.

Just last month, the National Institute of Standards and Technology (“NIST”), in concert with the National Cybersecurity Center of Excellence (“NCCoE”), jointly published a behemoth guide to securing Electronic Health Records (“EHR”) on mobile devices.

The guide is a reaction to the growing number of issues with EHR in the mobile application context, as healthcare organizations often have poor EHR integration with their mobile apps. Mobile devices have so many obvious benefits, from patient communication to care coordination, that organizations are going with an “implement first, secure later” approach, creating major headaches down the road when the inevitable security incident occurs. In their guide, NIST and NCCoE provide a full analysis of provider-side access risks, where the provider adds patient information into an EHR system through a mobile device and that same EHR data is accessed elsewhere by another provider via a separate mobile device.

The guide provides a roadmap for healthcare organizations that:

  • maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule
  • provides a detailed architecture and capabilities that address security controls
  • facilitates ease of use through automated configuration of security controls
  • addresses the need for different types of implementation, whether in-house or outsourced
  • provides a how-to for implementers and security engineers seeking to re-create or reference the design in whole or in part

We recommend reviewing the guide during the planning phase of any EHR-related mobile application implementation. For a quick overview of the guide, see the one-page fact sheet here.

Our take

The guide provides a timely and valuable starting point for CIOs and Privacy Officers who are considering a mobile app implementation. At a high level, §8’s Risk Questionnaire (page 216) provides a great resource for those organizations looking to understand the types of questions they need to ask when selecting a cloud-based EHR vendor. The tables that follow these questionnaires will help an engaged leader to understand the universe and severity of the risks that come with the move to mobile.

On August 24, 2018, the California Legislature published the first round of proposed amendments to the California Consumer Privacy Act, which was signed into law on June 28, 2018 and would take effect January 2020. The full text with amendments can be found here. Here are our major highlights:

The proposal narrows slightly the previously expansive definition of “personal information,” which previously included information such as a user’s IP address. Now “personal information” will require the information to be capable of being associated with a particular consumer or household. This helps minimize some of the runaway impacts of the previously expansive definition without losing its all-inclusive character. The proposal also pushes back the January 2020 deadline to July 2020 for the Attorney General to implement and draft mandated regulations. This will cause major compliance risk for organizations, as the law will be “effective” for some time without clear guidance from regulators.

On the health-privacy front, the law had only provided an exemption for covered entities under HIPAA, creating confusion and compliance concerns for holders of healthcare data about whether this exemption also covered business associates. New amendments now expand the exemption to include business associates. Financial privacy also received clarification, with the GLBA receiving an exemption (while preserving consumers’ right to sue in case of a breach) instead of the previous ambiguous exemption that applied only where there was a “conflict.”

Our take

The real story in these proposed amendments is that they change very little. Industry groups will be happy that the newly narrowed personal information definition is something they can work with, but consumers managed to preserve many of their major rights in this first revision. The right to opt-out will remain a serious battle going forward as the deletion of customer data is both difficult and expensive for industry to implement.

Two developments last month concerning the EU-US Privacy Shield (the mechanism designed by the US Department of Commerce and the European Commission to allow US companies to transfer personal data from the EU to the US) highlight the ongoing tension between the EU and US approaches to privacy, particularly post-GDPR. First, the US Federal Trade Commission announced an agreement with a California company, settling allegations that the company falsely claimed in its website privacy policy to be in the process of self-certification with the Privacy Shield, when in fact it had begun the application process but failed to complete all the steps. The FTC Chairman stated that the settlement “demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.” A few days later, the European Parliament passed a non-binding resolution to suspend the EU-US Privacy Shield unless the US becomes fully compliant by September 1, 2018. In finding that the Privacy Shield does not provide adequate protection, the European Parliament cited among its reasons the fact that non-US citizens have been excluded from the protections of the Privacy Act by executive order, the fact that the US has failed to appoint any independent supervisory authority, and the fact that there is insufficient monitoring and enforcement.