California Assembly Select Committee on Privacy Holds Hearing

Led by Chair Ed Chau, the California Assembly Select Committee on Privacy conducted a hearing today on the collecting, sharing and tracking of personal information online and in the mobile app ecosystem. Industry advocates discouraged new "static" state laws that might inadvertently stifle the fast-moving, innovative and growing mobile app economy, while consumer groups advocated for laws that protect a user’s right to know what personal information is being shared and how it will be used, and a right to meaningfully opt out of data collection.

Privacy issues are hot for the California Legislature, due to 29 pending bills in areas such as privacy of personal information online and on mobile devices, public agency access to and use of Personally Identifiable Information (PII), medical information, data breach notification, government use and warrant issues, drones (which can conduct unmanned searches), and employer access to social media.

The key question discussed was to what extent personal information is collected and shared on the Internet.  On the one hand, the collecting and selling of personal information for purposes of targeted advertising drives the Internet economy where users expect things to be free in exchange for looking at ads.  On the other hand, the collecting and sharing of personal information — including tracking of online behavior and geo-location — rubs some users the wrong way from a privacy standpoint.

Professor Robin Feldman, Director of UC Hastings’ Law and Bioscience Project and Co-Director of the Privacy and Technology Project, reviewed federal privacy law, noting that there is no privacy right explicitly set forth in the U.S. Constitution, but one has been cobbled together by the federal courts from the First (privacy of belief), Fourth (protection from unreasonable searches), Fifth (can’t be forced to reveal self-incriminating information) and Fourteenth (implicit protections of privacy) Amendments. She pointed to two key federal laws: (1) the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which covers protection of patients’ medical information by health plans, pharmacies, and hospitals, and (2) the Gramm-Leach-Bliley Act, which requires financial companies to explain their information sharing practices to customers and to safeguard sensitive data.

At the state level, Professor Feldman highlighted that California’s Constitution expressly protects an individual’s right to privacy. As a result, it is an aggressive state in terms of protecting its residents’ privacy rights, and a trailblazer among states on online privacy issues. California’s "Shine the Light" law is a 2003 privacy law that addresses the practice of sharing customers’ personal information for marketing purposes (governing data brokers). The California Online Privacy Protection Act (Cal OPPA) requires website operators that collect PII from California consumers to conspicuously post and comply with a privacy policy identifying what PII the operator collects and the categories of third parties with whom it may share the information. She highlighted that California Attorney General Kamala Harris has interpreted Cal OPPA protections to extend to the wireless online world, striking agreements with major operators of mobile application platforms on a Joint Statement of Principles in 2012.

The European Union (EU) is strikingly different in approach from the U.S. The EU Data Privacy Directive and Draft Data Protection Regulation require EU member states to enact their own national data protection laws in harmony with principles laid out in the Directives. The problem is that the member states pass their own laws, often with very differing provisions, creating a patchwork quilt of laws across the EU. Any U.S. mobile app company with a single user in an EU member state is subject to the privacy law of that state. Actual enforcement is spotty, however, said Professor Feldman. Aleecia McDonald, Director of Privacy at the Stanford Center for Internet and Society, added that the UK model is "implied consent," meaning that a website may state "We use cookies" on the home page, and if the user does not leave the site, there is implied consent to the website’s use of the cookie. McDonald contrasted this with the approach of the Netherlands, where actual consent is required.

"Do Not Track" is a proposed system that would allow consumers to avoid being tracked as they browse the Web. Federal Trade Commission (FTC) Chair Leibowitz, FTC staff, House staff and the World Wide Web Consortium have advocated for this approach. McDonald seemed concerned about the Do Not Track mechanism that would allow a consumer to opt out of tracking, noting that many websites and apps already ignore Digital Millennium Copyright Act (DMCA) signals. She advocated a "balanced" law that would set a common baseline for online companies so both companies and users would know what to expect.

Joanne McNabb, Director of Privacy Education and Policy with the California Department of Justice, pointed to its 2013 white paper "Privacy on the Go," which sets forth privacy best practices, including data privacy for mobile apps. She said the overarching theme is "no surprises," meaning giving users clear notice and getting consent as to sensitive data. She said mobile app companies should build in consumer privacy protections at every stage in developing their products, such as reasonable security for consumer data, limited collection and retention of the data, and reasonable ways to ensure data accuracy. She also advocated for cross-platform privacy settings, moving away from persistent tracking, strong disclosure of policies to users (transparency) and limiting use of PII.

Laura Berger, FTC Attorney, Division of Privacy and Identity Protection, said the FTC pursues Fair Credit Reporting Act and Gramm-Leach-Bliley Act cases. The FTC picks cases where there was unfair competition (a mobile app case where default settings were too risky) or where deception of the consumer took place, citing the Path, HTC America and W3 Innovations cases. The FTC has a Mobile Apps for Kids report, giving suggestions to app developers to include simple and short privacy policies/disclosures formatted in a way that is appropriate for a small screen, and to alert parents if the app connects with social media or allows targeted advertising. The agency advocates for app stores to have more consistent ways for developers to display information collection practices, perhaps using a universal icon approach.

The FTC also gives guidance on data collection and retention practices; data collection, Berger said, is becoming ubiquitous. "Consumers do not realize the collection of data is occurring," said Berger. "Some is bad, some is good." She warned that, cumulatively, advertisers and data brokers may end up with very detailed information about a specific user, particularly if the user uses the same username across many apps. She asked all players in the mobile ecosystem to work together to improve disclosures.

Two consumer groups appeared at the hearing: Beth Givens, Director of the Privacy Rights Clearinghouse, and Chris Conley for the ACLU of Northern California. Givens described her group as the "Dear Abby" of privacy complaints. She noted that consumers cannot get a copy from data brokers of what data a third party can buy about that consumer, unlike a credit report. She also said correcting wrong information is very difficult. She applauded a 2011 California law that gave victims of stalking and domestic violence the ability to opt out of data collection about them that could be sold to a third party, and encouraged that the law be expanded.

Givens also highlighted the Fair Information Practice Principles (FIPPs), which she termed the building blocks of privacy practices. FIPPs are a set of internationally recognized practices for addressing the privacy of information about individuals, dating back to the Seventies. From there came concepts about transparency (notice of information collection practices), control by the individual over information collected about oneself, and limits on data collection and retention.

ACLU’s Conley acknowledged the challenges of protecting privacy while advancing innovative technology in the mobile space. He emphasized focusing on the information being protected, not the technology. He believes the concept of transparency is very important so the consumer knows what happens to the information. But he felt the consumer should be shown the specific type of data that was going to be shared and with whom it would be shared. As an example, he warned users who let third-party apps access their Facebook page that such an app may now know who all your friends are, your marital status, your interests, and where you go.

Two industry panelists also appeared. Ron Barnes, VP of State Affairs for the Direct Marketing Association, said his industry tries to get ads in front of consumers who may have interest in a product or service at the right time. The industry has agreed to seven principles for online marketing practices, including giving the consumer choices to opt out. He said last year 12 million people visited the site to learn more about the opt-out option, but only 1 million (8%) actually chose to opt out. Barnes advocated for a self-regulatory environment, and reminded the Committee we were only six years out from the launch of the iPhone and the creation of the new Apps Economy.

Robert Callahan, California Director of State Government for TechAmerica, pointed out that the technology sector is a big economic driver. He said his members take privacy issues very seriously, and that their business model depends on trust between the company and the user. He claimed that privacy is a marketplace differentiator. He advocated for approaches that use industry standards and self-regulation, warning that the mobile economy needs to be adaptable, nimble, and flexible. He asked policy makers to use care in adopting laws that may become static given the very rapid pace of technology in the mobile app ecosystem.