Bits and Pieces
Neither CCPA nor COPRA is the first PDS statute by a long shot. Nearly a dozen federal statutes include PDS elements. Each is narrowly focused -- none are broadly applicable to privacy and data security concerns. Among the patchwork quilt of PDS statutes:
- CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing)
- COPPA (Children's Online Privacy Protection Act)
- FACTA (Fair and Accurate Credit Transactions Act)
- FCRA (Fair Credit Reporting Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- RFPA (Right to Financial Privacy Act)
- TCPA (Telephone Consumer Protection Act)
There are also some relevant rules:
- DNC (Do-Not-Call)
- Gramm-Leach-Bliley Privacy Rule and Safeguards Rule
- Red Flags Rule
- TSR (Telemarketing Sales Rule)
Regulate Us, Please
As is usual at this point in an area of rapidly evolving state enforcement, businesses that typically have opposed federal legislation now want federal legislation to save them from state efforts. Last spring, four major online advertising trade organizations (4A's, ANA, IAB and NAI) formed a coalition with top legal experts to work with Congress to support comprehensive consumer data privacy and security legislation. The coalition, Privacy America, recommends creating a new Data Protection Bureau within the FTC.
For years the online advertising industry tried to fend off federal regulation by self-regulating, and providing consumers with mechanisms to opt out of online targeting. Efforts for a universal Do-Not-Track (DNT) option failed. The major browsers added a DNT setting, but websites have no legal obligation to honor DNT settings.
Consumers generally understand that online content is "free" so long as websites are supported by advertising, but with ads also appearing on e-commerce sites, where they've become an additional revenue stream, this stretches the traditional ad-assisted model. Consumers may or may not understand that the prices paid to websites for ad inventory are a function of the narrowness of the site's audience.
Advertising technology now makes it possible for each ad impression (each ad space you see) to be submitted to real-time bidding by agents for advertisers. Adtech also makes it possible for consumers to block trackers and even block ads altogether. Each consumer who uses an adblocker becomes a free rider, putting more pressure on the website to generate more revenue from the unblocked ad impressions, and to purchase anti-adblocking technology, which diverts more money away from content development.
Other technology offers anonymous browsing and the ability to change IP addresses. Software developers will continue to develop more privacy-enhancing tools, and the most sophisticated consumers will make use of these self-help measures to protect their privacy. But what about everyone else?
There are two current legislative proposals before the Senate Commerce Committee, but COPRA has somehow stolen the limelight. Known as "the Democrats' bill" as a nod to its sponsors in the Senate, COPRA is an attempt to create a comprehensive PDS regime applying to all business sectors in the U.S.
The proposed statute for the first time would establish that American consumers have rights to their data. These rights would, under COPRA, include the right to access their data, to move their data, to restrict data sharing and sales, and to be able to grant (or withhold) rights to process that data.
COPRA contains many proposals, and it is, alas, merely the legislative equivalent of a discussion draft doomed to be marked up by Congress. Following are the things we believe probably will survive the legislative process, in this bill or another:
- The acknowledgment of some set of consumers' rights to control some of their data;
- A definition of "covered data" expanding consumers' rights beyond merely the information they provide businesses;
- A right by consumers to access, review and correct data;
- Consumers' right to control sale of some of their data;
- Disclosure by companies of where at least some of their data on the consumer originated; and
- Imposition upon companies holding data of duties to consumers, including posting privacy policies, creating training, and reporting to the responsible federal agency about their practices.
There are other proposed provisions that seem less likely to pass, if history is any guide. A statute that passes both houses is unlikely to include comprehensive rights for consumers to control all their data without regard to origin; a comprehensive "opt in" PDS regime; the right to move data at will; and a private right of action for damages.
One provision that has made a public splash in the news -- but it pays to be skeptical about it -- is the proposal for a new bureau at the FTC to handle privacy and data security matters. It's true that the FTC has been the most consistent regulator of PDS for nearly three decades. It's also true that given the history, the FTC is the logical place to house a regulator of PDS.
However, that same recent history counsels skepticism. After all, the FTC was the ideal place for the new regulator of consumer financial practices, but that's not where CFPB ended up. Then there's another reason to be skeptical: the bizarre sight of FTC commissioners testifying in Congress and begging lawmakers to not
The Republican bill differs significantly from the Democrats' bill in that it would preempt state laws and, like the CCPA, does not provide for a private right of action. Both the Republican and Democratic bills give lip service to providing the FTC with more resources.
Checklist for E-Commerce Companies
Given the historical moment that confronts us -- the imminence of PDS legislation, the rapid development by all of the states of unique approaches, and the characteristic inability of Congress to pass laws -- what should e-commerce businesses do? We have a few suggestions:
- Conduct a data audit. What do you have, where is it coming from, where is it stored, and where is it going? If you don't need it, stop collecting it. This is part of basic data hygiene.
- Get contracts in place in both directions -- inbound and outbound.
- Review the data security provisions in your data storage agreements. You may be unpleasantly surprised about the terms of your agreements.
- Review your data breach insurance.
- Review your contractual obligations in the event of a data breach. Watch out for open-ended indemnities.
- Determine what your legal responsibilities actually are now. If you do business in the EU, get compliant with GDPR. (There are American lawyers who are experts in GDPR.) If you do business in or are located in California, get compliant with CCPA. Check your state laws: They have a more immediate impact on your business than GDPR, CCPA or the anticipated federal legislation.
- Update compliance with existing PDS laws and regulations. As of now, the patchwork of federal statutes and rules mentioned above are the law. It's entirely possible that compliance with existing law will grandfather you into whatever comes down the road from Washington. At the very least, updating or polishing your compliance program will give you a good foundation to leap up to the next big thing, whatever it is.
In any case, no matter what your situation, find an experienced compliance lawyer to guide you. Many e-commerce businesses shy away from any discussion of a compliance program, because the burden seems so extreme.
The truth is, no one needs to start from scratch to build a comprehensive compliance structure. A compliance lawyer can help you prioritize by identifying what compliance policies you need right now, what you can save for later, and what you don't need at all.
Brad M. Elbein is a partner with the Atlanta offices of Culhane Meadows PLLC and former regional director of two regional offices of the FTC. His practice includes advertising, Internet marketing, the regulation of consumer financial products, and defense of government investigations.
Beth A. Fulkerson is a partner with the Chicago office of Culhane Meadows, PLLC. She formerly served as the chief privacy officer for Encyclopaedia Britannica and Merriam-Webster, and senior counsel for Tribune Media. Her expertise includes e-commerce, privacy & data security, and the Internet of Things.
With 70 partners in 10 offices across the U.S., uniquely structured and cloud-based Culhane Meadows utilizes its Disruptive Law business model to deliver outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. US News & World Report has named Culhane Meadows among the country's "Best Law Firms" in its 2014 through 2019 rankings.