
COPRA May Be Coming, and It's Not Too Soon to Prepare

All eyes are on the West Coast as the state of California reins in the unfettered collection, use and sale of the personal data consumers share as part of the bargain for "free" online services. For years this bargain has been explained in privacy policies that few people read, because there is not a lot of negotiating in the personal data market. The California Consumer Privacy Act (CCPA) gives consumers revolutionary rights to access, delete, transfer, and prevent the sale of their data.

As revolutionary as the CCPA is, there are even more significant privacy and data security law developments brewing on the other side of the continent. In Washington, D.C., for the first time in history, Congress is giving serious consideration to legislation providing comprehensive privacy and data security (PDS). A confluence of unlikely events makes it more likely than ever that Congress actually will pass PDS legislation introduced at the end of November as the Consumer Online Privacy Rights Act (COPRA).

Bits and Pieces

Neither CCPA nor COPRA is the first PDS statute by a long shot. Nearly a dozen federal statutes include PDS elements. Each is narrowly focused -- none are broadly applicable to privacy and data security concerns. Among the patchwork quilt of PDS statutes:
  • CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing)
  • COPPA (Children's Online Privacy Protection Act)
  • FACTA (Fair and Accurate Credit Transactions Act)
  • FCRA (Fair Credit Reporting Act)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • RFPA (Right to Financial Privacy Act)
  • TCPA (Telephone Consumer Protection Act)

There are also some relevant rules:

  • DNC (Do-Not-Call)
  • Gramm-Leach-Bliley Privacy Rule and Safeguards Rule
  • Red Flags Rule
  • TSR (Telemarketing Sales Rule)

The granddaddy statute of them all, Section 5 of the FTC Act, provides the foundation for many of these laws and a majority of the enforcement activity. The FTC for years has led enforcement efforts against bad actors and provided industry with guidelines. The FTC's 2012 report on protecting consumers set forth best practices for businesses. Among its recommendations: privacy by design (consumer privacy should be considered at every stage of product development); do-not-track mechanisms; and greater transparency. It also recommended -- in 2012 -- that Congress consider enacting general privacy legislation, legislation regulating data brokers, and data security and breach notification legislation.

Existing PDS laws are not just split among a witches' brew of federal statutes. They also are split among the 50 states' laws. All 50 state legislatures have passed data security breach laws, and they continue to amend them. A collage of state laws was relatively manageable in the brick-and-mortar world. Now it is a compliance nightmare. There are so many PDS laws that there is a need for a solution that might have been imagined by Tolkien: one statute to rule them all. Surprisingly, Congress appears to have stepped up to provide it in the form of COPRA.

Why now? One, Silicon Valley is an easy political target. The immense wealth of Facebook and Google suggests that consumers have not received a fair bargain in the trade of free online services for personal data. Two, the FTC brought actions against each of those companies for data privacy violations and settled for amounts that congressional Democrats have ridiculed as entirely too low to incentivize better behavior. Three, the Cambridge Analytica scandal revealed how profiling can be used for nefarious purposes. Four, the European Union's GDPR has provided a model for how to give consumers control over their own personal information. European PDS law might be ignored, but California stepping alone into the breach is an embarrassment to Congress and carries the threat of businesses having to contend with 50 comprehensive (and conflicting) PDS statutes coming from the states.

Regulate Us, Please

As is usual at this point in an area of rapidly evolving state enforcement, businesses that typically have opposed federal legislation now want federal legislation to save them from state efforts. Last spring, four major online advertising trade organizations (4A's, ANA, IAB and NAI) formed a coalition with top legal experts to work with Congress to support comprehensive consumer data privacy and security legislation. The coalition, Privacy America, recommends creating a new Data Protection Bureau within the FTC.

For years the online advertising industry tried to fend off federal regulation by self-regulating, and providing consumers with mechanisms to opt out of online targeting. Efforts for a universal Do-Not-Track (DNT) option failed. The major browsers added a DNT setting, but websites have no legal obligation to honor DNT settings.

Consumers generally understand that online content is "free" so long as websites are supported by advertising, but with ads also appearing on e-commerce sites, where they've become an additional revenue stream, this stretches the traditional ad-assisted model. Consumers may or may not understand that the prices paid to websites for ad inventory are a function of the narrowness of the site's audience.

Advertising technology now makes it possible for each ad impression (each ad space you see) to be submitted to real-time bidding by agents for advertisers. Adtech also makes it possible for consumers to block trackers and even block ads altogether. Each consumer who uses an adblocker becomes a free rider, putting more pressure on the website to generate more revenue from the unblocked ad impressions, and to purchase anti-adblocking technology, which diverts more money away from content development.

Other technology offers anonymous browsing and the ability to change IP addresses. Software developers will continue to develop more privacy-enhancing tools, and the most sophisticated consumers will make use of these self-help measures to protect their privacy. But what about everyone else?

There are two current legislative proposals before the Senate Commerce Committee, but COPRA has somehow stolen the limelight. Known as "the Democrats' bill" as a nod to its sponsors in the Senate, COPRA is an attempt to create a comprehensive PDS regime applying to all business sectors in the U.S.
The proposed statute for the first time would establish that American consumers have rights to their data. These rights would, under COPRA, include the right to access their data, to move their data, to restrict data sharing and sales, and to be able to grant (or withhold) rights to process that data.

COPRA contains many proposals, and it is, alas, merely the legislative equivalent of a discussion draft doomed to be marked up by Congress. Following are the things we believe probably will survive the legislative process, in this bill or another:

  • The acknowledgment of some set of consumers' rights to control some of their data;
  • A definition of "covered data" expanding consumers' rights beyond merely the information they provide businesses;
  • A right by consumers to access, review and correct data;
  • Consumers' right to control sale of some of their data;
  • Disclosure by companies of where at least some of their data on the consumer originated; and
  • Imposition upon companies holding data of duties to consumers, including posting privacy policies, creating training, and reporting to the responsible federal agency about their practices.

There are other proposed provisions that seem less likely to pass, if history is any guide. A statute that passes both houses is unlikely to include comprehensive rights for consumers to control all their data without regard to origin; a comprehensive "opt in" PDS regime; the right to move data at will; and a private right of action for damages.

One provision that has made a public splash in the news -- but it pays to be skeptical about it -- is the proposal for a new bureau at the FTC to handle privacy and data security matters. It's true that the FTC has been the most consistent regulator of PDS for nearly three decades. It's also true that given the history, the FTC is the logical place to house a regulator of PDS.

However, that same recent history counsels skepticism. After all, the FTC was the ideal place for the new regulator of consumer financial practices, but that's not where CFPB ended up. Then there's another reason to be skeptical: the bizarre sight of FTC commissioners testifying in Congress and begging lawmakers to not

The Republican bill differs significantly from the Democrats' bill in that it would preempt state laws and, like the CCPA, does not provide for a private right of action. Both the Republican and Democratic bills give lip service to providing the FTC with more resources.

Checklist for E-Commerce Companies

Given the historical moment that confronts us -- the imminence of PDS legislation, the rapid development by all of the states of unique approaches, and the characteristic inability of Congress to pass laws -- what should e-commerce businesses do? We have a few suggestions:

  1. Conduct a data audit. What do you have, where is it coming from, where is it stored, and where is it going? If you don't need it, stop collecting it. This is part of basic data hygiene.
  2. Get contracts in place in both directions -- inbound and outbound.
  3. Review the data security provisions in your data storage agreements. You may be unpleasantly surprised about the terms of your agreements.
  4. Review your data breach insurance.
  5. Review your contractual obligations in the event of a data breach. Watch out for open-ended indemnities.
  6. Determine what your legal responsibilities actually are now. If you do business in the EU, get compliant with GDPR. (There are American lawyers who are experts in GDPR.) If you do business in or are located in California, get compliant with CCPA. Check your state laws: They have a more immediate impact on your business than GDPR, CCPA or the anticipated federal legislation.
  7. Update compliance with existing PDS laws and regulations. As of now, the patchwork of federal statutes and rules mentioned above is the law. It's entirely possible that compliance with existing law will grandfather you into whatever comes down the road from Washington. At the very least, updating or polishing your compliance program will give you a good foundation to leap up to the next big thing, whatever it is.
  8. If you have to make a big investment in PDS now, before things become clear -- let's say you're starting a compliance program from scratch -- the best bet is to comply with the requirements of the current federal PDS laws and your local state laws. Where no federal or state standard clearly applies, you might want to use the CCPA as a suggestion to inform your choices. (For example, no current federal law explicitly requires a company to publish a privacy policy on its website or to place a privacy policy link on its website. However, CCPA does. It's not hard to predict that CCPA's requirements for both will appear in whatever federal legislation finally passes.)

In any case, no matter what your situation, find an experienced compliance lawyer to guide you. Many e-commerce businesses shy away from any discussion of a compliance program, because the burden seems so extreme.

The truth is, no one needs to start from scratch to build a comprehensive compliance structure. A compliance lawyer can help you prioritize by identifying what compliance policies you need right now, what you can save for later, and what you don't need at all.

Brad M. Elbein is a partner with the Atlanta offices of Culhane Meadows PLLC and former regional director of two regional offices of the FTC. His practice includes advertising, Internet marketing, the regulation of consumer financial products, and defense of government investigations.

Beth A. Fulkerson is a partner with the Chicago office of Culhane Meadows, PLLC. She formerly served as the chief privacy officer for Encyclopaedia Britannica and Merriam-Webster, and senior counsel for Tribune Media. Her expertise includes e-commerce, privacy & data security, and the Internet of Things.

With 70 partners in 10 offices across the U.S., uniquely structured and cloud-based Culhane Meadows utilizes its Disruptive Law business model to deliver outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. US News & World Report has named Culhane Meadows among the country's "Best Law Firms" in its 2014 through 2019 rankings.