Bits and Pieces
Neither CCPA nor COPRA is the first PDS statute by a long shot. Nearly a dozen federal statutes include PDS elements. Each is narrowly focused -- none are broadly applicable to privacy and data security concerns. Among the patchwork quilt of PDS statutes:
- CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing)
- COPPA (Children's Online Privacy Protection Act)
- FACTA (Fair and Accurate Credit Transactions Act)
- FCRA (Fair Credit Reporting Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- RFPA (Right to Financial Privacy Act)
- TCPA (Telephone Consumer Protection Act)
There are also some relevant rules:
- DNC (Do-Not-Call)
- Gramm-Leach-Bliley Privacy Rule and Safeguards Rule
- Red Flags Rule
- TSR (Telemarketing Sales Rule)
Regulate Us, Please
As is usual at this point in an area of rapidly evolving state enforcement, businesses that typically have opposed federal legislation now want federal legislation to save them from state efforts. Last spring, four major online advertising trade organizations (4A's, ANA, IAB and NAI) formed a coalition with top legal experts to work with Congress to support comprehensive consumer data privacy and security legislation. The coalition, Privacy America, recommends creating a new Data Protection Bureau within the FTC.
For years the online advertising industry tried to fend off federal regulation by self-regulating, and providing consumers with mechanisms to opt out of online targeting. Efforts for a universal Do-Not-Track (DNT) option failed. The major browsers added a DNT setting, but websites have no legal obligation to honor DNT settings.
Consumers generally understand that online content is "free" so long as websites are supported by advertising, but with ads also appearing on e-commerce sites, where they've become an additional revenue stream, this stretches the traditional ad-assisted model. Consumers may or may not understand that the prices paid to websites for ad inventory are a function of the narrowness of the site's audience.
Advertising technology now makes it possible for each ad impression (each ad space you see) to be submitted to real-time bidding by agents for advertisers. Adtech also makes it possible for consumers to block trackers and even block ads altogether. Each consumer who uses an adblocker becomes a free rider, putting more pressure on the website to generate more revenue from the unblocked ad impressions, and to purchase anti-adblocking technology, which diverts more money away from content development.
Other technology offers anonymous browsing and the ability to change IP addresses. Software developers will continue to develop more privacy-enhancing tools, and the most sophisticated consumers will make use of these self-help measures to protect their privacy. But what about everyone else?
There are two current legislative proposals before the Senate Commerce Committee, but COPRA has somehow stolen the limelight. Known as "the Democrats' bill" as a nod to its sponsors in the Senate, COPRA is an attempt to create a comprehensive DPS regime applying to all business sectors in the U.S.
The proposed statute for the first time would establish that American consumers have rights to their data. These rights would, under COPRA, include the right to access their data, to move their data, to restrict data sharing and sales, and to be able to grant (or withhold) rights to process that data.
COPRA contains many proposals, and it is, alas, merely the legislative equivalent of a discussion draft doomed to be marked up by Congress. Following are the things we believe probably will survive the legislative process, in this bill or another:
- The acknowledgment of some set of consumers' rights to control some of their data;
- A definition of "covered data" expanding consumers' rights beyond merely the information they provide businesses;
- A right by consumers to access, review and correct data;
- Consumers' right to control sale of some of their data;
- Disclosure by companies of where at least some of their data on the consumer originated; and
- Imposition upon companies holding data of duties to consumers, including posting privacy policies, creating training, and reporting to the responsible federal agency about their practices.
There are other proposed provisions that seem less likely to pass, if history is any guide. A statute that passes both houses is unlikely to include comprehensive rights for consumers to control all their data without regard to origin; a comprehensive "opt in" PDS regime; the right to move data at will; and a private right of action for damages.
One provision that has made a public splash in the news -- but it pays to be skeptical about it -- is the proposal for a new bureau at the FTC to handle privacy and data security matters. It's true that the FTC has been the most consistent regulator of PDS for nearly three decades. It's also true that given the history, the FTC is the logical place to house a regulator of PDS.
However, that same recent history counsels skepticism. After all, the FTC was the ideal place for the new regulator of consumer financial practices, but that's not where CFPB ended up. Then there's another reason to be skeptical: the bizarre sight of FTC commissioners testifying in Congress and begging lawmakers to not
The Republican bill differs significantly from the Democrats' bill in that it would preempt state laws and, like the CCPA, does not provide for a private right of action. Both the Republican and Democratic bills give lip service to providing the FTC with more resources.
Checklist for E-Commerce Companies
Given the historical moment that confronts us -- the imminence of DPS legislation, the rapid development by all of the states of unique approaches, and the characteristic inability of Congress to pass laws -- what should e-commerce businesses do? We have a few suggestions:
- Conduct a data audit. What do you have, where is it coming from, where is it stored, and where is it going? If you don't need it, stop collecting it. This is part of basic data hygiene.
- Get contracts in place in both directions -- inbound and outbound.
- Review the data security provisions in your data storage agreements. You may be unpleasantly surprised about the terms of your agreements.
- Review your data breach insurance.
- Review your contractual obligations in the event of a data breach. Watch out for open-ended indemnities.
- Determine what your legal responsibilities actually are now. If you do business in the EU, get compliant with GDPR. (There are American lawyers who are experts in GDPR.) If you do business in or are located in California, get compliant with CCPA. Check your state laws: They have a more immediate impact on your business than GDPR, CCPA or the anticipated federal legislation.
- Update compliance with existing PDS laws and regulations. As of now, the patchwork of federal statutes and rules mentioned above is the law. It's entirely possible that compliance with existing law will grandfather you into whatever comes down the road from Washington. At the very least, updating or polishing your compliance program will give you a good foundation to leap up to the next big thing, whatever it is.
In any case, no matter what your situation, find an experienced compliance lawyer to guide you. Many e-commerce businesses shy away from any discussion of a compliance program, because the burden seems so extreme.
The truth is, no one needs to start from scratch to build a comprehensive compliance structure. A compliance lawyer can help you prioritize by identifying what compliance policies you need right now, what you can save for later, and what you don't need at all.
Brad M. Elbein is a partner with the Atlanta offices of Culhane Meadows PLLC and former regional director of two regional offices of the FTC. His practice includes advertising, Internet marketing, the regulation of consumer financial products, and defense of government investigations.
Beth A. Fulkerson is a partner with the Chicago office of Culhane Meadows, PLLC. She formerly served as the chief privacy officer for Encyclopaedia Britannica and Merriam-Webster, and senior counsel for Tribune Media. Her expertise includes e-commerce, privacy & data security, and the Internet of Things.
With 70 partners in 10 offices across the U.S., uniquely structured and cloud-based Culhane Meadows utilizes its Disruptive Law business model to deliver outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. US News & World Report has named Culhane Meadows among the country's "Best Law Firms" in its 2014 through 2019 rankings.