Legal Compliance and Web 2.0 Applications
Presented by: Jeffrey C. Neu, Esq.
Table of Contents
1. US Privacy and Security Principles
2. Federal Oversight
3. Federal Legislation
(c) 2008 J. C. Neu and Associates
The 8 U.S. Privacy and Security Principles
1. Knowledge
2. Notice
3. Choice
4. Onward Transfer
5. Access
6. Data Integrity
7. Enforcement
8. Security
Knowledge
Six important questions to ask yourself when collecting personally identifiable information:
1. What information do I need?
2. What information do I have?
3. Why do I need/want that information?
4. What information do I want?
5. What legal restrictions govern that information?
6. Is it better not to know?
Notice and Onward Transfer
What do I have to disclose?
1. The purpose of collecting the information
2. How that information is going to be used
3. How users inquire and complain
4. Data sharing with 3rd parties
5. Any standards or methods for limiting use of the information
6. Related 3rd party responsibilities
Access and Security
Who has access and why?
- You are generally required to grant users access to their personal information.
- Depending on the information, you can be required to allow users to amend, delete, or correct personal information when it is inaccurate. Generally speaking, this is limited to instances where it is not cost prohibitive.
- You can be required to take reasonable precautions to protect private information from misuse.
- Security is particularly scrutinized against the representations you make: a privacy policy that promises a safeguard you do not actually have is the kind of deceptive practice the FTC pursues. Questions to ask:
  - Limit access to personal information based on need.
  - Do not allow unnecessary disclosure of personal information.
  - What data is being transmitted in clear text vs. encrypted form?
  - How is that data being stored? Clear text vs. encrypted?
  - What type of information is it? Different information has different storage requirements.
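The last three questions above (who can read a field, and whether it sits in the clear at rest) are the ones an engineer has to answer in code. The Go program below is an added example written for this page, not code from the presentation or from J. C. Neu and Associates. It stores a user profile with the identifying fields (email, date of birth) sealed under AES-256-GCM while a reporting field (country) stays readable, and hands each caller only the fields its role needs, touching the key only when a sealed field is actually required. The roles, field names and the sample record are hypothetical and constructed for the example; a real key would come from a KMS or HSM rather than being generated in the program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Profile is personal information as collected; the record built in main is constructed sample data.
type Profile struct{ UserID, Email, DOB, Country string }

// StoredProfile is the database row: Country stays in the clear for reporting, Email and DOB exist only inside Sealed.
type StoredProfile struct {
	UserID, Country string
	Nonce, Sealed   []byte // AES-256-GCM nonce and ciphertext of {"email":..., "dob":...}
}

// sealedFields lists the sealed fields each (hypothetical) role needs; user_id and country go to every known role.
var sealedFields = map[string][]string{
	"analytics":  {},
	"support":    {"email"},
	"compliance": {"email", "dob"},
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes (AES-256), got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the identifying fields under a fresh nonce; UserID is bound in as associated data, so a blob cannot be moved to another user's row.
func Seal(key []byte, p Profile) (StoredProfile, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredProfile{}, err
	}
	plain, _ := json.Marshal(map[string]string{"email": p.Email, "dob": p.DOB})
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredProfile{}, err
	}
	sealed := gcm.Seal(nil, nonce, plain, []byte(p.UserID))
	return StoredProfile{UserID: p.UserID, Country: p.Country, Nonce: nonce, Sealed: sealed}, nil
}

// View returns only what the role needs. The key is used only when a sealed field is actually required, and a failed
// decryption (wrong key, tampered ciphertext, blob swapped between users, bad nonce) is an error, never a row with blank fields.
func View(key []byte, sp StoredProfile, role string) (map[string]string, error) {
	need, ok := sealedFields[role]
	if !ok {
		return nil, fmt.Errorf("unknown role %q", role)
	}
	out := map[string]string{"user_id": sp.UserID, "country": sp.Country}
	if len(need) == 0 {
		return out, nil
	}
	gcm, err := newGCM(key)
	if err != nil || len(sp.Nonce) != gcm.NonceSize() { // Open panics on a wrong-length nonce, so check first
		return nil, fmt.Errorf("cannot open record %s: bad key or nonce (%v)", sp.UserID, err)
	}
	plain, err := gcm.Open(nil, sp.Nonce, sp.Sealed, []byte(sp.UserID))
	if err != nil {
		return nil, fmt.Errorf("cannot open record %s: %w", sp.UserID, err)
	}
	var all map[string]string
	_ = json.Unmarshal(plain, &all) // plaintext is authenticated and was produced by Seal
	for _, f := range need {
		out[f] = all[f]
	}
	return out, nil
}

// ContainsPlaintext reports whether value would appear in the clear if the stored row were dumped as JSON (log, backup, debug output).
func ContainsPlaintext(sp StoredProfile, value string) bool {
	raw, _ := json.Marshal(sp)
	return bytes.Contains(raw, []byte(value))
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a KMS or HSM, not from the program
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sp, _ := Seal(key, Profile{UserID: "u-1001", Email: "alice@example.org", DOB: "1990-04-12", Country: "US"})
	fmt.Println("email stored in the clear:", ContainsPlaintext(sp, "alice@example.org"))
	for _, role := range []string{"analytics", "support", "compliance", "marketing"} {
		v, err := View(key, sp, role)
		fmt.Println(role, v, err)
	}
}
```

Binding the user ID in as associated data is what makes "limit access based on need" hold up against a database-level attacker: a sealed blob copied into another user's row fails to open instead of quietly exposing someone else's data, and the analytics role never needs the key at all, so a compromise of that path does not reach the identifying fields.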
Data Integrity
Ensure the accuracy and completeness of the data. Personal information collected must be relevant to the purposes for which it is collected.
Enforcement
Depending on the application, you can be required to provide enforcement mechanisms to protect an individual's privacy rights, including a dispute resolution system.
FTC
The FTC gains its powers under the FTC Act, 15 U.S.C.A. §§ 45 and 52:
- § 45 regulates unfair and deceptive trade practices
- § 52 regulates false advertising
Broadened by the U.S. SAFE WEB Act of 2006 to incorporate internet activities.
Penalties can range from severe monitoring and reporting requirements, lasting as long as 20 years, to fines, sometimes in excess of $10,000,000.00.
On the use of private information for behavioral marketing, the FTC hasn't really said anything other than "We are watching you, and reserve the right to come after you." It comes back to transparency.
Federal Legislation
1. Digital Millennium Copyright Act – "DMCA"
2. Children's Online Privacy Protection Act – "COPPA"
3. Communications Decency Act – "CDA"
4. Health Insurance Portability and Accountability Act – "HIPAA"
5. Electronic Communications Privacy Act – "ECPA"
6. Computer Fraud and Abuse Act – "CFAA"
7. Gramm-Leach-Bliley Act – "GLB"
8. Fair Credit Reporting Act – "FCRA"
DMCA
The DMCA provides "safe harbors," not requirements. If you do not comply, you are not necessarily liable; you are simply left to the standard copyright infringement analysis.
It only applies to copyright liability. It does not apply to trademark liability or others.
"Services" are interpreted very broadly, and cover such services as eBay and Amazon. The safe harbors protect the following services:
- Conduit services – providing internet access itself
- Caching – specific types of caching
- Hosting data on behalf of users – web hosts
- Information location tools – linking and search engines
User Generated Content – DMCA Requirements
Step 1: Policy of terminating repeat infringers. It is important to have this policy in place when you begin this service.
Step 2: Obligation to accommodate the standard technical measures that copyright owners implement. The good news is that this standard does not currently exist.
Step 3: Register a copyright agent.
Step 4: Notice and take-down procedure. The statute gives specific requirements as to what the notice of infringement must contain.
Disqualifiers:
1. Actual knowledge (red-flag knowledge) of infringing material on your site. What is actual knowledge?
2. Deriving a direct financial benefit from the infringement while having the ability to control it.
Very easy, yet often overlooked.
DMCA Safe Harbors Flow Chart (flow chart image not reproduced in the transcript)
A Few Examples to Avoid
Xanga: Allowed users to self-report their ages. The minute users disclosed their age, Xanga had knowledge of it, and really it shouldn't have been collected at all.
ConnectU/Facebook: Gathering data from another person's server. A heavily regulated activity, and it can be very problematic.
Facebook/Beacon: Facebook combined with Beacon to offer individuals the ability to see the purchases of their "friends." Peer marketing was the intent, which is tough to regulate (i.e., Tupperware). The problem was transparency: users do not like to find out about privacy issues from Slashdot. Standard marketing and email campaign laws still apply.
Whole Foods: The founder blogged under an alias about the company. Reprimanded and fined by the FTC.
Final Tips
- It is important to have a document retention and destruction policy written down. The amended Federal Rules of Civil Procedure require a documented regime for both in litigation. Without the policy, you are likely to be fined and penalized.
- Under the CDA and the DMCA, it is important that the service provider not be the publisher of user content, and not add any content to it, including comments or notes.
- One of the biggest single exposures for companies is employee off-duty conduct: blogging, use of company assets, etc. Training is required; a manual is generally speaking not enough.
Jeffrey C. Neu, Esq.
J. C. Neu and Associates
318 Newman Springs Road, Red Bank, NJ 07701
firstname.lastname@example.org
732-978-4053