Protect Privacy to Protect Your Startup

Transcript
Page 1: Protect Privacy to Protect Your Startup

Protect Privacy to Protect Your Startup

Don’t catch an FTC (Action), practice safe data collection

Page 2: Protect Privacy to Protect Your Startup

Thank You to Our Sponsors

Page 3: Protect Privacy to Protect Your Startup

Presentation Content

• Privacy Policy vs. Terms of Service
• Process of Creating Your Privacy Policy
• Compliance with the Law
• Avoiding the FTC
• Online Services for Protecting Privacy

Page 4: Protect Privacy to Protect Your Startup

United States v. Path, Inc.

• Path: mobile app developer
• Contrary to privacy policy, automatically collected personal info
• Got info from ~3,000 kids under age 13
• FTC charged Path for deception and violation of COPPA
• Settlement: $800,000; 20 yrs of audits

Page 5: Protect Privacy to Protect Your Startup

Our Startup: Dragon Digs

• The social hub of Drexel University
• Relies on user-generated content
• Features:
  – Create, RSVP to events
  – Post pictures, comments
  – In-app ticket purchasing
  – Promo emails from Dragon Digs
  – Third-party advertising

Page 6: Protect Privacy to Protect Your Startup

Privacy Policy

• Explains how company gathers, uses, discloses, manages user info

• Separate from TOS
• More specifically:
  – Type of data collected and how it’s used, stored, protected
  – How user data is shared with third parties
  – Compliance with privacy laws and user control

Page 7: Protect Privacy to Protect Your Startup

Terms of Service

• Rules users must abide by on website/app

• Legally binding; subject to change
• More specifically:
  – Software license; website/app operation; users’ rights
  – Information ownership; copyright; incorporates privacy policy
  – Disclaimers/limitation of liability; notice

Page 8: Protect Privacy to Protect Your Startup

Ensuring Enforceable Terms

• Forming an enforceable contract
  – Notice and assent

• Click-wrap vs. Browse-wrap

• Additional tips and considerations

Page 9: Protect Privacy to Protect Your Startup

Notice and Assent

• Click-wrap:
  – Present users with copy of terms, and
  – Require action showing user read and agrees to terms

Page 10: Protect Privacy to Protect Your Startup

Notice and Assent

• Browse-wrap:
  – Available to users via web links
  – Does not require action indicating user agrees to terms
    • Typically state that site use is deemed acceptance of terms

Page 11: Protect Privacy to Protect Your Startup

Additional Tips and Considerations

• Use plain English
• Consider device it will be read on
• Place in a conspicuous location

Page 12: Protect Privacy to Protect Your Startup

Our Startup: Dragon Digs

• The social hub of Drexel University
• Relies on user-generated content
• Features:
  – Create, RSVP to events
  – Post pictures, comments
  – In-app ticket purchasing
  – Promo emails from Dragon Digs
  – Third-party advertising

Page 13: Protect Privacy to Protect Your Startup

What Info Should I Collect?

• Relationship with user determines what should be collected

• De-identify personal identification info where possible

• Whatever you collect, give users notice

– Helps create user trust

Page 14: Protect Privacy to Protect Your Startup

Give Users a Choice

• No consent needed: If collected data is expected for a relationship with user
  – Such as product fulfillment, analytics, security, and website improvements

• Consent needed: If collected data is outside what would be expected

• Do Not Track options

Page 15: Protect Privacy to Protect Your Startup

Tracking

• Cookie: Text file that collects user information

• Beacon: Graphic image file that collects user information

• Types: Persistent or session cookies
• Can be used for website operation or advertising

Page 16: Protect Privacy to Protect Your Startup

Privacy by Design

• Build in privacy and security at all stages of design and development

• Implement and enforce strategically sound privacy practices throughout company

Page 17: Protect Privacy to Protect Your Startup

Best Practices

• Data security
  – Firewall and virus protection
  – SSL encryption
  – Encrypt user names and passwords
  – Keep security current
• Reasonable collection limits
  – Collect only what is needed

Page 18: Protect Privacy to Protect Your Startup

Best Practices

• Sound retention practices
  – Right to be forgotten
  – Retention depends on industry
• Data accuracy
  – Allow users to access and change their profiles

• Knowledgeable, designated staff

Page 19: Protect Privacy to Protect Your Startup

Our Startup: Dragon Digs

• The social hub of Drexel University
• Relies on user-generated content
• Features:
  – Create, RSVP to events
  – Post pictures, comments
  – In-app ticket purchasing
  – Promo emails from Dragon Digs
  – Third-party advertising

Page 20: Protect Privacy to Protect Your Startup

Compliance

Be Sure You Read Your Own Policy!

Page 21: Protect Privacy to Protect Your Startup

FTC Act and Regulations

• Unfair or deceptive
• Avoid the FTC:
  – Comply
  – Notify
  – Protect

Page 22: Protect Privacy to Protect Your Startup

CalOPPA

• California Online Privacy Protection Act
• Conspicuously post your policy
• Comply
• Do Not Track amendment

Page 23: Protect Privacy to Protect Your Startup

CalOPPA Compliance

• Privacy policy must include:
  – Collect info
  – Sharing policies
  – User review/control
  – Notification
  – Effective date

Page 24: Protect Privacy to Protect Your Startup

COPPA

• Children’s Online Privacy Protection Act

Are You Under the Age of 13?

Page 25: Protect Privacy to Protect Your Startup

COPPA Compliance

• Who is collecting the info?
• Description of info collected
• Use
• Disclosure to third parties
• Parental review & consent
• User notice

Page 26: Protect Privacy to Protect Your Startup

CAN-SPAM ACT

• Controlling the Assault of Non-Solicited Pornography and Marketing Act

• Are you spamming?
• Compliance is simple

Page 27: Protect Privacy to Protect Your Startup

HIPAA

• Health Insurance Portability and Accountability Act

Page 28: Protect Privacy to Protect Your Startup

FERPA

• Family Educational Rights and Privacy Act

Page 29: Protect Privacy to Protect Your Startup

Gramm-Leach-Bliley Act

• Governs financial information

Page 30: Protect Privacy to Protect Your Startup

European Union E-Privacy Directive

• The right to be forgotten, among other things

Page 31: Protect Privacy to Protect Your Startup

Our Startup: Dragon Digs

• The social hub of Drexel University
• Relies on user-generated content
• Features:
  – Create, RSVP to events
  – Post pictures, comments
  – In-app ticket purchasing
  – Promo emails from Dragon Digs
  – Third-party advertising

Page 32: Protect Privacy to Protect Your Startup

Avoiding the FTC

• FTC
  – Statutory authority to remedy privacy infringements
    • Power to prohibit unfair and deceptive practices
• Statutory requirements
  – CalOPPA; COPPA; CAN-SPAM; HIPAA; FERPA; GLBA

Page 33: Protect Privacy to Protect Your Startup

FTC Actions

• Google
• RockYou
• Snapchat
• The Brightest Flashlight App

Page 34: Protect Privacy to Protect Your Startup

Our Startup: Dragon Digs

• The social hub of Drexel University
• Relies on user-generated content
• Features:
  – Create, RSVP to events
  – Post pictures, comments
  – In-app ticket purchasing
  – Promo emails from Dragon Digs
  – Third-party advertising

Page 35: Protect Privacy to Protect Your Startup

Privacy Policy Generators

• Tested 28 online generators
• Factors: ease of use, guidance, cost, and policy generated
• Recommendations:
  – FreePrivacyPolicy.com
  – GeneratePrivacyPolicy.com; SEOToaster.com
  – TRUSTe.com (for mobile apps)

Page 36: Protect Privacy to Protect Your Startup

What Needs Protection?

Page 37: Protect Privacy to Protect Your Startup

Seals of Approval

• The best individually
  – TRUSTe
  – TrustGuard
  – Qualys
  – Comodo
• The best for you
  – Mix-and-match to suit your needs
  – Each service has strengths & weaknesses

Page 38: Protect Privacy to Protect Your Startup

Our Startup: Dragon Digs

• The social hub of Drexel University
• Relies on user-generated content
• Features:
  – Create, RSVP to events
  – Post pictures, comments
  – In-app ticket purchasing
  – Promo emails from Dragon Digs
  – Third-party advertising

Page 39: Protect Privacy to Protect Your Startup

Questions?

Page 40: Protect Privacy to Protect Your Startup

Thank You to Our Sponsors

Page 41: Protect Privacy to Protect Your Startup

Thank You to Our Audience

Apply to be a client at

www.drexel.edu/law/ELC