Passing Data Between Retailers To Facilitate Transactions: A How-To Guide

Online retailers often learn information about a consumer that may be used by them to help identify other products, services, or companies that may be of interest to the consumer. For example, if a person purchases an airplane ticket to Washington DC, the person may want information about hotels, popular restaurants, or amenities at the airport. …

Cybersecurity Disclosures: A How-To Guide

In October of 2011, the U.S. Securities and Exchange Commission (“SEC”) issued guidance regarding a public company’s obligations to disclose cybersecurity risks and cyber incidents (the “Cybersecurity Disclosure Guidance”).1 The Cybersecurity Disclosure Guidance applies to all SEC registrants and relates to disclosures under the Securities Act of 1933 and the Securities Exchange Act of 1934. …

Email Marketing In Canada (CASL): A How-To Guide

On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (“CASL”) came into force.1 These provisions generally prohibit the sending of a Commercial Electronic Message (“CEM”) without a recipient’s express consent, and unless the CEM contains certain sender identification information and an effective unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law. The primary enforcement agency of CASL is the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has several compliance tools to enforce CASL, including the issuance of Administrative Monetary Penalties (AMPs) against individuals and organizations that have violated CASL’s provisions. …

Email Marketing: A How-To Guide

Email is ubiquitous in modern life with billions of emails – wanted and unwanted – sent each day. Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves. Failure to follow the CAN-SPAM Act can lead to penalties of up to $16,000 per violation. …

Knowing Where You Are, When You Are: Creepy or competitive? The privacy and security issues involved with geo-location tracking

Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information. Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates. …

Video Viewing Information: A How-To Guide

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history. This was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office. …

Online Behavioral Advertising: A How-To Guide

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a company’s website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the company’s website, so that those individuals can be monitored across a behavioral advertising network. …

Ransomware: A How-To Guide

Some forms of cyber extortion are automated and not targeted at any specific victim. For example, “ransomware” refers to a type of malware that prevents users from accessing their systems unless, and until, a ransom is paid. Although variants of ransomware operate differently, many encrypt the contents of a victim’s hard drive using asymmetric encryption in which the decryption key is stored on the attacker’s server and is available only after payment of the ransom. Victims typically discover the ransomware when they receive an on-screen message instructing them to transfer funds using an electronic currency, such as bitcoin, in order to receive the decryption key and access to their files. “CryptoLocker” is the most famous ransomware family and first appeared in 2013. …

Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States, Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Incident Response Plans: A Comparison of US Law, EU Law and Soon-To-Be EU Law

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents.1 Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. …

Response plans

Data Protection Officers: A Comparison of US Law, EU Law, and Soon-to-be-EU Law

Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one, or more, dedicated employees. While in some organizations “data privacy” and “data security” fall within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have “Chief Privacy Officers” or “Chief Information Technology Officers” that report directly to senior management, other organizations have privacy officers that report through a General Counsel or to a Chief Compliance Officer. …

Guidelines for De-Identification, Anonymization, and Pseudonymization

De-identification of data refers to the process used to prevent personal identifiers from being connected with information. The FTC indicated in its 2012 report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers that the FTC’s privacy framework only applies to data that is “reasonably linkable” to a consumer.1 The report explains that “data is not ‘reasonably linkable’ to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.” …

Guidelines for Email Marketing in Canada (CASL)

On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (“CASL”) came into force.1 These provisions generally prohibit the sending of a Commercial Electronic Message (“CEM”) without a recipient’s express consent, and unless the CEM contains certain proscribed sender identification information and an effective unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law. The primary enforcement agency of CASL is the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has several compliance tools to enforce CASL, including the issuance of Administrative Monetary Penalties (AMPs) against individuals and organizations that have violated CASL’s provisions. …

The Dispute Resolution Mechanisms Under the Privacy Shield (Part 2 of 2)

What Happens if I Join Privacy Shield and an Employee Submits a Complaint? (Part 2 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but each method is not open to every person (in EU parlance, a “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission). Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee.

In our fifth installment, we provided a roadmap of the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. In this sixth installment, we provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the ways in which an employee might file a complaint against an employer.

Achatz Quoted in ‘Law Week Colorado’

July 2016

Boulder Associate Chris Achatz was quoted July 18 by Law Week Colorado concerning Privacy Shield, the European Union’s recently approved agreement between EU member states and the U.S. that will permit transatlantic transfer of personal data. The agreement, released in February, was created to replace the Safe Harbor framework, which allowed U.S. companies to self-certify compliance with the EU’s 1995 Data Protection Directive, and was deemed insufficient in October 2015. Though the new framework limits U.S. government access to certain data, raises data protection standards and grants EU citizens the right to file complaints regarding mishandling of their data, critics remain skeptical of its advantages over model contract clauses. Achatz suggested that companies gauge authorities’ responses to the blanket agreement, which might present legal challenges, though the new framework has its perks. “In the wake of the Brexit vote and other political turbulence in Europe, the European Court of Justice may be more reluctant to hand down rulings that upset the status quo,” said Achatz, adding that the Privacy Shield is held accountable by an annual review mechanism, which will allow the framework “to evolve over time.” 

The Dispute Resolution Mechanisms Under the Privacy Shield (Part 1 of 2)

What Happens if I Join Privacy Shield and Someone Submits a Complaint? (Part 1 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions that we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but each method is not open to every person (in EU parlance, every “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission).

Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee. In this fifth installment, we provide a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. Our next installment will provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved.

Privacy Shield Finalized – How Everyone Can Take Advantage of the New European Data Transfer Framework

Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules. …

Zetoony, Achatz Author Article in ‘Transportation Quarterly’

June 2016

Boulder Partner David Zetoony and Associate Chris Achatz authored an article on privacy issues for self-driving vehicles in the spring edition of Transportation Quarterly, published by the Antitrust Litigation Committee of the American Bar Association. “To date, seven states and the District of Columbia have enacted laws that address autonomous vehicles or autonomous technology, but none of these state regulations address key areas of data privacy, such as the collection, use, and disclosure of driver behavior information gathered from autonomous vehicles or autonomous technology,” they wrote. Click here to read the article.

The Top Three Privacy Takeaways of the New Delaware Online Privacy and Protection Act

Delaware’s New Privacy Policy Requirements

Effective January 1, 2016, Delaware became the second state in the U.S., joining California, to require operators of commercial websites that collect personally identifiable information to post online privacy policies. The Delaware Online Privacy and Protection Act (DOPPA) applies to anyone who operates a “commercial internet website, online or cloud computing service, online application, or mobile application.”…

How to Comply with the CAN-SPAM Act (2016)

Email is ubiquitous in modern life with billions of emails – wanted and unwanted – sent each day. Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves. Failure to follow the CAN-SPAM Act can lead to penalties of up to $16,000 per violation. …

Achatz Quoted in ‘Law Week Colorado’

March 2016

Boulder Associate Chris Achatz was quoted March 14 by Law Week Colorado concerning the preliminary text of the Privacy Shield, recently released by the U.S. Department of Commerce and the European Commission. While there are still many hurdles to pass before this agreement between the U.S. and European Union becomes law, it is a first step in terms of guidance for U.S. companies handling Europeans’ personal information. Achatz said it is unclear how quickly the EC might move in adopting the Privacy Shield or making revisions. “Some people don’t want to wait to find out if this Privacy Shield is going to work for them, or what it is going to look like, or how it is going to be enforced,” Achatz said. “So those clients may look to the certainty of model contract clauses, which have been around for many years, and they already know what they look like and how they’re enforced. It’s a quick solution if there’s too much uncertainty in the other options.”

Privacy Shield Released – How Employers Can Take Advantage of the New European Data Transfer Framework (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules. …

At A Glance: De-Identification, Anonymization, and Pseudonymization (2016)

De-identification of data refers to the process used to prevent personal identifiers from being connected with information. The FTC indicated in its 2012 report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers that the FTC’s privacy framework only applies to data that is “reasonably linkable” to a consumer.1 The report explains that “data is not ‘reasonably linkable’ to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.”2 …

Privacy Shield: Safe Harbor 2.0? (2016)

As negotiators for the US Department of Commerce (“DOC”), Federal Trade Commission (“FTC”), and the European Commission move toward an agreement intended to allow continued US-EU data transfers, a closer look at the history of “Safe Harbor” and the proposed “Privacy Shield” framework leaves some questions unanswered.

Safe Harbor Invalidation
Under EU Data Protection Directive 95/46/EC (the “Directive”), personal data controlled in the EU may be transferred to countries outside the EU only when an “adequate level of protection” is guaranteed. From 2000 to 2015, thousands of companies achieved this adequacy status through the US-EU “Safe Harbor” framework, an annual certification process approved by the European Commission and made available to US companies subject to the jurisdiction of the FTC or Department of Transportation. …

Evaluating Data Privacy and Security Issues of Self-Driving Vehicles (2016)

Self-driving cars, or autonomous vehicles, may be the greatest disruptive innovation to travel that we have experienced in a century. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of the technology including the need to reduce public fear, increase reliability, and create adequate regulations . . .

SEC CyberDisclosures At A Glance (2015)

Cybersecurity Disclosures - At A Glance

The SEC has made clear that there are a number of disclosure requirements that might impose an obligation on an issuer to disclose cyber-risks and cyber-incidents and has discussed certain of those requirements, including disclosures required in risk factors, MD&A, business descriptions, legal proceedings, financial statements and disclosure controls and procedures. . . .

Webinar: The Legal Issues Involved with Commercializing Data

Aug. 25, 2016 at 12 p.m. Eastern

In today’s technology-driven world with the use of the cloud, big data, mobile applications, and digital-collaboration platforms becoming commonplace for businesses of all shapes and sizes, every company is becoming a data company, and new data assets are created every day. In this webinar, Boulder Partner Jason Haislmaier and Associate Chris Achatz will discuss the legal issues of commercializing data and the common questions regarding the creation of commercial data products. Topics include legal aspects of data products, including creating and aggregating data sets, acquiring data from private and public sources, providing effective data analytics, selecting a data distribution model, and licensing.

Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Webinar: An In-House Attorney’s Guide to Creating an Effective Privacy Policy

June 28, 2016 at 12 p.m. EDT

Almost every company now has an online presence and, with it, an online privacy policy. While privacy policies are not new, attorneys need to keep current with the laws and regulations and to draft the policies effectively so that consumers can understand them. Boulder Partner David Zetoony and Associate Christopher Achatz discuss the legal issues involved with drafting privacy policies and explore best practices on how to create effective policies. Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Webinar: Autonomous Vehicles Privacy and Cybersecurity Issues

January 20, 2016

With even GM investing in a driverless future, autonomous vehicles, or self-driving cars, may be the greatest disruptive innovation to travel that we have experienced in decades. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of this autonomous technology. Of particular concern with regard to autonomous vehicles are data privacy and security risks that attorneys need to know. David Zetoony and Chris Achatz, Bryan Cave LLP, discuss the evolution of the technology, provide an overview of current legal and regulatory data privacy and security issues that are implicated, and explore specific data privacy and security concerns that will need to be addressed to enable the adoption of autonomous vehicles.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

CAN-SPAM An In-House Guide (2015)

Email is ubiquitous in modern life with billions of emails – wanted and unwanted – sent each day. Since its enactment, the CAN-SPAM Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM’s restrictions give . . .

Live Event: Privacy Policy Fundamentals

November 11, 2015
Bryan Cave, Denver

Please join us for lunch on November 11, 2015 for a panel discussion regarding privacy policy fundamentals. We will discuss the role of privacy policies in establishing data rights and obligations, and explore the core principles, industry requirements, geographic considerations, and future of privacy policies. The event is sponsored by the IAPP. Click here to register.

The Canadian Anti Spam Law (CASL) At A Glance (2015)

On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (CASL) came into force. These provisions generally prohibit the sending of a Commercial Electronic Message (CEM) without the recipient’s express consent, and unless the CEM contains certain proscribed sender information and an unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law, however . . .

Event: Data as a Product – Dealing with the Issues of Commercializing Data

Sept. 17, 2015

ABA Business Law Section Annual Meeting
Chicago, IL

Bryan Cave Partner Jason Haislmaier and Associate Chris Achatz will present a CLE on “Dealing with the issues of Commercializing Data” at the upcoming ABA Business Law Section Annual Meeting. The program will provide insights into the common questions regarding the creation of commercial data products. The topic line-up will include legal aspects of data products, including creating data sets, acquiring data from private and public sources, aggregating data sets, providing effective data analytics, selecting a data distribution model, and licensing.

For registration information, please visit the ABA Business Law Section website.

Self-Driving Cars At A Glance (2015)

Self-driving cars, or autonomous vehicles, may be the greatest disruptive innovation to travel that we have experienced in a century. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of the technology . . .