Chapter 5 Flashcards
- Telecommunications operators
- Internet firms
- Financial institutions that provide online services (e.g., banking institutions, insurance companies, securities companies, and foundations)
- Cybersecurity product and/or service providers
- Enterprises that have websites and provide network services
Network operators examples
Issued warnings, confiscated illegal income, and penalties of up to RMB one million (about $152,000 USD)
Failure to comply with the Cybersecurity Law
Approach to privacy protection, particularly in the private sector, is significantly different from the approach taken in Europe and in Canada
The United States
The only national privacy policies to survive congressional debate have passed into law on a case-by-case basis
Sectorial approach to privacy law
Requires accurate and relevant data collection by entities that compile CONSUMER REPORTS as well as persons who use consumer reports
Fair Credit Reporting Act (FCRA)
It gives consumers the ability to access and correct their information and limits the use of consumer reports to permissible purposes
Fair Credit Reporting Act (FCRA)
FCRA stands for:
Fair Credit Reporting Act
Factors in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose
Purpose of consumer report
any information that pertains to:
1. creditworthiness
2. credit standing
3. credit capacity
4. character
5. general reputation
6. personal characteristics
7. mode of living
and that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose
Consumer report
Any entity that routinely furnishes consumer reports to third parties for a fee
consumer reporting agency (CRA)
CRA stands for:
consumer reporting agency
- Provide consumers with access to the information contained in their consumer reports, along with the opportunity to dispute any inaccurate information.
- Take reasonable steps to ensure the accuracy of information in the consumer report.
- Not report negative information that is outdated. In most cases, this means account data more than seven years old or bankruptcies more than 10 years old.
- Provide consumer reports only to entities that have a permissible purpose under the FCRA.
- Maintain records regarding entities that received consumer reports and provide consumer assistance as required by Federal Trade Commission (FTC) rules.
CRA Requirements
Account data more than 7 years old or bankruptcies more than 10 years old
Outdated negative report according to FCRA
- Have a permissible purpose as prescribed by the law
- Provide certifications to the CRA that they are accessing the report for a permitted purpose
- Notify consumers when adverse actions are taken and limit the types of adverse actions that can be taken as a result of obtaining or reviewing the information contained within a consumer credit report
Users of credit report requirements
All business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined, such as denying or canceling credit or insurance, or denying employment or promotion
Adverse action
Civil and criminal penalties that include significant statutory damages
Noncompliance with FCRA
FTC and state attorneys general
Enforce FCRA (act on violations)
HIPAA stands for:
Health Insurance Portability and Accountability Act
U.S. law that specifically addresses health information privacy
HIPAA (Health Insurance Portability and Accountability Act)
US national standards for electronic healthcare information transactions
HIPAA rules
- privacy
- security
- transactions
3 subsets of HIPAA rules
Minimum standards
HIPAA privacy and security rules
Any information that identifies, or reasonably could be used to identify, an individual and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to that individual
personal health information (US)
- Healthcare providers (e.g., a hospital)
- Health plans (a specific program offered by an insurer or other provider)
- Healthcare clearinghouses (third-party organizations that host, handle or process medical information)
Entities that are directly covered under HIPAA
“Business associates” and any other entity that uses or discloses personal health information
Entities that are indirectly covered under HIPAA
HHS and state attorneys general
Enforces HIPAA
Both civil and criminal penalties with significant fines and potential prison sentences
HIPAA penalties
GLBA stands for:
Gramm-Leach-Bliley Act
To address all sorts of issues regarding mergers and to provide significant privacy and security protections for consumers
GLBA (Gramm-Leach-Bliley Act)
GLBA protects this information.
It is personally identifiable financial information that is
(1) provided by a consumer to a financial institution
(2) resulting from a transaction or service performed for the consumer, or
(3) otherwise obtained by the financial institution
nonpublic financial information
US domestic financial institutions, defined to include any U.S. company that is “significantly engaged” in financial activities
Application of GLBA
A.K.A. Financial Services Modernization Act of 1999
GLBA (Gramm-Leach-Bliley Act)
Publicly available information and any consumer list that is derived without using personally identifiable financial information
Excluded from nonpublic financial information
- Securely store personal financial information
- Give notice of policies regarding the sharing of personal financial information
- Give consumers the alternative to opt out of some sharing of personal financial information
GLBA (Gramm-Leach-Bliley Act) basic requirements
- Prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices. These notices must be given when a customer relationship is established and annually thereafter.
- Clearly provide consumers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to a number of significant exceptions related largely to the processing of consumer transactions)
Under GLBA, U.S.-based financial institutions are required to:
FTC and state attorneys general
Enforce GLBA (Gramm-Leach-Bliley Act)
COPPA stands for
Children’s Online Privacy Protection Act of 2000
Operators of commercial websites and online services directed to children under the age of 13, and operators of general-audience websites and online services if they have actual knowledge that they are collecting personal information from children under the age of 13
COPPA applies to:
- Post a privacy policy on the site’s homepage and link to the privacy policy on every page where personal information is collected
- Provide notice about the site’s information collection practices to parents
- Obtain verifiable parental consent before collecting personal information from children
- Give parents a choice as to whether their child’s personal information will be disclosed to third parties
- Provide parents access and the opportunity to delete the child’s personal information and to opt out of future collection or use of the information
- Not condition a child’s participation in a game, contest or other activity on the child’s disclosure of more personal information than is reasonably necessary to participate in that activity
- Maintain the confidentiality, security and integrity of personal information collected from children
COPPA requirements
FTC and state attorneys general
Enforce COPPA
These US laws relate to specific communications channels and methods such as telemarketing, electronic mail, and fax marketing
U.S. Marketing Communications Laws
The major contrast between U.S. and international approaches to marketing communications concerns
Choice
Where do laws generally require the consumer to opt in to marketing programs?
EU and Canada
Where do laws generally require the consumer to opt out of marketing programs?
US
Apply to for-profit organizations and cover charitable solicitations placed by for-profit telefunders
U.S. Telemarketing Sales Rules (TSR)
- Call only between 8 a.m. and 9 p.m.
- Screen and scrub names against the Do Not Call list (DNC)
- Display caller ID information
- Identify themselves and what they are selling
- Disclose all material information and terms
- Comply with special rules for prizes and promotions
- Respect requests to call back
- Retain records for at least 24 hours
- Comply with special rules for automated dialers
U.S. Telemarketing Sales Rules (TSR) requirements:
A means for U.S. citizens to register residential and wireless phone numbers that they do not wish to be called for telemarketing purposes
(Arose from the TSR)
National Do Not Call Registry
The list, rules, and exceptions associated with the Do Not Call list for Canadians fall under
Canadian Radio-television and Telecommunications Commission (CRTC)
TCPA stands for:
Telephone Consumer Protection Act
It regulates telemarketing calls, autodialed calls, prerecorded calls, text messages, unsolicited faxes, and so
Telephone Consumer Protection Act (TCPA)
- Obtain prior express written consent from consumers before robocalling them
- No longer use an “established business relationship” to avoid getting consent from consumers when calling their home phones
- Provide an automated, interactive opt-out mechanism during each robocall so consumers can immediately opt out of future robocalls
TCPA requirements for telemarketers
Federal Communications Commission (FCC)
Enforces TCPA
CAN-SPAM stands for:
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
Anyone who advertises products or services by email directed to or originating from the United States
Application of CAN-SPAM
The law covers the transmission of commercial email messages whose primary purpose is advertising or promoting a product or service
CAN-SPAM
FTC
Enforces CAN-SPAM
Monetary fines and potential liability for damages
CAN-SPAM penalties
- Prohibits false or misleading headers
- Prohibits deceptive subject lines
- Requires commercial email to contain a functioning, clearly and conspicuously displayed return email address that allows the recipient to opt out of future email from that sender
- Prohibits sending commercial email (following a grace period of 10 business days) to an individual who has asked not to receive future email
- Requires all commercial email to include:
  (1) clear and conspicuous identification that the message is an advertisement or solicitation (unless the recipient has provided prior affirmative consent to receive the email),
  (2) clear and conspicuous notice of the opportunity to opt out, and
  (3) a valid physical postal address of the sender
- Prohibits “aggravated violations” relating to commercial email such as:
  (1) address harvesting and dictionary attacks,
  (2) the automated creation of multiple email accounts, and
  (3) the retransmission of commercial email through unauthorized accounts
- Requires all commercial email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)
CAN-SPAM requirements
The first US state to pass Security Breach Notification Law
California: SB 1386
One must disclose the breach of any computer system that contains unencrypted personal information of California residents
California: SB 1386
An individual’s name in combination with any one or more of the following:
(1) social security number
(2) California identification card number
(3) driver’s license number
(4) financial account number or credit or debit card number
in combination with any required security code, access code, or password that would permit access to an individual’s financial account
Personal information (California SB 1386)
Once it is determined that there has been a breach, the notification must be made “in as expedient a manner as possible” unless law enforcement requests a delay to meet its investigative requirements
Notice for California: SB 1386
FTC and U.S. state attorneys general
Enforce unfair trade practices laws/rules
States that it is illegal to conduct “unfair or deceptive acts or practices in or affecting commerce”
Federal Trade Commission Act
Commercial conduct that intentionally causes substantial injury without offsetting benefits and that consumers cannot reasonably avoid; there is no intent requirement
Unfair trade practices
Commercial conduct that includes false or misleading claims, or claims that omit material facts; there is no intent requirement
Deceptive trade practices
The act was influenced by the EU’s GDPR and is the most expansive privacy law ever introduced at any level of U.S. governance
California Consumer Privacy Act (CCPA)
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
Personal information (CCPA)
For-profit businesses doing business in California that meet one of three thresholds:
- Have over $25 million in gross annual revenue
- Buy, receive, sell or share for commercial purposes the personal information of more than 50,000 consumers, households or devices
- Derive 50% or more of their revenue from the sale of consumers’ personal information
Application of CCPA
- Disclose information about how they collect and use personal information and for what purposes
- Refrain from selling the information of a person between the ages of 13 and 16 without their consent and refrain from selling the personal information of persons under 13 without parental consent
- Post a conspicuous link on their internet homepage stating “Do Not Sell My Personal Information” if sharing personal information with third parties for valuable consideration, giving consumers the power to opt out
- Not discriminate against any person for exercising their rights under the act by increasing fees or lowering the quality of their service
California Consumer Privacy Act (CCPA) requirements
- The right to deletion of their personal data
- The right to access personal data that has been collected in the past 12 months
- The right to access information about categories of third parties to whom their personal data has been sold for each category of information disclosed
- The right to opt out of having personal data sold to third parties
Consumer rights under California Consumer Privacy Act (CCPA)
2 states that followed California in making comprehensive privacy laws
Nevada (Bill 220 Online Privacy Law) and
Maine (Act to Protect the Privacy of Online Consumer Information)
European privacy protection is more commonly referred to as
Data protection
European privacy protection general rule
Not allow any collection or use of personal data unless permitted to do so by law
To harmonize and unify the inconsistent landscape of national data protection laws within the EU
General Data Protection Regulation (GDPR)
No. of member states in the EFTA (European Free Trade Association)
3
Iceland
Liechtenstein
Norway
Member states in the EFTA (European Free Trade Association)
No. of member states in the EU (European Union)
27 (26 now)
No. of member states in the EEA (European Economic Area)
30
Extends to all member states of the EEA as well as to the UK until the end of the negotiated Brexit transition period
Application of GDPR
GDPR stands for:
General Data Protection Regulation
The EU had passed several directives; the most important is:
EU Directive or simply “the Directive”
The EU counterparts to the roles played by the federal and provincial privacy commissioners in Canada
Data protection authorities (DPAs)
Civil and criminal enforcement
Penalties in EU
Data protection authorities (DPAs)
Enforces European laws
The aim is to create a clearer, more certain, and trustworthy legal environment for both businesses and citizens, which will in turn increase both competition and innovation in the digital market
GDPR
Any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered and where the actual processing takes place (even if that is outside the EU)
Application of GDPR
- A telecommunications organization that offers its goods and services through its EU-based regional offices to EU data subjects
- A retailer that offers its goods or services to EU data subjects via its online website
- A marketing agency that monitors the purchasing habits and behaviors of EU data subjects using data-processing techniques to create individual profiles and predict personal preferences, behaviors and attitudes
Examples of organizations with headquarters in Canada that will be impacted by the GDPR
An important core principle of the GDPR; states that personal data should only be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
Purpose limitation
(1) the data subject gives explicit consent
(2) it is needed to perform a contract
(3) it is needed to comply with a legal obligation
(4) it protects the vital interests of the data subject
(5) it performs a task in the public interest
(6) it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”
According to GDPR, processing of data is only lawful if:
Interests pursued by the controller or by a third party are overridden by the interests or fundamental rights and freedoms of the data subject
Exemption to GDPR; processing of data is lawful if:
- biometric data
- genetic data
- data concerning sexual orientation
Sensitive personal data (GDPR)
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
Data special categories (GDPR)
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data
Controller (GDPR)
Body “which processes personal data on behalf of the controller”
Processor (GDPR)