In a statement on its Developer Blog, Facebook said:

“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready.”

Data-Sharing Decision & Responses

The original decision to share user information came on Friday, January 14 2011. Facebook pointed out that the new feature would allow a user to “easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for up-to-the-minute alerts on special deals directly to your mobile phone.”

The surprising decision triggered public backlash against Facebook’s privacy practices. Although app developers could only gather contact information if users had allowed them to do so, observers pointed out users are often confronted with too many apps that are deceptive about allowing access.

It is also commonly known that many users will click through permission dialogue boxes without pausing to read their contents. As a result of being inundated with too many permissions requests, users will respond to constant dialog boxes by agreeing to everything without considering potential negative consequences.

Critics responded strongly to Facebook’s new data-sharing practices. The marketing and media site The Drum commented:

“[This] raises questions as to how an organization, which ought to have been sensitive to privacy concerns following previous controversies, could have launched such an unheralded change, on a Friday evening, without fully thinking through the consequences.”

Graham Cluley, a technology consultant with the IT security firm Sophos called the new practices a “recipe for disaster,” pointing to the array of scam applications that have overrun the social network.

Suggested alternatives

Commenters suggested that Facebook ought to pre-approve developers before they are able to gain access to users’ information. The suggested approval process would be similar to the compulsory verification system for iPhone apps. According to a recent Sophos poll, over 95% of respondents supported the idea of Facebook verification of all apps before they are released to users. Currently, Facebook app developers only need to verify their accounts by confirming their mobile number or credit card information. After this process, they can write and release any application they like.

While Facebook does not currently offer this feature, many recommend that the network check applications written for its platform to ensure that they are not malicious. As this verification is not done, it is common to see many “rogue applications” appear across the social network. Such apps include revenue-generating survey scams, redirection of users’ browsers to malicious sites, spamming from a user’s account or stealing personal information.

Others suggested that users’ contact information could only be accessed if it was necessary for the purposes of the application. At the very least, the application should specifically request users’ permission before gathering their information. Facebook’s announcement on Friday evening led to many users removing their home address and mobile number from their profiles, as an immediate measure.

Summary

This article takes a look at Facebook’s January 14, 2011 decision to share user data with its applications developers. In the face of negative media coverage and public outcry, the social networking site was forced to reverse the changes only three days later. Many users and critics were uncomfortable with the fact that developers were able to access personal information such as their home address and mobile numbers. This article also looks at why this practice is especially problematic, especially in light of Facebook’s developer and applications policies.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Concerns – Organizational Practices (II.A.b.)
• Privacy Expectations – Prominent Notice & Opt-In Consent (II.B.b.)
• Social Networking Services – System Designs (VI.C.i.)
• Social Networking Services – Privacy Controls (VI.C.ii.)

Safe Harbor in a nutshell
During October 1998, the European Commission’s Directive on Data Protection was enacted, prohibiting the transfer of personal data from European Union (EU) member states to non-EU nations that did not meet the privacy protection standard. In order to facilitate the transfer of information between EU-based organizations and US-based organizations, the Safe Harbor framework was developed.

US-based organizations may qualify for Safe Harbor statues in two different ways. They may join self-regulatory privacy programs following the requirements of Safe Harbor. Alternatively, they may choose to develop organization-specific self-regulatory privacy policies, in line with the requirements of Safe Harbor.

What is CARU?
In 1974, the Children’s Advertising Review Unit (CARU) was created in order to promote responsible advertising to children. CARU was developed as a component of a strategic alliance amongst the major US advertising trade associations, including the American Association of Advertising Agencies (AAAA), American Advertising Federation (AAF), Association of National Advertisers (ANA) and the Council of Better Business Bureaus (CBBB).

CARU is in charge of children’s advertising issues within the advertising industry’s self-regulation program. It assesses the truthfulness, accuracy and consistency of child-directed advertising and assists advertisers in dealing with child audiences responsibly. CARU does so by advancing compliance with its Self-Regulatory Guidelines for Children’s Advertising, the Children’s Online Privacy Protection Act of 2000 (COPPA) and other relevant laws.

The CARU Safe Harbor Program
As of January 2001, the CARU self-regulatory program was approved as Safe Harbor-compliant, under the Children’s Online Privacy Protection Act (COPPA). It was also the first such program to the FTC-approved. Organizations that comply with CARU Guidelines are also in compliance with the COPPA, thus insulated from FTC enforcement action.

Compliance with CARU’s Safe Harbor Program is dependent on the following elements:
• Adhering to the requirements in the CARU Safe Harbor Compliance Checklist
• Compliance with the CARU Self-Regulatory Guidelines for Children’s Advertising
• Review by CARU staff of the web site’s information practices; completion of Initial Website Review & Seeding form
• Continuous monitoring of web site by CARU staff to ensure compliance with the Safe Harbor framework
• Completion of CARU Self-Assessment Form and Attestation by Safe Harbor participant

CARU Safe Harbor Compliance Checklist
This checklist makes up a critical component of the Safe Harbor compliance, as discussed above. The checklist includes the Safe Harbor principles and is specific to web sites advertising to child audiences. The following elements are on the CARU Safe Harbor Compliance Checklist:
1. Provide notice
2. Obtain verifiable parental consent
3. Limit collection, use and disclosure of personal information collected from children
4. Provide access upon verification of parental identity
5. Maintain reasonable security

The elements of the checklist are explored in greater detail below:

1. Provide Notice
In accordance with the Safe Harbor principles, privacy notices should be clearly written and easily understandable. They should not contain irrelevant, confusing or contradictory statements. There are two different types of notices that are required of CARU Safe Harbor participants: a Notice of Information Practices and a Direct Notice to Parents.

The Notice of Information Practices is also referred to as the “Web Site Notice,” or “Children’s Privacy Policy.” Such a notice requires a prominent link on the site’s home page and in each area where personal information is collected from children. This notice must state all of the following information:
• Name, address, phone number and email of the operators responsible for the collection and maintenance of personal information collected from children through the site.
• Types of personal information that is collected from children.
• Identification of the means of collection of the information (i.e. directly or passively).
• How the personal information is being used, or will be used.
• If the personal information will be disclosed to third parties. If this is being done, then the notice must state the types of businesses in which third parties are engaged; the purpose of such personal information; and if the third parties are committed to maintaining the security and confidentiality of the information collected.
• An option for the parent to agree to the collection and use of the child’s information, that is not dependent on consent for disclosing information to third parties.
• The child cannot be required to disclose more information than reasonable necessary to participate in the web site activities.
• The parent has the right to review the child’s personal information, request that it be deleted, and prevent any further collection or use of the personal information.
• Procedures for the parent to review or delete their child’s personal information and prevent ongoing use or disclosure.

The Direct Notice to Parents must include the following information:
• The same information stated in the Notice of Information Practices (as listed above).
• The web site operator wishes to collect personal information from the child.
• Request for the parent’s consent to collect this personal information. This consent is required for the collection, use and disclosure of personal information.
• Methods for providing parental consent.

2. Obtain Verifiable Parental Consent
Web site operators are obliged to obtain verifiable parental consent before the collection, use or disclosure of children’s personal information. Such consent may be obtained in the following ways:
• When personal information is being collected for internal use only. In this case, email may be used to obtain parental consent. This also requires the additional steps of a follow-up email, letter or phone call to verify the consent. This method was used prior to April 21, 2002.
• When personal information is being made publicly available, such as in a chat room, message board, personal home page, profile, or email account. OR, when personal information is being disclosed to third parties.

In such cases, website operators are obliged to employ a more reliable means of securing parental consent. This may include: (a) A form with a parent’s signature through postal mail or fax; (b) A credit card number in connection with a transaction; (c) A toll-free phone number managed by trained personnel; (d) Email consent in conjunction with a digital signature from a parent; (e) Email consent in conjunction with a PIN or password; (f) Consent through a CARU-approved method. After April 21, 2002, only these methods were acceptable for securing parental consent.

3. Limit Collection, Use and Disclosure of Personal Information Collected from Children
Web site operators are prohibited from conditional a child’s participate on the basis of disclosing more personal information than is reasonably necessary to participate. The collection of personal information from a child ought to be limited to that which is reasonable for participation. For instance, a web site operator cannot offer a prize for greater disclosure of personal information. Parents should also be given the option to consent to the collection and use of their children’s personal information. They should also be permitted to prevent disclosure of such information to third party affiliates.

4. Provide Access upon Verification of Parental Identity
Upon parental request, web site operators are obliged to disclose both the type of information collected from children and the specific information that has been collected. Parents are permitted, at any time, to refuse further use or future collection of personal information from their child. They can also ensure the deletion of their child’s personal information. However, before this happens, operators must verify the identity of the parent in the same methods used for securing parental consent (i.e. those listed in “2. Obtain Verifiable Parental Consent”).

5. Maintain Reasonable Security
Web site operators are obliged to create and implement reasonable mechanisms for protecting the confidentiality, security and integrity of children’s personal information. Examples of such mechanisms include:
• Appropriately destroying unnecessary personal information.
• Limiting employee access to personal information.
• Ensuring physical security of servers.
• Encrypting data during transmission.
• Using firewalls.

Summary
This article looks at the EU-US Safe Harbor framework in light of the CARU Safe Harbor Program, which aims to protect children’s online privacy and meet the requirements of the COPPA (Children’s Online Privacy Protection Act). The CARU program is partially based on the Safe Harbor Compliance Checklist. This checklist is made of the following five elements: (1) Provide Notice; (2) Obtain Verifiable Parental Consent; (3) Limit Collection, Use and Disclosure of Personal Information Collected from Children; (4) Provide Access upon Verification of Parental Identity; and (5) Maintain Reasonable Security.

CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional (CIPP) exam; the Certified Information Privacy Professional/Canada (CIPP/C) exam; the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:
• E.U. Data Protection Directive (95/46/EC) (Foundations: I.D.a.ii.2.)
• E.U. Data Protection Directive – Safe Harbor Status (CIPP/C; II.A.b.iii.)
• International Data Transfers (CIPP; II.C.e.)
• Multinational Compliance – E.U. Data Protection (CIPP; II.C.f.)
• Regulatory Authorities – U.S. Department of Commerce (CIPP; I.A.c.iii.)
• Children’s Online Privacy Protection Act of 2000; COPPA (CIPP/G; I.B.a.ii.)

Background: Information Access Commissioner

As early as 1971, with the passing of Quebec’s Consumer Protection Act, all individuals were guaranteed right of access to their credit records. Later, the Professional Code and other laws governing professions were developed. Quebec’s Information Access Commissioner (Commission d’accèss à l’information du Québec, or CAI) was created on June 22, 1982 in response to increased public concern over privacy protection issues as well as enabling access to information. The CAI prides itself as a leader in developing an innovative privacy framework.

The CAI is responsible for overseeing two major privacy laws:

• the Act Respecting Access to Documents held by Public Bodies and the Protection of Public Information (referred to as the Public Sector Act)
• the Act Respecting the Protection of Personal Information in the Private Sector (referred to as the Private Sector Act)

There are three main functions of the CAI:

1. Adjudicate

• The CAI functions as an administrative tribunal.
• Reviews decisions of public authorities who refuse individuals access to personal files or administrative documents.
• Resolves misunderstandings regarding the Private Sector Act.
• Goes through the processes of: mediation, hearings with both parties, decisions, appeals at the Court of Quebec.

2. Supervise

• The CAI oversees compliance regarding the collection, storage, use and communication of personal data in the private and public sectors.
• The CAI may authorize the transfer of personal information, give opinions on agreements, carry out investigations or verify compliance with privacy legislation.

3. Advise

• The CAI facilitates implementation strategies for ensuring compliance with provincial privacy legislation.
• The advisory function of the CAI is preventative and educational.
• Some examples of this function include: telephone information service; publishing guidelines and information documents; assessing pilot projects; attending conferences and conventions.

Consent According to the CAI

The concept of consent is central to the Private Sector Act and Public Sector Acts. The CAI defines consent as the agreement to collect personal information. Consent is a deliberate act on the part of the individual that must meet all of the following characteristics:

• Manifest: This means that consent must be clear, certain and indisputable.
• Free: This means that the individual was not compelled to give his/her consent.
• Enlightened: this means that consent must be precise, rigorous and specific. The individual giving the consent must be made well aware to make an informed decision on the scope of the consent. The organization collecting the information must indicate:
  • the information that will be communicated
  • to whom the information will be communicated
  • why and how the information will be communicated
  • the consequences of collecting and communicating the information
  • Specific: The consent must be given for a specific purpose and a pre-defined length of time in order to meet the purposes the organization indicated.

Public Sector Privacy in Quebec

The Public Sector Act, enacted in 1982, regulates documents held by public bodies and the protection of personal information. There are two main components of the Act. The first gives individuals right of access to their documents held by public bodies. The second component gives maximum protection to personal data held by public bodies. It recognizes right of access as well as right of correction of personal data.

The Public Sector Act applies to the following organizations:

• Government departments and agencies
• Municipalities, metropolitan communities, regional county municipalities
• School boards, subsidized private educational institutions, colleges, universities
• Health and social services networks
• Youth centers, shelters
• Clinics and hospitals

Requests for access or correction to personal data files must be responded to within twenty calendar days of receipt. Individuals encountering difficulties with this application, or individuals being denied access or correction may seek redress through the CAI.

Private Sector Privacy in Quebec

In 1994, Quebec was the first Canadian jurisdiction to enact private sector privacy legislation. The federal legislation regarding private sector privacy (Personal Information Protection and Electronic Documents Act, or PIPEDA) was enacted in 2000, while other similar provincial legislation (PIPA Alberta, PIPA British Columbia) were passed in 2004.

This gave Quebec’s CAI and the Quebec courts over ten years of experience in interpreting and applying the provisions. This provided a rich body of jurisprudence which has offered invaluable insight for other jurisdictions overseeing private sector privacy compliance.

There are four main principles of the Quebec Private Sector Act:

• A person (an individual or corporation) must have a serious, reasonable and legitimate reason for establishing a file of personal information on someone.
• Every individual has the right to access his/her file, unless the rights of third parties are violated, or there is a serious reason to refuse access.
• Every individual has the right to correct an inaccurate, incomplete or obsolete file.
• Every individual or corporation that opens a file about an individual is responsible for maintaining confidentiality.

The Private Sector Act applies to any person or company carrying on an enterprise in the province of Quebec, who collects, holds, uses or communicates personal information. Under the Act, the definition of an enterprise takes the following four elements into account:

• the operations of the enterprise are repetitive jurisdictional acts
• there is coordination between human and material resources
• the enterprise responds to and aims to satisfy certain needs
• the success of the enterprise is depended on market forces and efforts

For instance, an enterprise may include:

• private medical clinics
• unions
• law firms

Applying the Private Sector Act

Private enterprises are entitled to collect personal information, but this information must be deemed necessary to its ability to perform the service. The enterprise is responsible for informing the individual of:

• the object of the file
• the use for the information
• the categories of people who will have access to the information within the organization
• the location of the file
• the individual’s rights of access or correction

The following examples present situations in which the Private Sector Act can be applied:

Example #1

In a retail store, an individual intends to purchase a good or a service with her credit card. The merchant requires the customer to show her driver’s license and asks for information indicated on another card before processing the sale.

According to the CAI, the credit card has all the necessary personal information. The fact that the customer has the credit card implicitly indicates that the customer has already provided her identifying information. No additional personal information should be collected as it is unnecessary for the processing of the transaction.

Example #2

At a video rental store, the clerk requires customers to identify themselves with their driver’s licenses. The store also wants to keep the driver’s license number on file for future rentals. The store refuses to provide customers with membership to the services, unless the customers provide the requested information.

According to the CAI, no enterprise is entitled to collect the driver’s license information from individuals. Only peace officers and the automobile insurance agency are entitled to this information.

Example #3

The social insurance number (SIN) is an identifying number issued by the federal government for employment and income tax purposes. Although private enterprises may have a justification for collecting this information, the CAI cautions individuals when disclosing this number. Enterprises entitled by law or regulation to collect the SIN may include: employers, Quebec Revenue Ministry, Canada Customs and Revenue Agency.

Example #4

An individual would like to lease an apartment. The landlord has requested that the individual fill out a personal information document. The landlord also requests to conduct a credit check.

A credit check can be conducted with minimum personal information, once consent has been secured. The credit bureau requires the first and last name; current and previous addresses; and the date of birth of the potential tenant. Thus, additional personal information (e.g. driver’s license number, SIN number) is not required for the landlord’s purposes. The landlord cannot refuse to rent the apartment on this basis.

Substantially Similar

Quebec’s Private Sector Act was deemed substantially similar to the federal PIPEDA. Essentially, the declaration indicates that the provincial legislation is equivalent to the federal legislation and effectively incorporates the ten principles of the PIPEDA.

The effect is that the PIPEDA does not apply to the organizations in Quebec that are subject to private sector legislation. However, the PIPEDA continues to apply to federal works, undertakings and businesses in the province of Quebec as well as transborder flows of data over the course of commercial activities.

Summary

This article discusses provincial legislation regarding privacy in Quebec. It outlines the Public Sector Act and the Private Sector Act. Given that Quebec was the first jurisdiction to develop and implement privacy protection legislation, the Acts provide a useful resource for other Canadian jurisdictions.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

• Act Respecting the Protection of Personal Information in the Private Sector (Quebec) (III.A.d.)
• Canadian Public Sector Privacy (IV.A.)

Introducing Google Buzz

Google launched what it expected would be the Twitter/Facebook competitor, Google Buzz on February 9, 2010. It was advertised as “a new way to share updates, photos, videos and more, and start conversations about the things you find interesting.” Buzz was designed to integrate with Gmail – which already had over 146 million users at the time of the launch – and other interface interaction elements with other Google products, such as Google Reader.

The service can also be accessed through supported mobile devices. The mobile version of Buzz is integrated with Google Maps, in order to let users know their location and identify other users who are around them.

Buzz was received with great interest. In the first two days after its launch, tens of millions of users created over nine million posts and comments. On average, there were over 200 posts per minute through mobile phones worldwide.

Responses

However, not all responses to Buzz were positive. Immediately after its introduction, privacy-minded users noticed that Buzz automatically set them up with followers and people to follow. This group of followers is chosen based on the contacts the user emails and chats with the most.

Another issue of concern was that the people a user follows and the people that follow the user are made public to anyone viewing the user’s profile. This is the default setting, which allows anyone who views a profile to see the people who a user chats with or emails most. The implications of this setting were worrisome to some users. For instance, a boss may discover that a subordinate has frequent email contact with executives at a competing firm.

What was distressing to most critics was that Google did not openly explain how the publicly viewable follower lists were determined. Buzz’s unclear opt-out approach put many users in the position of unknowingly sharing personal information. It is clear that Google’s choice to design the lists to show publicly by default was a strategic decision to get as many people using Buzz as quickly as possible. While it may be a helpful setting for some users, others may not feel comfortable with sharing with the world who they email or chat with most.

This glaring privacy flaw was brought to the spotlight two days after Buzz was launched, when Harriet Jacobs saw her personal information revealed to her ex-husband and his abusive friends. Unfortunately, Google automatically allowed her most frequent contacts to view her Google Reader, all the comments on her Reader, as well as her current location, workplace and other sensitive information. Her most frequent email contacts happened to be her ex-husband, his friends and other hostile blog commenters. She was unable to block these users as she never created a Google profile or Buzz profile, which left her unable to prevent them from following her.

Making Changes

Within three days of launching Buzz, Google issued a public apology and made some changes to the program in response to the widely-publicized consumer privacy concerns. It added a more visible opt-out selection to allow users to choose not to show their connections or followers on their profile. This was a rapid response to user concerns, especially when compared to Facebook’s Beacon privacy problems in 2007, which took over a month to resolve.

Although the changes were a positive step in terms of supporting user privacy rights, critics pointed out that Google did not go far enough to address immediate concerns. For instance, the selection box for sharing followers was checked by default. Since this is an option for sharing private or sensitive information, many argued that the box should be unchecked. Given its nature, it would be best to leave that as an opt-in feature.

Furthermore, the opt-out selection did not give users an adequate explanation as to what they were allowing Buzz to publish. Users were not informed that Buzz would publish the list of people they email and chat with most. Although the privacy settings could be adjusted, the problem was that most users do not know how to change these settings. The majority of users simply click “save and continue” until the application is fully set-up, unfortunately reading little of the information contained in the dialog boxes. This made it clear that Google’s changes were an inadequate response to the scope and implication of user’s concerns.

In April 2010, privacy officials from Canada, Germany, France, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK raised privacy concerns regarding Google Buzz, as well as other Google services. The letter pointed out that even months after its launch, Buzz was still disregarding its user’s privacy rights, despite Google’s promises to the contrary.

Opt-In vs. Opt-Out

Opt-out mechanisms give users the opportunity to express non-agreement to a specific purpose. Unless the user takes action to opt-out, the organization assumes consent and proceeds. The organization should clearly inform the users that failing to opt-out means that the user consents to the use or disclosure of information. For instance, the Google Buzz box presented users with the opt-out choice with a pre-checked box that read, “Show the list of people I’m following and the list of people following me on my public profile.”

Opt-in consent is often referred to as “express consent.” With opt-in consent, the organization presents the users with the opportunity to express positive agreement to a stated purpose. Only with the user’s action will the organization assume consent. Opt-in consent is considered the strongest form of consent. The Privacy Commissioner of Canada encourages organizations to use this form of consent wherever it is appropriate, as it is least likely to result in misunderstandings and complaints.

In the Google Buzz case, an effective opt-in statement for new users might have been a checkbox reading “Show the list of people I’m following and the list of people following me on my public profile. Right now, the list is made up of people you email and chat with most.”

Recommendations

Jennifer Stoddart, the federal Privacy Commissioner of Canada expressed her unease over how such a problematic application like Buzz was launched for public use in the first place. Stoddart did not support the decision to release Buzz in its “beta” form, as it should have demonstrated compliance with fair information principles before it was introduced. She felt it was unacceptable to launch a product that had such significant privacy issues, with the intention of addressing those problems only as they arise. This was also not the first time Google made a glaring privacy error, as Google Street View was launched earlier, without consideration of privacy, data protection laws or cultural norms.

Stoddart and the Privacy Commissioner’s Office sent Google a number of recommendations that would enable it to integrate fundamental privacy principles into its online services. The recommendations included:

• Collecting and processing only the minimum amount of personal information that is necessary for achieving the purpose of the product or service.
• Providing clear, unambiguous information regarding the use of personal information.
• Allowing users to provide informed consent.
• Creating privacy-protective default settings.
• Ensuring that privacy control settings are clear and easy to use.
• Ensuring that all personal data is adequately protected.
• Giving users simple procedures for account deletion.
• Honoring user requests in a timely manner.

Summary

This article examines privacy issues raised through the launch of the social networking program Google Buzz. It outlines some critical responses to the privacy settings and risks that the application exposes users to. The article also explores opt-in and opt-out consent mechanisms. Finally, the article takes a look at the Canadian Privacy Commissioner’s response and recommendations to Google Buzz.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

• Online privacy, online data collection (V.B.c.)
• End user expectations (V.C.c.a.i.)
• End user preferences, opt-in vs. opt-out (V.C.c.a.ii.)

The Fair Information Practice Principles

Notice/Awareness

Individuals should receive notice of an entity’s privacy practices prior to the collection of personally identifiable information. Notice allows individuals to make informed choices regarding the use of the personal information. A privacy notice must include:

• A legitimate name and physical address of the entity collecting the data
• The type of data collected
• How collected data will be used
• Any potential third party disclosure of personal information
• Any potential secondary use of personal information

Choice/Consent

Individuals must be able to consent or reject to certain uses of their personal information, particularly with regard to secondary uses and marketing purposes. Two main mechanisms are used to provide consumer with consent options:

• Opt in: Require affirmative consent from the individual. In other words, action must be taken by the individual to START the processing of personal information for secondary uses or disclosures. This may include signing up to receive marketing newsletters, special offers and similar types of communications.
• Opt Out: Requires the implicit consent of the individual. Here consent is assumed because the individual has not stated a desire otherwise. In other words, action must be taken by the individual to STOP the processing of personal information for secondary uses or disclosures. This may include opting out of third party advertising

An individual must be able to view their consent options and change them at any time. Changes should be honored within a reasonable length of time.

Access/Participation

An individual must be able to view the data an entity has on record. They must also be allowed to correct an incomplete or false information contained in their file. Access to data must be granted within a reasonable time frame and at a minimal cost.

Integrity/Security

Data must be accurate, up-to-date, complete and not stored longer than necessary. Security of data must be maintained using physical, technical and administrative safeguards to protect against unauthorized access, use, disclosure and destruction. Safeguards should be implemented in proportion to the security risk or threat, with greater risks or threats using greater resources and stronger protections.

Enforcement/Redress

An individual must be able to file complaints with the entity have their issues addressed.   Furthermore there should be a mechanism in place to ensure compliance with the above standards, either through self or government regulation.

Enforcement of Privacy Practices

The Fair Information Practice Principles are suggestions to guide the use of personal information in connection with business activities and transactions. They are not in themselves a law that must be followed, and as such are not enforceable. However, there are many privacy laws(see below) which make use of the Fair Information Practices to protect personal information.

The United States supports the use of self-regulation to enforce Fair Information Practices. Theoretically, informed consumers will choose to use businesses that implement the Fair Information practices and ensure the protection of their information, forcing those business that do not guarantee such protections out of business. Services such as the Better Business Bureau and online assurance programs build trust between businesses and consumers by providing consumers with a directory of businesses whose privacy practices have been assessed and found to provide adequate protection.

The Fair Information Practice Principles have been criticized because they do not require the creation of a general privacy authority and rely largely on self-regulation, which at times falls short of adequately regulating consumer protection. At the same time, many businesses believe implementing stronger guidelines or regulations would be too costly and detrimental to the growth of business. For now, the United States continues to use a sectoral approach, developing privacy laws as needed.

Laws Using the Fair Information Practice Principles to regulate Privacy

• Fair Credit Reporting Act– Regulated by the Federal Trade Commission, the Fair Credit Reporting Act regulates the use of consumer reports. Requires Notice of disclosure and adverse action, as well as the ability for a consumer to access and rectify inaccuracies in their consumer reports.
• Right to Financial Privacy Act– Protects the privacy of customers using financial institutions from government searches (with exceptions.) RFPA restricts government access to financial records without the individual’s consent or meeting one of the specified exemptions from the rule.
• Children’s Online Privacy and Protection Act–Protects against the collection, use and disclosure of the personal information of children under 13 without parental notice and consent.

Summary:

The Fair Information Practice Principles form the backbone of privacy laws in the United States. Though the principles put forth by the FTC are only considered guidelines, there are some laws that have turned the guidelines into law and even more businesses which choose build trust with consumers by ensuring their privacy through self regulation of the Fair Information Practice Principles. Understanding the principles and their implementation is one of the core concepts all privacy professionals need to know.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Privacy Principles and Definitions including Fair Information Principles(I.B.a.i.)

What is Choice/Consent?

Choice/Consent is the second of five Fair Information Practices published by the FTC to guide the collection, use and disclosure of personal information. The FTC states,“At its simplest, choice means giving consumers options as to how any personal information collected from them may be used.”

There are two forms of consent exercised by individuals.

Opt-in requires the affirmative consent of the individual. The user must take action to allow a business to process their information and provide a product or service. For example, a user may visit a website and submit their email or check a box with their registration to receive the site’s email newsletter.

Opt-out requires the implicit consent of an individual. Since a user has not taken action to stop the processing of their information, they are said to give implicit (unspoken or assumed) consent. When a user receives marketing messages in their mailbox they no longer wish to receive, they may unsubscribe from the newsletter. This is consider opting-out.

The use of the choice/consent mechanism as the main regime for protecting personal information has been widely criticized. It is believed that many consumers are not aware or educated enough in privacy law to understand their rights and ability to control information.

Secondary Use of Information

The FTC defines secondary use as “uses beyond those necessary to complete the contemplated transaction.” Companies are required by law to state in their privacy policies any secondary uses of information including whether it may be disclosed to third parties.

The control of personal information with regard to marketing is the most common implementation of choice/consent. It is used to control the receipt of marketing messages, the use and disclosure of information to third parties, and the collection of information through cookies in order to create tailored advertising. Though the disclosure of information may be necessary to complete a transaction with a company, an individual is allowed to object to any and all secondary use or disclosure of their information.

Mandatory vs. Optional Data Collection

Mandatory is any information that is necessary to complete the immediate transaction. Optional information includes any information an entity may wish to collect about an individual for internal purposes, but is not required to complete the immediate transaction. In a web form, mandatory field must be filled in before the form can be submitted. Optional fields may be left blank or unanswered and the form will still process. By completing optional information fields, an individual is giving their consent to the collection and use of such information.

Businesses practicing responsible information privacy will limit the collection of information, especially that which is optional because the more information collected, the greater the risk to privacy.

Choice/Consent and Regulations

The CAN-SPAM Act of 2003 regulates email marketing messages in the U.S. In addition to content regulations, the CAN-SPAM Act requires all marketing messages to have an unsubscribe mechanism at the bottom and that consumer requests be honored with ten days.

The European Data Directive addresses consent in Article 7 which requires data subject consent for the processing of data, though consent is not required for a few, specific situations. It is also addressed in Article 14 which guarantees the data subjects right to object to the processing of data. Furthermore, Article 8 requires the explicit consent of a data subject to process sensitive information such as racial or ethnic origins, political or religious beliefs, sexual orientation, health information, or trade union membership.

Almost all data protection laws allow individuals the opportunity to make choices regarding the use of their personal information.

In Conclusion:

Choice/Consent deals with an individual’s ability to control the use of their information. Because, as of now, the choice/consent regime is the major framework for protecting privacy in many industries, it is the duty of the consumer to read privacy practices and make informed decisions regarding how they wish their information to be used.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• The Collective View of Privacy Principles: Choice/Consent (I.E.ii)
• Privacy Considerations Online including choice and consent, secondary use of data and mandatory vs. optional information. (III.B.c.i-iii.)