California privacy -- The just-published California budget nixes the California Office of Privacy Protection, the first state-level privacy office in the United States and the source of crucial privacy assistance and information for Californians and California businesses. The World Privacy Forum is urging the Governor to reinstate funding for this critical office for Californians.
Important software update for Apple users -- We have revised our iPhone and iPad privacy tipsheet to reflect Apple's new software update for the iOS4 devices. We encourage all iOS4 device owners to update their software. Some device owners may also want to opt out of location sharing.
If the devices are left with older versions of the iOS4 software, the data stored on the iPhones and iPads will be unencrypted and can include latitude, longitude, when the location was visited, for how long, and the data could have been collected for as long as a year. Up to 2 MG of data can be stored, which can be a lot of location data.
Update -- We have updated our tipsheet to reflect the new information that has been published regarding the Apple smart phone geolocation issue. Apple plans to make changes to its software to improve the privacy problems the tipsheet discusses.
Apple Privacy -- Some of Apple's products, including iOS 4 iPhones and iPads, have been tracking consumers' detailed location information and storing the data directly on the devices. This raises privacy concerns, as the data on the phones and iPads is unencrypted and may be accessed directly. This tipsheet explains iPhone and iPad iOS4 geolocation privacy issues, including who needs to be most concerned about them, and what to do. Health care providers, overseas human rights workers, members of law enforcement and victims of domestic violence are among those who have special considerations and sensitivities to this privacy issue.
Consumers receive breach letters -- Pharmaceutical manufacturer GSK, maker of drugs Paxil, Boniva, Advair, and many others, sent a letter to consumers who had registered on one or more of its product websites. Due to the Epsilon data breach, registrants' names, email, and the product they registered for was breached. Information people give to a company via a pharmaceutical product web site such as this is not usually covered under HIPAA. See our Patient's Guide to HIPAA for more on what is covered under HIPAA and what is not. WPF recommends that consumers use a "throwaway" or temporary email address if deciding to register at a Pharmaceutical product web sites.
Educational Privacy -- The Family Educational Rights and Privacy Act of 1974, FERPA, has been amended substantially. The proposed amendments have been published and are open for comment until May 23, 2011. The current changes impact students' medical, educational, and informational privacy interests. WPF will be filing detailed comments on FERPA, including how the proposal interacts with California privacy laws. We will be posting additional materials on commenting soon.
Joint Comments on HIEs -- California has proposed regulations for health information exchange projects in the state. WPF has submitted comments encouraging more privacy protections, and we are joined in our comments by Privacy Activism and the Center for Digital Democracy. One key request in the comments is that California not allow patient consent to be waived in HIE projects. We are also requesting that California create a unified web listing of its HIE projects for increased transparency and to facilitate patient access to HIE information and policies.
California has proposed regulations for health information exchange projects in the state. WPF has submitted comments encouraging more privacy protections, and we are joined in our comments by Privacy Activism and the Center for Digital Democracy. One key request in the comments is that California not allow patient consent to be waived in HIE projects. We are also requesting that California create a unified web listing of its HIE projects for increased transparency and to facilitate patient access to HIE information and policies.
Data Broker Settlement -- In April 2009, the World Privacy Forum sent the FTC a complaint regarding a lack of online opt-outs for consumers at some online data broker web sites. Our complaint focused on the difficulties online consumers would have opting out of certain web sites. In our complaint, we noted that online consumers were having difficulties with the opt outs. Today the FTC issued a final decision in this matter, and specifically improved online opt outs for consumers at US Search.
Some of the advertising that is done online comes with hooks. Using a variety of technologies, some largely unseen, online advertisers can track online activities, sometimes in profound ways that consumers are not expecting. Not all online advertising has "hooks" that are problematic or that raise privacy challenges. But a type of advertising called "behaviorally targeted advertising" often does. Behavioral advertising has two key components: tracking and targeting.
NTIA Multistakeholder Process -- The US Department of Commerce has announced that it is supporting privacy legislation and a "stakeholder process" to determine self regulatory rules for Internet privacy. WPF wrote about what a fair stakeholder process needs to include in our comments to the US Department of Commerce. We urge that at a minimum, the stakeholder process will include these items: 1) Consumer and business representation be equal in any multi-stakeholder process. 2) Approval of consumer representatives must be a necessary element in any formal decisions, just as the approval of business will be necessary. 3) Consumers must select their own representatives through a process yet to be determined, and consumer representatives may not be designated or limited by business or government. 4) Consumer organization that require financial assistance to participate in the multi- stakeholder process should receive support for travel and other expenses (but not for staff support). 5) Government agencies may participate in the process, but no agency may have a vote. 6) Participants in the process must chose their own rules and presiding officer. 7) Certifiers of accountability with codes of conduct should be not-for-profit organizations that are wholly independent of business, consumers, and government.
The World Privacy Forum submits these comments to the European Advertising Standards Alliance on its Best Practice Recommendation on Online Behavioural Advertising.
Comments on EASA --The World Privacy Forum submitted comments today on the European Advertising Standards Alliance's Best Practice Recommendation on Online Behavioural Advertising. Our comments focus upon three key areas: First, the EASA recommendation fails to recognize the protection of consumer privacy in Online Behavioral Advertising (OBA) as a key policy goal. Second, the recommendation's protections are narrow, creating illusory protections for user privacy, whether or not they opt out of OBA. Finally, we critique the oversight and compliance mechanisms, which are not likely to foster consumer confidence nor police the industry. Drawing upon the WPF's 2007 report, The NAI: Failing at Consumer Protection and at Self-Regulation, the comments argue that EASA's approach suffers from the same weaknesses as self-regulatory approaches deployed in the United States, and that European lawmakers should not replicate the failed American approach. Law students from the Samuelson Law, Technology & Public Policy Clinic helped draft the comments as part of an ongoing project on consumer privacy and OBA.
The World Privacy Forum filed comments with the FTC in response to its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. In our comments, we urge the FTC to take affirmative steps to protect consumer privacy online and offline. Our comments include a brief history of privacy self regulation, and point out how privacy self regulation has consistently failed. The comments also discuss Do Not Track, and urge the FTC to take a broader look at tracking protections for consumers. WPF also specifically requested that the FTC identify credit reporting bureaus subject to Fair Credit Reporting Act regulations and assist consumers in locating those bureaus.
WPF Comments on the FTC Privacy Report -- The World Privacy Forum filed comments with the FTC in response to its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. In our comments, we urge the FTC to take affirmative steps to protect consumer privacy online and offline. Our comments include a brief history of privacy self regulation, and point out how privacy self regulation has consistently failed. The comments also discuss Do Not Track, and urge the FTC to take a broader look at tracking protections for consumers. WPF also specifically requested that the FTC identify credit reporting bureaus subject to Fair Credit Reporting Act regulations and assist consumers in locating those bureaus.
WPF launches Facebook page -- The World Privacy Forum has begun posting materials to its new Facebook page. "Millions of users are looking for information on Facebook. Our goal is to reach consumers with high-quality privacy materials and information, so it makes sense for us to reach out to people through this medium" said executive director Pam Dixon.
The World Privacy Forum filed comments on the US Department of Commerce Green Paper today and urged the department to adopt a fair stakeholder input process that included consumers in a robust and meaningful way. WPF outlined seven specific steps for the department to take to ensure a fair process.
Comments to the Department of Commerce -- The World Privacy Forum filed comments on the US Department of Commerce Green Paper today and urged the department to adopt a fair stakeholder input process that included consumers in a robust and meaningful way. WPF outlined seven specific steps for the department to take to ensure a fair process. The comments are available here.
The World Privacy Forum filed comments today about how medical records and other health information is intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.
Health privacy -- The World Privacy Forum filed comments today about how medical records and other health information is intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.
FTC privacy report -- The Federal Trade Commission has published its report on online privacy. The World Privacy Forum will be issuing comments on the report at 2:30 pm Eastern today in a press briefing.
This report evaluates the US Department of Commerce’s international privacy programs, their efficacy, and their value to business and to consumers. The role of the Commerce Department has become more important in light of the Obama Administration's establishment of a Subcommittee on Privacy and Internet Policy in October 2010. The Subcommittee is chaired jointly by the Department of Commerce and the Department of Justice, and it is intended to promote “individual privacy,” among other things. [1] This report reviews, analyzes, and summarizes major international privacy activities of the Department of Commerce, with a focus on the Safe Harbor Framework established in 2000 with the European Union in response to the requirements of the EU Data Protection Directive. The report also considers briefly the Department’s work on the Asia Pacific Economic Cooperation (APEC) Privacy Framework.
The rise of privacy as an issue of international attention has taken place during the past forty years. Various agencies of the US Government have played roles on international privacy matters, including the State Department, Federal Trade Commission, Department of Homeland Security, Office of Management and Budget, the Department of Commerce, and scattered other agencies. The privacy activities of these agencies have waxed and waned over the decades. Of the US agencies, the US Federal Trade Commission has played by far the most significant role in consumer privacy issues, for example, identity theft, financial privacy, and a host of issues related to privacy and fair business practices. Historically, the Department of Justice, primarily a law enforcement agency, has never played a significant role in consumer privacy. Indeed, in its law enforcement capacity, the Justice Department is often directly antagonistic to the protection of consumer privacy.
The Department of Commerce’s actions on international privacy matters have often been characterized by highly visible but ineffectively administered programs that lack rigor. As this report discusses, three separate studies show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under the Safe Harbor Framework. The Department of Commerce has thus far carried out its functions regarding the Safe Harbor program without ensuring that organizations claiming to comply with the Safe Harbor requirements are actually doing so.