Personally Identifiable Information

On November 2, 2016, California Attorney General Kamala Harris released a report outlining best practices for the education technology industry (“Ed Tech”).  In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Attorney General Harris noted the need to implement robust safeguards for collection, use, and sharing

In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:

“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device.   The FTC previously has taken the position that browser and device identifiers are deserving of privacy protections, but the FTC generally has avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email, and address) except in the narrow context of children’s privacy.  (The FTC’s rule implementing the Children’s Online Privacy Protection Act defines “personal information” to include a “persistent identifier that can be used to recognize a user over time and across different Web sites or online services.”)
Continue Reading FTC’s Jessica Rich Argues IP Addresses and Other Persistent Identifiers Are “Personally Identifiable”

As part of our continuing coverage of the Congressional Privacy Bill, we provide below a deeper examination and explanation of Title II of the bill, the Do Not Track Kids Act of 2015.  The Do Not Track Kids Act of 2015 amends the Children’s Online Privacy Protection Act (“COPPA”) by making its protections more expansive and robust.  Specifically, the bill extends COPPA’s protections to teenagers, expands the scope of the entities subject to COPPA’s provisions, and imposes new obligations on those entities.

COPPA currently requires websites and online services that knowingly collect information from children under the age of 13 or that are targeted toward children under the age of 13 to make certain disclosures and obtain parental consent before collecting and using personally identifiable information obtained from children.
Continue Reading Congressional Privacy Bill: Do Not Track Kids Act of 2015

By Caleb Skeath

As we reported last this week, the Congressional Privacy Bill (S. 547/H.R. 1053) contains provisions that would establish a national data breach notice law, along with the Commercial Privacy Rights Act of 2015 and the Do Not Track Kids Act of 2015.  Following our analysis of the Commercial Privacy Rights Act, we have analyzed the bill’s data breach provisions below.  These provisions would allow for up to 60-days for individual notifications following discovery of a breach, and the bill’s definition of “personally identifiable information” (PII) is significantly broader than any anologous definition within the current state data breach notification laws.  Continue reading for an in-depth analysis of the data breach provisions, and stay tuned for forthcoming analysis of the Do Not Track Kids Act of 2015.
Continue Reading Congressional Privacy Bill: Data Breach Notice Provisions

By Caleb Skeath

As we reported yesterday, the Congressional Privacy Bill has been released, following the release of the White House’s proposal for a privacy bill in late February.  The bill contains the Commercial Privacy Rights Act of 2015, the Congressional counterpart to the White House’s proposal, along with data breach notification provisions and the “Do Not Track Kids Act of 2015,” which proposes substantial revisions to the Children’s Online Privacy Protection Act (COPPA).  As with the White House proposal, the Privacy Rights Act would implement a comprehensive regime of substantive privacy requirements.  Our analysis of the Commercial Privacy Rights Act is below, and we will separately post further analysis of the data breach provisions as well as the Do Not Track Kids Act.
Continue Reading Congressional Privacy Bill: Commercial Privacy Rights Act of 2015

Last week, California enacted bills SB 1177 and AB 1584, strengthening student privacy protections in the State.

SB 1177 prohibits operators of online sites or mobile apps who know that their services are used primarily for K-12 school purposes and whose services designed and marketed as such (“operators”) from using K-12 student data in four specific ways. First, SB 1177 prohibits operators from engaging in targeted advertising on any website or mobile app (including their own) if the advertising would be based on any information obtained from the operations of its K-12 online site or mobile app. Second, SB 1177 prohibits operators from using information obtained from the operations of the K-12 online site or mobile app to create a “profile” about a K-12 student, unless the profile is created in furtherance of K-12 school purposes. Third, operators are prohibited from selling a student’s information. And, fourth, SB 1177 prohibits operators from disclosing personally identifiable information, unless certain special circumstances exist, such as responding to or participating in judicial process.

In addition to the four prohibitions listed above, SB 1177 places two affirmative requirements on operators. The bill requires that operators “[i]mplement and maintain reasonable security procedures and practices” appropriate to the information protected, and to specifically protect the information from “unauthorized access, destruction, use, modification, or disclosure.” In addition, SB 1177 requires operators to delete personally identifiable information regarding a K-12 student upon request by a school or school district.

AB 1584 addresses the access and use of K-12 student data by third party vendors. AB 1584 explicitly permits local educational agencies to enter into contracts with third parties to provide online services relating to management of pupil records or to otherwise access, store, and use pupil records in the course of performing contractual obligations.
Continue Reading California Strengthens Student Privacy Protections