Friday, April 26, 2013

California's Right to Know Act


California recently introduced "AB-1291 Privacy: Right to Know Act of 2013: disclosure of a customer’s personal information."  If enacted, the bill would update California's 2003 "Shine the Light" law (Civil Code Section 1798.80-1798.84) to account for the new data mining technologies and information sharing practices that have proliferated over the past ten years.  According to the bill's sponsor Assemblymember Bonnie Lowenthal, "AB 1291 expands the definition of personal information to include sensitive data, such as location, buying habits, and sexual orientation. By modernizing the requirements, consumers have a right to know not just how their basic information may have been used for junk mail, but also how it's collected and shared with data brokers, advertisers, and others."

The 2003 "Shine the Light" law enabled California residents to find out how businesses utilize their personal information.  In general, the law requires most companies (except federal financial institutions and those with less than 20 employees) that do business with California residents to either disclose how personal information is being shared for direct marketing purposes or allow customers to opt out of information sharing.  The law provides Californians the right once a calendar year to obtain free of charge the type of personal data that a business has disclosed to third parties for direct marketing activities and the names and contact information of all third parties that received the personal data.

Since 2003, data mining and behavioral advertising have proliferated beyond what many may have envisioned when the "Shine the Light" law was enacted. To rein in some of these practices, a coalition of privacy organizations is advocating updating the law to account for new technologies. According to the Wall Street Journal, there has been significant industry backlash against updating the 2003 law.

The Right To Know Act's general principles appear to follow the European Union's philosophy that its citizens have a right to require companies doing business with them to provide them with the type of information that is being collected about them. Europe's privacy laws generally provide its citizens more control than the U.S. over how personal data may be utilized. This was demonstrated when six EU data protection authorities recently initiated coordinated enforcement measures against Google for failing to fix alleged flaws in its 2012 privacy policy update. Google's privacy policy change, along with Austrian law student Max Schrems's experience with Facebook, may have sparked the decision to introduce the Right to Know Act.

Earlier this year, NBC News reported that Equifax has a database that contains almost 200 million employment and salary records that cover more than a third of all U.S. adults. Some of these records may include week-by-week pay stub information. While it may be troubling that Equifax has acquired this detailed information, at least under the Fair Credit Reporting Act consumers are able to obtain a report once a year about the data that is being collected about them.

Personal privacy may be further damaged by the new partnership between Facebook and data brokers Acxiom, Epsilon, and Datalogix that is designed to better monetize the content of their users. The FTC is so concerned about some of the practices of data brokers that late last year it announced that it is studying how the industry collects and utilizes consumer data. In what might be an effort to ward off potential future regulation, Acxiom recently announced it was planning a service to allow consumers to obtain their personal files.

Should advertisers be able to analyze your personal emails and/or your personal files in the cloud and utilize the information for behavioral advertising and/or combine this information with other digital and/or real world data across multiple platforms to create personal user profiles that may be accessed not only by marketers but also by insurance companies, banks, law enforcement, etc.? What if, due to the types of ads that are processed on a particular email account, a company is able to make an inference about one's sexual orientation, race, religion, etc., and this inference is utilized for discriminatory purposes?

The intentions of the law are noble; however, due to the way the bill is currently drafted it may lead to some unintended compliance costs for businesses.  Therefore, I believe the California state legislature should work to find common ground between supporters and opponents of the bill that would increase transparency for consumers without creating an economic hardship on the business community.  

To learn more about these issues you may contact me at www.shearlaw.com.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.  

Tuesday, April 23, 2013

AP Twitter Account Hack Causes Dow Jones to Plunge

As social media becomes a bigger part of our everyday lives, the legal issues surrounding social media increase greatly.  One of the verified Associated Press Twitter accounts was hacked earlier today and the hacker tweeted, "Breaking: Two Explosions in the White House and Barack Obama is injured".   Within minutes the Dow Jones Industrial Average plunged 140 points.

Hacking into the AP's Twitter account may violate multiple federal and state laws. Was this hack done to intentionally create chaos and/or harm our financial markets? Was the hacker testing how the U.S. financial markets, and/or the media, and/or the government would react to the hack? What was the motive behind the hack? Was this just a big joke done for personal pleasure? Do those who lost money in the stock market because of the hack have a cause of action against the hacker?

These are some of the many questions that may be answered in the near future.
   

Thursday, April 18, 2013

Will Social Media Crowdsourcing Catch The Boston Marathon Terrorists?

The Boston Marathon terrorist bombing was a cowardly act that killed at least 3 people, caused at least 13 people to lose limbs, and hospitalized 183. This terrorist act should remind us that post-9/11 there are still threats to democracy and our way of life.

While our nation mourns this terrible tragedy, law enforcement officials are hard at work trying to capture the perpetrators of this dastardly act. One of the tools that the police are utilizing in their hunt for the terrorists is social media crowdsourcing. According to Wikipedia, crowdsourcing "is the practice of obtaining needed services, ideas, or content by soliciting contributions from a large group of people, and especially from an online community". Will social media be able to quicken the pace to identify and then capture the perpetrators of this tragedy?

Facebook, Google, and Microsoft have each been fined and/or forced to change their practices because some of their activities have been found to violate state and/or federal laws or regulations. While some of these practices have raised the angst of regulators and/or privacy advocates, the technology of these companies may also help catch the Boston Marathon terrorists.

Facebook has been utilized by Massachusetts authorities to catch criminals. Google Earth has been used to solve various crimes. Microsoft worked with the New York City Police Department to develop a counter-terrorism and crime prevention system. While some of these technologies may be leading us closer to a surveillance state, they may also help prevent terrorism and catch criminals.


Monday, April 15, 2013

When will the FTC follow the EU's lead in protecting digital privacy?


Are Google's March 2012 privacy policy changes legal?  This is a question that the European data protection authorities have been working on since Google first announced its intention to change its privacy policies in January 2012.  Soon after the announcement, France asked European data protection authorities to open an inquiry into the matter. In addition, U.S. Representative Edward Markey announced his intention to ask the FTC whether Google's privacy policy changes were also legal in the United States.   

On April 2, 2013, the United Kingdom's Information Commissioner's Office (ICO) stated, "the ICO has launched an investigation into whether Google’s revised March 2012 privacy policy is compliant with the (European) Data Protection Act. The action follows an initial investigation by the French data protection authority CNIL, on behalf of the Article 29 group of which the ICO is a member. Several data protection authorities across Europe are now considering whether the policy is compliant with their own national legislation." 

The ICO's announcement was in conjunction with France's Commission nationale de l’informatique et des libertés (CNIL-France's privacy body) press release that stated on March 19, 2013, "representatives of Google Inc. were invited at their request to meet with the taskforce led by the CNIL and composed of data protection authorities of France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom. Following this meeting, no change (by Google to its Privacy Policy) has been seen."  The CNIL further stated, "[t]he article 29 working party’s analysis is finalized. It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation."

How will this development affect Google? It means that French data protection authorities, along with regulators in the UK, Netherlands, Germany, Spain and Italy, may take joint legal action, involving an investigation and possible fines, over Google's privacy policy changes that enable it to combine the data it obtains from users across all of its digital services. The ICO has the authority to levy fines of up to £500,000 for breaches of the Data Protection Act. The CNIL may fine an entity up to €300,000 (£255,000). While these fines may not be much of a deterrent to Google and/or other companies to stop allegedly violating European privacy laws, regulators may also sue to block a company from operating in Europe. If this route is taken against Google and/or others it may harm a company's ability to operate in Europe.

How will the EU's continued privacy law investigations into Google's practices affect Google's users in the United States?  When will the FTC follow the EU's lead and request more information about Google's updated privacy policies?  While it is too soon to speculate on the FTC's next move, it would not surprise me if the FTC eventually investigates Google and/or others who change their privacy policies to better enable the data mining of users' content. 

The EU data protection authorities and the FTC must properly balance the personal privacy rights of citizens with the ability of digital companies to continue to thrive and expand. Should Apple, Facebook, Google, etc. be allowed to collect, archive, and utilize user data without any limits? Last December, there was a major outcry when Instagram (Facebook bought it last year for $1 billion) changed its privacy policy so it would be able to better data mine/monetize the personal content of its users. Only after a very public uproar did Instagram reverse course on most of its proposed privacy policy changes.

What if Instagram had followed through with all of its planned privacy policy changes? Would users have any real recourse against the service absent deleting their account? Should digital platforms be able to change their privacy policies to enable them to better data mine their users' personal data at any time? Some digital services/platforms (e.g., Apple, Facebook, Google, etc.) have become so intertwined in our lives that users may be willing to agree to any updated terms to continue to participate.

The television show South Park had an interesting observation about what happens when a company changes its policies in an episode last year titled "the Human Centipad". This episode demonstrated, to the extreme, what may happen when a company is able to unilaterally change its policies and its users must agree to them to continue to utilize the service.

When Apple, Facebook, Google, etc. update their policies and these changes appear to erode personal privacy protections and/or enable more data mining that does not appear to be in the best interest of users, should regulatory authorities around the world, including the FTC, stop or modify these changes? If Google's privacy policy changes are not legal in Europe, should they be legal in the United States? Should European digital users be afforded greater privacy protections than those in the United States?


Tuesday, April 9, 2013

Utah Bans Student-Athlete Social Media Monitoring Firms

Utah recently became the latest state to enact legislation that bans schools from deploying social media monitoring firms that require students to verify their social media user names and/or passwords. Utah joins Delaware, California, Michigan, and New Jersey in protecting their schools, students, and taxpayers from social media snake oil salesmen who are selling legal liability time bombs.

The Utah legislation appears to have been prompted by a Time Magazine article that discussed the student-athlete social media policy of one Utah school. This academic institution appeared to require student-athletes to sign a social media policy that stated, "To the extent that any federal, state, or local law prohibits the Athletic Department from accessing my social networking accounts, I hereby waive any and all such rights and protections." According to constitutional law expert Professor Phil Closius, this student-athlete social media policy was "clearly suspect". Under Utah's new law (H.B. 100), this policy is not just clearly suspect but against the law.

What does Utah's new law along with similar laws across the country mean for schools?  In short, academic institutions need to re-examine their student-athlete social media policies and education programs to ensure compliance with all applicable state and federal laws.  Athletic departments need to understand that social media is not just a public relations issue but a serious legal matter that requires the counsel of social media law experts who understand college athletics and NCAA compliance.  Drafting and implementing improper student-athlete social media policies may create millions of dollars in legal liability. 

Consultants who sell "student-athlete social media monitoring services" to athletic departments are selling legal liability time bombs.  Deadspin has already exposed several companies as having no connection to college athletics before starting their "social media monitoring firms". Some companies that are approaching colleges appear to be making material misrepresentations to market their services.  For example, how does someone transition from being a health care recruiter to a social media student-athlete compliance and education consultant overnight? 

The bottom line is that states across the country are banning schools from being able to deploy firms to monitor and archive their students' personal digital content.  These laws may cumulatively save schools around the United States hundreds of millions of dollars in monitoring, legal, compliance, and insurance costs.

In order for social media monitoring services to properly function, students must at least verify their social media user names. Absent student verification, these services are unable to work properly. Furthermore, athletic departments should not be fooled into believing these services are compliant with all state and/or federal laws. In general, these companies also claim their services are educational tools while others claim they want to protect the online reputation of schools and/or students. Has anyone asked those who are approaching schools for their teaching credentials?

It appears that the founders of these companies have no verifiable experience that would lend any credibility to their claims.  Consultants who are marketing student-athlete social media monitoring services to athletic departments do not understand social media, NCAA compliance, public policy, or the law; and they apparently care more about making a sale than protecting schools and student-athletes.     


Monday, April 8, 2013

Arkansas Bans NCAA Student-Athlete Social Media Monitoring Companies

Arkansas has become the latest state to enact legislation that bans schools from deploying social media monitoring firms to track their students' personal digital accounts. Arkansas joins Delaware, California, Michigan, New Jersey and Utah in protecting their schools, students, and taxpayers from fear and misinformation.

Consultants who sell student-athlete social media monitoring services to athletic departments are selling legal liability time bombs.  Deadspin has already exposed several companies as having no connection to college athletics before starting their "social media monitoring firms". Some companies that are approaching colleges appear to be making material misrepresentations to market their services.

One consultant (who appears to have no verifiable experience in college athletics, social media, law, or compliance before he started selling his services to NCAA schools) quoted me in a press release touting his social media monitoring service last year. Quoting me to market a service that may create tremendous legal liability for NCAA schools is very troubling. Lawyers and risk professionals who understand this issue would never endorse a service that may increase a school's legal liability and/or may advise an academic institution to violate state and/or federal law.

The bottom line is that states across the country are banning schools from being able to deploy firms to monitor and archive their students' personal digital content.  These laws may cumulatively save schools around the United States hundreds of millions of dollars in monitoring, legal, compliance, and insurance costs.


Monday, April 1, 2013

University of Maryland Law School's Symposium on Social Media and the Law

On Friday, April 5, 2013, from 9:00 am to 3:30 pm the University of Maryland Francis King Carey School of Law's Journal of Business & Technology Law is sponsoring a symposium titled, "Social Media and the Law: An Exploratory Look into the Legal Effects of Online Interconnectedness." The event is free, open to the general public, and lunch will be provided to those who RSVP.

Speakers will present on a range of topics, including: the constitutionality of student athlete social media policies; the relationship between social media interfaces and copyright law; and how social media laws are developing with respect to employment law, contracts, and privacy matters. Our speakers include private practitioners, a higher education media relations representative, and professors of law and communications. To RSVP please visit the Journal's website: http://www.law.umaryland.edu/academics/journals/jbtl/symposia.html .