Peer-reviewed article

What Do They Really Know About Me in the Cloud? A Comparative Law Perspective on Protecting Privacy and Security of Sensitive Consumer Data

2013; Wiley; Volume: 50; Issue: 2; Language: English

10.1111/ablj.12012

ISSN

1744-1714

Authors

Nancy J. King, V.T. Raja

Topic(s)

Digitalization, Law, and Regulation

Abstract

American Business Law Journal, Volume 50, Issue 2, pp. 413-482. Original Article.

What Do They Really Know About Me in the Cloud? A Comparative Law Perspective on Protecting Privacy and Security of Sensitive Consumer Data

Nancy J. King, V.T. Raja

First published: 28 May 2013. https://doi.org/10.1111/ablj.12012. Citations: 8.

This article received the Holmes-Cardozo Award for Outstanding Submitted Conference Paper and the Ralph J. Bunche Award for best paper on international law at the 2012 Annual Conference of the Academy of Legal Studies in Business. We would like to thank the editors and reviewers of the American Business Law Journal for their insightful comments to improve this article.

Footnotes

1. See Robert Krulwich, How Much Do They Know About Me in the 'Cloud'?, Krulwich Wonders (Feb. 27, 2012, 11:10 AM), http://www.npr.org/blogs/krulwich/2012/02/27/147497042/how-much-do-they-know-about-me-in-the-cloud (discussing a video by Mark Rigely, a graphic designer from San Francisco, California, showing "how emails, ISP data, weblogs and voice data are being used to paint our portraits, and how, with time, those portraits become dense with detail, pattern and personality"). According to Rigely, "The average user will have 736 pieces of this personal information collected every day." Id.; see also James Ball, Me and My Data: How Much Do the Internet Giants Really Know?, The Guardian, Apr. 22, 2012, at 12.

2. See Omer Tene & Jules Polonetsky, Privacy in the Age of Big Data: A Time for Big Decisions, 64 Stan. L. Rev. Online 63, 65 (Feb. 2, 2012), http://www.stanfordlawreview.org/sites/default/files/online/topics/64-SLRO-63_1.pdf (commenting that the "tasks of ensuring data security and protecting privacy become harder as information is multiplied and shared ever more widely around the world").

3. Cloud-sourcing is the outsourcing of elements of an organization's information technology (IT) infrastructure with access achieved via the Internet. Andrew Joint et al., Hey, You, Get Off of that Cloud?, 25 Computer L. & Security Rev. 270, 270 (2009).

4. See World Economic Forum, Advancing Cloud Computing: What to Do Now? Priorities for Industry and Governments 5 (2011), available at http://www3.weforum.org/docs/WEF_IT_AdvancedCloudComputing_Report_2011.pdf (explaining that in cloud architectures it is not always clear under which legal jurisdiction data in the cloud fall because cloud architectures may split up and store data in multiple locations; noting also that in some cases it is impossible to determine where a particular piece of data is physically located at a particular moment).

5. See Battle of the Clouds, Economist, Oct. 15, 2009, at 16, available at http://www.economist.com/node/14644393 (noting that consumers benefit from cheaper and more accessible software while businesses benefit from simplification and reduced costs, while also noting potential drawbacks to cloud computing).

6. See, e.g., Online Storage Provider Dropbox Sued over Data Breach, Thomson Reuters News & Insight (July 15, 2011), http://newsandinsight.thomsonreuters.com/California/News/Journal/2011/07_-_July/Online_storage_provider_Dropbox_sued_over_data_breach (reporting the filing of a lawsuit in federal district court in California against an online cloud storage provider that claims invasion of privacy and violation of California's unfair-competition law). The plaintiff in the suit seeks to represent a class of consumers seeking damages and other relief after a data breach occurred that allegedly resulted from a security failure that allowed logged-in users to access data contained in other users' accounts. Id.

7. The terms information privacy and data protection are used synonymously in this article and encompass the concept of information security. Protecting the security of personal data is a key principle of data protection laws designed to protect the information privacy of personal data. See, e.g., Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 1063 (4th ed. 2011) (discussing the security safeguards principle from the Organization for Economic Cooperation and Development's (OECD) 1980 guidelines for the transfer of personal information across national borders, which provide that "personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data"). The term personal data refers to personally identifiable data about a natural person. Id. at 872–73, 1112. As used in this article, the term consumer refers to one who is acting for personal, household or family purposes. See, e.g., A Handbook of Business Law Terms 136 (Bryan A. Garner ed., 1999). Personal data about customers in the hands of businesses may be consumer data to the extent that the customer is a natural person as opposed to a business.

8. Article 29 Data Protection Working Party, Opinion 8/2010 on Applicable Law, at 21, 0836-02/10/EN WP 179 (Dec. 16, 2010) [hereinafter Art. 29 Opinion 8/2010], available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf.

9. United States—Trade, Eur. Commission, http://ec.europa.eu/trade/issues/bilateral/countries/usa/index_en.htm (last updated Oct. 29, 2012). Of course, regulators around the world have similar concerns about weak or inconsistent privacy laws that may hinder cross-border provision of online services.

10. Significant international efforts to establish information privacy principles and industry self-regulatory codes to support global commerce have produced the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and a 2011 report by the OECD. See Press Release, Federal Trade Commission, FTC Welcomes a New Privacy System for the Movement of Consumer Data Between the United States and Other Economies in the Asia-Pacific Region (Nov. 14, 2011), available at http://www.ftc.gov/opa/2011/11/apec.shtm (commenting on a self-regulatory code of conduct that the Federal Trade Commission (FTC) and U.S. Department of Commerce helped to create, designed to establish more consistent privacy protections for consumers when their data move between countries with different privacy regimes in the APEC region); Org. for Econ. Co-operation and Dev., The Evolving Privacy Landscape: 30 Years After the OECD Privacy Guidelines (2011), available at http://www.umic.pt/images/stories/publicacoes5/Privacy%20Guidelines.pdf (addressing technological changes that have occurred since the OECD's 1980 Privacy Guidelines were adopted).

11. Nigel Kendall, Privacy Matters, Wall St. J. (June 28, 2011, 1:56 PM), http://online.wsj.com/article/SB10001424052702303714704576382892280173266.html (quoting Microsoft's Jean-Philippe Courtois). Courtois argues there are opportunities to find common ground between the privacy regulations of the United States and the EU, especially in light of the efforts of the U.S. Privacy Coalition, which has launched a campaign to urge the U.S. government to support the Council of Europe's Privacy Convention. Id.

12. See infra text accompanying note 19.

13. Commission Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), at 1, COM (2012) 11 final (Jan. 25, 2012) [hereinafter Draft Data Protection Regulation], available at http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

14. Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, 32–33, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

15. The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy 6 n.6 (2012) [hereinafter Consumer Privacy Bill of Rights], available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf (referencing guidance from the National Institute of Standards and Technology on the five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service).

16. Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (2012) [hereinafter FTC Report 2012], available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.

17. Honor Mahony, EU Gets to Grips with Cloud Computing, EUobserver (Apr. 5, 2011, 4:22 PM), http://euobserver.com/893/32048.

18. European Network and Info. Sec. Agency, Security and Resilience in Governmental Clouds: Making an Informed Decision 11 (2011) [hereinafter ENISA Guidelines], available at http://www.epractice.eu/files/Security%20and%20Resilience%20in%20Governmental%20Clouds%20-%20Making%20an%20informed%20decision.pdf (guiding European public agencies on the use of cloud computing).

19. See id.

20. See Pew/Elon Study: Cloud Computing Will Expand, Security and Privacy Issues Must Be Addressed, Elec. Privacy Info. Ctr. (June 11, 2010), http://epic.org/2010/06/pewelon-study-cloud-computing.html.

21. See Drew Amorosi, Data Breach Spring, Infosecurity Mag. (June 30, 2011), http://www.infosecurity-magazine.com/view/19084/data-breach-spring/ (summarizing the major security breaches that occurred in 2011, which in some cases affected both European and U.S. consumers, and discussing whether the frequency and scope of these security breaches may stimulate adoption of stronger consumer privacy regulation and enforcement).

22. See, e.g., Identity Fraud Rose 13 Percent in 2011 According to New Javelin Strategy & Research Report, Javelin Strategy & Research (Feb. 22, 2012), https://www.javelinstrategy.com/news/1314/92/Identity-Fraud-Rose-13-Percent-in-2011-According-to-New-Javelin-Strategy-Research-Report/d,pressRoomDetail (finding that "victims of data breaches are 9.5 times more likely to be a victim of identity fraud" than nonvictims).

23. U.K. Info. Comm'r's Office, Personal Information Online Code of Practice 40 (2010) [hereinafter UK Online Code of Practice], available at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf.

24. Peter Mell & Timothy Grance, U.S. Dep't of Commerce, Nat'l Inst. of Standards & Tech., Special Pub. No. 800-145, The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology 1–2 (2011) [hereinafter NIST Definition], available at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf; see also Lee Badger et al., U.S. Dep't of Commerce, Nat'l Inst. of Standards and Tech., Special Pub. No. 800-146, Draft Cloud Computing Synopsis and Recommendations (2011) [hereinafter NIST Guidance], available at http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf (using the definition of cloud computing from NIST Definition, supra); The NIST Cloud Computing Project, Nat'l Inst. Standards & Tech., http://csrc.nist.gov/nice/states/maryland/posters/cloud-computing.pdf (last visited Oct. 29, 2012) (using a similar definition).

25. See NIST Guidance, supra note 24, at ES-1 (commenting on the economic benefits to cloud subscribers of using public or outsourced cloud computing services).

26. Ashlee Vance, An Open-Source Food Fight in the Cloud, Bloomberg Businessweek (Apr. 3, 2012), http://www.businessweek.com/articles/2012-04-03/an-open-source-food-fight-in-the-cloud.

27. Id. Vance discusses the emerging role of open-source cloud software projects, such as Citrix's CloudStack software, that enable any service provider to create its own cloud computing system that will be able to interact with Amazon's cloud service. Id.

28. A private cloud describes cloud infrastructure that is operated solely for an organization. It may be managed by the organization or by a third party, and it may exist on premise or off premise. A community cloud describes cloud infrastructure that is shared by several organizations and supports a specific community that has shared concerns that may include mission, security, policy, and compliance considerations. A community cloud may be managed by the organizations in the community or a third party, and it may exist on premise or off premise. A public cloud describes cloud infrastructure that is made available to the general public or a large industry group. It is usually managed by a CSP who sells its services to the public, and the cloud generally exists off premise from its users. A hybrid cloud describes cloud infrastructure that is composed of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). See NIST Definition, supra note 24, at 3; see also ENISA Guidelines, supra note 18, at 27–28 (referring to the basic cloud types as "architectural solutions").

29. NIST Definition, supra note 24, at 2.

30. For clarification, this article focuses on the security and privacy challenges of using public cloud computing. It is, however, recognized that the use of Virtual Private Clouds (VPC) may allow organizations to exercise more control and enhance security in the cloud. See, e.g., Amazon Virtual Private Cloud, Amazon Web Servs., http://aws.amazon.com/vpc/ (last visited Nov. 25, 2012) (explaining Amazon's VPC offerings).

31. See Mark Prinsley, Privacy Concerns in Clouds, Fin. Times (Mar. 7, 2011, 4:34 PM), http://www.ft.com/intl/cms/s/0/269a0312-48d2-11e0-9739-00144feab49a.html#axzz1uQ9Ajsaq ("Processing in 'the cloud' may involve a complex web of parties processing data in a variety of locations around the world by sub-contractors of the party with whom the customer has contracted."). One challenge of applying the EU's Directive to international data transfers in cloud computing is that the current regulation relies on a definition of data transfer from "point to point," while data transfers in cloud computing may be continuous. Peter Hustinx, European Data Prot. Supervisor, Address at the Third European Cyber Security Day: Data Protection and Cloud Computing Under EU Law (Apr. 13, 2010) [hereinafter Hustinx Speech], available at http://www.edps.europa.eu/EDPSWEB/webdav/shared/Documents/EDPS/Publications/Speeches/2010/10-04-13_Speech_Cloud_Computing_EN.pdf.

32. See UK Online Code of Practice, supra note 23, at 28 (noting that "[e]ven if your company is based in the UK and only offers services to people in the UK, your use of internet-based computing may still involve transferring personal data overseas"); Prinsley, supra note 31 ("Cloud computing involves a degree of loss of control of data by the customer so that the service provider, and not the customer, makes decisions about how the data is processed."); see also Andrew L. Goldstein, Exploring Legal Issues in the Cloud, Computer Tech. Rev. (Nov. 14, 2011, 11:27), http://wwpi.com/index.php?option=com_content&view=article&id=13911:exploring-legal-issues-in-the-cloud&catid=317:ctr-exclusives&Itemid=2701734 ("Some cloud providers . . . refuse to reveal where data is stored or processed . . . [while other] cloud vendors (such as Amazon) offer the option to store a customer's data only in a certain country or area, such as the U.S. or the EU.").

33. Goldstein, supra note 32 (noting reports of data breaches by major CSPs including Google, Amazon, and Salesforce.com and commenting that "nearly half of IT executives reported a security lapse or security issue with their cloud services provider within the last 12 months").

34. "Information security is an essential component of information privacy: it is often said that privacy is not possible without security." Peter P. Swire & Sol Bermann, Information Privacy: Official Reference for the Certified Information Privacy Professional (CIPP) 161 (2007). "'Information Security' describes the systems, policies and controls within a typical, enterprise-level information security operation." Id. Providing adequate security for customer data may be a legal requirement; for example, "having poor security and failing to maintain responsibility for the personal data" that a business collects violates EU data protection laws. UK Online Code of Practice, supra note 23, at 36.

35. Andrew C. DeVore, Cloud Computing: Privacy Storm on the Horizon?, 20 Alb. L.J. Sci. & Tech. 365, 369–73 (2010); see also Nancy J. King & V.T. Raja, Protecting the Privacy and Security of Sensitive Customer Data in the Cloud, 28 Computer L. & Security Rev. 308, 309–10 (2012) (providing an overview of the strengths and weaknesses of cloud computing in terms of privacy and security).

36. Comm. of Ministers, The Protection of Individuals with Regard to Automatic Processing of Personal Data in the Context of Profiling, 1099th meeting, 23 Nov. 2010, Doc. No. CM/Rec (2010)13, 8 app. § 1 (2010), available at https://wcd.coe.int/ViewDoc.jsp?id=1710949&Site=CM. See generally Directive 2000/31/EC, of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular E-Commerce, in the Internal Market, 2000 O.J. (L 178) 1; Directive 95/46/EC, supra note 14, art. 17. Personal data is defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Id. art. 2(a). The EU's Article 29 Working Party considered the question of whether cookies and IP addresses are personal data and concluded that both IP addresses and cookies containing unique user identification are personal data. Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, at 16–17, 01248/07/EN/WP 136 (June 20, 2007), available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf.

37. See Directive 95/46/EC, supra note 14, para. 10 (explaining that one of the purposes of EU laws regulating the processing of personal data is to protect the fundamental rights and freedoms of European people, notably the right to privacy, which is recognized in article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms).

38. Virginia Boyd, Financial Privacy in the United States and the European Union: A Path to Transatlantic Regulatory Harmonization, 24 Berkeley J. Int'l L. 939, 965 (2006) (citing Douwe Korff, EC Study on the Implementation of the Data Protection Directive 78 (Study Contract ETD/2001/B5-3001/A/49, July–Sept. 2002), available at http://ssrn.com/abstract=1287667).

39. Directive 95/46/EC, supra note 14, arts. 8(1), (2)(a) (prohibiting the processing of special categories of personal data without the data subject's explicit consent or another lawful basis); see also King & Raja, supra note 35, at 310.

40. Directive 2002/58/EC, of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, art. 9(1), 2002 O.J. (L 201) 37–47.

41. See Julia Angwin, Bill Would Curb Data Gathering, Wall St. J., Mar. 10, 2011, at B2 (reporting proposed federal legislation by Senators McCain and Kerry that "would create the nation's first comprehensive privacy law, covering personal-data gathering"). As of the date of this writing, the McCain/Kerry bill has not yet become law.

42. Children's Online Privacy Protection Act of 1998, Pub. L. No. 105-277, 112 Stat. 2681 (codified at 15 U.S.C. §§ 6501–6506 (2006)) [hereinafter COPPA]; see also Janine Hiller et al., POCKET Protection, 45 Am. Bus. L.J. 417, 417–18 (2008) (discussing a $1 million fine against Xanga.com for failing to adhere to COPPA).

43. Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338 (codified at 15 U.S.C. §§ 6801–6809 (2006)) [hereinafter GLB]. The GLB's safeguards rule requires companies handling nonpublic personal information (NPI) to have written information security plans that describe how a company has prepared for and plans to protect NPI. Jared A. Harshbarger, Cloud Computing Providers and Data Security Law: Building Trust with United States Companies, 16 J. Tech. L. & Pol'y 229, 240–41 (2011).

44. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 1173, 110 Stat. 1936, 2024–25 (codified as amended at 42 U.S.C. § 1320d-2 (Supp. 2011)) [hereinafter HIPAA]. Regulations adopted under HIPAA set the standards for protecting the privacy of protected health information (PHI). Harshbarger, supra note 43, at 239–40. These regulations specify eighteen data points, known as protected health identifiers, that could potentially identify a patient. Id. PHI must be protected from disclosure by reasonable and appropriate means including administrative, physical, and technical safeguards and risk assessments. Id. Technical safeguards required for PHI that are likely relevant to cloud service applications include those related to "passwords and keys, unique identification, digital signatures, firewalls, virus protection, virtual private networks and encryption." Id. at 240.

45. Fair Credit Reporting Act of 1970, Pub. L. No. 91-508, 84 Stat. 1114 (codified at 15 U.S.C. §§ 1681–1681x (2006)). Also relevant are the Red Flag Rules issued by the FTC under the Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, § 114, 117 Stat. 1960–61. Harshbarger, supra note 43, at 241–42. The Red Flag Rules supplement requirements under HIPAA and GLB that are designed to prevent identity theft. Id. The Red Flag Rules require financial institutions and creditors to have written identity theft prevention programs that are designed to identify, detect, and respond to patterns of behavior known as "red flags" that may indicate identity theft is occurring. Id.

46. Federal Trade Commission Act, Pub. L. No. 63-203, ch. 311, § 5, 38 Stat. 719–21 (1914) (codified as amended at 15 U.S.C. § 45(a)(2) (2006)) (generally referred to as section 5 of the FTC Act).

47. See, e.g., Complaint, In re Life Is Good, Inc., No. C-4218 (F.T.C. Jan. 17, 2008), available at http://www.ftc.gov/os/caselist/0723046/080117complaint.pdf (accusing an online retailer of deceptive trade practices by promising through its privacy policy that it would keep customer personal data secure when, in fact, the data were not stored securely).

48. See Nancy J. King & Pernille Wegener Jessen, Profiling the Mobile Customer—Privacy Concerns When Behavioural Advertisers Target Mobile Phones—Part I, 26 Computer L. & Security Rev. 455, 468–69 (2010) (discussing FTC powers and an action against one website that had failed to follow its own privacy policy). Deceptive practices include material misrepresentations or omissions that are likely to mislead reasonable consumers, while unfair practices involve substantial harm to consumers where the harm is not reasonably avoidable by consumers and the benefits of the practices to consumers do not outweigh the harm. Id. at 468 n.109.

49. See, e.g., Stipulated Final Judgment and Order for Civil Penalties, Permanent Injunction, and Other Equitable Relief, United States v. ChoicePoint, Inc., No. 0523069 (N.D. Ga. Jan. 26, 2006), available at http://www.ftc.gov/os/caselist/choicepoint/0523069stip.pdf (reflecting that ChoicePoint agreed to pay $10 million in civil penalties and $5 million in consumer redress for violations of the FTC Act that occurred when its failure to put reasonable security policies in place compromised the sensitive personal data of consumers).

50. Decision and Order, BJ's Wholesale Club, Inc., No. C-4148 (F.T.C. Sept. 20, 2005), available at http://www.ftc.gov/os/caselist/0423160/092305do0423160.pdf (treating as an unfair trade practice the company's failure to adequately secure sensitive personal information, including credit card numbers, which allowed hackers to acquire customers' personal data and make fraudulent credit card charges).

51. The FTC did not specify which items were sensitive, but it required BJ's Wholesale Club to design a personal data safeguards program appropriate to protect the sensitivity of the data, which included customers' names, phone numbers, residence addresses, telephone numbers, Social Security numbers, credit and debit card information, personal identifiers such as customer numbers held in "cookies" that identified individual consumers, and other information combined with one of the previously listed items. Id. at 2–3.

52. Complaint and Injunction, Request for Investigation and for Other Relief, Google, Inc., F.T.C. No. 1023136 (Mar. 17, 2009), available at http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf.

53. See id. Google provides an array of cloud services including e-mail, online document storage and editing, integrated desktop and internet search, and scheduling programs. See id. at 5.

54. Id. at 13.

55. For a description of fair information practices and the origin of the concept, see Solove & Schwartz, supra note 7, at 698–99 (noting that fair information practices "can be understood most simply as the rights and responsibilities that are associated with the transfer and use of personal information"). "Not only have Fair Information Practices played a significant role in framing privacy laws in the United States, these basic principles have also contributed to the development of privacy laws around the world and even to the development of important international guidelines for privacy protection." Marc Rotenberg, Fair Information Practices and the Architecture of Privacy (What Larry Doesn't Get), 2001 Stan. Tech. L. Rev. 1, ¶ 44 (2001), http://stlr.stanford.edu/pdf/rotenberg-fair-info-practices.pdf (footnote omitted).

56. See infra note 138 (providing examples of the type of information that can be considered PII). Since at least 2009 the FTC has expressed the view that there is a need to go beyond strict definitions of PII in order to protect personal data associated with computers and other personal communication devices. See, e.g., Fed. Trade Comm'n, Self-Regulatory Principles for Online Behavioral Advertising 22–23 (2009) [hereinafter FTC Guidelines], available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf (giving reasons that include the possibility of merging non-PII with PII and the development of new and more sophisticated technologies enabling linking of non-PII and PII; the capacity for certain information that is anonymous by itself to become identifiable when combined and linked by a common identifier; recognition that the distinction between PII and non-PII may have no bearing on the sensitivity of the privacy risks at issue, since a user's searches on a computer may reveal sensitive private information to another user of the computer; and evidence that consumers are concerned about the collection of their data online regardless of whether the information is characterized as PII).

57. FTC Report 2012, supra note 16, at 18.

58. Id. at 20–21.

59. Id.

60. Id.

61. Id. at 21. In a departure from the FTC's earlier guidance, affiliated companies are treated as third-party companies, unless the affiliate relationship is clear to consumers. Id. at 41–42. In guidelines issued in 2010, due to "heightened privacy concerns and the potential for significant consumer harm from
