Sunday, May 2, 2010

What To Look For In Any Proposed Privacy Regulations

Recently, there has been a great deal of discussion in the United States regarding the privacy implications of collecting and using spatial (or location) data. In February, Congressional hearings were held on privacy and location-based services. The Federal Trade Commission (FTC) has asked for comments on whether the Children’s Online Privacy Protection Act should address the collection of geolocation data. In addition, privacy officials from a number of countries sent a well-publicized letter to Google criticizing its privacy practices with respect to a number of well-known services, including Google Street View.

Scrutiny of spatial technology from a privacy standpoint was to be expected, given the current legal and policy framework in the United States with respect to the collection of personal information in general. (Spatial Data Privacy and the Law: What a Spatial Data Company Can Do? (July 25, 2006)) As a result, the industry can expect increased calls for federal privacy regulation with regard to the collection, use and distribution of spatial data. In fact, Representative Rick Boucher, chairman of the House Subcommittee on Communications, Technology and the Internet, is quoted as saying "I think you can expect to see this [topic] emerge as part of a larger legislative item".

However, in many instances legislators, regulators and their respective staffs will be addressing this issue with a limited understanding of the technology. As a result, there is a good chance that the language they use will be unclear or overly broad. Therefore, companies should be particularly mindful of the exact wording on the following items:

1. What is the nature and type of spatial data that is being considered for regulation? Terms such as “spatial data”, “geolocation data” or “location data” are broad and will need to be further defined. These definitions will be crucial.

2. What companies might be subject to regulation? Similarly, the definition of the company or industry subject to the proposed regulation will be very important.

3. Does the proposed regulation apply to collection, use and/or distribution? Proposed regulations may permit the collection of spatial data but limit its use for certain purposes. Alternatively, regulations may restrict the ability to distribute the data to a third party. Such nuances could be very important to a company’s current and/or future operations.

4. Are notice and/or consent requirements included? Is consent or notice required to collect data? What constitutes consent? Does the proposed regulation include “opt-in” requirements? Are additional steps required to distribute the data or is notice/consent only required once? Particular attention should be paid to these requirements.

5. What security measures are required with respect to data? Privacy regimes will frequently require safeguards to ensure that any data collected is protected from improper use by either outside hackers or internal employees. It is important to understand what safeguards are being proposed and their potential impact on operations.
