View 20 years of Medical Identity Theft
The World Privacy Forum has mapped
the location of incidents of medical identity theft in the United
States Using Data from the ....
Consumer
Privacy Tip of the Week
Robocall tips
Are you harassed by robocalls? Here's a tip: when you
get a robocall, press 2 on your phone dialpad. Robocalls
are supposed to offer you an automated opt-out, and many robocalls use
the numeral 2 on the phone to get you to the electronic opt out. It
won't work all of the time, but here at WPF we are finding it to be
a useful tip for the robocalls we receive. Here is some additional information
about robocalls from the FTC: http://business.ftc.gov/documents/alt161-reining-robocalls
and http://www.ftc.gov/bcp/edu/microsites/phonefraud/robocalls.shtml
Let us know how this tip is working for you!
05/14/2012 Genetic Privacy | Bioethics
WPF filed
comments with the Presidential Commission for the Study of Bioethics
today urging the Commission to recognize the need for enhanced genetic
privacy protections in a digital world. WPF noted that "The increasing
identifiability of genetic data presents major privacy issues for research
activities that must be acknowledged and addressed." WPF suggested
four key ways that Certificate of Confidentiality programs could be
enhanced for privacy protection, and urged the Commission to speak out
about the importance of protecting patient privacy in research activities
involving genetic information. "The Commission should advocate providing
patients with reasonable controls over research uses of their data as
electronic records develop and spread throughout the health care system."
Public comments may be submitted to the Commission until May 25, 2012.
Read
WPF's Comments to the Presidential Commission for the Study of Bioethics
(PDF)
04/26/2012 Google Drive | Cloud computing
Google Drive -- Google's cloud storage service -- has inspired a round
of stories about cloud
privacy and Google Drive. The stories have reached conflicting conclusions
about privacy risks for users of Google Drive, and consumers are approaching
us with a lot of questions. Google Drive does have a Terms of Service
that is unfriendly. This is a concern for consumers, but it is especially
a concern for businesses or people who work with data subject to either
regulation, or some sort of privilege. Health data, financial data, attorney-client
data, or work produced under non-disclosure agreements all qualify, among
other examples. Recently, the US Department of Health and Human Services
fined
an Arizona health care provider $100,000 for violating HIPAA in part
by using Internet-based email and calendaring systems without a specific
Business Associate Agreement in place. Cloud storage falls into the same
kind of risk scenario. WPF wrote a report that discusses these cloud-based
privacy risks in detail,
Privacy in the Clouds. The risks we discuss in that report
have not changed. If you are a consumer, understand that you need to select
the most private sharing option on Google Drive if you use it. (On our
Facebook newsfeed, we have a brief discussion of Google
Drive share settings with a screenshot.) Also understand that your
information could be subpoenaed without notice to you, including health
information if you place it on Google Drive. For business, there is a
lot of potential risk that needs to be analyzed prior to business use
of Google Drive. See our report
for a detailed discussion of risks and potential mitigations.
Read Privacy
in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing
| See our Cloud
Privacy Page for tips for consumers and business
04/24/2012 Medical ID Theft
WPF has completely updated its landmark
medical identity theft tips and advice for patients and consumers.
"The new FAQ
contains detailed advice for anyone who is a victim of medical ID theft,
or is worried about becoming one," says Pam Dixon. "The FAQ
and our shorter
consumer tips have been updated to reflect our most recent research."
In 2006, WPF published the first known report on medical ID theft and
coined the term. Since then, WPF has been in the forefront of researching
this crime and working to assist victims and those working with victims.
The FAQ and tips are free of charge. More medical ID theft materials may
be accessed at the WPF medical
ID theft page.
Updated
Medical ID Theft FAQ | Updated
Consumer Tips | Medical
ID Theft page
04/18/2012 Health Privacy | E-health
In a rare enforcement action of HIPAA, HHS
fined an Arizona health care provider $100,000 for a variety of HIPAA
violations, especially regarding electronic exchanges of protected health
information. The HHS document outlining the reasons for the fine should
act as a wake-up call to health care providers using public email, calendaring,
and other tools for communication of ePHI. HHS specifically noted that
the fined health care provider did not conduct an adequate risk assessment
prior to using the email and Internet tools. The full HHS document is
a must-read for health care providers. WPF has been warning about the
need for full e-risk assessments since 2005 and strongly advocates for
medical-identity-theft-specific risk assessments.
Read
the HHS enforcement agreement | Read
WPF's best practice document for medical ID theft
04/11/2012 WPF Completes Medical ID Theft Training
Medical ID Theft Training
Pam Dixon of WPF conducted a detailed training for law enforcement and
health care professionals on medical identity theft detection, prevention,
and cures. The training was held at the campus of the Denver Health Medical
Center. Visit the WPF
Medical ID Theft page for more information about medical identity
theft, including questions and answers for victims, best practices for
health care providers, and a geographical map of the crime.
Visit
the WPF Medical ID Theft Page
04/02/2012 WPF comments on Multi-Stakeholder Process
WPF filed two sets of comments with the US Department of Commerce regarding
the MultiStakeholder Process and the privacy topics to be taken up. The
first set of comments was WPF's formal filing of the joint Civil
Society MultiStakeholder Principles on behalf of WPF and the American
Civil Liberties Union, Center for Digital Democracy, Consumer Action,
Consumer Federation of America, Consumers' Union, Consumer Watchdog, Electronic
Frontier Foundation, National Consumers' League, Privacy Rights Clearinghouse,
and US PIRG. The second set of comments was WPF's
own comments to the Department. WPF urged the Department to employ
a fair process, choose focused topics, and to apply the full range of
the Consumer Privacy Bill of Rights to each topic.
Read
the WPF comments | See the joint
Civil Society MultiStakeholder Principles
03/26/2012 Data Broker opt out
WPF Strongly Endorses Centralized Data Broker Opt-Out Mechanism
WPF, in 2011
comments to the FTC, urged
the FTC to create a centralized place for consumers to opt-out of data
broker tracking. This is a long-standing issue WPF has worked on.
Previously, WPF filed
a petition in 2009 to the FTC regarding mail-in data broker opt outs,
which resulted
in an FTC action and improvements for consumers. In its new report
published today, the FTC
has picked up WPF's centralized opt out recommendation, specifically
citing WPF's comments. From its report: "The Commission recommends
that the data broker industry explore the idea of creating a centralized
website where data brokers that compile and sell data for marketing could
identify themselves to consumers and describe how they collect consumer
data and disclose the types of companies to which they sell the information."
The WPF strongly supports this idea and views assistance to consumers
in this area as vital.
WPF
April 2009 Data Broker Complaint | FTC
2010 settlement and response to WPF data broker complaint
03/26/2012 FTC privacy report
The FTC's new
privacy report -- a long-awaited planbook for privacy in the digital
age -- has picked up several
key recommendations the WPF has made. First, the report picks up WPF's
direct recommendation in its
2011 comments that the FTC set up a centralized web site to allow
consumers to opt out of data brokers. The FTC has directly called for
this as a primary part of its
report. The WPF strongly supports this. Pam Dixon of the WPF originated
the Do Not Track idea in 2007, and with a group of privacy experts, submitted
the original idea to the FTC that year. Now, DNT has also made it into
the final FTC report. The FTC report also acknowledges that privacy self-regulatory
efforts have not gone far enough, and cited the WPF comments in this area.
The FTC is planning on working with the Department of Commerce's privacy
multi stakeholder process. WPF led a coalition of civil liberties, privacy,
and consumer groups in drafting civil
society guidelines for the privacy multi stakeholder process.
WPF's
2011 formal recommendations to the FTC | Final
FTC report | Civil
Society guidelines for multistakeholder process
03/14/2012 following WPF on Facebook
WPF maintains an active
Facebook page, and it features slightly different content than our
home website. For Facebook, we make regular newsfeed postings about WPF
activities and also post content for people who want to follow privacy
via their Facebook newsfeeds. This past week, stories we've posted include
a report on the economics of privacy, the new Pew study on privacy, a
privacy-related human interest story, and news about the VZBW lawsuit
in Germany against Facebook. It's not the only way to keep up with WPF,
but if you are on Facebook a lot, it is a good way. Our page is located
here.
WPF Facebook page
02/23/2012 MultiStakeholder Privacy Principles
The World Privacy Forum has led an effort to craft a
set of principles with the nation’s leading civil liberties,
privacy, and consumer groups. Today, the groups are releasing a set of
baseline Multi-Stakeholder
Principles in response to the U.S. Department of Commerce’s
plan for a multi-stakeholder process on privacy. (The U.S. Department
of Commerce is undertaking a representative process for bringing together
members of industry and civil society to form new privacy rules.) These
leading groups believe that for the multi-stakeholder process to succeed,
it must be representative of all stakeholders and must operate under procedures
that are fair, transparent, and credible. The World Privacy Forum
and the signatories of these baseline principles believe the principles
will provide the multi-stakeholder process the legitimacy it needs to
succeed. Protecting the online privacy of consumers is crucial to ensuring
the availability, utility, and vitality of the Internet. For any approach
to privacy to be meaningful, it must reflect fair information practices,
including mechanisms to assure accountability. Signatories to the baseline
principles include the World Privacy Forum, American Civil Liberties Union,
Center for Digital Democracy, Consumer Action, Consumer Federation of
America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation,
National Consumers League, Privacy Rights Clearinghouse and U.S. PIRG.
The principles are here.
02/17/2012 Online privacy | NAI | FTC complaint
The World Privacy Forum filed
a complaint with the US Federal Trade Commission today regarding the
circumvention of users' expressly stated browser privacy choices without
notice. "The World Privacy Forum requests that the Federal Trade
Commission (FTC) investigate Google, Vibrant Media, Media Innovation Group,
and Pointroll for potential violations of Section 5 of the FTC Act. These
companies willfully overrode users’ privacy preferences as expressly
stated by the users in their browser settings. Overriding privacy preferences
and doing so without notice are both unfair and deceptive business practices."
The complaint further requests the Commission look into the companies'
violations of the NAI code, and in Google's case, violation of its consent
agreement with the Commission.
Read
the WPF Complaint to the FTC
02/17/2012 Online privacy | Apple privacy
Companies caught overriding Safari browser privacy settings
Stanford University has released a study
documenting how Google and other companies overrode Safari users' browser
privacy settings. The WPF encourages Apple users to download the Firefox
browser and use Firefox, if at all possible, instead of Safari. Firefox
did not have the same problem, and it allows for additional privacy add-ons,
such as AdBlock Plus, which are helpful privacy-enhancing tools. Firefox
is available here, more about AdBlock Plus is available
here. More about Firefox addons here.
02/01/2012 Search engine privacy
Don't put all of your digital activities in one place ....
WPF has updated its search engine privacy tips page to include more tips
on how to segregate online activities. This has always been important,
and it has become more important in light of Google's announcement that
it will be sharing data across its business units. See the WPF updates
to its search engine privacy tips page.
01/31/2012 Facial recognition | Digital signage
The World Privacy Forum filed extensive
comments to the FTC today following up on Pam Dixon's testimony at
a December 2011 FTC facial recognition privacy workshop. The WPF comments
noted that "A walk-out opt-out is not a viable way of managing consumer
consent in the area of facial recognition or detection technologies."
The comments discussed the importance of recognizing the Face Print as
a unique biometric, and also discussed the need for finding ways of consumer
consent that are reasonable. Given the ubiquity of cameras in some retail
and public spaces, just walking away will become less and less of an option
for consumers going forward, the comments argued. The comments also included
the WPF's groundbreaking report, The
One-Way Mirror Society, and the joint Consumer
Privacy Principles for Digital Signage. These principles were signed
by the nation's leading privacy and consumer groups.
Read
the comments | Read the One
Way Mirror Society Report | See the Consumer
Privacy Principles for Digital Signage
01/30/2012 Consumer financial protection
WPF filed comments with the Consumer Financial Protection Bureau today
asking it to make its consumer complaints database available for research.
Our comments are here.
01/23/2012 GPS tracking | United States v. Jones
The US Supreme Court unanimously ruled that police must get a warrant
before using GPS devices to track criminal suspects. This case was narrow
and dealt specifically with a GPS device physically attached to a suspect's
vehicle. The concurring opinion of Justice Sotomayor points out that the
subtler issues of digital era tracking were not dealt with in this case,
for example, cell phone tracking, web site tracking, etc. She wrote: "More
fundamentally, it may be necessary to reconsider the premise that an individual
has no reasonable expectation of privacy in information voluntarily disclosed
to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller,
425 U. S. 435, 443 (1976)." She continued: "This approach is
ill suited to the digital age, in which people reveal a great deal of
information about themselves to third parties in the course of carrying
out mundane tasks."
Read
the opinion, United States v. Jones
01/18/2012 SOPA | PIPA
WPF opposes censorship bills; supports right to create and use anonymization
tools to protect privacy
The World Privacy Forum is deeply concerned about the profound, far-reaching
privacy consequences of two bills, SOPA and PIPA. The bills have many
negative aspects. In terms of the privacy impacts, one of the serious
consequences is that the right to create and use anonymization software
tools would be essentially criminalized. The very privacy tools that allowed
the Arab Spring to flourish through anonymized activist activity would
be in legal jeopardy. This is a highly negative outcome, and is negative
enough that WPF strongly opposes these two bills. We are encouraging individuals
to use the well-developed EFF SOPA/PIPA
action center to learn more and to make a stand. The US Department
of State has been involved in an Internet freedom initiative that encourages
the use of Internet tools to encourage freedom and democracy (21st
Century Statecraft paper). Many of the ideas were encapsulated in
a speech
on the topic in 2010 by Secretary of State Clinton. She wrote:
"In the last year, we’ve seen a spike in threats to the
free flow of information. China, Tunisia, and Uzbekistan have stepped
up their censorship of the internet. In Vietnam, access to popular
social networking sites has suddenly disappeared. And last Friday
in Egypt, 30 bloggers and activists were detained. One member of this
group, Bassem Samir, who is thankfully no longer in prison, is with
us today. So while it is clear that the spread of these technologies
is transforming our world, it is still unclear how that transformation
will affect the human rights and the human welfare of the world’s
population.
On their own, new technologies do not take sides in the struggle for
freedom and progress, but the United States does. We stand for a single
internet where all of humanity has equal access to knowledge and ideas.
And we recognize that the world’s information infrastructure
will become what we and others make of it. Now, this challenge may
be new, but our responsibility to help ensure the free exchange of
ideas goes back to the birth of our republic. The words of the First
Amendment to our Constitution are carved in 50 tons of Tennessee marble
on the front of this building. And every generation of Americans has
worked to protect the values etched in that stone.
Franklin Roosevelt built on these ideas when he delivered his Four
Freedoms speech in 1941. Now, at the time, Americans faced a cavalcade
of crises and a crisis of confidence. But the vision of a world in
which all people enjoyed freedom of expression, freedom of worship,
freedom from want, and freedom from fear transcended the troubles
of his day. And years later, one of my heroes, Eleanor Roosevelt,
worked to have these principles adopted as a cornerstone of the Universal
Declaration of Human Rights. They have provided a lodestar to every
succeeding generation, guiding us, galvanizing us, and enabling us
to move forward in the face of uncertainty.
So as technology hurtles forward, we must think back to that legacy.
We need to synchronize our technological progress with our principles.
In accepting the Nobel Prize, President Obama spoke about the need
to build a world in which peace rests on the inherent rights and dignities
of every individual. And in my speech on human rights at Georgetown
a few days later, I talked about how we must find ways to make human
rights a reality. Today, we find an urgent need to protect
these freedoms on the digital frontiers of the 21st century."
(Remarks on Internet Freedom, Secretary of State Hillary
Rodham Clinton, Jan. 21, 2010.)
We couldn't agree more. It is essential that individuals have the freedom
to create and use privacy-enhancing software without that activity being
criminalized.
EFF
information about SOPA | Full
Text of Secretary Clinton's speech on Internet Freedom
12/30/2011 Facebook
In response to the FTC's proposed settlement with Facebook over the company's
multiple privacy violations, the World Privacy Forum has asked
the FTC to make key changes. "We applaud the FTC for its work
on the Facebook case," said executive director Pam Dixon. "We
support many parts of the settlement. However, we urge the FTC to provide
full redress for affected consumers by rolling back the privacy controls
to the 2009 defaults, and we also urge the FTC to follow the 2004 Gateway
Learning, Corp. precedent and require Facebook to disgorge profits they
made from violating their privacy policy retroactively." The comment
period is open to the public until December 30.
Read
the WPF comments on the Facebook settlement | FTC
Facebook settlement page | Read
all comments on the Facebook settlement (comments due Dec. 30, 2011.)
12/08/2011 Facial Recognition
WPF testifies at FTC facial recognition hearing
Pam Dixon of WPF testified at the FTC's
Facial Recognition workshop, speaking on a panel about the policy
implications of facial recognition technology. The World Privacy Forum's
report on Digital Signage was mentioned several times at the hearing,
as were the collaborative consumer protection principles the WPF led.
In her comments, which are available in the FTC's
transcript of the hearing panel, Dixon noted that opting out of facial
recognition technologies by simply walking away from them was not a solution.
"The walkout opt out is just not credible in an environment of ubiquitous
collection. How much are consumers going to be asked to walk out of?"
FTC facial recognition
workshop | WPF
report: One Way Mirror Society | Consumer
Privacy Principles for facial recognition technology
10/27/2011 Common Rule | Health Privacy
The World Privacy Forum filed extensive
comments with the US Department of Health and Human Services about
its proposed changes regarding the rules governing human subject medical
research. In the comments, WPF noted that the HHS approach to privacy
for research subjects was incomplete and did not use all Fair Information
Practices. WPF strongly urged HHS to revise its proposal on a number of
issues, including consent and the use of biospecimens in research. The
World Privacy Forum is urging HHS to acknowledge that the realm of health
data that is truly non-identifiable has shrunk remarkably; for example,
biospecimens with DNA cannot be considered non-identifiable anymore. "In
our comments, we are requesting that HHS give
individuals the opportunity to make choices about the use of their
own health data and specimens," said executive director Pam Dixon.
WPF also stated in its comments that "A
central database with identifiable information about participants in human
subjects research is a terrible idea." (See p.
21 of WPF comments.)
Read
the WPF comments on the Common Rule proposal (PDF, 22 pages)
10/14/2011 New Report
The World Privacy Forum has published a report on past
self-regulatory efforts in the area of privacy,
Many Failures: A brief history of privacy self-regulation. "Privacy
self-regulation has been a Potemkin Village of consumer protection,"
says executive director Pam Dixon. "History shows a pattern of past
self-regulatory efforts that have been erected quickly and have faded
after regulatory threats fade." The report is authored by Robert
Gellman and Pam Dixon. It includes details about programs such as the
IRSG, the Privacy Leadership Initiative, the Privacy Alliance, and other
programs. A key finding of this report is that the majority of the industry
self-regulatory programs that were initiated failed in one or more substantive
ways, and many disappeared entirely.
Read
the Report (PDF)
10/13/2011 Internet privacy
The World Privacy Forum's executive director Pam Dixon will testify about
online consumer privacy before the House
Committee on Energy and Commerce today. Written testimony is posted
at the Committee
web site, and here.
09/14/2011 Internet privacy
The Trans Atlantic Consumer Dialogue (TACD), which WPF is a member of,
has sent a letter regarding Internet privacy to a Congressional subcommittee
explaining that European privacy controls are not burdensome, but rather
of key importance. The TACD is a forum of more than 80 US and European
consumer groups and represents several hundred million consumers in North
America and the United States.
Read
the TACD letter
08/04/2011 Medical ID Theft
The World Privacy Forum has released a new map that reveals the geography
of medical identity theft. This is the first map of its kind, and is based
on the Federal Trade Commission Consumer Sentinel data. The map is interactive,
and gives details on the cities where medical identity theft occurred
over the course of a year. The World Privacy Forum published the first
report on medical identity theft in 2006, coining the term in the report
and bringing the crime to public attention. WPF continues to actively
research this important privacy issue.
Interactive
map | Medical
ID theft page
08/01/2011 Medical Privacy | HIPAA
The World Privacy Forum today filed its comments
on the proposed changes to the HIPAA privacy rule, supporting some
proposed changes and suggesting additional changes to enhance patient
choice. In particular, the WPF supports the new
patient right to an access report that has been added (p. 4), and
has requested that Health Information Exchanges also be required to provide
accountings of disclosures to patients (p. 18). The WPF generally argued
that
HHS needs to look forward and allow changes in information technology
to fully benefit patients by providing the facility for more accounting
rather than less (pp. 2-3). If the HIPAA rule gives patients a greater
ability to monitor how their information is used and disclosed, patients
will pay attention and requests for accounting of disclosures will become
more common.
Read
the WPF comments
07/15/2011 Online privacy
Digiday Panel Talk
Executive director Pam Dixon will be speaking about online privacy and
consumers at the Digiday Data Management Summit on Monday, July 18.
Panel Information
07/15/2011 HIPAA
The US Department of Health and Human Services has opened sections of
the HIPAA rule for comments. All members of the public may comment on
the proposed changes to the rule. Comments are due by August 1. For more
information, see
the HHS web site.
Related: Patient's
Guide to HIPAA
07/12/2011 Facebook Photo Identification
Consumer Tip: Opt Out of Automatic Facebook Facial Recognition
If you have a Facebook account and if you have ever been tagged in a
photo of yourself on Facebook, we want to alert you to an important Facebook
setting. Unless you have proactively changed your privacy settings, Facebook
will use facial recognition tools to compare photos and make tag suggestions.
When new photos that look like you have been uploaded, Facebook will suggest
tags with your name. To opt out of this, in Facebook go to Account,
then choose Privacy Settings from the drop down
menu. Click the Customize Settings link, and then scroll down
and look for the Suggest Photos of Me to Friends line. To opt
out, click Edit Settings, then choose Disable on the
drop down menu. Also see the Facebook
Photo Tagging help page.
06/27/2011 Medical ID theft
Medical ID theft rising
The World Privacy Forum is quoted in a Marketplace
story regarding our most recent medical identity theft research. WPF
wrote the first major research on medical ID theft and coined the term.
Our consumer resources for detecting, preventing, and resolving the crime
are located here.
Listen
to the Marketplace story | Visit
the WPF medical ID theft page
06/08/2011 Department of Commerce | Cybersecurity
The US Department of Commerce released a green paper on cybersecurity
with recommendations for improving cybersecurity via self regulation,
or voluntary codes of conduct. The report, Cybersecurity,
Innovation, and the Internet Economy also contains a discussion of
some privacy issues, such as the impact of data breach notification laws.
Comments are due in 45 days.
Read
the DOC report | Related: WPF
report on Department of Commerce's privacy programs
05/31/2011 Data breach
The World Privacy Forum filed comments with the Federal Trade Commission
regarding its consent decree against Ceridian regarding a substantial
data breach. WPF has requested that the Commission present more facts
in the case to the public, and has also requested more clarity about the
FTC complaint process, noting that it is not a transparent process for
the public.
Read
the WPF Ceridian comments
05/23/2011 FERPA, Educational privacy
The WPF filed detailed comments on the U.S. Department of Education's
notice of proposed changes to the Family Educational Rights and Privacy
Act. WPF has concerns that the increased sharing of student information
that the proposed rule will allow will diminish student privacy in a significant
and permanent way. WPF is urging the DOE to amend its proposed rule to
establish increased privacy protections for sensitive student information
held in databases and elsewhere.
Read
the WPF comments on FERPA
05/17/2011 California privacy
California budget plan nixes state's privacy office
The just-published California budget nixes the California Office of Privacy
Protection, the first state-level privacy office in the United States
and the source of crucial privacy assistance and information for Californians
and California businesses. The World Privacy Forum is urging the Governor
to reinstate funding for this critical office for Californians. See the
proposed
budget, page 114 for the cuts. WPF will be publishing more about how
to save California's privacy office.
CA
proposed budget (See page 114.)
05/10/2011 Smartphone privacy update
We have revised our iPhone and iPad privacy tipsheet to reflect Apple's
new software update for the iOS4 devices. We encourage all iOS4 device
owners to update their software. Some device owners may also want to opt
out of location sharing. Read
our tipsheet for more details.
04/28/2011 Smartphone privacy update
We have updated our tipsheet to reflect the new information that has
been published regarding the Apple smart phone geolocation issue. Apple
plans to make changes to its software to improve the privacy problems
the tipsheet discusses.
Read
the updated tipsheet
04/21/2011 Apple iPhone and iPad privacy
Some of Apple's products, including iOS 4 iPhones and iPads, have been
tracking consumers' detailed location information and storing the data
directly on the devices. This raises privacy concerns, as the data on
the phones and iPads is unencrypted and may be accessed directly. This
tipsheet explains iPhone and iPad iOS4 geolocation privacy issues, including
who needs to be most concerned about them, and what to do. Health care
providers, overseas human rights workers, members of law enforcement and
victims of domestic violence are among those who have special considerations
and sensitivities to this privacy issue.
Read
the WPF Apple iPhone and iPad consumer tipsheet
04/18/2011 Pharma privacy
Registrants at GSK product web sites receive breach letter
Pharmaceutical manufacturer GSK, maker of drugs Paxil, Boniva, Advair,
and many others, sent a letter to consumers who had registered on one
or more of its product websites. Due to the Epsilon data breach, registrants'
names, email, and the product they registered for were breached. Information
people give to a company via a pharmaceutical product web site such as
this is not usually covered under HIPAA. See our Patient's Guide to HIPAA
for more on what is covered under HIPAA and what is not. WPF recommends
that consumers use a "throwaway" or temporary email address
if deciding to register at a pharmaceutical product web site.
Patient's
Guide to HIPAA: Who Must Comply with HIPAA? | GSK
Breach letter via PHI Privacy.
04/16/2011 FERPA
The Family Educational Rights and Privacy Act of 1974, FERPA, has been
amended substantially. The proposed amendments have been published and
are open for comment until May 23, 2011. The current changes impact students'
medical, educational, and informational privacy interests. WPF will be
filing detailed comments on FERPA, including how the proposal interacts
with California privacy laws. We will be posting additional materials
on commenting soon.
FERPA
notice of proposed rulemaking
04/07/2011 Medical privacy, California HIE
California has proposed regulations for health information exchange projects
in the state. WPF has submitted comments encouraging more privacy protections,
and we are joined in our comments by Privacy Activism and the Center for
Digital Democracy. One key request in the comments is that California
not allow patient consent to be waived in HIE projects. We are also requesting
that California create a unified web listing of its HIE projects for increased
transparency and to facilitate patient access to HIE information and policies.
Read
WPF's comments | Related:
Proposed CA regulations
03/25/2011 Online data broker
WPF complaint to FTC results in online data broker settlement
In April 2009, the World Privacy Forum sent the FTC a
complaint regarding a lack of online opt-outs for consumers at some
online data broker web sites. Our complaint focused on the difficulties
online consumers would have opting out of certain web sites. In our complaint,
we noted that online
consumers were having difficulties with the opt outs. Today the FTC
issued a final decision in this matter, and specifically improved online
opt outs for consumers at US Search.
Read the WPF
data broker complaint | Read the FTC announcement
and decision
(Full docket here.)
| Permalink
03/24/2011 California HIE
Proposed California regulations for electronic health information exchanges
The California Office of Health Information Integrity has proposed regulations
for electronic health information exchange projects based in the state.
The regulations are based on several years of policy work done by the
CalPSAB, a multi-stakeholder board the WPF has participated in as a co-chair.
Comments on the proposed regulations are due April 1. See the CalOHII
notice for more information.
03/19/2011 Commerce
The US Department of Commerce has announced that it is supporting privacy
legislation and a "stakeholder process" to determine self regulatory
rules for Internet privacy. WPF wrote about what a fair stakeholder process
needs to include in our comments to the US Department of Commerce. We
urge that, at a minimum, the stakeholder process include these items:
1) Consumer and business representation be equal in any multi-stakeholder
process.
2) Approval of consumer representatives must be a necessary element in
any formal decisions, just as the approval of business will be necessary.
3) Consumers must select their own representatives through a process yet
to be determined, and consumer representatives may not be designated or
limited by business or government.
4) Consumer organizations that require financial assistance to participate
in the multi-stakeholder process should receive support for travel and
other expenses (but not for staff support).
5) Government agencies may participate in the process, but no agency may
have a vote.
6) Participants in the process must choose their own rules and presiding
officer.
7) Certifiers of accountability with codes of conduct should be not-for-profit
organizations that are wholly independent of business, consumers, and
government.
For more, read our
full comments to Commerce
02/25/2011 EASA
The World Privacy Forum submitted comments
today on the European
Advertising Standards Alliance's Best Practice Recommendation on Online
Behavioural Advertising. Our comments
focus upon three key areas: First, the EASA recommendation fails to recognize
the protection of consumer privacy in Online Behavioral Advertising (OBA)
as a key policy goal. Second, the recommendation's protections are narrow,
creating illusory protections for user privacy, whether or not they opt
out of OBA. Finally, we critique the oversight and compliance mechanisms,
which are not likely to foster consumer confidence nor police the industry.
Drawing upon the WPF's 2007 report, The
NAI: Failing at Consumer Protection and at Self-Regulation, the
comments
argue that EASA's approach suffers from the same weaknesses as self-regulatory
approaches deployed in the United States, and that European lawmakers
should not replicate the failed American approach. Law students from the
Samuelson Law, Technology & Public Policy Clinic helped draft the
comments
as part of an ongoing project on consumer privacy and OBA.
Read
the WPF comments to EASA (PDF, 13 pages) | Related: WPF
2007 NAI report | Related: EASA's
Best Practices Recommendations | Permalink
02/18/2011 FTC
The World Privacy Forum filed comments
with the FTC in response to its preliminary staff report,
Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework
for Businesses and Policymakers.
In our comments, we urge the FTC to take affirmative steps to protect
consumer privacy online and offline. Our comments include a brief history
of privacy self regulation, and point out how privacy self regulation
has consistently failed. The comments also discuss Do Not Track, and urge
the FTC to take a broader look at tracking protections for consumers.
WPF also specifically requested that the FTC identify credit reporting
bureaus subject to Fair Credit Reporting Act regulations and assist consumers
in locating those bureaus.
Read
the WPF comments to the FTC. (PDF, 18 pages) | Related: FTC
Roundtable series | Related: FTC
staff report
02/01/2011 WPF Facebook page
The World Privacy Forum has begun posting materials to its new Facebook
page. "Millions of users are looking for information on Facebook.
Our goal is to reach consumers with high-quality privacy materials and
information, so it makes sense for us to reach out to people through this
medium," said executive director Pam Dixon. The World Privacy Forum
Facebook page is located here: http://www.facebook.com/pages/World-Privacy-Forum/166886663345222?ref=sgm.
01/28/2011 Department of Commerce
The World Privacy Forum filed comments on the US Department of Commerce
Green Paper today and urged the department to adopt a fair stakeholder
input process that included consumers in a robust and meaningful way.
WPF outlined seven specific steps for the department to take to ensure
a fair process. The comments are available here.
Read
the WPF comments (PDF, 6 pages) | Related: See
the Nov. 2010 WPF report on the US-EU Safe Harbor program.
12/10/2010 Medical privacy
The World Privacy Forum filed comments today about how medical records
and other health information are intersecting with online advertising and
online activities. The WPF comments were filed with the Department of
Health and Human Services in response to its request for comments on personal
health records, privacy, and social media.
Read
the full comments | Related: PHR
privacy page | Related:
Patient's Guide to HIPAA
12/01/2010 FTC Privacy Report
The Federal Trade Commission has published its report on online privacy.
The World Privacy Forum will be issuing comments on the report at 2:30
pm Eastern today in a press briefing. Check our Twitter feed for updates.
Twitter: @privacyforum
Read
the FTC report
11/22/2010 New Report
The World Privacy Forum published a new report today that evaluates the
US Department of Commerce's work on privacy protection for consumers,
given its role overseeing such critical programs as the US/EU Safe Harbor
data agreement. The report, The US Department of Commerce and International
Privacy Activities: Indifference and Neglect, identifies a number
of issues of concern regarding the Department's privacy programs, most
particularly, the current Safe Harbor framework. The report's analysis
finds that three separate studies consistently show that many and perhaps
most Safe Harbor participants are not in compliance with their obligations
under Safe Harbor.
Download
the report (PDF, 22 pages) | Permalink
11/18/2010 LifeLock
The Federal Trade Commission began sending checks to almost a million
consumers who were subscribers to the LifeLock ID theft protection service.
LifeLock agreed to pay fines of $11 million to the FTC and $1 million
to a group of state attorneys general to settle charges that had been
made against the company. Consumers with questions about this distribution
may call 888-288-0783 or see the FTC's web page on this, http://www.ftc.gov/refunds.
Read the FTC's
full press release | Visit the FTC's
LifeLock Refund Page
11/09/2010 Opt out, online privacy
The popular WPF Top
Ten Opt Out List has been newly updated. We have added a new section
to our list with step by step details on how to opt out of RapLeaf. We
encourage consumers to view any of their profiles that exist at RapLeaf
and to opt out of RapLeaf permanently. We have also updated the phone
numbers and other information on the rest of our opt out list. To see
more, visit our Opt Out List.
See the
Top Ten Opt Out List | Related: Internet
privacy landing page
10/28/2010 ID theft, legal info
The FTC has published a new ID Theft guide. The new guide is designed
to help attorneys and volunteers who assist ID theft victims. The guide
covers laws that protect victims, and pro bono legal information. A must-read
for those helping victims.
New
FTC ID Theft Guide - pro-bono
10/27/2010 FTC, Google WiFi
Federal Trade Commission drops Google WiFi case; but tells Google that
its internal review processes are inadequate
The FTC sent a letter to Google today expressing concern about the company's
privacy practices, but at the same time, the FTC informed Google that
it was dropping its investigation of the Street View WiFi case. The FTC
wrote: "FTC staff has concerns about the internal policies and procedures
that gave rise to this data collection. ... the company did not discover
that it had been collecting payload data until it responded to a request
for information from a data protection authority." The FTC told Google
it should develop and implement procedures to properly collect, dispose
of, and maintain information.
Read
the full FTC letter to Google
10/26/2010 Resource, case file, Amazon.com v Lay
Amazon.com filed a lawsuit in April to fight the North Carolina Department
of Revenue's request for detailed information on Amazon.com customers.
The North Carolina tax department requested Amazon.com to hand over "all
information for all sales to customers with a North Carolina shipping
address" between 2003 and 2010. In the decision, Seattle, Washington
U.S. District Court Judge Marsha J. Pechman wrote, "Citizens are
entitled to receive information and ideas through books, films, and other
expressive materials anonymously." She also stated that "The
fear of government tracking and censoring one's reading, listening, and
viewing choices chills the exercise of First Amendment rights." This
is an important decision for privacy rights, and online privacy in particular.
Read
the decision (PDF, 26 pages)
09/13/2010 HIPAA, medical privacy
The World Privacy Forum filed two sets of detailed regulatory comments
on recently proposed changes to HIPAA. The first comments focused on proposed
changes to HIPAA in the area of marketing patient information. The proposed
changes would be harmful to patient privacy, and are contrary to the law.
WPF
was joined in the marketing comments by the Center for Digital Democracy,
Consumer Action, Consumer Federation of America, the Electronic Frontier
Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy
Times. The second set of comments WPF filed included the comments
on marketing as well as on additional provisions that would be problematic
if enacted.
8/02/2010 Financial privacy, SEC
The World Privacy Forum filed comments today criticizing the SEC proposed
regulations that would release an unprecedented amount of financial details
about individual borrowers through the EDGAR database. The WPF was joined
by other privacy, consumer, and human rights organizations in its comments,
which focused on the privacy issues with the proposed regulations. Pam
Dixon, executive director of the WPF, stated in the comments that the
SEC's new regulations would "Place on the public record and online
the largest amount of personal financial information about borrowers ever
disclosed, including information never before made public." The comments
also note that the SEC's plan greatly increases the risk of identity theft
for individual borrowers whose information will be released publicly.
Read
the SEC comments
07/21/2010
A press release
issued by Connecticut's AG Richard Blumenthal revealed that 38 states
have joined a multistate investigation of Google's Street View WiFi sniffing
program. Blumenthal stated in the release: “We are asking Google
to identify specific individuals responsible for the snooping code and
how Google was unaware that this code allowed the Street View cars to
collect data broadcast over WiFi networks. Information we are awaiting
includes how the spy software was included in Google’s Street View
network and specific locations where unauthorized data collection occurred.
We will take all appropriate steps -- including potential legal action
if warranted -- to obtain complete, comprehensive answers.”
See the complete
press release
06/15-16/2010
WPF will be speaking at the CFP conference on two panels. On June 15,
Pam Dixon will participate in a plenary session on data brokers. On June
16, Dixon will moderate a health care privacy panel. This panel will focus
on electronic health care in the state of California and the current privacy
issues in electronic health exchange.
CFP conference
web site
06/09/2010
The World Privacy Forum, as co-chair of the California Privacy and Security
Advisory Board, was pleased to vote on an opt-in privacy standard for
Californians in the June CalPSAB board meeting. The standard will be part
of a set of guidelines the state of California uses in its development
of electronic health care records. This set of guidelines was the culmination
of two years of policy work with the CalPSAB board.
See the complete
guidelines | Related: Patient's
Guide to HIPAA
5/18/2010 Medical privacy
The World Privacy Forum filed comments
with the US Department of Health and Human Services today in response
to its Request for Information about possible changes to the HIPAA health
privacy rule. WPF strongly supported patients' current right to request
a history of disclosures of their medical files, and requested an expansion
of this right. WPF noted in its comments to HHS that "An individual
cannot fully protect his/her privacy interest in a health record (and
most other records) unless he/she has a right of access to the record,
the right to propose a correction, and the right to see who has used the
record and to whom it has been disclosed. Each of these elements is essential."
Read
the full WPF comments | Related: Patient's
Guide to HIPAA
2/25/2010 New privacy principles
The nation's leading consumer and privacy groups released a set of baseline
consumer privacy principles to be included in digital signage networks.
The principles were released at the Digital Signage Expo in Las Vegas,
Nevada, where World Privacy Forum executive director Pam Dixon spoke about
the principles to a large group of digital signage industry professionals.
Download
the DS principles document with signatories
1/27/2010 FTC Privacy Roundtable
World Privacy Forum to speak at FTC Privacy Roundtable
Thursday, January 28, WPF Executive Director Pam Dixon will be speaking
at the FTC's Privacy Roundtable about the privacy implications of digital
signage networks and will be specifically discussing the new report: The
One-Way Mirror Society: Privacy Implications of the New Digital Signage
Networks. Few consumers, legislators, regulators, or policy makers
are aware of the capabilities of digital signs or of the extent of their
use. The technology presents new problems and highlights old conflicts
about privacy, public spaces, and the need for a meaningful debate.
More about the
FTC event | Read
the Report
1/04/2010 Genetic discrimination
The World Privacy Forum filed comments today with the Department of Labor
requesting that the DOL expand its protections of how genetic information
may be used by health insurance companies or group health plans. The World
Privacy Forum urged the DOL to include genetic information posted on social
networking sites in its consideration of the GINA regulations.
See
the WPF comments to the DOL | More
on genetic privacy at the WPF
12/07/2009 FTC Privacy Roundtable
FTC Privacy Roundtable: WPF to testify on information brokers
WPF executive director Pam Dixon will testify at the FTC Privacy Roundtable
about information brokers and commercial data practices and how they impact
consumers. Dixon will be discussing the business models of data brokers,
issues with smart grids, and opt-out
problems, among other issues.
See
the WPF written comments to the FTC | Related: WPF
FTC petition re: data broker opt-outs | Related: Smart
Grids and Privacy
12/04/2009 Genetic non-discrimination regulations (GINA)
The World Privacy Forum filed comments on proposed regulations for implementing
Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested
a change to the proposed regulations, asking that the Department of Health
and Human Services require immediate posting of revised notices of privacy
practices on the web sites of affected health plans. Under the proposed
regulations, written notice of revised privacy practices to individuals
could be delayed due to the cost of postal mailing. The WPF noted that
a revised privacy notice posted on a health plan's web site would not
incur postal costs, and that regulated entities should take this minimum
step to inform consumers of any changes regarding privacy practices affecting
genetic non-discrimination.
See
the WPF comments on Title I of GINA | Related: WPF
Genetic privacy page
11/19/2009 Congressional testimony
WPF executive director Pam Dixon testified at a joint subcommittee hearing
focused on privacy and the collection and use of online and offline consumer
information. Dixon's testimony focused on the new "modern permanent
record" and how it is used and created. Dixon said "The merging
of offline and online data is creating highly personalized, granular profiles
of consumers that affect consumers’ opportunities in the marketplace
and in their lives. Consumers are largely unaware of these profiles and
their consequences, and they have insufficient legal rights to change
things even if they did know." The testimony explored concrete examples
of problematic consumer profiling activities.
Read
the full testimony (PDF)
11/11/2009 FTC "Exploring Privacy" Roundtable Series
WPF to speak at FTC Exploring Privacy Roundtable
The World Privacy Forum has been invited to speak at the Federal Trade
Commission's first Privacy Roundtable, to be held December 7, 2009 in
Washington DC.
More
on the FTC Exploring Privacy Roundtables | See the
WPF comments to the FTC for the Roundtable (First filing).
11/06/2009 FTC Privacy Roundtable
The World Privacy Forum filed comments last week for the FTC Privacy
Roundtables, the first of which will be held December 7, 2009. The WPF
comments urged the FTC to consider the Fair Credit Reporting Act as a
key privacy model to apply to additional areas, to use the full version
of Fair Information Practices, and discussed how a rights-based framework
was the key to advancing consumers' interests. The comments discussed
list brokers at length, and explained how even the most informationally
cautious consumer will land on numerous marketing lists and databases.
The WPF comments noted that not all marketing lists are used to target
ads to consumers; some lists and databases are used to deny consumers
goods and services. The comments contain a detailed section on privacy
frameworks, a section on direct marketing, and an appendix with supporting
information.
See WPF's
FTC comments | Related: WPF
Intro to Fair Information Practices page
11/03/2009 Madrid Declaration
A significant civil society document with more than 100 signatories worldwide
has been published in conjunction with the 31st annual meeting of the
International Conference of Privacy and Data Protection Commissioners.
The document, known as the Madrid Declaration, affirms support
for the complete canon of fair
information practices as expressed by the OECD, affirms support of
privacy as a fundamental human right, and warns that "the failure
to safeguard privacy jeopardizes associated freedoms, including freedom
of expression, freedom of assembly, freedom of access to information,
non-discrimination, and ultimately the stability of constitutional democracies."
See the Madrid
Declaration | Related: WPF
Intro to Fair Information Practices page
11/02/2009 Red Flag Rule
The Federal Trade Commission has delayed the enforcement date of the
Red Flag Rule until June 1, 2010.
FTC announcement
of Red Flag delay
10/26/2009 Data Breach | HHS HITECH Breach Notification
The World Privacy Forum filed comments on the HHS data breach rulemaking
and asked for substantive changes in several areas. In particular, WPF
asked HHS to expressly state a requirement for a breach risk assessment
in the final rule itself, and to set a requirement that the risk assessment
must be conducted by an independent organization. The WPF also asked that
HHS set breach risk assessment standards so that there is some uniformity
and guidance as to what constitutes an appropriately rigorous risk assessment
when a breach occurs. In the comments, WPF also discussed the relationship
between medical identity theft and medical data breach and how this impacts
patients and consumers.
Read
the WPF comments on HITECH Breach Notification | Related: Medical
ID theft page
10/22/2009 Security freeze | Financial privacy | identity theft
The World Privacy Forum has updated its credit freeze (security freeze)
page to reflect changes in some state-level laws.
See the
updated security freeze page
09/28/2009 Red Flag | Identity theft
The World Privacy Forum has updated its Red
Flag report, Red Flag and Address Discrepancy Requirements: Suggestions
for Health Care Providers. The update reflects the new effective
date of the Red Flag Rule (November 1, 2009) and incorporates other minor
updates in the text. This report replaces the original Red Flag report
published September 2008.
Read
the updated Red Flag report | Related: Medical
ID Theft Page
08/24/2009 Financial privacy | Privacy Act
The World Privacy Forum filed comments today urging the U.S. Treasury
Department to obtain consumers' consent before checking their credit reports.
Consumers who participate in the government's Home Affordable Modification
Program (HAMP) -- an Obama administration program created to help consumers
renegotiate their mortgages so they can keep their homes -- must allow
the Federal Government to check their credit reports without first obtaining
consent. This procedure sets a negative precedent, and is at odds with
consumer expectations of privacy. The Treasury gave itself this power
in an obscure set of "Routine Uses" in a Privacy Act notice
published along with the proposed system of records for the program. The
World Privacy Forum has objected to this, and has filed detailed comments
with the Treasury about the lack of consumer consent. The public comment
period on this program is open until September 4, 2009.
Read
the WPF comments to the Treasury | Read the
Treasury System of Records Notice | See other WPF Agency comments
at our Agency
Comment Page
08/19/2009 Health IT
The Health IT Standards Committee will be meeting tomorrow, August 20,
from 9 a.m. to 3 p.m. in Washington DC. Those interested in this meeting
can participate in person, or via the phone and web. The privacy and security
workgroup will report at 1:30 pm Eastern. Location and call-in information
is available at
the HHS web site.
Get more
information and details about the meeting (HHS) | WPF
Medical Privacy page
08/17/2009 Data breach rules
The Federal Trade Commission has issued its final Health Breach Notification
Rule for vendors of Personal Health Records and related entities, as required
under ARRA, The American Recovery and Reinvestment Act of 2009. The initial
proposed Health Breach Notification Rule was generally thoughtful and
thorough. The World Privacy Forum submitted extensive
comments on the proposed rule both supporting parts of it and making
some suggestions for changes. The FTC incorporated several specific WPF
suggestions into the final rule. In particular, the FTC incorporated the
applicability of the rule to foreign entities with U.S. customers (Final
Rule p. 17), and the applicability of the rule to search engines appearing
on Personal Health Record web sites (Final Rule p. 34). The new rule will
be published in the Federal Register shortly; until then, it is available
at the FTC web site. Also available is a form that entities covered under
this rule can use to report data breaches to the FTC. The Health Breach
Notification Rule will be effective 30 days after publication in the Federal
Register, and full compliance with the rule will be required beginning
180 days after publication.
See the FTC's
final Health Breach Notification Rule (PDF) | See the
FTC data breach notice form (PDF) | Related: WPF
Personal Health Record page
08/10/2009 Web tracking
The World Privacy Forum filed comments with the Office of Management
and Budget regarding its proposal to begin to allow the use of tracking
cookies on government web sites. The proposal was published in the Federal
Register, and outlined a three-tiered plan for how web tracking technologies
might be used. The Forum's comments focused on methods of opt-out, data
retention, secondary use, user authentication, new tracking technologies
such as Flash cookies, and the need for new opt-out mechanisms. The Forum
also urged the federal government to not allow third party tracking of
consumers' use of government web sites, and to guard against any discrimination
against consumers who do not want to be tracked.
WPF
comments about web tracking on government sites | Federal
Register notice about the program | Related: WPF
Internet privacy landing page
07/17/2009 Cloud computing
The World Privacy Forum sent a letter to Los Angeles Mayor Villaraigosa
today expressing concerns and questions about a proposed contract to move
the city of Los Angeles' email and some other computing tasks to a cloud-based
system. The Forum expressed concerns in particular about the lack of contractual
protection for health data, AIDS data, genetic information, domestic violence
and sexual assault victim information, among other sensitive information.
The Forum suggested the city undertake an independent and thorough risk
assessment prior to completing the contract, and suggested a robust public
comment process that includes all stakeholders. The City will take up
the issue of this contract at a city council Information
Technology Committee meeting on Tuesday
July 21. The World Privacy Forum published a detailed analysis of
the privacy issues of cloud computing in February which outlines the challenges
and ambiguities that governments and others face as they make decisions
about what data to put in the cloud.
WPF
letter to Mayor Villaraigosa | WPF
Cloud Computing Page | WPF
report: Privacy in the Clouds
07/14/2009 Social networks
Facebook, MySpace, Xing receive warning letters from EU consumer group
In the wake of Europe's Article 29 Working Party Opinion on Social Network
Providers adopted in June, the Federation of German Consumer Organizations
(VZBV) has sent out warning letters to five social networking providers
in Germany, including Facebook and MySpace. The letters focus on the excessive
rights the companies allow themselves in their respective Terms of Use
agreements, and on shortcomings in the privacy policies. VZBV is comprised
of 41 German consumer associations.
VZBV press release
(in German) | Related: Article
29 Working Party Opinion on Social Network Providers
07/13/2009 Behavioral advertising
IAB releases flawed guidelines for controlling behavioral advertising
practices
The Interactive Advertising Bureau has released its self-regulatory guidelines
for online advertisers. The guidelines are inadequate to protect consumers,
and in some cases, create loopholes for significant consumer harm. In
the area of sensitive information, the guidelines are especially weak.
The IAB definition of sensitive information is much weaker than the definition
of sensitive information already adopted by industry in the formal NAI
agreement, which is still in effect today. Additionally, the new IAB guidelines
rely on weak accountability standards; a World Privacy Forum report analyzed
the NAI accountability and reporting, and found that the Network Advertising
Initiative (NAI) accountability mechanisms had failed. The IAB accountability
mechanisms do not improve on the NAI accountability mechanisms, and as
such, are problematic at best.
IAB
industry guidelines | Privacy
groups' proposal on behavioral advertising | WPF
report on the failure of online advertising self-regulation
06/19/2009 Social Networking
EU: Article 29 Working Party releases Opinion on social networking sites
The Article 29 Working Party has adopted an important Opinion regarding
social networking sites as of June 12. The opinion covers privacy, advertising,
sensitive information, and other issues relating to online social networking.
Regarding sensitive data, the Article 29 Working Party stated: "Data
revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade-union membership or data concerning health or sex life
is considered sensitive. Sensitive personal data may only be published
on the Internet with the explicit consent from the data subject or if
the data subject has made the data manifestly public himself." Regarding
use of sensitive data to target advertising, the Article 29 opinion stated:
"The Working Party recommends not using sensitive data in behavioral
advertising models, unless all legal requirements are met." The opinion
also stated that the EU Data Protection Directive generally applies to
the processing of personal data by social networking services, even when
their headquarters are outside of the EEA, and that social networking
service providers are considered data controllers under the Data Protection
Directive.
Article
29 WP Opinion on Social Networking sites and press
release | TACD
press release on opinion | TACD
May 2009 Resolution on Social Networks
06/10/2009 TACD
World Privacy Forum at TACD meeting
The World Privacy Forum participated in the Trans Atlantic Consumer Dialogue
meetings in Brussels this June, and is pleased to announce that WPF is
now a full member of the TACD. The TACD is a network of 80 EU and U.S.
consumer organizations that develop joint consumer policy recommendations
for the EU and U.S. in an effort to promote the consumer interest in transatlantic
policymaking.
TACD web site
06/01/2009 Data Breach of Health Records - FTC
The World Privacy Forum filed extensive comments with the Federal Trade
Commission today regarding its notice of proposed rulemaking for data
breaches of information containing actual health care information or health
care-related information. The FTC rulemaking will apply to a variety of
record holders, especially vendors of personal health records. The Forum
supported much of the FTC's proposed rulemaking, finding the rulemaking
generally thoughtful and careful. In some areas, the Forum urged the FTC
to narrow and further define and strengthen the proposed rule. The World
Privacy Forum urged the FTC to tighten language around scope, the definition
of "personal health record," law enforcement delays of consumer
notification, and urged the FTC to further clarify the definition of what
falls under the category of "de-identified data." Citing the
research of Dr. LaTanya Sweeney and others, the Forum urged the FTC to
require commercial companies and others holding health care data that
has been partially de-identified to still report those breaches to the
FTC and the public, and to monitor for re-identification.
Read
the comments | Related: Medical
privacy page | PHR
Page | Medical
ID Theft page
05/21/2009 Health Record Data Breaches - HHS
World Privacy Forum files comments with HHS regarding data breach guidance
The World Privacy Forum filed comments with the Department of Health
and Human Services today regarding the HITECH Act guidance that HHS published
along with a request for comments. The Forum urged the Department to tighten
its proposed guidance, and to add more protections, oversight, and rules
for "limited data set" breaches.
Read the comments | Related: Patient's Guide to HIPAA | Medical Privacy Page | NHIN Page
05/08/2009 Job Search Privacy
The World Privacy Forum's popular and long-standing Job Searcher's Guide
has been completely updated. We have a site-by-site comparison of the
privacy practices of online job search sites. This guide was originally
posted in 2003, and has been updated regularly. This was a major update
of this resource. The World Privacy Forum publishes extensive job search
privacy resources in addition to the Guide, including a very popular guide
to resume posting privacy.
Visit the Job Searcher's Guide | Related: Visit the job search privacy page or visit the resume posting privacy tips
05/07/2009 Credit Freeze
We have updated the World Privacy Forum's state-by-state guide on how
to place a credit, or security, freeze. Only a few states are lacking
a security or credit freeze law now.
Visit the credit freeze page
05/01/2009 Genetic Privacy | GINA
The World Privacy Forum filed comments on the proposed regulations on
the Genetic Information NonDiscrimination Act, or GINA. The comments request
that the Equal Opportunity Employment Commission close down several potential
loopholes in consumer protection in the proposed regulations. The Forum
specifically asked the EEOC to consider curtailing the amount of commercially
available information employers could access about employees, for example,
through marketing databases. WPF also requested that those covered under
GINA be required to maintain audit trails in certain circumstances, and
urged that wellness programs be structured in such a way so as to prevent
information leakage through billing and other activities.
Read the comments | Related: WPF Genetic Privacy Page
04/16/2009 Online privacy | FTC
The World Privacy Forum sent a letter to the Federal Trade Commission
asking it to look into four companies offering online consumers the ability
to opt out, then asking those consumers to use a variety of postal-mail-based
methods to do so.
Read the letter to the FTC | Related: WPF Top Ten Opt Out page
03/27/2009 CVS Caremark | FTC proposed consent agreement
The World Privacy Forum filed comments with the Federal Trade Commission
in response to its proposed consent agreement with the CVS Caremark pharmacy
chain. The proposed agreement is in response to a CVS data breach. The
agreement does not impose a monetary penalty on CVS, and does not provide
remedies for consumers affected by the data breach.
Read the WPF comments | Related: FTC consent agreement with CVS
03/27/2009 CHILI - California Health Information Identification database
A substantial new resource for individuals seeking to research California
laws and regulations regarding health information has come online. The
CHILI database is a project of the California Office of Health Information
Integrity, and has interfaced with the California Privacy and Security
Advisory Board, which the World Privacy Forum co-chairs. The CHILI database
can be searched by HIPAA section, California Code section, California
health information law keywords, or by statutory scheme.
See the CHILI database home page
02/23/2009 New Report
The World Privacy Forum's newest report examines the privacy and confidentiality
issues of cloud computing that have been largely overlooked to date. It
is a thorough analysis with policy findings. Privacy
in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing
was written by Robert Gellman for the World Privacy Forum. Cloud computing
tips for
consumers and business are also available.
Go directly to the report (PDF) | See the report and the consumer tips on the World Privacy Forum Cloud Privacy Page | Read the press release
02/18/2009 Medical privacy | HIPAA | FTC
According to a legal complaint, CVS pharmacies -- the largest pharmacy
chain in the United States -- did not take appropriate steps to protect
its customers' and employees' sensitive information when it improperly
disposed of documents, labels, prescription bottles, and other items with
clearly identifiable and highly sensitive personal information such as
SSNs, prescription information, driver's license numbers, and other information
still on those materials. CVS agreed to pay $2.25 million to settle its
violations of HIPAA as part of a Resolution Agreement with the Department
of Health and Human Services. CVS has also signed a consent agreement
with the FTC; the public can comment on this agreement until March 20,
2009. The World Privacy Forum will be filing comments with the FTC on
the consent agreement with CVS, which we will post here.
Read the FTC complaint against CVS | Read the FTC consent agreement with CVS | Read the HHS Resolution Agreement with CVS
02/12/2009 Internet privacy
FTC releases its online advertising principles; Commissioner Harbour
urges FTC to go beyond self-regulation
The Federal Trade Commission released its self-regulatory principles
for behaviorally-targeted advertising today. The World Privacy Forum will
be holding a press conference responding to the principles at 12:30 p.m.
Eastern.
Read the text of the FTC statements | See the WPF Behavioral Advertising Page for our resources and documents on behavioral advertising
02/05/2009 Biometrics
World Privacy Forum opposes California DMV plan
The California DMV (Division of Motor Vehicles) has proposed, through
an expedited 30-day process, that it begin taking detailed facial scans
of drivers and storing the scans in a state-wide database. This change,
among other proposed DMV changes, represents a substantial policy shift
for the state of California. The World Privacy Forum has urged that this
process go through normal legislative procedures so that there is adequate
time for public input and for formal hearings.
Read the backgrounder
01/28/2009 International Privacy Day
The World Privacy Forum celebrated International Privacy Day by joining
other privacy and civil liberties organizations in encouraging the U.S.
Senate to adopt the Council
of Europe Privacy Convention. The U.S. has already ratified the Council
of Europe Convention on Cybercrime. International Privacy Day was founded
three years ago by the Council of Europe, and is celebrated by privacy,
civil liberties, and consumer groups in Europe, North America and elsewhere.
See the proposed U.S. Senate resolution | Read more about the Council of Europe Privacy Convention | Related: WPF's Fair Information Practices page
01/27/2009 Monster.com | Consumer Alert | Job search privacy
According to the job site Monster.com, its users' IDs and passwords,
email addresses, names, phone numbers, and some "basic demographic
data" were compromised in a data breach. Monster notified victims
of the security breach through its web site on Friday, January 23, 2009.
It is unclear how many people this notice impacts, as Monster.com did
not give an estimate. In press reports, however, Monster has admitted
that the breach is global, with Asia Pacific and Eastern Europe being
spared. Job seekers' information can be used like a road map for criminal
ventures, including identity theft, phishing and spamming. User passwords,
which Monster.com says were compromised in this breach, are especially
valuable as they can potentially be used to access other sites or email
accounts, especially if a person regularly uses the same passwords. The
World Privacy Forum has published a consumer alert about this data breach
with tips for victims. This data breach also impacts USAjobs.com, the
government job search site affiliated with Monster.com.
See the new Consumer Alert with safety tips | See more job search privacy resources
01/05/2009 School privacy | FERPA
New privacy rules for schools released; World Privacy Forum comments
had positive impact for student and parent privacy
In May 2008 the World Privacy Forum submitted detailed comments on proposed
changes to the Family Educational Rights and Privacy Act regulations (FERPA).
The FERPA regulations are the rules that control how schools treat and
release student information. The final FERPA regulations have now been
published and reveal that the World Privacy Forum comments had a positive
impact. The new regulations agreed with WPF's comment that if a school
requests a Federal tax return from a parent, the parent has the right
to redact all financial information from the form, and affirmed that the
school does not have a requirement to ask for the tax form in the first
place. The regulations also agreed with the WPF comment that the risk
of re-identification of published student information is cumulative, and
made recommendations that educational institutions take into account all
releases of student information they have made, not just new releases.
Read the new FERPA regulations (PDF) | See the World Privacy Forum FERPA comments
Privacy
in the Clouds examines the privacy and confidentiality issues of cloud
computing. 
Digital Signage examines the new forms of sophisticated digital signage networks.
WPF EVENTS
WPF India Privacy Forum, July 2012, Mysore, India.
FTC Hearing on Mobile Disclosures, March 30, 2012, Washington,
DC. WPF will be on a panel.
Medical ID Theft training, Denver Health Medical Center,
April 11, 2012, Denver, Colorado.
2012 International Consumer Electronics Show, Las Vegas.
Jan. 10.
FTC Hearing on Facial Recognition, Dec.
8, 2011, Washington, DC.
Consumer Dialogue, Nov. 2, 2011, New York City.
Congressional Testimony: Pam Dixon, October
13, 2011.
National Press Club: Washington, DC, Oct. 11, 2011.
Yes, they know it's you, Q and A.
Digiday Data Management Summit, Park City, Utah, July
18, 2011. Panel on online privacy.
TransAtlantic Consumer Dialogue, Brussels, Belgium,
June 21-22, 2011. Pam Dixon will be presenting a patient's Bill of Rights.
Berkeley Law Do Not Track Roundtable, Berkeley, California,
Feb. 9, 2011. Pam Dixon will be participating in the roundtable.
CalPSAB, December 9, 2010
CFP, San Jose California, June 16, 2010, Pam Dixon will
moderate expert panel on health information exchange.
CFP, San Jose California, June 15 Plenary session on
data brokers and privacy.
CalPSAB, Sacramento, CA, June 9. WPF co-chairs CalPSAB.
NTIA, WPF testimony, Washington DC, May 7, 2010.
IAPP Global Privacy Symposium, April 19, 2010, Washington
DC. Workshop on cloud computing and privacy.
BHIMC, April 15, 2010, Los Angeles, WPF on panel on
health privacy and digital networks.
Digital Signage Expo, Las Vegas Convention Center, February
25, 2010. Panel on digital signage and privacy.
FTC Privacy Roundtable, Information Brokers, Pam Dixon,
December 7, Washington DC.
House Energy & Commerce Committee, November 19, 2009,
Washington DC.
Annual ID Theft Passport Advisory Council Meeting, (I-PAC),
Presentation/briefing on medical identity theft, Sacramento, Nov. 5, 2009.
Center for Ethics in Science and Technology, Identity
theft trends and news, Reuben H. Fleet Science Center, San Diego, Nov.
4, 2009, panel.
New York University Law School, October 2, 2009. Panel
on safe harbors and online privacy.
CalPSAB, September 16, 2009, Sacramento.
California Bar Annual Meeting, September 12, 2009, San
Diego. Panel on global privacy issues.
NNEDV Training of Teachers, August 2009, San Francisco.
Privacy Laws & Business, 22nd International conference July
6-8, 2009. St. John's College, Cambridge, UK.
Trans Atlantic Consumer Dialogue, June 7-10, Brussels,
Belgium. Cloud Computing.
California Western School of Law, April 2, 2009, San
Diego, class lecture on health information technology and privacy.
CalPSAB, March 27, Oakland, California.
NNEDV, March 17-19 2009, San Antonio, Texas.
World Congress, February 23 2009, La Costa, California.
Congressional Internet Caucus, Jan. 14, 2009, Washington
D.C.
World Congress, December 10-11 2008, Washington D.C.
CalPSAB, Dec. Los Angeles, CA.
IPSC2008, co-hosted by World Privacy Forum, November
11-12 Tokyo, Japan.