Consumers Mixed on Retailers’ Use of Facial Recognition Technology

Many consumers are unaware that retailers use facial recognition technology in retail stores to monitor shoppers and prevent shoplifting. Consumers see cameras in retail stores and assume it is to monitor for shoplifting and theft, but many are unaware that facial recognition technology is used so their actual identity can be determined while they are shopping in the store.

The Brookings Institute recently released a survey of 2,000 adults asking about their feelings relating to the use of facial recognition technology in retail stores, airports, schools and stadiums. Fifty percent of the respondents said they were “unfavorable” to the use of facial recognition technology in retail stores to prevent theft and only 27 percent were favorable. Interestingly, the results differ depending on the respondents’ gender and age, and the region in which they live. As to retail stores using facial recognition technology, 51 percent of women were unfavorable to its use, compared to 49 percent of men. Even more interesting, 58 percent of those aged 18-34 were unfavorable, compared to 50 percent of those aged 35-54 and 40 percent of those over 55.

With regard to schools, men were 38 percent and women 37 percent unfavorable to the use of facial recognition technology, and again, those in the 18-34 age bracket were 44 percent unfavorable, compared to 38 percent of those aged 35-54 and 28 percent of those over the age of 55.

When it comes to airports, 46 percent of women were unfavorable to the use of facial recognition technology, compared to 42 percent of men, and in stadiums, 46 percent of women were unfavorable and 40 percent of men were unfavorable to the use of facial recognition technology.

Those living in the west were by far the ones who object to the use of facial recognition technology in all four categories.

The results are very interesting, and some of them make logical sense. They are helpful in determining the temperature of consumers toward emerging technology in everyday life.

Website ADA Lawsuits

One of our clients told us this week that he loves to read the blog and Insider, but that he would really appreciate it if we would point out some hot compliance tips so when he scans the Insider he can see hot button topics that he should be aware of that he might not otherwise know about in the privacy and security world.

We thought it was a great idea, so here is the inaugural hot compliance topic.

Section 5 of the Federal Trade Commission Act requires all consumer-facing websites to include a Privacy Policy or Statement of Privacy Practices to provide consumers with information about how the company collects, maintains and uses consumers’ information provided through the website.

We frequently complete website documents for companies, and we update them based upon new risks and litigation that crops up. For instance, several years ago, there was a rash of lawsuits around the Telephone Consumer Protection Act (TCPA), and many companies updated their websites to reflect language in response to that rash of litigation (among other compliance measures).

In the last year or so, there has been a new rash of class action litigation alleging that websites are not compliant with the Americans with Disabilities Act (ADA), including by failing to allow appropriate access for the visually impaired and, most recently, by failing to provide appropriate access for the physically impaired.

The Department of Justice has published ADA guidelines that are helpful in determining what measures companies should take for their websites to be ADA compliant. The guidance can be accessed here.

Plaintiffs’ attorneys are searching publicly available websites to determine whether they are ADA compliant, and if they aren’t, filing suit against them. As a result, now may be a good time to review your website documents and update them as necessary.

Privacy Tip #160 – In the Near Future: Taking Control of Your Data

I often hear people say that they have no control of their data, that their data is being monetized by big companies, that they don’t know what those companies are doing with their data, that they are frustrated when they receive notification that their data has been compromised, and they didn’t even know that company had their data in the first place.

Unfortunately, many people throw up their hands and give up trying to control their data, who has it and who is monetizing it. Their attitude is that the train has left the station already and the cows are out of the barn.

Enter Sir Tim Berners-Lee (who you might remember has been credited with creating the web 28 years ago). Berners-Lee is as frustrated as others, and has started a new open source project with the goal to put the control of individuals’ data back in the hands of the individual.

The project is called Solid. According to Berners-Lee, his goal for Solid is to change “the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance—by giving every one of us complete control over data, personal or not, in a revolutionary way.”

He further states that Solid is “guided by the principle of ‘personal empowerment through data’ which we believe is fundamental to the success of the next era of the Web. We believe data should empower each of us…and you will have far more personal agency over data—you decide which apps can access it.”

Right now, it is just a framework, but the goal is that eventually Solid will be part of the “fabric of the web.” Rock on.

Privacy attitudes are changing. Technology is evolving, laws are changing, and when you think about it, the digital world is still in its infancy. Solid is a unique platform that is worth watching.

FTC Settles with Four Companies over Privacy Shield Certification

In the wake of the determination by the European Commission that the EU-US Safe Harbor Framework was insufficient to protect EU citizens’ personal information, the Privacy Shield Framework was implemented by the Department of Commerce.

Companies that apply for Privacy Shield certification are required to file an application, which requires the companies to attest to certain things that they are doing to protect personal data of individuals before personal information of EU citizens is transferred to the U.S.

Although the Department of Commerce administers the Privacy Shield Framework, the Federal Trade Commission (FTC) enforces it, and the FTC recently settled with four companies that it alleged falsely claimed that they participated in Privacy Shield.

According to the FTC, IDMission, LLC, mResource LLC d/b/a Loop Works, LLC, SmartStart Employment Screening, Inc. and VenPath, Inc. falsely claimed that they were Privacy Shield certified. The allegations included that the companies listed participation in the Privacy Shield Framework on their websites and they either failed to complete their applications and certification, or failed to renew their certification.

The settlements require the companies to stop misrepresenting Privacy Shield status on their websites and comply with FTC reporting requirements.

These settlements are an important reminder to companies participating in the Privacy Shield Framework to monitor the status of their certification and not allow it to lapse, and to keep their websites accurate about certification. The FTC has been open about the fact that it continuously monitors company websites about Privacy Shield Certification.

ULC’s Reliance on 1946 Supreme Court Case for Drone Innovation

Over 100 years ago manned aviation revolutionized transportation. However, it is less well-known that it also sparked a big change in property rights.

In the 1946 Supreme Court case, United States v. Causby, the court determined that although historically owning land was thought to convey a property right “to the periphery of the universe,” this concept had “no place in the modern world.” That is, Congress recognized that as far back as the Air Commerce Act of 1926, “navigable airspace” (i.e. the airspace above minimum safe altitudes) had to be subject to a “public right of freedom of foreign and interstate air navigation.” This resulted in the idea that “the air is a public highway” from the Causby court.

Now, with the rise of unmanned aerial systems (UAS or drones), the well-settled concepts of navigable airspace as a public good and air navigation as a federal right are facing scrutiny. UAS are unique (and vastly different from manned aircraft) because they fly low, in the interstitial spaces. UAS can operate almost anywhere; this means that UAS have expanded the safe altitude for flight dramatically. Under Federal Aviation Administration (FAA) rules for the operation of UAS, UAS are authorized to fly below 400 feet (and above, with the appropriate FAA waiver).

Now, the Uniform Law Commission (ULC), a publicly funded organization with state-appointed members from around the country that encourages uniform state-law approaches to all sorts of issues, has established a committee for drafting tort laws relating to drones. The committee’s draft proposal would restrict drone operations by allowing property owners a right to exclude all drones from the airspace up to 200 feet above any structure or the ground. Essentially, drones would be restricted from flying below 200 feet without express individual permission from the landowner, establishing a “per se” trespass tort law. The act of the flight itself would be an injury that could lead to a lawsuit against the drone operator without any actual physical injury caused.

There is a practical problem with this proposal: it would cut the usable airspace in half. That is, the FAA allows UAS operations below 400 feet (and in accordance with Part 107 UAS regulations), but a 200-foot minimum altitude may be a bit unworkable because it would be hard to negotiate a right of transit in that limited space. Additionally, because the FAA has authority to regulate navigable airspace, it would seem that FAA regulations would preempt a state law restricting drone flights to above 200 feet. Of course, this issue of preemption has been debated lately when it comes to drones as well, because of the FAA’s push to get states and state law enforcement involved in the regulation of these devices.

We will follow this ULC draft as it progresses; for now, many in the drone industry turn to Causby and believe that the idea that property owners have the right to exclude drones flying above their property simply “has no place in the modern world.”

President Trump Signs the FAA Reauthorization Act: What Does it Mean for Drones?

On October 5, 2018, President Trump signed the Federal Aviation Administration (FAA) Reauthorization Act which establishes new conditions for the recreational use of drones and immediately repealed the Special Rule for Model Aircraft. The FAA is currently evaluating the impact of this change and how the organization will implement these changes.

In addition to continuing to support the $36 million NextGen program and paying the FAA’s 14,000 air traffic controllers, the FAA is instructed to provide greater regulation of drones—that is, the Act allows the government to shoot down or take down by other counter-UAS means a drone that is “identified as high-risk and a potential target for unlawful unmanned aircraft activity.”

Specifically, Subtitle B of the Act (which deals with drones) sets forth the following:

  • The FAA is tasked with developing regulations to expand the operation of small unmanned aerial systems (UAS) (currently operating under Part 107) to operations beyond-visual-line-of-sight, at night and over persons;
  • Requires the FAA to update existing regulations within one year to permit the carriage of packages by small commercial UAS operators within the United States;
  • The development of a framework to establish a standard for regulating UAS operations, whether operated for commercial purposes or for recreation. Drone hobbyists will now have to complete aeronautical knowledge testing and comply with other operating requirements currently applicable only to commercial drone operators;
  • The Government Accountability Office (GAO), the Department of Transportation (DOT) and the National Telecommunications and Information Administration (NTIA) to review the privacy issues and concerns associated with the operation of UAS; and,
  • Requires the FAA to consult with the Department of Homeland Security (DHS) and the Department of Justice (DOJ), which are authorized to take countermeasures against a UAS posing a danger to federal facilities and assets (see above).

We will follow the FAA’s implementation of the new Act and any guidance related to these changes.

The Reality of Self-Driving Cars and the Regulatory Hurdles

The National Highway Traffic Safety Administration (NHTSA) says in its guidelines for automakers and state regulators regarding autonomous vehicles that “‘automated’ or ‘self-driving’ vehicles are a future technology rather than one that you’ll find in a dealership tomorrow or in the next few years,” because “a variety of technological hurdles have to be cleared, and other important issues must be addressed before these types of vehicles can be available for sale in the United States.” However, the NHTSA also says that “fully automated cars and trucks that drive us, instead of us driving them, will become a reality.”

So, where does that leave us? Well, it leaves a lot of work for the federal government, states and automakers and their suppliers. For example, currently, as written, federal auto regulations require that all vehicles have a steering wheel and brakes, so if automakers want to test autonomous vehicles without people-centric controls, they have to obtain waivers. States, on the other hand, have to regulate how vehicle operators are licensed in these autonomous vehicles, as well as the ‘new’ rules of the road and how insurance is regulated. Right now, there is a lot of different legislative activity among the states related to autonomous vehicles, but it is a patchwork. To alleviate some of this confusion, the Uniform Law Commission (ULC) has been working to develop legislation for automated vehicles that states can use. As it stands, the draft version of these rules from the ULC states that automakers must self-certify to NHTSA that their vehicles meet safety requirements and that the vehicle will abide by the rules of the road. People riding in self-driving cars would not have to have driver’s licenses.

On the Federal side, the U.S. House of Representatives has approved a bill relating to autonomous vehicles, and the Senate has its own version, although it has not yet been provided to the Senate Commerce Committee.

For now, automakers and passengers alike are left with the patchwork of rules and regulations. As the technology progresses and automakers prove that these vehicles are safe for the roads, we will likely see a clearer path of legislation. We will continue to monitor this evolving space.

OIG Announces New Multidisciplinary Cybersecurity Team

The Office of Inspector General (OIG) recently announced the creation of a cybersecurity team focused on combating threats within the Department of Health & Human Services (HHS), and within the health care industry. The team includes auditors, evaluators, investigators, and attorneys with experience in cybersecurity matters, and its work is intended to build on the cybersecurity priorities the OIG has previously identified in its annual assessments and reports.

Protecting the Privacy of Children Online – More Updates on COPPA

Last week, two Senators, Senator Edward J. Markey of Massachusetts and Senator Richard Blumenthal of Connecticut, sent a letter to the Federal Trade Commission (FTC) regarding apps designed for children and whether they are in compliance with the Children’s Online Privacy Protection Act (COPPA) (see 15 U.S.C. 6501 and regulations at 16 C.F.R. Part 312 et seq.). The Senators stated that they are concerned that thousands of apps may “improperly track children and collect their personal information.” The Senators requested a response from the FTC by October 31. The letter also asked that the FTC “investigate whether these apps, and the advertising companies they work with, are in fact tracking children with persistent identifiers and collecting their personal information in violation of COPPA…”

FDA Announces Playbook for Medical Device Cybersecurity

On October 1, 2018, the Food and Drug Administration (FDA) issued its “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” to address continued threats to medical devices that could affect patient safety.

The 32-page playbook, developed by MITRE Corp., states that “the purpose of the playbook is to serve as a tool for regional readiness and response activities to aid [healthcare delivery organizations] in addressing cybersecurity threats affecting medical devices that could impact continuity of clinical operations for patient care and patient safety.”

The objectives of the framework are to:

  • Provide baseline medical device cybersecurity that organizations can incorporate into their emergency preparedness and response
  • Assist with clarifying lines of communication and outline roles and responsibilities for internal and external responders
  • Offer a standardized approach to response efforts across organizations and regions
  • Provide enhanced coordination activities among stakeholders
  • Provide information regarding decision making for escalated responses
  • Identify resources that can be leveraged for preparedness and response
  • Serve as a response tool that can be customized for regional preparedness that can be broadly implemented.

The playbook emphasizes that cybersecurity is a “team sport” and that patient safety is maximized with regional collaboration and information sharing. Part of the playbook recommends that regional partners build trust relationships and share best practices with each other, develop mutual aid agreements, exchange point of contact information, conduct joint exercises, identify a regional incident command/coordination center, and share cybersecurity advisories and alerts.

The playbook could also be a guide for states and municipalities on how to prepare for and respond to a cybersecurity threat beyond threats to medical devices as it outlines basic preparedness and response strategies. It is a virtual “how to” that can assist governmental and private entities alike. The playbook can be accessed here.