LITIGATION SUPPORT TIP OF THE NIGHT

The latest version of Apple’s iOS system for iPhones will prompt users to choose whether or not they want each individual app installed on their mobile devices to track their personal data. This feature will only operate if a user enables it under Settings . . . Privacy . . .Tracking:

If an app receives permission to collect personal data, the device’s ID; the advertising ID; the user’s name; and the user’s email address will be used in conjunction with data from third parties to send you targeted advertising. Apple’s notice for its Transparency Tracking feature warns that when permission to track is given “[t]he app developer may also choose to share the information with data brokers which may result in the linking of publicly available and other information about you or your device.”

Notably the notice acknowledges that this feature does not prevent an app dev from using your personal data to send you targeted ads on the iPhone. The restriction only applies to using the data to target you elsewhere.

After the feature is enabled when you open an app, you’ll get a notice like this;

You set the option to turn off personal data collection for use off your iPhone:

Oddly, on my iPhone some apps such as Amazon and Google Maps do not prompt the user to respond to the tracking transparency feature.

Some companies use the term, 'business sensitive information' for categories of documents and data which are not considered to be private, but for which certain protections may be required. Trade secrets, information which falls under non-disclosure agreements, and data subject to copyrights or patents may be considered 'BSI'. The information may be about a business or its clients, investments or competitors.

The Breach Response Plan of the Federal Deposit Insurance Corporation defines BSI as information that could be used to identify a company for the purposes of committing fraud or another crime.

A statement of work prepared by IBM distinguishes between BSI, PII, and other types of information.

In ruling on a motion to quash a subpoena request for board of directors PowerPoint presentations concerning but not limited to the subject matter of the case, Judge Colin Lindsay held that, ". . . it appears that plaintiffs are simply seeking business information about Express from Sterling. Although not directly mentioned in response to this request, the Court realizes that plaintiffs assert that Express sought to expand within the HSRG market using, at least in part, Vogt's customer list and other information obtained by Kapsalis during his employment with plaintiffs. Nonetheless, the scope of this request is overbroad because it could capture a wide range of business-sensitive information that has no relevance to this case." Babcock Power, Inc. v. Kapsalis, No. 3:13-CV-717-DJH-CHL, 2016 U.S. Dist. LEXIS 23554, at *12 (W.D. Ky. Feb. 25, 2016) (emphasis added).

Virginia's Consumer Data Protection Act will be effective at the beginning of 2013. It applies to any business which processes the personal data of more than 100,000 consumers, or which earns more than 50% of their revenue from the sale of personal data, while also processing data for more than 25,000 consumers.

Consumers will be able to apply to get access to their data, and also request that it be corrected. A consumer can choose to opt out of having his or her personal data used for processing. Consumer requests have to be responded to within 45 days. An additional 45 day extension may be given for complex requests.

A data controller must provide a consumer with his or her data up to twice a year free of charge. A reasonable fee can be charged for excessive requests, but the controller will have to prove that the request is repetitive or unnecessary.

The Act gives a consumer the right to, "To obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means."

If a controller denies a consumer's request, he or she can appeal, and must be notified of a final decision within 60 days. The controller will then have to provide an online system which will allow the consumer to file a complaint with the Virginia Attorney General.