Separating your online persona from your personal information has always been a safety and wellbeing concern for content creators. Recently, there has been a drastic uptick in content creators sharing stories of people finding and using their personal information to stalk, harass, and  literally invade their private spaces. Most recently, popular streamer and content creator Amouranth has detailed the harrowing events of an alleged stalker attempting to break into her home. Even if you believe you have taken all appropriate steps to keep your personal information private, remaining vigilant and checking for privacy blind spots is essential. This post outlines areas where your personal information may be available to the public and how to mitigate the disclosure of, or remove, such information.

Business Entity Information
Generally, registering a business entity like an LLC may ask you to disclose the names and contact information for all managers, owners, agents, officers, and agents. Some States even require these disclosures. However, states like Delaware, Nevada, New Mexico, and Wyoming do not require owners, members, or mangers of Limited Liability Companies to provide their identities. Known as “anonymous LLCs,” registering your LLC in these states with the minimum amount of information required can help prevent your personal information from being readily accessible by bad actors.

An important caveat to this supposed anonymity is that even if you register an LLC in one of these confidential states but register to do business in a state that requires disclosure of ownership, you may lose the protection of your information. Depending on the State, there may be complex solutions to this forced disclosure though.

Trademark Registrations
If you’ve registered any trademarks, like your brand or your logo, the information you included in your application is freely searchable by the public. Such information potentially includes your address and contact information. You can shield your personal information in your trademark registration by specifying different addresses for your street and domicile (home) addresses. Your street address will be public, and your domicile address will be private. If you do not have a formal business address for your street address, you can use a P.O. Box, virtual office, or a c/o address. Ensure that you follow such steps for any new trademark registrations you file to protect your information.

To change your existing domicile address on a trademark registration, file a Change Address or Representation (CAR) form with the United States Patent and Trademark Office (USPTO). Note that while this will update your address on the trademark registration, this does not remove your previously used address from the public record.

Property Records
Many states make property records searchable online. If possible, protect your personal information by buying property through an anonymous entity or through a trust. A trust is a private system or arrangement where title to property is held by one person or entity for the benefit of other people or entities. After creating, signing, and notarizing a trust document that specifies how the assets are going to be managed and distributed, transfer your home or other real estate property into a trust by updating your deed with your trustee’s name as the new owner by signing front a notary public. Then file your new deed with the proper office. Of course, if you have an existing mortgage, you’ll want to speak with your mortgage-holder about how to facilitate this transfer in an appropriate way.

Criminal and Court Records
Your information will be included on arrest records, in criminal cases or civil cases of which you were personally involved. Though the process and requirements vary from state to state, you can ask the court to seal your record to keep all or portion of any document, exhibit, or transcript filed or lodged with the court to be kept confidential, omitted, or blanked out. If you are experiencing harassment or being threatened, consider seeking out a restraining order or injunction with the court and using it as the basis for your motion to seal.

Information Brokers
Information brokers collect personal information from a wide variety of public and private sources that they sell or license for a fee. Such information can include your name, address, relatives, and other contact information. Each site likely has its own opt-out process, or you can use paid data removal services such as DeleteMe, Reputation Defender, or OneRep to delete at least some of your information from these sites.

Conclusion
While it is incredibly difficult to hide all personal information from the internet, the above steps are some easy ways to remove and/or limit the personal information available about you. When it comes to privacy, a little knowledge and action can go a long way to protect yourself. 

(This post was authored by Patrick Hankins, Associate Attorney at Quiles Law)

On September 11, 2018, New Mexico’s Attorney General Hector Balderas filed a federal lawsuit against an app developer and its contracted advertisers for violating the Children’s Online Privacy Protection Act (“COPPA”), New Mexico’s Unfair Business Practices Act, and the Federal Trade Commission Act. The 85-page complaint contains allegations that Tiny Lab Productions, an app developer, operated 91 apps designed for children that failed to adequately comply with COPPA. The complaint states that the developer collected and sold children’s data to advertisers, who then used the data to track and profile the children for targeted advertising without parental consent. Under COPPA, companies must comply with a certain privacy rules before they are able to collect a child’s data, including obtaining explicit consent from the child’s parents. New Mexico also alleges that some of the apps’ advertisers, namely Google (and its advertising company, AdMob) and Twitter (and its advertising company, MoPub,), marketed these apps through their platforms, which gave the public a false impression that the apps were in compliance with COPPA.
 
The Attorney General is seeking a permanent injunction to prevent any further tracking practices and destruction of any improperly obtained personal data, along with civil penalties for the COPPA violations, and nominal and punitive damages for violating New Mexico’s Unfair Business Practices Act. 
 
App developers and online businesses need to recognize that privacy and data collection practices have become a principal concern for the Federal Trade Commission and Attorneys General throughout the country, especially when it pertains to the collection of children’s data. Website and online service operators should be aware of COPPA and must understand that compliance with it is necessary in order to avoid facing punishment.
 
What is COPPA?
COPPA is a series of federal laws that was enacted by Congress in 1998 to protect the privacy of children under 13 years old. Congress created the regulations to protect children from unknowingly sharing their data with companies, after noticing an increase of marketing techniques that targeted children. The data that was being collected often included personal information ranging from the child’s first and last name, home address, telephone number, and more recently, files that contained the child’s image or voice, and geolocation information that made it easy to identify the child’s street name and home city or town. Congress recognized that children giving away this information posed obvious dangers, and enacted a list of practices for website and online service operators to implement. Effectively, these practices allow parents to control what types of data operators are able to collect from their children. The Act was revised in 2012 to apply to social networks and smartphone apps as well.
 
Who does COPPA apply to?
Many people believe that COPPA only applies to commercial websites and online services that are directed to children under 13 years old, but the Act also extends to other operators who collect data from children. Under the Act, all general audience website or online service operators with actual knowledge that they are collecting, using, or disclosing personal information from children under 13 must also comply with COPPA. Additionally, all website or online service operators that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children will be subject to penalties for not complying with the Act.
 
The Act defines “online services” in a broad manner that includes any service available over the Internet or that connects to the Internet or a wide-area network. This includes all mobile apps that connect to the Internet, Internet-enabled gaming platforms, and services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online. It also includes Internet-enabled location-based services also are online services covered by COPPA.
 
How to comply
Operators must make sure they follow these requirements in order to comply with COPPA:

1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;  
2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);  
4. Provide parents access to their child's personal information to review and/or have the information deleted;
5. Give parents the opportunity to prevent further use or online collection of a child's personal information;  
6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

 
What are the consequences of not complying?
For each violation of COPPA, courts may impose a civil penalty of up to $41,484. Courts look at a variety of factors when determining how severe of fine it should levy. If the operator was not collecting a great deal of personal information and had it never violated the Act previously, a court would be less likely to impose the maximum fine. However, if the operator repeatedly violated COPPA, collected a multitude of personal information, and it was sharing the data with third parties, a court would be more inclined to impose the maximum penalty. The fine amount can quickly add up since each violation is penalized. Last January, VTech Electronics agreed to pay the Federal Trade Commission $650,000 over charges that it violated COPPA by collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected.  
 
Conclusion
As data collection and tracking continue to be valuable marketing tools for companies, it is important for these companies to understand that they must comply with certain regulations if they wish to perform these practices and collect data from children under the age of 13. By failing to do so, companies will be exposed to steep fines considering the volume of data that is continuously being collected. Without proper compliance and protections in place, a company may end up being subject to fines that can cause permanent damage to the company. If you have any questions on how to correctly with COPPA, please feel free to contact us. 

This afternoon, I will be attending an event which focuses on the latest iPad solutions for retailers. I have seen several stores around Manhattan which use iPads as point of sale terminals instead of the old-fashioned cash registers, which makes sense as iPads are user-friendly and the apps are flexible in design. However, in a time where there is seemingly a major privacy leak every few months, the use of an iPad in point of sale transactions raises privacy concerns for the consumer and retailer, such as:

• Does the app/iPad store credit card information?
• Does the app/iPad store information about the consumer?
• If any information is stored, how secure is the information in the iPad?
• If any information is stored, how secure is the iPad itself? (i.e. is it removed from the store nightly or placed in a safe, etc.)
• If any information is stored, are there security measures so that all employees will not have access to the consumer's information?
• How is credit card data transferred to the retailers merchant account service?

These are some of the questions I seek to have answered at the event this afternoon, and the questions that your business should consider in choosing a point of sale app for an iPad. The answers to these questions will not only help your business choose an app, but they also should form the basis of your business' privacy policy, which, although dense, explains to the consumer how information is collected, stored and transferred. A well written privacy policy can help your business avoid liability on privacy issues. Given the new ways by which businesses are conducting its' point of sale transactions, privacy policies are no longer exclusive to the online world.