Select Internet Privacy Issues for the Business Lawyer, Including Website Privacy Policies

As e-commerce grows, so, too, grows the concern over how personal information is gathered, used and protected on the Internet. For instance, cookies, small files stored on the hard drive of the user’s computer, silently gather information which uniquely identifies the user to specific Web sites, often without the user’s knowledge. The electronic footprints created by cookies when a Web user moves about in cyberspace, commonly called a “clickstream,” can be monitored, recorded and “mined” for information and used to profile a Web user or to recreate the user’s online experience. This information may be gathered by online advertisers and merchants (who compile data for hints about consumer preferences, or to target Internet advertising), Internet Service Providers (who can precisely monitor and record an entire clickstream, since all of the user's online commands are sent through the ISP), government, private investigators (who may be acting on behalf of employers or other private parties looking for information that has not been volunteered, including evidence of wrongdoing), and the news media. Bugs (small graphic image files embedded in a Web page) and bots (intelligent personal profile agents) are similar to cookies and are also of concern because of their ability to gather, use, and share personal information. In addition, new technologies permit hackers to invade your computer, scan for anything and everything on its drives, and even to set up phantom operations, unbeknownst to you, from your computer.

The primary issues raised by cookies, bugs, and bots are privacy, informed consent and “ownership” rights in the collected data. Although the FTC has recognized the importance of privacy and the chilling effect that a lack of protection may have on the willingness to engage in e-commerce, the FTC has also considered “legitimate” uses of cookies in personalizing Web sites that instantly display information selected by the user (e.g., local weather and news, specific discussion groups, etc.). The FTC has also heard from proponents of online profiling who believe that advertising revenues subsidize the free exchange of information and that the inability to conduct online profiling may reduce the effectiveness of online advertising and, therefore, reduce the amount companies are willing to invest in online advertisements. See Online Profiling: A Report to Congress, pages 8-17 (June 2000). A recent survey by a major university found that 54% of users have chosen to give personal information such as a name or email address, with another 10% willing to do so. That is nearly two-thirds of Internet users agreeing to give up some privacy. This article reviews the laws that now provide protection against nonconsensual appropriation of this type of information.

1. The Federal Trade Commission Has Recommended Legislation Implementing Six Privacy Principles. Despite initial hopes by the Federal Trade Commission (FTC), Congress, and the Clinton Administration that the Internet industry would be able to regulate itself in the use of private data, the industry has fallen short of the expectations set by Washington’s policy-makers. The legislation proposed by the FTC would “set forth a basic level of privacy protection for all visitors to consumer-oriented commercial Web sites” by implementing the Fair Information Practice Principles, which are:

(1) Notice. Web sites should provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.

(2) Choice. Web sites should offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate the transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).

(3) Access. Web sites should offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review the information and correct inaccuracies or delete information.

(4) Security. Web sites should take reasonable steps to protect the security of the information they collect from consumers.

(5) Self-Regulation. Web sites should self-regulate by, for example, using privacy seals and having procedures in place for complaint resolution.

(6) Enforcement. Web sites should have procedures in place for enforcing their privacy policies and educating their employees on the importance of online privacy. Additionally, a Privacy Officer should be appointed.

(Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress, pages 36-43 (May 2000)). Elements of the Fair Information Practice Principles can be seen, to varying degrees, in legislation already proposed and enacted by Congress to protect certain consumers (children) and to address privacy concerns in certain industries (financial services and health care).

2. Current Legislation. Privacy for Children: Children’s Online Privacy Protection Act of 1998 (COPPA), 5 U.S.C. §§ 6501 to 6506.

In response to FTC concerns about protecting the privacy of children’s personal information online, Congress passed COPPA, which requires that operators of Web sites directed to children under the age of 13 or who knowingly collect personal information from children under 13 on the Internet:

• provide parents notice of their information practices;

• obtain prior verifiable parental consent for the collection, use, and/or disclosure of personal information from children (with certain limited exceptions);

• upon request, provide a parent with the ability to review the personal information collected from his/her child;

• provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child;

• limit collection of personal information for a child’s online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and

• establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.

Implementing rules established by the FTC (contained in 16 CFR 312) created the possibility of “safe harbors” for Web site operators that comply with “self-regulatory guidelines issued by representatives of the marketing or online industries, or by other persons that, after notice and comment, are approved by the [FTC].” 16 CFR 312 at Section 312.10.

Since COPPA and its implementing rules were enacted, the FTC has filed charges against numerous companies citing violations of COPPA resulting in unfair and deceptive acts. To name only a few: (1) Ohio Art Company, makers of the Etch A Sketch children’s drawing screen, who agreed to pay $35,000 in civil penalties to settle the FTC charges; (2) Monarch Services, Inc. and Girls Life, Inc., operators of;, Inc. and Nolan Quan, operators of; and Looksmart Ltd., operator of, who together agreed to pay a total of $100,000 in civil penalties to settle the FTC charges; (3) American Pop Corn Company, operator of the “Jolly Time” website, who agreed to pay $10,000 in civil penalties to settle the FTC charges; and (4) in the investigation involving the largest COPPA civil penalties to date, Mrs. Fields agreed to pay civil penalties of $100,000 and Hershey agreed to pay civil penalties of $85,000. Additionally, the FTC recently sent out fifty warning letters to various sites. Astonishingly, according to a recent COPPA compliance survey conducted by the FTC, only 50% of websites are in full compliance with COPPA.

Private Financial Information: Gramm-Leach-Bliley Act, Pub. L. 106-102, 12 U.S.C. §§ 42a, 248b, 1820a, 1828b, 1831v to 1831y, 1848a, 2908, 4089, 15 U.S.C. §§ 80b-10a, 6701, 6711 to 6717, 6731 to 6735, 6751 to 6766, 6781, 6801 to 6809, 6821 to 6827, 6901 to 6910.

The Gramm-Leach-Bliley Act requires federal agencies such as the Federal Reserve Board, the Securities and Exchange Commission and the FTC to produce rules that implement the privacy protections found in the Act. Specifically, the Act requires that “financial institutions” (which includes “banks and thrifts, securities firms, credit unions and finance companies”) give notice to consumers and customers of the “conditions under which the institution may disclose ‘nonpublic personal information’ . . . to ‘nonaffiliated third parties.’” (CCH Incorporated, Federal Banking Law Reports, Issue No. 1862 (June 2, 2000).) Rules implemented by the bank regulatory agencies, the SEC and the FTC all address the notice requirements under the Act and its application to Web sites. Each of the rules requires that notices be “clear and conspicuous” and outlines how Web site notices can fulfill this requirement. The rules also provide how and when notice and opt-out requirements may be given to customers and consumers by electronic means (such as through e-mail or on a Web site).

Private Health Information: Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §§ 1320a-7, 1320a-7a, 1320a-7d, 1320a-7e, 1395b-5.

HIPAA sets forth requirements for certain private health information. HIPAA applies directly to (1) any health care provider who transmits health information in electronic form, (2) health plans, and (3) health care clearinghouses (collectively referred to as “Covered Entities”). Full compliance for most Covered Entities was required by April 14, 2003, with the exception of small health plans, for which it is required by April 14, 2004.

Because many organizations that handle private health information are not directly covered by the Act, the proposed rules require Covered Entities to secure agreements from “Business Associates” (defined under the rules as a person to whom a Covered Entity discloses protected health information so that the person can carry out, assist with the performance of, or perform a function or activity on behalf of the Covered Entity). Examples of Business Associates who receive protected health information from a Covered Entity include auditors, billing firms, third-party administrators, and data processing firms. The Covered Entity, through the Business Associate Agreement, must take reasonable steps to ensure that the Business Associate does not use or further disclose the information other than as permitted or required by the contract, ensure that subcontractors or agents agree to the same provisions, make protected health information available to the individual who is the subject of the health information, and make its internal practices, books and records relating to the use and disclosure of protected health information available to the Secretary of HHS. Any contract between a Covered Entity and a Business Associate must authorize the Covered Entity to terminate the contract if it determines that the Business Associate has violated a material term of the agreement.

3. Old Privacy Laws Should Not Be Ignored.

Privacy laws existed before Vice-President Gore invented the Internet, and they apply to information irrespective of its electronic storage or transmission. For example, the Family Educational Rights and Privacy Act of 1974 (FERPA), commonly known as the Buckley Amendment, provides that any school or institution that receives federal funds for education may not release school records or any other personally identifiable information without the prior consent of the student, with a few specific exceptions. 20 U.S.C. §§ 1221, 1232g. Likewise, “records” may also be protected by the Privacy Act of 1974, 5 U.S.C. § 552a, the Freedom of Information Act, and state open records laws. For a survey of existing privacy laws that pre-date the Internet, see 62A Am Jur 2d 623, Privacy, and 37A Am Jur 2d 1, Freedom of Information Acts (including discussion of the federal Privacy Act).

4. State Law. Currently, California and a handful of other states are in the process of developing their own Internet privacy laws. How, and to whom, they are applied remains to be seen. Even without new laws, state consumer fraud and unfair business practices statutes may be applied to protect private information exchanged over the Internet. For example, the state of Missouri filed a lawsuit in September 2000 against Internet merchant, accusing the site of giving personal information about consumers to third parties after promising it would not do so. Additionally, many states have developed or are in the process of developing new laws related to spamming and cyber trespass, a new version of the old tort of trespass to chattels. Some courts have found cyber trespass in cases where unauthorized access to or use of data has occurred. This can occur, for example, by harvesting data from another party’s site (without that party’s permission) using bots.

5. European Union Directive on Privacy. U.S. companies operating Web sites send Web images worldwide, and customers may respond from anywhere on the globe. If those customers reside in one of the 15 member states of the European Union, the 1995 Directive on Data Protection applies and regulates how personal data may be collected, what it is used for, and how it is stored and transmitted. The basic difference between the Directive and the FTC guidelines is that the Directive requires a user to “opt in,” or agree that personal data may be shared; it is not sufficient for the Web site operator to use the data in the absence of instructions from the user to “opt out.” The Directive not only protects information being exchanged within and between the EU nations, but also information being sent outside of the EU countries. Under the Directive, member states are required to prevent any transfer of data to third countries (such as the U.S.) that do not “ensure an adequate level of protection.” Chapter IV, Article 25, paragraph 4 of the EU Directive. Early on it was determined that the U.S. did not adequately provide for the protection of personal data, and for several years the U.S. was in negotiations with the European Commission in an effort to establish grounds upon which U.S. companies could continue to receive information from EU citizens. Just this year, the U.S. Department of Commerce issued Safe Harbor Privacy Principles that were approved by the EU Commission on May 31, 2000. The EU Parliament, however, was not satisfied with the principles, expressing dissatisfaction in particular with the remedies for individuals damaged by inadequate privacy protections. The EU Commission effectively ignored the Parliament’s Resolution and adopted its Decision finding the U.S. Safe Harbor Privacy Principles adequate. The safe harbor allows U.S. companies to opt in to the safe harbor program. Companies seeking safe harbor protections must self-certify to the U.S. Department of Commerce that their Web site provides:

• Notice of purpose and use of data collection.

• Choice to opt out of disclosures to third parties.

• Assurances of third party protections.

• Access to personal information to correct or delete errors.

• Reasonable security.

• Reasonable steps to ensure that personal data is reliable and collected only for its intended use.

• Available and affordable recourse for complaints and failure to comply.

Companies can comply with the requirements by including model safe harbor provisions in written agreements with parties transferring data from the EU. Handling data in a manner that does not comply with the EU Directive may give rise to a claim for damages by the data’s subject resulting in a judgment awarded by an EU member court.

6. The Canadian Personal Information Protection and Electronic Documents Act. This law, which became effective January 1, 2001, governs collection, use, and disclosure of personal information. It will become effective in stages, but by January 2004, the Act will apply to all intraprovincial, interprovincial, and international commercial activities of all organizations.

7. Privacy Laws of Other Countries. Additionally, approximately 50 countries have developed online privacy laws, with substantial variations among them. A Web site must comply with the privacy laws of all countries from which it gathers personal information.

8. A Checklist for Privacy Policies.

We conclude this article with a 10-point checklist of provisions to be considered in any Web site privacy policy in order to comply with the regulations discussed above.

a. What information is gathered at the Website? For what purpose?

b. How to opt out, how to access, correct and delete personal information.

c. How the policy can be changed.

d. How the personal information is treated in the event of bankruptcy, dissolution, or other corporate transfer.

e. Sale or use of information to third parties.

f. Cookies: What they are, how they are used, and how to disable them.

g. Links: What links are provided to other sites operated by third parties. Disclaimer for personal information voluntarily disclosed by users to those third parties.

h. What information is publicly posted? For instance, on a job-search site, include a disclaimer regarding a current employer’s ability to gain access to the user’s resume.

i. Prohibited Uses. Examples:

(a) any use that violates law or the privacy, publicity or other personal rights of others,

(b) any illegal, defamatory, obscene, threatening or abusive use (including posting any material that reveals intellectual property without permission of the owner or that infringes intellectual property rights or that is sexually explicit),

(c) posting any incomplete, false, or inaccurate information, or information which impersonates another or is not your own accurate data relating to your seeking employment opportunities.

j. Security of connection.

k. Recourse. What procedures are available for complaints about violations; choice of law, forum, and arbitration?

9. Other Major Areas of Concern.

In addition to online privacy, there are a number of other areas of potential legal risk involved in the operation of a Web site. These include but are not necessarily limited to intellectual property rights, online contracts, defamation (particularly with regard to publication of content by users and compliance with the Communications Decency Act), consumer protection laws, advertising laws, securities laws for publicly held companies, laws governing any sort of promotions or sweepstakes, tax laws, site security, and cyberliability insurance.

10. Web Site Reviews.

Every Web site should have a Web Site Review performed to identify and address areas of a site that place a company at risk for potential liability. Lewis and Roca provides a Web Site Review Service. If you are interested in discussing this service, please contact the authors at (Scott DeWald) or (Sheila Heidmiller).
