Creating an Online Privacy Policy

By Susan E. Gindin[1]
February 13, 2000


Web sites that collect personal information from visitors may need to create and implement online privacy policies. First of all, the Web site posting of a privacy policy is a good business practice because it tells visitors how their personal information that is collected will be handled. Studies have shown that consumers are reluctant to transact business via the Internet due to privacy concerns, and that consumers would "rather forego information or products available through the Web than provide" personal information without knowing the site's information practices.[2] In fact, e-commerce companies lost approximately $2.8 billion in 1999 as a result of consumers' privacy concerns, according to Forrester Research, a technology research advisory and business intelligence firm.[3]

In addition, an effective privacy policy may be required by law. Web sites with customers or business operations in the European Union are subject to the European Union's Data Protection Directive,[4] and Web sites that collect personal information from children are subject to the Children's Online Privacy Protection Act of 1998.[5] Both require the posting of privacy policies. Also, if enacted, some proposed federal legislation would require all Web sites that collect personal information to post online privacy policies.[6]

Other U.S. Web sites may be required to establish privacy policies because of membership in an industry organization that mandates establishment of a privacy policy and adherence to the organization's self-regulatory code of conduct. For example, the Individual Reference Services Group,[7] which is made up of LEXIS/NEXIS, credit reporting companies, and other companies that sell personal information, requires that its members follow fair information practice standards, and provides for a boycott on the sale of personal information to companies that violate the standards. The U.S. government has strongly encouraged such use of self-regulatory codes of conduct as the preferred means for protecting privacy, in lieu of legislation. As set out in A Framework for Global Electronic Commerce,[8] which the Clinton Administration issued in 1997, the U.S. government generally favors a laissez-faire, market-driven approach to regulating the Internet in an effort to stimulate electronic commerce.

The Federal Trade Commission (FTC), which has actively encouraged self-regulatory approaches to protecting privacy, has indicated that Web sites that collect, process, and disseminate personal information should follow fair information practices by providing consumers: 

    1. Notice of the personal information collected and how it will be used;
    2. Choice as to how their information is used beyond the purpose for which the information was provided;
    3. Access to their own information and an opportunity to correct inaccuracies; and
    4. Security measures to protect the security and integrity of personal information collected.[9]

Drafting the Privacy Policy

A good starting point may be one of the Web sites that provides a fill-in-the-blanks template for creating a privacy policy, which can then be modified to fit the needs and nature of the business.[10] When drafting the policy, a number of issues should be considered. The first consideration is the company's business needs. Input for the policy should be solicited from all sectors of the company to avoid conflicts between the policy and actual company practices. For example, before creating a policy that includes a statement that "the personal information collected from visitors to this site will never be disseminated to third parties", the company needs to hear from the marketing department, which may have plans to share customer lists with other companies. The FTC's enforcement action against the popular Internet site GeoCities was based on its finding that GeoCities violated the Federal Trade Commission Act by misrepresenting in its Policy Statement how personal information collected online would be used, and by representing, falsely or misleadingly, that GeoCities itself was collecting and maintaining children's personal information when this information was actually collected directly by third parties hosted on the GeoCities site.[11]

A second consideration is the company's long-term business plans. It may be difficult to change the privacy policy to accommodate new business plans once the policy has been communicated to customers. For example, America Online experienced a public relations nightmare when it attempted in mid-1997 to quietly amend its "Terms of Service," which had stated that AOL would not reveal members' personal information to third parties. Once the amendment, which provided that AOL might make telephone numbers of AOL members available to AOL partners for telemarketing, was discovered, AOL received an onslaught of complaints from AOL subscribers, politicians, and privacy-rights groups, and as a result, abandoned its plans.[12]

As noted, there are additional considerations when the Web site collects information from children or when the company has customers in the European Union. The Children's Online Privacy Protection Act of 1998 ("COPPA"), which was enacted October 21, 1998, requires commercial Web sites that are directed to children under 13, or that knowingly collect personal information from such children, to post a notice on the Web site explaining that they collect personal information and how it will be used.[13] Personal information is defined as:

"individually identifiable information about an individual collected online, including - (A) a first and last name; (B) a home or other physical address including street name and name of a city or town; (C) an e-mail address; (D) a telephone number; (E) a Social Security number; (F) any other identifier that the Commission [FTC] determines permits the physical or online contacting of a specific individual; or (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph."[14]

The Act further requires that such Web sites:

• obtain "verifiable" parental consent before collecting, using, or disclosing information obtained online from children;[15]

• provide a parent with the ability to review the information collected from his/her child, to prevent further use of information already collected, and to prevent the future collection of information from that child;[16]

• limit collection of personal information for a child's participation in an online activity;[17] and

• establish and maintain procedures to protect the confidentiality, security, and integrity of the information collected.[18]

On November 3, 1999, the FTC issued final regulations under the Act, which take effect on April 21, 2000.[19]

Web sites with customers or business operations in the European Union should heed the European Union's Data Protection Directive. The Directive, which took effect October 25, 1998, requires European Union member countries to enact statutes that regulate the use and processing of personal data within the European Union. Among the Directive's requirements are that the member country statutes require that data collectors process personal data only for specified, explicit, and legitimate purposes[20] and that data collectors maintain the security and confidentiality of personal data.[21] The statutes must also provide that personal data be processed only when the subject of the data has clearly consented, or where the processing is legally necessary or in the public interest.[22] The processing of data revealing racial or ethnic origin, political, religious, or philosophical beliefs, union membership, or health or sex life is prohibited by the Directive, with some limited exceptions.[23] Data collectors must also give the subjects of the data notice of data collection practices,[24] and the right to access and correct data collected about them.[25] In addition, the Directive requires that the data subject be given an opportunity for recourse in the event his personal data is misused.[26]

Of particular concern to entities in the U.S. is the Directive's Article 25, which prohibits the dissemination of personal information to entities in countries where privacy standards are considered inadequate. The U.S. does not currently provide "adequate" privacy protection as required by Article 25, because the U.S. lacks comprehensive legislation regulating information processing by the private sector and by state and local governments, which is what the European Union regards as adequate protection.[27] However, the U.S. Commerce Department is currently negotiating with the European Union over the establishment of Safe Harbor Principles that would enable U.S. entities to receive personal data from the European Union through compliance with the Principles.[28] Furthermore, personal data transfers to the U.S. may be permitted under certain circumstances by the Directive's Article 26. For example, Article 26(1) permits transfers necessary for the performance of a contract between the data subject and the transferring entity, or where the data subject has consented to the transfer. Other transfers may be permitted under Article 26(2) where the receiving entity contractually guarantees adequate protection for data subjects.[29]

Another consideration is whether to join a privacy seal program such as those offered by BBBOnLine,[30] CPA WebTrust,[31] or TRUSTe.[32] These organizations issue seals indicating that the Web site adheres to the seal-granting organization's privacy principles and agrees to comply with the seal-granting organization's oversight and dispute resolution process.[33] Membership in one of these organizations may enable an entity to satisfy safe harbor requirements, that is, to demonstrate compliance with the privacy requirements outlined in the Children's Online Privacy Protection Act[34] and with those under negotiation with the European Union.[35]

Implementing the Privacy Policy

Simply creating a privacy policy is not enough. The policy must also be implemented so that it is effectively communicated to Web site visitors and to the company's employees. Implementation requires the following measures:

First, the privacy policy should be posted prominently on the Web site. The FTC has indicated that Notice is an essential fair information practice, and in the GeoCities matter, the FTC indicated that the privacy notice should be displayed prominently:

[C]ompliance with all of the following shall be deemed adequate notice: (a) placement of a clear and prominent hyperlink or button labeled PRIVACY NOTICE on the home page(s), which directly links to the privacy notice screen(s); (b) placement of the information required in this Part clearly and prominently on the privacy notice screen(s), followed on the same screen(s) with a button that must be clicked on to make it disappear; and (c) at each location on the site at which any personal identifying information is collected, placement of a clear and prominent hyperlink on the initial screen on which the collection takes place, which links directly to the privacy notice and which is accompanied by the following statement in bold typeface:

NOTICE: We collect personal information on this site. To learn more about how we use your information click here.[36]

Second, the privacy policy must be adhered to by the company. Otherwise, the company's practices may be found to violate the Federal Trade Commission Act. The FTC is empowered by the Federal Trade Commission Act to take action against companies whose acts or practices are deceptive or unfair.[37] An act or practice is unfair if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."[38] The FTC has begun to take action against Web sites, as seen in its action against GeoCities, which was based on the discrepancies the FTC found between GeoCities' actual practices in handling the personal information it collects and GeoCities' stated policy.

Third, the policy must also be communicated to everyone in the company so that employees don't inadvertently violate the policy. America Online learned this lesson firsthand when one of its customer service representatives violated AOL's privacy policy by revealing private information about an AOL member to a third party. This resulted in a high-profile legal case, and in AOL agreeing to pay damages to the AOL member for violating his privacy.[39]

In conclusion, the creation of a Web site privacy policy requires careful consideration of various factors, including the plans and needs of the business as well as national and international legal issues. In addition, the policy should be posted prominently on the Web site and followed by the company. The creation and implementation of an effective privacy policy is good publicity, and will inspire confidence in customers that their personal information will be handled responsibly in Internet transactions.

NOTES

[1] Susan E. Gindin, at <http://www.info-law.com>, is an attorney concentrating on Internet law and information technology issues. She has written several articles on privacy issues, including Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 San Diego L. Rev. 1153 (1997) <http://www.info-law.com/lost.html>; Everyone Knows You're a Dog: The EU Data Protection Directive and Personal Data, 1 J. Internet L., Mar. 1998; and As the Cyber-World Turns: the European Union's Data Protection Directive and Trans-border Flows of Personal Data, Jan. 1998 <http://www.info-law.com/eupriv.html>.

[2] Federal Trade Commission, Consumer Privacy on the World Wide Web, July 21, 1998, <http://www.ftc.gov/os/1998/9807/privac98.htm>, citing Louis Harris and Associates, Inc. and Dr. Alan F. Westin, Commerce, Communications and Privacy Online, A National Survey of Computer Users at 20-21 (1997).

[3] Greg Sandoval & Troy Wolverton, Security, Privacy Issues Make Net Users Uneasy, CNET.com, Jan. 7, 2000, <http://news.cnet.com/news/0-1007-200-1518321.html>. See also GVU's 9th WWW User Survey, 1998, at <http://www.cc.gatech.edu/user_surveys/survey-1998-04/> (reporting that a 1998 study conducted by the Graphics Visualization and Usability Center at Georgia Institute of Technology revealed that over 50% of respondents had given false information at least once when registering at a Web site, mainly due to privacy concerns).

[4] Official Journal of the European Communities of 23 Nov 1995 No. L.281 p.31, hereinafter "the Directive."

[5] Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L. No. 105-277 (October 21, 1998), hereinafter "COPPA."

[6] See, e.g., Online Privacy Protection Act, S. 809, introduced by Senators Burns and Wyden on April 15, 1999.

[7] <http://www.irsg.org>.

[8] <http://www.iitf.nist.gov/eleccomm/ecomm.htm>.

[9] See Federal Trade Commission, Consumer Privacy on the World Wide Web, July 21, 1998, <http://www.ftc.gov/os/1998/9807/privac98.htm>.

[10] See, e.g., TRUSTe, <http://www.truste.org/wizard>, and Direct Marketing Association, <http://www.the-dma.org>, under Privacy Action; Direct Marketers; Privacy Policy Generator.

[11] In the Matter of GeoCities, Complaint, <http://www.ftc.gov/os/1998/9808/geo-cmpl.htm>. See also Decision and Order, <http://www.ftc.gov/os/1999/9902/9823015d&o.htm>.

[12] See, e.g., Seth Schiesel, America Online Backs Off Plan to Give Out Phone Numbers, N.Y. Times, July 25, 1997, at C1. See also AOL CEO Steve Case's letter to members regarding the incident (July 24, 1997), <http://www.news.com/SpecialFeatures/0,5,12794,00.html>.

[13] COPPA, § 1303(b)(1)(A)(i).

[14] § 1302(8).

[15] § 1303(b)(1)(A)(ii).

[16] § 1303(b)(1)(B).

[17] § 1303(b)(1)(C).

[18] § 1303(b)(1)(D).

[19] Children's Online Privacy Protection Rule; Final Rule, 64 Fed. Reg. 59,888 (1999) (to be codified at 16 C.F.R. pt. 312). See also Federal Trade Commission, How to Comply With The Children's Online Privacy Protection Rule, Nov. 1999, <http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm>.

[20] Art. 6.

[21] Arts. 16, 17.

[22] Art. 7.

[23] Art. 8.

[24] Arts. 10 & 11.

[25] Art. 12.

[26] Arts. 22 & 23.

[27] See, e.g., European Commission, First Orientations on Transfers of Personal Data to Third Countries: Possible Ways Forward in Assessing Adequacy (June 26, 1997), <http://zeus.bna.com/e-law/docs/eudata1.html>.

[28] See Electronic Commerce Task Force, U.S. Dept. of Commerce, Safe Harbor Principles, <http://www.ita.doc.gov/td/ecom/menu.htm>.

[29] See European Commission, Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, Chap. 4, adopted by the Working Party July 24, 1998, <http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp12en.htm>, for guidance regarding use of contracts.

[30] <http://www.bbbonline.org>.

[31] <http://www.cpawebtrust.com>.

[32] <http://www.truste.org>.

[33] See also Lisa Guernsey, Web Surfers' Fear Prompt Privacy Seals, N.Y. Times, Apr. 29, 1999, at D9.

[34] COPPA, § 1304.

[35] See Electronic Commerce Task Force, U.S. Dept. of Commerce, Safe Harbor Principles, <http://www.ita.doc.gov/td/ecom/menu.htm>.

[36] In the Matter of GeoCities, Decision and Order, <http://www.ftc.gov/os/1999/9902/9823015d&o.htm>.

[37] 15 U.S.C. § 45(a).

[38] 15 U.S.C. § 45(n).

[39] McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998). See discussion of the case and settlement: Philip Shenon, Navy and America Online Settle Case on Gay Privacy, N.Y. Times, June 12, 1998, at A1.

Copyright © 2000 Susan E. Gindin 