E-Business 101, Part 3: Privacy

One of the distinguishing characteristics of the World Wide Web (the “Web”) is interactivity. Visitors don’t just read text on a Web site – they interact with it – and as they do, the Web site usually gathers information about them. Some personal information is gathered overtly through forms requesting personal information. Studies suggest that over 90% of Web sites aimed at consumers collect at least some personal information and more than 55% collect at least some demographic information. More information is gathered covertly as visitors navigate through the Web.

In this article we focus on privacy issues facing Web site operators. First, the article will provide an overview of several U.S. laws addressing privacy issues applicable to Web site operators, including both laws specifically directed to electronic communication, Web site operators and the like, and laws that, while not so specifically directed, may nevertheless apply. Second, the article will provide recommendations for attorneys advising clients on online privacy issues.

Privacy is an emotional issue for many people. When a Web site’s information gathering techniques are understood, a visitor is able to balance his or her desire for privacy against the value of the service provided by the Web site being visited. When the Web site’s information gathering techniques are not understood, a visitor cannot make an informed decision and privacy disputes are likely to arise.

Many people are disturbed when they first learn of the level to which their on-line activities have been monitored and feel a sense of loss of control. The information is being gathered because it has commercial value to Web site operators, advertising agencies and others.

Cookies

Many privacy concerns arise as a result of the use of “cookies” by Web sites and the storage of cookies on computers used by visitors to the Web sites. Cookies are small bits of code or computer software, usually stored on a visitor’s computer hard drive. A cookie contains data that will be sent from the visitor’s computer back to the Web site the next time the visitor returns to it, thereby providing the Web site with information about the visitor. The name cookie derives from UNIX objects called magic cookies: tokens that are attached to a user or program and change depending on the areas entered by the user or program. Cookies are also sometimes called persistent cookies because they typically stay in the browser for long periods of time. By retrieving a previously stored cookie when a visitor accesses a Web site, the Web site may be able to monitor the activities of the visitor, the visitor’s navigation on the Web, and other personal information. A recently filed federal class action in Colorado alleges that Excite@Home subsidiary Matchlogic planted cookies on consumers’ hard drives to track their Web habits for commercial purposes, thereby violating the Electronic Communications Privacy Act of 1986 (ECPA) and the Computer Fraud and Abuse Act of 1986.
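To make the mechanism concrete, the following is an added example (not code from this article): a simulated exchange in which a hypothetical Web site sets a persistent cookie carrying an Expires attribute, and a minimal browser cookie jar sends it back on later visits, so the site can link those visits to one visitor until the cookie expires. The cookie name `vid`, the one-year lifetime and the page paths are assumptions made for the example.

```python
# Added example: a persistent-cookie exchange between a Web site and a browser.
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

PERSISTENT_DAYS = 365  # assumed lifetime; a long lifetime is what makes cross-visit tracking possible


def parse_cookie_header(value):
    """Turn a Cookie request header such as 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    return {name.strip(): val.strip() for name, val in pairs}


class Site:
    """Hypothetical Web site that tags each new visitor with a 'vid' cookie."""

    def __init__(self):
        self.visits = {}  # visitor id -> pages requested: the profile the article warns about

    def handle(self, path, request_headers, now):
        vid = parse_cookie_header(request_headers.get("Cookie", "")).get("vid")
        response_headers = {}
        if vid is None:  # no cookie came back: first visit, or the old cookie has expired
            vid = secrets.token_hex(8)
            expires = format_datetime(now + timedelta(days=PERSISTENT_DAYS), usegmt=True)
            response_headers["Set-Cookie"] = f"vid={vid}; Expires={expires}; Path=/"
        self.visits.setdefault(vid, []).append(path)
        return vid, response_headers


class Browser:
    """Minimal cookie jar: stores Set-Cookie values and replays the unexpired ones."""

    def __init__(self):
        self.jar = {}  # cookie name -> (value, expiry datetime or None for session cookies)

    def request(self, site, path, now):
        live = {n: v for n, (v, exp) in self.jar.items() if exp is None or exp > now}
        headers = {"Cookie": "; ".join(f"{n}={v}" for n, v in live.items())} if live else {}
        vid, resp = site.handle(path, headers, now)
        if "Set-Cookie" in resp:
            self._store(resp["Set-Cookie"])
        return vid

    def _store(self, set_cookie):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, value = parts[0].split("=", 1)
        attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
        expiry = parsedate_to_datetime(attrs["expires"]) if "expires" in attrs else None
        self.jar[name] = (value, expiry)
```

Running two visits a month apart yields the same visitor id and a two-page history on the site; a visit after the expiry date arrives without the cookie and is assigned a fresh id.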

The ECPA extended earlier privacy protection to electronic mail, as well as to radio paging devices, cellular telephones, private communication carriers and computer transmissions. The ECPA is particularly important in limiting employers’ monitoring of their employees’ emails. In general, the ECPA was designed to protect the contents of stored electronic mail and voice mail and to prevent the intentional interception, disclosure or use of electronic communications. The ECPA also prohibits providers of electronic communication services from disclosing the contents of a communication that they have stored electronically without the lawful consent of the person who originated the communication. Perhaps more importantly, the ECPA restricts access by government agencies to customer records belonging to electronic service providers. In order to gain access to such records without notifying the customer, a government agency must first obtain a search warrant, court order, or subpoena.

Various Acts and Laws

The Children’s Online Privacy Protection Act of 1998 (COPPA) is designed to give parents the ability to control what information is collected from their children online. COPPA provides that Web sites cannot collect information from children under the age of thirteen without first obtaining parental consent. COPPA applies to commercial Web sites directed to, or knowingly collecting information from, children under the age of thirteen. Such Web sites must: (1) notify parents of their information practices; (2) obtain verifiable parental consent before collecting a child’s personal information; (3) give parents a choice as to whether their child’s information will be disclosed to third parties; (4) provide parents access to their child’s information; (5) let parents prevent further use of collected information of their child; (6) not require a child to provide more information than is reasonably necessary to participate in an activity; and (7) maintain the confidentiality, security and integrity of the information.

The Protection of Children from Sexual Predators Act (PCSPA) requires an Internet service provider (ISP) to notify a designated federal agency regarding pornography discovered by the ISP that contains a visual depiction of a minor engaging in sexually explicit conduct. An ISP does not need to monitor communications for child pornography. Thus, the PCSPA, while not directly limiting ISPs from collecting information, does mandate that ISPs disclose personal information in certain circumstances to government agencies. For example, if an ISP knows the identity of a communicator of child pornography and the originator is located within the United States, the ISP must notify a Federal Bureau of Investigation (FBI) office in the area in which the communicator is located. If the ISP does not know the identity of the communicator of the child pornography, but the ISP believes that the communication containing the child pornography originated within the United States, the ISP must notify an FBI office in the state in which the ISP is located. If the ISP believes that the originator of the child pornography is located outside of the United States, the ISP must notify the U.S. Customs Service, regardless of whether or not the ISP knows the identity of the communicator.

The Federal Trade Commission (FTC) has taken a very proactive role in pursuing privacy protections for consumers. For example, the Fair Credit Reporting Act (FCRA) protects user information collected by credit bureaus, medical information companies, tenant screening services, and other consumer reporting agencies. Under the FCRA, consumer reporting agencies cannot provide information in a consumer report to anyone who does not have a purpose as set forth in the FCRA. While the FCRA does not expressly apply to Web sites, it may apply to Web sites of consumer reporting agencies depending on how they collect, use and disseminate consumer information.

Another example of a law that might impact the operation of a Web site, even though the law is not directed solely and specifically to online activities, is the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBFSMA), which became effective on November 12, 2000. The GLBFSMA allows banks, insurance companies, and brokerage firms to affiliate and diversify. The GLBFSMA also allows affiliates of the same company to share consumer information among themselves, so long as the affiliates allow the consumers to opt out of such sharing of information and the affiliates disclose privacy and confidentiality policies to the consumers.

Many states have also enacted laws that protect the privacy of Web users and Web site visitors. Many of these laws provide protections similar to those of the ECPA discussed above.

International Implications

Privacy is not just a domestic issue. In fact, the policies of many foreign countries are often more conservative and restrictive than those found in the United States. As the flow of information across international borders grows, the need for Web site operators to be aware of foreign regulations on privacy grows with it.

The European Directive on Privacy requires ISPs and e-businesses within the European Community to disclose how they intend to use any personal information they collect. More importantly, the European Directive on Privacy requires countries trading with any member country of the European Community to adopt measures that adequately protect personal information and to prevent data transfers to countries that do not adopt appropriate safeguards. On July 26, 2000, the European Commission approved the latest U.S. Safe Harbor proposal. The Safe Harbor agreement formally went into effect on November 1, 2000, and allows U.S.-based Web sites to voluntarily subscribe to a set of principles and procedures for the handling of information originating in the European Union. The European Commission has agreed that any U.S. Web site that subscribes to Safe Harbor should be considered to be providing an adequate level of privacy protection for such information.

Practice Pointers:

  • When advising a client with a Web site, conduct due diligence to understand how the client is gathering, storing, and using information about visitors to the Web site. Determine each political state that may claim jurisdiction over the activities of the Web site. As discussed in our last article, Web sites present unique jurisdictional issues. Then review the applicable privacy laws and work with the client to ensure that the client’s practices comply with the applicable law.

  • If any business is transacted in Europe, then we recommend utilization of the Safe Harbor provisions adopted by the European Community this past summer.

  • Comprehensive privacy policies should be created for each website. Clients should be instructed to make the Privacy Policy easily accessible from each page of the website (and especially introductory pages and pages where information is gathered). The Privacy Policy should disclose whether Persistent Cookies are utilized by the website. If Persistent Cookies are used, the Privacy Policy should also disclose what information will be collected from the visitors, and how the information will be stored, used and distributed.

A number of website operators are not choosing to participate in commercial privacy certification programs like that offered by TRUSTe (www.TRUSTe.com). Website operators should be reminded of the “hot buttons” associated with privacy concerns and encouraged to collect only information that is absolutely necessary. Avoid drafting absolute statements or guarantees regarding the security of the Web site or the information collected from visitors via the Web site. Further, clients should be cautioned to be careful when changing aspects of a Web site’s privacy policy. In particular, they should use caution to avoid any possible conflict with prior Privacy Policies that will apply to information gathered before a change in policy. To minimize risk, Privacy Policies should be drafted to anticipate future uses, sales and distributions of personal information.
