Berkman Center for Internet & Society.

Using ICANN's UDRP Harvard Law School > Berkman Center > Open Education > E-Commerce: An Introduction


-




Syllabus
Discussion
Reference
Discussion
Discussion
Search

Session 4: Consumer Privacy

Teaching Fellows: Rita Lin

Guest Panelists:

Blake T. Bilstad, Esq.
Corporate Counsel, Secretary
MP3.com, Inc.
www.mp3.com/

Keith P. Enright, Esq.
Principal, TECHNE Consulting
Executive Director, PrivacyLaw.Net
www.privacylaw.net/

Supplemental Material:

"Memorandum on Privacy Audits and Privacy Policies," Michael Strapp, Harvard Law School.

"Privacy Audit Checklist," Keith P. Enright, Esq.

CONSUMER PRIVACY - TABLE OF CONTENTS

I. Introduction

II. Information Collection

III. Liability for Online Profiling

IV. Developing a Privacy Policy

V. Statutes and Regulations

VI. References

VII. Additional Materials

I. Introduction

Privacy is one of the most complex legal issues facing e-commerce ventures today. Many sites, such as the one in our case study, have little interest in actively profiling their users or discovering personal information about them. However, these sites will often collect significant amounts of personally identifiable data that may trigger liability risks.

Some of this data is actively supplied by users. For example, the WGU site collects names, physical and email addresses, and credit card information through forms. Users may also voluntarily supply personal information in their threaded discussion messages, which are archived on the site. On the other hand, some of this data is passively collected. The host server records routine information about each visit. Some of the site's banner ads allow third-party advertisers to track users' browsing habits.

Our task in this section is to assess the liability risk of a site's information collection practices. We can break this task down into four main steps. First, we must determine what information is collected by the site. Second, we must evaluate the potential liability for those information collection practices. Third, we must choose whether to develop a privacy policy to disclose those practices. And, fourth, we must verify our compliance with statutes or regulations. This lecture will examine each of these four steps.

[Back to top]

II. Information Collection

Many e-commerce sites directly ask users for personal information through forms. However, in addition to such information, many sites also record data about their users' browsing habits. This data can be matched with personal and demographic information to create a profile of user preferences. Sites might use these profiles to target advertising or offer customized services. Or, sites might engage in weblining, where different users are offered different prices based on their profiles. Users who have more money or want a product more are charged more; alternately, reduced prices are denied to users who shop so well for bargains that vendors will make no profit by selling to them. Business Week has a great article on weblining (Website)(Stepanek).

Attorneys must be cognizant that some e-commerce clients may not always be aware of the extent to which their site collects data about its customers. At first glance, the site in our case study might not appear to collect much information. But, if we look deeper, we can see that users are disclosing information in two important ways: first, data automatically collected by the site's server software, and second, data collected by third-party advertisers through our site.

In our case study, the server software will almost certainly collect a great deal of information automatically. Most server software will automatically record a web log of browsing habits: what pages users visit, the time and duration of those visits, advertisements viewed and clicked on during those visits, purchases made, query terms entered in search engines, and the referring website that directed the user to the company's page. Furthermore, most software will automatically obtain information about each user's IP address, computer name, browser type, email address (if provided by the user's browser or a "web bug"), network owner, and domain registration.

In addition to this information, our site does allow third-party advertisers to place cookies on users' hard drives. Ads on our site are placed through DoubleDealer, a (fictional) advertising network similar to DoubleClick. DoubleDealer uses cookies to develop long-term profiles of users' browsing habits across multiple visits and different sites. It has a profile for every user that has ever looked one of their ads. Every time a user sees a DoubleDealer ad--whether on our case study website or another site that carries their ads--her computer will send a note to DoubleDealer indicating what kind of website she's looking at. And DoubleDealer will store that information in her file, so it knows to send her more ads related to skiing or new age music or whatever she seems to like. In this sense, DoubleDealer tracks users through our site and all the other sites on its advertising network. As counsel to the WGU site, it is important that we recognize DoubleDealer's practices because they could create liability risks and must be disclosed in our site's privacy policy.

From the example of our case study, we can see the importance of understanding the website's data collection practices. Automatic software logs and third-party cookie placements are two of the most easily overlooked aspects of information collection. Many sites have no interest in actively profiling their customers and might even insist to their counsel that they collect no personal information. But most of these sites do collect information automatically through thier server software, and many allow third-party cookie placement. According to a recent FTC privacy survey, although 57% of the busiest sites allowed third-party cookie placement, only 22% disclosed that fact in their privacy policies (Website) (FTC,Privacy). Before developing privacy policies or weighing the legal risks of online profiling, online vendors and their attorneys should be certain that they are aware of the true extent of the site's data collection practices.

A. COMMON TECHNOLOGIES

Cookies

Cookies collect information as a user surfs the web and feed the information back to a web server. An online vendor's site will send cookies (which is most simply an identification number) to a user's computer, where it is stored in a file on the user's hard drive and serves as a digital identifier tag that notifies the vendor whenever that user re-enters the vendor's website. Although users can configure their browser to disable cookies, some sites require users to accept them before allowing entry.

Cookies have two main uses. First, by allowing the site to "remember" the user, they can customize a website by producing special content targeted to a specific user. For example, cookies are commonly used to automatically supply passwords for users who prefer not to re-enter their password each time they access a site. Second, cookies are used by network advertising agencies, such as DoubleClick, to target product advertisements based on long-term profiles of users' buying and surfing habits. When the advertiser contracts with many different websites, it can follow the same cookie as that user surfs the web. Advertisers then collate this information about the user's habits in a central database.

For more information on cookies, see Energy Department's Computer Incident Advisory Council report (Website) (Energy). Also, check out Cookie Central (Website) (Cookie). Netscape has a technical specification for cookies as well (Website) (Netscape).

Web bugs (or pixel tags)

Web bugs are images--usually invisible because they are only one pixel wide by one pixel high--that are embedded in web pages and HTML-formatted emails. Advertising networks often use web bugs on web pages to add information to personal profiles stored in cookies and to collect statistics about how many hits the site gets. Ad networks also use web bugs in "junk email" campaigns to determine how many users read the emails and visited the linked site, to remove users from the list who did not open the marketing emails at all, or to synchronize cookies with the user's email address.

The EFF has a great FAQ on web bugs (Website) (EFF, 1999). You can bake your own cookie at Privacy.net (Website)(Privacy.net).

B. DEVELOPING TECHNOLOGIES

Cookies and web bugs are only the beginning. New technologies are being developed every day to gather more comprehensive data on consumer behavior. For an overview of some of these new data-collection technologies, along with some info on privacy-enhancing technologies such as P3P, see Developing Technologies.

[Back to top]

III. Liability for Online Profiling

Although the FTC has recommended legislation to regulate online profiling (Website) (FTC, 2000), current American privacy law contains almost no general prohibitions against the collection of consumer data. Today, most privacy initiatives target specific industries or types of data, such as consumer credit reports, cable TV subscriber information, or personal financial information. See Protected Categories for more information.

In our case study, the WGU site will almost certainly not face liability based on a sector-specific federal statute because it does not collect information that falls under any of the protected categories. The only applicable federal law would be Electronic Communications Privacy Act (ECPA), which some privacy advocates have argued prohibits the use of cookies without prior consent. According to this interpretation of the ECPA, our site could be liable for allowing DoubleDealer to place cookies on users' hard drives. However, this interpretation of the ECPA is controversial, and few claims have reached final judgment. The site could also face common law or state law claims.

Before discussing the legal grounds for action, however, it is useful first to get a sense of the larger public policy concerns behind these arguments. Proponents of online profiling contend that collecting data about consumers allows sites to improve service. Sites can customize content, evaluate consumer reaction to products, and target ads to a consumer's interests. Proponents argue that revenues from targeted ads have subsidized the current wealth of free content online; without such a subsidy, the web may move toward a fee-based access system that would price low-income readers out of the market. For more information on these arguments, visit the Association of National Advertisers (Website) (ANA, 2001) and the Direct Marketing Association (Website) (DMA, 2001). Legal scholars have also suggested that the expansion of privacy threatens free speech rights protected by the First Amendment. Solveig Singleton has a great law review article on this topic (Singleton, 2000).

On the other hand, privacy advocates argue that users should not be tracked without their notice or consent. These advocates argue that consumers are not adequately informed about passive information collection technologies. According to a Business Week survey, only 40% of users have even heard of cookies, and of those, only 25% were able to select the correct definition on a multiple choice questionnaire (Website) (Business Week, 2000). Furthermore, privacy advocates contend that even if most of the information currently collected is not personally identifiable, it poses serious privacy concerns because of the inherently invasive scale of the monitoring. They also worry that corporations will later decide to combine the currently non-identifiable databases of browsing habits with personal information from other sources. Finally, advocates have posited that the consumer discomfort with online monitoring will chill use of resources on sensitive topics such as abortion, HIV, or depression, and prevent the electronic marketplace from reaching its full potential.

A. CONSUMER CLASS ACTION SUITS

Due to the absence of specific legislation regulating online profiling, consumer class action suits have proceeded under many different legal theories. Some plaintiffs have argued that cookies and web bugs allow unauthorized access to the user's hard drive (where the cookies are stored) and therefore violate the Electronic Communications Privacy Act (ECPA), (Website) (§§ 2510-22) and (Website) (§§ 2701-11). Others have suggested that passive information collection is actionable as a common-law privacy tort or trespass. Still others have also pursued their claims under state laws, such as Texas's anti-stalking statute or California's prohibition against deceptive and unfair trade practices.

Only one consumer suit filed against online profilers has reached final judgment. In late March, a United States District Court dismissed a highly publicized consumer class action suit against DoubleClick (DoubleClick, 2001). The plaintiffs' pleadings alleged that DoubleClick's use of cookies violated three federal laws: the Electronic Communications Privacy Act, which prohibits unauthorized interception of electronic communications; the Wiretap Act, which prohibits wiretapping in some situations; and the Computer Fraud and Abuse Act, which prohibits unauthorized access to a computer. The court found no violation of the laws because sites consented to the use of cookies by third-party advertisers. Furthermore, the court held that there was no evidence that these laws were intended to prohibit cookie use by online advertisers. The decision has been appealed to the Second Circuit. DoubleClick still faces more suits in Texas and California based on state privacy and consumer protection laws.

Despite the DoubleClick decision, the legal limits on online profiling remain unclear. A California district court recently denied a motion to dismiss a class action suit against Intuit and ruled that Intuit's use of cookies may violate parts of the ECPA (Intuit, 2001). Furthermore, in many state and federal jurisdictions, the use of cookies or similar technologies to track users' browsing habits will be an issue of first impression. Although the DoubleClick decision may prove persuasive to courts, other jurisdictions will not be bound by it. And suits may continue to proceed under state statutes on privacy and consumer rights.

Electronic Communications Privacy Act (ECPA)

The ECPA, (Website) (§§ 2510-22) and (Website) (§§ 2701-11), imposes civil and criminal penalties for the intentional interception, disclosure, or use of electronic communications that affect interstate or foreign commerce. Electronic communications are defined as any transfer of information by means of wire or electromagnetic system. Courts have interpreted the term to include email (Bochach, 1996).

The major obstacle to using the ECPA to restrict online profiling is that it exempts parties from liability if they obtain the prior consent from "users" (§ 2701) or "parties to communication" (§ 2511). Based on the "user" exception in § 2701, a federal district court ruled in DoubleClick that the ECPA does not bar the use of cookies by third-party advertisers. The court found that Websites where ads were placed constitute "users" under the ECPA. As long as the Website agrees to the use of cookies, the requirement of "prior consent by users" is satisfied and DoubleClick cannot be held accountable (DoubleClick, 2001). Supporters of the decision have drawn an analogy to the law governing third-party listening in telephone conversations: if two people are talking on the phone, either one has the independent authority to consent to listening by third parties.

However, critics of the decision have argued that only the consumer can give consent to cookie placement because the consumer's hard drive is the relevant site of stored information. And at least one California court agrees. In a recent decision regarding a class action suit filed against Intuit, which owns quicken.com, a California district court refused to dismiss a claim based on the ECPA (Intuit, 2001). The ECPA has two major parts relevant to online profiling: Section 2701 prohibits unauthorized access to stored communiciations, and Section 2511 prohibits the interception of electronic communications for tortious or criminal purposes. The court denied Intuit's motion to dismiss the Section 2701 claim. Although the court did not address DoubleClick's consent reasoning directly, it emphasized that the users' hard drives were their own and thus that users alone could consent to cookie use. The court held that if the plaintiffs' allegations are true, Intuit did violate the stored communications provision of the ECPA by placing cookies on users' hard drives. However, the court did dismiss the claims under Section 2511 because it saw no evidence that Intuit's purpose was criminal or tortious. The plaintiffs' argument that cookies violated users' privacy and therefore constituted a common-law privacy tort were unsuccessful in swaying the court's finding with regard to Section 2511.

In sum, the question of whether the ECPA prohibits cookie placement remains unresolved--particularly with regard to Section 2701.

Common-law Privacy Tort

The common law doctrine of personal privacy includes four grounds for tort liability (Restatement1). Susan Gindin wrote a great law review article explaining the application of these traditional privacy torts to cyberspace (Website) (Gindin, 1997).

1. Unreasonable intrusion upon the seclusion of another

"One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person." (Restatement2)

Comment c of the Restatement provision indicates that the section has been applied to wiretaps. However, like the ECPA, the major difficulty is that the provision applies only to information not voluntarily provided, which may bar claims where online profiling practices are disclosed in the terms of use or privacy policy.

2. Unreasonable publicity given to another's private life

"One who gives publicity to a matter concerning the private life of another is subject to liability to the other for the invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public." (Restatement (Second) of Torts, 1965)

There are two major obstacles to applying this doctrine to online profiling. First, the private information must be communicated so broadly that it is "substantially certain to become one of public knowledge" (comment a). Since most marketing data from online profiling is kept within the advertising firms, the publication of private information will often not be sufficiently wide to sustain a tort action under this provision. Second, the private information must not be of public record. Like the ECPA or the previous privacy tort, this provision bars recovery by users who provide information voluntarily or seek to protest the dissemination of publicly available information such as birth dates or marital status.

3. Publicity that unreasonably places another in a false light before the public

"One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of privacy, if (a) the false light in which the other was placed would be highly offensive to a reasonable person, and (b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed." (Restatement (Second) of Torts, 1965)

The problem with finding tort liability for online profiling under this provision is that it is limited to the dissemination of erroneous information. Under this tort, consumers can insist on the right to correct false information in the databases, but they cannot claim the right to prohibit surveillance altogether.

4. The appropriation of another's name or likeness

"One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy." (Restatement (Second) of Torts, 1965)

This tort may create a cause of action for the sale of personal information to online publishers or unsolicited commercial emailers. However, plaintiffs have thus far been unsuccessful in this vein of argument (Shibley, 1975).

Other common-law bases of liability

Other common-law bases of liability include breach of contract, unjust enrichment, and fraud (where express promises in a privacy policy have been violated) as well as trespass to chattels. In two classic texts, Alan Westin (Westin, 1967) and Arthur Miller (Miller, 1969) have also argued that personal information should be regarded as a form of common-law property.

State statutes

Of course, laws protecting privacy will vary by state. Numerous consumer class action complaints about online profiling have alleged violation of state statutes against deceptive or unfair trade practices. Others have relied on anti-stalking statutes (Stewart, 2000). The New York Times has an article on the case (Website) (Kaplan, 2000). CNET News also has an article (Website) (CNET, 2000). Some states also offer special protection for particular classes of data, such as medical information. For more information, check with counsel who is familiar with the laws of the individual state.

Pending cases

Consumer class action suits are currently pending against RealNetworks, Toysrus.com, Avenue A, MatchLogic, Intuit, Amazon, and Pharmatrak. See Pending Consumer Class Actions for more information.

B. STATE ATTORNEY GENERALS

States have also brought actions against online profilers under a variety of legal theories, often involving state consumer protection statutes. The Michigan Attorney General's Office recently settled a case with eGames, an online games retailer. The state had accused eGames of violating Michigan's Consumer Protection act by failing to disclose online profiling by third-party advertisers on its site. The eGames case was the latest in a series of charges related to online profiling brought by the Michigan Attorney General. See State Attorneys General for more information about state actions.

C. FEDERAL TRADE COMMISSION (FTC)

Under Section 5 of the FTC Act, the FTC has the authority to sue companies that engage in unfair or deceptive trade practices. Thus far, the Commission has limited its use of this authority to pursuing online corporations who fail to comply with statements in their posted privacy policies. It has not pursued corporations who track users' movements online through passive information collection technologies such as cookies, as long as such practices do not violate the guarantees offered in the site's privacy policy.

The FTC has made clear that it does not consider online profiling to be per se deceptive or unfair when such practices are disclosed in privacy policies and users have the opportunity to opt-out. In fact, the FTC cleared DoubleClick, a network advertising firm that uses cookies and web bugs to target advertisements, of wrongdoing in a recent investigation. However, if online profiling is not disclosed to consumers, the Commission's stance may be different. In its consent decree agreement with Geocities and its report to Congress on privacy, the FTC hinted that it might consider undisclosed profiling to be per se unfair--even if the site has not posted a privacy policy at all (Website) (FTC, 2000).

D. POTENTIAL CONFLICTS WITH THE FIRST AMENDMENT

Even if the disclosure of personal information can be limited by existing statutes, administrative regulations, or common law, consumers who seek to halt online profiling may face an additional hurdle: a potential conflict with the First Amendment (website)(1st) of the United States Constitution. Eugene Volokh, a well-known scholar on online speech, has argued that privacy rules may violate the free speech rights of those who wish to disclose information, such as news agencies (Volokh, 2000).

Although the Supreme Court has not directly addressed the issue, the Court has thus far upheld privacy laws against constitutional challenge and refused to treat the sale of personal information as speech. In Reno v. Condon, the Court held that personally identifiable information constituted a "thing in commerce" rather than speech and upheld a South Carolina law restricting the disclosure of drivers' personal information without prior consent (Website) (Condon, 2000). In Los Angeles Police Dept. v. United Reporting, the Court also rejected a First Amendment challenge to a California statute that limited access to the names and addresses of arrested individuals (Website) (United Reporting, 1999). Like the law of online profiling generally, the First Amendment issue remains unsettled.

[Back to top]

IV. Developing A Privacy Policy

A. WHY HAVE A PRIVACY POLICY?

Under current American law, companies are not legally obligated to post privacy policies. Indeed, privacy policies may actually put companies at legal risk. The FTC has investigated and sued companies for failure to comply with their stated policies. Moreover, once a partial disclosure of information practice has been made, companies may even face an obligation to fully disclose all privacy practices. Although the FTC has never explicitly stated that partial disclosure triggers full disclosure, it scrutinized statements that "arguably raised an inference of at least one potential use" of personal data in its report to Congress on online privacy. In other words, "click here to be on our mailing list" could be deceptive if users' email addresses are later sold to third-party advertisers--even though no guarantee is ever made that the email address will be used exclusively for the site's mailing list.

Despite the legal risks, many sites voluntarily choose to adopt privacy policies. Why?

First, privacy policies can increase consumer confidence in a site's online offerings. Consumers may feel more comfortable offering personal information or making purchases if privacy policies are posted. According to a report by AT&T in 1999, 27% of Internet users would ordinarily be unwilling to provide their names and postal addresses for a hobby website. However, if the site displayed a privacy policy and a seal of approval from a well-known consumer advocacy organization like the Better Business Bureau, 58% of those users would be more likely to provide the information. The lack of consumer trust has translated directly into lost revenues. According to the FTC, due to consumer privacy concerns regarding online purchases, e-commerce companies lost as much $2.8 billion in revenue in 1999 and are projected to lose $18 billion by 2002 (Website) (FTC, 2000).

Second, the European Union Data Directive has provided an added incentive for e-commerce firms in the US to post privacy policies. Article 25 of the Directive prohibits the transfer of personal data from the EU to certain countries lacking "adequate" privacy protection policies, such as the US. However, to prevent the blockage of all personal data flow between the US and Europe, the US Commerce Department has negotiated a Safe Harbor agreement with the EU. Under the Safe Harbor, American firms may continue to receive personal data from the EU, as long as they post privacy policies and comply with seven main principles of privacy protection. See the subsection on the EU Data Directive below.

B. DESIGNING A PRIVACY POLICY

Privacy Audit

The first step is to conduct a privacy audit to decide what information will be collected, how it will be used, and whether it will be shared with outside parties. For more information on how to conduct a privacy audit, see Michael Strapp's "Memorandum on Privacy Audits and Privacy Policies." The Software and Information Industry Association has an excellent and informative privacy workbook (Website) (SIIA, 2001), as does the Michigan Attorney General's Office (Website) (Michigan AG's Office, 2000).

There are also numerous industry certification programs, such as TRUSTe or BBBOnline that offer seals of approval and regular auditing. See Industry Certification Programs for a list.

General information about privacy policies

  • Privacy policies should be drafted in plain and direct English. If the site targets consumers in non-English-speaking nations, translations should be available.
  • Privacy policies should be customized. Sensitive or personally identifiable information may require a higher degree of protection than aggregate or non-personally identifiable information.

Elements of a privacy policy

    1. Notice

    • What data is being collected? How? Are cookies or web bugs used?
    • What is the primary use of the data? What are other secondary uses?
    • What third parties will have access to the information?
    • What security measures are in place to ensure the confidentiality and accuracy of information?
    • Are goods and services offered on the website made available to users only if they provide personal information?
    • Will the site owner disclose users' personal information if it believes in good faith that the law requires it?

If third-party advertisers collect data on consumers through ads placed on the site, this practice should be disclosed and consumers should be informed that the site itself does not retain such information. Similarly, if data collection is outsourced to another company or a third-party, this practice should be disclosed even if the data is intended for internal use only.

2. Choice: opt in or opt out?

Most companies have adopted the opt-out approach, which allows consumers to choose not to allow their data to be shared with third parties or used for marketing purposes. Under opt-out, the default choice is to allow use of personal data. Under opt-in, the default is to restrict use of personal data.

Companies are free to choose between allowing customers to opt out or opt in. Regulation requiring opt in rather than opt out has been struck down by courts as violating the First Amendment's requirement of narrow tailoring. In U.S. West v. Federal Communications Commission, the court struck down FCC rules requiring phone companies to obtain affirmative opt-in permission to share customer calling patterns with third parties (U.S. West, 1999).

3. Access and accuracy

Companies must decide whether they will allow users to access their data, correct inaccuracies, or remove information they do not wish disclosed. Companies benefit from accurate customer information, and user access can improve customer service by ensuring that goods are properly shipped or customers receive information that most accurately matches their interests. However, the consumer access to data may require additional expenses, computing resources, and personnel. Online access may not always be feasible, particularly for companies that store more sensitive data such as medical information. In such cases, written mail might be more appropriate.

    4. Data security and integrity

  • Are technical and physical safeguards in place to prevent unauthorized access, especially for sensitive or personally identifiable information?
  • Are sufficiently robust encryption techniques used when confidential information is stored in a file or travels across a network?
  • Are employees and managers trained appropriately?
  • Is data obtained from trusted sources? Is data up-to-date?
  • Where appropriate, are there measures to ensure that data is stripped of personally identifying information?

Be careful about explicit or implicit guarantees of security. Breaches can create legal claims based on contract or tort.

    5. Redress and enforcement

  • If consumers feel that their privacy has been violated, how should they contact the company? What steps will the company take to resolve those issues?
  • What measures are in place to ensure compliance with the policy?
  • Is there an accessible and responsive dispute resolution process?
  • Are there ongoing assessment procedures? Are the results publicly disclosed?

Internal audits may be appropriate for companies that only collect aggregate or non-personally identifiable information, whereas third-party monitoring may be appropriate for companies that collect more sensitive information.

    6. Revision of policy

  • Is the privacy policy subject to change or otherwise conditional?

    Posting a privacy policy

To provide notice to consumers, the privacy policy should be posted prominently. In the matter of GeoCities, the FTC developed a list of requirements for adequate notice:

  • A clear and prominent hyperlink or button labeled "PRIVACY NOTICE" on the home page, which directly links to the privacy policy;
  • Clear and prominent display of the elements of the policy with a button that must be clicked on at the bottom of the screen to make it disappear; and
  • A clear and prominent hyperlink to the privacy policy at each location where personal identifying information is collected, along with the following statement in bold typeface: "NOTICE: We collect personal information on this site. To learn more about how we use your information, click here."

C. LEGAL ENFORCEMENT OF PRIVACY POLICIES

Companies that violate their privacy policies may face legal action in addition to negative consumer reaction. In our case study, the ComeStudyAbroad.com site can limit its liability by making sure to disclose both the data automatically collected by its server software and the cookies placed by its third-party advertisers.

Federal Trade Commission

The FTC does not have the authority to require sites to post privacy policies. However, once a policy is posted, the FTC has claimed the authority to require compliance with stated practices. The FTC has investigated and sued several online companies for deviating from statements made in their privacy policies. The Commission has argued that such deviations constitute unfair and deceptive trade practices, for which it is authorized to seek remedies under the FTC Act (Website) (FTC Act, 1938).

The law is not yet clear on whether the FTC has the authority to enforce privacy policies and whether the failure to comply with stated policies constitutes deceptive trade practices. No final judgments have been made because all relevant cases have either settled through consent orders or currently await trial. Thus far, the FTC has sued or investigated GeoCities, Toysmart, DoubleClick, Amazon, and a series of online pharmacies. See Federal Trade Commission for summaries of each of these cases.

State enforcement

State attorney generals have sought to enforce privacy policies under both civil and criminal law, often invoking state consumer protection statutes. For instance, Toysrus.com, DoubleClick, Clearstation, Infobeat, More.com, and Living.com all face suits by state attorney generals for failure to comply with stated privacy practices. See State Enforcement for summaries of each of these cases.

Private tort actions

Private suits have been predominantly brought under the ECPA and common-law privacy invasion. See Pending Consumer Class Actions for more information.

Consumers have also used contract law to enforce privacy policies. One consumer successfully sued Kozmo.com in California small claims court for breach of contract after Kozmo.com sent e-mail to users who had specifically opted out of receiving such announcements. The plaintiff was awarded $50 in damages and $27.50 in court costs. The plaintiff has put a text of her judgment and an account of her story online (Website) (Spertus, 2001).

[Back to top]

V. Statutes and Regulations

Although Congress is currently debating a comprehensive privacy legislation scheme, the United States has traditionally taken a sectoral approach to privacy. Individual statutes require different standards of conduct from different industries such as credit reporting, financial institutions, telecommunications services, or cable television. Sensitive data, such as financial or medical information, also face different standards of regulation. Data collection by the federal government is regulated by its own special set of statutes. None of these categories will apply to our case study. For more information on these statutes, see Protected Categories below.

At this point, no statute covers the general collection of personal information online. Unlike the European Union, which requires databases to be registered and approved by government data protection agencies, the United States has relied on the market and self-regulation to address privacy concerns. However, in recent years, many in the U.S. have argued that the current market-based approach is inadequate and new legislation should be enacted. According to the FTC, only 41% of randomly selected sites and 60% of popular sites met the basic standards for notice and choice (Website) (FTC, 2000). The Commission has concluded that self-regulation is inadequate and has recommended that Congress adopt legislation to set forth basic standards for online information gathering.

A. ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)

In our discussion about the liability of online profiling, we saw that the ECPA may provide a cause of action against online profilers.

The ECPA can also be used to protect anonymity online. In McVeigh v. Cohen, the U.S. Navy obtained personal information from America Online regarding an anonymous user who described himself in his AOL user profile as a gay military officer (McVeigh, 1998). The court found that the ECPA barred the government from obtaining a user's personal information from an online service provider without a warrant, subpoena, or court order.

However, the ECPA's restrictions on revealing users' personal information apply only to government subpoenas. In Terry Jessup-Morgan v. America Online, Inc., the court held that the ECPA does not regulate disclosure of subscriber identities to private individuals (Website) (Jessup-Morgan, 1998). Instead, those seeking to preserve anonymity from private parties must turn to alternative doctrines, such as common-law privacy tort or unfair trade practices (Aquacool, 2000).

The text of the ECPA is available at (Website) (18 U.S.C. §§ 2510-22) and (Website) (§§ 2701-11)

B. CHILDREN'S ONLINE PRIVACY PROTECTION ACT (COPPA)

COPPA applies to two major categories of websites:

  • Commercial websites directed to children under 13
  • General audience websites with actual knowledge of personal data collected from children under 13

If a site satisfies either of these descriptions, personal information cannot be collected from children without parental consent. COPPA also imposes other restrictions requiring notice, parental access to information and the option to change it, the ability to opt-out of future information collection, and assurances of information security. COPPA is enforced by the FTC, which has posted an excellent guide on compliance (Website) (FTC, 1999).

Under the COPPA safe harbor, businesses can also participate in approved self-regulatory programs that exempt them from prosecution by the FTC. Currently, the Better Business Bureau's Children's Advertising Review Unit (CARU) is the only FTC-approved safe harbor program. However, TRUSTe, the Entertainment Software Rating Board (ESRB), and PrivacyBot.com have all submitted proposals for approval.

The text of COPPA is available at (Website) (15 U.S.C. §§ 6501-06)

C. EUROPEAN UNION DATA DIRECTIVE

The Data Directive, which went into effect in October of 1998, lays forth requirements for privacy practices in member countries. (Website) (95/46). Article 25 also prohibits the transfer of personal information regarding EU citizens to countries lacking "adequate" privacy laws. In January 1999, the EU determined that US privacy laws were inadequate under the Data Directive and therefore barred all data transfers to the US after June 2001.

In an effort to preserve trans-Atlantic transactions, the U.S. Commerce Department entered into negotiations with the EU and developed a Safe Harbor agreement. Under the agreement, US companies may voluntarily exempt themselves from the Data Directive by choosing to follow seven privacy principles: notice, choice, onward transfer (i.e., binding third-parties to follow the seven privacy principles), security, data integrity, and access to correct or remove information. These principles are enforced by the federal government and approved self-regulatory agencies such as TRUSTe or BBBOnline. See the Commerce Department's Safe Harbor website (Website) (Commerce Dept., 1999).

However, very few American companies have taken advantage of the Safe Harbor. Why? First, the Data Directive permits data transfer if sites obtain prior consent from data subjects. Many U.S. companies plan to develop contracts with EU business partners, who can obtain consent from the data subjects, or clickwrap agreements with EU data subjects themselves. Second, since the enforcement of the Data Directive against the US is at a standstill until at least June 2001, companies may simply be waiting until enforcement is imminent before joining a Safe Harbor program. Third, even if American companies exempt themselves from the Data Directive, local privacy laws in EU countries may still block data transfers.

D. PROTECTED CATEGORIES

A number of federal statutes that protect specific categories of private information. There are special rules for financial and medical information, as well as phone and video rental records. The government also faces different restrictions on what kind of personal data it can collect and how it can collect that data.For an overview of these statutes, see the Additional Materials section.

E. PENDING U.S. LEGISLATION

A number of bills are currently pending in Congress concerning privacy in general as well as privacy online. Keep an eye on new updates through EPIC's bill-tracking service (Website) (EPIC, 2001).

[Back to top]

VI. References

Marcia Stepanek, Weblining, BUSINESS WEEK, Apr. 3, 2000, available at http://www.businessweek.com/2000/00_14/b3675027.htm. [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), available at http://www.ftc.gov/reports/privacy2000/privacy2000text.pdf. [Back to text]

U.S. DEPARTMENT OF ENERGY, INTERNET COOKIES (1998), available at http://www.ciac.org/ciac/bulletins/i-034.shtml. [Back to text]

Cookie Central at <http://www.cookiecentral.com>. [Back to text]

Netscape, Client Side State HTTP Cookies at <http://home.netscape.com/newsref/std/cookie_spec.html>. [Back to text]

Electronic Frontier Foundation, The Web Bug FAQ at <http://www.eff.org/pub/Privacy/Profiling_cookies_webbugs/web_bug.html>. [Back to text]

Bake Your Own Internet Cookie, Privacy.net at <http://privacy.net/cookies/> [Back to text]

FEDERAL TRADE COMMISSION, ONLINE PROFILING: A REPORT TO CONGRESS (2000), available at http://www.ftc.gov/os/2000/06/onlineprofilingreportjune2000.pdf. [Back to text]

Association of National Advertisers at <http://www.ana.net>. [Back to text]

Direct Marketing Association at <http://www.the-dma.org>. [Back to text]

Solveig Singleton, Privacy versus the First Amendment: A Skeptical Approach, 11 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. 97 (2000). [Back to text]

Business Week/Harris Poll: A Growing Threat, BUSINESS WEEK, Mar. 20, 2000, available at http://www.businessweek.com/2000/00_12/b3673010.htm. [Back to text]

18 U.S.C. §§ 2510-22, available at http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/119/toc.html. [Back to text]

18 U.S.C. §§ 2701-11, available at http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/121/toc.html. [Back to text]

In re DoubleClick Inc. Privacy Litigation, 2001 WL 303744 (S.D.N.Y. Mar. 29, 2001). [Back to text]

In re Intuit Inc. Privacy Litigation, 2001 WL 370081 (C.D. Cal Apr. 10, 2001). [Back to text]

In re Intuit Inc. Privacy Litigation, 2001 WL 370081 (C.D. Cal Apr. 10, 2001). [Back to text]

18 U.S.C. §§ 2510-22, available at http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/119/toc.html. [Back to text]

18 U.S.C. §§ 2701-11, available at http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/121/toc.html. [Back to text]

Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996). [Back to text]

In re DoubleClick Inc. Privacy Litigation, 2001 WL 303744 (S.D.N.Y. March 29, 2001). [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652A-E. [Back to text]

Susan E. Gindin, Lost and Found in Cyberspace, 34 SAN DIEGO LAW REVIEW 1153 (1997), available at http://www.info-law.com/lost.html#common. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652B. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652C. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652D. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652E. [Back to text]

Shibley v. Time, Inc., 341 N.E.2d 337, 339 (1975) (holding that Time's sale of its subscription list to direct mail advertisers did not constitute an appropriation of personality). [Back to text]

ALAN F. WESTIN, PRIVACY AND FREEDOM (1967). [Back to text]

Arthur R. Miller, Personal Privacy in the Computer Age: The Challenge of New Technology in an Information-oriented Society, 67 MICH. L. REV. 1089 (1969). [Back to text]

Stewart v. Yahoo! Inc. (Dallas Cty. Dist. Ct., filed February 2000) (alleging that Yahoo! and Broadcast.com violated Texas' anti-stalking statute by using cookies to track consumers online). [Back to text]

Carl S. Kaplan, Lawsuit Says Web Cookies Allow Illegal Stalking, NEW YORK TIMES, Feb. 18, 2000, available at http://www.nytimes.com/library/tech/00/02/cyber/cyberlaw/18law.html. [Back to text]

Texas Company Accuses Yahoo of Privacy Violations, CNET, Jan. 26, 2000, available at http://news.cnet.com/news/0-1005-200-1533164.html. [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), available at http://www.ftc.gov/reports/privacy2000/privacy2000.pdf. [Back to text]

U.S. CONST. amend. I, available at http://caselaw.lp.findlaw.com/data/constitution/amendment01/.[Back to text]

Eugene Volokh, Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People From Speaking About You, 52 STAN. L. REV. 1049 (2000) available at http://www.law.ucla.edu/faculty/volokh/privacy.htm. [Back to text]

Reno v. Condon, 528 U.S. 141 (2000), available at http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=000&invol=98-1464. [Back to text]

Los Angeles Police Dept. v. United Reporting Publishing Corp., 528 U.S. 32 (1999), available at http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=000&invol=98-678. [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), available at http://www.ftc.gov/reports/privacy2000/privacy2000.pdf. [Back to text]

Software and Information Industry Association, Online Privacy: Protecting Your Business and Your Customers at <http://www.siia.net/sharedcontent/govt/resources/privacyworkbook.pdf>. [Back to text]

Michigan Attorney General's Office, Guide to Privacy Policies at <http://www.ag.state.mi.us/inet_info/priv_guide.htm>. [Back to text]

U.S. West v. Federal Communications Commission, 182 F.3d 1224 (10th Cir. 1999). [Back to text]

15 USC § 45(a), available at http://caselaw.lp.findlaw.com/scripts/ts_search.pl?title=15&sec=45. [Back to text]

Ellen Spertus, Spertus v. Kozmo.com at <http://www.spertus.com/ellen/Kozmo/kozmo.html>. [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), available at http://www.ftc.gov/reports/privacy2000/privacy2000text.pdf. [Back to text]

18 U.S.C. §§ 2510-22, available at http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/119/toc.html. [Back to text]

18 U.S.C. §§ 2701-11, available at http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/121/toc.html. [Back to text]

McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998). [Back to text]

Terry Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105 (E.D. Mich. 1998), available at http://legal.web.aol.com/decisions/dlpriv/jessup.html. [Back to text]

John Doe aka Aquacool_2000 v. Yahoo! (C.D. Cal, filed May 11, 2000) (plaintiff who posted pseudonymous comments criticizing his employer on a Yahoo! message board alleged that Yahoo! violated its privacy policy by divulging his identity after receiving a subpoena from his employer). [Back to text]

15 U.S.C. §§ 6501-06, available at http://caselaw.lp.findlaw.com/casecode/uscodes/15/chapters/91/toc.html. [Back to text]

Federal Trade Commission, How to Comply with the Children's Online Privacy Protection Rule at <http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm>. [Back to text]

Council Directive 95/46, 1995, available at http://www.privacy.org/pi/intl_orgs/ec/final_EU_Data_Protection.html. [Back to text]

Department of Commerce, Safe Harbor at <http://www.export.gov/safeharbor>. [Back to text]

Electronic Privacy Information Center, EPIC Bill Track at <http://www.epic.org/privacy/bill_track.html>. [Back to text]

[Back to top]

VI. Additional Materials (Optional Reading)

A. DEVELOPING TECHNOLOGIES FOR INFORMATION COLLECTION

Consumer Profile Exchange standard

A group of companies, including IBM, MicroStrategy, and First Union, have developed an XML-based standard that allows companies with different software and techniques for collecting consumer information to share their data more easily in a common format. The Washington Post has an interesting article on the developing standard. Robert O'Harrow, Jr., Internet Firms Act to Ease Sharing of Personal Data, WASHINGTON POST, Dec. 5, 2000, at E1, available at http://www.washingtonpost.com/wp-dyn/articles/A23676-2000Dec4.html.

Pentium III's Unique Numerical Identifier

An identifying serial code number is hardwired into each of Intel's Pentium III chips. The chip was designed to improve security for e-commerce transactions and allow information systems managers to track individual computers across internal networks. However, privacy advocates have argued that the numerical identifier may be used to associate online profiles with a user's personally identifiable information. In response to the controversy, most PC manufacturers have disabled the feature. CNET News has an article on these identifiers. Stephanie Miles, Groups Press Agency on Pentium III, CNET, Mar. 8, 1999, available at http://news.cnet.com/news/0,10000,0-1003-200-339677,00.html.

Windows 98 Identifier

Windows 98 contains a unique serial number that identifies the user who registered the copy of Windows running on that PC. The number is used to track users on the Microsoft website, but because of a bug, can be accessed by other sites as well. Check out the story on CNET News. Erich Luening and Mike Ricciuti, New Security Hole Found in Windows98, CNET, Mar. 10, 1999, available at http://news.cnet.com/news/0,10000,0-1003-200-339806,00.html.

P2P profiling

Peer-to-peer file sharing may allow companies to develop profiles of users based on the shared files stored on their computers. Salon has an interesting article on this possibility. Janelle Brown, Napster Parasites, SALON, Feb. 9, 2001, available at http://www.salon.com/tech/feature/2001/02/09/napster_parasites/index.html.

Wireless GPS

The FCC has recently required new mobile phones to incorporate technologies designed to pinpoint the location of 911 callers. Many wireless phone manufacturers therefore incorporated Global Positioning System (GPS) technology, which uses satellite signals to track a user's location, inside the handsets of their new models. Privacy advocates have argued that wireless GPS will allow large telecommunications companies to track customers' movements. See CNET's news coverage. John Borland, Wireless Phone Tracking Plans Raise Privacy Hackles, CNET, Nov. 10, 2000, available at http://news.cnet.com/news/0-1004-200-3624256.html?tag=st.ne.ni.gartnercomm.ni.

Platform for Privacy Preferences (P3P)

P3P is a standard intended to enhance consumer privacy protection. It is being developed by the World Wide Web Consortium (W3C). P3P-enabled sites will include machine-readable information indicating the data the site collects and how the data will be used. Users will enter their privacy protection preferences in their browser, which will display a warning if no privacy policy is displayed or the site is gathering data the user does not wish to disclose. The next release of Microsoft's Internet Explorer will incorporate P3P technology. The New York Times has an article on how P3P will work in IE . John Schwartz, The Nexus of Privacy and Security, NEW YORK TIMES, Dec. 8, 2000, available at http://www.nytimes.com/2000/12/08/technology/08SECU.html. The W3C also has a good overview of P3P in general . World Wide Web Consortium, P3P Public Overview at <http://www.w3.org/P3P/Overview.html>.

[Back to text]

[Back to top]

B. PENDING CONSUMER CLASS ACTIONS

RealNetworks

RealNetworks has faced a rash of class action suits (RealNetworks cases, 1999). Many of the suits are currently in arbitration because courts have enforced the arbitration clause even though it bars plaintiffs from bringing class action suits (Lieschke, 2000). The complaints allege that RealNetworks assigned globally unique identification numbers to its music listening software that could have been used to track its users without their knowledge. Relief is sought under the ECPA. Check out the news coverage on InternetNews (Website) (McWilliams, 1999) and CNET (Website) (Macavinta, 1999).

Toysrus.com

Toys R Us faces lawsuits in U.S. District court in New Jersey and California. The suits allege that the company's website allowed third-party market researchers to access consumers' personal data in violation of the site's privacy policy. Coremetrics, a San Francisco-based marketing firm, allegedly tracked surfer's movements on the site. The complaints allege breach of contract, common-law privacy invasion, and violation of the ECPA.

Avenue A and MatchLogic (an Excite @Home subsidiary)

Two class action suits were filed on 11/22/00 in Denver (against MatchLogic) and Redmond (against Avenue A). The complaints allege that cookies and web bugs were used by the two online advertising companies in violation of the ECPA, Computer Fraud and Abuse Act, and common law trespass. News coverage can be found at the Industry Standard (Website) (Davis, 2000) and CNET (Website) (Hansen, 2000). The text of the complaint against Avenue A is also online (Website) (Chance, 2000).

Amazon

The complaint alleges that Alexa software and Amazon, its distributor, acted in violation of common-law privacy rights, common-law trespass, and the ECPA (Supnick, 2000). The software allows users to surf the web, but allegedly transmits information about the sites visited to the user's ISP, which then responds with targeted advertising based on the user's movements.

Pharmatrak

The complaint alleges that the Boston-based company violated the ECPA and Computer Fraud and Abuse Act for tracking consumer activity on pharmaceutical websites (Darby, 2000). Although the defendant's privacy policy indicates that its data collection technology could directly identify users when combined with a tracking database, Pharmatrak's CEO argued that the technology would not be used. There's a brief blurb in the Boston Globe on the case (Website) (Boston Globe, 2000).

[Back to text]

C. STATE ATTORNEY GENERALS

eGames

eGames sells a variety of personal computer games, which can be downloaded from its site or purchased as CD-ROMs through retailers. In September 2000, Michigan Attorney General issued a Notice of Intended Action alleging that eGames had violated the state's Consumer Protection Act. The notice alleged that the company had not adequately disclosed online profiling by third-party advertisers at the company's website. Furthermore, the notice alleged that eGames' software allowed Conducent, a third-party advertiser, to use the company's software to monitor consumers' activities on their personal computers. The case settled on January 10, 2001. eGames agreed to remove all undisclosed third-party advertising software and to make available a free software patch to remove Conducent's software from its existing games. The company also agreed not to gather personally identifiable information without notice and consent, and it agreed to an expanded privacy policy explaining how personal data is collected through cookies as well as how users can access and correct their profiles. The Attorney General's press release on this case is online (Website) (Michigan AG's Office, 2000).

Other Michigan online profiling cases

The Michigan Attorney General's Office has brought a series of online profiling suits against Ortho Biotech, AmericasBaby.com, Stockpoint, and iFriends Network. In each case, the complaint alleges that the defendant site allowed third-party advertisers to passively collect information using web bugs or cookies and failed to disclose this practice in its privacy policy. The Michigan AG's office contended that failure to disclose third-party monitoring violated the Michigan Consumer Protection Act, the Michigan Fraudulent Access to Computers Act, and consumers' common-law rights to privacy and to be free from "trespass to chattels."
In each of the Notices of Intended Action, the Michigan AG's office indicated that it was particularly concerned about third-party cookie placement because of the lack of notice to users who may not realize they are being tracked as they surf: "As a general matter, consumers expect that a Website they have chosen to visit will interact with their computers, specifically with their browsing software. Cookies placed by visited sites, such as those placed by Stockpoint itself, may fall within this expectation for some consumers. (Websites who place and read their own cookies on visitors' computers, however, should disclose the use of their cookies.) But most consumers do not understand or expect that cookies are routinely placed and read by DoubleClick, Adforce, and other third parties with whom users have not chosen to establish an online relationship."

[Back to text]

D. INDUSTRY CERTIFICATION PROGRAMS

The following list is a sampling of some industry certification programs:

[Back to text]

E. LEGAL ENFORCEMENT OF PRIVACY POLICIES

Federal Trade Commission

GeoCities

GeoCities is a major virtual community and web hosting service that allows consumers to develop homepages, post them online, and associate them with a GeoCities virtual neighborhood. GeoCities required all users to provide personally identifying information through a New Member Application form as a condition for membership. The FTC alleged that the statements on the form misrepresented the uses of this personal data collected by GeoCities.

The complaint made three major allegations. First, the FTC argued that GeoCities sold personal data to unauthorized third parties after assuring users that the data would be used only to provide members the specific advertising offers and products or services they requested. Second, the FTC alleged that GeoCities sold "optional" information (education level, income, marital status, occupation, and interests) to third-party advertisers after assuring users that the data would be used for internal statistical purposes only and would never be released to anyone without the member's prior permission. Third, the FTC accused GeoCities of allowing third parties to collect information from children through online contests while creating the impression that GeoCities itself operated the contests and retained the information.

On August 13, 1998, the FTC brought suit against GeoCities. The suit was the first online privacy suit ever brought by the Commission. The suit was immediately settled through a consent order. GeoCities agreed to post a prominent privacy notice explaining the kind of information collected, what its purpose is, to whom it is being sent, and how users can obtain and remove the information. It agreed to notify all members of their opportunity to have their information deleted from the databases of GeoCities and third-parties, and the settlement required GeoCities to contact all third parties and request that they immediately delete all improperly disclosed information.

The complaint (Website) (Geocities complaint, 1998) and consent order (Website) (Geocities consent order, 1998) are available at the FTC's site.

Toysmart

Toysmart was an online toy retailer. It collected detailed personal information about its users, including billing information, shopping preferences, and family profiles that contained the names and birth dates of children. Toysmart's privacy policy stated that such information would never be sold to third parties. However, after the company filed bankruptcy, it sought to sell its database of personal information.

On July 10, 2000, the FTC filed for a preliminary injunction in federal district court to stop the sale of the database, claiming that the sale would violate the privacy policy and thus constitutes a deceptive trade practice. The case was settled on July 21, 2000. Toysmart agreed not to sell the database as a stand-alone asset separate from the company itself. The company also agreed to sell the database only to a buyer that would comply with the posted privacy policy and change the current uses of customer information only if customers opted in to authorize such a change. If no such buyer could be found within a year, the database would be destroyed.

Privacy advocates who deemed its restrictions inadequate roundly criticized the settlement agreement. Thirty-nine state attorney generals signed a statement objecting to the settlement and requesting that Toysmart be required to seek permission from each individual customer before selling the information. The dispute was resolved when Disney, a majority stakeholder in Toysmart, eventually agreed to purchase and destroy the database.

The complaint (Website) (Toysmart complaint, 2000) and consent decree (Website) (Toysmart consent decree, 2000) are available at the FTC's site.

DoubleClick

DoubleClick, a large network advertising company, uses cookies and web bugs to track users across different websites and record their surfing habits. These user profiles are not personally identifiable, and DoubleClick's privacy policy assured users that their information would remain anonymous. However, after the company's purchase of direct marketing firm Abacus in 1999, DoubleClick announced plans to combine these profiles with personally identifiable information in Abacus's database, which includes names, addresses, demographic data, and purchase history.

EPIC, a privacy advocacy group, brought a complaint against DoubleClick before the FTC. The complaint alleged that DoubleClick's false assurances of user anonymity in its privacy policy constituted deceptive trade practices. It also alleged unfair trade practices because the users who received the company's cookies were often not aware of monitoring and thus could not take advantage of opt-out procedures.

In February 2000, the FTC opened an investigation into DoubleClick's practices. One month later, the company announced that it had scrapped plans to merge the two databases. After reviewing DoubleClick's practices to ensure its reversal was genuine, the FTC closed the investigation in January 2001. In a letter to DoubleClick's attorney, Christine Varney, the FTC said, "it appears ... that DoubleClick never used or disclosed consumers' personally identifiable information for purposes other than those disclosed in its privacy policy." However, the FTC left the door open for further investigation if the company's policies change, and the company agreed to make several changes in its privacy policy.

EPIC's complaint to the FTC (Website) (DoubleClick complaint, 2000) and the FTC's letter closing the investigation (Website) (DoubleClick letter, 2000) can be found online.

Amazon

Online privacy advocates, the Electronic Privacy Information Center (EPIC) and Junkbusters, have sent letters to the FTC urging investigation of Amazon's recent revision of its privacy policy. Amazon's old privacy policy guaranteed that it would "never" disclose customer information to third parties. The new policy allows limited disclosure of personal data to third parties for fraud protection and credit risk reduction. It also removed the option allowing customers to send email requesting that the online retailer not share their personal data with other companies. The privacy groups allege that Amazon's policy change constitutes deceptive trade practices. The FTC has not yet disclosed whether it has decided to commence an investigation.

Online Pharmacies

In July 2000, the FTC brought action in a District Court in Nevada against a group of online pharmacies and their operators. In addition to alleging that the pharmacies made false claims about their medical and pharmaceutical facilities, the complaint also alleged that they had made false privacy assurances. The FTC alleged that the pharmacies falsely told customers that personal data was encrypted and securely transmitted over an SSL connection. It also charged that the pharmacies falsely told customers that their personal information would be used exclusively for medical consultations and billing purposes.

The case settled. The pharmacies agreed to a consent decree that prohibited them from "selling, renting, leasing, transferring or disclosing the personal information that was collected from their customers without express authorization from the customer." It also required them to develop a privacy policy that met the FTC's guidelines for fair information practices, including notice, consent, security, and access.

Check out the complaint (Website) (Rennert complaint, 2000) and consent order (Website) (Rennert consent order, 2000).

[Back to text]

State Enforcement

Toysrus.com

In December 2000, New Jersey's Division of Consumer Affairs launched an investigation into allegations that the toy retailer has violated its privacy policy by allowing third-party marketing researchers from Coremetrics to access consumers' personal data.

Clearstation and DoubleClick

Cook County State's Attorney filed suit against Clearstation on December 5, 2000, in Illinois Circuit Court. The complaint alleges that both sites violated the state's Consumer Fraud Act by misrepresenting policies on cookie placement. Against investment analysis site Clearstation, the complaint alleged that the company failed to disclose cookie use by third-party advertisers in its privacy policy. It also alleged that the company's privacy policy stated that long-term cookies were not used, although the site used cookies for up to one year. Against network advertising firm DoubleClick, the complaint alleged that DoubleClick's policy suggested that its cookies were limited to generic information only when the cookies used a lengthy alphanumeric data stream capable of monitoring users for up to thirty years.

InfoBeat

In January 2000, the New York Attorney General's office filed suit against InfoBeat, an email newsletter distributor. Although InfoBeat's privacy policy promised never to disclose users' personal data without prior consent, the New York AG's office claimed that when subscribers clicked on advertisements in InfoBeat's html-formatted newsletter, their email addresses were disclosed to third-party advertisers. The case settled, and InfoBeat agreed to fully disclose its practices in its privacy policy, inform prospective members of its practices, and offer them the opportunity to cancel their membership and have all personal data deleted. Check out the settlement agreement for more information (Website) (New York AG's Office, 2000).

More.com

On September 13, 2000, the Missouri Attorney General's office filed suit against the online retailer of health care and nutrition products. The complaint alleged that the site violated its own privacy policy by disclosing users' personal data to third-party advertisers through web bugs.

Living.com

On September 25, 2000, the Texas Attorney General's office filed suit against the bankrupt online retailer under Texas's Deceptive Trade Practices Act. The complaint sought to prevent the company from violating its privacy policy by selling its consumer lists and personal financial information during bankruptcy proceedings. The parties settled. Living.com agreed to allow its court-appointed bankruptcy trustee to oversee the destruction of all sensitive financial data, such as bank account, credit card, and social security numbers. The trustee was permitted to sell the customer list as long as customers were informed and given a chance to opt-out via email.

[Back to text]

F. PROTECTED CATEGORIES

Note that this is not a comprehensive list. It is merely intended to give a flavor for common types of sector-specific regulation.

Financial Information

Fair Credit Reporting Act
(Website) (15 U.S.C. § 1681)

Requires consumer reports agencies to inform consumers of the sources and contents of their reports, provide a list of requesting parties, and obtain consumer consent before providing information to employers or prospective employers.

Gramm Leach-Bliley Act
(Website) (15 U.S.C. §§ 6801-10) and (Website) (§§ 6812-27)

Requires financial institutions to provide notice of the company's privacy policy and offer consumers the opportunity to opt-out of disclosure of personal data to third parties. Also requires institutions to protect against anticipated security threats and unauthorized access that could result in substantial harm or inconvenience to the customer.

Fair Debt Collections Practices Act
(Website) (15 U.S.C. § 1692)

Prohibits debt collectors from publishing a list of consumers who refuse to pay their debts except to a credit bureau.

Electronic Funds Transfer Act
(Website) (15 U.S.C. § 1693)

Requires financial institutions that provide electronic banking services to inform consumers of policies concerning the disclosure of automated bank account information to third parties.

Entertainment and Telecommunications

Cable Communications Policy Act of 1984
(Website) (47 U.S.C. § 551)

Requires notice to cable subscribers of all collection and disclosure of personally identifiable information.

Video Privacy Protection Act of 1988
(Website) (18 U.S.C. § 2710)

Regulates the disclosure of video rental and sales records. Prohibits disclosure of personally identifiable video rental or sales records without informed written consent, unless the records are subpoenaed by a law enforcement agency, disclosed in the ordinary course of business, or required for a civil proceeding where a compelling need exists that cannot be otherwise accommodated.

Communications Act of 1934, as amended by the Telecommunications Act of 1996
(Website) (47 U.S.C. § 222)

Prohibits the disclosure of customer proprietary network information (e.g., phone records) without the affirmative written consent of the customer. Exceptions exist for aggregate consumer data, information used to provide related services such as phone books, or emergency situations.

Medical Information

Health Insurance Portability and Accountability Act of 1996
(Website) (42 U.S.C. § 1320a)

Requires the Department of Health and Human Services to regulate the privacy of individually identifiable health information after Congress failed to pass legislation protecting medical privacy by August 21, 1999. Draft regulations are available at the EPIC website (Website) (EPIC, 1999).

Federal Government Access

Privacy Act of 1974
(Website) (5 U.S.C. § 552a)

Requires notice when personal data collected by the federal government will be made available to the public.

Right to Financial Privacy Act of 1978
(Website) (12 U.S.C. §§ 3401 et seq.)

Regulates disclosure of consumer financial information to the government by financial institutions.

[Back to text]

 

-

Please send all inquiries to: Diane Cabell

Home | Introduction | Setting Up | Transactions | Privacy | Disputes | Reference | Search

The Berkman Center for Internet & Society

Design by: Robert Ditzion and Grethe Thilly