Practicing Law Institute
Patents, Copyrights, Trademarks, and Literary Property
Course Handbook Series
PLI Order No. G0-00DZ
September, 2000
eCommerce Strategies for Success in the Digital Economy
*663 WEBSITE PRIVACY POLICIES IN PRINCIPLE AND IN PRACTICE
Scott Killingsworth [FN1]
Copyright (c) 1999 - 2000, All Rights Reserved.
*667 Abstract
After a brief excursion into the recent history and business context of Website
privacy issues, this paper summarizes the major sources of applicable privacy
law within the United States, and offers a methodology for constructing a
privacy policy and information practices that are consistent both with one
another and with the law.
*669 I. INTRODUCTION
For e-commerce websites, having a privacy policy is no longer optional. Federal
legislation, FTC enforcement, the European Union Privacy Directive, [FN2] economic coercion and consumer demand have
all recently converged to create a new environment in which implementing a
privacy policy is a business necessity for most, and legally advisable for all.
In principle, privacy policies are simple: if your website collects
individually-identifying information about visitors or customers, tell them how
and why you collect the information, how it is used and to whom it is
disclosed, and give them some choice in the matter. But the short history of
personal privacy on the web is already replete *670 with examples
of how treacherous the execution of this simple formula can be: Internet icons
like Yahoo, DoubleClick, America Online, RealNetworks and GeoCities, and major
corporations like United Airlines, have all stumbled on privacy issues. The
hazards are many: first, the emerging legal rules, self-regulation models and
web-community norms are all moving targets; second, though consistent in
thrust, the legal rules differ in important details; and third, there is a
noticeable gap between what is legal and what may be necessary to avoid a
public-relations disaster. Applying these fragmented, evolving principles to a
web-based business that is itself in constant flux can be like trying to thread
a needle while roller skating on a boat in choppy seas.
This paper describes how to design a website privacy policy that will be
effective both legally and in practice. It addresses specific issues that must
be confronted in drafting and implementing a policy, and offers suggestions for
avoiding pitfalls. But we begin with context: the business pressures that make
a privacy policy necessary and the legal principles that apply.
II. DEFINING THE PROBLEM: "YOU HAVE ZERO PRIVACY ANYWAY. GET OVER IT."
Scott McNealy's impulsive remark to a
roomful of reporters [FN3] could hardly be more politically
incorrect, but it mirrors the perceptions of many on both sides of the privacy
fence. On the one hand, some website operators *671 have avidly
exploited the Internet's special aptitude for harvesting, sifting, and
remarketing information about visitors, often surreptitiously, with little if
any respect for the wishes of the individuals involved. On the other, awareness
of these zero-privacy practices has led many consumers to develop an abiding
distrust of "the Internet," [FN4] with consequent misgivings about
disclosing personal data or doing business online.
Though concern about computers and privacy is nothing new, [FN5] the Internet offers unique temptations
both for collectors of personal information and for individuals who are asked
to reveal it. A department store or mail order house may be able to deduce
customer interests by tracking purchases, but on the Internet merchants can
track not only what customers buy but also what else they look at and for how
long. If the customer arrived at the merchant's site in the usual way, via a
hyperlink from a referring site, the merchant's server logs will record the *672
identity of the referring site, providing a source of additional clues about
the customer's interests or browsing patterns. Instead of relying on
hit-or-miss surveys to assess the efficiency of advertising in bringing
customers to the store, web merchants can receive a database-ready audit trail
detailing which customers clicked on which ads on their way to the site. With
the help of web-based advertising networks that deliver cookies with their
banner advertisements and thereby track browsing at all sites participating in
the network, a website can learn about its visitors' browsing habits elsewhere
on the Internet, their employer types (deduced from top-level domain names),
the time of day they browse and where they live. [FN6] Combined with personal demographic
information gathered in a registration or transaction process-- or purchased
from third parties-- and analyzed with sophisticated data-mining and predictive
programs, this information can become a powerful marketing tool. [FN7] The *673 process is tempting
not only because the data is so valuable, but also because obtaining it is so
easy. Virtually every "dotcom" startup's business plan includes a
section on the site's ability to construct and exploit demographic and
psychographic [FN8] profiles of visitors, blurring the
"fine line between good service and stalking." [FN9]
For consumers, the temptations to disclose information are many, from the
convenience of ordering products online, to the benefits of registered
membership in a free community or portal site (such as user-defined content,
public or private discussion forums, etc.), to the personalized buying
suggestions, and even third-party advertisements, that arrive as a result of
making one's self known to a site. And again, it is so easy to disclose the
information. The problem is that once the cat is out of the bag, it may be
difficult to stop the resulting onslaught of marketing e-mails, savory and
otherwise, and direct mail and telephone solicitations - especially if the
website has shared the information with third parties.
As the web has matured into a mainstream business channel, the need to strike a
more appropriate balance between business and consumer interests has become
plain. The backlash of mistrust provoked by some websites' cavalier treatment
of personal information threatens to impede the growth of e-commerce, and so
enlightened self-interest dictates that the business community focus on
building consumer confidence in the *674 web. Privacy policies
have become the centerpiece of this effort.
III. THE IMPORTANCE OF BEING EARNEST
Of course, adopting a privacy policy is not enough; to protect the public and
the website, the policy must be followed. This lesson was driven home by the
Federal Trade Commission's (FTC) 1998 GeoCities [FN10] enforcement action, a watershed event
that exemplified both the grounds for consumer privacy concerns, and the
government's response to them. One of the ten most visited websites, GeoCities
was a "virtual community" that hosted members' home pages and
provided other services such as free electronic mail (e-mail), clubs and
contests to its 1.8 million members. The membership application requested both
mandatory and optional personal information, and included options as to whether
the member wanted to receive specified marketing information. The site also
promoted a club and contests for children, participation in each of which
required the child to submit personal information and to establish a GeoCities
home page.
The website included statements assuring members that their personal
information would be shared with others only in order to provide members the
specific advertising they requested, and that optional registration information
would not be disclosed without the member's permission. Actually, the members'
information had been sold or rented to third parties who used it for other
purposes, including targeted advertising. [FN11] As to children, the FTC *675
found that the website created the impression that GeoCities was collecting the
contest and registration information, when in fact this was done by third
parties hosted on its site. [FN12]
These blunders gave the FTC the platform it needed to make a public example, [FN13] and to put into practice its oft-stated
views on how websites should handle personal privacy issues. The case settled
with a consent order [FN14] that prohibited GeoCities from misleading
consumers about its data collection, use or disclosure practices, and from
misrepresenting who was collecting personal information. GeoCities agreed to
post a privacy policy explaining what information is collected on the site, its
intended use, what third parties might receive it and how the member could
access the information and have it erased from GeoCities' computers. In
addition, GeoCities was required to obtain express parental consent before
collecting personal information from children, and to delete all information
previously collected unless the parents agreed otherwise. [FN15] The FTC's timing was politically astute:
a week before the case was made public, the FTC had asked Congress to *676
enact legislation protecting children's privacy online; [FN16] before the GeoCities order was officially
issued, Congress had passed the Children's Online Privacy Protection Act of
1998 (COPPA). [FN17]
What is most legally interesting about GeoCities is that it is based entirely
on misrepresentation. The FTC does not (except under COPPA) have authority
either to require websites to post privacy policies, or to prescribe their
content, but under Section 5 of the FTC Act it has broad enforcement power over
"deceptive acts or practices." [FN18] If instead of saying one thing and doing
another, GeoCities had made no promises at all, it might have avoided becoming
the most notorious bad example in the history of online privacy.
IV. WHY VOLUNTEER FOR LIABILITY?
As GeoCities shows, from a strictly legal perspective [FN19] McNealy's "zero-privacy" remark
has much to recommend it as an eight-word privacy policy. As long as one is not
catering to children, gathering information from European consumers, [FN20] or in an industry where information
practices are already regulated, [FN21] the main source of liability exposure in
this area is violating one's *677 own policy, and the McNealy
doctrine would be impossible to violate. Why should any business volunteer for
potential liability by publicly adopting a higher privacy standard? Quite
simply, one can't afford not to.
A. THE NEW CONFIDENCE GAME
Every web-based business has a stake in consumer confidence. Even brands that
already enjoy solid reputations have an interest in avoiding any taint from
consumer fear, uncertainty and doubt concerning the web as a whole. And despite
the spectacular growth of e-commerce, much doubt remains. Credible studies
indicate that concern for privacy is the number one factor keeping non-Internet
users off the net, [FN22] and less than a quarter of all web users
have actually purchased anything online. [FN23]
The obvious product of this distrust is that people avoid disclosing personal
information by opting against online transactions and website registration. [FN24] Less obvious but equally troubling for
online marketers is the "garbage in" syndrome: in two recent surveys,
over forty percent of Americans who registered at websites admitted to
providing false information some of the time, mainly because of privacy
concerns; the figure for European *678 registrants was over
fifty-eight percent. [FN25] Meanwhile, the market has responded to
user privacy concerns with a variety of products and services designed to
provide anonymous surfing and to block meaningful tracking of browsing
behavior. [FN26] The message to marketers is clear: if you
want useful and accurate data, earn it by assuring consumers that you will use
it appropriately.
Posting a privacy policy can make an enormous difference in consumer
confidence: in survey after survey, overwhelming majorities of net users say
that privacy policies are important, [FN27] or would matter to them in deciding
whether to trade information for benefits, [FN28] or would increase their Internet usage, [FN29] purchases, [FN30] or information disclosure. [FN31] Moreover, as privacy policies *679
become nearly universal, [FN32] the implicit message of not posting a
policy may be that one should be assumed a "data bandit" until proven
otherwise. [FN33]
Just as having no privacy policy can be a handicap, claiming the high ground
with a conspicuously consumer-friendly policy can confer competitive benefits.
People are especially sensitive about the release of their information by the
original recipient to unnamed others. [FN34] Reacting to this sensitivity, many
websites have adopted a black-box *680 model that consolidates
the marketing function for third-party products in the website so that
consumers' identifying information need not be shared with the third-party
advertisers. The outside vendor may specify group demographics for the targeted
consumers but will not have access to an individual's information until an
order is actually placed, and may not receive it even then. [FN35] A website that goes out of its way to
identify itself in plain language as the consumer's privacy ally makes a
powerful marketing statement - particularly if the contrast with competitors'
indiscretions is explicit. Consider these excerpts from a musical instrument
retailer's policy:
What you do with zZounds today is nobody else's business. And we promise to
keep it that way...Not all businesses respect their customer relationships like
we do at zZounds. Many businesses, including other large music instrument
retailers, are eager to share the information they have collected about you.
Your trust and your privacy is for sale to the *681 highest
bidder.... This will not happen when you shop at zZounds. [FN36]
Indeed, taking this idea one step further, a growing market niche has developed
around the business model in which the website openly bargains for web users'
demographic and psychographic profiles in return for a promise of limited
anonymity, coupled with the privilege of sending targeted advertising to the users.
The message of companies such as Juno [FN37] and MyPoints [FN38] is: tell us what we need to know to send
you ads that will interest you, and we will keep your data confidential. To the
extent that the marketing actually reflects the user's interests,
advertisements will not be "junk mail" to the user, and they will be
far more effective on a per exposure basis for retailers.
Finally, nothing undermines trust like a well-publicized betrayal. It has
proven surprisingly easy for marketers, tightly focused on how information can
be profitably used and sold, to misjudge (or be oblivious to) consumer reaction
to new initiatives. Properly implemented, a privacy policy serves as an
internal touchstone for a company's consumer information practices. As the *682
standard for evaluating any change in these practices, the policy can help inoculate
against the kind of ill-considered strategies that create public relations
meltdowns. [FN39]
B. SEAL APPEAL
"Privacy Seal" programs such as those sponsored by TRUSTe [FN40] or BBBOnLine [FN41] may also win consumer confidence. Privacy
counterparts to the Good Housekeeping and Underwriters' Laboratories seals,
these programs bring the credibility of third-party assessment, verification,
and dispute resolution to a website's information practices. These programs
also require adherence to certain minimum standards in areas such as notice of
information practices, consumer choice as to secondary uses [FN42] of the information and its transfer to
third parties, consumer access to stored data, information security, and data
integrity. Both organizations have special rules for sites targeted at
children, consistent with those of COPPA. [FN43]
*683 Both organizations require completion of self-assessment
questionnaires that probe the site's information practices in great detail - a
useful exercise for anyone preparing a privacy policy - and both impose strict
license agreements and provide for ongoing compliance reviews. [FN44] BBBOnLine adds a mandatory, structured
dispute resolution mechanism. [FN45] As of January, 2000, TRUSTe had 1000
licensees, including all of the major portals, 15 of the top 20 sites and
approximately half of the top 100 sites; [FN46] BBBOnLine rolled out its privacy seal in
March of 1999, with approximately 300 applications on file [FN47] and by January, 2000 had over 200 sites
enrolled. [FN48]
The potential of these seal programs to win consumer trust was illustrated by a
1999 survey in which web users were shown twenty-seven certification marks used
online, and asked to pick the two marks they were familiar with *684
that most increased their trust of a website. [FN49] The BBBOnLine and TRUSTe marks were
ranked second and third (behind only the Verisign symbol), with thirty-six
percent of respondents ranking BBBOnLine [FN50] in their top two, and thirty-one percent
naming the TRUSTe symbol.
For over four years the FTC has consistently encouraged industry
self-regulation efforts such as these seal programs, which promise such benefits to
the government as avoidance of the First Amendment issues that arise when the
government attempts to control the flow of information, and conservation of
limited government enforcement resources. [FN51]
C. GORILLA MARKETING
As mentioned above, even the most trusted brands have a stake in public
confidence in e-commerce generally, and in privacy protection as one of its
components. The "800-lb. gorillas" of the net are beginning to weigh
in pointedly on the side of privacy policies. Recently the Internet's two
largest advertisers, [FN52] IBM [FN53] and Microsoft, [FN54] *685 announced that they
would no longer advertise on websites that did not post privacy policies. A
week after the Microsoft announcement, Disney's Go Network, which includes
Disney.com, Infoseek, ABCNews.com, and ESPN.com, raised the ante by declaring
that they would neither advertise on, nor accept advertising from, sites
lacking a comprehensive privacy policy. [FN55]
Similar pressures are being exerted by trade associations such as the Direct
Marketing Association (DMA), which required its 3,600 members to adopt its
"Privacy Promise" [FN56] by July 1, 1999. This policy requires
members to inform customers of their right not to have their personal information
sold, rented or exchanged; to honor consumer requests not to be contacted again
by the member or not to have their information shared with others; and to
consistently use the DMA's contact-suppression lists of consumers who have
informed the DMA that they do not wish to receive direct-mail or telephone
solicitations (an e-mail suppression list is planned as well). In addition, the
DMA has created an automated privacy policy generator [FN57] that can be used by *686
its members or others to create a simple privacy policy. A number of other
industry associations, [FN58] particularly in the banking and consumer
marketing fields, recommend model information practice guidelines to their
members. [FN59]
These "gorillas" are not proselytizing privacy wholly out of concern
for individual rights or the credibility of the Internet; they see a bigger
gorilla on the horizon. A political consensus on appropriate use of consumer
information has arrived, and effective self-regulation (at the level of the
individual company and of the Internet community as a whole) is probably the
only way to head off federal privacy legislation, with its threat of
inflexibility and bureaucratization. These companies know that the alternative
to adopting a privacy policy is to have the government adopt one for them. The
choice is not between whether to volunteer for liability or to avoid it; the
choice is whether to define one's own standard or to accept whatever standard
the political process may define. We turn now to the "Fair Information
Practices" consensus, its history and its gradual transformation into law.
V. FAIR INFORMATION PRACTICES
The consensus approach to personal information privacy is a market-based model
that allows consumers to participate in decisions on disclosure and use of
their personal information, within a framework of data security *687
and integrity. As articulated by the FTC, [FN60] the elements of "Fair Information
Practices" are notice, choice, access, security, and enforcement.
A. NOTICE
Consumers are entitled to clear and accessible notice of a website's practices
of collecting, using, and disclosing personal identifying information, before
the information is collected. Notice is the foundation on which the other
principles operate, and accordingly the notice should address matters such as
who is doing the collecting, what data is being collected and how it is being
collected, how the data will be used, to whom it will or may be disclosed, and
the consequences of refusing to give the information. The notice should also
discuss the website's policies on choice, access, and security.
B. CHOICE
Consumers should be offered choice as to how their information is used beyond
the purpose for which it was initially provided (e.g., to gain access to
website features or to complete a transaction). Choice may be
"opt-in" ("click here if you would like to receive valuable
information from carefully selected business partners") or
"opt-out" ("click here if you prefer not to receive junk mail
from total strangers"). "Opt in" offers the stronger privacy *688
protection because it establishes a default rule against disclosure and use.
The most important choice points are those concerning secondary uses by the
website gathering the information (such as inclusion in the company's targeted
mailing lists), and disclosure of the information to third parties.
C. ACCESS
Consumers should have reasonable access to stored information about them [FN61] and an opportunity to correct
inaccuracies or to have the data deleted.
D. SECURITY
Websites should take reasonable steps to protect the security of the data, both
internally and vis-à-vis outsiders, and to ensure its integrity (freedom from
alteration) and accuracy. [FN62]
*689 E. ENFORCEMENT
These principles must be enforceable to be effective. The appropriate
enforcement apparatus and the minimum standard of what enforceability means are
at the heart of a spirited debate over whether self-regulation is sufficient [FN63] or additional federal legislation is
needed. Undoubtedly, the FTC has pressed for universal adoption of privacy
policies in part to bootstrap itself into GeoCities-style enforcement authority
under section 5 of the FTC Act. Also, a key issue in the negotiations between
the United States and the European Union (EU) over the EU Privacy Directive [FN64] has been an EU requirement that
enforcement include a right to money damages for those injured by privacy
violations.
For young children, there is a codicil to the principles of notice, choice and
access: Parents must receive the notice and exercise choice on behalf of young
children, and parents should have access to the information on file about their
children.
These five principles owe their current acceptance to both their considerable
history and their flexibility. First presented in a 1973 study by the
Department of Health, Education and Welfare, [FN65] they soon became the framework for the
Privacy Act of 1974. [FN66] They were *690 adopted as
guidelines by the Organization for Economic Cooperation and Development (OECD) [FN67] in 1980, and with some important
refinements, formed the basis of the EU Privacy Directive. Lately, they have
been strongly advocated by the Commerce Department and the FTC (the GeoCities
order is a roadmap of Fair Information Practices) and have found their way into
a number of laws and legislative proposals.
The flexibility that makes these principles so widely acceptable to consumer
advocates, government, and industry alike could be equally well described as
"vagueness," and the specter of endowing these principles with the
force of law - to be further defined, refined, and expanded in the American
way, through detailed regulations and endless litigation - is enough to make
any businessperson an apostle of self-regulation. Self-regulation, after all,
is simply the ability to decide for oneself what "reasonable" means.
VI. THE LEGAL LANDSCAPE
Though America has recognized enforceable privacy rights in personal
information for nearly a century, [FN68] the legal context for website privacy
policies is, for the most part, new and rapidly evolving. Drafting a privacy
policy means navigating a variety of United States statutes and legal
principles of relatively narrow scope-- a situation that has been described
euphemistically as a "sectoral" [FN69] or *691 "layered"
[FN70] approach and realistically as a
"patchwork" or "minefield" -- as well as anticipating where
United States and EU law may be headed. Without attempting a complete analysis,
this section highlights the major legal issues that impact formulation of a
privacy policy.
A. PRIVACY TORTS
Although the common law of torts is not currently a major concern for the
ordinary business practices of commercial websites, it cannot be ignored. The
most relevant common law concept is invasion of privacy by public disclosure of
private facts. [FN71] However, this cause of action arises only
if the information revealed would be highly offensive or humiliating to a
reasonable person, is of no legitimate public concern, and is disclosed widely
enough to be "substantially certain to become...public knowledge." [FN72]
The case of naval officer Timothy McVeigh is a cautionary tale for online
businesses in this area (although it is by no means clear that the elements of
this tort were actually present in that case). [FN73] A Navy investigator duped an America
Online (AOL) service representative into confirming that McVeigh was the person
behind an AOL *692 user profile that listed the user as being
gay; [FN74] the Navy attempted to expel McVeigh from
the service on that basis. For AOL, which settled out of court, the incident
uncovered a need to redouble its staff education efforts on protection of
members' privacy, including "scenario training" aimed at helping
customer service representatives deal effectively with attempts to access
member information via subterfuge. [FN75]
Looking ahead, website operators should be alert for cases which may lower the
threshold of "public disclosure" in light of the ease of wide
dissemination of data over the web; but even if this occurs, the likelihood of
tort liability for disclosure of ordinary marketing information seems remote.
Sites that deal in especially sensitive information such as health status,
mental illness, emotional or family problems, and sexual matters are at greater
risk. Someday, someone who has ended up on a mailing list targeted at
participants in anonymous discussion forums on masochism, obsessive-compulsive
disorder, and Ivy League football is going to get mad enough to sue, and just
might win.
For purposes of this article, the most important feature of tort law is that
consent is a defense. In the tort context, it may be debatable whether
submitting information on a website constitutes legally binding consent to the
information practices stated in the website's privacy policy, but the argument
is at least plausible. Websites that deal with highly sensitive information,
including those with anonymous or private discussion forums, typically have a *693
click-wrap user agreement that can be integrated with the privacy policy to
ensure valid consent.
B. THE FTC ACT
As the GeoCities discussion suggests, and the FTC seems to have publicly
conceded, [FN76] the FTC's jurisdiction under the FTC Act
is effectively limited to ensuring that a website's practices mirror its stated
policies, if any. Previously, the FTC staff had asserted that even if no
promises are made to the user, some information practices might be
"inherently unfair" in the context of collection and release of
information from children, [FN77] but this position seems moot in light of
COPPA and is unlikely to be asserted as to data collected from adults. There is
no private right of action under the FTC Act, so consumers seeking damages for
privacy policy violations must find another theory of liability, such as
contract. [FN78]
C. COPPA
*694 Enacted in October 1998, COPPA applies to commercial [FN79] websites and online services that are
targeted at children or that have actual knowledge that information is being
collected from a child. [FN80] It codifies the FTC's Fair Information
Practices as imposed in the GeoCities Consent Order, starting with the
requirement of posting a privacy policy describing what information the site
collects and how it uses and discloses that information. [FN81]
The cornerstone of COPPA is prior "verifiable parental consent" [FN82] to the collection, maintenance, and
disclosure of information about children twelve and under. COPPA complements
this initial parental "opt-in" [FN83] with a continuing "opt-out"
right to stop further use or collection of information from the child [FN84] and also gives parents access rights to
stored information. [FN85] Exceptions to the "verifiable
parental consent" requirement accommodate the practicalities of getting
the consent in the first place (how would you know whose parent to contact or
how to contact the parents, unless you ask the child?) and allow isolated
e-mail contacts and actions necessary to protect the child's safety, to comply
with the law, or to deal with website security issues. [FN86]
Covered websites are prohibited from extracting extraneous information from
children as a prerequisite for *695 entering an online contest or
other activity [FN87] and are required to use "reasonable
procedures to protect the confidentiality, security, and integrity of personal
information collected from children." [FN88] Finally, the law provides for a
"safe harbor" whereby a website will be deemed in compliance with
COPPA if it complies with an industry self-regulatory program approved by the
FTC. [FN89]
Enforcement of COPPA depends entirely on its implementing regulations; the only
actual offense under the law is violation of the regulations. [FN90] The regulations, [FN91] which take effect April 21, 2000, address
such issues as defining when a website is "targeted at children,"
what is considered "personal information," and how to notify parents
and obtain verifiable parental consent. As to the latter, the regulations
impose, on a transitional basis, a two-tier scheme for consent depending on the
activities involved and the use the website intends to make of the information
gathered. Until April 21, 2002, initial parental consent for internal uses of
information by the website can be obtained via e-mail, with follow-up
confirmation via either e-mail, postal mail or telephone; but for disclosures
to third parties and online activities such as personal homepages, message
boards and chat rooms *696 which inherently disclose information,
[FN92] prior consent must be obtained by more
reliable (and burdensome) means such as postal mail, use of a credit card,
digital signature technology, a toll-free telephone bank with trained
operators, or e-mail containing a password issued by the site. After April 21,
2002, all consents must be obtained by the more rigorous means just listed. [FN93]
Equally important in the present context, the regulations impose specific
requirements for the content and placement of the website's privacy policy. [FN94] The content requirements essentially
mirror the structure of COPPA itself, requiring the website to disclose what
information it collects and what it does with the information, and to advise
visitors of their rights under COPPA. [FN95] The placement requirements are designed
to ensure that the notice will be prominently displayed where it is most
needed: on the site's home page and adjacent to each request for personal
information. [FN96]
For most websites, the response to COPPA should be to avoid knowingly
collecting information from young children, either by omitting age questions
altogether or by providing data fields for age where 0-12 are invalid entries.
These measures could be accompanied by a notice that the website does not wish
to collect information from children twelve and under. For websites that
actively cater to children, the law has ramifications not only for the privacy
policy itself but also for site and database design. Like any *697
privacy policy, COPPA sets a behavioral standard that the site operator must
design its back-office systems to implement.
D. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)
Enacted in 1986 and hence not explicitly addressed to the web as it exists
today, the ECPA provides both criminal penalties and civil remedies, including
punitive damages, for unauthorized interception or disclosure of electronic
communications and unauthorized access to stored communications. [FN97] Parsing through the definitions reveals
that the ECPA's reach may be greater than first appears.
"Interception" means acquisition of the "contents" of a
communication, [FN98] and "contents" is expansively
defined to include "any information concerning the substance, purport, or
meaning of that communication." [FN99] "Electronic communication"
includes "any transfer of signs, signals, writing, images, sounds, data,
or intelligence of any nature," [FN100] a definition broad enough to encompass a
browser request for a particular web page, the transmission of a cookie, and
other browser-server interactions.
The ECPA has obvious application to the monitoring or disclosure of e-mails, or
of discussions in private forums or chat rooms, by a site that provides those
services. Presumably the statute's exceptions permitting interception and
disclosure by "parties to the communication" [FN101] exempt the collection, analysis, and *698
disclosure of clickstream data by websites; however, in some contexts an
argument could be made to the contrary. [FN102]
Exceptions also exist for interception and disclosure of electronic
communications by third parties with the consent of a party to the
communication. [FN103] As with tort law, it may be unclear
whether simply posting a privacy policy that warns of monitoring or disclosure
will lead to a conclusive presumption of consent. [FN104] Therefore, website operators
contemplating monitoring or disclosure that might be questionable under ECPA
should consider an auditable click-wrap consent.
E. FAIR CREDIT REPORTING ACT (FCRA)
The FCRA [FN105] may apply to a website if it regularly
collects and furnishes to others certain types of information [FN106] that may be used for purposes such as *699
credit or insurance underwriting, employment decisions, or deciding whether to
enter into a transaction with the person in question. These "consumer
reports" may be used only for limited purposes, which do not include the
marketing of any products other than insurance and credit. Even for the two
industries in which consumer reports may be used for marketing, consumers must
have an opportunity to opt out of receiving unsolicited insurance and credit
offers. [FN107] An exception to FCRA that allows the use
and reporting of one's direct "transactions and experience" with the
consumer [FN108] would permit the sharing of most
transaction information gathered by most websites from their customers.
However, where a website merges its own data with data obtained from other
sources and discloses the results, the exception would not apply.
Especially relevant to website privacy policies are several provisions
requiring express consumer consent to particular disclosures (e.g., disclosures
in connection with employment decisions or medical information). Similarly, an
exemption for disclosures of consumer reports to company affiliates applies
only if the consumer was clearly and conspicuously informed of the possibility
of such disclosures and had an advance opportunity to opt out. [FN109]
Because the requirements of FCRA are complex, interpretive problems abound,
particularly as to the distinction between a regulated "consumer
report" and an unregulated "marketing profile." [FN110] Accordingly, any *700
website that reports consumer information obtained from third parties should
evaluate its information practices to determine whether the statute applies. If
it does, it will have a significant impact on the website's information
practices and privacy policy.
F. THE EU PRIVACY DIRECTIVE
The EU Privacy Directive sets minimum standards for personal information
processing within the EU, and prohibits the transfer of this data to non-EU
countries that do not provide "adequate" privacy protection. [FN111] Because most European nations have had
comprehensive privacy statutes for some time, the United States, with its ad
hoc or "sectoral" approach, has not been recognized as providing
adequate protection.
In 1998, negotiations began between representatives of the EU and the United
States Department of Commerce to remedy this discrepancy between the U.S.
privacy protection standards and the EU notion of what protection is
"adequate." In March of this year the Commerce *701
Department and the European Commission reached an agreement on a set of
"Safe Harbor" principles [FN112] that American companies could adopt in
order to qualify their data protection practices as "adequate," and
so ensure continued access to consumer data from Europe. In effect, the Safe
Harbor measures "adequacy" largely in terms of conformity to the EU
model.
Once the EU's adoption of the Safe Harbor has become fully effective, EU data
protection officials will treat U.S. entities that comply with the Safe Harbor
as being in compliance with the EU Directive itself. U.S. companies may qualify
for the Safe Harbor either by adopting their own enforceable privacy policies
that comply with the Safe Harbor principles or through membership in a self-
regulatory organization that polices compliance with the principles. The Safe
Harbor protection (and data handling requirements) will apply from the date the
company self-certifies its compliance with the principles to the Commerce
Department.
The Safe Harbor standards are similar to the FTC Fair Information Practices,
but include important elaborations on those principles. First, the EU considers
data concerning union membership, religious and political affiliation, medical
condition, sexuality, and racial or ethnic origin to be especially sensitive,
and therefore requires an express "opt-in" before this information
can be disclosed to third parties or used for any purpose incompatible with
that for which it was originally submitted. For all other personal information,
there must be an "opt-out" opportunity to prohibit its use in marketing,
either by the original recipient or by others to whom the data is *702
transferred. When data is to be disclosed to third parties [FN113] pursuant to a privacy policy notice (as
opposed to transfers with the explicit consent of the consumer), the transferor
must ensure that the recipient also follows the Safe Harbor rules. [FN114]
Other key provisions of the Safe Harbor principles address access to personal
information and enforcement. The principles state that individuals must have
access to personal information about them except where the burden or expense of
providing access would be disproportionate to the risks to the individual's
privacy, or where the rights of other persons would be violated. Enforcement
mechanisms must include rigorous sanctions against companies that certify
adherence to the principles but then fail to comply with them.
Besides these substantive differences from the FTC Fair Information Practices,
a host of additional issues stem from the fact that the EU Privacy Directive is
law and the FTC practices are not. Those who question whether effective self-regulation
is really any different from government prescription have only to look at the
fastidious and rigid implementation by the EU of the broad principles that the
Privacy Directive and the Fair Information Practices have in common.
*703 In light of the additional requirements of the Safe Harbor,
American websites will have to decide whether it is worthwhile to accept data
from the EU at all, and if so, whether to partition one's data and information
practices according to national origin, or to allow the EU principles to govern
one's entire operation.
G. FINANCIAL SERVICES REGULATIONS
1. Internet-Specific Regulations. Reflecting the explosive growth of online
banking, the Office of Thrift Supervision, [FN115] the Office of the Comptroller of the
Currency, [FN116] and the FDIC [FN117] have all recently issued guidance to
institutions under their supervision urging them to post privacy policies on
transactional websites. For virtually all web-banking accounts, the Electronic
Funds Transfer Act [FN118] and implementing regulations [FN119] already require financial institutions
to inform customers of the institution's policy on disclosing account
information to third parties, including affiliates.
*704 2. Gramm-Leach-Bliley Act. The 1999 Gramm-Leach-Bliley Act, [FN120] also known as the Financial Services
Reform Act, represents a dramatic reshaping of U.S. regulation of financial
institutions. Its main thrust is to repeal the Glass-Steagall Act [FN121] and to permit financial institutions to
affiliate with securities broker-dealers, merchant banks and insurance
companies, as well as with a potentially wide variety of other businesses in financial
or "complementary" fields.
Title V of the Act imposes substantive restrictions on the disclosure of
personally identifiable financial information acquired by financial
institutions, other than publicly available information. [FN122] It applies only to financial
information, but applies to that information whether gathered online or offline
and whether gathered directly from the consumer or from third parties. [FN123] Generally speaking, [FN124] this information may not be disclosed to
unaffiliated third parties unless the consumer has been given notice of the
institution's privacy policy, including conspicuous notice of any potential
disclosure to third parties, and has been given an opportunity to "opt
out" of the third-party disclosures before they are *705
made. [FN125] Notably, this restriction closes the
door to banks' sales of their "transactions and experience" data to
unaffiliated third parties, which was permissible under FCRA. [FN126] The Act also places restrictions on
redisclosure of personal financial information received by third parties from financial
institutions. Moreover, institutions are specifically prohibited from
disclosing account numbers or access codes to third parties for use in
telemarketing, direct mail marketing, or e-mail marketing purposes.
Furthermore, Gramm-Leach-Bliley does not pre-empt state laws that grant greater
protections to personal information, so institutions and their attorneys
formulating privacy policies are not relieved of the necessity of consulting
state banking or general privacy laws.
All institutions (whether or not they disclose personal information) are
required to formulate privacy policies and to provide them to each customer
when the customer relationship is established and at least annually as long as
the relationship continues. [FN127] Unlike COPPA, Gramm-Leach-Bliley does
not require the institution to divulge the uses to which the information will be
put, nor does the law grant the consumer any right of access to the information
collected or require the privacy policy to discuss access.
The issue of disclosure to corporate affiliates was a major point of contention
during the debates on *706 Gramm-Leach-Bliley, as might be
expected in connection with a law that would allow your health insuror to
affiliate with your bank and your broker. For the time being, the affiliates
have won this battle: the law imposes no new restrictions on disclosure of information
among corporate affiliates. However, the law does not expressly authorize such
disclosures and it specifically does not override the provisions of FCRA
relating to affiliates. The result would seem to be that financial institutions
may exchange "transactions and experience" information with
affiliates, as permitted by FCRA, but the exchange with affiliates of
information sourced in part from third parties may require prior notice and an
opt-out opportunity, if the information would otherwise constitute a
"consumer report" and the institution is a "consumer reporting
agency" under FCRA. [FN128]
Gramm-Leach-Bliley leaves many questions to be answered by implementing
regulations, which because of the wide variety of institutions affected could
be promulgated by a handful of different agencies. [FN129] Among *707 the most
provocative questions is that of what businesses will be considered
"financial institutions." The law [FN130] defines this key term to mean
institutions engaging in financial activities as described in Section 4(k) of
the Bank Holding Company Act of 1956, a section replaced in its entirety by
Section 103 of Gramm-Leach-Bliley. The primary function of the new section,
which runs some ten single-spaced pages, is to define (and allow federal
regulators to further define) the types of activities the new financial holding
companies and their affiliates may engage in, and includes such broad terms as
"indemnifying against loss," "providing investment advisory
services," "providing any device or other instrumentality for
transferring money or other financial assets," and "facilitating
financial transactions for the account of third parties." That these
descriptions, designed to expand the reach of permissible activities for
financial institutions, should also serve as a snare for all other businesses
engaged in these activities by designating them as "financial
institutions," seems more likely a drafting error than an affirmative
policy choice on the part of Congress, but only time and implementing
regulations will tell whether this will be their effect.
Gramm-Leach-Bliley may be law now, but the privacy battle it spawned has merely
changed venue. Before Gramm-Leach-Bliley was signed into law, twenty-three
House members introduced H.R. 3320, the Consumer Right to Financial Privacy
Act, which is still pending. This bill would rewrite Title V of Gramm-
Leach-Bliley to treat affiliates the same as unrelated third parties; [FN131] to require affirmative opt-in for any
disclosure to affiliates or third parties of personal financial information, or
for any use of that information other than as necessary to effect, *708
administer, or enforce the transaction for which it was gathered; [FN132] and to give consumers access to, and a
right to dispute, information maintained about them. [FN133] In addition, the law would broaden (if
possible) Gramm-Leach-Bliley's definition of "financial institution"
to expressly include those engaging in activities that are "incidental or
complementary to financial activities." [FN134]
H. HEALTHCARE LAWS
Medical records have long been recognized as deserving of special
confidentiality, a recognition reflected in a longstanding proliferation of
special-purpose confidentiality laws at both the state [FN135] and federal [FN136] levels. As medical records have moved
wholesale into electronic form and their transmission over data networks has
become routine, concern over medical privacy has grown in parallel and has
begotten more legislative activity. According to one source, over 300 bills
relating to medical records confidentiality were introduced in state
legislatures *709 in 1999 alone. [FN137] In the federal arena, several
comprehensive healthcare information privacy bills are currently pending in
Congress, [FN138] but the most important development is
the issuance of proposed privacy regulations [FN139] by the Department of Health and Human
Services under the Health Insurance Portability and Accountability Act of 1996
("HIPAA"). [FN140] HIPAA required issuance of such
regulations if comprehensive federal legislation governing privacy of
electronic medical records were not passed by August 21, 1999, and proposed
regulations were published November 3.
The proposed regulations will apply directly to all individually-identifiable
health information that is, or has been, maintained or transmitted in
electronic form by health care providers, health plans, and health care
clearinghouses; [FN141] indirectly they will apply to a much
broader population, because when the directly-regulated entities disclose healthcare
information to business partners such as subcontractors, practice management
companies, auditors, accreditation agencies and the like, *710
they are required to obtain confidentiality agreements from these recipients. [FN142]
The regulations restrict disclosure of health information other than for
purposes directly related to treatment, payment for treatment, and internal
operations of the regulated entity [FN143], unless the patient affirmatively opts
in to additional disclosures via a consent meeting seven specified criteria. [FN144] In addition, the regulations grant
patients strong rights of access to their data [FN145], including copying rights, along with
the right to require correction of inaccurate or incomplete data. [FN146]
Unique to these regulations is a provision requiring the regulated entities to
give an accounting to the patient of when, why, and to whom the patient's
information has been disclosed, other than the core disclosures allowed by the
regulations. [FN147] Finally, the regulations require health
care providers and plans to provide patients with a privacy policy which
recapitulates the major elements of the regulations.
The HIPAA regulations do not establish uniformity in the treatment of medical
information; as with Gramm-Leach-Bliley, state statutes and regulations are
pre-empted only to the extent that they offer less protection to *711
patients than the regulations. In effect, the regulations establish a lowest
common denominator, albeit quite a high one. It remains to be seen whether this
failure to establish a uniform regime for the protection of all medical data
will give new impetus to the comprehensive bills now languishing in committee;
in the meantime, affected entities have two years to adapt their systems and
business processes before the HIPAA rules become final. As the increasing
migration of healthcare information networks to the web collides with the
security, access and correction rights granted by the HIPAA rules, these rules will
profoundly shape the future of health-data websites.
I. OTHER SECTORAL LAWS
Other sector-specific federal laws apply to information which could conceivably
be gathered on a website but which today ordinarily is not, such as cable
television subscriber records [FN148] and video rental data. [FN149]
J. THE ONLINE PRIVACY PROTECTION ACT OF 1999
This bill [FN150] is not yet law, and the FTC is on record
that it may not be needed. [FN151] But it is typical of the bills *712
regulating privacy practices - the sticks to self-regulation's carrot - that
are regularly introduced and reflect, to varying degrees, the FTC's Fair
Information Practices. [FN152] This proposal would require commercial
websites to post privacy policies and to implement the principles of choice,
access, and security - essentially COPPA without the special protections for
children. Like COPPA, the bill delegates regulatory authority to the FTC and,
for industries exempt from FTC jurisdiction, assigns enforcement responsibility
to the appropriate federal regulatory agencies (e.g., the Comptroller of the
Currency for national banks). This bill and others like it serve as a warning
that any site currently avoiding Fair Information Practices merely because none
of the existing laws apply to *713 it, may soon face the need to
redesign its site, its practices, and its policies.
K. HOW IT ALL FITS TOGETHER
It doesn't. What is most apparent about this loose assortment of laws is the
combinatorial complexity resulting from their inconsistent treatment of every
major variable. Some laws regulate only particular types of information, and
only in the hands of certain classes of business, while others apply to all
personally identifying information gathered from particular classes of person.
Under some laws the method of collecting the information is critical; under
others it is irrelevant. The boundary between opt-out and opt-in mandates
shifts depending on the context. Some laws regulate both disclosure and use,
others, only disclosure; some grant access rights and others do not; and some
laws afford private remedies while others depend on enforcement by one or more
of a gaggle of regulators. And the hoppers are full of proposals for change.
Because of the fragmented and overlapping quality of the laws in this field and
the likelihood of equally fragmented, incremental change, it is generally
impractical for a website to tailor its practices to applicable law as to each
category of information. As a result, complying with the "highest common
denominator" - the strictest rule applying to any information processed by
the site - is usually necessary as to all information collected. It is enough
to make one wonder whether the European model of comprehensive data-privacy
laws may have its advantages after all.
VII. DOING THE THING RIGHT
*714 If adopting a privacy policy is "doing the right
thing," it is no less imperative to "do the thing right." Two
recurring points stand out in the discussion so far: first, a valid consent
solves many problems; second, the key to avoiding liability is to have practice
follow policy. With these principles in mind, and with an eye towards likely
changes in one's own organization, a website can seize control of the risks and
define the terms of its covenant with the public. For a very simple website,
this may not be difficult, but as websites increase in complexity and the
boundaries between them become less distinct, implementing a bulletproof policy
may not be as easy as it looks.
A. CAN'T WE JUST COPY A FORM?
Plenty of good privacy policies are available on the web for copying, and TRUSTe,
the Direct Marketing Association, and even the Organization for Economic
Cooperation and Development host sites that will generate a customized draft
of a privacy policy based on one's answers to a list of questions. Why not just
pick one of these policies and be done with it? Comparing any two sophisticated
policies, or one generated by TRUSTe and one by the DMA, shows why: they're all
different. A policy is functional only to the degree that it matches the
business model and activities of the site, and deals with any special legal
requirements that may apply. The permutations are as limitless as the
creativity of website developers. And from a customer relations viewpoint,
policy, practices, and the tone or personality of the notice may need to be
tailored to the site's target audience (remember the zZounds example? [FN153]). The issues are *715
complex enough that IBM has announced a new privacy policy consulting service,
with basic workshops starting at $15,000, [FN154] and privacy audits (including systems
reviews) by Big Five accounting firms can easily run into six figures. [FN155]
The way to create a policy that meets your site's distinctive needs is to use a
process that ensures that all the relevant issues will be systematically
addressed. Our recommended process includes four steps: (1) an Audit of current
practices; (2) Goal Setting; (3) Policy Formulation, Drafting, and Site Design;
and (4) Implementation and Maintenance. At each stage, participation and buy-in
by each relevant constituency-- marketing and sales, strategic planning,
business development, information systems and website design, and legal-- is
critical. Experience suggests that none of these groups can reliably describe
what the others are doing at any given time, much less predict what they will
want to do or why; and hence any marketer who gives a proxy to the information
systems department (or vice-versa) on issues of site design or policy probably
deserves what they get. We will summarize the steps in this process and then
return for a closer look at some important policy and drafting issues.
1. Audit. You can't formulate or document a policy unless you know exactly what
your site does. Step one is to analyze how you collect, use, and disseminate
information, both within your organization and with affiliates and other third
parties. Every place information *716 is collected and each way
of collecting it-- registration, contests, special offers, orders, mailing-list
subscriptions, notification services and user customizations, as well as
passive data-collection methods, such as cookies-- needs to be catalogued, and
the information collected should be identified. [FN156]
Once identified, the information must be traced to its destinations, internal
and external. The following questions should be answered: How is the data
analyzed or combined with data from other sources? [FN157] To whom is it available within your
organization (including affiliates), and how are they authorized to use it? How
do they actually use it? How do they plan to use it? It is helpful to divide
the existing and anticipated uses for the data into primary uses (those
necessarily incident to the purpose for which the information was collected),
and secondary uses (those related to purposes different from those for which
the information was collected).
With respect to primary uses, determine whether you outsource any portion of
the function (such as order fulfillment or credit card verification). If you
do, you must determine whether there are appropriate restrictions on the
outsourcing party's use and disclosure of the data. Is data being collected
that is not used, and if so, why? [FN158] *717 This is also a good time
to evaluate the physical and technical means used to keep the data secure.
If data is shared with third parties for secondary uses, what are those uses,
and is there a contractual prohibition against unrelated uses and further
disclosure? Are there means for detecting unauthorized use, such as
"seeded" names in the data? [FN159] Do you have the right to remove a user
from the third party's list upon request? Are there contracts requiring you to
continue to provide any of these parties with data for a specified time, thus
limiting your flexibility to implement more conservative data practices?
As web pages become more elaborate and marketing and content partnerships more
common, the boundaries within which a privacy policy applies may become
indistinct. Therefore, you should review the site for co-branding or other
joint marketing sections, frames of third-party content, and other third-party
links where it may not be evident who is collecting the information. Then you
should consider clarifying this by means of relabeling, alerts, conspicuous
links to the relevant party's privacy policy, or a combination of these in
order to clearly define your privacy "jurisdiction." [FN160] Where third parties are collecting data
directly from your site (as opposed to your disclosing it to them), have you
imposed contractual privacy rules in order to avoid guilt by association?
You should also search your site to locate all statements about the use of
information collected or about privacy *718 rights-- especially
isolated statements that should be folded into a comprehensive policy or
eliminated altogether. One "rogue" statement can undo careful
drafting elsewhere. [FN161] Be alert, as well, for statements that
contradict one another. Last June, United Airlines found itself in a
public-relations nightmare on this score when users noticed that what the
website's privacy policy gave, the user agreement took away. Although the
privacy policy pledged that United would not authorize any use of profile
information except by the consumers themselves, the click-wrap "terms and
conditions" statement said that by using the site, users gave their
"express and unambiguous agreement" [FN162] that they had "no expectation of
privacy" [FN163] resulting from the use of United's
services. Further, through the click-wrap agreement, users gave their "express
and unambiguous approval" [FN164] for United to use their personal
information "for purposes of solicitations, promotions, and marketing
programs." [FN165]
The audit phase concludes with an analysis of whether any special legal
requirements apply as a result of any of three considerations: (1) the type of
information collected *719 (e.g., health status), (2) from whom
it is collected (e.g., children or Europeans), or (3) how it is used or
disclosed (e.g., credit reporting). This analysis lays the groundwork for
decisions on how to comply with, or become exempt from, those requirements.
2. Goal Setting. The next step is to consider what you really want to do with
the data and with your website in the foreseeable future. This step can be
skipped if the site meets your needs, but most audits result in ideas for
improvement. If the site will be redesigned, new business models adopted or
data practices changed, the privacy policy must reflect or anticipate these
changes.
The major issue is the role of information collection and disclosure within the
overall business plan; the fact that this exercise concerns data does not mean
that the goal must be to collect as much data as possible and to maximize its
use and disclosure. Do you want to position your site as a "privacy
ally," to take a middle-of-the-road stance, or to place emphasis on the
other benefits your site offers, while maximizing your freedom to use consumer
data? Could you win more business with less trouble by focusing on better
customer service instead of emphasizing data mining? Are you willing to make
strong commitments, or is your goal to minimize any possible liability?
Redesigns must also pass the practicality test: do you have the technical
ability and financial strength to implement a data-management system reflecting
the new business model? A potential redesign could include adding tags
indicating when information was first collected (to track which version of an
amended privacy policy applies) and for what purpose the information was
collected (to distinguish between primary and secondary uses for that data), or
to segregate data on children or EU residents and process it differently.
Likewise, if your *720 business has both online and offline data
harvesting operations but uses a single company-wide database, you must either
apply the website privacy policy to all data, even that gathered offline, or
tag data according to its origin and design your systems to process it
accordingly. The cost of redesigning back office data structures can be
startling [FN166] and may far outweigh the benefits of a
redesign that looks good on paper, especially if you are modifying a
"legacy system" that was only recently installed. In that case, it
may make more sense to scale back target-marketing ambitions and to adopt
conservative data practices.
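The tagging redesign described above can be sketched as follows; this is an added example, not part of the original paper. The field names, policy dates, use labels and the rule that the "child" and "eu" segments require an opt-in for secondary uses are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy history: (effective date, version, secondary uses that
# version's notice disclosed and therefore permits unless the visitor opts out).
POLICY_HISTORY = [
    (date(1999, 1, 1), "v1", frozenset()),
    (date(2000, 6, 1), "v2", frozenset({"partner_marketing"})),
]

# Assumed house rule: segregated segments need an explicit opt-in for any
# secondary use; all other records get notice plus opt-out.
OPT_IN_SEGMENTS = {"child", "eu"}


@dataclass(frozen=True)
class Record:
    email: str
    collected_on: date            # tag: when the data was first collected
    collected_for: str            # tag: primary purpose of collection
    origin: str = "website"       # tag: "website" or "offline"
    segment: str = "general"      # tag: "general", "child" or "eu"
    opted_in: frozenset = frozenset()
    opted_out: frozenset = frozenset()


def policy_at(collected_on):
    """Return (version, disclosed_uses) for the policy in force on that date."""
    in_force = [p for p in POLICY_HISTORY if p[0] <= collected_on]
    if not in_force:
        raise ValueError("record predates every published policy")
    _, version, uses = max(in_force, key=lambda p: p[0])
    return version, uses


def may_use(record, use):
    """Decide whether `use` is permitted for `record`; returns (bool, reason)."""
    if record.origin != "website":
        # Origin tag: this checker speaks only for the website policy.
        return False, "offline-origin data: evaluate under offline rules"
    if use == record.collected_for:
        return True, "primary use"
    if use in record.opted_out:
        return False, "visitor opted out"
    if record.segment in OPT_IN_SEGMENTS:
        if use in record.opted_in:
            return True, "explicit opt-in on file"
        return False, f"{record.segment} segment requires opt-in"
    # The policy that governs is the one the visitor saw at collection time,
    # not whichever version is posted today.
    version, disclosed = policy_at(record.collected_on)
    if use in disclosed or use in record.opted_in:
        return True, f"permitted under policy {version}"
    return False, f"not disclosed in policy {version}"


def eligible(records, use):
    """E-mail addresses of the records that may be put to `use`."""
    return [r.email for r in records if may_use(r, use)[0]]


# Constructed sample data.
MKT = frozenset({"partner_marketing"})
SAMPLE = [
    Record("old@example.test", date(1999, 9, 1), "order_fulfillment"),
    Record("new@example.test", date(2000, 7, 1), "order_fulfillment"),
    Record("optout@example.test", date(2000, 7, 1), "order_fulfillment",
           opted_out=MKT),
    Record("kid@example.test", date(2000, 7, 1), "newsletter", segment="child"),
    Record("eu@example.test", date(2000, 7, 1), "order_fulfillment",
           segment="eu", opted_in=MKT),
    Record("store@example.test", date(2000, 7, 1), "order_fulfillment",
           origin="offline"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.email, may_use(rec, "partner_marketing"))
```

The record collected under the earlier policy version is excluded from the marketing use even though the current policy discloses it, which is the reason for carrying the collection date on every record.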
Finally, any redesign may reopen questions raised in the audit phase: would the
new practices trigger special legal burdens, or require cooperation or new
assurances from third parties to whom you disclose information?
3. Policy Development, Drafting and Site Design. With the goals defined, the
next step is to map out in detail how the website will handle data, and to
reflect that map in a privacy policy and a site and data structure design.
Again, coordination and feedback among technical, marketing, legal and other
constituencies as the design progresses are critical to keep policy and
practice from diverging.
The threshold question is whether to join one of the "privacy seal"
programs, since doing so will both drive the policy development process and
circumscribe the available policy options. These programs have many advantages;
in particular they instill confidence without a "need to read" the
privacy policy itself. But they also impose additional start-up and maintenance
costs and demand certain minimum disclosures and practices that may not be *721
required otherwise. [FN167] These programs have teeth; in addition
to expulsion from the program for noncompliance, either BBBOnLine or TRUSTe
could sue for breach of the promises in its licensing contract. [FN168] Worse, a failure to comply with
BBBOnLine's dispute resolution mechanism may earn you a referral to the FTC.
BBBOnLine may conduct an unscheduled inspection of your website, and TRUSTe
uses technical means to detect any privacy policy changes you may implement. Be
aware that these programs may also ratchet up their membership requirements
from time to time. [FN169]
Most other policy issues involve choosing how the site will implement Fair
Information Practices, a subject discussed separately below.
4. Implementation and Maintenance. The final step is implementing the new
policy and data practices. At this point, human factors may be even more
important than technical measures such as testing the database, setting
security parameters, and protecting against hackers. The *722
greatest risk of unauthorized use or disclosure comes from employees, and the
greatest risk with employees is not malevolence but ignorance. Employees should
be trained on the substance and importance of the new policy and held
accountable for misuse or improper disclosure. In some cases separate
employee-directed policies may be needed to complement the online policy,
especially in organizations where there are many sources of personal data other
than the website. Where website data is shared with affiliates, both the policy
(or contractual restrictions) and employee awareness efforts should follow the
data. In general, the more consistent data policies are across such an
organization, the less likely a catastrophic mistake becomes.
Implementation may require establishing or amending contractual relationships
with third parties. If the privacy policy gives assurances about third-party
use of personal data, all existing third-party contracts should be reviewed for
restrictions consistent with these assurances, and procedures should be in
place to ensure imposition of privacy obligations in all new relationships with
third-party users, including support contractors and outsourcers. Of course, if
the data is valuable, contractual restrictions on use and further disclosure
should be routine, though the "privacy" rubric may not be in
evidence. Here the interests of the consumer and the collecting website are
aligned because the former's privacy is the latter's confidential business
information. Likewise, agreements for links or for framed or embedded
third-party content may need to be modified to make sure that it will be
obvious when a user has left your privacy policy's "jurisdiction."
Finally, management policies should require that any change to the website
structure or data-entry screens, to the privacy policy, to third-party data
sharing or partnering *723 arrangements, or to the database structure
or access rights, must be checked against the privacy policy considerations
mentioned above (including legal review) and authorized by responsible
executive management. If applicable, procedures should be established for
notifying the privacy seal program of the change.
We turn now to a discussion of policy choices that must be made, and of some
drafting opportunities and pitfalls.
VIII. SELECTED POLICY AND DRAFTING ISSUES: IMPLEMENTING FAIR INFORMATION
PRACTICES
The easy generalities of fair information practices must ultimately give way to
concrete policies. [FN170] Here are some of the implementation
issues to be considered.
A. NOTICE
A privacy policy should be conspicuous; if your policy is user-friendly, you
want users to know it, and if your policy is aggressive, you don't want anyone
to be able to claim they didn't see it. Ideally, the home page, every
data-entry screen, and every invitation for the user to e-mail information should
include a prominent link to the policy. As to alerts or other signals that
different policies will apply to linked sites and co-branded areas, a balance
must be struck between the likelihood of user confusion in each case and design
and clutter considerations. It may be useful to delegate this problem to the
third parties involved.
*724 In addition to the question of site boundaries vis-à-vis
unrelated third parties, the notice should address the boundaries of the
privacy policy as it relates to corporate affiliates, other operating
divisions, and data gathered through sources other than the website. [FN171]
If you want to simplify your legal obligations by excluding data from sources
like children or non-United States residents, or if access to parts of the site
or special features is conditioned on disclosure of personal data, the notice
should so state. If you match data submitted on the site with data from other
sources to build a more complete profile, it may be appropriate to disclose
this. Certainly, if the merged data is made available to third parties, this
should be disclosed. If you intend to purchase supplemental data on consumers,
bear in mind that doing so may require disclosing personal information (e.g., a
list of names, social security numbers, or other unique identifiers) to the
supplemental data vendor, and this will have to be disclosed in your privacy
policy.
B. CHOICE
A major policy consideration is the extent to which user choice will be an
all-or-nothing decision. For example, in order to register for special features
on your site, must the user agree to secondary uses of the data submitted, or
will you allow a user to register and veto secondary uses? [FN172] It *725 may make sense to
vary your rule depending on whether the primary use mainly benefits the website
or the user; it would be foolish to condition a product sale upon consent to
secondary use and third-party disclosure because some sales will be lost as a
result, but conditioning contest entries upon such consent is a different
story. The rule could also be varied among different secondary uses. For
example, allowing use of demographic data for targeted banner ads may be
required as a condition of registration, but the user could be permitted to opt
out of disclosure to third parties.
Another issue is opt-out versus opt-in choice. The former will yield the most
data since data flow continues until the user takes steps to stop it; the
latter is best if you want to be perceived as a privacy ally. Opt-in decisions
need to be easily reversible.
"Consent" is another word for choice. Where applicable law requires
user consent, you must decide whether to rely on the theory that an opt-out
scheme affords "implied consent," or whether to require opt-in with
an audit trail to be on the safe side. COPPA and the EU Privacy Directive
foreclose this issue in some cases by requiring opt-in consent.
C. ACCESS
A key question is exactly what data the user will have access to, the main
distinctions being among data collected on the website, data collected or
purchased elsewhere, and preference or profile data derived through analysis of
the *726 first two. The EU Privacy Directive contains an
exclusion for access to processed data where the processor's trade secrets
would be exposed. [FN173] Companies with extensive operations
outside of the website are well advised to make it clear that the policy's
access provisions apply only to data collected on the website, unless subject
to contrary legal requirements. By making this clear, a company avoids the
burdensome obligation to seek out and make available all data in the company's
possession concerning a particular consumer. [FN174]
With respect to passively collected data such as cookie or log file data, the
question is whether to grant access at all, since this data may not be
comprehensible without further processing.
D. SECURITY
Policy questions as to security include how extensive your technical and
human-factor security measures will be, and how much detail about those
measures should be revealed to the public. An overly detailed description can
both compromise the effectiveness of the security measures and unduly commit
the website to these particular procedures.
E. ENFORCEMENT
What enforcement mechanisms will you allow or require users to pursue? The
privacy seal programs *727 impose their own requirements in this
regard but do not limit other remedies for consumers. Limiting users' options
for enforcement may be both prudent and achievable, as we will see in the next
section.
IX. CONTRACT CONCEPTS
A. IS YOUR PRIVACY POLICY A CONTRACT? ARE YOU SURE?
Considering enforcement leads to the question: what is the legal effect of a
privacy policy? As between the website and the user, a privacy policy bears all
of the earmarks of a contract, but perhaps one enforceable only at the option
of the user. It is no stretch to regard the policy as an offer to treat information
in specified ways, inviting the user's acceptance, evidenced by using the site
or submitting the information. The website's promise and the user's use of the
site and submission of personal data [FN175] are each sufficient consideration to
support a contractual obligation. Under this analysis, users would have the
right to sue and seek all available remedies for breach of the privacy policy,
without the need for private rights of action under such regulatory statutes as
the FTC Act.
But for the website, this contract may be a net full of holes, one that the
website may get caught in but the user may easily slip through. Many popular
websites use contractual concepts by making statements such as, "By using
this site you agree to our privacy policy," or even riskier, "We may
change our policy at any time, so check back here frequently; your continued
use following the posting of a policy change constitutes consent to the new *728
policy." These statements are sometimes contained in a privacy policy
accessible only through a tiny link at the bottom of the home page that can be
found only by actively scrolling down the page. Any website that relies on the
binding effect of such a "contract," for example, by expanding its
third-party disclosure of pre-existing customer data, [FN176] is treading on dangerous ground. In such
a case there is no independent evidence that the user assented to this
"contract." In contrast, if the user wishes to enforce the contract,
she has only to affirm that, in fact, she did read and accept the website's
offer to protect her information and relied on its assurances when she
entrusted the site with her personal information.
Of course, in order to claim the benefits of this contract, the user would have
to acknowledge having accepted it, and this gives the website an opportunity to
turn contractual obligation to its advantage by including protective
provisions. But relying on acknowledgment by the consumer as a condition
precedent to a contract claim does not solve the amendment problem mentioned
above (where the contract assented to was the original one), nor does it afford
protection against tort liability or generate a legally reliable consent when
one is required by law.
*729 B. MAKING IT LEGAL
The more unavoidable the privacy notice, the less opportunity for a disgruntled
user to claim that he did not see, read, or understand the privacy policy. At a
minimum, links to the privacy notice should be conspicuously placed next to
data-collection "submit" buttons. [FN177] But why not go a step further and ensure
that a bilateral contract is in force? If a privacy policy is essentially a
contract enforceable at the option of the user, there is no downside to making
the contract mutual. The express assent manifested by a click-wrap agreement [FN178] offers valuable opportunities for
moderating risk.
Click-wrap contracts are regularly formed on websites. When a purchase is made,
the user is typically asked to agree to terms and conditions, and sites that
allow user postings such as discussion forums and chat rooms usually require
member agreements as a condition of registration. By incorporating the privacy
policy into a click-wrap user agreement, or turning it into one, the website
can potentially limit remedies and damages, exclude consequential damages,
provide for notice of and a right to cure any breach, require mandatory
dispute-resolution mechanisms such as a negotiation-mediation-arbitration
sequence, specify governing law and forum, shorten the statute of limitations,
extract representations from the user (e.g., as to nationality or age), provide
for contingencies *730 through a force majeure clause, and create
clear evidence of binding consents or waivers.
Given the minimal money damages likely to result from any given privacy breach
and the probability that most consumer complaints can be resolved with a
sincere apology and a promise to do better (or to delete the information), it
is fair to ask whether a contractual privacy policy is overkill. The two-word
answer is: class actions. In the context of the web, with its computerized user
databases and instantaneous communication across a global network, a
privacy-policy violation is more likely to involve 10,000 individuals than only one.
Wherever individual damages are small, plaintiffs numerous, and fact patterns
similar, class action attorneys will soon follow. [FN179] And they are not interested in apologies
or data deletions unless they can be translated into fee dollars.
In Hill v. Gateway 2000, Inc., [FN180] the Hills brought a warranty and RICO
claim against Gateway and managed to get it certified as a class action. The
Gateway product had come with a shrink-wrap contract containing a mandatory arbitration
clause, which the trial court refused to enforce. The Seventh Circuit reversed,
enforced the arbitration clause and nullified the class action certification.
Since most arbitration rules do not *731 accommodate class
actions, an alternative dispute resolution clause such as that used by Gateway
may effectively neutralize the class action threat. [FN181]
Another advantage of a bilateral contract is that it can provide a meaningful
mechanism for amendment, should it ever be necessary to change the privacy
policy in ways that might be considered adverse to the user. The example given
previously, where the site warns of unilateral amendments and advises the user
to check in periodically, might be viewed as less overreaching if a user can be
shown to have expressly agreed to it. Also, it seems very likely that
amendments would be enforceable if accompanied by a prior e-mail to the user
with an opportunity to opt out or delete his/her data rather than accept the
change. Privacy expectations seem to be a one-way ratchet-- the more users
learn about corporate data practices, the more privacy they demand, and the
more the legislative process grants privacy rights-- but there are still many
cases in which a user-unfriendly amendment might be desirable. Examples include
situations where a privacy-oriented business model did not work, or where the
website is acquired by another business with a different privacy policy.
C. DRAFTING TECHNIQUES
Whether or not a click-wrap agreement is adopted, contract drafting concepts
such as coverage, clarity, caution and conciseness should be brought to bear on
the privacy policy. The challenge is to be clear and concise, and to use plain
language, without making overly broad or *732 absolute promises.
There is a difference between promising "your data is secure" and
saying, "we use industry-standard security measures to protect your
data." From the website's point of view, the former cries out for a
protective list of exceptions-- the many ways security can be compromised-- but
the latter speaks for itself. Should you say, "Your data will never be
released without your consent," or "We will never authorize release
of your data without your consent?" Perhaps it depends on how much you
trust your systems, your security, and your employees. Confining promises to
objective facts within the promisor's control is the heart of the drafting art.
A second important consideration involves identifying the necessary exceptions
to the privacy promise. In the preceding example, exceptions would be needed
for release under subpoena, search warrant, court order, civil investigative
demand, or other compulsory process such as civil discovery. A cautious drafter
might also except disclosures necessary to protect the website's rights or to
prevent harm to other individuals; to identify persons who may be violating the
law, the user agreement, or the rights of third parties; [FN182] and to cooperate with investigations of
purported unlawful activities. In some cases routine disclosures to regulatory
agencies, such as bank examiners, may also be necessary. Some website owners
believe that they cover all of these situations with the statement that they
will never willfully disclose personal information without consent.
As this article illustrates, privacy policies divide naturally into two
components: fairly simple principles and detailed implementation of those
principles. The former tend to be reassuring, the latter stupefying. Many of
the *733 better privacy policies take advantage of this division
by beginning with the reassuring general principles and referring the reader to
a list of "Frequently Asked Questions," or just an expanded
discussion, for all of the details, qualifications, examples, explanations and
exceptions.
D. EXAMPLE: BOUNDARY CONDITIONS
The drafting principles of coverage and of caution can eliminate many legal
problems with privacy policies because both principles address the issue of
consistency between the written policy and the activities that it describes. We
close with an illustration: the issue of boundaries, of where the policy
applies and where it does not-- an area where many privacy policies have
foundered and where many more are ticking time bombs.
Coverage means identifying every place where a user might mistakenly assume
that your privacy policy applies and preempting that false assumption. Using
the results of the audit and policy formulation phases, the drafter would make
clear who is collecting the data in co-branded or partner areas and whose
privacy policy applies, warn users about outward links and framed third-party
sites, and identify to what extent, if any, the site has imposed privacy
requirements on these third-party sites. The data-gathering activities of
banner ad cookies would also be mentioned and excepted.
A site that hosts third-party home pages under a common domain name should
certainly mention that those pages are not covered by the host privacy policy,
although this is seldom done. Some corporations maintain multiple sites under
similar brands or domain names, or linked to one another as a network, but with
different privacy policies. Since users would tend to assume that a *734
company's sites would all share the same policy, the drafter would need either
to consolidate the policies or to identify the different sites and warn the
users that privacy policies may vary. Outsourcers such as employee-leasing
companies or web-hosting firms should be mentioned, along with their coverage
by the policy or by narrower confidentiality agreements. And if a company wants
to allow affiliated entities to use its customer data, it may wish to define
the boundaries of its organization to include present and future affiliates [FN183] at the cost of having the policy apply
to those as well.
If the privacy policy is intended to apply only to information gathered over
the internet, it should specifically exclude data collected through other
means, such as data gathered by unrelated brick-and-mortar operations of the
company or its affiliates and data purchased or leased from other parties. As
mentioned earlier, in some industries (e.g., financial services), for some
types of information (e.g., health information), and for some companies (e.g.,
those subject to the EU Privacy Directive) common legal obligations will apply
regardless of how the information was gathered, and for the sake of
administrative simplicity it will be necessary to devise a common policy across
the entire organization. Where this is not necessary, it may be unwise - at
least if the website's privacy policy restricts the use of information
meaningfully more than is required by law.
An example of the impact of careful boundary drafting is the RealNetworks
incident in November 1999, when it was discovered that the company's
RealJukebox software was transmitting to the company information about the
users' music collections, unbeknownst to the users (and *735
possibly unbeknownst to RealNetworks' senior management as well). RealNetworks
was a TRUSTe licensee and TRUSTe promptly launched an investigation, ultimately
determining that RealNetworks had not violated its online privacy policy
because the information in question had not been gathered through its website.
This led to the establishment by TRUSTe of a pilot program for privacy policies
relating to software products, the first of which was adopted by RealNetworks.
The principle of caution looks to the future and anticipates change. The
boundaries of an organization may shift over time, and yet in an environment
where acquisitions and divestitures are announced daily, few privacy policies
provide for this possibility. [FN184] Sharing information with a new parent,
its other subsidiaries, a merged entity, or an acquired entity is not only
common, but may be essential to the viability of many business combinations and
so should be expressly foreshadowed in the privacy policy. Likewise, it may be
wise to reserve the right to disclose or duplicate the customer database in
order to sell the assets of an operating division.
X. CONCLUSION
An effective privacy policy expresses a delicate balance of marketing, legal,
technical, and customer-relations *736 issues, and successfully
implementing a policy for a complex site can be challenging. Following the
process suggested here should result in a privacy policy and information
practices that are mirror images of one another, enabling the website to offer
privacy assurances with confidence and to manage confidences with assurance.
[FN1]. J.D., Yale University, 1975; B.A., Yale
University, 1972. Mr. Killingsworth is Co-Chair of the Intellectual Property
and Technology Group of the Atlanta and Washington firm Powell, Goldstein,
Frazer & Murphy, and advises clients on licensing, strategic alliances,
e-commerce and other technology-related business matters. He can be reached at
(404) 572-6600 or at skilling@pgfm.com.
[FN2]. Council Directive 95/46, 1995 O.J. (L
281) 31 [hereinafter EU Privacy Directive].
[FN3]. P. Sprenger, Sun on Privacy: 'Get Over
It' Wired News (Jan. 26, 1999)
<http://www.wired.com/news/politics/story/17538.html>. McNealy is the
Chairman and CEO of Sun Microsystems, which is both the developer of the Java
programming language used to implement applets in web browsers and a member of
the Online Privacy Alliance.
[FN4]. Because similar personal information may
be shared with a number of sites, and because there is a delay between the
initial disclosure of information and the onset of such aggravations as
unsolicited electronic mail (e-mail) messages, the exact source of the
privacy invasions is often hidden from the consumer. This disconnection between
cause and effect can lead to a "one bad apple" syndrome whereby the
actions of a small number of irresponsible websites may be attributed to the
Internet as a whole.
[FN5]. Many of the privacy concerns and
principles discussed in this article can be traced to a 1973 study by the
Department of Health, Education and Welfare, Secretary's Advisory Committee on
Automated Personal Data Systems, Records, Computers, and the Rights of
Citizens. According to a 1992 survey, over two-thirds of Americans believed
that "the present uses of computers are an actual threat to personal
privacy" and that "if privacy is to be preserved, the use of
computers must be sharply restricted in the future." Equifax-Louis Harris
Consumer Privacy Survey, Equifax Executive Summary 1992 ¶4 (visited Nov. 3,
1999)
<http://www.privacyexchange.org/iss/surveys/eqfx.execsum.1992.html>.
[FN6]. See
<http://www.doubleclick.com/advertisers/network/boomerang/reporting.htm> for an
explanation of reports available to advertisers subscribing to DoubleClick's
"Boomerang" service, including answers to such questions as
"What are your customers' interests? Where do your customers work? When
are your customers online? and Where do your customers live?" According to
DoubleClick, all of this information is collected anonymously
<http://www.doubleclick.com/advertisers/network/boomerang/privacy.htm>, but see note
7 below. (All sites visited January 29, 2000).
[FN7]. Consumers who voluntarily submit
personally-identifying information to websites that participate in
DoubleClick's Abacus Alliance may find that this information is disclosed to
DoubleClick and then associated with the anonymously-gathered data about their
web browsing generally (described above), unless they specifically opt out at
each participating site visited
<http://www.doubleclick.net/company_info/about?doubleclick/privacy/> (visited
January 29, 2000). DoubleClick apparently offers an opt-out cookie that is
effective throughout its network, but on January 29, 2000 the author received
only error messages when attempting to activate this feature at
<http://www.douleclick.net/company_info/about_doubleclick/privacy/privacy2htm#optout>.
[FN8]. This Orwellian-sounding term refers to an
analysis of attitudes, interests and opinions as distinct from mere demographic
data; such an analysis can bring improvement in predictive success.
[FN9]. Tara Lemmey, President of Narrowline (now
Executive Director of the Electronic Frontier Foundation), quoted in Esther
Dyson, Privacy Protection: Time to Think and Act Locally and Globally, Release
1.0, (Apr. 1998) <http://www.edventure.com/release1/0498body.html>.
[FN10]. In the Matter of GeoCities, a
corporation, FTC File No. 9823015
<http://www.ftc.gov/os/1999/9902/9823015cmp.htm>.
[FN11]. Id.
[FN12]. Id.
[FN13]. The FTC action and proposed settlement
were first announced in early June 1998, in SEC filings in connection with
GeoCities' upcoming public offering that August. GeoCities, Corp., SEC Form S-1
Registration Statement (June 12, 1998)
<http://www.sec.gov/Archives/edgar/data/1062777/0001017062-98-001328.txt>.
[FN14]. GeoCities, FTC Docket No. C-3850
(decision and order) (Feb. 5, 1999)
<http://www.ftc.gov/os/1999/9902/9823015d0.htm>.
[FN15]. Regarding children's issues, a similar
settlement was reached in May 1999 with Liberty Financial Companies; see In re
Liberty Fin. Cos., FTC File No. 9823522 (agreement containing consent order),
(visited Sept. 28, 1999) <http://www.ftc.gov/os/1999/9905/lbtyord.htm>.
[FN16]. Privacy Online: A Report to Congress,
FTC report (June 4, 1998)
<http://www.ftc.gov/reports/privacy3/index.htm> [hereinafter Privacy Online]
was sent to Congress June 4, 1998.
[FN17]. Child Online Privacy Protection Act of
1998, 15 U.S.C. §§ 6501-6506 (1998) [hereinafter
COPPA].
[FN18]. 15 U.S.C. § 45 (1998).
[FN19]. In this instance "legal
perspective" seems oxymoronic: despite what law school teaches, business
is about much more than avoiding every possible risk.
[FN20]. See infra Part VI.f (discussing the EU
Privacy Directive).
[FN21]. Industries with regulated information
practices include healthcare, banking, video rentals, cable television, and
telecommunications.
[FN22]. Detailed results can be viewed at
Business Week/Harris Poll: Online Insecurity, Business Week (last modified Mar.
5, 1998) <http://www.businessweek.com/1998/11/b3569107.htm> [hereinafter
Online Insecurity].
[FN23]. Louis Harris and Assoc., Inc. &
Alan F. Westin, Privacy and American Business and Price Waterhouse, Inc.,
E-Commerce & Privacy Survey (June 1998) <http://www.privacyexchange.org/iss/surveys/ecommsum.html>
(stating that 23% of Internet users have purchased online, whereas the
Business Week/Harris Poll put the figure at 22%).
[FN24]. See Online Insecurity, supra note 22
(finding that despite the benefits of registering at websites, 59% of Internet
users never do).
[FN25]. Georgia Institute of Technology,
Graphics Visualization and Usability Center's 9th WWW User Survey (Apr. 1998)
<http://www.cc.gatech.edu/user_surveys/survey-1998-04/graphs/general/q46.htm>.
[FN26]. Examples of such products include
anonymous proxy servers for browsing privacy and anonymous e-mail remailing
services.
[FN27]. Louis Harris & Assoc., Inc. and Alan
F. Westin, supra note 23 (noting that 91% of net users and 96% of those who buy
products or services online call privacy policies "important" or
"very important." For computer users who are not yet online, the
figure was 94%).
[FN28]. A. Westin, "Freebies" and
Privacy: What Net Users Think (visited Sept. 28, 1999)
<http://www.privacyexchange.org/iss/surveys/sr990714.html> (reporting on
a February 1999 poll by Opinion Research Corp. for Privacy & American
Business).
[FN29]. See Online Insecurity, supra note 22
(finding that 62% of respondents would increase their Internet usage).
[FN30]. See id. (finding that 57% of respondents
would increase their amount of purchases).
[FN31]. TRUSTe/Boston Consulting Group Consumer
Survey (visited Oct. 8, 1999)
<http://www.truste.org/webpublishers/pub_bottom.html> states that information
practice policy statements make it two to three times more likely that a
consumer will provide personal information to a website; 56% of users in the
Business Week/Harris Poll, supra note 22, indicated that a privacy statement
would make it more likely for them to register at a website.
[FN32]. Approximately 65% of commercial websites
in March 1999 included some form of information practices statement, in
contrast to only around 14% of commercial websites in the previous year.
Further, virtually all of the top 100 sites include some information practices
statement, with eighty-one sites boasting a more or less comprehensive privacy
policy. The first figure is from Mary J. Culnan, Georgetown Internet Privacy
Policy Survey: Report to the Federal Trade Commission (Mar. 1999), which
evaluated 361 "dotcom" sites selected randomly from the top 7,500
sites. The 14% figure is from Privacy Online, supra note 16, an FTC study of
1400 sites. While these two studies are not direct equivalents, the trend
towards adopting privacy policies is undeniable. The data on the top 100 sites
is from Professor Culnan's study, Privacy and the Top 100 Sites: Report to the
Federal Trade Commission (June 1999) sponsored by the Online Privacy Alliance.
While these upbeat figures mask wide variation in adherence to recognized
privacy principles, they all support the present point that a site without a
policy increasingly stands out from the crowd.
[FN33]. See Lorrie Faith et al., Beyond Concern:
Understanding Net Users' Attitudes About Online Privacy, AT&T Labs-Research
Technical Report TR 99.4.1 (Mar. 25, 1999)
<http://www.research.att.com/library/trs/TRs/99/99.4/99.41/Survey-TR-19990325.htm>
[hereinafter Beyond Concern] (citing Christine Hine & Juliet Eve, Privacy
in the Marketplace, 14(4) The Info. Soc. 253, 261 (1998) for the proposition
that where a website does not explain the purposes for which it gathers and uses
personal information, consumers are likely to concoct their own unfavorable
opinions about the website's intentions).
[FN34]. See Beyond Concern, supra note 33 (finding
that sharing data with third parties was the most important criterion users
evaluate in deciding whether to reveal information to a website).
[FN35]. Respond.com has even adapted the
reverse-auction model as a "black box"; the buyer fills out a form
specifying the desired product and the desired price, Respond.com sends an
email with this information (absent the buyer's identity) to its list of registered
retailers, collects the replies and forwards them to the buyer. The buyer can
then follow up with a vendor if she wants to accept its offer. The
"middleman" feature not only preserves anonymity, it also enables
Respond.com to collect its fees, which are based not on sales but on the number
of e-mails to which the given vendor replies. See, e.g., (visited Sept. 29,
1999) <http://www.respond.com/overview/index.html> (providing an outline
of the black-box-auction model).
[FN36]. zZounds.com
<http://www.zzounds.com/discover.music?page=privacy&z=493782266316>.
[FN37]. Welcome to Juno (visited Oct. 25, 1999)
<http://www.juno.com>. A recent Juno advertisement (targeted to online
advertisers, rather than to consumers) states that "nearly 7 million Juno
subscribers have filled out a member profile with more in-depth personal
questions than your mother asks."
[FN38]. See Welcome to The MyPoints Program
(visited Sept. 29, 1999) <http://www.mypoints.com> (explaining that
MyPoints participants are offered redeemable points-- an Internet version of
trading stamps-- when they participate in MyPoints promotions or buy in
response to MyPoints offers. A recent advertisement claims better than a 20%
response rate to MyPoints e-mail advertising campaigns).
[FN39]. See, e.g., Alex Nash, Yahoo Retracts
Unlisted Home Addresses, CNET News.com (Apr. 25, 1996),
<http://news.cnet.com/news/0-1005-202-311165.html> (describing the
consumer outrage and Yahoo's rapid retreat when it was learned that Yahoo's new
People Search service disclosed some 85 million unlisted home addresses and
telephone numbers).
[FN40]. TRUSTe (visited Sept. 29, 1999)
<http://www.truste.org>.
[FN41]. BBBOnLine (visited Sept. 29, 1999)
<http://www.bbbonline.org>.
[FN42]. A "secondary use" is a use of
information for a purpose other than that for which it was originally
disclosed, such as use in a direct-marketing campaign of a mailing address
originally obtained for product shipment.
[FN43]. Child Online Privacy Protection Act of
1998, 15 U.S.C. §§ 6501-6506 (1998) [hereinafter
COPPA]. See BBBOnLine: The Children's Privacy Seal (visited Sept. 29, 1999)
<http://www.bbbonline.org/businesses/privacy/child_privacy.htm> (stating
that BBBOnline's seal requirements are based on COPPA); TRUSTe License
Agreement Rev. 5.0 Appendix C (last modified June 25, 1999)
<http://www.truste.org/webpublishers/pub_selfassessment.html> (stating that
TRUSTe's children guidelines are based on COPPA).
[FN44]. See BBBOnLine: Privacy Program
Eligibility Criteria (visited Nov. 2, 1999)
<http://www.bbbonline.org/businesses/privacy/eligibility.html.> (covering
requirements for BBBOnLine Privacy Seals); TRUSTe License Agreement Rev. 5.0
(last modified Aug. 8, 1999) <http://www.truste.org/webpublishers/pub_agreement.html>
(requiring licensees to agree to particular and
comprehensive rules before awarding Privacy Seals).
[FN45]. See BBBOnLine: Privacy Program
Eligibility Criteria, supra note 44 (disclosing requirements to which a
business must agree in order to qualify for a BBBOnLine Privacy Seal).
[FN46]. TRUSTe Approves 1000th Web Site, TRUSTe
press release, January 12, 2000
<http://www.truste.org/about/about_1000th.html>.
[FN47]. Press Release, BBBOnLine's New Privacy
Seal Program Opens for Business (Mar. 17, 1999)
<http://www.bbbonline.org/about/press/3-17-99.htm>.
[FN48]. BBBOnLine Approved Privacy Participants
(visited Jan. 26, 2000)
<http://www.bbbonline.org//businesses/privacy/approved.html>.
[FN49]. Cheskin Research and Studio
Archetype/Sapient, eCommerce Trust Study, at 16 (Jan. 1999)
<http://www.studioarchetype.com/cheskin/html>.
[FN50]. At the time, the BBBOnLine privacy seal program
was not in effect; the seal in question was BBBOnLine's Reliability Seal, which
relates to business practices other than privacy, but it is probably safe to
assume that the organization's privacy seal would garner comparable responses.
[FN51]. Debra Valentine, About Privacy:
Protecting the Consumer on the Global Information Infrastructure, 1 Yale Symp.
on L. & Tech. 4, at para. IV, B.1 (1998).
[FN52]. See Maryann Jones Thompson, Tech Firms
Still Top List of Net Advertisers, The Industry Standard (May 20, 1999)
<http://www.thestandard.com/metrics/display/0,1283,894,00.html>
[hereinafter The Industry Standard] (ranking advertisers for 1998; Microsoft
was first and IBM second with combined advertising expenditures of $63.4
million).
[FN53]. Kim Girard, IBM To Pull Web Ads Over
Privacy Concerns, CNET News.com (Mar. 31, 1999)
<http://www.news.cnet.com/news/0-1005200-340588.html?tag=st.cn.1fd2>.
[FN54]. Microsoft Pushes Net Privacy Policy
(June 23, 1999) <http://www.msnbc.com/news/283255.asp>.
[FN55]. Disney and Go Network Institute
Comprehensive New Advertising Policy to Promote Industry Adoption of Online
Privacy Standards (June 29, 1999)
<http://www.info.infoseek.com/press/06-29-99_policy.html>. The Go Network is one of
the top five websites, and The Industry Standard, supra note 52, ranked its
constituent Infoseek as the sixth largest advertiser on other websites in 1998.
[FN56]. Privacy Promise (visited Oct. 2, 1999)
<http://www.the-dma.org/pan7/pripro22.html>.
[FN57]. DMA will help you create your own
Company's Online Privacy Policy (visited Oct. 2, 1999)
<http://www.the-dma.org/pan7/dmers7c1-policy.shtml>.
[FN58]. See Privacy Online: A Report to Congress
at 54 n.73 (visited Oct. 2, 1999)
<http://www.ftc.gov/reports/privacy3/index.htm> (listing 11 associations
that submitted guidelines or principles for the FTC's consideration).
[FN59]. See id. app. E (reporting the submitted
guidelines).
[FN60]. Id. at 7-11. Many other organizations
have modeled their recommended information practices on the FTC list. See,
e.g., Online Privacy Alliance, Guidelines for Online Privacy Policies (visited
Oct. 2, 1999)
<http://www.privacyalliance.org/resources/ppguidelines.html> (including headings of
notice, choice, access, and security); Elements of Effective Self-Regulation
for Protection of Privacy (visited Oct. 2, 1999)
<http://www.ecommerce.gov/staff.htm> (including headings of notice, choice, access,
security, and enforcement).
[FN61]. This simple requirement conceals
difficult questions about the practicality and necessity of disclosing to a
consumer such database-resident information as their clickstream records, or
the inferences drawn from that data by use of analysis programs. Likewise,
questions abound as to the obligation to disclose to consumers information about
them that has been acquired from third-party sources.
[FN62]. On January 21, 2000, the FTC announced
the appointment of a 40-member Advisory Committee on Online Access and
Security to advise the FTC staff on policy issues surrounding the issues of
what constitutes "reasonable access" and "adequate
security." Its charter calls for a final report from the Committee by May
15, 2000, "describing options for the implementation of access and
security online, and the costs and benefits of each option." FTC Press Release,
"Online Privacy Committee Members Named," January 21, 2000
<http://www.ftc.gov/opa/2000/01/asrev.htm>. Interestingly, the FTC's
COPPA regulations on security and integrity have a Sphinxlike brevity (16 C.F.R. § 312.8), so the
Advisory Committee may well be a harbinger of expanded COPPA regulations on
this point.
[FN63]. The Online Privacy Alliance, a
consortium of over 80 companies and associations involved in e-commerce,
advocates that self-regulation via third party privacy seal programs is
sufficient. However, they take pains to say that complaint-resolution processes
of seal programs should not prevent the consumer from pursuing "other
available legal recourse." Online Privacy Alliance, Effective Enforcement
of Self Regulation (visited Oct. 3, 1999)
<http://www.privacyalliance.org/resources/enforcement.html>.
[FN64]. See discussion infra Part VI.f
(discussing the EU Privacy Directive).
[FN65]. See supra note 5 (discussing the 1973
study).
[FN66]. 5 U.S.C. § 552a (1974).
[FN67]. OECD, GUIDELINES FOR THE PROTECTION OF
PERSONAL DATA AND TRANSBORDER FLOWS OF PERSONAL DATA (1980).
[FN68]. As early as 1905, the Supreme Court of
Georgia had recognized the right to privacy as against misappropriation of
one's likeness. Pavesich v. New England Life Ins. Co.,
122 Ga. 190, 50 S.E. 18 (1905).
[FN69]. See, e.g., Privacy Online, supra note
58, at endnote 160; letter from Ambassador David L. Aaron, Undersecretary of
Commerce for International Trade, to industry representatives on the subject of
proposed Safe harbor principles under the EU Privacy Directive (Nov. 4, 1998)
<http://www.ita.doc.gov/ecom/aaron114.html>.
[FN70]. OPA White Paper: Online Consumer Data
Privacy in the United States (Nov. 19, 1998)
<http://www.privacyalliance.org/resources>.
[FN71]. Restatement (Second) of Torts § 652D
(1976).
[FN72]. Id. at comment a. This standard is
seldom met in ordinary business transactions. For example, in Tureen v. Equifax, Inc., 571 F.2d 411,
419 (8th Cir. 1978), Equifax's disclosure of the plaintiff's medical
underwriting history to her health insurer, at the insurer's request, was held
not to be sufficiently "public" for an invasion of privacy cause of
action.
[FN73]. McVeigh v. Cohen, 983 F. Supp. 215
(D.D.C. 1998).
[FN74]. Philip Shenon, Navy and America Online
Settle Case on Gay Privacy, N.Y. Times, June 12, 1998, available at
<http://www.nytimes.com/library/tech/98/06/cyber/articles/12navy.html>.
[FN75]. Id. In related litigation, the Navy was
found to have violated both its own "don't ask, don't tell" policy
and the Electronic Communications Privacy Act. McVeigh, 983 F. Supp. at 220-21.
[FN76]. Prepared Statement of the Federal Trade
Commission "Consumer Privacy on the World Wide Web": Hearings Before
the Subcommittee on Telecommunications, Trade and Consumer Protection of the
House Committee on Commerce, 105th Cong. n.23 (1998) (statement of Robert M.
Pitofsky, Chairman of FTC): "[The FTC Act] grants the Commission authority
to seek relief for violations of the Act's prohibitions on unfair and deceptive
practices in and affecting commerce, an authority limited in this context to
ensuring that Web sites follow their stated information practices."
[FN77]. Letter from Jodie Bernstein, Director,
Bureau of Consumer Protection, Federal Trade Commission, to Center for Media
Education (July 15, 1997) <http://www.ftc.gov/os/1997/9707/cenmed.html>.
[FN78]. See infra Part IX (discussing Contract
Concepts).
[FN79]. Nonprofit organizations are exempt, just
as they are exempt from the FTC Act.
[FN80]. E.g., by virtue of information entered
in an "age" field in the data-collection screen.
[FN81]. COPPA, supra note 17, §
1303(b)(1)(A)(i).
[FN82]. "Verifiable parental consent"
is defined id. § 1302(9).
[FN83]. Id. § 1303(b)(1)(A)(ii).
[FN84]. Id. § 1303(b)(1)(B)(ii).
[FN85]. Id. § 1303(b)(1)(B)(i), (iii).
[FN86]. COPPA, supra note 17, § 1303(b)(2).
[FN87]. Id. § 1303(b)(1)(C).
[FN88]. Id. § 1303(b)(1)(D).
[FN89]. Id. § 1304. Since the approved programs would
have to mirror the requirements of the law and the underlying factual questions
of compliance would be essentially the same with or without the safe harbor, it
is not immediately obvious what substantive difference the safe harbor makes,
but it does show a willingness by the government to outsource some of its
compliance-enforcement work to industry groups, where the industry groups
would no doubt prefer that it reside.
[FN90]. Id. § 1303(a)(1).
[FN91]. 16 C.F.R. pt. 312, issued October 20,
1999.
[FN92]. 16 C.F.R. § 312.2 defines
"disclosure" as including any means of making personal information
publicly available, such as "public posting through the Internet, or
through a personal home page posted on a website or online service; a pen pal
service; an electronic mail service; a message board; or a chat room."
[FN93]. 16 C.F.R. § 312.5(b)(2).
[FN94]. 16 C.F.R. § 312.4(b).
[FN95]. 16 C.F.R. § 312.4(b)(2).
[FN96]. 16 C.F.R. § 312.4(b)(1).
[FN97]. 18 U.S.C. §§ 2510-2522, 2701-2711 (1994).
[FN98]. Id. § 2510(4).
[FN99]. Id. § 2510(8) (emphasis added).
[FN100]. Id. § 2510(12) (emphasis added).
[FN101]. Id. § 2511(2)(d).
[FN102]. Suppose a website, as a result of
monitoring browser requests to its server, tags an individual as a regular
participant in a closed forum on "Living with a Diabetic." The
explicit communication from the browser is merely to access a page with a
particular address, and the website is a party to that communication with the
presumptive right to disclose it. However, given the known subject-matter of
discussions in the forum, does disclosure to a marketer of the nature of the
page requested constitute an interception and disclosure of the broadly defined
"contents" of the user's communications within the forum,
communications to which the website operator is not a party?
[FN103]. 18 U.S.C. § 2511(2)(d), (3)(b)(ii)
(1994).
[FN104]. See Griggs-Ryan v. Smith, 904 F.2d 112
(1st Cir. 1990) (finding that consent to the recording of telephone
calls is presumed where the landlady informed a tenant that all incoming calls
would be recorded). With privacy policies, the question is: what if the user
claims not to have seen the policy?
[FN105]. 15 U.S.C. §§ 1681-1681t (1994 & Supp. III 1997).
[FN106]. 15 U.S.C. § 1681a(d)
provides that covered information includes information "bearing on a
consumer's credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living."
[FN107]. Id. § 1681b(3).
[FN108]. 15 U.S.C. § 1681a(d)(2)(A)(i).
[FN109]. Id. § 1681a(d)(2)(A)(iii).
[FN110]. This distinction is the subject of Trans Union Corp. v. FTC, 81 F.3d 228
(D.C. Cir. 1996), where the Federal Circuit held that targeted
marketing lists were not necessarily "consumer reports" even though
they were created from data originally gathered to be used in conventional
credit reports, on the dubious grounds that the routine inclusion of this data
in credit reports did not prove that particular data was actually expected to
be used as a factor in credit decisions when it was collected. The court
remanded to the FTC for further factual determinations, and an FTC
Administrative Judge made the required factual determination and held Trans
Union in violation of FCRA. In re Trans Union Corp., No. D-9255 (July 31, 1998)
<http://www.ftc.gov/os/1998/9808/d9255pub.id.pdf>. Trans Union has appealed
the order to the full Commission.
[FN111]. For a general discussion of the history
of United States-EU discussions over the application of the
"adequacy" test to the United States, see Scott Killingsworth and
Brett Kappel, Safe Harbor in Muddy Waters? Commerce Department Proposes
Voluntary Principles for Compliance with EU Privacy Directive, 1 E-Commerce Law Report 2 (Dec.
1998/Jan. 1999).
[FN112]. United States Department of Commerce,
Draft International Safe Harbor Principles (Apr. 19, 1999)
<http://www.ita.doc.gov/ecom/shprin.html> [hereinafter "Draft Safe
Harbor"].
[FN113]. It would appear that under the EU
Privacy Directive, affiliates of the collector of the information would be
considered "third parties" if they are not processing the data on
behalf of the collector, which would mean the individual must be given opt-out
privileges to prevent proposed transfers to these affiliates. EU Privacy
Directive, supra note 2, art. 2, §(f). The Draft Safe Harbor does not
adopt the Privacy Directive's definitions, however, and uses the flexible and
undefined term "organization" to describe the collector of data.
[FN114]. Draft Safe Harbor, supra note 112,
(referring to Principle 6 and Note 6). See United States Department of
Commerce, Draft Frequently Asked Questions, Access (April 19, 1999)
<http://www.ita.doc.gov/ecom/access.html> (referring to Questions 1 and 2
and Endnotes 104).
[FN115]. Office of Thrift Supervision News
Release, Thrifts Urged to Post Privacy Policies as Part of Transactional Web
Sites (June 10, 1999) <http://www.ots.treas.gov/docs/77939.html>.
[FN116]. Office of the Comptroller of the
Currency Advisory Letter 99-6, Guidance to National Banks on Web Site Privacy
Statements (May 4, 1999)
<http://www.occ.treas.gov/ftp/advisory/99-6.txt>.
[FN117]. FDIC Financial Institution Letters,
Electronic Commerce and Consumer Privacy (Aug. 17, 1998)
<http://www.fdic.gov/news/news/financial/1998/fil19886b.html>; FDIC Financial
Institution Letters, Online Privacy of Consumer Personal Information (last
modified July 17, 1999)
<http://www.fdic.gov/news/news/financial/1998/fil19886b.html>.
[FN118]. 15 U.S.C. §§ 1693-1693r (1994), specifically §
1693c(9). The law applies to all accounts with an electronic funds transfer
feature.
[FN119]. 12 C.F.R. § 205.7(b)(9) (1999);
Federal Reserve Board Official Staff Commentary, 12 C.F.R. § 205.7(b)(9)-1 (1999).
[FN120]. S.900, enacted November 12, 1999
(hereinafter "Gramm-Leach-Bliley").
[FN121]. 12 U.S.C. § 377.
[FN122]. What information is considered
"publicly available" is to be defined by implementing regulations,
Gramm-Leach-Bliley § 509(4)(B).
[FN123]. Compare with COPPA, which applies to
information only if it is gathered both online and from a child, but applies to
all information linked to the child's identity.
[FN124]. Gramm-Leach-Bliley includes a number of
exceptions to the third-party-disclosure rule for such practical matters as
using third parties to help fulfill a transaction between the consumer and the
institution, or to market to the consumer on behalf of the institution, in each
case under a confidentiality agreement; to enforce obligations of the consumer;
to protect against fraud; to comply with law or respond to legal process, etc.
[FN125]. Gramm-Leach-Bliley § 502.
[FN126]. In hearings on the bill, the FTC had
testified that the sale by financial institutions of their direct
"transactions and experience" data "raises serious privacy
concerns." Federal Trade Commission, Prepared Statement of the Federal
Trade Commission before the Subcommittee on Financial Institutions and Consumer
Credit Committee on Banking and Financial Services, United States House of
Representatives on Financial Privacy, the Fair Credit Reporting Act, and H.R.
10 (visited July 21, 1999).
[FN127]. Id. § 503.
[FN128]. See the discussion of FCRA supra part
VI.E. This treatment of financial institution affiliates only seems Byzantine;
in fact it is merely labyrinthine. The provisions of FCRA addressing
disclosures to affiliates (§ 603(d)(2)(A)(iii) of FCRA, 18 U.S.C. §
1681a(d)(2)(A)(iii)) are in the form of exceptions to the definition of a
"consumer report." Hence disclosures permitted by this section would
be otherwise prohibited by FCRA only if, but for these exceptions, the
information would constitute "consumer reports," a definition that
itself partakes not only of the nature of the information included but also the
purposes for which it is gathered or used. Moreover, FCRA's prohibitions apply
principally to "consumer reporting agencies," those who for a fee
regularly furnish consumer reports.
[FN129]. Gramm-Leach-Bliley § 504 requires the
Federal banking agencies, the National Credit Union Administration, the
Secretary of the Treasury, the Securities and Exchange Commission and the FTC
all to prescribe regulations, after consultation with the National Association
of Insurance Commissioners, but by May 12, 2000. Section 504(b) exhorts these
agencies to coordinate their efforts and so far they have done so.
[FN130]. Id. § 509(3).
[FN131]. H.R. 3320, § 502.
[FN132]. Id. § 502(b)(1) and § 508(6).
[FN133]. Id. § 503(a)(4) and (5).
[FN134]. Id. § 508(3).
[FN135]. See, e.g., O.C.G.A. § 24-9-40 (1993) (medical
records generally); O.C.G.A. § 33-21-23 (1992)
(HMO records); O.C.G.A. § 31-8-114 (1996)
(long-term care facility records); O.C.G.A. § 24-9-47 (1990)
(AIDS records); O.C.G.A. § 37-3-166 (1995)
(mental health records); O.C.G.A. § 31-22-4 (1996)
(sexually transmitted and communicable disease clinical laboratory tests).
[FN136]. See, e.g., Health Insurance Portability
and Accountability Act of 1996, P.L. 104-191, codified
at 29 U.S.C. § 1181 (Supp. III 1997)
(mandating security systems for the electronic transmission of health data); 42 C.F.R., § 482.24 (1998)
(governing hospitals' medical records confidentiality practices); 42 U.S.C. § 290dd-3 (1994)
(relating to alcohol and drug abuse records) (omitted in the general revision
of this part by Pub. L. No. 102-321).
[FN137]. C. Bowman, Uneven State Medical-Record
Laws Offer Potential Pitfalls for Health Plans, BNA Health Law Reporter,
November 11, 1999, at p.1787.
[FN138]. E.g., Medical Information Privacy and
Security Act, H.R. 1057, 106th Cong. (1999) (introduced Mar. 10, 1999); the
Health Information Privacy Act, H.R. 1941, 106th Cong. (1999) (introduced May
25, 1999); Medical Information Protection and Research Enhancement Act of 1999,
H.R. 2470, 106th Cong. (1999) (introduced July 12, 1999).
[FN139]. 64 Fed. Reg. 59918.
[FN140]. Health Insurance Portability and
Accountability Act of 1996, supra note 136.
[FN141]. A health care clearinghouse is an
organization that translates health care records from nonstandard formats into
standard electronic formats; an example would be a billing intermediary.
[FN142]. One of the more interesting attributes
of these confidentiality agreements is that the patients concerned must be made
express third-party beneficiaries. HIPAA provides no private right of action,
and the question whether a private right of action should be created is among
the major issues that have so far derailed passage of comprehensive health
information privacy legislation, but this bit of regulatory finesse shows that
there is more than one way to create a private right of action.
[FN143]. 64 Fed. Reg. 60053.
[FN144]. 64 Fed. Reg. 60056.
[FN145]. 64 Fed. Reg. 60059.
[FN146]. 64 Fed. Reg. 60060.
[FN147]. Id.
[FN148]. Cable Communications Policy Act of
1984, 47 U.S.C. § 551 (1994).
[FN149]. Video Privacy Protection Act, 18 U.S.C. § 2710 (1994).
Statements that certain types of transactions do not occur on the
Internet are often short-lived. In January, 2000, Blockbuster Inc. announced
that it had acquired the exclusive right to distribute the
MGM film library over the internet. MGM, Blockbuster to Develop Internet Movie
Delivery, Reuters, January 18, 2000, accessed via CBS MarketWatch.com. Query
whether pay-per-view streaming video transactions over the Internet would fall
within the protection of the Video Privacy Protection Act, which contemplates
the delivery of "video cassette tapes or similar audio visual
materials."
[FN150]. The Online Privacy Protection Act of
1999, S. 809, 106th Cong. (1999).
[FN151]. Federal Trade Commission,
Self-Regulation and Privacy Online: A Report to Congress (visited July 21,
1999) <http://www.ftc.gov/os/1999/9907/privacy99.pdf>. While advocating
continued monitoring of the progress of self-regulation and refusing to rule
out the eventual need for online privacy legislation, the report concluded that
"legislation to address online privacy is not appropriate at this time."
Id. at *12.
[FN152]. See, e.g., Children's Privacy
Protection and Parental Empowerment Act of 1999, H.R. 369, 106th Cong. (1999)
(this bill is not confined to Internet contexts and would generally regulate
use of personal information on children under 16); Electronic Rights for the
21st Century Act, S. 854, 106th Cong. (1999) (an omnibus e-privacy bill that
would, inter alia, amend the ECPA to limit circumstances under which an
electronic communications service can reveal subscriber information); the
Internet Growth and Development Act of 1999, H.R. 1685, 106th Cong. § 201
(1999) (requiring commercial websites to post privacy policies); Personal
Information Privacy Act of 1999, H.R. 1450, 106th Cong. § 7 (1999) (amending
FCRA to prohibit selling "transactions and experience" information
about a person without that person's consent and regulating commercial use of
social security numbers); Social Security On-Line Privacy Act of 1999, H.R.
367, 106th Cong. § 2 (1999) (prohibiting "interactive computer
services" (apparently meaning Internet Service Providers) from disclosing
users' social security numbers and related information).
[FN153]. See supra note 36 and accompanying text
(quoting the zZounds website).
[FN154]. Jeff Partyka, IBM Advises on Online
Privacy (July 16, 1999)
<http://www.pcworld.com/pcwtoday/article/0,1510,11830.00.html>.
[FN155]. A. Lash, Privacy, Practically Speaking,
The Industry Standard (Aug. 2-9, 1999)
<www.thestandard.com/articles/display/0,1449,563,co.html>. The article mentions
three audits costing $200,000 or more, and one program that involves quarterly
follow-up inspections at $20,000 per inspection. For the record, legal costs are
an order of magnitude lower.
[FN156]. For a more complete discussion of audit
methods and procedures, see S. Killingsworth, Making it Legal: A Checklist for
Web Site Privacy Audits, E-Commerce Law Report, Vol. 2, No. 1 (October 1999),
p. 15.
[FN157]. The BBBOnLine privacy program requires
disclosures of whether data gathered on the website is merged with data from
other sources, since this data-matching can multiply both the original data's
usefulness to the website and the sense of intrusion into the user's privacy.
Better Business Bureau, Sample Privacy Notice (visited Oct. 4, 1999)
<http://bbbonline.org/businesses/privacy/sample.html>.
[FN158]. Compiling sensitive data just because
it is available, with no particular use in mind, is inadvisable since there is
no immediate benefit to having it and there is always a risk of inappropriate
use or disclosure.
[FN159]. Seeding refers to the practice of inserting
into a mailing list fictional or coded names with addresses that lead back to
the party who compiled the list, to provide a practical means for that party to
monitor the use of the list.
[FN160]. For websites directed at children, the
BBBOnLine privacy seal program requires the use of alerts to warn the user when
a link leads out of the website; this exceeds the requirements of COPPA and the
proposed COPPA regulations. Better Business Bureau, supra note 157.
[FN161]. This may have been GeoCities' problem--
the statements cited by the FTC were not in a single, comprehensive privacy
policy, but were scattered among its New Member Application Form, its Free
Member E-mail Program web page, and one issue of its World Report newsletter.
GeoCities, FTC Docket No. C-3850 (decision and order) (Feb. 5, 1999)
<http://www.ftc.gov/os/1999/99/9823015d0.htm>.
[FN162]. T. Wolverton, United Sends Mixed
Privacy Messages, CNET News.com (June 4, 1999)
<http://news.cnet.com/news/0-1007-200-343254/htm.?tag=st.cn.1fd2>.
[FN163]. Id.
[FN164]. Id.
[FN165]. Id. At this writing, no explanation for
how this occurred had been made public; it is entirely possible that the
privacy policy was the later and more authoritative expression of United's
intent and that there was simply an administrative oversight in failing to
conform the user agreement to it.
[FN166]. One recent project that included a new
"opt-out" database cost $250,000. Lash, supra note 155.
[FN167]. For example, both BBBOnLine and TRUSTe
regulate use of personally-identifiable information obtained from persons
other than the data subject. Further, on children's sites BBBOnLine requires
either posting an alert when a link leads to another site where the same
privacy rules do not apply, or avoiding altogether links to other
child-directed sites that do not follow "core privacy standards."
Better Business Bureau, supra note 157.
[FN168]. It is intriguing to note that the
BBBOnLine license agreement does not include a "no third-party
beneficiary" clause, so conceivably a consumer-- for whose benefit the
program presumably exists-- might be able to sue for damages under that
agreement if it were advantageous to do so. Better Business Bureau, supra note
157.
[FN169]. Effective June 30, 1999, TRUSTe added
to its license agreement new data security requirements and a requirement that
consumers have the opportunity to correct inaccurate data. Additionally, a
provision for mandatory opt-out for secondary uses and third-party disclosures
was added effective August 30, 1999. Changes In TRUSTe License Agreements,
TRUSTe Reporter (Spring 1999) <http://www.truste.org/newsletter/spring99.html#02>.
[FN170]. As with any legal drafting problem,
there are legitimate questions as to just how detailed and specific a privacy
policy should be, but implementing any policy requires more focus than the fair
information practices formulations provide.
[FN171]. See infra Part IX.d for a detailed
discussion of these issues.
[FN172]. Both BBBOnLine and TRUSTe require that
users be allowed to "opt-out" of disclosure of their information to
third parties for secondary uses. While an "opt-out" is also required
for secondary uses by the website operator, both seal programs allow the
operator some latitude in defining what a "secondary use" is in the
privacy policy. TRUSTe License Agreement Rev. 5.0, § 4.A. (June 25, 1999)
<http://www.truste.org/webpublishers/pub_agreement.html>; BBBOnLine
Eligibility Criteria (visited Oct. 31, 1999)
<http://www.bbbonline.org/businesses/privacy/eligibility.html>. The current EU Safe
Harbor draft seems to offer similar flexibility. Draft Safe Harbor, supra note
112. The FTC's formulation of the Choice principle suggests that consumers
should always have a choice as to secondary uses. Privacy Online, supra note
58.
[FN173]. The scope of the Draft Safe Harbor
exclusion is subject to ongoing debate. Draft Safe Harbor, supra note 112.
[FN174]. The EU Privacy Directive and the Draft
Safe Harbor apply to all information an organization maintains on an
individual, so organizations subject to those rules will not be able to limit
the application of the privacy policy, or of the policy's access rules, to
information gathered through the website.
[FN175]. The online economy leaves no doubt that
user "eyeballs" and data have market value to most websites.
[FN176]. Notably, both BBBOnLine and TRUSTe
require that a website apply to personal data the privacy policies that were in
effect when the data was collected, effectively outlawing "bait and
switch" privacy promises by their licensees. See BBBOnLine Eligibility
Criteria, supra note 172; Privacy Policy Assessment Questionnaire, Section E1
(visited Oct. 31, 1999) <http://www.bbbonline.org/businesses/privacy/assess-html.html>.
Both the Eligibility Criteria and the Assessment Questionnaire are incorporated
by reference into BBBOnLine's Participation Agreement (visited Oct. 31, 1999)
<http://www.bbbonline.org/download/license.PDF>. See also TRUSTe License
Agreement Rev. 5.0, supra note 172, at Schedule A, § 4.F (for an additional
example). However, these policies have not prevented some licensees from using
the "implied consent to policy change" techniques outlined in this
article.
[FN177]. BBBOnLine requires a link to the
privacy policy on every page in which data is collected. BBBOnline Eligibility
Criteria, supra note 172, §§ "Eligible Sites." The proposed
regulations implementing COPPA require similar notice on sites aimed at
children. COPPA, Prop. Regs § 312.4(B).
[FN178]. Like shrink-wrap software licenses,
click-wrap agreements have now received express judicial sanction. Hotmail Corp. v. Van Money Pie, Inc.,
47 U.S.P.Q.2d (BNA) 1020 (N.D. Cal. 1998).
[FN179]. See S. Junnarkar, DoubleClick Accused
of Unlawful Data Use, CNET News.com (January 28, 2000)
<http://news.cnet.com/category/0-1005-200-1534533.html>, quoting Jason
Catlett, the founder of Junkbusters, a resource site for privacy-protection
measures, as follows: "Based on previous experience...these class-action
lawyers follow privacy advocates like ambulance chasers. I think it is
inevitable that we will see more suits filed." The article reports on a
class-action suit arising out of the DoubleClick acquisition of Abacus,
described in note 188 infra.
[FN180]. 105 F.3d 1147 (7th Cir. 1997),
cert. denied 522 U.S. 808 (1997). New
York has also upheld Gateway's shrink-wrap arbitration clause as against a
class action. See Brower v. Gateway 2000, Inc., 676
N.Y.S.2d 569 (N.Y. App. Div. 1998).
[FN181]. For a more detailed discussion of the
Gateway case and its implications for class actions, see J. T. Westermeier, How
Arbitration Clauses Can Help Avoid Class Action Damages, Computer Law
Strategist, Sept. 1997, at 1.
[FN182]. The identification of persons
anonymously posting either false information about a publicly-traded stock, or
inside information, are examples of this exception.
[FN183]. Under the Draft Safe Harbor, supra note
112, and the EU Privacy Directive, supra note 2, affiliates may be considered
"third parties" despite any attempt to characterize them otherwise.
[FN184]. See Wendy Marinaccio, Privacy Advocates
Blast DoubleClick Merger, CNET News.com (June 21, 1999)
<http://www.news.cnet.com/news/0-1005-200-343915.html?tag=st.cn.1fd2.>
(reporting on the outcry against the acquisition of a market research company
by one of the web's premier advertising companies, allowing DoubleClick's 1,300
advertising websites to potentially exchange data with Abacus's collection of
1,100 catalog companies). The merger closed November 23, 1999, with results
outlined at note 7 supra. It is doubtful, of course, that any privacy policy
provision would have prevented this essentially political reaction.