



Practicing Law Institute

Patents, Copyrights, Trademarks, and Literary Property Course Handbook Series

PLI Order No. G0-00DZ

September, 2000

eCommerce Strategies for Success in the Digital Economy September 2000




Scott Killingsworth [FN1]


Copyright (c) 1999 - 2000, All Rights Reserved.


Abstract

After a brief excursion into the recent history and business context of Website privacy issues, this paper summarizes the major sources of applicable privacy law within the United States, and offers a methodology for constructing a privacy policy and information practices that are consistent both with one another and with the law.


For e-commerce websites, having a privacy policy is no longer optional. Federal legislation, FTC enforcement, the European Union Privacy Directive, [FN2] economic coercion and consumer demand have all recently converged to create a new environment in which implementing a privacy policy is a business necessity for most, and legally advisable for all.
In principle, privacy policies are simple: if your website collects individually-identifying information about visitors or customers, tell them how and why you collect the information, how it is used and to whom it is disclosed, and give them some choice in the matter. But the short history of personal privacy on the web is already replete with examples of how treacherous the execution of this simple formula can be: Internet icons like Yahoo, DoubleClick, America Online, RealNetworks and GeoCities, and major corporations like United Airlines, have all stumbled on privacy issues. The hazards are many: first, the emerging legal rules, self-regulation models and web-community norms are all moving targets; second, though consistent in thrust, the legal rules differ in important details; and third, there is a noticeable gap between what is legal and what may be necessary to avoid a public-relations disaster. Applying these fragmented, evolving principles to a web-based business that is itself in constant flux can be like trying to thread a needle while roller skating on a boat in choppy seas.
This paper describes how to design a website privacy policy that will be effective both legally and in practice. It addresses specific issues that must be confronted in drafting and implementing a policy, and offers suggestions for avoiding pitfalls. But we begin with context: the business pressures that make a privacy policy necessary and the legal principles that apply.


Scott McNealy's impulsive remark to a roomful of reporters [FN3] could hardly be more politically incorrect, but it mirrors the perceptions of many on both sides of the privacy fence. On the one hand, some website operators have avidly exploited the Internet's special aptitude for harvesting, sifting, and remarketing information about visitors, often surreptitiously, with little if any respect for the wishes of the individuals involved. On the other, awareness of these zero-privacy practices has led many consumers to develop an abiding distrust of "the Internet," [FN4] with consequent misgivings about disclosing personal data or doing business online.
Though concern about computers and privacy is nothing new, [FN5] the Internet offers unique temptations both for collectors of personal information and for individuals who are asked to reveal it. A department store or mail order house may be able to deduce customer interests by tracking purchases, but on the Internet merchants can track not only what customers buy but also what else they look at and for how long. If the customer arrived at the merchant's site in the usual way, via a hyperlink from a referring site, the merchant's server logs will record the identity of the referring site, providing a source of additional clues about the customer's interests or browsing patterns. Instead of relying on hit-or-miss surveys to assess the efficiency of advertising in bringing customers to the store, web merchants can receive a database-ready audit trail detailing which customers clicked on which ads on their way to the site. With the help of web-based advertising networks that deliver cookies with their banner advertisements and thereby track browsing at all sites participating in the network, a website can learn about its visitors' browsing habits elsewhere on the Internet, their employer types (deduced from top-level domain names), the time of day they browse and where they live. [FN6] Combined with personal demographic information gathered in a registration or transaction process-- or purchased from third parties-- and analyzed with sophisticated data-mining and predictive programs, this information can become a powerful marketing tool. [FN7] The process is tempting not only because the data is so valuable, but also because obtaining it is so easy. Virtually every "dotcom" startup's business plan includes a section on the site's ability to construct and exploit demographic and psychographic [FN8] profiles of visitors, blurring the "fine line between good service and stalking." [FN9]
For consumers, the temptations to disclose information are many, from the convenience of ordering products online, to the benefits of registered membership in a free community or portal site (such as user-defined content, public or private discussion forums, etc.), to the personalized buying suggestions, and even third-party advertisements, that arrive as a result of making one's self known to a site. And again, it is so easy to disclose the information. The problem is that once the cat is out of the bag, it may be difficult to stop the resulting onslaught of marketing e-mails, savory and otherwise, and direct mail and telephone solicitations, especially if the website has shared the information with third parties.
As the web has matured into a mainstream business channel, the need to strike a more appropriate balance between business and consumer interests has become plain. The backlash of mistrust provoked by some websites' cavalier treatment of personal information threatens to impede the growth of e-commerce, and so enlightened self-interest dictates that the business community focus on building consumer confidence in the web. Privacy policies have become the centerpiece of this effort.


Of course, adopting a privacy policy is not enough; to protect the public and the website, the policy must be followed. This lesson was driven home by the Federal Trade Commission's (FTC) 1998 GeoCities [FN10] enforcement action, a watershed event that exemplified both the grounds for consumer privacy concerns, and the government's response to them. One of the ten most visited websites, GeoCities was a "virtual community" that hosted members' home pages and provided other services such as free electronic mail (e-mail), clubs and contests to its 1.8 million members. The membership application requested both mandatory and optional personal information, and included options as to whether the member wanted to receive specified marketing information. The site also promoted a club and contests for children, participation in each of which required the child to submit personal information and to establish a GeoCities home page.
The website included statements assuring members that their personal information would be shared with others only in order to provide members the specific advertising they requested, and that optional registration information would not be disclosed without the member's permission. Actually, the members' information had been sold or rented to third parties who used it for other purposes, including targeted advertising. [FN11] As to children, the FTC found that the website created the impression that GeoCities was collecting the contest and registration information, when in fact this was done by third parties hosted on its site. [FN12]
These blunders gave the FTC the platform it needed to make a public example, [FN13] and to put into practice its oft-stated views on how websites should handle personal privacy issues. The case settled with a consent order [FN14] that prohibited GeoCities from misleading consumers about its data collection, use or disclosure practices, and from misrepresenting who was collecting personal information. GeoCities agreed to post a privacy policy explaining what information is collected on the site, its intended use, what third parties might receive it and how the member could access the information and have it erased from GeoCities' computers. In addition, GeoCities was required to obtain express parental consent before collecting personal information from children, and to delete all information previously collected unless the parents agreed otherwise. [FN15] The FTC's timing was politically astute: a week before the case was made public, the FTC had asked Congress to enact legislation protecting children's privacy online; [FN16] before the GeoCities order was officially issued, Congress had passed the Children's Online Privacy Protection Act of 1998 (COPPA). [FN17]
What is most legally interesting about GeoCities is that it is based entirely on misrepresentation. The FTC does not (except under COPPA) have authority either to require websites to post privacy policies, or to prescribe their content, but under Section 5 of the FTC Act it has broad enforcement power over "deceptive acts or practices." [FN18] If instead of saying one thing and doing another, GeoCities had made no promises at all, it might have avoided becoming the most notorious bad example in the history of online privacy.


As GeoCities shows, from a strictly legal perspective [FN19] McNealy's "zero-privacy" remark has much to recommend it as an eight-word privacy policy. As long as one is not catering to children, gathering information from European consumers, [FN20] or in an industry where information practices are already regulated, [FN21] the main source of liability exposure in this area is violating one's own policy, and the McNealy doctrine would be impossible to violate. Why should any business volunteer for potential liability by publicly adopting a higher privacy standard? Quite simply, one can't afford not to.


Every web-based business has a stake in consumer confidence. Even brands that already enjoy solid reputations have an interest in avoiding any taint from consumer fear, uncertainty and doubt concerning the web as a whole. And despite the spectacular growth of e-commerce, much doubt remains. Credible studies indicate that concern for privacy is the number one factor keeping non-Internet users off the net, [FN22] and less than a quarter of all web users have actually purchased anything online. [FN23]
The obvious product of this distrust is that people avoid disclosing personal information by opting against online transactions and website registration. [FN24] Less obvious but equally troubling for online marketers is the "garbage in" syndrome: in two recent surveys, over forty percent of Americans who registered at websites admitted to providing false information some of the time, mainly because of privacy concerns; the figure for European registrants was over fifty-eight percent. [FN25] Meanwhile, the market has responded to user privacy concerns with a variety of products and services designed to provide anonymous surfing and to block meaningful tracking of browsing behavior. [FN26] The message to marketers is clear: if you want useful and accurate data, earn it by assuring consumers that you will use it appropriately.
Posting a privacy policy can make an enormous difference in consumer confidence: in survey after survey, overwhelming majorities of net users say that privacy policies are important, [FN27] or would matter to them in deciding whether to trade information for benefits, [FN28] or would increase their Internet usage, [FN29] purchases, [FN30] or information disclosure. [FN31] Moreover, as privacy policies become nearly universal, [FN32] the implicit message of not posting a policy may be that one should be assumed a "data bandit" until proven otherwise. [FN33]
Just as having no privacy policy can be a handicap, claiming the high ground with a conspicuously consumer-friendly policy can confer competitive benefits. People are especially sensitive about the release of their information by the original recipient to unnamed others. [FN34] Reacting to this sensitivity, many websites have adopted a black-box model that consolidates the marketing function for third-party products in the website so that consumers' identifying information need not be shared with the third-party advertisers. The outside vendor may specify group demographics for the targeted consumers but will not have access to an individual's information until an order is actually placed, and may not receive it even then. [FN35] A website that goes out of its way to identify itself in plain language as the consumer's privacy ally makes a powerful marketing statement - particularly if the contrast with competitors' indiscretions is explicit. Consider these excerpts from a musical instrument retailer's policy:
What you do with zZounds today is nobody else's business. And we promise to keep it that way...Not all businesses respect their customer relationships like we do at zZounds. Many businesses, including other large music instrument retailers, are eager to share the information they have collected about you. Your trust and your privacy is for sale to the highest bidder.... This will not happen when you shop at zZounds. [FN36]
Indeed, taking this idea one step further, a growing market niche has developed around the business model in which the website openly bargains for web users' demographic and psychographic profiles in return for a promise of limited anonymity, coupled with the privilege of sending targeted advertising to the users. The message of companies such as Juno [FN37] and MyPoints [FN38] is: tell us what we need to know to send you ads that will interest you, and we will keep your data confidential. To the extent that the marketing actually reflects the user's interests, advertisements will not be "junk mail" to the user, and they will be far more effective on a per exposure basis for retailers.
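The "black-box" model described above, and the Juno/MyPoints bargain of targeted advertising in exchange for confidentiality, both rest on the same engineering idea: the website keeps the identity-to-profile mapping inside its own systems and hands outsiders only group-level results. The following Python sketch is an added illustration of that design; it is not code from the article or from any of the companies it names, and the data model, the MIN_AUDIENCE threshold and the function names are assumptions chosen for the example.

```python
"""Added example: a black-box ad-matching layer that keeps member identities
inside the website.  The Member model, MIN_AUDIENCE and the function names are
hypothetical; none of this is code from the article or the companies it cites."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Member:
    member_id: str                 # internal key, never shown to vendors
    email: str                     # identifying data, stays in-house
    age_band: str                  # coarse demographics a vendor may target
    region: str
    interests: List[str] = field(default_factory=list)
    share_on_order: bool = False   # opt-in: release contact details once an order is placed

# Constructed sample members (not real people).
MEMBERS = [
    Member("m1", "alice@example.test", "25-34", "us-southeast", ["guitar", "recording"]),
    Member("m2", "bob@example.test", "25-34", "us-southeast", ["drums"], share_on_order=True),
    Member("m3", "carol@example.test", "45-54", "us-west", ["guitar"]),
    Member("m4", "dan@example.test", "25-34", "us-southeast", ["guitar"]),
]

# Audiences smaller than this are not reported, so a vendor cannot use a
# narrow demographic query to single out one member.  Assumed value.
MIN_AUDIENCE = 3

def select_audience(members: List[Member], criteria: Dict[str, object]) -> List[str]:
    """Return internal member_ids matching the vendor's group criteria.
    Recognised keys: 'age_band' and 'region' (exact match), 'interest' (any-of)."""
    hits = []
    for m in members:
        if criteria.get("age_band") not in (None, m.age_band):
            continue
        if criteria.get("region") not in (None, m.region):
            continue
        want = criteria.get("interest")
        if want is not None and want not in m.interests:
            continue
        hits.append(m.member_id)
    return hits

def vendor_report(members: List[Member], criteria: Dict[str, object]) -> Dict[str, object]:
    """Everything the outside vendor gets back: a count, withheld when too small."""
    n = len(select_audience(members, criteria))
    if n < MIN_AUDIENCE:
        return {"audience_size": None, "reason": "below minimum audience"}
    return {"audience_size": n}

def deliver_campaign(members: List[Member], criteria: Dict[str, object],
                     creative: str) -> List[Dict[str, str]]:
    """The site, not the vendor, addresses the advertisement; the vendor never
    learns which members received it."""
    by_id = {m.member_id: m for m in members}
    return [{"to": by_id[i].email, "body": creative}
            for i in select_audience(members, criteria)]

def release_on_order(member: Member, vendor_needs=("email",)) -> Optional[Dict[str, str]]:
    """Only after an order, and only if the member opted in, pass the vendor the
    fields needed to fulfil it.  Returns None when the member has not opted in."""
    if not member.share_on_order:
        return None
    return {f: getattr(member, f) for f in vendor_needs}

if __name__ == "__main__":
    campaign = {"age_band": "25-34", "region": "us-southeast", "interest": "guitar"}
    print(vendor_report(MEMBERS, campaign))
    print(deliver_campaign(MEMBERS, campaign, "New guitar strings, 20% off"))
```

The point of the threshold in `vendor_report` is that "group demographics" only protect individuals if the groups are large enough; a query precise enough to match one member is, in effect, a request for that member's identity, and the black box should refuse it.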
Finally, nothing undermines trust like a well-publicized betrayal. It has proven surprisingly easy for marketers, tightly focused on how information can be profitably used and sold, to misjudge (or be oblivious to) consumer reaction to new initiatives. Properly implemented, a privacy policy serves as an internal touchstone for a company's consumer information practices. As the standard for evaluating any change in these practices, the policy can help inoculate against the kind of ill-considered strategies that create public relations meltdowns. [FN39]


"Privacy Seal" programs such as those sponsored by TRUSTe [FN40] or BBBOnLine [FN41] may also win consumer confidence. Privacy counterparts to the Good Housekeeping and Underwriters' Laboratories seals, these programs bring the credibility of third-party assessment, verification, and dispute resolution to a website's information practices. These programs also require adherence to certain minimum standards in areas such as notice of information practices, consumer choice as to secondary uses [FN42] of the information and its transfer to third parties, consumer access to stored data, information security, and data integrity. Both organizations have special rules for sites targeted at children, consistent with those of COPPA. [FN43]
Both organizations require completion of self-assessment questionnaires that probe the site's information practices in great detail - a useful exercise for anyone preparing a privacy policy - and both impose strict license agreements and provide for ongoing compliance reviews. [FN44] BBBOnLine adds a mandatory, structured dispute resolution mechanism. [FN45] As of January, 2000, TRUSTe had 1000 licensees, including all of the major portals, 15 of the top 20 sites and approximately half of the top 100 sites; [FN46] BBBOnLine rolled out its privacy seal in March of 1999, with approximately 300 applications on file [FN47] and by January, 2000 had over 200 sites enrolled. [FN48]
The potential of these seal programs to win consumer trust was illustrated by a 1999 survey in which web users were shown twenty-seven certification marks used online, and asked to pick the two marks they were familiar with that most increased their trust of a website. [FN49] The BBBOnLine and TRUSTe marks were ranked second and third (behind only the Verisign symbol), with thirty-six percent of respondents ranking BBBOnLine [FN50] in their top two, and thirty-one percent naming the TRUSTe symbol.
For over four years the FTC has consistently encouraged industry self-regulation efforts such as these seal programs, which promise such benefits to the government as avoidance of the First Amendment issues that arise when the government attempts to control the flow of information, and conservation of limited government enforcement resources. [FN51]


As mentioned above, even the most trusted brands have a stake in public confidence in e-commerce generally, and in privacy protection as one of its components. The "800-lb. gorillas" of the net are beginning to weigh in pointedly on the side of privacy policies. Recently the Internet's two largest advertisers, [FN52] IBM [FN53] and Microsoft, [FN54] announced that they would no longer advertise on websites that did not post privacy policies. A week after the Microsoft announcement, Disney's Go Network, which includes Infoseek, among others, raised the ante by declaring that they would neither advertise on, nor accept advertising from, sites lacking a comprehensive privacy policy. [FN55]
Similar pressures are being exerted by trade associations such as the Direct Marketing Association (DMA), which required its 3,600 members to adopt its "Privacy Promise" [FN56] by July 1, 1999. This policy requires members to inform customers of their right not to have their personal information sold, rented or exchanged; to honor consumer requests not to be contacted again by the member or not to have their information shared with others; and to consistently use the DMA's contact-suppression lists of consumers who have informed the DMA that they do not wish to receive direct-mail or telephone solicitations (an e-mail suppression list is planned as well). In addition, the DMA has created an automated privacy policy generator [FN57] that can be used by its members or others to create a simple privacy policy. A number of other industry associations, [FN58] particularly in the banking and consumer marketing fields, recommend model information practice guidelines to their members. [FN59]
These "gorillas" are not proselytizing privacy wholly out of concern for individual rights or the credibility of the Internet; they see a bigger gorilla on the horizon. A political consensus on appropriate use of consumer information has arrived, and effective self-regulation (at the level of the individual company and of the Internet community as a whole) is probably the only way to head off federal privacy legislation, with its threat of inflexibility and bureaucratization. These companies know that the alternative to adopting a privacy policy is to have the government adopt one for them. The choice is not between whether to volunteer for liability or to avoid it; the choice is whether to define one's own standard or to accept whatever standard the political process may define. We turn now to the "Fair Information Practices" consensus, its history and its gradual transformation into law.


The consensus approach to personal information privacy is a market-based model that allows consumers to participate in decisions on disclosure and use of their personal information, within a framework of data security and integrity. As articulated by the FTC, [FN60] the elements of "Fair Information Practices" are notice, choice, access, security, and enforcement.


Consumers are entitled to clear and accessible notice of a website's practices of collecting, using, and disclosing personal identifying information, before the information is collected. Notice is the foundation on which the other principles operate, and accordingly the notice should address matters such as who is doing the collecting, what data is being collected and how it is being collected, how the data will be used, to whom it will or may be disclosed, and the consequences of refusing to give the information. The notice should also discuss the website's policies on choice, access, and security.


Consumers should be offered choice as to how their information is used beyond the purpose for which it was initially provided (e.g., to gain access to website features or to complete a transaction). Choice may be "opt-in" ("click here if you would like to receive valuable information from carefully selected business partners") or "opt-out" ("click here if you prefer not to receive junk mail from total strangers"). "Opt in" offers the stronger privacy protection because it establishes a default rule against disclosure and use.
The most important choice points are those concerning secondary uses by the website gathering the information (such as inclusion in the company's targeted mailing lists), and disclosure of the information to third parties.


Consumers should have reasonable access to stored information about them [FN61] and an opportunity to correct inaccuracies or to have the data deleted.


Websites should take reasonable steps to protect the security of the data, both internally and vis-à-vis outsiders, and to ensure its integrity (freedom from alteration) and accuracy. [FN62]


These principles must be enforceable to be effective. The appropriate enforcement apparatus and the minimum standard of what enforceability means are at the heart of a spirited debate over whether self-regulation is sufficient [FN63] or additional federal legislation is needed. Undoubtedly, the FTC has pressed for universal adoption of privacy policies in part to bootstrap itself into GeoCities-style enforcement authority under section 5 of the FTC Act. Also, a key issue in the negotiations between the United States and the European Union (EU) over the EU Privacy Directive [FN64] has been an EU requirement that enforcement include a right to money damages for those injured by privacy violations.
For young children, there is a codicil to the principles of notice, choice and access: Parents must receive the notice and exercise choice on behalf of young children, and parents should have access to the information on file about their children.
These five principles owe their current acceptance to both their considerable history and their flexibility. First presented in a 1973 study by the Department of Health, Education and Welfare, [FN65] they soon became the framework for the Privacy Act of 1974. [FN66] They were adopted as guidelines by the Organization for Economic Cooperation and Development (OECD) [FN67] in 1980, and with some important refinements, formed the basis of the EU Privacy Directive. Lately, they have been strongly advocated by the Commerce Department and the FTC (the GeoCities order is a roadmap of Fair Information Practices) and have found their way into a number of laws and legislative proposals.
The flexibility that makes these principles so widely acceptable to consumer advocates, government, and industry alike could be equally well described as "vagueness," and the specter of endowing these principles with the force of law - to be further defined, refined, and expanded in the American way, through detailed regulations and endless litigation - is enough to make any businessperson an apostle of self-regulation. Self-regulation, after all, is simply the ability to decide for oneself what "reasonable" means.


Though America has recognized enforceable privacy rights in personal information for nearly a century, [FN68] the legal context for website privacy policies is, for the most part, new and rapidly evolving. Drafting a privacy policy means navigating a variety of United States statutes and legal principles of relatively narrow scope-- a situation that has been described euphemistically as a "sectoral" [FN69] or "layered" [FN70] approach and realistically as a "patchwork" or "minefield" -- as well as anticipating where United States and EU law may be headed. Without attempting a complete analysis, this section highlights the major legal issues that impact formulation of a privacy policy.


Although the common law of torts is not currently a major concern for the ordinary business practices of commercial websites, it cannot be ignored. The most relevant common law concept is invasion of privacy by public disclosure of private facts. [FN71] However, this cause of action arises only if the information revealed would be highly offensive or humiliating to a reasonable person, is of no legitimate public concern, and is disclosed widely enough to be "substantially certain to become...public knowledge." [FN72]
The case of naval officer Timothy McVeigh is a cautionary tale for online businesses in this area (although it is by no means clear that the elements of this tort were actually present in that case). [FN73] A Navy investigator duped an America Online (AOL) service representative into confirming that McVeigh was the person behind an AOL user profile that listed the user as being gay; [FN74] the Navy attempted to expel McVeigh from the service on that basis. For AOL, which settled out of court, the incident uncovered a need to redouble its staff education efforts on protection of members' privacy, including "scenario training" aimed at helping customer service representatives deal effectively with attempts to access member information via subterfuge. [FN75]
Looking ahead, website operators should be alert for cases which may lower the threshold of "public disclosure" in light of the ease of wide dissemination of data over the web; but even if this occurs, the likelihood of tort liability for disclosure of ordinary marketing information seems remote. Sites that deal in especially sensitive information such as health status, mental illness, emotional or family problems, and sexual matters are at greater risk. Someday, someone who has ended up on a mailing list targeted at participants in anonymous discussion forums on masochism, obsessive-compulsive disorder, and Ivy League football is going to get mad enough to sue, and just might win.
For purposes of this article, the most important feature of tort law is that consent is a defense. In the tort context, it may be debatable whether submitting information on a website constitutes legally binding consent to the information practices stated in the website's privacy policy, but the argument is at least plausible. Websites that deal with highly sensitive information, including those with anonymous or private discussion forums, typically have a click-wrap user agreement that can be integrated with the privacy policy to ensure valid consent.


As the GeoCities discussion suggests, and the FTC seems to have publicly conceded, [FN76] the FTC's jurisdiction under the FTC Act is effectively limited to ensuring that a website's practices mirror its stated policies, if any. Previously, the FTC staff had asserted that even if no promises are made to the user, some information practices might be "inherently unfair" in the context of collection and release of information from children, [FN77] but this position seems moot in light of COPPA and is unlikely to be asserted as to data collected from adults. There is no private right of action under the FTC Act, so consumers seeking damages for privacy policy violations must find another theory of liability, such as contract. [FN78]


Enacted in October 1998, COPPA applies to commercial [FN79] websites and online services that are targeted at children or that have actual knowledge that information is being collected from a child. [FN80] It codifies the FTC's Fair Information Practices as imposed in the GeoCities Consent Order, starting with the requirement of posting a privacy policy describing what information the site collects and how it uses and discloses that information. [FN81]
The cornerstone of COPPA is prior "verifiable parental consent" [FN82] to the collection, maintenance, and disclosure of information about children twelve and under. COPPA complements this initial parental "opt-in" [FN83] with a continuing "opt-out" right to stop further use or collection of information from the child [FN84] and also gives parents access rights to stored information. [FN85] Exceptions to the "verifiable parental consent" requirement accommodate the practicalities of getting the consent in the first place (how would you know whose parent to contact or how to contact the parents, unless you ask the child?) and allow isolated e-mail contacts and actions necessary to protect the child's safety, to comply with the law, or to deal with website security issues. [FN86]
Covered websites are prohibited from extracting extraneous information from children as a prerequisite for entering an online contest or other activity [FN87] and are required to use "reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children." [FN88] Finally, the law provides for a "safe harbor" whereby a website will be deemed in compliance with COPPA if it complies with an industry self-regulatory program approved by the FTC. [FN89]
Enforcement of COPPA depends entirely on its implementing regulations; the only actual offense under the law is violation of the regulations. [FN90] The regulations, [FN91] which take effect April 21, 2000, address such issues as defining when a website is "targeted at children," what is considered "personal information," and how to notify parents and obtain verifiable parental consent. As to the latter, the regulations impose, on a transitional basis, a two-tier scheme for consent depending on the activities involved and the use the website intends to make of the information gathered. Until April 21, 2002, initial parental consent for internal uses of information by the website can be obtained via e-mail, with follow-up confirmation via either e-mail, postal mail or telephone; but for disclosures to third parties and online activities such as personal homepages, message boards and chat rooms which inherently disclose information, [FN92] prior consent must be obtained by more reliable (and burdensome) means such as postal mail, use of a credit card, digital signature technology, a toll-free telephone bank with trained operators, or e-mail containing a password issued by the site. After April 21, 2002, all consents must be obtained by the more rigorous means just listed. [FN93]
Equally important in the present context, the regulations impose specific requirements for the content and placement of the website's privacy policy. [FN94] The content requirements essentially mirror the structure of COPPA itself, requiring the website to disclose what information it collects and what it does with the information, and to advise visitors of their rights under COPPA. [FN95] The placement requirements are designed to ensure that the notice will be prominently displayed where it is most needed: on the site's home page and adjacent to each request for personal information. [FN96]
For most websites, the response to COPPA should be to avoid knowingly collecting information from young children, either by omitting age questions altogether or by providing data fields for age where 0-12 are invalid entries. These measures could be accompanied by a notice that the website does not wish to collect information from children twelve and under. For websites that actively cater to children, the law has ramifications not only for the privacy policy itself but also for site and database design. Like any privacy policy, COPPA sets a behavioral standard that the site operator must design its back-office systems to implement.
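One way to implement the second option above (an age field in which 0-12 are invalid entries, backed by a notice that the site does not collect from children twelve and under) is shown in the following Python sketch. It is an added illustration, not code from the article or from any website it discusses; the field names, the STORED stand-in for a member database and the notice wording are assumptions. The detail worth noticing is that a rejected submission is discarded whole: the back office never writes any field of a child's form, so there is nothing to delete later.

```python
"""Added example: a registration gate for the 'age field where 0-12 are invalid'
approach.  Field names, STORED and the notice text are hypothetical."""
from typing import Dict, Optional, Tuple

MIN_AGE = 13   # COPPA covers children twelve and under
CHILD_NOTICE = ("This site does not knowingly collect personal information "
                "from children age 12 and under.")

# Stand-in for the member database; a real site would use persistent storage.
STORED: Dict[str, Dict[str, str]] = {}

def parse_age(raw: Optional[str]) -> Optional[int]:
    """Accept only a plain non-negative whole number as an age.
    Anything else (blank, negative, decimal, text, absurd) counts as no valid age,
    so the caller cannot treat a malformed entry as 'adult'."""
    if raw is None:
        return None
    raw = raw.strip()
    if not raw.isdigit():          # rejects '', '-3', '12.5', 'abc'
        return None
    age = int(raw)
    return age if age <= 150 else None

def screen_registration(form: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, message).  Only an accepted submission touches STORED;
    a rejected one is dropped in full, including fields other than age."""
    email = (form.get("email") or "").strip()
    age = parse_age(form.get("age"))
    if age is None:
        return False, "Please enter your age as a whole number."
    if age < MIN_AGE:
        # Do not persist, log or echo back any part of the child's submission.
        return False, CHILD_NOTICE
    if not email:
        return False, "An e-mail address is required."
    STORED[email] = {"email": email, "age": str(age)}
    return True, "Registration accepted."

if __name__ == "__main__":
    # Constructed sample submissions (not real people).
    for sample in ({"email": "kid@example.test", "age": "11"},
                   {"email": "adult@example.test", "age": "34"},
                   {"email": "x@example.test", "age": "twelve"}):
        print(sample["age"], "->", screen_registration(sample))
    print("stored accounts:", sorted(STORED))
```

Omitting the age question altogether (the first option in the text) avoids this code entirely, at the cost of forgoing age as a demographic; the gate above is the trade-off for sites that want the field.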


Enacted in 1986 and hence not explicitly addressed to the web as it exists today, the ECPA provides both criminal penalties and civil remedies, including punitive damages, for unauthorized interception or disclosure of electronic communications and unauthorized access to stored communications. [FN97] Parsing through the definitions reveals that the ECPA's reach may be greater than first appears. "Interception" means acquisition of the "contents" of a communication, [FN98] and "contents" is expansively defined to include "any information concerning the substance, purport, or meaning of that communication." [FN99] "Electronic communication" includes "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature," [FN100] a definition broad enough to encompass a browser request for a particular web page, the transmission of a cookie, and other browser-server interactions.
The ECPA has obvious application to the monitoring or disclosure of e-mails, or of discussions in private forums or chat rooms, by a site that provides those services. Presumably the statute's exceptions permitting interception and disclosure by "parties to the communication" [FN101] exempt the collection, analysis, and *698 disclosure of clickstream data by websites; however, in some contexts an argument could be made to the contrary. [FN102]
Exceptions also exist for interception and disclosure of electronic communications by third parties with the consent of a party to the communication. [FN103] As with tort law, it may be unclear whether simply posting a privacy policy that warns of monitoring or disclosure will lead to a conclusive presumption of consent. [FN104] Therefore, website operators contemplating monitoring or disclosure that might be questionable under ECPA should consider an auditable click-wrap consent.


The FCRA [FN105] may apply to a website if it regularly collects and furnishes to others certain types of information [FN106] that may be used for purposes such as *699 credit or insurance underwriting, employment decisions, or deciding whether to enter into a transaction with the person in question. These "consumer reports" may be used only for limited purposes, which do not include the marketing of any products other than insurance and credit. Even for the two industries in which consumer reports may be used for marketing, consumers must have an opportunity to opt out of receiving unsolicited insurance and credit offers. [FN107] An exception to FCRA that allows the use and reporting of one's direct "transactions and experience" with the consumer [FN108] would permit the sharing of most transaction information gathered by most websites from their customers. However, where a website merges its own data with data obtained from other sources and discloses the results, the exception would not apply.
Especially relevant to website privacy policies are several provisions requiring express consumer consent to particular disclosures (e.g., disclosures in connection with employment decisions or medical information). Similarly, an exemption for disclosures of consumer reports to company affiliates applies only if the consumer was clearly and conspicuously informed of the possibility of such disclosures and had an advance opportunity to opt out. [FN109]
Because the requirements of FCRA are complex, interpretive problems abound, particularly as to the distinction between a regulated "consumer report" and an unregulated "marketing profile." [FN110] Accordingly, any *700 website that reports consumer information obtained from third parties should evaluate its information practices to determine whether the statute applies. If it does, it will have a significant impact on the website's information practices and privacy policy.


The EU Privacy Directive sets minimum standards for personal information processing within the EU, and prohibits the transfer of this data to non-EU countries that do not provide "adequate" privacy protection. [FN111] Because most European nations have had comprehensive privacy statutes for some time, the United States, with its ad hoc or "sectoral" approach, has not been recognized as providing adequate protection.
In 1998, negotiations began between representatives of the EU and the United States Department of Commerce to remedy this discrepancy between the U.S. privacy protection standards and the EU notion of what protection is "adequate." In March of this year the Commerce *701 Department and the European Commission reached an agreement on a set of "Safe Harbor" principles [FN112] that American companies could adopt in order to qualify their data protection practices as "adequate," and so ensure continued access to consumer data from Europe. In effect, the Safe Harbor measures "adequacy" largely in terms of conformity to the EU model.
Once the EU's adoption of the Safe Harbor has become fully effective, EU data protection officials will treat U.S. entities that comply with the Safe Harbor as being in compliance with the EU Directive itself. U.S. companies may qualify for the Safe Harbor either by adopting their own enforceable privacy policies that comply with the Safe Harbor principles or through membership in a self-regulatory organization that polices compliance with the principles. The Safe Harbor protection (and data handling requirements) will apply from the date the company self-certifies its compliance with the principles to the Commerce Department.
The Safe Harbor standards are similar to the FTC Fair Information Practices, but include important elaborations on those principles. First, the EU considers data concerning union membership, religious and political affiliation, medical condition, sexuality, and racial or ethnic origin to be especially sensitive, and therefore requires an express "opt-in" before this information can be disclosed to third parties or used for any purpose incompatible with that for which it was originally submitted. For all other personal information, there must be an "opt-out" opportunity to prohibit its use in marketing, either by the original recipient or by others to whom the data is *702 transferred. When data is to be disclosed to third parties [FN113] pursuant to a privacy policy notice (as opposed to transfers with the explicit consent of the consumer), the transferor must ensure that the recipient also follows the Safe Harbor rules. [FN114]
Other key provisions of the Safe Harbor principles address access to personal information and enforcement. The principles state that individuals must have access to personal information about them except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of other persons would be violated. Enforcement mechanisms must include rigorous sanctions against companies that certify adherence to the principles but then fail to comply with them.
Besides these substantive differences from the FTC Fair Information Practices, a host of additional issues stem from the fact that the EU Privacy Directive is law and the FTC practices are not. Those who question whether effective self-regulation is really any different from government prescription have only to look at the fastidious and rigid implementation by the EU of the broad principles that the Privacy Directive and the Fair Information Practices have in common.
*703 In light of the additional requirements of the Safe Harbor, American websites will have to decide whether it is worthwhile to accept data from the EU at all, and if so, whether to partition one's data and information practices according to national origin, or to allow the EU principles to govern one's entire operation.


1. Internet-Specific Regulations. Reflecting the explosive growth of online banking, the Office of Thrift Supervision, [FN115] the Office of the Comptroller of the Currency, [FN116] and the FDIC [FN117] have all recently issued guidance to institutions under their supervision urging them to post privacy policies on transactional websites. For virtually all web-banking accounts, the Electronic Funds Transfer Act [FN118] and implementing regulations [FN119] already require financial institutions to inform customers of the institution's policy on disclosing account information to third parties, including affiliates.
*704 2. Gramm-Leach-Bliley Act. The 1999 Gramm-Leach-Bliley Act, [FN120] also known as the Financial Services Reform Act, represents a dramatic reshaping of U.S. regulation of financial institutions. Its main thrust is to repeal the Glass-Steagall Act [FN121] and to permit financial institutions to affiliate with securities broker-dealers, merchant banks and insurance companies, as well as with a potentially wide variety of other businesses in financial or "complementary" fields.
Title V of the Act imposes substantive restrictions on the disclosure of personally identifiable financial information acquired by financial institutions, other than publicly available information. [FN122] It applies only to financial information, but applies to that information whether gathered online or offline and whether gathered directly from the consumer or from third parties. [FN123] Generally speaking, [FN124] this information may not be disclosed to unaffiliated third parties unless the consumer has been given notice of the institution's privacy policy, including conspicuous notice of any potential disclosure to third parties, and gives the consumer an opportunity to "opt out" of the third-party disclosures before they are *705 made. [FN125] Notably, this restriction closes the door to banks' sales of their "transactions and experience" data to unaffiliated third parties, which was permissible under FCRA. [FN126] The Act also places restrictions on redisclosure of personal financial information received by third parties from financial institutions. Moreover, institutions are specifically prohibited from disclosing account numbers or access codes to third parties for use in telemarketing, direct mail marketing, or e-mail marketing purposes. Furthermore, Gramm-Leach-Bliley does not pre-empt state laws that grant greater protections to personal information, so institutions and their attorneys formulating privacy policies are not relieved of the necessity of consulting state banking or general privacy laws.
All institutions (whether or not they disclose personal information) are required to formulate privacy policies and to provide them to each customer when the customer relationship is established and at least annually as long as the relationship continues. [FN127] Unlike COPPA, Gramm-Leach-Bliley does not require the institution to divulge the uses to which the information will be put, nor does the law grant the consumer any right of access to the information collected or require the privacy policy to discuss access.
The issue of disclosure to corporate affiliates was a major point of contention during the debates on Gramm-*706 Leach-Bliley, as might be expected in connection with a law that would allow your health insurer to affiliate with your bank and your broker. For the time being, the affiliates have won this battle: the law imposes no new restrictions on disclosure of information among corporate affiliates. However, the law does not expressly authorize such disclosures and it specifically does not override the provisions of FCRA relating to affiliates. The result would seem to be that financial institutions may exchange "transactions and experience" information with affiliates, as permitted by FCRA, but the exchange with affiliates of information sourced in part from third parties may require prior notice and an opt-out opportunity, if the information would otherwise constitute a "consumer report" and the institution is a "consumer reporting agency" under FCRA. [FN128]
Gramm-Leach-Bliley leaves many questions to be answered by implementing regulations, which because of the wide variety of institutions affected could be promulgated by a handful of different agencies. [FN129] Among *707 the most provocative questions is that of what businesses will be considered "financial institutions." The law [FN130] defines this key term to mean institutions engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956, a section replaced in its entirety by Section 103 of Gramm-Leach-Bliley. The primary function of the new section, which runs some ten single-spaced pages, is to define (and allow federal regulators to further define) the types of activities the new financial holding companies and their affiliates may engage in, and includes such broad terms as "indemnifying against loss," "providing investment advisory services," "providing any device or other instrumentality for transferring money or other financial assets," and "facilitating financial transactions for the account of third parties." That these descriptions, designed to expand the reach of permissible activities for financial institutions, should also serve as a snare for all other businesses engaged in these activities by designating them as "financial institutions," seems more likely a drafting error than an affirmative policy choice on the part of Congress, but only time and implementing regulations will tell whether this will be their effect.
Gramm-Leach-Bliley may be law now, but the privacy battle it spawned has merely changed venue. Before Gramm-Leach-Bliley was signed into law, twenty-three House members introduced H.R. 3320, the Consumer Right to Financial Privacy Act, which is still pending. This bill would rewrite Title V of Gramm-Leach-Bliley to treat affiliates the same as unrelated third parties; [FN131] to require affirmative opt-in for any disclosure to affiliates or third parties of personal financial information, or for any use of that information other than as necessary to effect, *708 administer, or enforce the transaction for which it was gathered; [FN132] and to give consumers access to, and a right to dispute, information maintained about them. [FN133] In addition, the law would broaden (if possible) Gramm-Leach-Bliley's definition of "financial institution" to expressly include those engaging in activities that are "incidental or complementary to financial activities." [FN134]


Medical records have long been recognized as deserving of special confidentiality, a recognition reflected in a longstanding proliferation of special-purpose confidentiality laws at both the state [FN135] and federal [FN136] levels. As medical records have moved wholesale into electronic form and their transmission over data networks has become routine, concern over medical privacy has grown in parallel and has begotten more legislative activity. According to one source, over 300 bills relating to medical records confidentiality were introduced in state legislatures *709 in 1999 alone. [FN137] In the federal arena, several comprehensive healthcare information privacy bills are currently pending in Congress, [FN138] but the most important development is the issuance of proposed privacy regulations [FN139] by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). [FN140] HIPAA required issuance of such regulations if comprehensive federal legislation governing privacy of electronic medical records were not passed by August 21, 1999, and proposed regulations were published November 3.
The proposed regulations will apply directly to all individually-identifiable health information that is, or has been, maintained or transmitted in electronic form by health care providers, health plans, and health care clearinghouses; [FN141] indirectly they will apply to a much broader population, because when the directly-regulated entities disclose healthcare information to business partners such as subcontractors, practice management companies, auditors, accreditation agencies and the like, *710 they are required to obtain confidentiality agreements from these recipients. [FN142]
The regulations restrict disclosure of health information other than for purposes directly related to treatment, payment for treatment, and internal operations of the regulated entity, [FN143] unless the patient affirmatively opts in to additional disclosures via a consent meeting seven specified criteria. [FN144] In addition, the regulations grant patients strong rights of access to their data, [FN145] including copying rights, along with the right to require correction of inaccurate or incomplete data. [FN146]
Unique to these regulations is a provision requiring the regulated entities to give an accounting to the patient of when, why, and to whom the patient's information has been disclosed, other than the core disclosures allowed by the regulations. [FN147] Finally, the regulations require health care providers and plans to provide patients with a privacy policy which recapitulates the major elements of the regulations.
The HIPAA regulations do not establish uniformity in the treatment of medical information; as with Gramm-Leach-Bliley, state statutes and regulations are pre-empted only to the extent that they offer less protection to *711 patients than the regulations. In effect, the regulations establish a lowest common denominator, albeit quite a high one. It remains to be seen whether this failure to establish a uniform regime for the protection of all medical data will give new impetus to the comprehensive bills now languishing in committee; in the meantime, affected entities have two years to adapt their systems and business processes before the HIPAA rules become final. As the increasing migration of healthcare information networks to the web collides with the security, access and correction rights granted by the HIPAA rules, these rules will profoundly shape the future of health-data websites.


Other sector-specific federal laws apply to information which could conceivably be gathered on a website but which today ordinarily is not, such as cable television subscriber records [FN148] and video rental data. [FN149]


This bill [FN150] is not yet law, and the FTC is on record that it may not be needed. [FN151] But it is typical of the bills *712 regulating privacy practices - the sticks to self-regulation's carrot - that are regularly introduced and reflect, to varying degrees, the FTC's Fair Information Practices. [FN152] This proposal would require commercial websites to post privacy policies and to implement the principles of choice, access, and security - essentially COPPA without the special protections for children. Like COPPA, the bill delegates regulatory authority to the FTC and, for industries exempt from FTC jurisdiction, assigns enforcement responsibility to the appropriate federal regulatory agencies (e.g., the Comptroller of the Currency for national banks). This bill and others like it serve as a warning that any site currently avoiding Fair Information Practices merely because none of the existing laws apply to *713 it, may soon face the need to redesign its site, its practices, and its policies.


It doesn't. What is most apparent about this loose assortment of laws is the combinatorial complexity resulting from their inconsistent treatment of every major variable. Some laws regulate only particular types of information, and only in the hands of certain classes of business, while others apply to all personally identifying information gathered from particular classes of person. Under some laws the method of collecting the information is critical; under others it is irrelevant. The boundary between opt-out and opt-in mandates shifts depending on the context. Some laws regulate both disclosure and use, others, only disclosure; some grant access rights and others do not; and some laws afford private remedies while others depend on enforcement by one or more of a gaggle of regulators. And the hoppers are full of proposals for change.
Because of the fragmented and overlapping quality of the laws in this field and the likelihood of equally fragmented, incremental change, it is generally impractical for a website to tailor its practices to applicable law as to each category of information. As a result, complying with the "highest common denominator" - the strictest rule applying to any information processed by the site - is usually necessary as to all information collected. It is enough to make one wonder whether the European model of comprehensive data-privacy laws may have its advantages after all.


*714 If adopting a privacy policy is "doing the right thing," it is no less imperative to "do the thing right." Two recurring points stand out in the discussion so far: first, a valid consent solves many problems; second, the key to avoiding liability is to have practice follow policy. With these principles in mind, and with an eye towards likely changes in one's own organization, a website can seize control of the risks and define the terms of its covenant with the public. For a very simple website, this may not be difficult, but as websites increase in complexity and the boundaries between them become less distinct, implementing a bulletproof policy may not be as easy as it looks.


Plenty of good privacy policies are available on the web for copying, and TRUSTe, the Direct Marketing Association, and even the Organization for Economic Cooperation and Development host sites that will generate a customized draft of a privacy policy based on one's answers to a list of questions. Why not just pick one of these policies and be done with it? Comparing any two sophisticated policies, or one generated by TRUSTe and one by the DMA, shows why: they're all different. A policy is functional only to the degree that it matches the business model and activities of the site, and deals with any special legal requirements that may apply. The permutations are as limitless as the creativity of website developers. And from a customer relations viewpoint, policy, practices, and the tone or personality of the notice may need to be tailored to the site's target audience (remember the zZounds example? [FN153]). The issues are *715 complex enough that IBM has announced a new privacy policy consulting service, with basic workshops starting at $15,000, [FN154] and privacy audits (including systems reviews) by Big Five accounting firms can easily run into six figures. [FN155]
The way to create a policy that meets your site's distinctive needs is to use a process that ensures that all the relevant issues will be systematically addressed. Our recommended process includes four steps: (1) an Audit of current practices; (2) Goal Setting; (3) Policy Formulation, Drafting, and Site Design; and (4) Implementation and Maintenance. At each stage, participation and buy-in by each relevant constituency-- marketing and sales, strategic planning, business development, information systems and website design, and legal-- is critical. Experience suggests that none of these groups can reliably describe what the others are doing at any given time, much less predict what they will want to do or why; and hence any marketer who gives a proxy to the information systems department (or vice-versa) on issues of site design or policy probably deserves what they get. We will summarize the steps in this process and then return for a closer look at some important policy and drafting issues.
1. Audit. You can't formulate or document a policy unless you know exactly what your site does. Step one is to analyze how you collect, use, and disseminate information, both within your organization and with affiliates and other third parties. Every place information *716 is collected and each way of collecting it-- registration, contests, special offers, orders, mailing-list subscriptions, notification services and user customizations, as well as passive data-collection methods, such as cookies-- needs to be catalogued, and the information collected should be identified. [FN156]
Once identified, the information must be traced to its destinations, internal and external. The following questions should be answered: How is the data analyzed or combined with data from other sources? [FN157] To whom is it available within your organization (including affiliates), and how are they authorized to use it? How do they actually use it? How do they plan to use it? It is helpful to divide the existing and anticipated uses for the data into primary uses (those necessarily incident to the purpose for which the information was collected), and secondary uses (those related to purposes different from those for which the information was collected).
With respect to primary uses, determine whether you outsource any portion of the function (such as order fulfillment or credit card verification). If you do, you must determine whether there are appropriate restrictions on the outsourcing party's use and disclosure of the data. Is data being collected that is not used, and if so, why? [FN158] *717 This is also a good time to evaluate the physical and technical means used to keep the data secure.
If data is shared with third parties for secondary uses, what are those uses, and is there a contractual prohibition against unrelated uses and further disclosure? Are there means for detecting unauthorized use, such as "seeded" names in the data? [FN159] Do you have the right to remove a user from the third party's list upon request? Are there contracts requiring you to continue to provide any of these parties with data for a specified time, thus limiting your flexibility to implement more conservative data practices?
As web pages become more elaborate and marketing and content partnerships more common, the boundaries within which a privacy policy applies may become indistinct. Therefore, you should review the site for co-branding or other joint marketing sections, frames of third-party content, and other third-party links where it may not be evident who is collecting the information. Then you should consider clarifying this by means of relabeling, alerts, conspicuous links to the relevant party's privacy policy, or a combination of these in order to clearly define your privacy "jurisdiction." [FN160] Where third parties are collecting data directly from your site (as opposed to your disclosing it to them), have you imposed contractual privacy rules in order to avoid guilt by association?
You should also search your site to locate all statements about the use of information collected or about privacy *718 rights-- especially isolated statements that should be folded into a comprehensive policy or eliminated altogether. One "rogue" statement can undo careful drafting elsewhere. [FN161] Be alert, as well, for statements that contradict one another. Last June, United Airlines found itself in a public-relations nightmare on this score when users noticed that what the website's privacy policy gave, the user agreement took away. Although the privacy policy pledged that United would not authorize any use of profile information except by the consumers themselves, the click-wrap "terms and conditions" statement said that by using the site, users gave their "express and unambiguous agreement" [FN162] that they had "no expectation of privacy" [FN163] resulting from the use of United's services. Further, through the click-wrap agreement, users gave their "express and unambiguous approval" [FN164] for United to use their personal information "for purposes of solicitations, promotions, and marketing programs." [FN165]
The audit phase concludes with an analysis of whether any special legal requirements apply as a result of any of three considerations: (1) the type of information collected *719 (e.g., health status), (2) from whom it is collected (e.g., children or Europeans), or (3) how it is used or disclosed (e.g., credit reporting). This analysis lays the groundwork for decisions on how to comply with, or become exempt from, those requirements.
2. Goal Setting. The next step is to consider what you really want to do with the data and with your website in the foreseeable future. This step can be skipped if the site meets your needs, but most audits result in ideas for improvement. If the site will be redesigned, new business models adopted or data practices changed, the privacy policy must reflect or anticipate these changes.
The major issue is the role of information collection and disclosure within the overall business plan; the fact that this exercise concerns data does not mean that the goal must be to collect as much data as possible and to maximize its use and disclosure. Do you want to position your site as a "privacy ally," to take a middle-of-the road stance, or to place emphasis on the other benefits your site offers, while maximizing your freedom to use consumer data? Could you win more business with less trouble by focusing on better customer service instead of emphasizing data mining? Are you willing to make strong commitments, or is your goal to minimize any possible liability?
Redesigns must also pass the practicality test: do you have the technical ability and financial strength to implement a data-management system reflecting the new business model? A potential redesign could include adding tags indicating when information was first collected (to track which version of an amended privacy policy applies) and for what purpose the information was collected (to distinguish between primary and secondary uses for that data), or to segregate data on children or EU residents and process it differently. Likewise, if your *720 business has both online and offline data harvesting operations but uses a single company-wide database, you must either apply the website privacy policy to all data, even that gathered offline, or tag data according to its origin and design your systems to process it accordingly. The cost of redesigning back office data structures can be startling [FN166] and may far outweigh the benefits of a redesign that looks good on paper, especially if you are modifying a "legacy system" that was only recently installed. In that case, it may make more sense to scale back target-marketing ambitions and to adopt conservative data practices.
Finally, any redesign may reopen questions raised in the audit phase: would the new practices trigger special legal burdens, or require cooperation or new assurances from third parties to whom you disclose information?
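The tagging scheme described in the goal-setting step, as an added example that is not from the article: each record carries its collection date, origin, subject class and consent flags, and a check uses those tags to decide whether a proposed secondary use is permitted under the policy version that was posted when the data was collected. It also applies the COPPA age-field rule and the EU opt-in rule for sensitive data from earlier sections; the policy versions, dates and use names are constructed for illustration.

```python
"""Added example: provenance tags on personal-data records and a use/disclosure
check driven by those tags. Policy versions, dates and use names are constructed."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import FrozenSet, List, Optional, Set, Tuple


class Purpose(Enum):
    PRIMARY = "primary"      # necessarily incident to the purpose of collection
    SECONDARY = "secondary"  # a different purpose, e.g. marketing


@dataclass(frozen=True)
class PolicyVersion:
    """One revision of the site's posted privacy policy (constructed values)."""
    label: str
    effective: date
    secondary_uses: FrozenSet[str]  # secondary uses this version disclosed to visitors


@dataclass
class Record:
    """A unit of personal data with the tags the redesign would add."""
    subject: str
    collected_on: date          # tracks which policy version applies
    origin: str                 # "web" or "offline"
    age: Optional[int] = None   # as entered on the form, if asked
    eu_resident: bool = False
    sensitive: bool = False     # EU special categories (health, religion, union, ...)
    opted_in: Set[str] = field(default_factory=set)   # explicit opt-ins by use
    opted_out: Set[str] = field(default_factory=set)  # exercised opt-outs by use


# Constructed policy history: v2 added partner marketing that v1 never mentioned.
POLICIES: List[PolicyVersion] = [
    PolicyVersion("v1", date(1999, 6, 1), frozenset({"own_marketing"})),
    PolicyVersion("v2", date(2000, 3, 1), frozenset({"own_marketing", "partner_marketing"})),
]


def age_field_valid(age: Optional[int]) -> bool:
    """Form-level rule: entries of 0-12 (or none) are invalid, so the site never
    knowingly collects information from children twelve and under."""
    return age is not None and age >= 13


def policy_in_force(record: Record, policies: List[PolicyVersion] = POLICIES) -> Optional[PolicyVersion]:
    """The policy version posted when the data was collected, or None if none was."""
    applicable = [p for p in policies if p.effective <= record.collected_on]
    return max(applicable, key=lambda p: p.effective) if applicable else None


def may_use(record: Record, use: str, purpose: Purpose,
            apply_web_policy_offline: bool = True,
            policies: List[PolicyVersion] = POLICIES) -> Tuple[bool, str]:
    """Decide whether a proposed use is permitted by the tags on the record.

    Returns (allowed, reason). The order of checks matters: child data is refused
    outright, primary uses pass, and secondary uses must have been disclosed in the
    policy in force at collection and cleared by the applicable consent rule."""
    if record.age is not None and not age_field_valid(record.age):
        return False, "child data: refuse absent verifiable parental consent"
    if purpose is Purpose.PRIMARY:
        return True, "primary use incident to the original purpose"
    if record.origin == "offline" and not apply_web_policy_offline:
        return False, "offline data is outside the website policy; route to offline rules"
    policy = policy_in_force(record, policies)
    if policy is None:
        return False, "collected before any policy was posted; no notice was given"
    if use not in policy.secondary_uses:
        return False, f"use '{use}' was not disclosed in {policy.label}, in force at collection"
    if record.eu_resident and record.sensitive:
        # Safe Harbor: sensitive EU data needs an express opt-in for incompatible uses.
        if use in record.opted_in:
            return True, "sensitive EU data with explicit opt-in"
        return False, "sensitive EU data requires explicit opt-in"
    if use in record.opted_out:
        return False, "subject exercised the opt-out offered in the notice"
    return True, f"permitted by {policy.label} with an opt-out opportunity"


if __name__ == "__main__":
    old = Record("u1", date(1999, 12, 1), "web", age=30)
    print(may_use(old, "partner_marketing", Purpose.SECONDARY))  # denied: v1 never disclosed it
```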
3. Policy Development, Drafting and Site Design. With the goals defined, the next step is to map out in detail how the website will handle data, and to reflect that map in a privacy policy and a site and data structure design. Again, coordination and feedback among technical, marketing, legal and other constituencies as the design progresses are critical to keep policy and practice from diverging.
The threshold question is whether to join one of the "privacy seal" programs, since doing so will both drive the policy development process and circumscribe the available policy options. These programs have many advantages; in particular they instill confidence without a "need to read" the privacy policy itself. But they also impose additional start-up and maintenance costs and demand certain minimum disclosures and practices that may not be *721 required otherwise. [FN167] These programs have teeth; in addition to expulsion from the program for noncompliance, either BBBOnLine or TRUSTe could sue for breach of the promises in its licensing contract. [FN168] Worse, a failure to comply with BBBOnLine's dispute resolution mechanism may earn you a referral to the FTC. BBBOnLine may conduct an unscheduled inspection of your website, and TRUSTe uses technical means to detect any privacy policy changes you may implement. Be aware that these programs may also ratchet up their membership requirements from time to time. [FN169]
Most other policy issues involve choosing how the site will implement Fair Information Practices, a subject discussed separately below.
4. Implementation and Maintenance. The final step is implementing the new policy and data practices. At this point, human factors may be even more important than technical measures such as testing the database, setting security parameters, and protecting against hackers. The *722 greatest risk of unauthorized use or disclosure comes from employees, and the greatest risk with employees is not malevolence but ignorance. Employees should be trained on the substance and importance of the new policy and held accountable for misuse or improper disclosure. In some cases separate employee-directed policies may be needed to complement the online policy, especially in organizations where there are many sources of personal data other than the website. Where website data is shared with affiliates, both the policy (or contractual restrictions) and employee awareness efforts should follow the data. In general, the more consistent data policies are across such an organization, the less likely a catastrophic mistake becomes.
Implementation may require establishing or amending contractual relationships with third parties. If the privacy policy gives assurances about third-party use of personal data, all existing third-party contracts should be reviewed for restrictions consistent with these assurances, and procedures should be in place to ensure imposition of privacy obligations in all new relationships with third-party users, including support contractors and outsourcers. Of course, if the data is valuable, contractual restrictions on use and further disclosure should be routine, though the "privacy" rubric may not be in evidence. Here the interests of the consumer and the collecting website are aligned because the former's privacy is the latter's confidential business information. Likewise, agreements for links or for framed or embedded third-party content may need to be modified to make sure that it will be obvious when a user has left your privacy policy's "jurisdiction."
Finally, management policies should require that any change to the website structure or data-entry screens, to the privacy policy, to third-party data sharing or partnering *723 arrangements, or to the database structure or access rights, must be checked against the privacy policy considerations mentioned above (including legal review) and authorized by responsible executive management. If applicable, procedures should be established for notifying the privacy seal program of the change.
We turn now to a discussion of policy choices that must be made, and of some drafting opportunities and pitfalls.


The easy generalities of fair information practices must ultimately give way to concrete policies. [FN170] Here are some of the implementation issues to be considered.


A privacy policy should be conspicuous; if your policy is user-friendly, you want users to know it, and if your policy is aggressive, you don't want anyone to be able to claim they didn't see it. Ideally, the home page, every data-entry screen, and every invitation for the user to e-mail information should include a prominent link to the policy. As to alerts or other signals that different policies will apply to linked sites and co-branded areas, a balance must be struck between the likelihood of user confusion in each case and design and clutter considerations. It may be useful to delegate this problem to the third parties involved.
*724 In addition to the question of site boundaries vis-à-vis unrelated third parties, the notice should address the boundaries of the privacy policy as it relates to corporate affiliates, other operating divisions, and data gathered through sources other than the website. [FN171]
If you want to simplify your legal obligations by excluding data from sources like children or non-United States residents, or if access to parts of the site or special features is conditioned on disclosure of personal data, the notice should so state. If you match data submitted on the site with data from other sources to build a more complete profile, it may be appropriate to disclose this. Certainly, if the merged data is made available to third parties, this should be disclosed. If you intend to purchase supplemental data on consumers, bear in mind that doing so may require disclosing personal information (e.g., a list of names, social security numbers, or other unique identifiers) to the supplemental data vendor, and this will have to be disclosed in your privacy policy.


A major policy consideration is the extent to which user choice will be an all-or-nothing decision. For example, in order to register for special features on your site, must the user agree to secondary uses of the data submitted, or will you allow a user to register and veto secondary uses? [FN172] It *725 may make sense to vary your rule depending on whether the primary use mainly benefits the website or the user; it would be foolish to condition a product sale upon consent to secondary use and third-party disclosure because some sales will be lost as a result, but conditioning contest entries upon such consent is a different story. The rule could also be varied among different secondary uses. For example, allowing use of demographic data for targeted banner ads may be required as a condition of registration, but the user could be permitted to opt out of disclosure to third parties.
Another issue is opt-out versus opt-in choice. The former will yield the most data since data flow continues until the user takes steps to stop it; the latter is best if you want to be perceived as a privacy ally. Opt-in decisions need to be easily reversible.
"Consent" is another word for choice. Where applicable law requires user consent, you must decide whether to rely on the theory that an opt-out scheme affords "implied consent," or whether to require opt-in with an audit trail to be on the safe side. COPPA and the EU Privacy Directive foreclose this issue in some cases by requiring opt-in consent.
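The data-tagging redesign described in the business-model discussion above (collection date and policy version, primary purpose, origin, and segregation of children's and EU residents' data) and the opt-in versus opt-out choice with an audit trail just discussed can be made concrete in code. The following Python is an added illustration, not code from the article or from any company or seal program it describes; the policy versions, purposes, record fields and the rule that children's and EU residents' data require express opt-in are constructed assumptions chosen to mirror the text, not a statement of what any law requires.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed, hypothetical policy history: for each policy version, the
# secondary purposes that version disclosed to the user. A secondary use that
# the version in force at collection did not disclose is refused outright.
POLICY_VERSIONS = {
    "2000-01": {"targeted_ads"},
    "2000-06": {"targeted_ads", "third_party_sharing"},
}


@dataclass
class ConsentEvent:
    """One entry in the consent audit trail (constructed structure)."""
    purpose: str
    granted: bool        # True = user consented, False = user declined or withdrew
    mechanism: str       # "opt-in" (express assent) or "opt-out" (implied unless withdrawn)
    recorded_at: datetime


@dataclass
class PersonalRecord:
    """A personal-data record carrying the provenance tags the text proposes."""
    subject_id: str
    collected_at: datetime      # when the data was first collected
    policy_version: str         # policy version in force at collection
    primary_purpose: str        # purpose for which the user disclosed the data
    origin: str                 # "website" or "offline" (brick-and-mortar, purchased list)
    is_child: bool = False
    eu_resident: bool = False
    consent_log: List[ConsentEvent] = field(default_factory=list)

    def record_consent(self, purpose: str, granted: bool, mechanism: str,
                       when: Optional[datetime] = None) -> None:
        """Append to the audit trail; consent is never overwritten, only superseded."""
        when = when or datetime.now(timezone.utc)
        self.consent_log.append(ConsentEvent(purpose, granted, mechanism, when))

    def latest_consent(self, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for a purpose wins, so opt-in decisions stay reversible."""
        latest = None
        for event in self.consent_log:
            if event.purpose == purpose and (
                latest is None or event.recorded_at >= latest.recorded_at
            ):
                latest = event
        return latest


def use_permitted(rec: PersonalRecord, purpose: str,
                  website_policy_covers_offline: bool = False) -> Tuple[bool, str]:
    """Decide whether a proposed use of a record is consistent with the tags it carries.

    Returns (allowed, reason). The rules below are the assumptions stated in the
    lead-in, not a legal determination.
    """
    # Origin tag: the website policy governs offline-sourced data only if the
    # company chose to apply it company-wide.
    if rec.origin != "website" and not website_policy_covers_offline:
        return False, "offline-origin data is outside the website policy"

    # Purpose tag: the primary use is always what the user was told.
    if purpose == rec.primary_purpose:
        return True, "primary use"

    # Policy-version tag: a secondary use must have been disclosed at collection.
    disclosed = POLICY_VERSIONS.get(rec.policy_version, set())
    if purpose not in disclosed:
        return False, f"secondary use not disclosed in policy {rec.policy_version}"

    consent = rec.latest_consent(purpose)

    # Segregation tags: children's and EU residents' data require express opt-in;
    # silence (no event) is not treated as consent.
    if rec.is_child or rec.eu_resident:
        if consent is not None and consent.granted and consent.mechanism == "opt-in":
            return True, "secondary use with express opt-in consent"
        return False, "opt-in consent required for children and EU residents"

    # Everyone else: opt-out model, permitted unless the user has said no.
    if consent is not None and not consent.granted:
        return False, "user opted out"
    return True, "secondary use under opt-out model"


if __name__ == "__main__":
    # Constructed sample records exercising each tag.
    adult = PersonalRecord("u1", datetime(2000, 2, 1, tzinfo=timezone.utc),
                           "2000-01", "order_fulfilment", "website")
    print(use_permitted(adult, "targeted_ads"))         # allowed under opt-out
    adult.record_consent("targeted_ads", False, "opt-out")
    print(use_permitted(adult, "targeted_ads"))         # refused: opted out
```

A practical point the code makes visible: because the audit trail is append-only and the most recent event wins, an opt-in that is later withdrawn is refused without losing the evidence that consent once existed, which is exactly what a site relying on express consent would want to be able to show.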


A key question is exactly what data the user will have access to, the main distinctions being among data collected on the website, data collected or purchased elsewhere, and preference or profile data derived through analysis of the *726 first two. The EU Privacy Directive contains an exclusion for access to processed data where the processor's trade secrets would be exposed. [FN173] Companies with extensive operations outside of the website are well advised to make it clear that the policy's access provisions apply only to data collected on the website, unless subject to contrary legal requirements. By making this clear, a company avoids the burdensome obligation to seek out and make available all data in the company's possession concerning a particular consumer. [FN174]
With respect to passively collected data such as cookie or log file data, the question is whether to grant access at all, since this data may not be comprehensible without further processing.


Policy questions as to security include how extensive your technical and human-factor security measures will be, and how much detail about those measures should be revealed to the public. An overly detailed description can both compromise the effectiveness of the security measures and unduly commit the website to these particular procedures.


What enforcement mechanisms will you allow or require users to pursue? The privacy seal programs *727 impose their own requirements in this regard but do not limit other remedies for consumers. Limiting users' options for enforcement may be both prudent and achievable, as we will see in the next section.



Considering enforcement leads to the question: what is the legal effect of a privacy policy? As between the website and the user, a privacy policy bears all of the earmarks of a contract, but perhaps one enforceable only at the option of the user. It is no stretch to regard the policy as an offer to treat information in specified ways, inviting the user's acceptance, evidenced by using the site or submitting the information. The website's promise and the user's use of the site and submission of personal data [FN175] are each sufficient consideration to support a contractual obligation. Under this analysis, users would have the right to sue and seek all available remedies for breach of the privacy policy, without the need for private rights of action under such regulatory statutes as the FTC Act.
But for the website, this contract may be a net full of holes, one that the website may get caught in but the user may easily slip through. Many popular websites use contractual concepts by making statements such as, "By using this site you agree to our privacy policy," or even riskier, "We may change our policy at any time, so check back here frequently; your continued use following the posting of a policy change constitutes consent to the new *728 policy." These statements are sometimes contained in a privacy policy accessible only through a tiny link at the bottom of the home page that can be found only by actively scrolling down the page. Any website that relies on the binding effect of such a "contract," for example, by expanding its third-party disclosure of pre-existing customer data, [FN176] is treading on dangerous ground. In such a case there is no independent evidence that the user assented to this "contract." In contrast, if the user wishes to enforce the contract, she has only to affirm that, in fact, she did read and accept the website's offer to protect her information and relied on its assurances when she entrusted the site with her personal information.
Of course, in order to claim the benefits of this contract, the user would have to acknowledge having accepted it, and this gives the website an opportunity to turn contractual obligation to its advantage by including protective provisions. But relying on acknowledgment by the consumer as a condition precedent to a contract claim does not solve the amendment problem mentioned above (where the contract assented to was the original one), nor does it afford protection against tort liability or generate a legally reliable consent when one is required by law.


The more unavoidable the privacy notice, the less opportunity for a disgruntled user to claim that he did not see, read, or understand the privacy policy. At a minimum, links to the privacy notice should be conspicuously placed next to data-collection "submit" buttons. [FN177] But why not go a step further and ensure that a bilateral contract is in force? If a privacy policy is essentially a contract enforceable at the option of the user, there is no downside to making the contract mutual. The express assent manifested by a click-wrap agreement [FN178] offers valuable opportunities for moderating risk.
Click-wrap contracts are regularly formed on websites. When a purchase is made, the user is typically asked to agree to terms and conditions, and sites that allow user postings such as discussion forums and chat rooms usually require member agreements as a condition of registration. By incorporating the privacy policy into a click-wrap user agreement, or turning it into one, the website can potentially limit remedies and damages, exclude consequential damages, provide for notice of and a right to cure any breach, require mandatory dispute-resolution mechanisms such as a negotiation-mediation-arbitration sequence, specify governing law and forum, shorten the statute of limitations, extract representations from the user (e.g., as to nationality or age), provide for contingencies *730 through a force majeure clause, and create clear evidence of binding consents or waivers.
Given the minimal money damages likely to result from any given privacy breach and the probability that most consumer complaints can be resolved with a sincere apology and a promise to do better (or to delete the information), it is fair to ask whether a contractual privacy policy is overkill. The two-word answer is: class actions. In the context of the web, with its computerized user databases and instantaneous communication across a global network, a privacy-policy violation is more likely to involve 10,000 individuals than only one. Wherever individual damages are small, plaintiffs numerous, and fact patterns similar, class action attorneys will soon follow. [FN179] And they are not interested in apologies or data deletions unless they can be translated into fee dollars.
In Hill v. Gateway 2000, Inc., [FN180] the Hills brought a warranty and RICO claim against Gateway and managed to get it certified as a class action. The Gateway product had come with a shrink-wrap contract containing a mandatory arbitration clause, which the trial court refused to enforce. The Seventh Circuit reversed, enforced the arbitration clause and nullified the class action certification. Since most arbitration rules do not *731 accommodate class actions, an alternative dispute resolution clause such as that used by Gateway may effectively neutralize the class action threat. [FN181]
Another advantage of a bilateral contract is that it can provide a meaningful mechanism for amendment, should it ever be necessary to change the privacy policy in ways that might be considered adverse to the user. The example given previously, where the site warns of unilateral amendments and advises the user to check in periodically, might be viewed as less overreaching if a user can be shown to have expressly agreed to it. Also, it seems very likely that amendments would be enforceable if accompanied by a prior e-mail to the user with an opportunity to opt out or delete his/her data rather than accept the change. Privacy expectations seem to be a one-way ratchet-- the more users learn about corporate data practices, the more privacy they demand, and the more the legislative process grants privacy rights-- but there are still many cases in which a user-unfriendly amendment might be desirable. Examples include situations where a privacy-oriented business model did not work, or where the website is acquired by another business with a different privacy policy.


Whether or not a click-wrap agreement is adopted, contract drafting concepts such as coverage, clarity, caution and conciseness should be brought to bear on the privacy policy. The challenge is to be clear and concise, and to use plain language, without making overly broad or *732 absolute promises. There is a difference between promising "your data is secure" and saying, "we use industry-standard security measures to protect your data." From the website's point of view, the former cries out for a protective list of exceptions-- the many ways security can be compromised-- but the latter speaks for itself. Should you say, "Your data will never be released without your consent," or "We will never authorize release of your data without your consent?" Perhaps it depends on how much you trust your systems, your security, and your employees. Confining promises to objective facts within the promisor's control is the heart of the drafting art.
A second important consideration involves identifying the necessary exceptions to the privacy promise. In the preceding example, exceptions would be needed for release under subpoena, search warrant, court order, civil investigative demand, or other compulsory process such as civil discovery. A cautious drafter might also except disclosures necessary to protect the website's rights or to prevent harm to other individuals; to identify persons who may be violating the law, the user agreement, or the rights of third parties; [FN182] and to cooperate with investigations of purported unlawful activities. In some cases routine disclosures to regulatory agencies, such as bank examiners, may also be necessary. Some website owners believe that they cover all of these situations with the statement that they will never willfully disclose personal information without consent.
As this article illustrates, privacy policies divide naturally into two components: fairly simple principles and detailed implementation of those principles. The former tend to be reassuring, the latter stupefying. Many of the *733 better privacy policies take advantage of this division by beginning with the reassuring general principles and referring the reader to a list of "Frequently Asked Questions," or just an expanded discussion, for all of the details, qualifications, examples, explanations and exceptions.


The drafting principles of coverage and of caution can eliminate many legal problems with privacy policies because both principles address the issue of consistency between the written policy and the activities that it describes. We close with an illustration: the issue of boundaries, of where the policy applies and where it does not-- an area where many privacy policies have foundered and where many more are ticking time bombs.
Coverage means identifying every place where a user might mistakenly assume that your privacy policy applies and preempting that false assumption. Using the results of the audit and policy formulation phases, the drafter would make clear who is collecting the data in co-branded or partner areas and whose privacy policy applies, warn users about outward links and framed third-party sites, and identify to what extent, if any, the site has imposed privacy requirements on these third-party sites. The data-gathering activities of banner ad cookies would also be mentioned and excepted.
A site that hosts third-party home pages under a common domain name should certainly mention that those pages are not covered by the host privacy policy, although this is seldom done. Some corporations maintain multiple sites under similar brands or domain names, or linked to one another as a network, but with different privacy policies. Since users would tend to assume that a *734 company's sites would all share the same policy, the drafter would need either to consolidate the policies or to identify the different sites and warn the users that privacy policies may vary. Outsourcers such as employee-leasing companies or web-hosting firms should be mentioned, along with their coverage by the policy or by narrower confidentiality agreements. And if a company wants to allow affiliated entities to use its customer data, it may wish to define the boundaries of its organization to include present and future affiliates [FN183] at the cost of having the policy apply to those as well.
If the privacy policy is intended to apply only to information gathered over the internet, it should specifically exclude data collected through other means, such as data gathered by unrelated brick-and-mortar operations of the company or its affiliates and data purchased or leased from other parties. As mentioned earlier, in some industries (e.g., financial services), for some types of information (e.g., health information), and for some companies (e.g., those subject to the EU Privacy Directive) common legal obligations will apply regardless of how the information was gathered, and for the sake of administrative simplicity it will be necessary to devise a common policy across the entire organization. Where this is not necessary, it may be unwise - at least if the website's privacy policy restricts the use of information meaningfully more than is required by law.
An example of the impact of careful boundary drafting is the RealNetworks incident in November 1999, when it was discovered that the company's RealJukebox software was transmitting to the company information about the users' music collections, unbeknownst to the users (and *735 possibly unbeknownst to RealNetworks' senior management as well). RealNetworks was a TRUSTe licensee and TRUSTe promptly launched an investigation, ultimately determining that RealNetworks had not violated its online privacy policy because the information in question had not been gathered through its website. This led to the establishment by TRUSTe of a pilot program for privacy policies relating to software products, the first of which was adopted by RealNetworks.
The principle of caution looks to the future and anticipates change. The boundaries of an organization may shift over time, and yet in an environment where acquisitions and divestitures are announced daily, few privacy policies provide for this possibility. [FN184] Sharing information with a new parent, its other subsidiaries, a merged entity, or an acquired entity is not only common, but may be essential to the viability of many business combinations and so should be expressly foreshadowed in the privacy policy. Likewise, it may be wise to reserve the right to disclose or duplicate the customer database in order to sell the assets of an operating division.


An effective privacy policy expresses a delicate balance of marketing, legal, technical, and customer-relations *736 issues, and successfully implementing a policy for a complex site can be challenging. Following the process suggested here should result in a privacy policy and information practices that are mirror images of one another, enabling the website to offer privacy assurances with confidence and to manage confidences with assurance.

[FN1]. J.D., Yale University, 1975; B.A., Yale University, 1972. Mr. Killingsworth is Co-Chair of the Intellectual Property and Technology Group of the Atlanta and Washington firm Powell, Goldstein, Frazer & Murphy, and advises clients on licensing, strategic alliances, e-commerce and other technology-related business matters. He can be reached at (404) 572-6600 or at skilling

[FN2]. Council Directive 95/46, 1995 O.J. (L 281) 31 [hereinafter EU Privacy Directive].

[FN3]. P. Sprenger, Sun on Privacy: 'Get Over It' Wired News (Jan. 26, 1999) <>. McNealy is the Chairman and CEO of Sun Microsystems, which is both the developer of the Java programming language used to implement applets in web browsers and a member of the Online Privacy Alliance.

[FN4]. Because similar personal information may be shared with a number of sites, and because there is a delay between the initial disclosure of information and the onset of such aggravations as unsolicited electronic mail (e-mail) messages, the exact source of the privacy invasions is often hidden from the consumer. This disconnection between cause and effect can lead to a "one bad apple" syndrome whereby the actions of a small number of irresponsible websites may be attributed to the Internet as a whole.

[FN5]. Many of the privacy concerns and principles discussed in this article can be traced to a 1973 study by the Department of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens. According to a 1992 survey, over two-thirds of Americans believed that "the present uses of computers are an actual threat to personal privacy" and that "if privacy is to be preserved, the use of computers must be sharply restricted in the future." Equifax-Louis Harris Consumer Privacy Survey, Equifax Executive Summary 1992 4 (visited Nov. 3, 1999) <>.

[FN6]. See <http://> for an explanation of reports available to advertisers subscribing to DoubleClick's "Boomerang" service, including answers to such questions as "What are your customers' interests? Where do your customers work? When are your customers online? and Where do your customers live?" According to DoubleClick, all of this information is collected anonymously <http://>, but see note 7 below. (All sites visited January 29, 2000).

[FN7]. Consumers who voluntarily submit personally-identifying information to websites that participate in DoubleClick's Abacus Alliance may find that this information is disclosed to DoubleClick and then associated with the anonymously-gathered data about their web browsing generally (described above), unless they specifically opt out at each participating site visited <http://> (visited January 29, 2000). DoubleClick apparently offers an opt-out cookie that is effective throughout its network, but on January 29, 2000 the author received only error messages when attempting to activate this feature at <http://>.

[FN8]. This Orwellian-sounding term refers to an analysis of attitudes, interests and opinions as distinct from mere demographic data; such an analysis can bring improvement in predictive success.

[FN9]. Tara Lemmey, President of Narrowline (now Executive Director of the Electronic Frontier Foundation), quoted in Esther Dyson, Privacy Protection: Time to Think and Act Locally and Globally, Release 1.0, (Apr. 1998) <http://>.

[FN10]. In the Matter of GeoCities, a corporation, FTC File No. 9823015 <http://>.

[FN11]. Id.

[FN12]. Id.

[FN13]. The FTC action and proposed settlement were first announced in early June 1998, in SEC filings in connection with GeoCities' upcoming public offering that August. GeoCities, Corp., SEC Form S-1 Registration Statement (June 12, 1998) < 001328.txt>.

[FN14]. GeoCities, FTC Docket No. C-3850 (decision and order) (Feb. 5, 1999) <>.

[FN15]. Regarding children's issues, a similar settlement was reached in May 1999 with Liberty Financial Companies; see In re Liberty Fin. Cos., FTC File No. 9823522 (agreement containing consent order), (visited Sept. 28, 1999) <>.

[FN16]. Privacy Online: A Report to Congress, FTC report (June 4, 1998) <> [hereinafter Privacy Online] was sent to Congress June 4, 1998.

[FN17]. Child Online Privacy Protection Act of 1998, 15 U.S.C. 6501-6506 (1998) [hereinafter COPPA].

[FN18]. 15 U.S.C. 45 (1998).

[FN19]. In this instance "legal perspective" seems oxymoronic: despite what law school teaches, business is about much more than avoiding every possible risk.

[FN20]. See infra Part VI.f (discussing the EU Privacy Directive).

[FN21]. Industries with regulated information practices include healthcare, banking, video rentals, cable television, and telecommunications.

[FN22]. Detailed results can be viewed at Business Week/Harris Poll: Online Insecurity, Business Week (last modified Mar. 5, 1998) <http://> [hereinafter Online Insecurity].


[FN24]. See Online Insecurity, supra note 22 (finding that despite the benefits of registering at websites, 59% of Internet users never do).


[FN26]. Examples of such products include anonymous proxy servers for browsing privacy and anonymous e-mail remailing services.

[FN27]. Louis Harris & Assoc., Inc. and Alan F. Westin, supra note 23 (noting that 91% of net users and 96% of those who buy products or services online call privacy policies "important" or "very important." For computer users who are not yet online, the figure was 94%).

[FN28]. A. Westin, "Freebies" and Privacy: What Net Users Think (visited Sept. 28, 1999) <> (reporting on a February 1999 poll by Opinion Research Corp. for Privacy & American Business).

[FN29]. See Online Insecurity, supra note 22 (finding that 62% of respondents would increase their Internet usage).

[FN30]. See id. (finding that 57% of respondents would increase their amount of purchases).

[FN31]. TRUSTe/Boston Consulting Group Consumer Survey (visited Oct. 8, 1999) <> states that information practice policy statements make it two to three times more likely that a consumer will provide personal information to a website; 56% of users in the Business Week/Harris Poll, supra note 22, indicated that a privacy statement would make it more likely for them to register at a website.

[FN32]. Approximately 65% of commercial websites in March 1999 included some form of information practices statement, in contrast to only around 14% of commercial websites in the previous year. Further, virtually all of the top 100 sites include some information practices statement, with eighty-one sites boasting a more or less comprehensive privacy policy. The first figure is from Mary J. Culnan, Georgetown Internet Privacy Policy Survey: Report to the Federal Trade Commission (Mar. 1999), which evaluated 361 "dotcom" sites selected randomly from the top 7,500 sites. The 14% figure is from Privacy Online, supra note 16, an FTC study of 1400 sites. While these two studies are not direct equivalents, the trend towards adopting privacy policies is undeniable. The data on the top 100 sites is from Professor Culnan's study, Privacy and the Top 100 Sites: Report to the Federal Trade Commission (June 1999) sponsored by the Online Privacy Alliance. While these upbeat figures mask wide variation in adherence to recognized privacy principles, they all support the present point that a site without a policy increasingly stands out from the crowd.

[FN33]. See Lorrie Faith et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, AT&T Labs-Research Technical Report TR 99.4.1 (Mar. 25, 1999) <http://> [hereinafter Beyond Concern] (citing Christine Hine & Juliet Eve, Privacy in the Marketplace, 14(4) The Info. Soc. 253, 261 (1998) for the proposition that where a website does not explain the purposes for which it gathers and uses personal information, consumers are likely to concoct their own unfavorable opinions about the website's intentions).

[FN34]. See Beyond Concern, supra note 33 (finding that sharing data with third parties was the most important criterion users evaluate in deciding whether to reveal information to a website).

[FN35]. has even adapted the reverse-auction model as a "black box"; the buyer fills out a form specifying the desired product and the desired price, sends an email with this information (absent the buyer's identity) to its list of registered retailers, collects the replies and forwards them to the buyer. The buyer can then follow up with a vendor if she wants to accept its offer. The "middleman" feature not only preserves anonymity, it also enables to collect its fees, which are based not on sales but on the number of e-mails to which the given vendor replies. See, e.g., (visited Sept. 29, 1999) <> (providing an outline of the black-box-auction model).

[FN36]. < page=privacy&z=493782266316>.

[FN37]. Welcome to Juno (visited Oct. 25, 1999) <>. A recent Juno advertisement (targeted to online advertisers, rather than to consumers) states that "nearly 7 million Juno subscribers have filled out a member profile with more in-depth personal questions than your mother asks."

[FN38]. See Welcome to The MyPoints Program (visited Sept. 29, 1999) <http://> (explaining that MyPoints participants are offered redeemable points-- an Internet version of trading stamps-- when they participate in MyPoints promotions or buy in response to MyPoints offers. A recent advertisement claims better than a 20% response rate to MyPoints e-mail advertising campaigns).

[FN39]. See, e.g., Alex Nash, Yahoo Retracts Unlisted Home Addresses, CNET (Apr. 25, 1996), <> (describing the consumer outrage and Yahoo's rapid retreat when it was learned that Yahoo's new People Search service disclosed some 85 million unlisted home addresses and telephone numbers).

[FN40]. TRUSTe (visited Sept. 29, 1999) <>.

[FN41]. BBBOnLine (visited Sept. 29, 1999) <>.

[FN42]. A "secondary use" is a use of information for a purpose other than that for which it was originally disclosed, such as use in a direct-marketing campaign of a mailing address originally obtained for product shipment.

[FN43]. Child Online Privacy Protection Act of 1998, 15 U.S.C. 6501-6506 (1998) [hereinafter COPPA]. See BBBOnLine: The Children's Privacy Seal (visited Sept. 29, 1999) < privacy.htm> (stating that BBBOnline's seal requirements are based on COPPA); TRUSTe License Agreement Rev. 5.0 Appendix C (last modified June 25, 1999) <> (stating that TRUSTe's children guidelines are based on COPPA).

[FN44]. See BBBOnLine: Privacy Program Eligibility Criteria (visited Nov. 2, 1999) <> (covering requirements for BBBOnLine Privacy Seals); TRUSTe License Agreement Rev. 5.0 (last modified Aug. 8, 1999) < agreement.html> (requiring licensees to agree to particular and comprehensive rules before awarding Privacy Seals).

[FN45]. See BBBOnLine: Privacy Program Eligibility Criteria, supra note 44 (disclosing requirements to which a business must agree in order to qualify for a BBBOnLine Privacy Seal).

[FN46]. TRUSTe Approves 1000th Web Site, TRUSTe press release, January 12, 2000 <>.

[FN47]. Press Release, BBBOnLine's New Privacy Seal Program Opens for Business (Mar. 17, 1999) <>.

[FN48]. BBBOnLine Approved Privacy Participants (visited Jan. 26, 2000) <>.

[FN49]. Cheskin Research and Studio Archetype/Sapient, eCommerce Trust Study, at 16 (Jan. 1999) <>.

[FN50]. At the time, the BBBOnLine privacy seal program was not in effect; the seal in question was BBBOnLine's Reliability Seal, which relates to business practices other than privacy, but it is probably safe to assume that the organization's privacy seal would garner comparable responses.

[FN51]. Debra Valentine, About Privacy: Protecting the Consumer on the Global Information Infrastructure, 1 Yale Symp. on L. & Tech. 4, at para. IV, B.1 (1998).

[FN52]. See Maryann Jones Thompson, Tech Firms Still Top List of Net Advertisers, The Industry Standard (May 20, 1999) <http://,1283,894,00.html> [hereinafter The Industry Standard] (ranking advertisers for 1998; Microsoft was first and IBM second with combined advertising expenditures of $63.4 million).

[FN53]. Kim Girard, IBM To Pull Web Ads Over Privacy Concerns, CNET (Mar. 31, 1999) <>.

[FN54]. Microsoft Pushes Net Privacy Policy (June 23, 1999) <http://>.

[FN55]. Disney and Go Network Institute Comprehensive New Advertising Policy to Promote Industry Adoption of Online Privacy Standards (June 29, 1999) < http://>. The Go Network is one of the top five websites, and The Industry Standard, supra note 52, ranked its constituent Infoseek as the sixth largest advertiser on other websites in 1998.

[FN56]. Privacy Promise (visited Oct. 2, 1999) <http://www.the->.

[FN57]. DMA will help you create your own Company's Online Privacy Policy (visited Oct. 2, 1999) <>.

[FN58]. See Privacy Online: A Report to Congress at 54 n.73 (visited Oct. 2, 1999) <> (listing 11 associations that submitted guidelines or principles for the FTC's consideration).

[FN59]. See id. app. E (reporting the submitted guidelines).

[FN60]. Id. at 7-11. Many other organizations have modeled their recommended information practices on the FTC list. See, e.g., Online Privacy Alliance, Guidelines for Online Privacy Policies (visited Oct. 2, 1999) < http://> (including headings of notice, choice, access, and security); Elements of Effective Self-Regulation for Protection of Privacy (visited Oct. 2, 1999) <http://> (including headings of notice, choice, access, security, and enforcement).

[FN61]. This simple requirement conceals difficult questions about the practicality and necessity of disclosing to a consumer such database-resident information as their clickstream records, or the inferences drawn from that data by use of analysis programs. Likewise, questions abound as to the obligation to disclose to consumers information about them that has been acquired from third-party sources.

[FN62]. On January 21, 2000, the FTC announced the appointment of a 40-member Advisory Committee on Online Access and Security to advise the FTC staff on policy issues surrounding the issues of what constitutes "reasonable access" and "adequate security." Its charter calls for a final report from the Committee by May 15, 2000, "describing options for the implementation of access and security online, and the costs and benefits of each option." FTC Press Release, "Online Privacy Committee Members Named," January 21, 2000 <http://>. Interestingly, the FTC's COPPA regulations on security and integrity have a Sphinxlike brevity (16 C.F.R. 312.8), so the Advisory Committee may well be a harbinger of expanded COPPA regulations on this point.

[FN63]. The Online Privacy Alliance, a consortium of over 80 companies and associations involved in e-commerce, advocates that self-regulation via third party privacy seal programs is sufficient. However, they take pains to say that complaint-resolution processes of seal programs should not prevent the consumer from pursuing "other available legal recourse." Online Privacy Alliance, Effective Enforcement of Self Regulation (visited Oct. 3, 1999) <http://>.

[FN64]. See discussion infra Part VI.f (discussing the EU Privacy Directive).

[FN65]. See supra note 5 (discussing the 1973 study).

[FN66]. 5 U.S.C. 552a (1974).


[FN68]. As early as 1905, the Supreme Court of Georgia had recognized the right to privacy as against misappropriation of one's likeness. Pavesich v. New England Life Ins. Co., 122 Ga. 190, 50 S.E. 18 (1905).

[FN69]. See, e.g., Privacy Online, supra note 58, at endnote 160; letter from Ambassador David L. Aaron, Undersecretary of Commerce for International Trade, to industry representatives on the subject of proposed Safe harbor principles under the EU Privacy Directive (Nov. 4, 1998) <http://>.

[FN70]. OPA White Paper: Online Consumer Data Privacy in the United States (Nov. 19, 1998) <>.

[FN71]. Restatement (Second) of Torts 652D (1976).

[FN72]. Id. at comment a. This standard is seldom met in ordinary business transactions. For example, in Tureen v. Equifax, Inc., 571 F.2d 411, 419 (8th Cir. 1978), Equifax's disclosure of the plaintiff's medical underwriting history to her health insurer, at the insurer's request, was held not to be sufficiently "public" for an invasion of privacy cause of action.

[FN73]. McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998).

[FN74]. Philip Shenon, Navy and America Online Settle Case on Gay Privacy, N.Y. Times, June 12, 1998, available at <http://>.

[FN75]. Id. In related litigation, the Navy was found to have violated both its own "don't ask, don't tell" policy and the Electronic Communications Privacy Act. McVeigh, 983 F. Supp. at 220-21.

[FN76]. Prepared Statement of the Federal Trade Commission "Consumer Privacy on the World Wide Web": Hearings Before the Subcommittee on Telecommunications, Trade and Consumer Protection of the House Committee on Commerce, 105th Cong. n.23 (1998) (statement of Robert M. Pitofsky, Chairman of FTC): "[The FTC Act] grants the Commission authority to seek relief for violations of the Act's prohibitions on unfair and deceptive practices in and affecting commerce, an authority limited in this context to ensuring that Web sites follow their stated information practices."

[FN77]. Letter from Jodie Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, to Center for Media Education (July 15, 1997) <>.

[FN78]. See infra Part IX (discussing Contract Concepts).

[FN79]. Nonprofit organizations are exempt, just as they are exempt from the FTC Act.

[FN80]. E.g., by virtue of information entered in an "age" field in the data-collection screen.

[FN81]. COPPA, supra note 17, 1303(b)(1)(A)(i).

[FN82]. "Verifiable parental consent" is defined id. 1302(9).

[FN83]. Id. 1303(b)(1)(A)(ii).

[FN84]. Id. 1303(b)(1)(B)(ii).

[FN85]. Id. 1303(b)(1)(B)(i), (iii).

[FN86]. COPPA, supra note 17, 1303(b)(2).

[FN87]. Id. 1303(b)(1)(C).

[FN88]. Id. 1303(b)(1)(D).

[FN89]. Id. 1304. Since the approved programs would have to mirror the requirements of the law and the underlying factual questions of compliance would be essentially the same with or without the safe harbor, it is not immediately obvious what substantive difference the safe harbor makes, but it does show a willingness by the government to outsource some of its compliance-enforcement work to industry groups, where the industry groups would no doubt prefer that it reside.

[FN90]. Id. 1303(a)(1).

[FN91]. 16 C.F.R. pt. 312, issued October 20, 1999.

[FN92]. 16 C.F.R. 312.2 defines "disclosure" as including any means of making personal information publicly available, such as "public posting through the Internet, or through a personal home page posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room."

[FN93]. 16 C.F.R. 312.5(b)(2).

[FN94]. 16 C.F.R. 312.4(b).

[FN95]. 16 C.F.R. 312.4(b)(2).

[FN96]. 16 C.F.R. 312.4(b)(1).

[FN97]. 18 U.S.C. 2510-2522, 2701-2711 (1994).

[FN98]. Id. 2510(4).

[FN99]. Id. 2510(8) (emphasis added).

[FN100]. Id. 2510(12) (emphasis added).

[FN101]. Id. 2511(2)(d).

[FN102]. Suppose a website, as a result of monitoring browser requests to its server, tags an individual as a regular participant in a closed forum on "Living with a Diabetic." The explicit communication from the browser is merely to access a page with a particular address, and the website is a party to that communication with the presumptive right to disclose it. However, given the known subject-matter of discussions in the forum, does disclosure to a marketer of the nature of the page requested constitute an interception and disclosure of the broadly defined "contents" of the user's communications within the forum, communications to which the website operator is not a party?

[FN103]. 18 U.S.C. 2511(2)(d), (3)(b)(ii) (1994).

[FN104]. See Griggs-Ryan v. Smith, 904 F.2d 112 (1st Cir. 1990) (finding that consent to the recording of telephone calls is presumed where the landlady informed a tenant that all incoming calls would be recorded). With privacy policies, the question is: what if the user claims not to have seen the policy?

[FN105]. 15 U.S.C. 1681-1681t (1994 & Supp. III 1997).

[FN106]. 15 U.S.C. 1681a(d) provides that covered information includes information "bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living."

[FN107]. Id. 1681b(3).

[FN108]. 15 U.S.C. 1681a(d)(2)(A)(i).

[FN109]. Id. 1681a(d)(2)(A)(iii).

[FN110]. This distinction is the subject of Trans Union Corp. v. FTC, 81 F.3d 228 (D.C. Cir. 1996), where the Federal Circuit held that targeted marketing lists were not necessarily "consumer reports" even though they were created from data originally gathered to be used in conventional credit reports, on the dubious grounds that the routine inclusion of this data in credit reports did not prove that particular data was actually expected to be used as a factor in credit decisions when it was collected. The court remanded to the FTC for further factual determinations, and an FTC Administrative Judge made the required factual determination and held Trans Union in violation of FCRA. In re Trans Union Corp., No. D-9255 (July 31, 1998) <http://>. Trans Union has appealed the order to the full Commission.

[FN111]. For a general discussion of the history of United States-EU discussions over the application of the "adequacy" test to the United States, see Scott Killingsworth and Brett Kappel, Safe Harbor in Muddy Waters? Commerce Department Proposes Voluntary Principles for Compliance with EU Privacy Directive, 1 E-Commerce Law Report 2 (Dec. 1998/Jan. 1999).

[FN112]. United States Department of Commerce, Draft International Safe Harbor Principles (Apr. 19, 1999) <> [hereinafter "Draft Safe Harbor"].

[FN113]. It would appear that under the EU Privacy Directive, affiliates of the collector of the information would be considered "third parties" if they are not processing the data on behalf of the collector, which would mean the individual must be given opt-out privileges to prevent proposed transfers to these affiliates. EU Privacy Directive, supra note 2, art. 2, (f). The Draft Safe Harbor does not adopt the Privacy Directive's definitions, however, and uses the flexible and undefined term "organization" to describe the collector of data.

[FN114]. Draft Safe Harbor, supra note 112, (referring to Principle 6 and Note 6). See United States Department of Commerce, Draft Frequently Asked Questions, Access (April 19, 1999) <> (referring to Questions 1 and 2 and Endnotes 104).

[FN115]. Office of Thrift Supervision News Release, Thrifts Urged to Post Privacy Policies as Part of Transactional Web Sites (June 10, 1999) <http://>.

[FN116]. Office of the Comptroller of the Currency Advisory Letter 99-6, Guidance to National Banks on Web Site Privacy Statements (May 4, 1999) <>.

[FN117]. FDIC Financial Institution Letters, Electronic Commerce and Consumer Privacy (Aug. 17, 1998) <http://>; FDIC Financial Institution Letters, Online Privacy of Consumer Personal Information (last modified July 17, 1999) <http://>.

[FN118]. 15 U.S.C. 1693-1693r (1994), specifically 1693c(9). The law applies to all accounts with an electronic funds transfer feature.

[FN119]. 12 C.F.R. 205.7(b)(9) (1999); Federal Reserve Board Official Staff Commentary, 12 C.F.R. 205.7(b)(9)-1 (1999).

[FN120]. S.900, enacted November 12, 1999 (hereinafter "Gramm-Leach-Bliley").

[FN121]. 12 U.S.C. 377.

[FN122]. What information is considered "publicly available" is to be defined by implementing regulations, Gramm-Leach-Bliley 509(4)(B).

[FN123]. Compare with COPPA, which applies to information only if it is gathered both online and from a child, but applies to all information linked to the child's identity.

[FN124]. Gramm-Leach-Bliley includes a number of exceptions to the third-party-disclosure rule for such practical matters as using third parties to help fulfill a transaction between the consumer and the institution, or to market to the consumer on behalf of the institution, in each case under a confidentiality agreement; to enforce obligations of the consumer; to protect against fraud; to comply with law or respond to legal process, etc.

[FN125]. Gramm-Leach-Bliley 502.

[FN126]. In hearings on the bill, the FTC had testified that the sale by financial institutions of their direct "transactions and experience" data "raises serious privacy concerns." Federal Trade Commission, Prepared Statement of the Federal Trade Commission before the Subcommittee on Financial Institutions and Consumer Credit Committee on Banking and Financial Services, United States House of Representatives on Financial Privacy, the Fair Credit Reporting Act, and H.R. 10 (visited July 21, 1999).

[FN127]. Id. 503.

[FN128]. See the discussion of FCRA supra Part VI.E. This treatment of financial institution affiliates only seems Byzantine; in fact it is merely labyrinthine. The provisions of FCRA addressing disclosures to affiliates ( 603(d)(2)(A)(iii) of FCRA, 18 U.S.C. 1681a(d)(2)(A)(iii)) are in the form of exceptions to the definition of a "consumer report." Hence disclosures permitted by this section would be otherwise prohibited by FCRA only if, but for these exceptions, the information would constitute "consumer reports," a definition that itself partakes not only of the nature of the information included but also of the purposes for which it is gathered or used. Moreover, FCRA's prohibitions apply principally to "consumer reporting agencies," those who for a fee regularly furnish consumer reports.

[FN129]. Gramm-Leach-Bliley 504 requires the Federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the Securities and Exchange Commission and the FTC all to prescribe regulations, after consultation with the National Association of Insurance Commissioners, by May 12, 2000. Section 504(b) exhorts these agencies to coordinate their efforts, and so far they have done so.

[FN130]. Id. 509(3).

[FN131]. H.R. 3320, 502.

[FN132]. Id. 502(b)(1) and 508(6).

[FN133]. Id. 503(a)(4) and (5).

[FN134]. Id. 508(3).

[FN135]. See, e.g., O.C.G.A. 24-9-40 (1993) (medical records generally); O.C.G.A. 33-21-23 (1992) (HMO records); O.C.G.A. 31-8-114 (1996) (long-term care facility records); O.C.G.A. 24-9-47 (1990) (AIDS records); O.C.G.A. 37-3-166 (1995) (mental health records); O.C.G.A. 31-22-4 (1996) (sexually transmitted and communicable disease clinical laboratory tests).

[FN136]. See, e.g., Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, codified at 29 U.S.C. 1181 (Supp. III 1997) (mandating security systems for the electronic transmission of health data); 42 C.F.R., 482.24 (1998) (governing hospitals' medical records confidentiality practices); 42 U.S.C. 290dd-3 (1994) (relating to alcohol and drug abuse records) (omitted in the general revision of this part by Pub. L. No. 102-321).

[FN137]. C. Bowman, Uneven State Medical-Record Laws Offer Potential Pitfalls for Health Plans, BNA Health Law Reporter, November 11, 1999, at p.1787.

[FN138]. E.g., Medical Information Privacy and Security Act, H.R. 1057, 106th Cong. (1999) (introduced Mar. 10, 1999); the Health Information Privacy Act, H.R. 1941, 106th Cong. (1999) (introduced May 25, 1999); Medical Information Protection and Research Enhancement Act of 1999, H.R. 2470, 106th Cong. (1999) (introduced July 12, 1999).

[FN139]. 64 Fed. Reg. 59918.

[FN140]. Health Insurance Portability and Accountability Act of 1996, supra note 136.

[FN141]. A health care clearinghouse is an organization that translates health care records from nonstandard formats into standard electronic formats; an example would be a billing intermediary.

[FN142]. One of the more interesting attributes of these confidentiality agreements is that the patients concerned must be made express third-party beneficiaries. HIPAA provides no private right of action, and the question whether a private right of action should be created is among the major issues that have so far derailed passage of comprehensive health information privacy legislation, but this bit of regulatory finesse shows that there is more than one way to create a private right of action.

[FN143]. 64 Fed. Reg. 60053.

[FN144]. 64 Fed. Reg. 60056.

[FN145]. 64 Fed. Reg. 60059.

[FN146]. 64 Fed. Reg. 60060.

[FN147]. Id.

[FN148]. Cable Communications Policy Act of 1984, 47 U.S.C. 551 (1994).

[FN149]. Video Privacy Protection Act, 18 U.S.C. 2710 (1994). Statements that certain types of transactions do not occur on the Internet are often short-lived. In January, 2000, Blockbuster Inc. announced that it had acquired the exclusive right to distribute the MGM film library over the internet. MGM, Blockbuster to Develop Internet Movie Delivery, Reuters, January 18, 2000, accessed via CBS. Query whether pay-per-view streaming video transactions over the Internet would fall within the protection of the Video Privacy Protection Act, which contemplates the delivery of "video cassette tapes or similar audio visual materials."

[FN150]. The Online Privacy Protection Act of 1999, S. 809, 106th Cong. (1999).

[FN151]. Federal Trade Commission, Self-Regulation and Privacy Online: A Report to Congress (visited July 21, 1999) <http://>. While advocating continued monitoring of the progress of self-regulation and refusing to rule out the eventual need for online privacy legislation, the report concluded that "legislation to address online privacy is not appropriate at this time." Id. at *12.

[FN152]. See, e.g., Children's Privacy Protection and Parental Empowerment Act of 1999, H.R. 369, 106th Cong. (1999) (this bill is not confined to Internet contexts and would generally regulate use of personal information on children under 16); Electronic Rights for the 21st Century Act, S. 854, 106th Cong. (1999) (an omnibus e-privacy bill that would, inter alia, amend the ECPA to limit circumstances under which an electronic communications service can reveal subscriber information); the Internet Growth and Development Act of 1999, H.R. 1685, 106th Cong. 201 (1999) (requiring commercial websites to post privacy policies); Personal Information Privacy Act of 1999, H.R. 1450, 106th Cong. 7 (1999) (amending FCRA to prohibit selling "transactions and experience" information about a person without that person's consent and regulating commercial use of social security numbers); Social Security On-Line Privacy Act of 1999, H.R. 367, 106th Cong. 2 (1999) (prohibiting "interactive computer services" (apparently meaning Internet Service Providers) from disclosing users' social security numbers and related information).

[FN153]. See supra note 36 and accompanying text (quoting the zZounds website).

[FN154]. Jeff Partyka, IBM Advises on Online Privacy (July 16, 1999) < http://,1510,11830.00.html>.

[FN155]. A. Lash, Privacy, Practically Speaking, The Industry Standard (Aug. 2-9, 1999) <www.,1449,563,co.html>. The article mentions three audits costing $200,000 or more, and one program that involves quarterly follow-up inspections at $20,000 per inspection. For the record, legal costs are an order of magnitude lower.

[FN156]. For a more complete discussion of audit methods and procedures, see S. Killingsworth, Making it Legal: A Checklist for Web Site Privacy Audits, E-Commerce Law Report, Vol. 2, No. 1 (October 1999), p. 15.

[FN157]. The BBBOnLine privacy program requires disclosures of whether data gathered on the website is merged with data from other sources, since this data-matching can multiply both the original data's usefulness to the website and the sense of intrusion into the user's privacy. Better Business Bureau, Sample Privacy Notice (visited Oct. 4, 1999) <http://>.

[FN158]. Compiling sensitive data just because it is available, with no particular use in mind, is inadvisable since there is no immediate benefit to having it and there is always a risk of inappropriate use or disclosure.

[FN159]. Seeding refers to the practice of inserting into a mailing list fictional or coded names with addresses that lead back to the party who compiled the list, to provide a practical means for that party to monitor the use of the list.

[FN160]. For websites directed at children, the BBBOnLine privacy seal program requires the use of alerts to warn the user when a link leads out of the website; this exceeds the requirements of COPPA and the proposed COPPA regulations. Better Business Bureau, supra note 157.

[FN161]. This may have been GeoCities' problem-- the statements cited by the FTC were not in a single, comprehensive privacy policy, but were scattered among its New Member Application Form, its Free Member E-mail Program web page, and one issue of its World Report newsletter. GeoCities, FTC Docket No. C-3850 (decision and order) (Feb. 5, 1999) <http://>.

[FN162]. T. Wolverton, United Sends Mixed Privacy Messages, CNET (June 4, 1999) <>.

[FN163]. Id.

[FN164]. Id.

[FN165]. Id. At this writing, no explanation for how this occurred had been made public; it is entirely possible that the privacy policy was the later and more authoritative expression of United's intent and that there was simply an administrative oversight in failing to conform the user agreement to it.

[FN166]. One recent project that included a new "opt-out" database cost $250,000. Lash, supra note 155.

[FN167]. For example, both BBBOnLine and TRUSTe regulate use of personally-identifiable information obtained from persons other than the data subject. Further, on children's sites BBBOnLine requires either posting an alert when a link leads to another site where the same privacy rules do not apply, or avoiding altogether links to other child-directed sites that do not follow "core privacy standards." Better Business Bureau, supra note 157.

[FN168]. It is intriguing to note that the BBBOnLine license agreement does not include a "no third-party beneficiary" clause, so conceivably a consumer-- for whose benefit the program presumably exists-- might be able to sue for damages under that agreement if it were advantageous to do so. Better Business Bureau, supra note 157.

[FN169]. Effective June 30, 1999, TRUSTe added to its license agreement new data security requirements and a requirement that consumers have the opportunity to correct inaccurate data. Additionally, a provision for mandatory opt-out for secondary uses and third-party disclosures was added effective August 30, 1999. Changes In TRUSTe License Agreements, TRUSTe Reporter (Spring 1999) <>.

[FN170]. As with any legal drafting problem, there are legitimate questions as to just how detailed and specific a privacy policy should be, but implementing any policy requires more focus than the fair information practices formulations provide.

[FN171]. See infra Part IX.d for a detailed discussion of these issues.

[FN172]. Both BBBOnLine and TRUSTe require that users be allowed to "opt-out" of disclosure of their information to third parties for secondary uses. While an "opt-out" is also required for secondary uses by the website operator, both seal programs allow the operator some latitude in defining what a "secondary use" is in the privacy policy. TRUSTe License Agreement Rev. 5.0, 4.A. (June 25, 1999) <>; BBBOnLine Eligibility Criteria (visited Oct. 31, 1999) <http://>. The current EU Safe Harbor draft seems to offer similar flexibility. Draft Safe Harbor, supra note 112. The FTC's formulation of the Choice principle suggests that consumers should always have a choice as to secondary uses. Privacy Online, supra note 58.

[FN173]. The scope of the Draft Safe Harbor exclusion is subject to ongoing debate. Draft Safe Harbor, supra note 112.

[FN174]. The EU Privacy Directive and the Draft Safe Harbor apply to all information an organization maintains on an individual, so organizations subject to those rules will not be able to limit the application of the privacy policy, or of the policy's access rules, to information gathered through the website.

[FN175]. The online economy leaves no doubt that user "eyeballs" and data have market value to most websites.

[FN176]. Notably, both BBBOnLine and TRUSTe require that a website apply to personal data the privacy policies that were in effect when the data was collected, effectively outlawing "bait and switch" privacy promises by their licensees. See BBBOnLine Eligibility Criteria, supra note 172; Privacy Policy Assessment Questionnaire, Section E1 (visited Oct. 31, 1999) <http://>. Both the Eligibility Criteria and the Assessment Questionnaire are incorporated by reference into BBBOnLine's Participation Agreement (visited Oct. 31, 1999) <http://>. See also TRUSTe License Agreement Rev. 5.0, supra note 172, at Schedule A, 4.F (for an additional example). However, these policies have not prevented some licensees from using the "implied consent to policy change" techniques outlined in this article.

[FN177]. BBBOnLine requires a link to the privacy policy on every page in which data is collected. BBBOnline Eligibility Criteria, supra note 172, "Eligible Sites." The proposed regulations implementing COPPA require similar notice on sites aimed at children. COPPA, Prop. Regs 312.4(B).

[FN178]. Like shrink-wrap software licenses, click-wrap agreements have now received express judicial sanction. Hotmail Corp. v. Van Money Pie, Inc., 47 U.S.P.Q.2d (BNA) 1020 (N.D. Cal. 1998).

[FN179]. See S. Junnarkar, DoubleClick Accused of Unlawful Data Use, CNET (January 28, 2000) < 1534533.html>, quoting Jason Catlett, the founder of Junkbusters, a resource site for privacy-protection measures, as follows: "Based on previous experience...these class-action lawyers follow privacy advocates like ambulance chasers. I think it is inevitable that we will see more suits filed." The article reports on a class-action suit arising out of the DoubleClick acquisition of Abacus, described in note 188 infra.

[FN180]. 105 F.3d 1147 (7th Cir. 1997), cert. denied 522 U.S. 808 (1997). New York has also upheld Gateway's shrink-wrap arbitration clause as against a class action. See Brower v. Gateway 2000, Inc., 676 N.Y.S.2d 569 (N.Y. App. Div. 1998).

[FN181]. For a more detailed discussion of the Gateway case and its implications for class actions, see J. T. Westermeier, How Arbitration Clauses Can Help Avoid Class Action Damages, Computer Law Strategist, Sept. 1997, at 1.

[FN182]. The identification of persons anonymously posting either false information about a publicly-traded stock, or inside information, is an example of this exception.

[FN183]. Under the Draft Safe Harbor, supra note 112, and the EU Privacy Directive, supra note 2, affiliates may be considered "third parties" despite any attempt to characterize them otherwise.

[FN184]. See Wendy Marinaccio, Privacy Advocates Blast DoubleClick Merger, CNET (June 21, 1999) < 343915.html?> (reporting on the outcry against the acquisition of a market research company by one of the web's premier advertising companies, allowing DoubleClick's 1,300 advertising websites to potentially exchange data with Abacus's collection of 1,100 catalog companies). The merger closed November 23, 1999, with results outlined at note 7 supra. It is doubtful, of course, that any privacy policy provision would have prevented this essentially political reaction.
