Practicing Law Institute
Patents, Copyrights, Trademarks, and Literary Property Course Handbook Series
PLI Order No. G0-00DZ
eCommerce Strategies for Success in the Digital Economy September 2000
WEBSITE PRIVACY POLICIES IN PRINCIPLE AND IN PRACTICE
Scott Killingsworth [FN1]
Copyright (c) 1999 - 2000, All Rights Reserved.
I. INTRODUCTION
In principle, privacy policies are simple: if your website collects individually-identifying information about visitors or customers, tell them how and why you collect the information, how it is used and to whom it is disclosed, and give them some choice in the matter. But the short history of personal privacy on the web is already replete with examples of how treacherous the execution of this simple formula can be: Internet icons like Yahoo, DoubleClick, America Online, RealNetworks and GeoCities, and major corporations like United Airlines, have all stumbled on privacy issues. The hazards are many: first, the emerging legal rules, self-regulation models and web-community norms are all moving targets; second, though consistent in thrust, the legal rules differ in important details; and third, there is a noticeable gap between what is legal and what may be necessary to avoid a public-relations disaster. Applying these fragmented, evolving principles to a web-based business that is itself in constant flux can be like trying to thread a needle while roller skating on a boat in choppy seas.
II. DEFINING THE PROBLEM: "YOU HAVE ZERO PRIVACY ANYWAY. GET OVER IT."
Scott McNealy's impulsive remark to a roomful of reporters [FN3] could hardly be more politically incorrect, but it mirrors the perceptions of many on both sides of the privacy fence. On the one hand, some website operators have avidly exploited the Internet's special aptitude for harvesting, sifting, and remarketing information about visitors, often surreptitiously, with little if any respect for the wishes of the individuals involved. On the other, awareness of these zero-privacy practices has led many consumers to develop an abiding distrust of "the Internet," [FN4] with consequent misgivings about disclosing personal data or doing business online.
Though concern about computers and privacy is nothing new, [FN5] the Internet offers unique temptations both for collectors of personal information and for individuals who are asked to reveal it. A department store or mail order house may be able to deduce customer interests by tracking purchases, but on the Internet merchants can track not only what customers buy but also what else they look at and for how long. If the customer arrived at the merchant's site in the usual way, via a hyperlink from a referring site, the merchant's server logs will record the identity of the referring site, providing a source of additional clues about the customer's interests or browsing patterns. Instead of relying on hit-or-miss surveys to assess the efficiency of advertising in bringing customers to the store, web merchants can receive a database-ready audit trail detailing which customers clicked on which ads on their way to the site. With the help of web-based advertising networks that deliver cookies with their banner advertisements and thereby track browsing at all sites participating in the network, a website can learn about its visitors' browsing habits elsewhere on the Internet, their employer types (deduced from top-level domain names), the time of day they browse and where they live. [FN6] Combined with personal demographic information gathered in a registration or transaction process, or purchased from third parties, and analyzed with sophisticated data-mining and predictive programs, this information can become a powerful marketing tool. [FN7] The process is tempting not only because the data is so valuable, but also because obtaining it is so easy. Virtually every "dotcom" startup's business plan includes a section on the site's ability to construct and exploit demographic and psychographic [FN8] profiles of visitors, blurring the "fine line between good service and stalking." [FN9]
For consumers, the temptations to disclose information are many, from the convenience of ordering products online, to the benefits of registered membership in a free community or portal site (such as user-defined content, public or private discussion forums, etc.), to the personalized buying suggestions, and even third-party advertisements, that arrive as a result of making one's self known to a site. And again, it is so easy to disclose the information. The problem is that once the cat is out of the bag, it may be difficult to stop the resulting onslaught of marketing e-mails, savory and otherwise, and direct mail and telephone solicitations, especially if the website has shared the information with third parties.
As the web has matured into a mainstream business channel, the need to strike a more appropriate balance between business and consumer interests has become plain. The backlash of mistrust provoked by some websites' cavalier treatment of personal information threatens to impede the growth of e-commerce, and so enlightened self-interest dictates that the business community focus on building consumer confidence in the web. Privacy policies have become the centerpiece of this effort.
III. THE IMPORTANCE OF BEING EARNEST
The website included statements assuring members that their personal information would be shared with others only in order to provide members the specific advertising they requested, and that optional registration information would not be disclosed without the member's permission. Actually, the members' information had been sold or rented to third parties who used it for other purposes, including targeted advertising. [FN11] As to children, the FTC found that the website created the impression that GeoCities was collecting the contest and registration information, when in fact this was done by third parties hosted on its site. [FN12]
What is most legally interesting about GeoCities is that it is based entirely on misrepresentation. The FTC does not (except under COPPA) have authority either to require websites to post privacy policies, or to prescribe their content, but under Section 5 of the FTC Act it has broad enforcement power over "deceptive acts or practices." [FN18] If instead of saying one thing and doing another, GeoCities had made no promises at all, it might have avoided becoming the most notorious bad example in the history of online privacy.
IV. WHY VOLUNTEER FOR LIABILITY?
A. THE NEW CONFIDENCE GAME
Every web-based business has a stake in consumer confidence. Even brands that already enjoy solid reputations have an interest in avoiding any taint from consumer fear, uncertainty and doubt concerning the web as a whole. And despite the spectacular growth of e-commerce, much doubt remains. Credible studies indicate that concern for privacy is the number one factor keeping non-Internet users off the net, [FN22] and less than a quarter of all web users have actually purchased anything online. [FN23]
The obvious product of this distrust is that people avoid disclosing personal information by opting against online transactions and website registration. [FN24] Less obvious but equally troubling for online marketers is the "garbage in" syndrome: in two recent surveys, over forty percent of Americans who registered at websites admitted to providing false information some of the time, mainly because of privacy concerns; the figure for European registrants was over fifty-eight percent. [FN25] Meanwhile, the market has responded to user privacy concerns with a variety of products and services designed to provide anonymous surfing and to block meaningful tracking of browsing behavior. [FN26] The message to marketers is clear: if you want useful and accurate data, earn it by assuring consumers that you will use it appropriately.
What you do with zZounds today is nobody else's business. And we promise to keep it that way...Not all businesses respect their customer relationships like we do at zZounds. Many businesses, including other large music instrument retailers, are eager to share the information they have collected about you. Your trust and your privacy is for sale to the highest bidder.... This will not happen when you shop at zZounds. [FN36]
Indeed, taking this idea one step further, a growing market niche has developed around the business model in which the website openly bargains for web users' demographic and psychographic profiles in return for a promise of limited anonymity, coupled with the privilege of sending targeted advertising to the users. The message of companies such as Juno [FN37] and MyPoints [FN38] is: tell us what we need to know to send you ads that will interest you, and we will keep your data confidential. To the extent that the marketing actually reflects the user's interests, advertisements will not be "junk mail" to the user, and they will be far more effective on a per exposure basis for retailers.
B. SEAL APPEAL
"Privacy Seal" programs such as those sponsored by TRUSTe [FN40] or BBBOnLine [FN41] may also win consumer confidence. Privacy counterparts to the Good Housekeeping and Underwriters' Laboratories seals, these programs bring the credibility of third-party assessment, verification, and dispute resolution to a website's information practices. These programs also require adherence to certain minimum standards in areas such as notice of information practices, consumer choice as to secondary uses [FN42] of the information and its transfer to third parties, consumer access to stored data, information security, and data integrity. Both organizations have special rules for sites targeted at children, consistent with those of COPPA. [FN43]
The potential of these seal programs to win consumer trust was illustrated by a 1999 survey in which web users were shown twenty-seven certification marks used online, and asked to pick the two marks they were familiar with that most increased their trust of a website. [FN49] The BBBOnLine and TRUSTe marks were ranked second and third (behind only the Verisign symbol), with thirty-six percent of respondents ranking BBBOnLine [FN50] in their top two, and thirty-one percent naming the TRUSTe symbol.
For over four years the FTC has consistently encouraged industry self-regulation efforts such as these seal programs, which promise such benefits to the government as avoidance of the First Amendment issues that arise when the government attempts to control the flow of information, and conservation of limited government enforcement resources. [FN51]
C. GORILLA MARKETING
V. FAIR INFORMATION PRACTICES
The consensus approach to personal information privacy is a market-based model that allows consumers to participate in decisions on disclosure and use of their personal information, within a framework of data security and integrity. As articulated by the FTC, [FN60] the elements of "Fair Information Practices" are notice, choice, access, security, and enforcement.
Consumers are entitled to clear and accessible notice of a website's practices of collecting, using, and disclosing personal identifying information, before the information is collected. Notice is the foundation on which the other principles operate, and accordingly the notice should address matters such as who is doing the collecting, what data is being collected and how it is being collected, how the data will be used, to whom it will or may be disclosed, and the consequences of refusing to give the information. The notice should also discuss the website's policies on choice, access, and security.
Consumers should be offered choice as to how their information is used beyond the purpose for which it was initially provided (e.g., to gain access to website features or to complete a transaction). Choice may be "opt-in" ("click here if you would like to receive valuable information from carefully selected business partners") or "opt-out" ("click here if you prefer not to receive junk mail from total strangers"). "Opt in" offers the stronger privacy protection because it establishes a default rule against disclosure and use.
The most important choice points are those concerning secondary uses by the website gathering the information (such as inclusion in the company's targeted mailing lists), and disclosure of the information to third parties.
Consumers should have reasonable access to stored information about them [FN61] and an opportunity to correct inaccuracies or to have the data deleted.
Websites should take reasonable steps to protect the security of the data, both internally and vis-à-vis outsiders, and to ensure its integrity (freedom from alteration) and accuracy. [FN62]
E. ENFORCEMENT
These principles must be enforceable to be effective. The appropriate enforcement apparatus and the minimum standard of what enforceability means are at the heart of a spirited debate over whether self-regulation is sufficient [FN63] or additional federal legislation is needed. Undoubtedly, the FTC has pressed for universal adoption of privacy policies in part to bootstrap itself into GeoCities-style enforcement authority under section 5 of the FTC Act. Also, a key issue in the negotiations between the United States and the European Union (EU) over the EU Privacy Directive [FN64] has been an EU requirement that enforcement include a right to money damages for those injured by privacy violations.
For young children, there is a codicil to the principles of notice, choice and access: Parents must receive the notice and exercise choice on behalf of young children, and parents should have access to the information on file about their children.
These five principles owe their current acceptance to both their considerable history and their flexibility. First presented in a 1973 study by the Department of Health, Education and Welfare, [FN65] they soon became the framework for the Privacy Act of 1974. [FN66] They were adopted as guidelines by the Organization for Economic Cooperation and Development (OECD) [FN67] in 1980, and with some important refinements, formed the basis of the EU Privacy Directive. Lately, they have been strongly advocated by the Commerce Department and the FTC (the GeoCities order is a roadmap of Fair Information Practices) and have found their way into a number of laws and legislative proposals.
The flexibility that makes these principles so widely acceptable to consumer advocates, government, and industry alike could be equally well described as "vagueness," and the specter of endowing these principles with the force of law - to be further defined, refined, and expanded in the American way, through detailed regulations and endless litigation - is enough to make any businessperson an apostle of self-regulation. Self-regulation, after all, is simply the ability to decide for oneself what "reasonable" means.
VI. THE LEGAL LANDSCAPE
A. PRIVACY TORTS
Although the common law of torts is not currently a major concern for the ordinary business practices of commercial websites, it cannot be ignored. The most relevant common law concept is invasion of privacy by public disclosure of private facts. [FN71] However, this cause of action arises only if the information revealed would be highly offensive or humiliating to a reasonable person, is of no legitimate public concern, and is disclosed widely enough to be "substantially certain to become...public knowledge." [FN72]
The case of naval officer Timothy McVeigh is a cautionary tale for online businesses in this area (although it is by no means clear that the elements of this tort were actually present in that case). [FN73] A Navy investigator duped an America Online (AOL) service representative into confirming that McVeigh was the person behind an AOL user profile that listed the user as being gay; [FN74] the Navy attempted to expel McVeigh from the service on that basis. For AOL, which settled out of court, the incident uncovered a need to redouble its staff education efforts on protection of members' privacy, including "scenario training" aimed at helping customer service representatives deal effectively with attempts to access member information via subterfuge. [FN75]
Looking ahead, website operators should be alert for cases which may lower the threshold of "public disclosure" in light of the ease of wide dissemination of data over the web; but even if this occurs, the likelihood of tort liability for disclosure of ordinary marketing information seems remote. Sites that deal in especially sensitive information such as health status, mental illness, emotional or family problems, and sexual matters are at greater risk. Someday, someone who has ended up on a mailing list targeted at participants in anonymous discussion forums on masochism, obsessive-compulsive disorder, and Ivy League football is going to get mad enough to sue, and just might win.
B. THE FTC ACT
The cornerstone of COPPA is prior "verifiable parental consent" [FN82] to the collection, maintenance, and disclosure of information about children twelve and under. COPPA complements this initial parental "opt-in" [FN83] with a continuing "opt-out" right to stop further use or collection of information from the child [FN84] and also gives parents access rights to stored information. [FN85] Exceptions to the "verifiable parental consent" requirement accommodate the practicalities of getting the consent in the first place (how would you know whose parent to contact or how to contact the parents, unless you ask the child?) and allow isolated e-mail contacts and actions necessary to protect the child's safety, to comply with the law, or to deal with website security issues. [FN86]
Covered websites are prohibited from extracting extraneous information from children as a prerequisite for entering an online contest or other activity [FN87] and are required to use "reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children." [FN88] Finally, the law provides for a "safe harbor" whereby a website will be deemed in compliance with COPPA if it complies with an industry self-regulatory program approved by the FTC. [FN89]
Enforcement of COPPA depends entirely on its implementing regulations; the only actual offense under the law is violation of the regulations. [FN90] The regulations, [FN91] which take effect April 21, 2000, address such issues as defining when a website is "targeted at children," what is considered "personal information," and how to notify parents and obtain verifiable parental consent. As to the latter, the regulations impose, on a transitional basis, a two-tier scheme for consent depending on the activities involved and the use the website intends to make of the information gathered. Until April 21, 2002, initial parental consent for internal uses of information by the website can be obtained via e-mail, with follow-up confirmation via either e-mail, postal mail or telephone; but for disclosures to third parties and online activities such as personal homepages, message boards and chat rooms which inherently disclose information, [FN92] prior consent must be obtained by more reliable (and burdensome) means such as postal mail, use of a credit card, digital signature technology, a toll-free telephone bank with trained operators, or e-mail containing a password issued by the site. After April 21, 2002, all consents must be obtained by the more rigorous means just listed. [FN93]
D. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)
Enacted in 1986 and hence not explicitly addressed to the web as it exists today, the ECPA provides both criminal penalties and civil remedies, including punitive damages, for unauthorized interception or disclosure of electronic communications and unauthorized access to stored communications. [FN97] Parsing through the definitions reveals that the ECPA's reach may be greater than first appears. "Interception" means acquisition of the "contents" of a communication, [FN98] and "contents" is expansively defined to include "any information concerning the substance, purport, or meaning of that communication." [FN99] "Electronic communication" includes "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature," [FN100] a definition broad enough to encompass a browser request for a particular web page, the transmission of a cookie, and other browser-server interactions.
The ECPA has obvious application to the monitoring or disclosure of e-mails, or of discussions in private forums or chat rooms, by a site that provides those services. Presumably the statute's exceptions permitting interception and disclosure by "parties to the communication" [FN101] exempt the collection, analysis, and disclosure of clickstream data by websites; however, in some contexts an argument could be made to the contrary. [FN102]
E. FAIR CREDIT REPORTING ACT (FCRA)
The FCRA [FN105] may apply to a website if it regularly collects and furnishes to others certain types of information [FN106] that may be used for purposes such as credit or insurance underwriting, employment decisions, or deciding whether to enter into a transaction with the person in question. These "consumer reports" may be used only for limited purposes, which do not include the marketing of any products other than insurance and credit. Even for the two industries in which consumer reports may be used for marketing, consumers must have an opportunity to opt out of receiving unsolicited insurance and credit offers. [FN107] An exception to FCRA that allows the use and reporting of one's direct "transactions and experience" with the consumer [FN108] would permit the sharing of most transaction information gathered by most websites from their customers. However, where a website merges its own data with data obtained from other sources and discloses the results, the exception would not apply.
Especially relevant to website privacy policies are several provisions requiring express consumer consent to particular disclosures (e.g., disclosures in connection with employment decisions or medical information). Similarly, an exemption for disclosures of consumer reports to company affiliates applies only if the consumer was clearly and conspicuously informed of the possibility of such disclosures and had an advance opportunity to opt out. [FN109]
F. THE EU PRIVACY DIRECTIVE
The EU Privacy Directive sets minimum standards for personal information processing within the EU, and prohibits the transfer of this data to non-EU countries that do not provide "adequate" privacy protection. [FN111] Because most European nations have had comprehensive privacy statutes for some time, the United States, with its ad hoc or "sectoral" approach, has not been recognized as providing adequate protection.
In 1998, negotiations began between representatives of the EU and the United States Department of Commerce to remedy this discrepancy between the U.S. privacy protection standards and the EU notion of what protection is "adequate." In March of this year the Commerce Department and the European Commission reached an agreement on a set of "Safe Harbor" principles [FN112] that American companies could adopt in order to qualify their data protection practices as "adequate," and so ensure continued access to consumer data from Europe. In effect, the Safe Harbor measures "adequacy" largely in terms of conformity to the EU model.
Once the EU's adoption of the Safe Harbor has become fully effective, EU data protection officials will treat U.S. entities that comply with the Safe Harbor as being in compliance with the EU Directive itself. U.S. companies may qualify for the Safe Harbor either by adopting their own enforceable privacy policies that comply with the Safe Harbor principles or through membership in a self-regulatory organization that polices compliance with the principles. The Safe Harbor protection (and data handling requirements) will apply from the date the company self-certifies its compliance with the principles to the Commerce Department.
Other key provisions of the Safe Harbor principles address access to personal information and enforcement. The principles state that individuals must have access to personal information about them except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of other persons would be violated. Enforcement mechanisms must include rigorous sanctions against companies that certify adherence to the principles but then fail to comply with them.
Besides these substantive differences from the FTC Fair Information Practices, a host of additional issues stem from the fact that the EU Privacy Directive is law and the FTC practices are not. Those who question whether effective self-regulation is really any different from government prescription have only to look at the fastidious and rigid implementation by the EU of the broad principles that the Privacy Directive and the Fair Information Practices have in common.
In light of the additional requirements of the Safe Harbor, American websites will have to decide whether it is worthwhile to accept data from the EU at all, and if so, whether to partition one's data and information practices according to national origin, or to allow the EU principles to govern one's entire operation.
G. FINANCIAL SERVICES REGULATIONS
1. Internet-Specific Regulations. Reflecting the explosive growth of online banking, the Office of Thrift Supervision, [FN115] the Office of the Comptroller of the Currency, [FN116] and the FDIC [FN117] have all recently issued guidance to institutions under their supervision urging them to post privacy policies on transactional websites. For virtually all web-banking accounts, the Electronic Funds Transfer Act [FN118] and implementing regulations [FN119] already require financial institutions to inform customers of the institution's policy on disclosing account information to third parties, including affiliates.
2. Gramm-Leach-Bliley Act. The 1999 Gramm-Leach-Bliley Act, [FN120] also known as the Financial Services Reform Act, represents a dramatic reshaping of U.S. regulation of financial institutions. Its main thrust is to repeal the Glass-Steagall Act [FN121] and to permit financial institutions to affiliate with securities broker-dealers, merchant banks and insurance companies, as well as with a potentially wide variety of other businesses in financial or "complementary" fields.
The issue of disclosure to corporate affiliates was a major point of contention during the debates on Gramm-Leach-Bliley, as might be expected in connection with a law that would allow your health insurer to affiliate with your bank and your broker. For the time being, the affiliates have won this battle: the law imposes no new restrictions on disclosure of information among corporate affiliates. However, the law does not expressly authorize such disclosures and it specifically does not override the provisions of FCRA relating to affiliates. The result would seem to be that financial institutions may exchange "transactions and experience" information with affiliates, as permitted by FCRA, but the exchange with affiliates of information sourced in part from third parties may require prior notice and an opt-out opportunity, if the information would otherwise constitute a "consumer report" and the institution is a "consumer reporting agency" under FCRA. [FN128]
Gramm-Leach-Bliley leaves many questions to be answered by implementing regulations, which because of the wide variety of institutions affected could be promulgated by a handful of different agencies. [FN129] Among the most provocative questions is that of what businesses will be considered "financial institutions." The law [FN130] defines this key term to mean institutions engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956, a section replaced in its entirety by Section 103 of Gramm-Leach-Bliley. The primary function of the new section, which runs some ten single-spaced pages, is to define (and allow federal regulators to further define) the types of activities the new financial holding companies and their affiliates may engage in, and includes such broad terms as "indemnifying against loss," "providing investment advisory services," "providing any device or other instrumentality for transferring money or other financial assets," and "facilitating financial transactions for the account of third parties." That these descriptions, designed to expand the reach of permissible activities for financial institutions, should also serve as a snare for all other businesses engaged in these activities by designating them as "financial institutions," seems more likely a drafting error than an affirmative policy choice on the part of Congress, but only time and implementing regulations will tell whether this will be their effect.
Gramm-Leach-Bliley may be law now, but the privacy battle it spawned has merely changed venue. Before Gramm-Leach-Bliley was signed into law, twenty-three House members introduced H.R. 3320, the Consumer Right to Financial Privacy Act, which is still pending. This bill would rewrite Title V of Gramm-Leach-Bliley to treat affiliates the same as unrelated third parties; [FN131] to require affirmative opt-in for any disclosure to affiliates or third parties of personal financial information, or for any use of that information other than as necessary to effect, administer, or enforce the transaction for which it was gathered; [FN132] and to give consumers access to, and a right to dispute, information maintained about them. [FN133] In addition, the law would broaden (if possible) Gramm-Leach-Bliley's definition of "financial institution" to expressly include those engaging in activities that are "incidental or complementary to financial activities." [FN134]
H. HEALTHCARE LAWS
Medical records have long been recognized as deserving of special confidentiality, a recognition reflected in a longstanding proliferation of special-purpose confidentiality laws at both the state [FN135] and federal [FN136] levels. As medical records have moved wholesale into electronic form and their transmission over data networks has become routine, concern over medical privacy has grown in parallel and has begotten more legislative activity. According to one source, over 300 bills relating to medical records confidentiality were introduced in state legislatures *709 in 1999 alone. [FN137] In the federal arena, several comprehensive healthcare information privacy bills are currently pending in Congress, [FN138] but the most important development is the issuance of proposed privacy regulations [FN139] by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 ("HIPPA"). [FN140] HIPPA required issuance of such regulations if comprehensive federal legislation governing privacy of electronic medical records were not passed by August 21, 1999, and proposed regulations were published November 3.
The proposed regulations will apply directly to all individually-identifiable health information that is, or has been, maintained or transmitted in electronic form by health care providers, health plans, and health care clearinghouses; [FN141] indirectly they will apply to a much broader population, because when the directly-regulated entities disclose healthcare information to business partners such as subcontractors, practice management companies, auditors, accreditation agencies and the like, *710 they are required to obtain confidentiality agreements from these recipients. [FN142]
The regulations restrict disclosure of health information other than for purposes directly related to treatment, payment for treatment, and internal operations of the regulated entity, [FN143] unless the patient affirmatively opts in to additional disclosures via a consent meeting seven specified criteria. [FN144] In addition, the regulations grant patients strong rights of access to their data, [FN145] including copying rights, along with the right to require correction of inaccurate or incomplete data. [FN146]
The HIPAA regulations do not establish uniformity in the treatment of medical information; as with Gramm-Leach-Bliley, state statutes and regulations are pre-empted only to the extent that they offer less protection to *711 patients than the regulations. In effect, the regulations establish a lowest common denominator, albeit quite a high one. It remains to be seen whether this failure to establish a uniform regime for the protection of all medical data will give new impetus to the comprehensive bills now languishing in committee; in the meantime, affected entities have two years to adapt their systems and business processes before the HIPAA rules become final. As the increasing migration of healthcare information networks to the web collides with the security, access and correction rights granted by the HIPAA rules, these rules will profoundly shape the future of health-data websites.
I. OTHER SECTORAL LAWS
Other sector-specific federal laws apply to information which could conceivably be gathered on a website but which today ordinarily is not, such as cable television subscriber records [FN148] and video rental data. [FN149]
J. THE ONLINE PRIVACY PROTECTION ACT OF 1999
This bill [FN150] is not yet law, and the FTC is on record that it may not be needed. [FN151] But it is typical of the bills *712 regulating privacy practices - the sticks to self-regulation's carrot - that are regularly introduced and reflect, to varying degrees, the FTC's Fair Information Practices. [FN152] This proposal would require commercial websites to post privacy policies and to implement the principles of choice, access, and security - essentially COPPA without the special protections for children. Like COPPA, the bill delegates regulatory authority to the FTC and, for industries exempt from FTC jurisdiction, assigns enforcement responsibility to the appropriate federal regulatory agencies (e.g., the Comptroller of the Currency for national banks). This bill and others like it serve as a warning that any site currently avoiding Fair Information Practices merely because none of the existing laws apply to *713 it may soon face the need to redesign its site, its practices, and its policies.
K. HOW IT ALL FITS TOGETHER
It doesn't. What is most apparent about this loose assortment of laws is the combinatorial complexity resulting from their inconsistent treatment of every major variable. Some laws regulate only particular types of information, and only in the hands of certain classes of business, while others apply to all personally identifying information gathered from particular classes of person. Under some laws the method of collecting the information is critical; under others it is irrelevant. The boundary between opt-out and opt-in mandates shifts depending on the context. Some laws regulate both disclosure and use, others, only disclosure; some grant access rights and others do not; and some laws afford private remedies while others depend on enforcement by one or more of a gaggle of regulators. And the hoppers are full of proposals for change.
Because of the fragmented and overlapping quality of the laws in this field and the likelihood of equally fragmented, incremental change, it is generally impractical for a website to tailor its practices to applicable law as to each category of information. As a result, complying with the "highest common denominator" - the strictest rule applying to any information processed by the site - is usually necessary as to all information collected. It is enough to make one wonder whether the European model of comprehensive data-privacy laws may have its advantages after all.
VII. DOING THE THING RIGHT
A. CAN'T WE JUST COPY A FORM?
The way to create a policy that meets your site's distinctive needs is to use a process that ensures that all the relevant issues will be systematically addressed. Our recommended process includes four steps: (1) an Audit of current practices; (2) Goal Setting; (3) Policy Formulation, Drafting, and Site Design; and (4) Implementation and Maintenance. At each stage, participation and buy-in by each relevant constituency-- marketing and sales, strategic planning, business development, information systems and website design, and legal-- is critical. Experience suggests that none of these groups can reliably describe what the others are doing at any given time, much less predict what they will want to do or why; and hence any marketer who gives a proxy to the information systems department (or vice-versa) on issues of site design or policy probably deserves what they get. We will summarize the steps in this process and then return for a closer look at some important policy and drafting issues.
1. Audit. You can't formulate or document a policy unless you know exactly what your site does. Step one is to analyze how you collect, use, and disseminate information, both within your organization and with affiliates and other third parties. Every place information *716 is collected and each way of collecting it-- registration, contests, special offers, orders, mailing-list subscriptions, notification services and user customizations, as well as passive data-collection methods, such as cookies-- needs to be catalogued, and the information collected should be identified. [FN156]
Once identified, the information must be traced to its destinations, internal and external. The following questions should be answered: How is the data analyzed or combined with data from other sources? [FN157] To whom is it available within your organization (including affiliates), and how are they authorized to use it? How do they actually use it? How do they plan to use it? It is helpful to divide the existing and anticipated uses for the data into primary uses (those necessarily incident to the purpose for which the information was collected), and secondary uses (those related to purposes different from those for which the information was collected).
With respect to primary uses, determine whether you outsource any portion of the function (such as order fulfillment or credit card verification). If you do, you must determine whether there are appropriate restrictions on the outsourcing party's use and disclosure of the data. Is data being collected that is not used, and if so, why? [FN158] *717 This is also a good time to evaluate the physical and technical means used to keep the data secure.
If data is shared with third parties for secondary uses, what are those uses, and is there a contractual prohibition against unrelated uses and further disclosure? Are there means for detecting unauthorized use, such as "seeded" names in the data? [FN159] Do you have the right to remove a user from the third party's list upon request? Are there contracts requiring you to continue to provide any of these parties with data for a specified time, thus limiting your flexibility to implement more conservative data practices?
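The "seeded" names mentioned above are a detection control: a record that exists nowhere but in the list handed to one particular recipient, so that any contact arriving at that record reveals which recipient re-used or leaked the data. The following is an added example of how a site could generate and later attribute such seeds; it is not code from the article. The partner names, the seed domain `example.org`, the HMAC key and the "observed" inbound address are all constructed for illustration.

```python
"""Seeded ("canary") records for detecting unauthorised re-use of shared data.

Added example, not code from the article.  Assumes a site shares a list
with several third parties and wants to learn which recipient leaked or
misused it.  The seeds are derived per partner with an HMAC so that the
site can recompute them for attribution but a recipient cannot guess
which record is the seed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Seed:
    partner: str
    name: str
    email: str


def make_seed(partner: str, key: bytes, domain: str = "example.org") -> Seed:
    """Derive one unique, reproducible seed record for a given partner.

    The HMAC tag ties the record to the partner name; different partners
    therefore receive different seeds, which is what makes attribution possible.
    (`domain` is a constructed placeholder for a mailbox the site controls.)
    """
    tag = hmac.new(key, partner.encode("utf-8"), hashlib.sha256).hexdigest()[:10]
    return Seed(partner=partner,
                name=f"Seed {tag[:4].upper()}",
                email=f"s-{tag}@{domain}")


def seeded_list(real_records: List[Dict[str, str]], partner: str, key: bytes) -> List[Dict[str, str]]:
    """Return a copy of the list to be shared with `partner`, with that
    partner's seed record appended.  The original list is left untouched."""
    seed = make_seed(partner, key)
    return real_records + [{"name": seed.name, "email": seed.email}]


def attribute_leak(observed_recipient: str, partners: Iterable[str], key: bytes) -> Optional[str]:
    """Given an address that received unexpected mail, return the partner whose
    seed it is, or None if the address is not one of our seeds."""
    wanted = observed_recipient.strip().lower()
    for partner in partners:
        if make_seed(partner, key).email == wanted:
            return partner
    return None


def demo() -> Optional[str]:
    """Constructed walk-through: three partners each get a seeded copy of a
    two-record list; unsolicited mail later arrives at one seed address."""
    key = b"constructed-demo-key-rotate-in-production"
    partners = ["alpha-mailer", "beta-ads", "gamma-fulfilment"]
    real = [{"name": "Ann Example", "email": "ann@example.net"},
            {"name": "Bob Example", "email": "bob@example.net"}]
    shared = {p: seeded_list(real, p, key) for p in partners}
    # Constructed observation: the seed that went to beta-ads starts receiving mail.
    observed = shared["beta-ads"][-1]["email"]
    return attribute_leak(observed, partners, key)  # -> "beta-ads"


if __name__ == "__main__":
    print("leak attributed to:", demo())
```

Because each partner's seed is distinct, a single unexpected message is enough to attribute the leak; in practice the key should be stored with the same care as other secrets, and the seed mailboxes monitored rather than left to be noticed by chance.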
The audit phase concludes with an analysis of whether any special legal requirements apply as a result of any of three considerations: (1) the type of information collected *719 (e.g., health status), (2) from whom it is collected (e.g., children or Europeans), or (3) how it is used or disclosed (e.g., credit reporting). This analysis lays the groundwork for decisions on how to comply with, or become exempt from, those requirements.
The major issue is the role of information collection and disclosure within the overall business plan; the fact that this exercise concerns data does not mean that the goal must be to collect as much data as possible and to maximize its use and disclosure. Do you want to position your site as a "privacy ally," to take a middle-of-the-road stance, or to place emphasis on the other benefits your site offers, while maximizing your freedom to use consumer data? Could you win more business with less trouble by focusing on better customer service instead of emphasizing data mining? Are you willing to make strong commitments, or is your goal to minimize any possible liability?
Finally, any redesign may reopen questions raised in the audit phase: would the new practices trigger special legal burdens, or require cooperation or new assurances from third parties to whom you disclose information?
Most other policy issues involve choosing how the site will implement Fair Information Practices, a subject discussed separately below.
4. Implementation and Maintenance. The final step is implementing the new policy and data practices. At this point, human factors may be even more important than technical measures such as testing the database, setting security parameters, and protecting against hackers. The *722 greatest risk of unauthorized use or disclosure comes from employees, and the greatest risk with employees is not malevolence but ignorance. Employees should be trained on the substance and importance of the new policy and held accountable for misuse or improper disclosure. In some cases separate employee-directed policies may be needed to complement the online policy, especially in organizations where there are many sources of personal data other than the website. Where website data is shared with affiliates, both the policy (or contractual restrictions) and employee awareness efforts should follow the data. In general, the more consistent data policies are across such an organization, the less likely a catastrophic mistake becomes.
We turn now to a discussion of policy choices that must be made, and of some drafting opportunities and pitfalls.
VIII. SELECTED POLICY AND DRAFTING ISSUES: IMPLEMENTING FAIR INFORMATION PRACTICES
The easy generalities of fair information practices must ultimately give way to concrete policies. [FN170] Here are some of the implementation issues to be considered.
A major policy consideration is the extent to which user choice will be an all-or-nothing decision. For example, in order to register for special features on your site, must the user agree to secondary uses of the data submitted, or will you allow a user to register and veto secondary uses? [FN172] It *725 may make sense to vary your rule depending on whether the primary use mainly benefits the website or the user; it would be foolish to condition a product sale upon consent to secondary use and third-party disclosure because some sales will be lost as a result, but conditioning contest entries upon such consent is a different story. The rule could also be varied among different secondary uses. For example, allowing use of demographic data for targeted banner ads may be required as a condition of registration, but the user could be permitted to opt out of disclosure to third parties.
Another issue is opt-out versus opt-in choice. The former will yield the most data since data flow continues until the user takes steps to stop it; the latter is best if you want to be perceived as a privacy ally. Opt-in decisions need to be easily reversible.
"Consent" is another word for choice. Where applicable law requires user consent, you must decide whether to rely on the theory that an opt-out scheme affords "implied consent," or whether to require opt-in with an audit trail to be on the safe side. COPPA and the EU Privacy Directive foreclose this issue in some cases by requiring opt-in consent.
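The three preceding paragraphs describe design decisions that a consent store has to encode: which purposes are opt-in (default deny) and which are opt-out (default allow), the fact that a choice must be reversible, and the audit trail needed to prove what a user had consented to at a given moment. The following is an added example of such a per-purpose consent ledger; it is not code from the article. The purpose names (`targeted_ads`, `third_party_disclosure`), user ids, timestamps and "source" labels are constructed.

```python
"""Per-purpose consent ledger with an append-only audit trail.

Added example, not code from the article.  It encodes three policy choices
discussed in the text: purposes can be opt-in (default deny) or opt-out
(default allow); any choice can be reversed later; and every choice is
retained so that "was this use permitted at time T?" can be answered
from the record rather than from memory.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class ConsentEvent:
    user: str
    purpose: str      # constructed purpose names, e.g. "targeted_ads"
    granted: bool     # True = user opted in / left it on, False = user withdrew
    at: int           # constructed timestamp (seconds); any monotonic clock works
    source: str       # where the choice was captured, e.g. "registration form"


class ConsentLedger:
    def __init__(self, opt_in_purposes: Iterable[str]):
        # Purposes listed here require affirmative opt-in; all other purposes
        # are treated as opt-out (permitted until the user says otherwise).
        self.opt_in_purposes: FrozenSet[str] = frozenset(opt_in_purposes)
        self._events: List[ConsentEvent] = []   # append-only; never edited or deleted

    def record(self, event: ConsentEvent) -> None:
        """Append one choice to the trail.  Withdrawals are just another event,
        which is what makes an opt-in decision reversible."""
        self._events.append(event)

    def permitted(self, user: str, purpose: str, at: int) -> bool:
        """Was use of `user`'s data for `purpose` permitted at time `at`?

        The most recent event at or before `at` wins.  With no event on record
        the answer is the purpose's default: denied if opt-in, allowed if opt-out.
        """
        relevant = [e for e in self._events
                    if e.user == user and e.purpose == purpose and e.at <= at]
        if not relevant:
            return purpose not in self.opt_in_purposes
        # Stable sort: among events with the same timestamp, the later-recorded wins.
        return sorted(relevant, key=lambda e: e.at)[-1].granted

    def history(self, user: str) -> List[ConsentEvent]:
        """The audit trail for one user, in the order the choices were recorded."""
        return [e for e in self._events if e.user == user]


def demo() -> List[bool]:
    """Constructed walk-through of the registration rule suggested in the text:
    demographic use for banner ads is a condition of registration (opt-out),
    while disclosure to third parties requires an explicit opt-in."""
    ledger = ConsentLedger(opt_in_purposes={"third_party_disclosure"})
    ledger.record(ConsentEvent("u-42", "third_party_disclosure", True, 1000, "registration form"))
    ledger.record(ConsentEvent("u-42", "third_party_disclosure", False, 2000, "preferences page"))
    return [
        ledger.permitted("u-42", "targeted_ads", 500),             # opt-out default: True
        ledger.permitted("u-42", "third_party_disclosure", 500),   # opt-in default: False
        ledger.permitted("u-42", "third_party_disclosure", 1500),  # after opt-in: True
        ledger.permitted("u-42", "third_party_disclosure", 2500),  # after withdrawal: False
    ]


if __name__ == "__main__":
    print(demo())
```

The point-in-time query is what turns the ledger into evidence: a disclosure made at time 1500 can be justified from the record even after the user withdraws at time 2000, and a disclosure made at 2500 cannot.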
A key question is exactly what data the user will have access to, the main distinctions being among data collected on the website, data collected or purchased elsewhere, and preference or profile data derived through analysis of the *726 first two. The EU Privacy Directive contains an exclusion for access to processed data where the processor's trade secrets would be exposed. [FN173] Companies with extensive operations outside of the website are well advised to make it clear that the policy's access provisions apply only to data collected on the website, unless subject to contrary legal requirements. By making this clear, a company avoids the burdensome obligation to seek out and make available all data in the company's possession concerning a particular consumer. [FN174]
With respect to passively collected data such as cookie or log file data, the question is whether to grant access at all, since this data may not be comprehensible without further processing.
Policy questions as to security include how extensive your technical and human-factor security measures will be, and how much detail about those measures should be revealed to the public. An overly detailed description can both compromise the effectiveness of the security measures and unduly commit the website to these particular procedures.
What enforcement mechanisms will you allow or require users to pursue? The privacy seal programs *727 impose their own requirements in this regard but do not limit other remedies for consumers. Limiting users' options for enforcement may be both prudent and achievable, as we will see in the next section.
IX. CONTRACT CONCEPTS
Of course, in order to claim the benefits of this contract, the user would have to acknowledge having accepted it, and this gives the website an opportunity to turn contractual obligation to its advantage by including protective provisions. But relying on acknowledgment by the consumer as a condition precedent to a contract claim does not solve the amendment problem mentioned above (where the contract assented to was the original one), nor does it afford protection against tort liability or generate a legally reliable consent when one is required by law.
*729 B. MAKING IT LEGAL
In Hill v. Gateway 2000, Inc., [FN180] the Hills brought a warranty and RICO claim against Gateway and managed to get it certified as a class action. The Gateway product had come with a shrink-wrap contract containing a mandatory arbitration clause, which the trial court refused to enforce. The Seventh Circuit reversed, enforced the arbitration clause and nullified the class action certification. Since most arbitration rules do not *731 accommodate class actions, an alternative dispute resolution clause such as that used by Gateway may effectively neutralize the class action threat. [FN181]
C. DRAFTING TECHNIQUES
A second important consideration involves identifying the necessary exceptions to the privacy promise. In the preceding example, exceptions would be needed for release under subpoena, search warrant, court order, civil investigative demand, or other compulsory process such as civil discovery. A cautious drafter might also except disclosures necessary to protect the website's rights or to prevent harm to other individuals; to identify persons who may be violating the law, the user agreement, or the rights of third parties; [FN182] and to cooperate with investigations of purported unlawful activities. In some cases routine disclosures to regulatory agencies, such as bank examiners, may also be necessary. Some website owners believe that they cover all of these situations with the statement that they will never willfully disclose personal information without consent.
As this article illustrates, privacy policies divide naturally into two components: fairly simple principles and detailed implementation of those principles. The former tend to be reassuring, the latter stupefying. Many of the *733 better privacy policies take advantage of this division by beginning with the reassuring general principles and referring the reader to a list of "Frequently Asked Questions," or just an expanded discussion, for all of the details, qualifications, examples, explanations and exceptions.
D. EXAMPLE: BOUNDARY CONDITIONS
The drafting principles of coverage and of caution can eliminate many legal problems with privacy policies because both principles address the issue of consistency between the written policy and the activities that it describes. We close with an illustration: the issue of boundaries, of where the policy applies and where it does not-- an area where many privacy policies have foundered and where many more are ticking time bombs.
[FN1]. J.D., Yale University, 1975; B.A., Yale University, 1972. Mr. Killingsworth is Co-Chair of the Intellectual Property and Technology Group of the Atlanta and Washington firm Powell, Goldstein, Frazer & Murphy, and advises clients on licensing, strategic alliances, e-commerce and other technology-related business matters. He can be reached at (404) 572-6600 or at skilling@pgfm.com.
[FN2]. Council Directive 95/46, 1995 O.J. (L 281) 31 [hereinafter EU Privacy Directive].
[FN3]. P. Sprenger, Sun on Privacy: 'Get Over It' Wired News (Jan. 26, 1999) <http://www.wired.com/news/politics/story/17538.html>. McNealy is the Chairman and CEO of Sun Microsystems, which is both the developer of the Java programming language used to implement applets in web browsers and a member of the Online Privacy Alliance.
[FN4]. Because similar personal information may be shared with a number of sites, and because there is a delay between the initial disclosure of information and the onset of such aggravations as unsolicited electronic mail (e-mail) messages, the exact source of the privacy invasions is often hidden from the consumer. This disconnection between cause and effect can lead to a "one bad apple" syndrome whereby the actions of a small number of irresponsible websites may be attributed to the Internet as a whole.
[FN5]. Many of the privacy concerns and principles discussed in this article can be traced to a 1973 study by the Department of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens. According to a 1992 survey, over two-thirds of Americans believed that "the present uses of computers are an actual threat to personal privacy" and that "if privacy is to be preserved, the use of computers must be sharply restricted in the future." Equifax-Louis Harris Consumer Privacy Survey, Equifax Executive Summary 1992 ¶4 (visited Nov. 3, 1999) <http://www.privacyexchange.org/iss/surveys/eqfx.execsum.1992.html>.
[FN6]. See <http://www.doubleclick.com/advertisers/network/boomerang/reporting.htm> for an explanation of reports available to advertisers subscribing to DoubleClick's "Boomerang" service, including answers to such questions as "What are your customers' interests? Where do your customers work? When are your customers online? and Where do your customers live?" According to DoubleClick, all of this information is collected anonymously <http://www.doubleclick.com/advertisers/network/boomerang/privacy.htm>, but see note 7 below. (All sites visited January 29, 2000).
[FN7]. Consumers who voluntarily submit personally-identifying information to websites that participate in DoubleClick's Abacus Alliance may find that this information is disclosed to DoubleClick and then associated with the anonymously-gathered data about their web browsing generally (described above), unless they specifically opt out at each participating site visited <http://www.doubleclick.net/company_info/about?doubleclick/privacy/> (visited January 29, 2000). DoubleClick apparently offers an opt-out cookie that is effective throughout its network, but on January 29, 2000 the author received only error messages when attempting to activate this feature at <http://www.douleclick.net/company_info/about_doubleclick/privacy/privacy2htm#optout>.
[FN8]. This Orwellian-sounding term refers to an analysis of attitudes, interests and opinions as distinct from mere demographic data; such an analysis can bring improvement in predictive success.
[FN9]. Tara Lemmey, President of Narrowline (now Executive Director of the Electronic Frontier Foundation), quoted in Esther Dyson, Privacy Protection: Time to Think and Act Locally and Globally, Release 1.0, (Apr. 1998) <http://www.edventure.com/release1/0498body.html>.
[FN10]. In the Matter of GeoCities, a corporation, FTC File No. 9823015 <http://www.ftc.gov/os/1999/9902/9823015cmp.htm>.
[FN13]. The FTC action and proposed settlement were first announced in early June 1998, in SEC filings in connection with GeoCities' upcoming public offering that August. GeoCities, Corp., SEC Form S-1 Registration Statement (June 12, 1998) <http://www.sec.gov/Archives/edgar/data/1062777/0001017062-98-001328.txt>.
[FN14]. GeoCities, FTC Docket No. C-3850 (decision and order) (Feb. 5, 1999) <http://www.ftc.gov/os/1999/9902/9823015d0.htm>.
[FN15]. Regarding children's issues, a similar settlement was reached in May 1999 with Liberty Financial Companies; see In re Liberty Fin. Cos., FTC File No. 9823522 (agreement containing consent order), (visited Sept. 28, 1999) <http://www.ftc.gov/os/1999/9905/lbtyord.htm>.
[FN16]. Privacy Online: A Report to Congress, FTC report (June 4, 1998) <http://www.ftc.gov/reports/privacy3/index.htm> [hereinafter Privacy Online] was sent to Congress June 4, 1998.
[FN17]. Child Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (1998) [hereinafter COPPA].
[FN18]. 15 U.S.C. § 45 (1998).
[FN19]. In this instance "legal perspective" seems oxymoronic: despite what law school teaches, business is about much more than avoiding every possible risk.
[FN20]. See infra Part VI.f (discussing the EU Privacy Directive).
[FN21]. Industries with regulated information practices include healthcare, banking, video rentals, cable television, and telecommunications.
[FN22]. Detailed results can be viewed at Business Week/Harris Poll: Online Insecurity, Business Week (last modified Mar. 5, 1998) <http://www.businessweek.com/1998/11/b3569107.htm> [hereinafter Online Insecurity].
[FN23]. Louis Harris and Assoc., Inc. & Alan F. Westin, Privacy and American Business and Price Waterhouse, Inc., E-Commerce & Privacy Survey (June 1998) <http://www.privacyexchange.org/iss/surveys/ecommsum.html> (stating that 23% of Internet users have purchased online, whereas the Business Week/Harris Poll put the figure at 22%).
[FN24]. See Online Insecurity, supra note 22 (finding that despite the benefits of registering at websites, 59% of Internet users never do).
[FN25]. Georgia Institute of Technology, Graphics Visualization and Usability Center's 9th WWW User Survey (Apr. 1998) <http://www.cc.gatech.edu/user_surveys/survey-1998-04/graphs/general/q46.htm>.
[FN26]. Examples of such products include anonymous proxy servers for browsing privacy and anonymous e-mail remailing services.
[FN27]. Louis Harris & Assoc., Inc. And Alan F. Westin, supra note 23 (noting that 91% of net users and 96% of those who buy products or services online call privacy policies "important" or "very important." For computer users who are not yet online, the figure was 94%).
[FN28]. A. Westin, "Freebies" and Privacy: What Net Users Think (visited Sept. 28, 1999) <http://www.privacyexchange.org/iss/surveys/sr990714.html> (reporting on a February 1999 poll by Opinion Research Corp. for Privacy & American Business).
[FN29]. See Online Insecurity, supra note 22 (finding that 62% of respondents would increase their Internet usage).
[FN30]. See id. (finding that 57% of respondents would increase their amount of purchases).
[FN31]. TRUSTe/Boston Consulting Group Consumer Survey (visited Oct. 8, 1999) <http://www.truste.org/webpublishers/pub_bottom.html> states that information practice policy statements make it two to three times more likely that a consumer will provide personal information to a website; 56% of users in the Business Week/Harris Poll, supra note 22, indicated that a privacy statement would make it more likely for them to register at a website.
[FN33]. See Lorrie Faith et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy, AT&T Labs-Research Technical Report TR 99.4.1 (Mar. 25, 1999) <http://www.research.att.com/library/trs/TRs/99/99.4/99.41/Survey-TR-19990325.htm> [hereinafter Beyond Concern] (citing Christine Hine & Juliet Eve, Privacy in the Marketplace, 14(4) The Info. Soc. 253, 261 (1998) for the proposition that where a website does not explain the purposes for which it gathers and uses personal information, consumers are likely to concoct their own unfavorable opinions about the website's intentions).
[FN34]. See Beyond Concern, supra note 33 (finding that sharing data with third parties was the most important criterion users evaluate in deciding whether to reveal information to a website).
[FN35]. Respond.com has even adapted the reverse-auction model as a "black box"; the buyer fills out a form specifying the desired product and the desired price, Respond.com sends an email with this information (absent the buyer's identity) to its list of registered retailers, collects the replies and forwards them to the buyer. The buyer can then follow up with a vendor if she wants to accept its offer. The "middleman" feature not only preserves anonymity, it also enables Respond.com to collect its fees, which are based not on sales but on the number of e-mails to which the given vendor replies. See, e.g., (visited Sept. 29, 1999) <http://www.respond.com/overview/index.html> (providing an outline of the black-box-auction model).
[FN36]. zZzounds.com <http://www.zzounds.com/discover.music?page=privacy&z=493782266316>.
[FN37]. Welcome to Juno (visited Oct. 25, 1999) <http://www.juno.com>. A recent Juno advertisement (targeted to online advertisers, rather than to consumers) states that "nearly 7 million Juno subscribers have filled out a member profile with more in-depth personal questions than your mother asks."
[FN38]. See Welcome to The MyPoints Program (visited Sept. 29, 1999) <http://www.mypoints.com> (explaining that MyPoints participants are offered redeemable points-- an Internet version of trading stamps-- when they participate in MyPoints promotions or buy in response to MyPoints offers. A recent advertisement claims better than a 20% response rate to MyPoints e-mail advertising campaigns).
[FN39]. See, e.g., Alex Nash, Yahoo Retracts Unlisted Home Addresses, CNET News.com (Apr. 25, 1996), <http://news.cnet.com/news/0-1005-202-311165.html> (describing the consumer outrage and Yahoo's rapid retreat when it was learned that Yahoo's new People Search service disclosed some 85 million unlisted home addresses and telephone numbers).
[FN40]. TRUSTe (visited Sept. 29, 1999) <http://www.truste.org>.
[FN41]. BBBOnLine (visited Sept. 29, 1999) <http://www.bbonline.org>.
[FN42]. A "secondary use" is a use of information for a purpose other than that for which it was originally disclosed, such as use in a direct-marketing campaign of a mailing address originally obtained for product shipment.
[FN43]. Child Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (1998) [hereinafter COPPA]. See BBBOnLine: The Children's Privacy Seal (visited Sept. 29, 1999) <http://www.bbbonline.org/businesses/privacy/child_privacy.htm> (stating that BBBOnline's seal requirements are based on COPPA); TRUSTe License Agreement Rev. 5.0 Appendix C (last modified June 25, 1999) <http://www.truste.org/webpublishers/pub_selfassessment.html> (stating that TRUSTe's children guidelines are based on COPPA).
[FN44]. See BBBOnLine: Privacy Program Eligibility Criteria (visited Nov. 2, 1999) <http://www.bbbonline.org/businesses/privacy/eligibility.html> (covering requirements for BBBOnLine Privacy Seals); TRUSTe License Agreement Rev. 5.0 (last modified Aug. 8, 1999) <http://www.truste.org/webpublishers/pub_agreement.html> (requiring licensees to agree to particular and comprehensive rules before awarding Privacy Seals).
[FN45]. See BBBOnLine: Privacy Program Eligibility Criteria, supra note 44 (disclosing requirements to which a business must agree in order to qualify for a BBBOnLine Privacy Seal).
[FN46]. TRUSTe Approves 1000th Web Site, TRUSTe press release, January 12, 2000 <http://www.truste.org/about/about_1000th.html>.
[FN47]. Press Release, BBBOnLine's New Privacy Seal Program Opens for Business (Mar. 17, 1999) <http://www.bbbonline.org/about/press/3-17-99.htm>.
[FN48]. BBBOnLine Approved Privacy Participants (visited Jan. 26, 2000) <http://www.bbbonline.org//businesses/privacy/approved.html>.
[FN49]. Cheskin Research and Studio Archetype/Sapient, eCommerce Trust Study, at 16 (Jan. 1999) <http://www.studioarchetype.com/cheskin/html>.
[FN50]. At the time, the BBBOnLine privacy seal program was not in effect; the seal in question was BBBOnLine's Reliability Seal, which relates to business practices other than privacy, but it is probably safe to assume that the organization's privacy seal would garner comparable responses.
[FN51]. Debra Valentine, About Privacy: Protecting the Consumer on the Global Information Infrastructure, 1 Yale Symp. on L. & Tech. 4, at para. IV, B.1 (1998).
[FN52]. See Maryann Jones Thompson, Tech Firms Still Top List of Net Advertisers, The Industry Standard (May 20, 1999) <http://www.thestandard.com/metrics/display/0,1283,894,00.html> [hereinafter The Industry Standard] (ranking advertisers for 1998; Microsoft was first and IBM second with combined advertising expenditures of $63.4 million).
[FN53]. Kim Girard, IBM To Pull Web Ads Over Privacy Concerns, CNET News.com (Mar. 31, 1999) <http://www.news.cnet.com/news/0-1005200-340588.html?tag=st.cn.1fd2>.
[FN55]. Disney and Go Network Institute Comprehensive New Advertising Policy to Promote Industry Adoption of Online Privacy Standards (June 29, 1999) <http://www.info.infoseek.com/press/06-29-99_policy.html>. The Go Network is one of the top five websites, and The Industry Standard, supra note 52, ranked its constituent Infoseek as the sixth largest advertiser on other websites in 1998.
[FN56]. Privacy Promise (visited Oct. 2, 1999) <http://www.the-dma.org/pan7/pripro22.html>.
[FN58]. See Privacy Online: A Report to Congress at 54 n.73 (visited Oct. 2, 1999) <http://www.ftc.gov/reports/privacy3/index.htm> (listing 11 associations that submitted guidelines or principles for the FTC's consideration).
[FN59]. See id. app. E (reporting the submitted guidelines).
[FN60]. Id. at 7-11. Many other organizations have modeled their recommended information practices on the FTC list. See, e.g., Online Privacy Alliance, Guidelines for Online Privacy Policies (visited Oct. 2, 1999) <http://www.privacyalliance.org/resources/ppguidelines.html> (including headings of notice, choice, access, and security); Elements of Effective Self-Regulation for Protection of Privacy (visited Oct. 2, 1999) <http://www.ecommerce.gov/staff.htm> (including headings of notice, choice, access, security, and enforcement).
[FN61]. This simple requirement conceals difficult questions about the practicality and necessity of disclosing to a consumer such database-resident information as their clickstream records, or the inferences drawn from that data by use of analysis programs. Likewise, questions abound as to the obligation to disclose to consumers information about them that has been acquired from third-party sources.
[FN62]. On January 21, 2000, the FTC announced the appointment of a 40- member Advisory Committee on Online Access and Security to advise the FTC staff on policy issues surrounding the issues of what constitutes "reasonable access" and "adequate security." Its charter calls for a final report from the Committee by May 15, 2000, "describing options for the implementation of access and security online, and the costs and benefits of each option. FTC Press Release, "Online Privacy Committee Members Named," January 21, 2000 <http:// www.ftc.gov/opa/2000/01/asrev.htm>. Interestingly, the FTC's COPPA regulations on security and integrity have a Sphinxlike brevity (16 C.F.R. § 312.8), so the Advisory Committee may well be a harbinger of expanded COPPA regulations on this point.
[FN63]. The Online Privacy Alliance, a consortium of over 80 companies and associations involved in e-commerce, advocates that self-regulation via third party privacy seal programs is sufficient. However, they take pains to say that complaint-resolution processes of seal programs should not prevent the consumer from pursuing "other available legal recourse." Online Privacy Alliance, Effective Enforcement of Self Regulation (visited Oct. 3, 1999) <http://www.privacyalliance.org/resources/enforcement.html>.
[FN64]. See discussion infra Part VI.f (discussing the EU Privacy Directive).
[FN65]. See supra note 5 (discussing the 1973 study).
[FN66]. 5 U.S.C. § 552a (1974).
[FN67]. OECD, GUIDELINES FOR THE PROTECTION OF PERSONAL DATA AND TRANSBORDER FLOWS OF PERSONAL DATA (1980).
[FN68]. As early as 1905, the Supreme Court of Georgia had recognized the right to privacy as against misappropriation of one's likeness. Pavesich v. New England Life Ins. Co., 122 Ga. 190, 50 S.E. 18 (1905).
[FN69]. See, e.g., Privacy Online, supra note 58, at endnote 160; letter from Ambassador David L. Aaron, Undersecretary of Commerce for International Trade, to industry representatives on the subject of proposed Safe Harbor principles under the EU Privacy Directive (Nov. 4, 1998) <http://www.ita.doc.gov/ecom/aaron114.html>.
[FN70]. OPA White Paper: Online Consumer Data Privacy in the United States (Nov. 19, 1998) <http://www.privacyalliance.org/resources>.
[FN71]. Restatement (Second) of Torts § 652D (1976).
[FN72]. Id. at comment a. This standard is seldom met in ordinary business transactions. For example, in Tureen v. Equifax, Inc., 571 F.2d 411, 419 (8th Cir. 1978), Equifax's disclosure of the plaintiff's medical underwriting history to her health insurer, at the insurer's request, was held not to be sufficiently "public" for an invasion of privacy cause of action.
[FN73]. McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998).
[FN74]. Philip Shenon, Navy and America Online Settle Case on Gay Privacy, N.Y. Times, June 12, 1998, available at <http://www.nytimes.com/library/tech/98/06/cyber/articles/12navy.html>.
[FN75]. Id. In related litigation, the Navy was found to have violated both its own "don't ask, don't tell" policy and the Electronic Communications Privacy Act. McVeigh, 983 F. Supp. at 220-21.
[FN76]. Prepared Statement of the Federal Trade Commission, "Consumer Privacy on the World Wide Web": Hearings Before the Subcommittee on Telecommunications, Trade and Consumer Protection of the House Committee on Commerce, 105th Cong. n.23 (1998) (statement of Robert M. Pitofsky, Chairman of FTC): "[The FTC Act] grants the Commission authority to seek relief for violations of the Act's prohibitions on unfair and deceptive practices in and affecting commerce, an authority limited in this context to ensuring that Web sites follow their stated information practices."
[FN77]. Letter from Jodie Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, to Center for Media Education (July 15, 1997) <http://www.ftc.gov/os/1997/9707/cenmed.html>.
[FN78]. See infra Part IX (discussing Contract Concepts).
[FN79]. Nonprofit organizations are exempt, just as they are exempt from the FTC Act.
[FN80]. E.g., by virtue of information entered in an "age" field in the data-collection screen.
[FN81]. COPPA, supra note 17, § 1303(b)(1)(A)(i).
[FN82]. "Verifiable parental consent" is defined id. § 1302(9).
[FN83]. Id. § 1303(b)(1)(A)(ii).
[FN84]. Id. § 1303(b)(1)(B)(ii).
[FN85]. Id. § 1303(b)(1)(B)(i), (iii).
[FN86]. COPPA, supra note 17, § 1303(b)(2).
[FN87]. Id. § 1303(b)(1)(C).
[FN88]. Id. § 1303(b)(1)(D).
[FN89]. Id. § 1304. Since the approved programs would have to mirror the requirements of the law and the underlying factual questions of compliance would be essentially the same with or without the safe harbor, it is not immediately obvious what substantive difference the safe harbor makes, but it does show a willingness by the government to outsource some of its compliance-enforcement work to industry groups, where the industry groups would no doubt prefer that it reside.
[FN90]. Id. § 1303(a)(1).
[FN91]. 16 C.F.R. pt. 312, issued October 20, 1999.
[FN92]. 16 C.F.R. § 312.2 defines "disclosure" as including any means of making personal information publicly available, such as "public posting through the Internet, or through a personal home page posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room."
[FN93]. 16 C.F.R. § 312.5(b)(2).
[FN94]. 16 C.F.R. § 312.4(b).
[FN95]. 16 C.F.R. § 312.4(b)(2).
[FN96]. 16 C.F.R. § 312.4(b)(1).
[FN97]. 18 U.S.C. §§ 2510-2522, 2701-2711 (1994).
[FN98]. Id. § 2510(4).
[FN99]. Id. § 2510(8) (emphasis added).
[FN100]. Id. § 2510(12) (emphasis added).
[FN101]. Id. § 2511(2)(d).
[FN102]. Suppose a website, as a result of monitoring browser requests to its server, tags an individual as a regular participant in a closed forum on "Living with a Diabetic." The explicit communication from the browser is merely to access a page with a particular address, and the website is a party to that communication with the presumptive right to disclose it. However, given the known subject-matter of discussions in the forum, does disclosure to a marketer of the nature of the page requested constitute an interception and disclosure of the broadly defined "contents" of the user's communications within the forum, communications to which the website operator is not a party?
[FN103]. 18 U.S.C. § 2511(2)(d), (3)(b)(ii) (1994).
[FN104]. See Griggs-Ryan v. Smith, 904 F.2d 112 (1st Cir. 1990) (finding that consent to the recording of telephone calls is presumed where the landlady informed a tenant that all incoming calls would be recorded). With privacy policies, the question is: what if the user claims not to have seen the policy?
[FN105]. 15 U.S.C. §§ 1681-1681t (1994 & Supp. III 1997).
[FN106]. 15 U.S.C. § 1681a(d) provides that covered information includes information "bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living."
[FN107]. Id. § 1681b(3).
[FN108]. 15 U.S.C. § 1681a(d)(2)(A)(i).
[FN109]. Id. § 1681a(d)(2)(A)(iii).
[FN110]. This distinction is the subject of Trans Union Corp. v. FTC, 81 F.3d 228 (D.C. Cir. 1996), where the Federal Circuit held that targeted marketing lists were not necessarily "consumer reports" even though they were created from data originally gathered to be used in conventional credit reports, on the dubious grounds that the routine inclusion of this data in credit reports did not prove that particular data was actually expected to be used as a factor in credit decisions when it was collected. The court remanded to the FTC for further factual determinations, and an FTC Administrative Judge made the required factual determination and held Trans Union in violation of FCRA. In re Trans Union Corp., No. D-9255 (July 31, 1998) <http://www.ftc.gov/os/1998/9808/d9255pub.id.pdf>. Trans Union has appealed the order to the full Commission.
[FN111]. For a general discussion of the history of United States-EU discussions over the application of the "adequacy" test to the United States, see Scott Killingsworth and Brett Kappel, Safe Harbor in Muddy Waters? Commerce Department Proposes Voluntary Principles for Compliance with EU Privacy Directive, 1 E-Commerce Law Report 2 (Dec. 1998/Jan. 1999).
[FN112]. United States Department of Commerce, Draft International Safe Harbor Principles (Apr. 19, 1999) <http://www.ita.doc.gov/ecom/shprin.html> [hereinafter "Draft Safe Harbor"].
[FN113]. It would appear that under the EU Privacy Directive, affiliates of the collector of the information would be considered "third parties" if they are not processing the data on behalf of the collector, which would mean the individual must be given opt-out privileges to prevent proposed transfers to these affiliates. EU Privacy Directive, supra note 2, art. 2, §(f). The Draft Safe Harbor does not adopt the Privacy Directive's definitions, however, and uses the flexible and undefined term "organization" to describe the collector of data.
[FN114]. Draft Safe Harbor, supra note 112, (referring to Principle 6 and Note 6). See United States Department of Commerce, Draft Frequently Asked Questions, Access (April 19, 1999) <http://www.ita.doc.gov/ecom/access.html> (referring to Questions 1 and 2 and Endnotes 104).
[FN115]. Office of Thrift Supervision News Release, Thrifts Urged to Post Privacy Policies as Part of Transactional Web Sites (June 10, 1999) <http://www.ots.treas.gov/docs/77939.html>.
[FN116]. Office of the Comptroller of the Currency Advisory Letter 99-6, Guidance to National Banks on Web Site Privacy Statements (May 4, 1999) <http://www.occ.treas.gov/ftp/advisory/99-6.txt>.
[FN117]. FDIC Financial Institution Letters, Electronic Commerce and Consumer Privacy (Aug. 17, 1998) <http://www.fdic.gov/news/news/financial/1998/fil19886b.html>; FDIC Financial Institution Letters, Online Privacy of Consumer Personal Information (last modified July 17, 1999) <http://www.fdic.gov/news/news/financial/1998/fil19886b.html>.
[FN118]. 15 U.S.C. §§ 1693-1693r (1994), specifically § 1693c(9). The law applies to all accounts with an electronic funds transfer feature.
[FN119]. 12 C.F.R. § 205.7(b)(9) (1999); Federal Reserve Board Official Staff Commentary, 12 C.F.R. § 205.7(b)(9)-1 (1999).
[FN120]. S.900, enacted November 12, 1999 (hereinafter "Gramm-Leach-Bliley").
[FN121]. 12 U.S.C. § 377.
[FN122]. What information is considered "publicly available" is to be defined by implementing regulations, Gramm-Leach-Bliley § 509(4)(B).
[FN123]. Compare with COPPA, which applies to information only if it is gathered both online and from a child, but applies to all information linked to the child's identity.
[FN124]. Gramm-Leach-Bliley includes a number of exceptions to the third-party-disclosure rule for such practical matters as using third parties to help fulfill a transaction between the consumer and the institution, or to market to the consumer on behalf of the institution, in each case under a confidentiality agreement; to enforce obligations of the consumer; to protect against fraud; to comply with law or respond to legal process, etc.
[FN125]. Gramm-Leach-Bliley § 502.
[FN126]. In hearings on the bill, the FTC had testified that the sale by financial institutions of their direct "transactions and experience" data "raises serious privacy concerns." Federal Trade Commission, Prepared Statement of the Federal Trade Commission before the Subcommittee on Financial Institutions and Consumer Credit Committee on Banking and Financial Services, United States House of Representatives on Financial Privacy, the Fair Credit Reporting Act, and H.R. 10 (visited July 21, 1999).
[FN127]. Id. § 503.
[FN128]. See the discussion of FCRA supra Part VI.E. This treatment of financial institution affiliates only seems Byzantine; in fact it is merely labyrinthine. The provisions of FCRA addressing disclosures to affiliates (§ 603(d)(2)(A)(iii) of FCRA, 18 U.S.C. § 1681a(d)(2)(A)(iii)) are in the form of exceptions to the definition of a "consumer report." Hence disclosures permitted by this section would be otherwise prohibited by FCRA only if, but for these exceptions, the information would constitute "consumer reports," a definition that itself partakes not only of the nature of the information included but also the purposes for which it is gathered or used. Moreover, FCRA's prohibitions apply principally to "consumer reporting agencies," those who for a fee regularly furnish consumer reports.
[FN129]. Gramm-Leach-Bliley § 504 requires the Federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the Securities and Exchange Commission and the FTC all to prescribe regulations, after consultation with the National Association of Insurance Commissioners, by May 12, 2000. Section 504(b) exhorts these agencies to coordinate their efforts, and so far they have done so.
[FN130]. Id. § 509(3).
[FN131]. H.R. 3320, § 502.
[FN132]. Id. § 502(b)(1) and § 508(6).
[FN133]. Id. § 503(a)(4) and (5).
[FN134]. Id. § 508(3).
[FN135]. See, e.g., O.C.G.A. § 24-9-40 (1993) (medical records generally); O.C.G.A. § 33-21-23 (1992) (HMO records); O.C.G.A. § 31-8-114 (1996) (long-term care facility records); O.C.G.A. § 24-9-47 (1990) (AIDS records); O.C.G.A. § 37-3-166 (1995) (mental health records); O.C.G.A. § 31-22-4 (1996) (sexually transmitted and communicable disease clinical laboratory tests).
[FN136]. See, e.g., Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, codified at 29 U.S.C. § 1181 (Supp. III 1997) (mandating security systems for the electronic transmission of health data); 42 C.F.R., § 482.24 (1998) (governing hospitals' medical records confidentiality practices); 42 U.S.C. § 290dd-3 (1994) (relating to alcohol and drug abuse records) (omitted in the general revision of this part by Pub. L. No. 102-321).
[FN137]. C. Bowman, Uneven State Medical-Record Laws Offer Potential Pitfalls for Health Plans, BNA Health Law Reporter, November 11, 1999, at p.1787.
[FN138]. E.g., Medical Information Privacy and Security Act, H.R. 1057, 106th Cong. (1999) (introduced Mar. 10, 1999); the Health Information Privacy Act, H.R. 1941, 106th Cong. (1999) (introduced May 25, 1999); Medical Information Protection and Research Enhancement Act of 1999, H.R. 2470, 106th Cong. (1999) (introduced July 12, 1999).
[FN139]. 64 Fed. Reg. 59918.
[FN140]. Health Insurance Portability and Accountability Act of 1996, supra note 136.
[FN141]. A health care clearinghouse is an organization that translates health care records from nonstandard formats into standard electronic formats; an example would be a billing intermediary.
[FN142]. One of the more interesting attributes of these confidentiality agreements is that the patients concerned must be made express third-party beneficiaries. HIPAA provides no private right of action, and the question whether a private right of action should be created is among the major issues that have so far derailed passage of comprehensive health information privacy legislation, but this bit of regulatory finesse shows that there is more than one way to create a private right of action.
[FN143]. 64 Fed. Reg. 60053.
[FN144]. 64 Fed. Reg. 60056.
[FN145]. 64 Fed. Reg. 60059.
[FN146]. 64 Fed. Reg. 60060.
[FN148]. Cable Communications Policy Act of 1984, 47 U.S.C. § 551 (1994).
[FN149]. Video Privacy Protection Act, 18 U.S.C. § 2710 (1994). Statements that certain types of transactions do not occur on the Internet are often short-lived. In January 2000, Blockbuster Inc. announced that it had acquired the exclusive right to distribute the MGM film library over the internet. MGM, Blockbuster to Develop Internet Movie Delivery, Reuters, January 18, 2000, accessed via CBS MarketWatch.com. Query whether pay-per-view streaming video transactions over the Internet would fall within the protection of the Video Privacy Protection Act, which contemplates the delivery of "video cassette tapes or similar audio visual materials."
[FN150]. The Online Privacy Protection Act of 1999, S. 809, 106th Cong. (1999).
[FN151]. Federal Trade Commission, Self-Regulation and Privacy Online: A Report to Congress (visited July 21, 1999) <http://www.ftc.gov/os/1999/9907/privacy99.pdf>. While advocating continued monitoring of the progress of self-regulation and refusing to rule out the eventual need for online privacy legislation, the report concluded that "legislation to address online privacy is not appropriate at this time." Id. at *12.
[FN152]. See, e.g., Children's Privacy Protection and Parental Empowerment Act of 1999, H.R. 369, 106th Cong. (1999) (this bill is not confined to Internet contexts and would generally regulate use of personal information on children under 16); Electronic Rights for the 21st Century Act, S. 854, 106th Cong. (1999) (an omnibus e-privacy bill that would, inter alia, amend the ECPA to limit circumstances under which an electronic communications service can reveal subscriber information); the Internet Growth and Development Act of 1999, H.R. 1685, 106th Cong. § 201 (1999) (requiring commercial websites to post privacy policies); Personal Information Privacy Act of 1999, H.R. 1450, 106th Cong. § 7 (1999) (amending FCRA to prohibit selling "transactions and experience" information about a person without that person's consent and regulating commercial use of social security numbers); Social Security On-Line Privacy Act of 1999, H.R. 367, 106th Cong. § 2 (1999) (prohibiting "interactive computer services" (apparently meaning Internet Service Providers) from disclosing users' social security numbers and related information).
[FN153]. See supra note 36 and accompanying text (quoting the zZounds website).
[FN154]. Jeff Partyka, IBM Advises on Online Privacy (July 16, 1999) <http://www.pcworld.com/pcwtoday/article/0,1510,11830.00.html>.
[FN155]. A. Lash, Privacy, Practically Speaking, The Industry Standard (Aug. 2-9, 1999) <www.thestandard.com/articles/display/0,1449,563,co.html>. The article mentions three audits costing $200,000 or more, and one program that involves quarterly follow-up inspections at $20,000 per inspection. For the record, legal costs are an order of magnitude lower.
[FN156]. For a more complete discussion of audit methods and procedures, see S. Killingsworth, Making it Legal: A Checklist for Web Site Privacy Audits, E-Commerce Law Report, Vol. 2, No. 1 (October 1999), p. 15.
[FN157]. The BBBOnLine privacy program requires disclosures of whether data gathered on the website is merged with data from other sources, since this data-matching can multiply both the original data's usefulness to the website and the sense of intrusion into the user's privacy. Better Business Bureau, Sample Privacy Notice (visited Oct. 4, 1999) <http://bbbonline.org/businesses/privacy/sample.html>.
[FN158]. Compiling sensitive data just because it is available, with no particular use in mind, is inadvisable since there is no immediate benefit to having it and there is always a risk of inappropriate use or disclosure.
[FN159]. Seeding refers to the practice of inserting into a mailing list fictional or coded names with addresses that lead back to the party who compiled the list, to provide a practical means for that party to monitor the use of the list.
[FN160]. For websites directed at children, the BBBOnLine privacy seal program requires the use of alerts to warn the user when a link leads out of the website; this exceeds the requirements of COPPA and the proposed COPPA regulations. Better Business Bureau, supra note 157.
[FN162]. T. Wolverton, United Sends Mixed Privacy Messages, CNET News.com (June 4, 1999) <http://news.cnet.com/news/0-1007-200-343254/htm.?tag=st.cn.1fd2>.
[FN166]. One recent project that included a new "opt-out" database cost $250,000. Lash, supra note 155.
[FN167]. For example, both BBBOnLine and TRUSTe regulate use of personally-identifiable information obtained from persons other than the data subject. Further, on children's sites BBBOnLine requires either posting an alert when a link leads to another site where the same privacy rules do not apply, or avoiding altogether links to other child-directed sites that do not follow "core privacy standards." Better Business Bureau, supra note 157.
[FN168]. It is intriguing to note that the BBBOnLine license agreement does not include a "no third-party beneficiary" clause, so conceivably a consumer, for whose benefit the program presumably exists, might be able to sue for damages under that agreement if it were advantageous to do so. Better Business Bureau, supra note 157.
[FN169]. Effective June 30, 1999, TRUSTe added to its license agreement new data security requirements and a requirement that consumers have the opportunity to correct inaccurate data. Additionally, a provision for mandatory opt-out for secondary uses and third-party disclosures was added effective August 30, 1999. Changes In TRUSTe License Agreements, TRUSTe Reporter (Spring 1999) <http://www.truste.org/newsletter/spring99.html#02>.
[FN171]. See infra Part IX.d for a detailed discussion of these issues.
[FN173]. The scope of the Draft Safe Harbor exclusion is subject to ongoing debate. Draft Safe Harbor, supra note 112.
[FN175]. The online economy leaves no doubt that user "eyeballs" and data have market value to most websites.
[FN178]. Like shrink-wrap software licenses, click-wrap agreements have now received express judicial sanction. Hotmail Corp. v. Van Money Pie, Inc., 47 U.S.P.Q.2d (BNA) 1020 (N.D. Cal. 1998).
[FN179]. See S. Junnarkar, DoubleClick Accused of Unlawful Data Use, CNET News.com (January 28, 2000) <http://news.cnet.com/category/0-1005-200-1534533.html>, quoting Jason Catlett, the founder of Junkbusters, a resource site for privacy-protection measures, as follows: "Based on previous experience...these class-action lawyers follow privacy advocates like ambulance chasers. I think it is inevitable that we will see more suits filed." The article reports on a class-action suit arising out of the DoubleClick acquisition of Abacus, described in note 188 infra.
[FN180]. 105 F.3d 1147 (7th Cir. 1997), cert. denied 522 U.S. 808 (1997). New York has also upheld Gateway's shrink-wrap arbitration clause as against a class action. See Brower v. Gateway 2000, Inc., 676 N.Y.S.2d 569 (N.Y. App. Div. 1998).
[FN181]. For a more detailed discussion of the Gateway case and its implications for class actions, see J. T. Westermeier, How Arbitration Clauses Can Help Avoid Class Action Damages, Computer Law Strategist, Sept. 1997, at 1.
[FN182]. Identifying persons who anonymously post either false information about a publicly-traded stock or inside information is an example of this exception.
[FN183]. Under the Draft Safe Harbor, supra note 112, and the EU Privacy Directive, supra note 2, affiliates may be considered "third parties" despite any attempt to characterize them otherwise.