A Primer on Online Privacy
Internet users often disclose (both voluntarily and involuntarily)
large amounts of personal data. Governmental entities, companies, and
consumers have questioned what legal constraints exist to the gathering,
storing, and use of computer users' personal information that is
collected via the Internet. Here is a brief look at how personal data is
collected, distributed, and monitored and the efforts to regulate and
enforce the collectors of such data.
Sidebars:
by John L. Barlament
Over
the past several years, tens of millions of United States citizens have
flocked to the Internet for both personal and business reasons. While
much of the law governing online privacy has yet to be written, some
general principles have emerged.
First, the United States federal government and several states have
taken differing positions on how consumers' online privacy can best be
protected. This jurisdictional conflict could lead to problems for
businesses that collect user data over the Internet.
Second, in contrast to the United States' quiltwork of privacy laws,
the European Union (EU) has implemented a standardized policy for
collecting, distributing, and monitoring consumer information. The EU's
explicit guidelines will force many U.S. companies with European
operations or sales to conform to these guidelines, or at least a "safe
harbor" version of these guidelines.
Finally, the federal government's most significant attempt to
regulate the collection of consumer information over the Internet, the
Children's Online Privacy Protection Act (COPPA), has been ignored by
many companies and has been onerous for those companies that have
attempted to comply with it.
How Data is Collected
When computer users surf the World Wide Web (the Web), they may not
surf alone. Internet service providers (ISPs), advertising companies,
and companies that create and host Web sites use a variety of techniques
to gather consumer information.
Voluntarily provided information. Many ISPs and Web
sites voluntarily request that users provide information about
themselves for purposes of registration, participation in a survey or
contest, or to make purchases. This information often includes the
user's name, postal address, email address, age, and credit card
information.
Clickstream data. Many online services collect
information when a user visits their site or the Web generally. This
information can provide a virtual map of the user's travels through the
Web and often includes information about the sites the user has visited,
purchases the user has made, and the ads to which the user
responded.
IP address. When a user connects to the Internet, the user's
ISP assigns the user's computer an Internet Protocol address (IP
address). The IP address allows the user's computer to communicate with
other computers on the Web. IP addresses often are gathered
automatically by Web sites that the user visits. Thus, most companies
that have a Web site collect some information about a user, although
gathering the IP address does not raise significant privacy concerns
because the IP address typically does not provide personally
identifiable information.
Cookies. "Cookies" are small bits of data that a Web page
requests a "browser" (the software that allows the computer to surf the
Web) to store on a user's computer. Cookies allow a Web site to remember
users by storing files on their computers with a record of prior visits.
This can be useful for consumers, because cookies allow the Web site to
recognize users so that the users do not have to reinput certain data
(such as names and passwords). Generally, cookies are not used to
transmit the actual identity of the user.
Web bugs. So-called "Web bugs" (also known as "clear GIFs")
are a more advanced form of cookie. A Web bug is a nearly invisible
graphic on a Web page or in an email message that is designed to monitor
who is reading the Web page or email message. Some Internet advertising
companies have created a network of Web sites on which to place Web
bugs. The Web bugs can monitor a user as the user moves from site to
site within the network.1 With Web bugs,
once a computer user discloses personal information to any site in the
Web bug network, that personal information could be shared with any
other Web site in the Web bug network. Web bugs raise more privacy
concerns than cookies because users often are unaware that they are
potentially being monitored as they move from site to site. DoubleClick,
a leading Internet advertiser, is said to have placed Web bugs on more
than 60,000 different Web pages.2
John L. Barlament,
Duke 1997, is an associate in the Milwaukee office of Michael Best &
Friedrich LLP. He practices in employee benefits and e-business.
Who Watches the Web Watchers?
The current system of regulating the collection of information online
is a turf war of four competing parties: the federal government,
industry leaders who urge self-regulation, state governments, and
private individuals.
Federal government and industry leaders in harmony.
The Federal Trade Commission (FTC) recently endorsed a set of
advertising industry self-regulatory guidelines developed with the
Network Advertising Initiative, an association that includes most of the
leading online advertising companies.3 The
core principles of these guidelines are:
1) Notice - Data collectors must disclose their information practices
before collecting personal data from consumers;
2) Choice - Consumers must be given options with respect to whether
and how personal information collected from them may be used for
purposes beyond those for which the information was provided;
3) Access - Consumers should be able to review the data collected
about them;
4) Security - Data collectors must take reasonable steps to ensure
that information collected from consumers is accurate and secure from
unauthorized use; and
5) Enforcement - The use of a reliable mechanism to identify and
impose sanctions for noncompliance with these practices.4
These principles have been harshly criticized by two leading privacy
organizations.5 One of the main concerns of
these organizations is that the principles often require individuals to
"opt-out" of online profiling. Opting out of online profiling places a
burden on computer users to affirmatively state that they do not want
their personal information to be monitored or shared. The opt-out
standard often is preferred by online advertising companies. The other
standard, "opt-in," requires Web site operators to receive express
permission from users before gathering or using the users' personal
information.
Even though the FTC has strongly supported industry self-regulation,
the FTC has called for "backstop" legislation to ensure that consumers'
privacy is protected online. Many members of Congress seem to agree that
privacy legislation is needed; several privacy bills have been
introduced recently.6 Until "backstop" (or
broader) legislation is enacted, the scope of federal regulation and
industry self-regulation will remain somewhat unclear.
State and private individuals' efforts. State
efforts to regulate the collection of users' information also is
muddled. Wisconsin, like most states, has not passed laws specifically
designed to protect the gathering and dissemination of personal data
over the Internet. State attorneys general and private citizens have
been eager to categorize certain Internet information-gathering
techniques as violations of existing law. For example, Michigan's
Attorney General has likened the placement of cookies on consumers' hard
drives to "spying and wiretapping" and the use of Web bugs as a
violation of Michigan's Consumer Protection Act.7 Additionally, at least one lawsuit filed by a
private individual has accused Netscape (a subsidiary of America Online)
of "eavesdropping" in violation of the federal Electronic Communications
Privacy Act and the Computer Fraud and Abuse Act by using a cookie and
other software to monitor users' downloads of particular files.8 Other individuals have brought lawsuits based
on trespass, invasion of privacy, consumer protection, and anti-stalking
laws.9
Further action by states, including Wisconsin, could be occurring
shortly. Gov. Tommy Thompson has appointed a task force on privacy that
is reviewing some of the issues relating to online privacy.10 An official report from the task force is
expected in early 2001.
You have zero privacy anyway. Get over it.
- Scott McNealy, CEO, Sun Microsystems (1999).
Toysmart.com raises issues on effectiveness of
regulation. The recent Toysmart.com controversy vividly
illustrates the problems that can arise when industry self-regulation,
federal agencies, and state attorneys general all become involved in the
regulation of Internet privacy. Toysmart was an Internet-based retailer
(with a significant ownership interest by The Walt Disney Company
(Disney)) that sold games, books, and children-related toys. Toysmart
experienced financial difficulty and filed for bankruptcy protection.11 While in business, Toysmart collected a
great deal of personal information from its customers, including names,
addresses, billing information, shopping preferences, and the names and
birth dates of customers (including children). Toysmart's privacy policy
had been approved by TRUSTe, a leader in the self-regulation industry
and an organization that awards licenses to Web sites that satisfy its
privacy policies. Toysmart's privacy policy stated that personal
information would "never" be shared with a third party. Upon filing for
bankruptcy, however, Toysmart quickly found that one of its largest
assets was its customer list. Toysmart proposed to the bankruptcy court
that the customer list be sold as a separate asset to pay creditors,
despite the fact that Toysmart had promised to never sell the data to a
third party.
The FTC, TRUSTe, and attorneys general from 42 states (including
Wisconsin) quickly petitioned the bankruptcy court to stop the sale of
the personal information.12 The FTC
negotiated with Toysmart and reached an agreement, whereby Toysmart
would be allowed to sell the customer data if the data was sold with the
company's name and Web site. The new owner of the data also had to
engage in a similar business and agree to abide by Toysmart's privacy
pledge.13 However, this settlement with the
FTC did not resolve the concerns of the state attorneys general or
TRUSTe.14 The attorneys general filed a
motion with the bankruptcy court, insisting that Toysmart customers be
notified before the sale of the data and given the chance to remove
their information from the list. A subsidiary of Disney offered to
purchase the customer list for $50,000 and then destroy the list.15 It is not clear whether this offer will
satisfy the bankruptcy court, TRUSTe, or the state attorneys
general.
The upside of the Toysmart situation is that it clearly demonstrates
a willingness on behalf of the federal government, states, and the
industry's self-regulation organizations to attempt to protect consumer
information. However, significant issues are raised by the Toysmart
situation. How effective can TRUSTe be in bringing a lawsuit against a
bankrupt corporation? What rights do Web users have to enforce a privacy
policy that they may not even have seen or been aware of? When can
businesses modify their Web site privacy policies? And, finally, should
businesses be required to successfully navigate the laws of all 50
states (not to mention foreign jurisdictions) when they gather customer
information online? Or, should a national, standardized law be
implemented?
The European Union Intervenes
While various entities in the United States argue over who should
regulate consumer data gathered over the Web, the European Union (EU)
has already adopted a strong, standardized position on collecting,
processing, and storing personal data that is transmitted via electronic
means (which includes more than just information that is gathered over
the Internet). European Union Directive 95/46/EC (the "Directive") was
passed to aid and ensure the smooth transmission of personal data across
national borders. The regulations under the Directive include:
1) Personal data must be collected for specified, explicit, and
legitimate purposes;
2) Special categories of data (such as racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union
membership, and health or sex life) require the data subject's explicit
consent before the data can be shared with a third party or used in a
manner for which it was not originally collected;
3) The data collector must provide certain explanatory information to
the data subject when the data is collected; and
4) The data subject must be allowed to review and modify incorrect
data.
United States businesses noted that the Directive's jurisdiction
section was broad enough to include them if they had any operations or
sales in the EU. In an effort to help United States businesses comply
with these requirements, the Commerce Department negotiated a "safe
harbor" agreement with the EU.16 Under the
safe harbor agreement, United States corporations can self-certify that
they will comply with the Directive's requirements. United States
corporations that currently collect or exchange personal data from EU
member states had to comply with the safe harbor provisions by Nov. 1,
2000, or face the possibility that any electronic exchange of personal
data from the EU to the United States will violate the Directive.
It may be difficult for United States corporations conducting
business in the EU to isolate U.S.-derived personal data from EU-derived
personal data. These corporations may decide to adopt data protection
standards for all personal data, not just EU-derived personal data. If
so, the EU will have, in essence, caused many United States companies to
conform to standards it considers adequate.
The Federal Government Gets Serious: COPPA
The right to be left alone - the most comprehensive of rights,
and the right most valued by a free people.
- Justice Louis Brandeis, Olmstead v. U.S., 277 U.S.
438 (1928)(in dissent).
One area in which the federal government has followed the lead of the
EU and passed strong rules is in the collection of children's personal
information. Congress passed the Children's Online Privacy Protection
Act (COPPA) in October 1998 to restrict how commercial Web site
operators gather information from children under age 13. The FTC's rules
implementing COPPA became effective April 21, 2000.
COPPA places significant burdens on Web sites that are directed or
targeted to children (including those that have a portion of their site
targeted to children) and on general audience Web sites that have
"actual knowledge" that they are dealing with a child or that a child is
disclosing personal information.17 If a Web
site falls under COPPA's rules, the Web site operator must obtain
"verifiable parental consent" from the child's parent before collecting,
using, or disclosing the child's personal information.
The FTC has suggested methods for obtaining verifiable parental
consent, including:
1) providing a consent form that can be printed out, signed by the
parent, and returned by postal mail or facsimile;
2) requiring a parent to use a credit card to demonstrate adult
status;
3) having a parent call a toll-free number staffed by trained
personnel to determine if the person is an adult;
4) verifying a parent's digital signature using public key
technology; and
5) email approval accompanied by a PIN or password obtained through
one of the above methods.18 Additionally,
until April 21, 2002, companies that will be using a child's personal
information for internal purposes may obtain consent using a parent's
email address so long as this is coupled with an additional verification
step such as a follow-up telephone call, letter, or email.
COPPA offers limited exceptions to its parental consent requirements.
No parental consent is required if the child's personal information
is:
1) contact information collected for the sole purpose of obtaining
parental consent;
2) contact information used on a one-time basis to respond to a
specific request of the child;
3) contact information used to respond on a repetitive basis to a
single request and not for any other use (for example, if a child merely
signs up for an email newsletter and the child's email address is not
used for any other purpose); or
4) certain other limited exceptions.19
These rules can be costly to comply with, and they carry significant
civil penalties: up to $11,000 per violation. The FTC recently issued a
reminder that children's privacy issues are a "priority" for it.20 An FTC survey of sites that collect
personally identifiable information from children found that one-half of
these sites have "substantial compliance problems."21 The FTC filed a complaint against Toysmart
for its collection of personal information from children, and it is
likely that the FTC will increase its enforcement of COPPA.
Conclusion
The issues surrounding electronic collection, storage, and use of
personal data collected through the Internet will only continue to grow.
While the federal government has taken a strong position on protecting
children's personal data, it remains to be seen whether other personal
data will be regulated by the federal government, states, the computer
or advertising industries, or outside influences such as the EU.
Endnotes
1 Robert O'Harrow Jr.,
"Fearing a Plague of 'Web Bugs,'" Washington Post, http://www.washingtonpost.com/wp-srv/business/feed/a60184-1999nov13.htm
(Nov. 13, 1999); Dave Methvin, "Are You Being Bugged?," Winmag.com, http://www.winmag.com/fixes/webbugs.htm
(Sept. 21, 1999).
2 Electronic Privacy
Information Center, Network Advertising Initiative: Principles Not
Privacy, http://www.epic.org/privacy/internet/NAI_analysis.html
(July 2000).
3 Keith Perine, "FTC Approves
Privacy Plan," The Industry Standard, http://www.thestandard.com/article/display/0,1151,17211,00.html
(July 27, 2000).
4 FTC, Online Profiling:
Report to Congress, Part Two, Recommendations, http://www.ftc.gov/os/2000/07/onlineprofiling.htm
(July 2000).
5 Supra, note 2.
6 The Electronic Privacy
Information Center monitors many of these bills. See http://www.epic.org/privacy/bill_track.html.
7 Chet Dembeck, "Online
Privacy Inside and Out," EcommerceTimes, http://www.ecommercetimes.com/news/articles2000/000425-1a.shtml
(April 25, 2000); Ann Harrison, "Michigan Charges Web Sites with Privacy
Violations," Computer World, http://www.cnn.com/2000/TECH/computing/06/19/mich.web.idg/index.html
(June 19, 2000).
8 Keith Perine, "Lawsuit Says
You Can't Escape Netscape," The Standard, http://www.thestandard.com/article/display/0,1151,16622,00.html
(July 7, 2000).
9 Charles L. Kerr, Oliver
Metzger, "Online Privacy: Emerging Issues," 607 PLI/Pat 29 (June, 2000).
So far, no published cases have reached the merits of these complaints
by private individuals.
10 Governor Announces
Privacy Task Force Members, http://www.wisgov.state.wi.us/news/ap_detail.asp?prid=29
(Aug. 3, 1999).
11 Elizabeth Blakely,
"After the Toysmart Debacle," EcommerceTimes, http://www.ecommercetimes.com/news/articles2000/000725-1.shtml
(July 25, 2000).
12 See In re:
Toysmart.com LLC (Br. Mass.) (Case No. 0013995-CJK), http://www.naag.org/features/Toysmart.htm;
Jennifer Heldt Powell, "Customer Info Fight in Court," Boston
Herald, http://www.bostonherald.com/business/technology/toy07212000.htm
(July 21, 2000); Linda Rosencrance, "Web Privacy Organization Seeks to
Block Toysmart Sale," Computer World, http://www.computerworld.com/cwi/story/frame/0,1213,NAV47_STO46729,00.html
(July 6, 2000).
13 FTC Announces Settlement
With Bankrupt Web Site, Toysmart.com, Regarding Alleged Privacy Policy
Violations. http://www.ftc.gov/opa/2000/07/toysmart2.htm
(July 21, 2000); Heldt Powell, FTC Says Toysmart.com Can Sell Customer
Data, http://www.bostonherald.com/business/technology/toys07222000.htm
(July 22, 2000).
14 Brian Krebs, Newsbytes,
States Formally Object to Toysmart Settlement with FTC, http://www.newsbytes.com/pubNews/00/153220.html
(Aug. 4, 2000).
15 Settlement Made in
Toysmart Case to Protect Customer Names, http://www0.mercurycenter.com/svtech/news/breaking/merc/docs/047839.htm
(Jan. 9, 2001).
16 See International Trade
Administration Electronic Commerce Task Force, http://www.ita.doc.gov/td/ecom/menu.html
(July 27, 2000).
17 16 C.F.R. § 312.3
(1999).
18 See id. at
§ 312.5(b).
19 See id. at
§ 312.5(c).
20 FTC, Web Sites Warned to
Comply With Children's Online Privacy Law http://www.ftc.gov/opa/2000/07/coppacompli.htm
(July 17, 2000).
21 Id.
Wisconsin
Lawyer