    Wisconsin Lawyer
    February 01, 2001


    A Primer on Online Privacy

    Internet users often disclose (both voluntarily and involuntarily) large amounts of personal data. Governmental entities, companies, and consumers have questioned what legal constraints exist on the gathering, storing, and use of computer users' personal information that is collected via the Internet. Here is a brief look at how personal data is collected, distributed, and monitored and the efforts to regulate and enforce the collectors of such data.


    by John L. Barlament

    Over the past several years, tens of millions of United States citizens have flocked to the Internet for both personal and business reasons. While much of the law governing online privacy has yet to be written, some general principles have emerged.

    First, the United States federal government and several states have taken differing positions on how consumers' online privacy can best be protected. This jurisdictional conflict could lead to problems for businesses that collect user data over the Internet.

    Second, in contrast to the United States' quiltwork of privacy laws, the European Union (EU) has implemented a standardized policy for collecting, distributing, and monitoring consumer information. The EU's explicit guidelines will force many U.S. companies with European operations or sales to conform to these guidelines, or at least a "safe harbor" version of these guidelines.

    Finally, the federal government's most significant attempt to regulate the collection of consumer information over the Internet, the Children's Online Privacy Protection Act (COPPA), has been ignored by many companies and has been onerous for those companies that have attempted to comply with it.

    How Data is Collected

    When computer users surf the World Wide Web (the Web), they may not surf alone. Internet service providers (ISPs), advertising companies, and companies that create and host Web sites use a variety of techniques to gather consumer information.

    Voluntarily provided information. Many ISPs and Web sites ask users to voluntarily provide information about themselves for purposes of registration, participation in a survey or contest, or to make purchases. This information often includes the user's name, postal address, email address, age, and credit card information.

    Clickstream data. Many online services collect information when a user visits their site or the Web generally. This information can provide a virtual map of the user's travels through the Web and often includes information about the sites the user has visited, purchases the user has made, and the ads to which the user responded.

    IP address. When a user connects to the Internet, the user's ISP assigns the user's computer an Internet Protocol address (IP address). The IP address allows the user's computer to communicate with other computers on the Web. IP addresses often are gathered automatically by Web sites that the user visits. Thus, most companies that have a Web site collect some information about a user, although gathering the IP address does not raise significant privacy concerns because the IP address typically does not provide personally identifiable information.

    Cookies. "Cookies" are small bits of data that a Web page requests a "browser" (the software that allows the computer to surf the Web) to store on a user's computer. Cookies allow a Web site to remember users by storing files on their computers with a record of prior visits. This can be useful for consumers, because cookies allow the Web site to recognize users so that the users do not have to reinput certain data (such as names and passwords). Generally, cookies are not used to transmit the actual identity of the user.

    Web bugs. So-called "Web bugs" (also known as "clear GIFs") are a more advanced form of cookie. A Web bug is a nearly invisible graphic on a Web page or in an email message that is designed to monitor who is reading the Web page or email message. Some Internet advertising companies have created a network of Web sites on which to place Web bugs. The Web bugs can monitor a user as the user moves from site to site within the network.1 With Web bugs, once a computer user discloses personal information to any site in the Web bug network, that personal information could be shared with any other Web site in the Web bug network. Web bugs raise more privacy concerns than cookies because users often are unaware that they are potentially being monitored as they move from site to site. DoubleClick, a leading Internet advertiser, is said to have placed Web bugs on more than 60,000 different Web pages.2
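The following Python script is an added example, not part of the original article: it audits page HTML for the clear-GIF footprint described above (a tiny or hidden image fetched from a third-party host) and then models what the advertiser's server sees when two unrelated sites embed the same pixel, namely both visits under one cookie. The site names, the ad host and the page HTML are constructed for the example.

```python
"""Audit page HTML for likely Web bugs (clear GIFs) and show why they track
across sites: every page that embeds an image from the same third-party
host makes the browser send that host its cookie along with the request.
Sample pages below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in a page."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))


def is_tiny(attrs):
    """True for 0x0 or 1x1 images, the classic clear-GIF footprint."""
    w = (attrs.get("width") or "").strip().rstrip("px")
    h = (attrs.get("height") or "").strip().rstrip("px")
    return w in ("0", "1") and h in ("0", "1")


def find_web_bugs(html, page_host):
    """Return third-party, invisible images with their query parameters."""
    parser = ImgCollector()
    parser.feed(html)
    bugs = []
    for attrs in parser.imgs:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # first-party images cannot link visits across sites
        hidden = "display:none" in (attrs.get("style") or "").replace(" ", "")
        if is_tiny(attrs) or hidden:
            params = {k: v[0] for k, v in parse_qs(urlparse(src).query).items()}
            bugs.append({"host": host, "params": params})
    return bugs


def simulate_visits(pages):
    """Model a browser visiting each (site, html) page in turn. The tracker
    host sets one cookie the first time it is contacted and receives it on
    every later image load, so it sees all visits under a single id."""
    cookie_jar = {}   # tracker host -> cookie value held by this browser
    tracker_log = {}  # tracker host -> cookie value -> [(site, params), ...]
    for site, html in pages:
        for bug in find_web_bugs(html, site):
            host = bug["host"]
            uid = cookie_jar.setdefault(host, f"uid-{len(cookie_jar) + 1}")
            tracker_log.setdefault(host, {}).setdefault(uid, []).append((site, bug["params"]))
    return tracker_log


# Constructed sample pages: two unrelated sites embedding the same ad pixel.
PAGES = [
    ("news.example", '<html><body><p>Headline</p><img src="http://ads.example/'
     'clear.gif?site=news&sec=politics" width="1" height="1"></body></html>'),
    ("shop.example", '<html><body><img src="/logo.png" width="120" height="40">'
     '<img src="http://ads.example/clear.gif?site=shop&cart=stroller" width=1 '
     'height=1 style="display: none"></body></html>'),
]
```

Running `simulate_visits(PAGES)` shows the ad host attributing both the news visit and the shopping-cart visit to the same cookie id, which is the linkage the article describes as the reason Web bugs raise more concern than first-party cookies.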

    John L. Barlament, Duke 1997, is an associate in the Milwaukee office of Michael Best & Friedrich LLP. He practices in employee benefits and e-business.

    Who Watches the Web Watchers?

    The current system of regulating the collection of information online is a turf war of four competing parties: the federal government, industry leaders who urge self-regulation, state governments, and private individuals.

    Federal government and industry leaders in harmony. The Federal Trade Commission (FTC) recently endorsed a set of advertising industry self-regulatory guidelines developed with the Network Advertising Initiative, an association that includes most of the leading online advertising companies.3 The core principles of these guidelines are:

    1) Notice - Data collectors must disclose their information practices before collecting personal data from consumers;

    2) Choice - Consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided;

    3) Access - Consumers should be able to review the data collected about them;

    4) Security - Data collectors must take reasonable steps to ensure that information collected from consumers is accurate and secure from unauthorized use; and

    5) Enforcement - The use of a reliable mechanism to identify and impose sanctions for noncompliance with these practices.4

    These principles have been harshly criticized by two leading privacy organizations.5 One of the main concerns of these organizations is that the principles often require individuals to "opt-out" of online profiling. Opting out of online profiling places a burden on computer users to affirmatively state that they do not want their personal information to be monitored or shared. The opt-out standard often is preferred by online advertising companies. The other standard, "opt-in," requires Web site operators to receive express permission from users before gathering or using the users' personal information.

    Even though the FTC has strongly supported industry self-regulation, the FTC has called for "backstop" legislation to ensure that consumers' privacy is protected online. Many members of Congress seem to agree that privacy legislation is needed; several privacy bills have been introduced recently.6 Until "backstop" (or broader) legislation is enacted, the scope of federal regulation and industry self-regulation will remain somewhat unclear.

    State and private individuals' efforts. State efforts to regulate the collection of users' information are also muddled. Wisconsin, like most states, has not passed laws specifically designed to govern the gathering and dissemination of personal data over the Internet. State attorneys general and private citizens have been eager to categorize certain Internet information-gathering techniques as violations of existing law. For example, Michigan's Attorney General has likened the placement of cookies on consumers' hard drives to "spying and wiretapping" and has characterized the use of Web bugs as a violation of Michigan's Consumer Protection Act.7 Additionally, at least one lawsuit filed by a private individual has accused Netscape (a subsidiary of America Online) of "eavesdropping" in violation of the federal Electronic Communications Privacy Act and the Computer Fraud and Abuse Act by using a cookie and other software to monitor users' downloads of particular files.8 Other individuals have brought lawsuits based on trespass, invasion of privacy, consumer protection, and anti-stalking laws.9

    Further action by states, including Wisconsin, could be occurring shortly. Gov. Tommy Thompson has appointed a task force on privacy that is reviewing some of the issues relating to online privacy.10 An official report from the task force is expected in early 2001.

    You have zero privacy anyway. Get over it.

    - Scott McNealy, CEO, Sun Microsystems (1999).

    Toysmart.com raises issues on effectiveness of regulation. The recent Toysmart.com controversy vividly illustrates the problems that can arise when industry self-regulation, federal agencies, and state attorneys general all become involved in the regulation of Internet privacy. Toysmart was an Internet-based retailer (with a significant ownership interest by The Walt Disney Company (Disney)) that sold games, books, and children-related toys. Toysmart experienced financial difficulty and filed for bankruptcy protection.11 While in business, Toysmart collected a great deal of personal information from its customers, including names, addresses, billing information, shopping preferences, and the names and birth dates of customers (including children). Toysmart's privacy policy had been approved by TRUSTe, a leader in the self-regulation industry and an organization that awards licenses to Web sites that satisfy its privacy policies. Toysmart's privacy policy stated that personal information would "never" be shared with a third party. Upon filing for bankruptcy, however, Toysmart quickly found that one of its largest assets was its customer list. Toysmart proposed to the bankruptcy court that the customer list be sold as a separate asset to pay creditors, despite the fact that Toysmart had promised to never sell the data to a third party.

    The FTC, TRUSTe, and attorneys general from 42 states (including Wisconsin) quickly petitioned the bankruptcy court to stop the sale of the personal information.12 The FTC negotiated with Toysmart and reached an agreement, whereby Toysmart would be allowed to sell the customer data if the data was sold with the company's name and Web site. The new owner of the data also had to engage in a similar business and agree to abide by Toysmart's privacy pledge.13 However, this settlement with the FTC did not resolve the concerns of the state attorneys general or TRUSTe.14 The attorneys general filed a motion with the bankruptcy court, insisting that Toysmart customers be notified before the sale of the data and given the chance to remove their information from the list. A subsidiary of Disney offered to purchase the customer list for $50,000 and then destroy the list.15 It is not clear whether this offer will satisfy the bankruptcy court, TRUSTe, or the state attorneys general.

    The upside of the Toysmart situation is that it clearly demonstrates a willingness on behalf of the federal government, states, and the industry's self-regulation organizations to attempt to protect consumer information. However, significant issues are raised by the Toysmart situation. How effective can TRUSTe be in bringing a lawsuit against a bankrupt corporation? What rights do Web users have to enforce a privacy policy that they may not even have seen or been aware of? When can businesses modify their Web site privacy policies? And, finally, should businesses be required to successfully navigate the laws of all 50 states (not to mention foreign jurisdictions) when they gather customer information online? Or, should a national, standardized law be implemented?

    The European Union Intervenes

    While various entities in the United States argue over who should regulate consumer data gathered over the Web, the European Union (EU) has already adopted a strong, standardized position on collecting, processing, and storing personal data that is transmitted via electronic means (which includes more than just information that is gathered over the Internet). European Union Directive 95/46/EC (the "Directive") was passed to aid and ensure the smooth transmission of personal data across national borders. The regulations under the Directive include:

    1) Personal data must be collected for specified, explicit, and legitimate purposes;

    2) Special categories of data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health or sex life) require the data subject's explicit consent before the data can be shared with a third party or used in a manner for which it was not originally collected;

    3) The data collector must provide certain explanatory information to the data subject when the data is collected; and

    4) The data subject must be allowed to review and modify incorrect data.

    United States businesses noted that the Directive's jurisdiction section was broad enough to include them if they had any operations or sales in the EU. In an effort to help United States businesses comply with these requirements, the Commerce Department negotiated a "safe harbor" agreement with the EU.16 Under the safe harbor agreement, United States corporations can self-certify that they will comply with the Directive's requirements. United States corporations that currently collect or exchange personal data from EU member states had to comply with the safe harbor provisions by Nov. 1, 2000, or face the possibility that any electronic exchange of personal data from the EU to the United States will violate the Directive.

    It may be difficult for United States corporations conducting business in the EU to isolate U.S.-derived personal data from EU-derived personal data. These corporations may decide to adopt data protection standards for all personal data, not just EU-derived personal data. If so, the EU will have, in essence, caused many United States companies to conform to standards it considers adequate.

    The Federal Government Gets Serious: COPPA

    The right to be left alone - the most comprehensive of rights, and the right most valued by a free people.

    - Justice Louis Brandeis, Olmstead v. U.S., 277 U.S. 438 (1928)(in dissent).

    One area in which the federal government has followed the lead of the EU and passed strong rules is in the collection of children's personal information. Congress passed the Children's Online Privacy Protection Act (COPPA) in October 1998 to restrict how commercial Web site operators gather information from children under age 13. The FTC's rules implementing COPPA became effective April 21, 2000.

    COPPA places significant burdens on Web sites that are directed or targeted to children (including those that have a portion of their site targeted to children) and on general audience Web sites that have "actual knowledge" that they are dealing with a child or that a child is disclosing personal information.17 If a Web site falls under COPPA's rules, the Web site operator must obtain "verifiable parental consent" from the child's parent before collecting, using, or disclosing the child's personal information.

    The FTC has suggested methods for obtaining verifiable parental consent, including:

    1) providing a consent form that can be printed out, signed by the parent, and returned by postal mail or facsimile;

    2) requiring a parent to use a credit card to demonstrate adult status;

    3) having a parent call a toll-free number staffed by trained personnel to determine if the person is an adult;

    4) verifying a parent's digital signature using public key technology; and

    5) email approval accompanied by a PIN or password obtained through one of the above methods.18

    Additionally, until April 21, 2002, companies that will be using a child's personal information for internal purposes may obtain consent using a parent's email address so long as this is coupled with an additional verification step such as a follow-up telephone call, letter, or email.

    COPPA offers limited exceptions to its parental consent requirements. No parental consent is required if the child's personal information is:

    1) contact information collected for the sole purpose of obtaining parental consent;

    2) contact information used on a one-time basis to respond to a specific request of the child;

    3) contact information used to respond on a repetitive basis to a single request and not for any other use (for example, if a child merely signs up for an email newsletter and the child's email address is not used for any other purpose); or

    4) certain other limited exceptions.19

    These rules can be costly to comply with, and they carry significant civil penalties: up to $11,000 per violation. The FTC recently issued a reminder that children's privacy issues are a "priority" for it.20 An FTC survey of sites that collect personally identifiable information from children found that one-half of these sites have "substantial compliance problems."21 The FTC filed a complaint against Toysmart for its collection of personal information from children, and it is likely that the FTC will increase its enforcement of COPPA.

    Conclusion

    The issues surrounding electronic collection, storage, and use of personal data collected through the Internet will only continue to grow. While the federal government has taken a strong position on protecting children's personal data, it remains to be seen whether other personal data will be regulated by the federal government, states, the computer or advertising industries, or outside influences such as the EU.

    Endnotes

    1 Robert O'Harrow Jr., "Fearing a Plague of 'Web Bugs,'" Washington Post, http://www.washingtonpost.com/wp-srv/business/feed/a60184-1999nov13.htm (Nov. 13, 1999); Dave Methvin, "Are You Being Bugged?," Winmag.com, http://www.winmag.com/fixes/webbugs.htm (Sept. 21, 1999).

    2 Electronic Privacy Information Center, Network Advertising Initiative: Principles Not Privacy, http://www.epic.org/privacy/internet/NAI_analysis.html (July 2000).

    3 Keith Perine, "FTC Approves Privacy Plan," The Industry Standard, http://www.thestandard.com/article/display/0,1151,17211,00.html (July 27, 2000).

    4 FTC, Online Profiling: Report to Congress, Part Two, Recommendations, http://www.ftc.gov/os/2000/07/onlineprofiling.htm (July 2000).

    5 Supra, note 2.

    6 The Electronic Privacy Information Center monitors many of these bills. See http://www.epic.org/privacy/bill_track.html.

    7 Chet Dembeck, "Online Privacy Inside and Out," EcommerceTimes, http://www.ecommercetimes.com/news/articles2000/000425-1a.shtml (April 25, 2000); Ann Harrison, "Michigan Charges Web Sites with Privacy Violations," Computer World, http://www.cnn.com/2000/TECH/computing/06/19/mich.web.idg/index.html (June 19, 2000).

    8 Keith Perine, "Lawsuit Says You Can't Escape Netscape," The Standard, http://www.thestandard.com/article/display/0,1151,16622,00.html (July 7, 2000).

    9 Charles L. Kerr, Oliver Metzger, "Online Privacy: Emerging Issues," 607 PLI/Pat 29 (June, 2000). So far, no published cases have reached the merits of these complaints by private individuals.

    10 Governor Announces Privacy Task Force Members, http://www.wisgov.state.wi.us/news/ap_detail.asp?prid=29 (Aug. 3, 1999).

    11 Elizabeth Blakely, "After the Toysmart Debacle," EcommerceTimes, http://www.ecommercetimes.com/news/articles2000/000725-1.shtml (July 25, 2000).

    12 See In re: Toysmart.com LLC (Br. Mass.) (Case No. 0013995-CJK), http://www.naag.org/features/Toysmart.htm; Jennifer Heldt Powell, "Customer Info Fight in Court," Boston Herald, http://www.bostonherald.com/business/technology/toy07212000.htm (July 21, 2000); Linda Rosencrance, "Web Privacy Organization Seeks to Block Toysmart Sale," Computer World, http://www.computerworld.com/cwi/story/frame/0,1213,NAV47_STO46729,00.html (July 6, 2000).

    13 FTC, Announces Settlement With Bankrupt Web Site, Toysmart.com, Regarding Alleged Privacy Policy Violations, http://www.ftc.gov/opa/2000/07/toysmart2.htm (July 21, 2000); Heldt Powell, FTC Says Toysmart.com Can Sell Customer Data, http://www.bostonherald.com/business/technology/toys07222000.htm (July 22, 2000).

    14 Brian Krebs, Newsbytes, States Formally Object to Toysmart Settlement with FTC, http://www.newsbytes.com/pubNews/00/153220.html (Aug. 4, 2000).

    15 Settlement Made in Toysmart Case to Protect Customer Names, http://www0.mercurycenter.com/svtech/news/breaking/merc/docs/047839.htm (Jan. 9, 2001).

    16 See International Trade Administration Electronic Commerce Task Force, http://www.ita.doc.gov/td/ecom/menu.html (July 27, 2000).

    17 16 C.F.R. § 312.3 (1999).

    18 See id. at § 312.5(b).

    19 See id. at § 312.5(c).

    20 FTC, Web Sites Warned to Comply With Children's Online Privacy Law, http://www.ftc.gov/opa/2000/07/coppacompli.htm (July 17, 2000).

    21 Id.
