Bar Journal - December 1, 2000

Online Privacy Statements

By: Courtney J. Merrill
I. OVERVIEW OF PRIVACY ONLINE

As our global and information-based economy becomes more and more dominated by electronic commerce, our ability to maintain personal privacy is increasingly at risk. Traditional notions of privacy protection are often abandoned as information technology provides ever improving means to obtain and process data, and in light of the value that such data has to a host of information users. The debate world wide is whether government regulation is necessary to protect privacy, or if the technology industry will provide its own solutions and successfully self-regulate.

Generally, the United States has adopted an approach to privacy protection with minimal governmental regulation, while Europe has championed a regime of legal rights. To qualify its laissez-faire posture, the U.S. government has intervened in response to particular scandals involving abusive information practices.1  Most notably, in an effort to chill the unauthorized use of personal information collected from online consumers, the Federal Trade Commission ("FTC") has recently asserted its authority over Internet activity by exercising its section 5 powers over unfair and deceptive trade practices. Through the recent GeoCities decision, the FTC has made one thing clear - privacy statements are a must. The following discussion will address the FTC and industry approach to privacy statements, and how your technology clients can protect themselves from sanctions by crafting and adhering to privacy statements.

A. Recent FTC Regulations and Actions

In a recent exercise of its power to regulate unfair and deceptive trade practices,2  the FTC brought a complaint against GeoCities,3  the web operator of an online virtual community (a collection of consumers’ personal home pages grouped into themed "neighborhoods").4  GeoCities was charged with making false and misleading representations to its consumers, the bulk of whom were children, while collecting, marketing and selling their personal information without an adequate privacy statement or parental consent.

Following the GeoCities ruling, the FTC sought sanctions against Touch Tone Information, Inc., an "information broker." The FTC charged Touch Tone with illegally obtaining and selling consumers' private financial information.5  The complaint, filed in the U.S. District Court for the District of Colorado, alleges that Touch Tone obtained consumer information by "pretexting," a term of art coined by the private investigation industry to describe the practice of obtaining personal information about others under false pretenses.6  According to the FTC, Touch Tone's pretexting involved calling banks and using deceptive means to obtain a consumer's private financial information, often by impersonating the account holder and lying about the circumstances of the inquiry. Pretexting services and the information so obtained are then marketed via the Internet to anyone willing to pay. According to FTC Chairman Robert Pitofsky, "Touch Tone's pretexting is a particularly pernicious invasion of consumers' privacy – using deception to gain access to sensitive, private financial information… This case should send a strong message to information brokers that the FTC will pursue firms that use false pretenses to profit at the expense of consumers' privacy... "7  Though the case is still pending, the FTC has affirmed its willingness to exercise enforcement power over those who pirate consumers' personal information, whether that information belongs to children or adults.

B. Privacy Statements

Through the GeoCities decision, the FTC put the world of web operators and online information collectors on notice. While the case is binding only on GeoCities, the weight of its message is clear. A scan of current websites reveals a burgeoning population of privacy statements on sites of every kind, ranging from corporate8  to charitable9  in design. But how do you know if your web site needs a privacy statement, and if so, what formalities are necessary?

The GeoCities decision10  is primarily concerned with the online collection of personal identifying information from children. However, as a general rule, any web site collecting personal information should contain a privacy statement. The Commission promulgated the following nonexclusive list of disclosures to be included in the privacy statement:

  1. What information is being collected (e.g., "name," "home address," "e-mail address," "age," "interests");
  2. Its intended use(s);
  3. The third parties to whom it will be disclosed (e.g., "advertisers of consumer products," "mailing list companies," "the general public");
  4. The consumer’s ability to obtain access to or directly access such information and the means by which (s)he may do so;
  5. The consumer’s ability to remove directly or have the information removed from databases and the means by which (s)he may do so; and
  6. The procedures to delete personal identifying information from databases and any limitations related to such deletion.

The decision requires that privacy statements provide clear and prominent notice to consumers, including the parents of children, with regard to collection practices and use of personal information. Adequate notice is achieved by compliance with the following procedure:

  1. placement of a clear and prominent hyperlink labeled PRIVACY NOTICE on the home page which directly links to the privacy notice screen;
  2. placement of the requisite disclosures (items 1-6 listed above) clearly and prominently on the privacy notice screen, followed by a button that must be clicked on to make it disappear; and
  3. at every location on the site where personal identifying information is collected, placement of a clear and prominent hyperlink on the initial screen on which the collection takes place, which links directly to the privacy notice and which is accompanied by the following statement in bold typeface:

NOTICE: We collect personal information on this site. To learn more about how we use your information click here.

In addition to substance and placement of privacy statements, the GeoCities decision delineates procedures by which express parental consent is to be obtained by anyone collecting personal information from children, defined in the case as twelve or under. Express parental consent can be received so long as the web operator:

Collects and retains certain personal information from a child, including birth date and the child’s and parent’s e-mail addresses ("screening information"), to identify the site visitor as a child and to block any attempt to register without parental consent; then

  1. gives notice to the child to have a parent provide express parental consent to register; and/or
  2. sends a notice to the parent’s e-mail address for the purpose of obtaining express parental consent;

Such notice to parent or child shall provide instructions for the parent to:

(i) go to a specific URL on the web site to receive information on the operator’s practices regarding collection and use of personal identifying information from children; and

(ii) provide express parental consent for the collection and use of such information.11 

The screening information collected is to be held in a secure manner, not to be used for purposes other than to effectuate notice, or to block the child from further attempts to register without parental consent. Additionally, if express parental consent is not received within twenty days after collection of the information, the information must be removed except such screening information necessary to block the child from further attempts to register. In a final note, the decision and its guidelines do not contradict permissible collection and use of personal information from children as provided for in the Children’s Online Privacy Protection Act of 1998 (the "Act"),12  regulations or guides promulgated by the Commission, or self-regulatory guidelines approved by the Commission pursuant to the Act.

C. Industry Self-Regulation

In addition to enforcement actions, the FTC has devoted considerable efforts to encourage and facilitate a self-regulatory system.13  Recent private sector initiatives, including non-profit services such as TRUSTe and BBBOnLine, provide viable but largely untested options for protecting privacy on the Internet.14 

TRUSTe15  is a program through which a website operator agrees to disclose its privacy policies and license, for a fee, the right to use an online seal, or "trustmark," to certify its compliance with TRUSTe’s privacy standards. A displayed trustmark signifies to online users that the website will make available collection and use practices concerning personal information collected on that site. As a condition of certification, TRUSTe reserves the right to audit licensees to verify compliance with its privacy policy. TRUSTe will drop an operator if the operator fails to satisfy its conditions. Among the fast growing list of licensees are ABC, Disney, E*TRADE, Yahoo!, eBay, and Microsoft.16 

Similarly, the Better Business Bureau project, BBBOnLine,17  promotes industry self-regulation by offering its own brand of privacy seals, including the BBBOnLine Reliability Seal, Privacy Seal and Kid's Privacy Seal. Like TRUSTe, which also offers a Children's Privacy Seal, the BBB's Kid's Privacy Seal requires licensees to comply with additional requirements based in part on the Children's Online Privacy Protection Act. Officially launched on March 17, 1999, BBBOnLine also serves an expanding clientele, including American Airlines, AT&T, Eastman Kodak, and Nestlé USA.

These self-regulatory initiatives have met with mixed reviews. Among the common complaints are the lack of enforcement mechanisms for privacy disputes, and a general failure to hold corporate members accountable for privacy violations or to provide damage remedies when such violations occur. Critics are concerned that nebulous and loosely defined terms, such as "individually identifiable information," fail to give licensees adequate notice of the depth and scope of their obligations. And recent popularity notwithstanding, there is no guarantee that the online industry will participate on a large enough scale for TRUSTe-type seal services to work as an effective policing mechanism. Additionally, as one might imagine, a seal service faces a potential conflict of interest when it must discipline a non-compliant corporate sponsor.

D. The European Approach

In contrast to the largely self-regulating U.S. approach to data protection, the European Union ("EU") adopted a comprehensive legal rights regime to address what is, by all accounts, a global privacy problem. The Directive on Data Protection18  was adopted in October 1995, and the fifteen EU Member States were required to bring their national law into line with it by October 1998.19  Accordingly, each Member State is responsible for enacting legislation governing the collection, processing and dissemination of personal data in compliance with the terms of the Directive.

One of the most significant aspects of the Directive is the prohibition on the transfer of personal data to non-Member States whose data protection standards do not provide adequate levels of protection. This, incidentally, includes the United States. To maintain the free and uninterrupted flow of information between Europe and the U.S., an EU-adopted provision suspends this rule for the time being. Meanwhile, considerable efforts are underway between EU officials and the U.S. Department of Commerce to establish a data protection regime to serve as a "safe harbor" for U.S. Internet companies to continue conducting electronic commerce transactions with the EU community.20 

E. Drafting A Privacy Agreement

Various boilerplate privacy statements are available online through organizations such as TRUSTe21  or the Direct Marketing Association.22  Whether subscribing to a seal service or not, due care must be exercised when creating a privacy statement to avoid making inaccurate representations regarding the site's actual privacy practices.

Drafting a privacy policy requires a thorough examination of the website's current and expected data collection and use practices. Drafters should be mindful of both short-term marketing objectives and long-term risk management and business development projections. The best guidance for drafting a privacy statement comes from the GeoCities decision: follow its procedures for disclosure and proper placement of notice. Also, before making absolute promises regarding privacy, consider the factors that could compromise security despite the operator's best intentions, for example, hackers, fraudulent or criminal activity by outsiders or company employees, and unintentional privacy breaches by those who handle or collect the information. A promise of confidentiality that the operator cannot keep is itself a potentially deceptive representation. Consider internal and technological safeguards to protect against such breaches. If information is collected by independent contractors, they too must comply with the adopted procedures. Further, if information is collected from children, the privacy statement must meet the additional requirements discussed in GeoCities, in compliance with the Children's Online Privacy Protection Act.

II. CONCLUSION

Whether the caveat emptor, notice-and-consent approach taken in the U.S. will provide adequate online privacy protection remains to be seen. In the meantime, the increase in industry self-regulation and the threat of FTC scrutiny make disclosure a must. In the GeoCities aftermath, it is clear that privacy statements are necessary to guard against the potential liability of online information collectors.

Drafting Privacy Statements: Checklist

  1. Has a thorough examination been conducted to determine the website’s current and expected practices concerning the collection and use of personal information so that a true and accurate privacy statement can be drafted?
  2. Does the statement describe what particular information is being collected?
  3. Does the statement describe why the information is being collected?
  4. Does the statement specify who will have access to the collected information?
  5. Does the statement provide the procedure by which a consumer may access, alter or remove provided information?
  6. If the ability to access, alter or remove provided information is qualified, does the statement disclose such limitations?
  7. Is a hyperlink labeled PRIVACY NOTICE clearly and prominently located on the website’s homepage which directly links to the privacy notice screen?
  8. Is the hyperlink located at every location on the site where information is collected and accompanied by the following statement: "NOTICE: We collect personal information on this site. To learn more about how we use your information click here"?
  9. If information is collected from children under 13, does the statement satisfy the additional requirements for parental notification and consent?
  10. Are there any procedural safeguards to ensure employee compliance with the privacy policy?
  11. Are there any technological safeguards to protect the information from unauthorized access?

ENDNOTES

1. See e.g. Paul M. Schwartz & Joel R. Reidenberg, Data Privacy Law: A Study of United States Data Protection 10 (1996).
2. Section 5 of the Federal Trade Commission Act, 15 U.S.C. 45.
3. See http://www.geocities.com
4. In the Matter of GeoCities, a corporation, Docket No. C-3850 (1999); 1999 FTC LEXIS 17 (Feb. 5, 1999).
5. FTC v. Touch Tone Information, Inc., Civil Action No. 99-WM-783 (D. Colo. 1999); 1999 FTC LEXIS 112 (April 22, 1999); see also http://www.ftc.gov/os/1999/9904/majoritystatement.htm.
6. See Consumers’ Private Financial Information Obtained And Sold Illegally; FTC Alleges, Federal Trade Commission News Release (April 22, 1999); http://www.ftc.gov/opa/1999/9904/touchtone.htm.
7. Id.
8. See e.g. http://www.ibm.com.
9. See e.g. http://www.charityweb.net.
10. See also http://www.ftc.gov/os/1998/9808/go-ord.htm for a copy of the GeoCities Decision and Order.
11. See GeoCities, Decision and Order at § V for a complete list of requirements.
12. 15 U.S.C. § 6501 et seq.
13. See e.g. "Privacy Online: A Report to Congress," Federal Trade Commission Report, June 1998; http://www.ftc.gov/reports/privacy3/toc.htm; "Electronic Commerce: Privacy in Cyberspace," Hearings on H.R. 2368 before the Subcommittee on Telecommunications, Trade and Consumer Protection of the House Committee on Commerce, 105th Cong., 2nd Sess., July 21, 1998; http://www.ftc.gov/os/1998/9807/privac98.htm.
14. See e.g. Remarks of Commerce Secretary William Daley at Press Conference on E-Commerce (Feb. 5, 1999); http://www.doc.gov/opa/Speeches/ecommerceremarks.htm.
15. http://www.truste.org (visited Feb. 2, 2000).
16. For a complete list of licensees, visit the TRUSTe website at http://www.truste.org/users/users_lookup.html.
17. http://www.BBBOnLine.com.
18. See Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Oct. 24, 1995, 1995 O.J. (L 281) 31.
19. See Council of Europe, Chart of Signatures and Ratifications of Convention No. 108 (the Council of Europe's data protection convention, a separate instrument from the EU Directive), for a list of countries that have ratified that treaty; http://www.coe.fr/tablconv/108t.htm.
20. For related materials, see U.S. Department of Commerce, International Trade Administration; http://www.ita.doc.gov/media/mog.html.
21. See http://www.truste.org/wizard.
22. See http://www.the-dma.org/policy.html.

The Author

Attorney Courtney J. Merrill is an Associate at the firm of Orr & Reno P.A., Concord, New Hampshire.