New Hampshire Bar Association
Bar Journal - December 1, 2000

Online Privacy: Federal Legislation and the Role of the FTC

By:
 
INTRODUCTION

The Internet is unique among communications media in the variety and detail of personal information generated by its use. Before the development of new interactive technologies, an individual’s principal source of privacy was not the law, but the physical inability of the private sector to capture and compile the multiple bits of information that encompass each individual’s daily life. Participation in a digitally interconnected economy, however, requires placing personal information in the hands of others. In this setting, privacy—or, as Justice Brandeis termed it over a century ago, "the right to be let alone"—mandates that individuals have control over how that information is distributed and used by others.

Traditionally, privacy protection law in the United States has been fragmented at best. The most comprehensive privacy schemes are provided by the common law, specifically the four invasion of privacy torts delineated by Prosser, and by the various sections of the U. S. Constitution, including the Fourth Amendment’s safeguard against unreasonable searches. Application of the common law to online privacy issues is uncertain, however, and the Constitution restricts only "state action." No overarching federal statute governing informational privacy in the private sector exists.

In a May 2000 report to Congress, the Federal Trade Commission (FTC) concluded that, despite laudable efforts by industry leaders in developing self-regulatory initiatives, legislation is necessary to assure wholesale implementation of consumer privacy protections in the online marketplace.2  The FTC’s report points out that the exponential growth of this marketplace creates a significant threat to consumer privacy:

"While American businesses have always collected some data from consumers in order to facilitate transactions, the Internet allows for the efficient, inexpensive collection of unprecedented amounts of data that can be used for myriad subsequent purposes. It is the prevalence, ease, and relatively low cost of such information collection and use that distinguishes the online environment from more traditional means of commerce and information collection and thereby raises significant consumer privacy concerns."3 

Not addressed in the FTC’s report is how national legislation would impact companies attempting to do business on a global scale. Due to the global nature of the Internet, national legislation may be effectively unenforceable as well as unduly burdensome for businesses attempting to create a worldwide marketing strategy.

MARKET FORCES DRIVING CONSUMER PRIVACY INITIATIVES

The Internet’s ability to provide one-to-one marketing, irrespective of the type of product or service, promises enormous value to online retailers. The business community is aware, however, that the full potential of the Internet will never be reached unless consumers feel secure in the electronic marketplace. In a 1999 study surveying users’ attitudes about online privacy, an overwhelming 87% of respondents indicated a concern that personal privacy is threatened by use of the Internet.4  More interesting is survey data indicating that, among consumers who designate themselves as not generally concerned about the misuse of their personal information by businesses, 76% admit fear of privacy intrusions on the Internet.5  It is a small step from apprehension over online privacy to a refusal to engage in online commerce. Indeed, recent studies suggest such apprehension could be responsible for lost online sales ranging from $2.8 billion in 1999 to a projected $18 billion by 2002.6 

An additional force pushing privacy initiatives is the European Union Data Protection Directive, effective in 1998. The Directive has the potential to stall e-commerce in the U. S. because it provides that electronically-stored information about European citizens may flow only to those countries outside the Union that provide "adequate" data protection. Adequate data protection under the Directive requires that European citizens be told how their personal data will be used; be granted access to information about themselves in companies’ files; be given an opportunity to correct false information; and be given notice and an opportunity to opt out before personal information is transferred to a third party. Most commentators believe that the present state of privacy law in the U. S. does not meet this requirement.7 

THE FTC's ROLE

Under § 5 of the FTC Act, the FTC is empowered to commence proceedings to prevent persons from using unfair or deceptive acts or practices in commerce.8  Because the FTC has used this power most recently to police privacy violations on the Internet, a reporter for The Wall Street Journal has dubbed the agency "the main U. S. marshal in cyberspace."9  Although the FTC can pursue an online business for deceiving consumers by failing to follow its own privacy policy or for adopting a policy that is inherently unfair, the FTC lacks authority to require e-commerce players to adopt privacy policies in the first instance, unless their sites target children. Recent investigations and actions by the FTC illustrate the agency’s emergence as a key player in the, as yet, minimal governmental regulation of the Internet.

GeoCities operates a popular Internet site that hosts personal home pages and offers free e-mail service to its over 2 million members. To become a member, applicants were asked to fill out a form that requested such information as e-mail and postal addresses and demographics including income, education, gender, marital status and occupation. Applicants were told that the information would be used only to provide them with specific advertising offers in which they had indicated an interest and that the demographic information would be held in confidence. The minimal privacy policy on the website indicated nothing to the contrary. In 1998, the FTC charged that GeoCities misrepresented the purposes for which it was collecting such information and that it had released the demographic information to third party marketers. The charges were settled shortly thereafter with GeoCities’ agreement to place a prominent revised privacy policy on its web site and to obtain parental consent before collecting personal information from children 12 years and under.10 

Liberty Financial Companies, Inc., is a large asset management company that operates the Young Investor web site, directed to children and teens and focusing on issues relating to money and investing. The site offered a survey area where children were invited to provide financial information anonymously, including the child’s: weekly allowance; types of financial gifts received such as stocks, bonds, and mutual funds; spending habits; part time work history; plans for college; and family finances. The site also requested identifying personal information, such as name, age, and e-mail and postal addresses, in order to provide the children with a newsletter and eligibility to win prizes. In 1999, the FTC charged that Liberty Financial falsely represented anonymity because the company had the ability to match specific individuals to their responses in the survey. Liberty Financial settled the charges almost immediately by agreeing to comply with the notice and parental consent requirements that form the basis of the Children’s Online Privacy Protection Act, which had not yet become effective.11 

DoubleClick, the Internet’s leading advertising firm, merged recently with Abacus Direct to obtain the direct marketer’s database of consumer names and addresses. Originally, DoubleClick planned to cross-reference the database with clickstream data it had generated to create detailed consumer profiles. Shortly after the merger, the advertiser’s profiling activities became the subject of inquiries by the FTC, the New York State Attorney General’s Office, and the Michigan Attorney General’s Office. The company became the defendant in at least six privacy-related lawsuits. DoubleClick came under scrutiny for its online profiling activity because it collected personal information, for the most part, without the knowledge of the consumers in question and marketed that information to third parties without notice to or consent from the profiled consumers.

Online profiling can be defined as the collection and analysis of consumer data (e.g., interests and purchases) obtained by tracking user movement on the Internet. One way in which such tracking occurs involves the placement of unique identifiers, or cookies, in a text file on the computer of any user that accesses the subject sites. Cookies may be planted by the site accessed or by a third party advertising firm under contract with the individual sites. The cookies are then used to track individual users as they browse the Internet, allowing the advertising firms to accumulate data that reflect the user’s path or clickstream and reveal the user’s interests, tastes, and online associates. From this clickstream data, firms create user profiles which, if anonymous, can be used to create advertising targeted for a particular web site or, if merged with personally identifiable information, can be used to create advertising targeted to individual users.
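The mechanism described above can be seen from the user's side by auditing what a browser sends. The following is an added example, not part of the original article: it scans a constructed request log for cookie values that the same third-party host receives on several unrelated sites, which is what makes a clickstream linkable. The host names, cookie names, the two-label `site_of` shortcut and the `non_identifying` parameter are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: requests one browser made while visiting three sites.
# Fields: (host of the page visited, host that received the request, Cookie header)
SAMPLE_REQUESTS = [
    ("www.shop.example",    "www.shop.example",    "session=s-81f2"),
    ("www.shop.example",    "ads.adnet.example",   "uid=7c41d9"),
    ("www.news.example",    "www.news.example",    "prefs=dark"),
    ("www.news.example",    "cdn.news.example",    "prefs=dark"),
    ("www.news.example",    "ads.adnet.example",   "uid=7c41d9"),
    ("forum.hobby.example", "ads.adnet.example",   "uid=7c41d9; lang=en"),
    ("forum.hobby.example", "stats.meter.example", "optout=1"),
    ("www.shop.example",    "stats.meter.example", "optout=1"),
]


def site_of(host):
    """Naive registrable domain (last two labels).

    Assumption for this example only; a real audit would consult the
    Public Suffix List so that hosts under suffixes like co.uk group correctly.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_cookies(header):
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs


def cross_site_identifiers(requests, non_identifying=frozenset(), min_sites=2):
    """Return {(third_party_site, cookie_name, value): [first-party sites]}.

    A cookie value is reported when a host outside the visited site received
    it on at least `min_sites` different sites. Pairs in `non_identifying`
    (values that are the same for every user, such as an opt-out marker)
    are skipped because they cannot single out one browser.
    """
    seen = defaultdict(set)
    for page_host, request_host, cookie_header in requests:
        first_party = site_of(page_host)
        recipient = site_of(request_host)
        if recipient == first_party:
            continue  # first-party cookie: only the visited site sees it
        for name, value in parse_cookies(cookie_header):
            if (name, value) in non_identifying:
                continue
            seen[(recipient, name, value)].add(first_party)
    return {key: sorted(sites) for key, sites in seen.items()
            if len(sites) >= min_sites}


if __name__ == "__main__":
    findings = cross_site_identifiers(SAMPLE_REQUESTS,
                                      non_identifying={("optout", "1")})
    for (tracker, name, value), sites in findings.items():
        print(f"{tracker} received {name}={value} on: {', '.join(sites)}")
```

In the sample, the cookie sent to `cdn.news.example` is not reported because it stays within the visited site, while the `uid` value is reported because one outside host saw it on three sites.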

In response to the FTC’s concerns about online profiling, the leading Internet network advertisers, including DoubleClick, formed a consortium—the Network Advertising Initiative (NAI)—to develop a framework for self-regulation of the online profiling industry.12  NAI has submitted to the FTC a plan for self-regulation of online profiling which has since been endorsed by the agency. The plan sets three major industry standards: consumers may opt out of the collection of anonymous data on the Internet; they may decline to allow merger of previously collected anonymous data with personally identifying information; and they may control the collection of personally identifying information at the time and place it is gathered on the Internet.13 

CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)

Recently, Congress authorized the FTC to enforce COPPA, aimed at protecting the privacy and safety of children under 13 years of age on the Internet.14  The statute, effective April 21, 2000, applies to operators of commercial web sites directed to children and to operators of general audience web sites that knowingly collect personal information from children. To determine whether a web site is directed to children, the FTC will consider several factors: the subject matter; visual or audio content; age of models on the site; language; whether a site uses animated characters or other child-oriented features; whether advertising on the site is directed to children; and information regarding the age of the actual or intended audience. Affected web site operators must comply in the following ways.

  1. Operators must post a privacy policy that includes: types of personal information to be collected; how the site will use the information; whether the information is forwarded to advertisers or other third parties; and a contact at the site.
  2. Operators must obtain parental consent before collecting, using or disclosing personal information about a child. Parental consent by return e-mail to the operator is allowed only where the site does not intend to share personal information with third parties. If the company does intend to share the information, parental consent must be obtained by return postal mail or fax to the operator or by an equally reliable method. Consent is not required when collecting an e-mail address to respond to a one-time request from the child, to provide notice to the parent, to ensure the safety of the child or the site, or to send a newsletter or other information on a regular basis. New parental consent is required if the site changes its information practices in any material way.
  3. Operators must allow requesting parents to review personal information collected from their children (web site operators must verify the identity of the requesting parent).
  4. Operators must allow parents to revoke their consent and request deletion of information collected from their children.

Industry groups or other interested parties may create self-regulatory programs to govern compliance with COPPA but the programs must be approved by the FTC and they must include independent monitoring and disciplinary procedures. Participation in such a program will serve as a "safe harbor" in any enforcement action for violations of the statute.

ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)

The only other piece of federal legislation aimed directly at protecting privacy in the online environment is the ECPA. The ECPA, enacted in 1986, extends the federal wiretap law beyond aural transmissions to electronic data transmissions.15  The purpose of the ECPA is to protect electronically stored and transmitted information from intrusion by private parties while balancing that privacy interest against necessary law enforcement surveillance. The ECPA imposes duties on information service providers and custodians of information as well as imposing duties on intruders and eavesdroppers. Violations of the obligations created by the statute constitute felonies.

First, the ECPA prohibits intentional interception of electronic communications or disclosure or use of the contents of electronic communications one knows or has reason to know were intercepted without authorization of the sender. Second, the legislation prohibits intentional unauthorized access to information stored in any facility through which electronic communications are transmitted. Note that this prohibition extends not only to accessing such a facility to begin with but also to exceeding one’s authorization if authorized access has been granted. Finally, the ECPA prohibits the intentional sending of worms and viruses over public networks. Traditional notions of interception and eavesdropping don’t really apply to viruses or worms. Viruses or worms are programs that are transmitted through a computer network causing malfunctions in computer systems or causing the systems to crash by rampant replication that overburdens memory.16 

INDUSTRY SELF-REGULATION

The rapidly evolving nature of the Internet and computer technology leads many e-commerce observers to argue that self-regulation is the most efficient and least intrusive means of protecting privacy online at present. The major efforts at self-regulation are discussed below.

For the past quarter century, government agencies in the U. S., Canada, and Europe have issued a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices.17  Common to all these efforts are five core principles:

  1. notice/awareness—Consumers should be given notice of an entity’s information practices before any personal information is collected from them.
  2. choice/consent—Consumers should be given options as to how any information collected about them will be used.
  3. access/participation—Consumers should be able both to access information about them held by others and to contest that data’s accuracy and thoroughness.
  4. integrity/security—Collectors must take reasonable managerial and technical measures to ensure reliability and security of consumer data.
  5. enforcement/redress—An enforcement mechanism must be implemented to ensure compliance with the guidelines and to make appropriate remedies available to consumers for violations of the guidelines.

Although most e-commerce businesses now include a privacy policy on their web sites, which satisfies the first core principle, and they may use encryption to secure credit card information, which partially satisfies the fourth core principle, they have been slow to embrace the remaining core principles.

Privacy seal programs, which work much like the Good Housekeeping Seal of Approval, have recently emerged as an e-commerce tool. The seals, or trustmarks, are awarded only to sites that adhere to established privacy principles and that agree to comply with ongoing oversight by the licensor and to submit to the licensor’s alternative dispute resolution process. TRUSTe, launched nearly two years ago, currently has more than 500 licensees representing a variety of industries.18  BBBOnLine, a subsidiary of the Council of Better Business Bureaus, which launched its privacy seal program for online businesses last March, currently has 42 licensees and more than 300 applications for licenses.19  Several new programs are emerging, including PrivacyBot.com which is seeking FTC approval to act as a safe harbor under COPPA.20 

Most e-commerce businesses agree that a secure online medium is necessary in order to engender consumer confidence in the routine transmission of sensitive data, particularly medical or financial information. For this reason, privacy-enhancing technologies that facilitate consumer anonymity can play a useful role in expanding e-commerce. Online businesses can either incorporate these technologies into their web sites or render their sites compatible with such technologies if they are used by consumers. Several examples of such technologies are described below.

Encryption ensures business and individual privacy because: it ensures integrity by detecting alterations in digital messages; it authenticates the identity of a party to a communication; it evidences that a party to a communication either transmitted or received a particular message; and, it prevents eavesdropping or intrusion on a private communication. Pretty Good Privacy, or PGP, is an excellent example of freely-available encryption technology which can be used by online businesses and consumers alike.21 

Commercial sites that allow users to make purchases anonymously using digital cash or smart cards could reduce the amount of personally identifiable information that such sites collect unnecessarily.22  Digital cash is a system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on paper cash, digital cash numbers are unique; each number is issued by a bank and represents a specified sum of money. Smart cards resemble credit cards but have an embedded microprocessor chip that allows the holder to transact online business anonymously.

A software product that assigns a different pseudonym for each separate activity a consumer engages in while browsing the Internet is in the testing phase at present.23  Pseudonymous browsing frustrates the ability of a marketer to match profile data to a specific individual.

The Platform for Privacy Preferences Project, or P3P, is a project of the World Wide Web Consortium, aimed at enabling users’ browsers to automatically understand a web site’s privacy practices and to respond automatically according to preferences preset by the user.24  For example, a user may want to preset the browser to provide shipping information when encountering an e-commerce site or to provide demographic information when encountering a survey, but to do so anonymously. The technology would aid users in situations where they would have to enter basic information repeatedly.

As a final matter, major advertisers as well as major advertising firms have begun to exercise their influence over smaller players to push them to conduct online business with the consumer’s privacy in mind. For example, the Association of National Advertisers acknowledged that "[a] number of major marketers, including IBM, Disney, Microsoft and others, have announced that they will not place advertising on any websites that do not have strong privacy policies."25  The hope is that pressure from major marketers coupled with increasing sophistication of net users will create a marketplace solution to the problem of privacy protection for consumers using the Internet. Additionally, the FTC’s endorsement of the NAI’s plan regarding online profiling requires that the members of the NAI obtain contractual agreement from their online clients that they will adopt the standards set forth in the plan as well.26 

CONCLUSION

E-commerce observers urge that the commercial viability of the Internet hinges on the ability of advertisers to collect and analyze detailed information about the preferences, habits and demographics of online consumers. After all, the quid pro quo for free content on the Internet is the enormous value of consumer information generated by the medium’s use. At the same time, participation in this medium should not mandate abandonment of an individual’s right to control with whom personal information is shared and for what purposes. What does emerge from the push and pull of the electronic marketplace is a clear indication that, if online businesses fail to respond to privacy concerns, the FTC and/or consumers themselves will force the issue.

ENDNOTES

1. Professor of Law, Franklin Pierce Law Center, Concord, NH 03301.
2. "Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress," Federal Trade Commission (May 2000) (hereinafter "FTC Report").
3. Id. at 33.
4. AT&T Labs-Research Technical Report, Cranor, Reagle & Ackerman, "Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy" (1999).
5. "IBM Multi-National Consumer Privacy Survey," Louis Harris & Associates, Inc. (Oct. 1999).
6. Christopher M. Kelley, Forrester Research, Inc. "The Privacy Best Practice" (Sept. 1999); Sandeep Junnarkar, "Report: Half of Net Users Mistrust Sites," CNET News.com (Aug. 17, 1999)(citing results of study by Jupiter Communications, Inc.).
7. See, e.g., Halpern and Mehrotra, "The Tangled Web of E-Commerce: Identifying the Legal Risks of Online Marketing," 17 The Computer Lawyer 8 (Feb. 2000).
8. 15 U.S.C. § 45.
9. Simpson, "FTC Emerges as Chief Enforcer of the Web," Wall St. J. (Feb. 29, 2000).
10. GeoCities, Docket No. C-3849 (Feb. 12, 1999)(Final Decision and Order available at http://www.ftc.gov/os/1999/9902/9823015do.htm (accessed Oct. 30, 2000)).
11. Liberty Financial, Case No. 9823522 (Proposed Consent Agreement available at http://www.ftc.gov/os/1999/9905/lbtyord.htm (accessed Oct. 30, 2000)).
12. "Online Profiling: Benefits and Concerns," Prepared Statement of The Federal Trade Commission Before the Committee on Commerce, Science, and Transportation, U. S. Senate (June 13, 2000).
13. Simpson and Guidera, "Online Ad Firms Reach Privacy Pact," Wall St. J. (July 28, 2000).
14. Title XIII of Pub. L. No. 105-277 (Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999), 112 Stat. 2681.
15. 18 U.S.C. §§ 2510-2522, 2701-2710, 2711.
16. The primary difference between the two types of programs is that viruses usually attach themselves to the programs that they infect whereas worms do not.
17. See http://www.ftc.gov/reports/privacy3/fairinfo.htm (accessed Oct. 30, 2000).
18. See http://www.truste.org (accessed Oct. 30, 2000).
19. See http://www.bbbonline.com (accessed Oct. 30, 2000).
20. See http://www.privacybot.com (accessed Oct. 30, 2000).
21. See http://www.pgp.com (accessed Oct. 30, 2000).
22. See, e.g., http://www.ecommerce1.com (accessed Oct. 30, 2000).
23. See, e.g., http://www.freedom.net (accessed Oct. 30, 2000).
24. See http://www.w3.org/P3P/p3pfaq.htm (accessed Oct. 30, 2000).
25. Jaffe, Online Profiling Project-Comment, P994809/Docket No. 990811219-9219-01 (Oct. 18, 1999).
26. Simpson and Guidera, supra.

The Author

Susan M. Richey, Professor of Law, Franklin Pierce Law Center, Concord, New Hampshire.
