IMMEDIATE PRIVACY CONCERNS THAT DOMESTIC
COMMERCIAL WEB SITES SHOULD CONSIDER WHEN
CONDUCTING BUSINESS IN ELECTRONIC COMMERCE
MARK ISHMAN
A company that manufactures puzzles and postcards for
consumers, including children, decides to expand its business to include
electronic commerce by creating a World Wide Web (Web) site. It offers
to its consumers the opportunity to purchase these items by either a Visa
or MasterCard transaction. In doing so, the company requires the
consumer to provide his or her name, Visa or MasterCard account
number and its corresponding expiration date, the requested item, mailing
address, home and business telephone number, e-mail address and what
type of puzzles and postcards that they typically prefer. However, the
company’s Web site does not address how the information provided will
be used or whether it will be made available to third parties.
Moreover, the company’s Web site is capable of having access to
information about its consumers that its traditional counterpart, i.e., the
mall, does not have, unless the consumer provides it voluntarily.
Depending on the software, this company can track its consumer’s
identity and, by following the consumer’s “clickstream,” link puzzles and
postcards that the consumer considered before deciding which one to buy.
This gives the on-line company access to information about its
consumer’s preferences, interests and lifestyle – even if the consumer does
not buy anything. Yet again, the company’s Web site fails to address
whether the information obtained will be used or whether it will be
disclosed to third parties.
I.
INTRODUCTION
The relatively new and exciting marketplace for businesses is the Web.1 It offers
not only low barriers of entry as compared to other forms of commerce,2 but it also serves
as the most efficient means of communicating a company’s goods, services and
information to a global market.3 To the consumer, the Web is attractive because it
provides comprehensive information on a wide variety of goods and services.4 However,
a number of frightening scenarios are developing as the utilization of the Web for
commercial purposes continues to prosper. Commercial Web sites are collecting their
consumers’ “personal information”5 through a variety of different means, e.g., order
forms, registration pages, application forms, user surveys and online contests.6
Furthermore, Web sites collect personal information through “cookies”7 and other means
that are not so obvious to their consumers.8
For example, if a small or uninformed business rushes to sell merchandise on
the Web, it could unintentionally expose its customers’ information, including their
names, addresses and full credit-card numbers, on its insecure Web pages. According
to an April 1999 CNET News.com report, if a user conducts a Web search using key
search terms such as “order,” “index,” “log,” and “parent,” the search will return more
than 100 Web sites that unintentionally reveal their customers’ personal and confidential
information.9 This technical error is widespread, affecting not only small companies
but large companies as well.10
Privacy concerns on the Web became prominent in 1998 when the European
Union (E.U.) implemented the E.U. Data Privacy Directive.11 The directive establishes
strict privacy standards that bind not only governments but also private corporations.12
The directive is enforced in each member country of the E.U. by a national privacy
commissioner whereby individuals have legal recourse to enforce the directive where
they feel their privacy rights have been violated.13
Domestically, the U.S. response to the data directive has been the promotion of
self-regulation initiatives. There are over seventy global corporations and associations
working together to foster improved privacy protections online without government
interference.14
At the governmental level, the U.S. Working Group on Electronic Commerce
issued its First Annual Report on November 30, 1998.15 The report stated: “The U.S.
government believes that private sector-developed and enforced codes of conduct are an
effective way to protect privacy online without creating a bureaucracy which could stifle
the growth of electronic commerce.”16
This governmental group reasoned that the first step in protecting the privacy of
personally identifiable information is to provide a privacy policy on every Web site. This
statement should give a conspicuous notice of the company’s general privacy practice.
Additionally, at each point where personal data is collected, additional information may be
needed to give users specific information about what data is collected, how it will be
used, third parties to whom it will be disclosed, if any, and allowing the choice of
whether to proceed.
This Comment provides an assessment of the privacy concerns raised when
companies create a domestic commercial Web site. First, this Comment presents an
overview on Web sites, methods of data collection and privacy law addressing data
collection. Second, this Comment presents a summary of recent findings from Web site
surveys addressing consumer privacy concerns.
Third, this Comment analyzes the
government’s role in protecting consumer privacy rights as well as the current
effectiveness of the electronic commerce industry’s self-regulation as a means of
protecting consumer privacy on the Web. Last, this Comment sets forth a draft privacy
policy that companies should utilize when operating a domestic commercial Web site.
II.
THE VALUE OF A WEB SITE
Before identifying the various ways in which a Web site can violate its users’
privacy rights, it is first important to understand the various business models that are
utilized on the Web, as well as how investors and potential advertisers evaluate Web
sites. Generally, there are five business models that are currently being utilized on the
Web. These models include: (1) the Internet Presence Model, which is utilized by
businesses to raise consumer awareness of their names and products but contains no direct
sales or advertising; (2) the Advertiser Supported or Sponsored Model, which derives all
of its revenue from advertisement on the Web site where the content on the site is
provided for free and nothing on the site is for sale; (3) the Fee Based or Subscription
Model, which charges the user a fee before accessing content; (4) the Efficiency or
Effective Gains Model, in which a business chooses to utilize a Web site in order to
decrease its operating costs; and (5) the Online Storefront Model, in which consumers
purchase goods or services directly through the Web site.17
Regardless of which business model a Web site utilizes, its ability to attract and
retain customers over time is the most critical factor investors and potential advertisers
evaluate in determining the success or potential success of a Web site.18 Electronic
commerce experts have identified this factor as “traffic.”19 Web sites have found that the
best way to stimulate traffic is to offer some content on their sites for free, which most Web
sites practice.20 Another factor that investors and potential advertisers use to determine
the success or potential success of a Web site is “flow.”21 As one electronic commerce
expert explained, “‘[f]low’ describes an online experience in which the user is completely
engaged and focused while browsing or surfing the Web, has a sense of control over the
experience, and has a proper mix of skills and challenges.”22
If the user’s flow
experience is fulfilling, then the user will return and increase the Web site’s traffic, which
will in turn increase the value of the Web site.23
Advertisers are also concerned with the Web site’s targeted audience. Typically,
the advertisers would like to know the Web site users’ interests, background, age group,
and level of education and income.
Consequently, Web sites attempt to collect
information that identifies their audience through various means that also raise significant
privacy issues.
III.
METHODS OF COLLECTING INFORMATION
A.
DATA COLLECTION
The most significant privacy issue that arises in electronic commerce is the
growing practice of data collection. As electronic commerce prospers, it is increasingly
dependent upon specific and detailed data about Web consumer habits. Consequently, a
substantial number of Web sites are using “cookies” and other technology to track the
activities of the users who visit their sites.
1.
Click Stream Data
While the user utilizes and “surfs” the Web, each Web site that the user visits, and
each Web page that is viewed within a Web site, is typically logged by the user’s Internet
Service Provider (ISP).24
Many ISPs maintain a record of their users’ e-mail
communications and other online activities, including Web sites visited, ads viewed and
purchases made.25 Moreover, Web sites can also maintain a record of their users’ Web
movement both within the Web site and externally.26 This record that ISPs and Web sites
use to maintain a log of the user’s travel through the Web is called “click stream data.”27
2.
Cookies
Individual Web sites may also track users’ activities with “cookie” technology.
Cookies allow a Web server to remember what the user did when he or she visited the
site, e.g., when the last visit occurred and which pages or frames in advertisements were
viewed at the time.28 The cookie may also recall the name and password the server
assigned to the recipient computer during the last visit.29 While a cookie identifies an
individual user’s computer in the sense it can distinguish one from another, it does not
know the actual identity of the users (though many can identify what server the user came
through, e.g. America Online or other ISPs).30
a.
Technology
“Cookies” are small data text files that are sent from a server’s computer to a
recipient computer during a browsing session.31 The cookie labels one’s Web browser
with an electronic serial number that identifies the user each time he or she connects to
the site that originated the cookie.32 The cookie is stored on the recipient computer’s
hard drive and sent back to the server computer when an HTML file request is made.33
Cookies are designed to be read only by the originating server, although that may be the
originator of a banner ad as well as, separately, the content on a page.34 Some cookies
last for one session, but most are configured to be stored on the recipient’s hard drive for
use during subsequent sessions.35 Generally, cookies do not pose a threat to either
destroy or compromise a computer system.36
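The distinctions drawn above (session versus stored cookies, and cookies set by the page's own server versus a banner ad's server) can be checked directly from the Set-Cookie headers a page load returns. The following is an added example, not part of the original Comment; the host names, cookie values and the clock value are constructed, and comparing the last two host labels is a simplifying assumption in place of the public suffix list browsers use.

```python
"""Classify cookies set during one page load (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CookieFinding:
    name: str
    set_by: str        # server that set the cookie and will receive it back
    persistent: bool   # stored on disk for later sessions
    third_party: bool  # set by a server other than the visited site


def parse_set_cookie(header_value):
    """Split a Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_persistent(attrs, now):
    """True if the cookie outlives the session. Max-Age wins over Expires;
    a zero/negative Max-Age or a past Expires is a deletion, not storage."""
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        return int(max_age) > 0
    expires = attrs.get("expires")
    if expires:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False  # unparseable date: attribute ignored, session cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when > now
    return False


def site_of(host):
    """Simplification (assumption): treat the last two labels as the site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_page(page_host, responses, now):
    """responses: list of (responding_host, [Set-Cookie header values])."""
    findings = []
    for host, set_cookie_values in responses:
        for raw in set_cookie_values:
            name, _value, attrs = parse_set_cookie(raw)
            findings.append(CookieFinding(
                name=name,
                set_by=host,
                persistent=is_persistent(attrs, now),
                third_party=site_of(host) != site_of(page_host),
            ))
    return findings


def cross_session_trackers(findings):
    """Cookies that both persist and belong to another party, e.g. a banner
    ad server's serial number that follows the browser between sessions."""
    return [f.name for f in findings if f.persistent and f.third_party]


# Constructed sample: one storefront page that also loads a banner ad.
PAGE_HOST = "www.puzzle-shop.example"
NOW = datetime(1999, 6, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.puzzle-shop.example", [
        "cart=3f9a; Path=/",
        "prefs=jigsaw; Expires=Fri, 31 Dec 1999 23:59:59 GMT; Path=/",
    ]),
    ("ads.banner-net.example", [
        "uid=0000481516; Max-Age=31536000; Path=/",
        "old=x; Max-Age=0",
    ]),
]

if __name__ == "__main__":
    for finding in audit_page(PAGE_HOST, SAMPLE_RESPONSES, NOW):
        print(finding)
    print("cross-session third-party identifiers:",
          cross_session_trackers(audit_page(PAGE_HOST, SAMPLE_RESPONSES, NOW)))
```

A privacy notice that describes a site's cookies can be compared against this output: each persistent or third-party entry is a data flow the notice needs to account for.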
b.
Value
Cookies enhance the browsing experience by sending the server a list of the user’s
selected preferences from earlier visits, which “personalizes” the site for the user’s
repeated visits.37 On the other hand, cookies also allow Web sites to develop profiles of
visits (“hits”) to the Web site (important to advertisers on the Web) as well as the
preferences of individual users.38
c.
Are Cookies an Invasion of Privacy?
Unless a browser’s preferences are configured to notify the recipient computer
when a cookie is sent, cookies enter the user’s computer unannounced and uninvited.39
However, both Netscape Navigator and Microsoft Explorer allow the user to set a
preference that causes an alert to be given each time a Web site wishes to send a cookie,
which in turn allows the user to refuse the cookie and still enter the Web page.40 In
addition, various companies offer software that stops cookies or allows the user to set
parameters as to which will be accepted (e.g., Pretty Good Privacy’s Cookie Cutter at
http://www.pgp.com).
Given the limited nature of the information cookies obtain, it is unlikely cookies
as presently designed constitute an actionable intrusion into one’s privacy.41 Moreover,
given the options available to block cookies, courts likely would find users implicitly (or
expressly if their notification preference is set) consent to the cookie’s entry, acquisition,
and transmission of information back to the originating server.42
3.
Security Breaches
Computer software programs that are utilized to set up Web sites and enable
users to browse the Web site also contain security flaws that can be exploited by third
parties (i.e., hackers) to steal or corrupt information contained in the Web site.43
Additionally, if a Web site offers e-mail communication to its users, then it is quite
possible for a hacker to interpret the data and invade the user’s privacy.44 Consequently,
security breaches of a Web site may violate users’ privacy rights under the theories of
public disclosure of private facts, intrusion and false light and hold the Web site
vicariously liable for a third party’s tortious act.45 Therefore, any communication of
confidential information needs reliable and secure transmissions and storage to prevent
any violation of consumers’ privacy rights.46
4.
Collection of Personal Information of Children
A number of consumer groups have focused on limiting the collection and
disclosure of information of children on the Web. In 1997, the Children’s Advertising
Review Unit (CARU) of the Council of Better Business Bureaus issued specific
guidelines for advertising to children under the age of 12 on the Web, including
guidelines for gathering and using information from children.47 Generally, the CARU
Guidelines urge advertisers to use all reasonable means to obtain parental permission
before collecting personal information about children.48 The Guidelines also recommend
advertisers give notice if any information collected about a child will be shared, sold or
distributed, and provide opportunity to “opt-out” of receiving any direct e-mail
advertising.49
In July 1997, the Federal Trade Commission (FTC) issued an open letter
regarding its investigation of the advertising practices of KidsCom, an interactive Web
site targeted at children ages 4 to 15.50 KidsCom collected data from its minor users
related to their preferences about specific products and then provided aggregated,
anonymous information to private companies.51 In its letter of finding, the FTC set out
guidelines regarding the collection of personal information from children, that included:
(1) It is a deceptive practice to represent that a Web site is collecting
personally identifiable information from a child for a particular
purpose (i.e., participating in a quiz) when the information will
also be used for another purpose (i.e., marketing) which parents
would find material, absent a clear and prominent disclosure to that
effect;
(2) Any disclosure regarding the collection and use of children’s
personally identifiable information must be made to the parent; and
(3) An adequate notice to parents should disclose: who is collecting
the personally identifiable information, what information is being
collected, its intended uses, to whom and in what form it will be
disclosed to third parties, and the means by which parents may
prevent the retention, use or disclosure of information.52
Consequently, the FTC drafted the Children’s Online Protection Privacy Act of
1998 that was eventually enacted to regulate the online collection of personal information
from children.53 The Act requires that online companies obtain parental permission
before soliciting information from children under the age of 13 who visit their Web site.54
The Act protects the following information: first and last name, home or other physical
address, e-mail address, telephone number, Social Security number, and any other
information that would enable the information seeker to locate or contact an
individual.55
Additionally, the Act requires commercial Web sites to get parental
approval before collecting information from children.56
IV.
THE LAW ON PRIVACY RIGHTS IN DATA INFORMATION
A.
PUBLIC DISCLOSURE OF PRIVATE FACTS
A defendant invades another’s privacy when he or she publicly discloses private
facts about the plaintiff, the disclosure of which is highly offensive to the reasonable
person.57 Offensive private facts typically encompass family, sexual, medical, financial
or other intensely personal topics.
The principal defense to this privacy claim is the argument that the information at
issue was newsworthy and hence its disclosure was not actionable.
The test for
newsworthiness is whether the matter disclosed was of legitimate public interest, which is
determined in turn by the social value of the facts disclosed, the depth of intrusion into
ostensibly private affairs of the plaintiff, and the extent to which the plaintiff voluntarily acceded
to a position of public notoriety.58
Unlike defamation, there are not yet any significant cases filed raising public
disclosure of private facts claims arising out of statements “published” over the Web.
However, as the quantity of speech increases due to the explosive growth of the Web,
coupled with the lack of operator awareness of legal boundaries, it is inevitable there will
be an increase in claims.
B.
INTRUSION
Traditionally, the privacy tort of intrusion arises from the physical or visual
intrusion into the personal or private “space” of the plaintiff.59 It typically arises where
one has been improperly spied upon, taped or their home entered into without their
consent. Cyberspace intrusion claims will likely be premised on conduct such as hacking
and spamming.60
For instance, there have been several lawsuits based on “spamming” conduct. In
Cyber Promotions, Inc. v. America Online, Inc.,61 Cyber Promotions was an advertising
agency that sent unsolicited e-mail advertising to America Online (AOL) subscribers.62
When subscribers complained, America Online blocked messages originating from
Cyber Promotions.63 Cyber Promotions sued, seeking a ruling that it had the right to send
its e-mail advertisements through the Web without AOL’s interference.64 The trial court
rejected Cyber Promotions’ argument that it had a First Amendment right since the Web
was not run by the government, America Online did not perform a traditional
government function, and Cyber Promotions had other available channels of distributing
its material.65
Similarly, in CompuServe v. Cyber Promotions, Inc.,66 an Ohio Federal District
Court granted a preliminary injunction barring Cyber Promotions from inserting any false
reference to plaintiff in any e-mail, falsely causing any e-mail to appear as if it were sent
by or originated from plaintiff or one of plaintiff’s accounts, and using CompuServe’s
services in connection with the transmission of e-mail.67 In America Online, Inc. v.
Over the Air Equipment,68 a Virginia Federal District Court granted a preliminary
injunction barring Over the Air Equipment from sending spam to plaintiff’s subscribers.69
Likewise, there have been several cases based on hacking conduct. In America
Online, Inc. v. TSF Marketing,70 America Online sought an injunction against the
defendant spammers alleging computer fraud and abuse and trespassing.71 Similarly,
Hotmail Corporation v. Van$ Money Pie72 was a “forged header” suit seeking
injunctive relief and damages against the defendant spammers alleging Lanham Act
claims, computer fraud and abuse claims, and trespassing.73
C.
FALSE LIGHT
False light is analogous to a defamation claim and in several states it is treated as
the same.74 It is most commonly pled where a false impression derives from something
other than an express statement. A frequent example arises from the juxtaposition of a
particular photograph to an unrelated statement, giving rise to the impression that the
statement is about the pictured plaintiff.75
V.
PRIVACY CONCERNS OF CONSUMERS THAT UTILIZE THE WEB
Obviously, as electronic commerce prospers, consumers are concerned about
participating in it.76 As indicated by recent surveys, increasing numbers of consumers are
concerned about how their personal information is being utilized in the electronic
industry because users value their privacy.77
Consumers believe, as they should, that Web sites can invade their privacy in
numerous ways, and that unauthorized persons, i.e., hackers, can penetrate a Web site
and invade their privacy by stealing their personal information.78 Accordingly,
consumers are becoming resistant towards participation in electronic commerce because
of their vulnerability to security breaches and invasions of consumer privacy.79
In November of 1998, AT&T conducted a survey in order to obtain an
understanding of consumer privacy concerns when utilizing the Web, entitled AT&T
Labs-Research Technical Report TR 99.4.3.80 This report targeted active Web users, and
provided the following major findings:
(1) Web users are more likely to provide
information when they are not identified; (2) some types of data are more sensitive than
others; (3) many factors are important in decisions about information disclosure; (4)
acceptance of the use of persistent identifiers varies according to their purpose; (5) Web
users dislike automatic data transfer; (6) Web users dislike unsolicited communications;
and (7) a joint program of privacy policies and privacy seals seemingly provides a
comparable level of user confidence as that provided by privacy laws.81 In addressing
consumer privacy concerns, this Comment will examine the seven major findings from
the AT&T survey.
1.
Web Users Are More Likely To Provide Information When They Are Not
Identified.
The AT&T survey provided two scenarios where the Web site requested
information either with or without personally identifiable information.82 In the first
scenario, the requesting Web site provided financial analysis to its consumers.83
Fifty-eight percent of the respondents explained that “they would provide information about
their income, investments, and goals in order to receive customized investment advice.”84
However, when these respondents were asked to provide the same information but with
personally identifiable information, only thirty-five percent explained that they would.85
In the second scenario, the requesting Web site provided articles regarding news,
weather and sports.86 Eighty-four percent of the respondents explained that “they would
provide their zip code and answer questions about their interests in order to receive
customized information.”87 Like the first scenario, when the respondents were asked to
provide the same information but with personally identifiable information, only
forty-nine percent of the respondents said that they would.88
Both of these scenarios provide the respondents a service without a fee.89
However, when Web sites request personally identifiable information, a significant
number of the respondents begin to have concerns over the collection and potential
misuse of their personal information.90
Such a request raises privacy concerns for
consumers. Consumers realize that the Web provides full information on a wide variety
of products and services, but they also realize that the Web provides the means that
allows another to invade their privacy.91 With this knowledge, many consumers will not
allow information with their personal identification to be collected because it creates the
possibility that another will misuse this information and invade their privacy.92
2.
Sensitivity of Data
The AT&T survey asked its respondents how comfortable they were with: (1)
providing twelve specific pieces of information to Web sites; as well as (2) providing the
same information about a child in their care between the ages of eight to twelve.93 Both
clusters “held similar views about which types of data were the most and least
sensitive.”94 Most of the respondents said they would never or rarely feel comfortable
providing their phone number but would usually or always feel comfortable providing
their e-mail address.95 The comfort level for postal mail address fell somewhere in
between because of the different levels of annoyance related to unsolicited
communications in each medium as well as the availability of coping strategies to deal
with this annoyance.96
The AT&T report also noted that respondents’ awareness of problems
associated with divulging different types of information may affect the level of concern.97
Publicity surrounding identity theft and credit card fraud may have raised awareness
about the dangers of social security numbers and credit card numbers falling into the
wrong hands.98 But there has been less publicity about the dangers associated with
disclosure of medical records.99 This may account for the fact that the concern reported
about credit cards and social security numbers is significantly higher than that for
medical records – which could be argued to be just as sensitive.100
3.
Factors Are Important In Decisions About Information Disclosure
The AT&T respondents rated the sharing of their information with other
companies and organizations as the most important factor in determining whether to
disclose information to a Web site.101 The next three criteria that also emerged as highly
important factors were: (1) whether information is used in an identified way; (2) the kind
of information collected; and (3) the purpose for which the information is collected.102
Additionally, the AT&T survey found three other criteria that were also very
important factors: (1) whether a site is run by a trusted company or organization; (2)
whether a site will allow people to find out what information about them is stored in its
databases; and (3) whether the site will remove someone from its mailing lists upon
request.103
4.
Acceptance of the Use of Persistent Identifiers Varies According To Their
Purpose
Some Web users are concerned that their online activities may be tracked over
time.104
This can be accomplished using persistent identifiers stored on a user's
computer.105 These are often referred to as cookies. When asked about Web cookies,
52% of the respondents indicated they were concerned about them (and another 12% said
they were uncertain about what a cookie is).106 Of those who knew what cookies were,
56% said they had changed their cookie settings to something other than accepting all
cookies without warning.107
After further questions of hypothetical scenarios, the AT&T survey concluded
that most of its respondents were not opposed to the use of persistent identifiers or state
management mechanisms such as cookies; however, many have misconceptions about
these technologies and concerns about some of their uses.108
5.
Web Users Dislike Automatic Data Transfer
Although most of the AT&T respondents were interested in tools that would make
using the Web more convenient, most do not want these tools to transfer information
about them to Web sites automatically.109
Almost all of the AT&T respondents were interested in some form of an “autofill” feature that would allow users to click on their browsers and have information that
they had already provided to another Web site automatically filled into the appropriate
fields in a Web form.110 However, almost all of the AT&T respondents had no interest
in features that would automatically send information to Web sites without any user
intervention.111
6.
Web Users Dislike Unsolicited Communications
Web users do not want to receive unsolicited communications resulting from the
provision of information to Web sites.112 The AT&T respondents indicated a clear
dislike for unsolicited communications, but were less concerned (but not unconcerned)
about unsolicited e-mail.113 The AT&T respondents were more comfortable providing
their e-mail address than they were their postal address or their phone number.114
Furthermore, they expressed less concern about unsolicited e-mail and about Web sites
collecting e-mail addresses for marketing lists than they did about Web sites collecting
personal information from children, or someone tracking what Web sites people visit and
using that information improperly.115
VI.
RESTRICTING THE GOVERNMENT’S RIGHT TO COLLECT
PERSONAL DATA
In order to strictly limit the user’s information that ISPs may disclose to the
government, Congress enacted the Electronic Communications Privacy Act of 1986
(ECPA).116 However, the Act is limited because it does not prohibit disclosure of user
information to non-government entities.117 Generally, a government entity must provide
a subpoena, warrant or court order to obtain information about a user that is stored by the
ISP.118 For example, in McVeigh v. Cohen,119 the U.S. District Court for the District of
Columbia held that the ECPA applied where the Navy reviewed a sailor’s e-mail and contacted
the sailor’s ISP (i.e., America Online) for his customer profile, and found that the Navy
violated the ECPA by failing to obtain a warrant for this personal information.120
VII.
THE FEDERAL TRADE COMMISSION ROLE IN ADDRESSING
CONSUMER PRIVACY RIGHTS
In order to promote an efficient functioning marketplace, Congress created the
Federal Trade Commission (FTC).121 The primary function of the FTC is to enforce the
Federal Trade Commission Act,122 which prohibits unfair methods of competition and
unfair or deceptive acts or practices in or affecting commerce.123 In fulfilling its function,
the FTC’s responsibilities are far reaching.124 The FTC Act provides the FTC with broad
law enforcement authority over virtually every sector of our economy, including
electronic commerce.125
As soon as commerce existed on the Web, the FTC began its involvement in
protecting consumer privacy rights.126 In its effort to regulate electronic commerce, the
FTC has encouraged self-regulation of businesses on the Web.127 In doing so, the FTC
has offered various workshops, and has met with, and encouraged, industry leaders to
adopt effective self-regulatory programs.128 Two fundamental principles have driven the
FTC in protecting consumer privacy rights on the Web.129 First, it is a known fact that the
Web provides the means to collect and disseminate personal information with relative
ease.130 Secondly, the FTC believes that if there is a higher standard of consumer privacy
protection on the Web, then consumers would be assured that their personal privacy on
the Web would be protected, which would ultimately increase their participation in
electronic commerce.131
In June of 1998, the FTC issued a comprehensive report entitled, “Privacy: A
Report To Congress,” that analyzed a survey that it conducted of over 1,400 commercial
Web sites.132 The survey revealed that over eighty-five percent of these Web sites
collected personal information from their consumers.133 Moreover, only fourteen percent of
the surveyed Web sites provided notices of their practice of collecting personal
information, and only two percent provided a comprehensive privacy policy.134 Perhaps
even more disturbing, the FTC’s survey revealed that eighty-nine percent of the
children’s Web sites collected personal information from the children and few Web sites
took steps to ensure that the child has parental permission to give such information.135
After analyzing the survey’s results, the FTC reported that self-regulation by the
electronic commerce industry has not yet been established and that additional incentives
are required in order to ensure that self-regulation is effective and consumer privacy is
protected.136 The FTC concluded in its report that there are four necessary elements to
protecting consumer privacy: (1) notice to consumers about how personal information
collected online is used; (2) choice for consumers about whether and how their personal
information is used; (3) security of personal information; and (4) access for consumers to
their own personal information to ensure accuracy.137
A.
FTC ACT
Companies that violate their stated information practice codes are also subject to
FTC enforcement under section 5 of the FTC Act.138 The first Web privacy case that the
FTC addressed was In re GeoCities, Inc.139 In this case, the defendant, GeoCities, was a
Web site that operated a “virtual community” consisting of members’ personal home
pages organized into theme areas, called neighborhoods.140 At the time of the FTC
18
complaint, GeoCities had over two million members and was the third most frequently
visited Web site accessed from home computers.141
GeoCities provided numerous services to its members, including personal home
pages and free e-mail service.142 To gain access to these services, individuals had to
complete an online application form, which requested certain personal identifying
information.143 The application form designated certain information as mandatory and
other information as “optional.”144 The form also asked applicants to select whether they
wished to receive specific “special offers” from advertisers, and specific products or
services from individual companies.145
GeoCities used this information to create a database that included e-mail and
postal addresses, member interest areas, and demographic information, including income,
education, gender, marital status and occupation.146 This information was then used to
create target markets for advertisers, and the personal identifying information of children
and adults was disclosed to and used by third-party marketers.147
On August 18, 1998, the FTC filed an action against GeoCities for violating the
FTC Act.148 First, the FTC alleged that GeoCities misrepresented that the personal
identifying information that it collected through its application form would be used only
to provide members the specific advertising offers and products or services that they
requested.149 The FTC believed the “optional” information (education level, income,
marital status, occupation and interests) in GeoCities’ application form was disclosed to
third parties, who used it to target GeoCities members for solicitations beyond the terms
agreed to by its members.150
The FTC also alleged that GeoCities engaged in deceptive practices relating to its
collection of information from children.151 According to the FTC, GeoCities promoted
the Official GeoCities GeoKidz Club and contest forms that solicited personal
identifying information of children.152 The complaint alleges that GeoCities
misrepresented that GeoCities itself operated the GeoKidz Club and certain contests, and
that the information collected online through the Club and contests was maintained by
GeoCities, when, in fact, the Club and contests were run by third-party “community
leaders” hosted on the GeoCities Web site, who collected and maintained the
information.153
In its February 5, 1999 order, the FTC prohibited GeoCities from collecting or
using personal identifying information from or about consumers, including children.154
The order required GeoCities to: (1) place a prominent privacy notice on its Web site
that informs users what information is being collected and for what purposes; (2)
establish a system to obtain parental consent before collecting personal information from
children; and (3) notify individuals from whom it previously collected personal
information and offer them an opportunity to have the information deleted.155
Additionally, the FTC order permits GeoCities to collect or use personal information
from children only to the extent permitted by the Children’s Online Privacy Protection Act of 1998,
or by regulations or guides issued under the Act.156
B. FTC: A SOURCE FOR CONSUMER PRIVACY
Not only does the FTC protect privacy rights, but the FTC also is the leading
source of privacy and legal information.157 The FTC’s privacy page features several
reports on consumers’ and children’s privacy, transcripts from privacy conferences
sponsored by the FTC, as well as congressional testimony from FTC officials. The
Web site also provides a link to the Children’s Online Privacy Protection Act of 1998, a
new privacy statute that provides increased privacy protection for the narrow but
important issue of children’s privacy.
As the privacy debate attracts increased attention, the best sources of current
information are a series of privacy groups that illustrate the power of Web-based
advocacy. Leading the way is the Electronic Privacy Information Center (EPIC), a
Washington, D.C. privacy group that stands at the forefront of numerous privacy
issues.158 A staunch advocate of a legislative solution, EPIC’s Web site features an
exhaustive collection of materials devoted to all aspects of the privacy issue. The Web
site’s privacy archive contains special sections on children’s privacy, cookies and
network privacy. EPIC is also the best source of information on state privacy laws with
the site featuring links and information on every state’s privacy legal framework.
EPIC provides two free updating services of interest. EPIC’s Bill Tracker,
available at its Web site, tracks pending congressional legislation impacting privacy.
EPIC also has a regular e-mail newsletter service that is free, which contains
information on the latest privacy law developments.159
The Direct Marketer’s Association (DMA), which was under fire by many Web
users for unwanted commercial e-mail, or spam, has also entered into the privacy arena
by offering assistance to companies anxious to develop their own privacy policies.160
The DMA Web site maintains a free “Privacy Policy Creator” that allows users to quickly
answer a series of questions on their collection and use of private data and then generates
a privacy policy that reflects the company or Web site’s particular practices. Additional
Web sites that provide information about the current debate involving consumer privacy
issues on the Web are Boycott Intel Campaign at http://www.bigbrotherinside.com,
Electronic Frontier Foundation at http://www.eff.org, Intel Press Room at
http://www.intel.com/pressroom and The Privacy Page at http://www.privacy.org.
VIII. SELF-REGULATION
As previously explained, the FTC believes that self-regulation by the electronic
commerce industry is failing to protect consumer privacy rights. In order to obtain the
necessary volume in electronic commerce to succeed, consumers must trust that their
privacy is protected when engaging in electronic commerce transactions. As previous
surveys demonstrated, consumers currently believe electronic commerce systems are
vulnerable to privacy invasions. Yet, the federal government is still waiting to see
whether self-regulation in electronic commerce will be effective in protecting
consumer privacy.
Today, there are several reasons to doubt the suitability of self-regulation as a
substitute for government regulation. First, effective self-regulation requires
participation by the entire electronic commerce industry. Given the great diversity of this
industry, universal participation is unlikely. However, the electronic banking industry
has adopted voluntary guidelines,161 and it appears that other industries may soon follow
the banking industry’s lead and adopt privacy guidelines. Yet, there are many other
industries in electronic commerce that are not represented by any associations that issue
consumer privacy guidelines. Moreover, nothing assures that new companies entering
into electronic commerce will agree to self-regulation. Today, it appears, as stated by
FTC Commissioner Varney, “[S]elf-regulation tends to capture the good guys that are
doing the right thing to begin with.”162 Senator Hatch (R-UT) believes that it is only a
matter of time before Congress enacts laws to protect consumers’ right to privacy
because of the strong legislative support for such laws and the current failure of
self-regulation by the electronic commerce industry.163
As of this writing, there are fifty bills that are being debated in Congress that seek
to protect consumer privacy rights on the Web. For example, the Online Privacy
Protection Act of 1999 (S. 809) seeks to require the FTC to prescribe regulations to
protect the privacy of personal information collected from and about private individuals
who are not covered by the Children’s Online Privacy Protection Act of 1998 on the
Web, to provide greater individual control over the collection and use of that information,
and for other purposes.164 Also, the Consumer Internet Privacy Protection Act of 1999
(H.R. 313) seeks to regulate the use by interactive computer services of personally
identifiable information provided by subscribers to such services.165 Lastly, the Social
Security Online Privacy Protection Act of 1999 (H.R. 367) seeks to regulate the use by
interactive computer services of Social Security account numbers and related personally
identifiable information.166
IX. IF YOU CAN’T BEAT’EM, JOIN’EM
Whether to prevent FTC enforcement or consumer litigation, every commercial Web site
should have a privacy policy. Moreover, because of the current failure of industry
self-regulation, consumer privacy legislation is inevitable. Therefore, every Web site should
have a privacy policy that addresses the privacy concerns of its users.
First, a good privacy policy should be easy to find and read, and should comprehensively
explain all of the Web site’s information practices.167 The policy should also provide to
Web users an opportunity to make informed decisions about the collection and use of
their information.168
More importantly, a privacy policy is a promise. As a promise, it is not enough to
just post a privacy policy, but the policy must be fully implemented. Therefore, when
creating a privacy policy, there should be a careful analysis of the type of privacy issues
that arise when operating a particular Web site business model169 because a privacy
policy must accurately reflect the desired practice and guarantee its faithful adherence to
its provisions.170
In analyzing a privacy policy, a Web site must consider, if not include: (1) broad
coverage; (2) notice to consumers of the kinds of consumer information collected, how it
is collected, and from whom it is collected; (3) notice and explanation of a company’s
policy and practice regarding dissemination of consumer information to others; (4) the
right to access information collected by a company, and notice of that right and how the
consumer can exercise it; (5) the right to correct inaccurate or incomplete information in
the consumer’s files, notice of that right, and how the consumer can exercise it; (6)
consumer control and choice, including the ability to opt-in to permit companies to use,
store, and disseminate information, rather than opt-out which requires consumers to act
affirmatively to prevent use, storage, and dissemination; (7) procedures and structures to
prevent unauthorized use of information by employees and service providers; and (8)
procedures to ensure that information is disseminated only to proper third parties. In
addition, Web sites that utilize electronic signatures and encryption should include
provisions to ensure reasonable levels of security regarding authentication and the
transmission of information.
For the most part, the privacy requirements proposed in this comment are
identical to or closely parallel the guidelines and principles proposed by major
participants in electronic commerce. Currently, many firms already adhere to several of
the proposed procedures. In light of the industry’s very public embrace of the principles
and guidelines, many more firms will likely adhere to them in the near future. Therefore,
if you can’t beat’em, join’em.
A. SCOPE
First and foremost, the privacy policy should be made known to the Web site’s customers.171
Notification of the privacy policy should be written in layman’s terms (i.e., clear and easily
understood language), displayed prominently and made available before Web users are
asked to relinquish information to the Web site.172
A consumer privacy policy should incorporate all of the Web site’s electronic
commerce activities. The policy should define privacy broadly, as well as the types
of information that it covers. Consumers regard privacy as part of their unique
identity, not just a commodity that businesses can use and sell at will.173 The disturbing
escalation of identity theft174 demonstrates that consumers are correct in their belief that
information collected by industry, especially when aggregated and disseminated
electronically, constitutes a crucial aspect of each consumer’s identity in today’s
electronic world. Even if one accepts the premise that privacy and information should be
broadly defined, drafting definitions is a difficult task. Firms generally agree that certain
personal identifying information, including Social Security numbers, mothers’ maiden
names, prior addresses, and birth dates should be included in the definition of protected
information.175 However, there is a lack of consensus over whether other information
should also be included.176 In any event, a privacy policy should define all relevant terms
according to the Web site’s business model, including the information covered and the
company’s collection, retention, use, and dissemination of its users’ information.
B. CONSUMER INFORMATION
All interests are best served by companies offering electronic commerce products
in a competitive environment. Regulation should not interfere with the free market except to
the extent necessary. Therefore, consumers need a notice that explains what information
is being collected about them, from whom it is collected, and how it is collected. For
example, consumers using the Web should have the right to be informed whether
cookies177 are being used when first visiting a site and before divulging any personal
information. The consumer should be informed of whether and, if so, how their personal
information is disseminated to others.
Another provision of the privacy policy should address children’s online privacy
rights. In doing so, the policy should state that it does not collect or use information from
children. However, if the Web site desires children users, then the policy should state
that it only collects or uses information from children as permitted by the Children’s
Online Privacy Protection Act of 1998 or other acts or guidelines that currently address
children’s online privacy rights.178
Information that is collected by a Web site should be accessible to its consumers.
If a Web site collects, stores and disseminates information about consumers, then it
should provide notice to its users informing them of their right to know what that information is.
Additionally, a Web site should allow consumers the right to correct erroneous and
incomplete information.179 If users have access and the opportunity to improve the
quality of information, electronic commerce, as well as the benefit to its users, will be
enhanced because the industry thrives only if it has accurate and complete information.
C. CONSUMER CONTROL AND CHOICE
The Web site privacy policy should also give consumers the ability to opt-in
because a choice to opt-in gives consumers, in the first instance, greater control over
their personal information. However, if a Web site decides not to include the opt-in
mechanism, then the Web site should carefully consider the opt-out mechanism whereby
the Web site can collect and disseminate information however it wants unless the
consumer takes an affirmative step to inform the company not to engage in those
practices.180 The opt-out approach can be justified if one views consumer privacy as a
minor issue and not a right to be zealously protected. However, users may fail to opt-out
for a variety of reasons that have little to do with whether they truly want a company to
collect and disseminate information about them. For example, they may not understand
the nature of the information the company uses for its internal purposes, the nature of third parties to whom
the data may be distributed, or what those third parties may do with the data. Companies
now have “the combination of computing and database power, multiple database sources,
and a very low cost distribution and the ability to distribute information and use it in
ways which were not fully intended.”181 Consequently, the opt-out method is easy for
companies to abuse. The opt-in approach is far more consistent with consumer control182
because it assumes consumers do not want their privacy invaded. Therefore, consumers
automatically are protected from invasions. If consumers are willing to give away their
privacy or to trade it in return for a benefit they desire, they have the ability to do so.
A Web site’s privacy policy should also disclose to users what type of technology
the site is utilizing, such as cookies, and inform its users how they can block its use by
activating software that blocks cookies, which is available free of charge. This will give
users the option of determining the level of privacy protection that they desire.
D. RESTRICTED INTERNAL AND EXTERNAL ACCESS
The Web site privacy policy should also include procedures restricting
internal access to its users’ information to only those employees, ISPs and other
agents that need to know. Therefore, the policy should limit access to
each type of data to appropriate parties only.
Furthermore, the privacy policy should adopt policies and procedures that are
designed to ensure that the third parties to whom information is disseminated use that
information for permissible purposes and take appropriate measures to safeguard
users’ privacy.
E. SECURITY
The Web site privacy policy should also set a minimum level of security in regard
to the authentication and transmission of information. The electronic commerce industry
and the government are presently considering various approaches for authenticating
identity in online transactions. Available technology permits the use of electronic
signatures, but there are many possible alternative approaches. For example, a bill
introduced by Congressman Baker would establish a national certification authority to
license entities that would be the only firms permitted to provide electronic authentication
services.183 In addition, several states have already adopted digital or electronic signature
statutes, and many more are currently considering such legislation.184
Security in the transmission of information can be achieved through encryption.
In order to prevent unwanted accessibility to files or e-mail messages, encryption
scrambles a file or e-mail message so that it is unreadable to anyone who does not know
how to unscramble it.185 However, the implementation of encryption has been hampered
by the government’s insistence on key recovery, in which the government would have the
ability to engage in electronic surveillance.186 Meanwhile, the electronic commerce
industry has been developing encryption standards. The primary movers are Visa and
MasterCard, who have won widespread adoption of their Secure Electronic Transaction
(SET) protocol.187 Because electronic signatures and encryption involve a host of issues
that go well beyond consumer privacy,188 this Comment will not address these matters.
X. SAMPLE PRIVACY POLICY FOR A DOMESTIC COMMERCIAL WEB SITE
For the most part, the sample privacy policy in this Comment is identical to or
closely parallels the guidelines and principles proposed by major participants in electronic
commerce (e.g., the Federal Trade Commission, Better Business Bureau Online, etc.).
The following policy describes the basic privacy practices for a single commercial Web
site that is directed to U.S. residents.
[Company’s Name] Privacy Policy
Effective month/day/year
Our Commitment to Privacy
Your privacy is important to us. To better protect your privacy we provide this
notice explaining our online information practices and the choices you can make about
the way your information is collected and used. To make this notice easy to find, we will
make it available on our homepage and at every point where personally identifiable
information may be requested.
Definitions:
1. “Personal identifying information” shall include, but is not limited to, first and
last name, home or other physical address (e.g., school), e-mail address, telephone
number, or any information that identifies a specific individual, or any information which
when tied to the above becomes identifiable to a specific individual.
2. “Disclosure” or “disclosed to third part(ies)” shall mean (a) the release of
information in personally identifiable form to any other individual, firm, or organization
for any purposes or (b) making publicly available such information by any means
including, but not limited to, public posting on or through home pages, pen pal services,
e-mail services, messages, message boards, or chat rooms.
3. “Clear(ly) and prominent(ly)” shall mean in a type size and location that are not
obscured by any distracting elements and are sufficiently noticeable for an ordinary
consumer to read and comprehend, and in a typeface that contrasts with the background
against which it appears.
4. “Archived” database shall mean [company’s name] off-site “back-up” computer
tapes containing member profile information.
5. “Child” or “Children” shall mean a person of age twelve (12) or under.
6. “Parents” or “Parental” shall mean a legal guardian, including, but not limited to,
a biological or adoptive parent.
7. “Electronically verifiable signature” shall mean a digital signature or other
electronic means that secures a valid consent by requiring: (1) authentication (guarantee
that the message has come from the person who claims to have sent it); (2) integrity
(proof that the message contents have not been altered, deliberately or accidentally,
during transmission); and (3) non-repudiation (certainty that the sender of the message
cannot later deny sending it).
8. “Express parental consent” shall mean a parent’s affirmative agreement that is
obtained by any of the following means: (1) a signed statement transmitted by postal
mail or facsimile; (2) authorizing a charge to a credit card via a secure server; (3) e-mail
accompanied by an electronically verifiable signature; (4) a procedure that is specifically
authorized by statute, regulation, or guideline issued by the Commission; or (5) such
other procedure that ensures verified parental consent and ensures the identity of the
parent, such as the use of a reliable certifying authority.
9. “Commerce” shall mean as defined in Section 4 of the Federal Trade Commission
Act, 15 U.S.C. § 44.
The Information We Collect:
This notice applies to all information collected or submitted on the [company’s
name] Web site. On some pages, you can order products, make requests, and register to
receive materials. The types of personal identifying information collected at these pages
are:
Name
Address
E-mail address
Telephone number
Credit/Debit Card Information
[Etc.]
The Way We Use Information:
We use the information that you provide about yourself when placing an order
only to complete that order. We do [not] share this information with outside parties[,
except to the extent necessary to complete that order].
We use the information you provide about someone else when placing an order
only to ship the product and to confirm delivery. We do [not] share this information with
outside parties[, except to the extent necessary to complete that order].
We offer gift-cards by which you can personalize a product you order for another
person. Information you provide to us to create a gift-card is only used for that purpose,
and it is only disclosed to the person receiving the gift.
We use return e-mail addresses to answer the e-mail we receive. Such addresses
are [not] used for [any other] (this) purpose and are [not] shared with outside parties.
You can register with our Web site if you would like to receive our catalog as
well as updates on our new products and services. Information you submit on our Web
site will not be used for this purpose unless you fill out the registration form.
We use non-identifying and aggregate information to better design our Web site
and to share with advertisers. For example, we may tell an advertiser that X number of
individuals visited a certain area on our Web site, or that Y number of men and Z number
of women filled out our registration form, but we do not disclose anything that could be
used to identify those individuals.
Finally, we never use or share the personally identifiable information provided to
us online in ways unrelated to the ones described above without also providing you an
opportunity to opt-out or otherwise prohibit such unrelated uses.
Our Commitment to Data Security
To prevent unauthorized access, maintain data accuracy, and ensure the
appropriate use of information, we have put in place appropriate physical, electronic, and
managerial procedures to safeguard and secure the information we collect online.
Our Commitment to Children’s Privacy:
Protecting the privacy of the very young is especially important. For that reason,
we never collect or maintain information at our Web site from those we actually know
are under 13, and no part of our Web site is structured to attract anyone under 13.
How You Can Access or Correct Your Information
You can access all your personally identifiable information that we collect online
and maintain by [description of the company’s access procedure]. We use this procedure
to better safeguard your information.
You can correct factual errors in your personally identifiable information by
sending us a request that credibly shows error.
To protect your privacy and security, we will also take reasonable steps to verify
your identity before granting access or making corrections.
How to Contact Us
Should you have other questions or concerns about these privacy policies, please
call us at [phone number] or send us an e-mail at [e-mail address].
XI. CONCLUSION
A Web site’s consumer privacy policy offers companies many opportunities to
develop creative and innovative approaches to market their products while protecting
consumer privacy. Additionally, an online policy would also allow companies to develop
imaginative approaches to provide privacy protection.
Electronic commerce will be successful only to the extent of consumer
confidence, which is gained only if the systems protect consumers’ privacy. Although
self-regulation contains inherent limitations which prevent such confidence, it is
inevitable that legislation will soon be enacted that should establish consumer
confidence. In the interim, a clear and easily understood privacy policy represents a sound public
policy independent of the financial needs of electronic commerce. As businesses and
government agencies increase the amount of personal information contained in vast
databases and as technology permits these institutions to develop more sophisticated
ways to aggregate and use data, the potential for serious social harm increases
enormously. The model privacy policy in this Comment attempts to ensure that users are
accorded meaningful enforceable privacy rights. While industry self-regulation is an
inadequate substitute for legislation, it nevertheless can play an important role in
developing techniques that promote industry objectives while preserving consumer
privacy rights.
Every Web site’s first step in protecting the privacy of personally identifiable
information is to provide a privacy policy statement. This statement should give notice
of the company’s general privacy practice. In addition, at each point personal data is
collected, additional information may be needed to give users specific information about
what data is collected, how it will be used, and third parties to whom it will be disclosed, if
any, and to allow them the choice of whether to proceed.
1 See Susan E. Gindin, Lost and Found In Cyberspace: Informational Privacy In The Age Of The
Internet, 34 SAN DIEGO L. REV. 1153, 1156 n.9 (1997) (explaining that the Web, or World Wide Web, “is
an information service that makes collections of information available across the Web through hypertext
links”); see also Am. Civil Liberties Union v. Reno, 31 F. Supp. 2d 473, 486 (E.D. Pa. 1999) (explaining
that “there are 3.5 million Web sites globally on the Web, and approximately one third of those sites are
commercial”). It is estimated that the total revenue from all commercial transactions that are conducted
online “will reach $1.4 to $3 trillion” by the year 2003. Id.
2 See id.
3 See FEDERAL TRADE COMMISSION, Online Privacy: A Report to Congress (June 1998)
<http://www.ftc.gov/reports/privacy3/exeintro.htm>.
4 See Am. Civil Liberties Union v. Reno, 31 F. Supp. 2d at 486.
5 See Laurence Tribe, American Constitutional Law § 15-16 (2d ed. 1988) (explaining that personal
information encompasses any information which identifies or concerns a specific individual).
6 See FEDERAL TRADE COMMISSION, supra note 3, at
<http://www.ftc.gov/reports/privacy3/history.htm> Growth of the Online Market.
7 See id. at <http://www.ftc.gov/reports/privacy3/endnotes.htm> n.4. “Cookie” technology allows a
Web site’s server to place information about a consumer’s visits to the site on the consumer’s computer in a
text file that only the Web site’s server can read. Id. Using cookies a Web site assigns each consumer a
unique identifier (not the actual identity of the consumer), so that the consumer may be recognized in
subsequent visits to the site. Id. On each return visit, the site can call up user-specific information, which
could include the consumer’s preferences or interests, as indicated by documents the consumer accessed in
prior visits or items the consumer clicked on while in the site. Id. Web sites can also collect information
about consumers through hidden electronic navigational software that captures information about site visits,
including Web sites’ Internet addresses. Id.
8 See id. at <http://www.ftc.gov/reports/privacy3/history.htm> Growth of the Online Market.
9 See Troy Wolverton, Privacy at risk is e-commerce rush, CNET NEWS.COM (visited Apr. 22,
1999) <http://www.news.com/News/Item/0%2C4%2C35451%2C00.html?dd.ne.txt.0421.03>.
10 See id.
11 See THE PRIVACY PAGE, European Union Data Privacy Directive (visited Mar. 3, 1999)
<http://www.privacy.org/pi/intl_orgs/ec/final_EU_Data_Protection.html>.
12 See id.
13 See id.
14 See id. at <http://www.privacyalliance.org/who>.
15 See DEPARTMENT OF COMMERCE, NATIONAL TECHNICAL INFORMATION SERVICES, U.S.
Government Working Group on Electronic Commerce. Annual Report (1st) (Nov. 1998)
<http://www.ntis.gov/yellowbk/1nty800.htm>.
16 See id.
17 See Am. Civil Liberties Union, et al. v. Reno, 31 F. Supp. 2d 473, 486 (E.D. Pa. 1999).
18 See id. at 487.
19 See id.
20 See id.
21 See id.
22 See id.
23 See id.
24 See Myrna L. Wigod, 19 Pace L. Rev. 95, 100 (1998)
25 See id.
26 See id.; see also Chris Oakes, Is Microsoft Tracking Visitors? (Mar. 12, 1999)
<http://www.wired.com/news/news/technology/story/18405.html>. Both Intel and Microsoft have the
technology to identify users and track their movement throughout the Web. See id.
27 See Wigod, supra note 26, at 100.
28 See id. at 101.
29 See id.
30 See id.
31 See id.
32 See id.
33 See Richard P. Klau, Is a Cookie a Treat or a Threat? Is a Code Chip a Friend or a Foe?
Internet Privacy Issues Are Complex, ABA STUDENT LAWYER, May 1999, at 13.
34 See Wigod, supra note 26, 101.
35 See id.
36 See id.
37
See Klau, supra note 35, at 13.
38
See id.
39
See id.
40
See id. at 13-14.
41
See id. at 14.
42
See id.
43
See Curtis E.A. Karnow, Computer Network Risks: Security Breaches and Liability Issues, 15
COMPUTER L. STRATEGIST 1 (Feb. 1999).
44
See id.
45
See id. at Internet-Specific Attacks.
46
See id.
47
See Brown Raysman, New Media, The Internet, and the Law: Staying Interactive In the Hi-Tech
Environment, ABA, Oct. 22, 1998, available in WESTLAW, N98RHTB ABA-LFLED I-39.
48
See id.
49
See id.
50
See In re KidsCom, FTC (Mar. 3, 1999) <http://www.ftc.gov/os/1997/9902/973472d%34o.htm>.
51
See id.
52
See id.
53
See Jon Baumgarten, et al., Washington Watch, 3 CYBERSPACE L. 27 (Oct. 1998).
54
See S. 2326, 105th Cong. (1998).
55
See id.
56
See id.
57
See Sipple v. Chronicle Publishing Co., 154 Cal. App. 3d 1040 (1984).
58
See id.
59
See Dietemann v. Time, Inc., 449 F.2d 245 (9th Cir. 1971); Miller v. NBC, 187 Cal. App. 3d 1463
(1986).
60
See Cyber Promotions, Inc. v. Am. Online, Inc., 948 F. Supp. 436 (E.D. Pa. 1995). Spamming is the
mass distribution of unsolicited and unwanted e-mail, often advertisements. See id.
61
Cyber Promotions, Inc., 948 F. Supp. 436.
62
See id.
63
See id.
64
See id.
65
See id. at 447.
66
CompuServe v. Cyber Promotions, Inc., 962 F. Supp. 1015 (S.D. Oh. 1997).
67
See id. at 1027.
68
Am. Online, Inc. v. Over the Air Equip., No. 97-1547-A (E.D. Va., filed Oct. 31, 1997).
69
See id.
70
Am. Online, Inc. v. TSF Mktg., et al., No. 98-001-A (E.D. Va., filed Jan. 7, 1998).
71
See id.
72
Hotmail Corp. v. Van$ Money Pie, et al., No. C-98-20064 (N.D. Cal. Jan. 26, 1998).
73
See id.
74
See Kapellas v. Kofman, 1 Cal. 3d 20 (1969).
75
See id.
76
See FEDERAL TRADE COMMISSION, supra note 3, at <http://www.ftc.gov/reports/privacy3/
history.htm> Privacy Concerns.
77
Id.
78
See Mark E. Budnitz, Privacy Protection For Consumer Transactions In Electronic Commerce:
Why Self-Regulation Is Inadequate, 49 S.C.L. REV. 847, 848-49 (1998).
79
See id. at 849.
80
See Lorrie Faith Cranor et al., Beyond Concern: Understanding Net Users’ Attitudes About
Online Privacy, AT&T LABS-RESEARCH TECHNICAL REPORT TR 99.4.3 (Apr. 14, 1999)
<http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm>.
81
See id. at <http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm> Major
Findings.
82
See id.
83
See id.
84
See id.
85
See id.
86
See id.
87
See id.
88
See id.
89
See id.
90
See id.
91
See id.
92
See id.
93
See id.
94
Id.
95
See id.
96
See id.
97
See id.
98
See id.
99
See id.
100
See id.
101
See id. Ninety-six percent of the respondents said that this factor was very or somewhat
important, including seventy-nine percent who said it was very important. See id.
102
See id. All of these criteria were rated as very important by at least sixty-nine percent of
respondents and had the same level of importance substantially. See id.
103
See id. All of these criteria were rated as very important by at least sixty-nine percent of the
respondents and had the same level of importance substantially. See id.
104
See id.
105
See id.
106
See id.
107
See id.
108
See id.
109
See id.
110
See id. Sixty-one percent of the respondents said that they would be interested in such a feature,
while 51% said that they would be interested in a similar feature that would automatically fill out forms at
sites that have the same privacy policies as other sites the user had provided information to (no button click
would be necessary to activate the auto-fill). See id. Both of these features would require a user to click a
submit button before any information was actually transferred to a Web site. See id. Thirty-nine percent of
respondents said that they would be interested in a feature that automatically sent information that they had
provided to a Web site back on a return visit. See id.
111
See id. A feature that notified the user that it had sent the information was of interest to 14% of
respondents, and a feature that provided no indication that it had transferred data was of interest to only
6%. See id. Thus, 86% of the respondents reported no interest in features that would automatically
transfer their data to Web sites without any user intervention. See id.
112
See id.
113
See id.
114
See id.
115
See id.
116
See 18 U.S.C. §§ 2701 et seq.
117
See Nicole A. Wong, Responding To Subpoenas: A Sysop’s Primer for Protecting User Privacy
Under the ECPA, CYBERSPACE LAWYER, Jan. 1998.
118
See 18 U.S.C. § 2703.
119
McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998).
120
See id. at 222.
121
See FEDERAL TRADE COMMISSION, Consumer Privacy On The World Wide Web (July 21, 1998)
<http://www.ftc.gov/os/1998/9807/privac98.htm> FTC Law Enforcement Authority.
122
See FEDERAL TRADE COMMISSION ACT, 15 U.S.C. § 45(a). The FTC also has responsibilities
under approximately 40 additional statutes, e.g., the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.,
that provides privacy protections for consumers’ financial information; the Truth in Lending Act, 15 U.S.C.
§§ 1601 et seq., that requires the disclosure of credit terms; and the Fair Credit Billing Act, 15 U.S.C. §§
1666 et seq., that requires billing errors to be corrected on credit accounts. See FEDERAL TRADE
COMMISSION (visited Mar. 12, 1999) <http://www.ftc.gov>. The FTC also enforces over 30 rules
governing specific industries and practices. See id.
123
See FEDERAL TRADE COMMISSION, supra note 123, at <http://www.ftc.gov/os/1998/9807/
privac98.htm> FTC Law Enforcement Authority.
124
See id.
125
See id.
126
See id. at <http://www.ftc.gov/os/1998/9807/privac98.htm> The Commission’s Role In Online
Privacy.
127
See id.
128
See id.
129
See id.
130
See id.
131
See id.
132
See FEDERAL TRADE COMMISSION, supra note 3, at <http://www.ftc.gov/reports/privacy3/
exeintro.htm> Executive Summary.
133
See id.
134
See id.
135
See id.
136
See id.
137
See FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information
Infrastructure, Dec. 1996.
138
See FEDERAL TRADE COMMISSION, supra note 123, at <http://www.ftc.gov/os/1998/9807/
privac98.htm> The Commission’s Role In Online Privacy.
139
See Complaint, In re GeoCities, FEDERAL TRADE COMMISSION (Aug. 18, 1998)
<http://www.ftc.gov/1998/9808/geo-cmpl.htm>.
140
See GEOCITIES (visited Feb. 17, 1999) <http://www.geocities.com>.
141
See Complaint, supra note 141, at <http://www.ftc.gov/1998/9808/geo-cmpl.htm>.
142
See id.
143
See id.
144
See id.
145
See id.
146
See id.
147
See id.
148
See id.
149
See id.
150
See id.
151
See id.
152
See id.
153
See id.
154
See Decision and Order, In re GeoCities, No. c-3850, FEDERAL TRADE COMMISSION (Feb. 5,
1999) <http://www.ftc.gov/os/1999/9823015&o.htm>.
155
See id.
156
See id.
157
See FEDERAL TRADE COMMISSION (Apr. 3, 1999) <http://www.ftc.gov/privacy/index.html>.
158
See Electronic Privacy Information Center (visited Mar. 22, 1999) <http://www.epic.org>.
159
Subscriptions can be obtained at the Web site or by sending an e-mail message to
epic-news@epic.org with subject line “subscribe.”
160
See Direct Marketer’s Association (visited Mar. 21, 1999) <http://www.dma.org/
framesets/pan/dmersframeset.html>.
161
See Conference Materials, Banking Industry Unites on Consumer Privacy (Sep. 18, 1997), in
Financial Services in an Electronic World (released to press on Nov. 18, 1997). The American Bankers
Association, the Consumer Bankers Association, The Bankers Roundtable, and the Independent Bankers
Association of America agreed on principles set forth in the Press Release. See id. at 1.
162
Public Workshop on Consumer Information Privacy: Hearings Before the Federal Trade
Commission 158 (June 10, 1997).
163
See Patrick Thibodeau, Hatch: Internet Privacy “Inevitable,” COMPUTERWORLD.COM (Apr. 23,
1999) <http://www.computerworld.com/home/news.nsf/idgnet/99042317rules2a>.
164
See Online Privacy Protection Act of 1999, S. 809, 106th Cong. (1999).
165
See Consumer Internet Privacy Protection Act of 1999, H.R. 313, 106th Cong. (1999).
166
See Social Security Online Privacy Protection Act of 1999, H.R. 367, 106th Cong. (1999).
167
See BBBONLINE, Sample Privacy Notice (visited Apr. 27, 1999) <http://www.bbbonline.org/
businesses/privacy/sample.html>.
168
See id.
169
See supra section II.
170
See BBBONLINE, supra note 169, at <http://www.bbbonline.org/businesses/privacy/sample.html>.
171
See DEPARTMENT OF COMMERCE, Elements of Effective Self-Regulation for Protection of Privacy
(visited Apr. 22, 1999) <http://www.doc.gov/ecommerce/staff.htm>.
172
See id.
173
See William J. Clinton & Albert Gore, Jr., A Framework for Global Electronic Commerce (visited
Apr. 25, 1998) <http://www.whitehouse.gov/WH/New/Commerce/read-pain.html> II.5.
174
See generally, Report of the President’s Commission on Critical Infrastructure Protection, ONLINE
BANKING NEWSL., Nov. 17, 1997.
175
See generally, Board of Governors of the Federal Reserve System, Concerning the Consumer
Identifying Information and Financial Fraud (Mar. 1997).
176
See id.
177
See supra section III.A.2.
178
See supra section III.A.4.
179
See ELECTRONIC PRIVACY INFORMATION CENTER, Surfer Beware: Personal Privacy and the
Internet (June 1997) <http://www.epic.org/reports/surfer-beware.html> Access To Ones Own Data.
180
See Public Workshop on Consumer Information Privacy: Hearings Before the Federal Trade
Commission 253 (June 10, 1997).
181
Id. at 78.
182
See ELECTRONIC PRIVACY INFORMATION, supra note 182, at <http://www.epic.org/reports/surfer-
beware.html> Access To Ones Own Data.
183
See Reps. Baker, Dreier Introduced Legislation to Ease Acceptance of Electronic Signatures,
Banking Rep. 742 (Nov. 17, 1997).
184
See BAKERS & COLES, Summary of Electronic Commerce and Digital Signature Legislation (Apr.
22, 1999) <http://www.mbc.com/ds_sum.html> (listing all legislation and legislative proposals).
185
See Barry Fraser, Rules of the Road For Navigating the Information Superhighway, 26 WRT
HUM. RTS. 17, 20 (1999).
186
See Encryption: Government Pursues Encryption Policy with Showcase of Key Recovery
Projects, 69 BANKING REP. 748 (Nov. 17, 1998).
187
See Jerry Ashworth, Visa, MasterCard Extend Certificates: Banks Can Continue SET 0.0 Project,
Report on Smart Cards, Nov. 24, 1997, at 7.
188
See generally, 17.3 J. MARSHALL J. COMPUTER & INFO. L. (Spring 1999) (dedicated to analyzing
the legal issues associated with electronic signatures and encryption).