The Federal Trade Commission (FTC) has been monitoring the data collection practices of popular Web sites and issuing reports about the status of online privacy. Until last month, the agency favored industry self-regulation as opposed to new legislation governing online privacy. Self-regulation is a system made up of voluntary compliance with industry guidelines, membership in privacy seal-of-approval programs, and other practices that facilitate the protection of personal information. But on May 23, the FTC reversed its position and announced that it was recommending that Congress enact legislation to “ensure a minimum level of privacy protection for the on-line consumer.” This accompanied the FTC’s latest report on the data collection practices of popular Web sites. In the report, the agency stated that 20 percent of popular Web sites have failed to implement the fair information practices recommended by the agency and that industry self-regulation does not adequately protect consumers’ online privacy.

Although online companies and advertisers have generally opposed new privacy legislation, it seems inevitable that Congress will pass some sort of online privacy law. Although the FTC proposed the general outline of new privacy legislation, the details of such a law have yet to be crafted and online companies and advertisers can play an active role in shaping the law.

In this article, we look at the FTC’s legislative recommendation and how it will affect companies that collect and use personal information from Internet users. We also look at how companies have been complying with the Children’s Online Privacy Protection Act of 1998 (COPPA) that took effect in April. An examination of these sites provides examples of how companies might comply with a federal online privacy law. We also look briefly at the safe harbor principles adopted by the United States and the European Union that provide a way for U.S. companies to comply with the E.U.’s strict data protection directive.

FEDERAL PRIVACY LAW LIKELY

Although Congress is not likely to enact any new online privacy legislation before the current session ends this summer, some form of such legislation is probably inevitable. The FTC reported that 99 percent of the Web sites it surveyed collect personal information through registration forms, order forms, surveys, contests or other means. While 62 percent of sites post a privacy policy, only 20 percent implement all four fair information practices. The agency also reported that 92 percent of respondents stated that they do not trust online companies to keep their personal information confidential, and 82 percent agreed that government should regulate how online companies use personal information.

These numbers reflect consumers’ increasing concerns about privacy and are mirrored by other developments. State attorneys general have launched investigations into the data collection practices of numerous online and offline companies, and several of them have announced settlement agreements with companies over data collection practices that purportedly violate state consumer protection laws. Individuals are also taking action: DoubleClick, RealNetworks and Amazon.com have all been named as defendants in suits involving the collection of personal information.

Although online companies favor self-regulation and argue that new privacy laws may impede innovation, it seems that the tide has turned and that some kind of privacy law is likely. However, for such companies, a federal privacy law that supersedes state law may be the lesser of two evils: an eBay executive testified before Congress that a federal online privacy law is better than 50 different state privacy laws.

FTC LEGISLATIVE PROPOSAL

The FTC’s approach to privacy rests on the fair information practices established by government agencies in the U.S., Canada and Europe over the last 25 years. The core principles are notice, choice, access, security and enforcement. In its May report, titled Privacy Online: Fair Information Practices in the Electronic Marketplace (available online at www.ftc.gov), the FTC states that the proposed legislation would establish basic standards for collecting personal information online and would provide an implementing agency with the authority to promulgate more detailed standards (after receiving public comments) including the authority to enforce those standards. Specifically, all consumer-oriented commercial Web sites that collect personal information would be required to comply with the following fair information practices.

Notice. Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide consumers with choice and access regarding their personal information, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.

Choice. Web sites would be required to offer consumers choices regarding how their personal information is used beyond the use for which the information was provided (e.g., if a Web site collects personal information such as name and mailing address to complete a transaction, consumers could choose whether to allow the site to use this information for other uses such as marketing). At this point it is unclear whether a new privacy law would require an “opt-in” or an “opt-out” provision. Consumer groups favor an opt-in approach, in which commercial Web sites would not be allowed to use personal information unless a consumer opted in to such use. Online companies and advertisers generally favor an opt-out approach, in which commercial Web sites could use personal information unless the consumer affirmatively opted out of such use.

Access. Web sites would be required to offer consumers reasonable access to the information they collect, including a reasonable opportunity to review the information and to correct inaccuracies or delete information.

Security. Web sites would be required to take reasonable steps to protect the security of the information they collect.

The FTC recommends that the legislation be phrased in general terms and be technologically neutral, and that rules and regulations be promulgated that provide definitions and guidance for complying with the law. For example, rules and regulations could explain what constitutes “reasonable access” and when choice may not be necessary (e.g., when a Web site expressly provides discounts to consumers in exchange for their personal information).

The FTC continues to support self-regulation and has indicated that self-regulatory programs would continue to play an essential role under the proposed statutory scheme. Industry’s primary self-regulatory program has been online privacy seal programs. Although the agency supports these programs (in which a Web site complies with certain data collection guidelines and agrees to be monitored for compliance in order to display a seal on the site), it reported that only 8 percent of sites in a random survey, and 45 percent of the most popular sites, participate in a seal program.

INFORMATION FROM CHILDREN

Two years ago, the FTC conducted a similar survey of Web sites and issued a similar report. The agency recommended that Congress enact legislation to govern the online collection of information from children and the following year Congress enacted COPPA. As of April 21, 2000, Web sites that are directed to, or that knowingly collect personal information from, children under 13 must comply with the Act (15 U.S.C. § 6501 et seq.) and the rule implementing it (16 C.F.R. 312). The Act requires operators of Web sites and online services that are directed to children under 13 to:

• post a privacy policy outlining its information collection practices,
• provide notice to parents of its information collection practices,
• get parental consent if the operator collects personal information from children under 13, and
• provide access to the information collected and the opportunity to delete it.

The Act applies to commercial Web sites or online services, or any portion thereof, that are targeted to children under 13. This includes sites that provide e-mail and chat room services designed for kids, Web sites that offer contests for kids or where they can play online games, online newsletters that are intended for children that require registration, and general audience Web sites that have a special kids section.

BUSINESS, LEGAL ISSUES

Online companies and advertisers were faced with a variety of business and legal considerations when COPPA was enacted. Complying with the Act required developing a privacy policy and posting it where required. It also required developing manual or automated ways to provide notice to parents and to obtain verifiable parental consent. This might mean licensing software that automatically sends a notice to parents when a child registers for a game or contest and that sends a consent form to a parent by e-mail that the parent can print and return to the operator. Or it might mean hiring or training employees to obtain parental consent by telephone or by processing written consent forms received by the operator.

Web site operators also reviewed their agreements with affiliates, co-branded partners and advertisers, and reviewed their own advertising strategies, to determine if they were hosting or placing banner ads or cookies on sites that could be collecting personal information from children. For some companies and individuals, the cost of complying with the Act required re-thinking the benefits of collecting personal information from children. Some Web site operators chose to limit certain services or promotions to children 13 and over in order to avoid complying with COPPA, while others instituted the required notice and consent provisions. The following are examples of how some sites are complying with COPPA.

MamaMedia.com. This site has a link to its privacy policy on its home page and on the registration page. The policy explains why it asks kids to register, what information it collects, tells parents that members can change information or cancel an account, allows members to opt out of receiving e-mail from MamaMedia, explains its use of cookies, provides the name, phone number, postal address and e-mail address of someone to contact regarding its privacy policy, and asks parents to provide a parental e-mail address on the kids registration page.

Disney.com. This site has a link to its privacy policy on its home page. The privacy policy has three sections — for those under 13, 14-18, and over 18. For children under 13, the policy explains that no personal information is shared with third parties and that no direct marketing communications are sent to children under 13. Other parts of the privacy policy explain how cookies are used and how members can opt out of having information collected.

Children’s Television Workshop/Sesame Street.com. Its privacy policy says that it currently does not collect any personal information from children under 13 and therefore has no parental consent provision. The policy says that if in the future it does collect information from children, it will require parental consent beforehand. The site allows users to choose passwords and nicknames to participate in certain activities but does not tie such passwords or nicknames to personally identifiable information. The policy explains that it does collect some information from users over 18 and allows users to opt out of this practice.

eCrush.com. This site limits its service to children over 13. Its privacy policy states that “This Web site is designed for participation by those who are 13 years of age or older. CHILDREN UNDER 13 MAY NOT PARTICIPATE.”

If Congress enacts a new online privacy law, online companies will need to make similar decisions regarding their data collection practices. They should first consider the cost of complying with such a law; some online companies reportedly spent over $100,000 to comply with COPPA. A new law may also have a safe harbor provision similar to that in COPPA, under which an operator that complies with approved guidelines will be considered to be in compliance with the Act. Although a new privacy law may not take effect for one to two years, online companies and advertisers should begin thinking about their data collection practices and about how they can shape such a law.

EUROPEAN UNION DIRECTIVE

Even if the U.S. does not enact new privacy laws, companies that collect personal information from residents of the European Union are developing privacy policies that comply with the European Union’s strict data protection directive. The Directive, which took effect in late 1998, regulates how personal information is collected and used within the European Union and prohibits the transfer of personal information to non-E.U. countries that lack “adequate” data protection. Because the U.S. does not have a comprehensive privacy law, the E.U. stated that the U.S. lacked adequate data protection. Accordingly, officials from the E.U. and the U.S. spent two years negotiating and drafting safe harbor privacy principles which the E.U. approved in late May. Adherence to the principles is voluntary, but U.S. companies that do adhere to them will meet the E.U.’s adequacy standard for privacy protection.

There are several ways that U.S. companies can comply with the principles. They can join a self-regulatory privacy program that complies with them. They can also create their own self-regulatory privacy policies. Companies that are already subject to statutory, administrative or regulatory privacy laws can self-certify to the U.S. Department of Commerce that they are in compliance with the privacy principles. And companies can pay an annual fee and cooperate with established E.U. Data Protection Authorities that provide information and advice to companies and a dispute resolution service. The safe harbor privacy principles and Frequently Asked Questions are online at www.ita.doc.gov.

CONCLUSION

State and federal legislators and state attorneys general are paying more attention to privacy online and new privacy laws are probably inevitable. Online companies and advertisers should examine their data collection practices and how those practices might be affected by new privacy legislation. They should also examine how Web sites are complying with the Children’s Online Privacy Protection Act and the costs and benefits associated with such compliance.

Terri J. Seligman and James D. Taylor are partners in the advertising group and the iLaw group at Loeb & Loeb LLP in New York. Jill Westmoreland, an associate with the firm, assisted in the preparation of this article.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.