Privacy Laws

Know your rights and responsibilities under privacy law

Privacy law is constantly developing. Learn the basics with this handy summary from Harwell, Howard, Hyne, Gabbert and Manner, PC.
Internet Privacy Protection

Ninety-two percent of Internet users admit they are concerned about the misuse of personal information (1). Consumers are increasingly exposed to stories of privacy breaches, such as the one published in the Washington Post reporting that a top health insurer accidentally emailed to others confidential information concerning members using the insurer's website (2). It has also been reported that one-third of ecommerce businesses have failed to invest in basic security measures such as firewalls (3). At this point, 82 percent of users believe the government should regulate how personal information is used by online companies (4). This public request for increased privacy protection is creating an interest on the part of both the federal and state governments to provide privacy protection for individuals by enacting laws to control the collection and use of information gathered from consumers during their online activities.

So far Internet companies have relied on self-regulation, with help from online seal programs such as BBBOnline and TRUSTe (5). Initially the Federal Trade Commission ("FTC") endorsed self-regulation as an alternative to government regulation, but now the FTC is lobbying Congress to pass a comprehensive privacy law to give the FTC control over the protection of online consumer privacy rights (6). Congress has considered several bills offering broad privacy protection for Internet users; however, it has not yet passed a comprehensive law designed to provide privacy protection. The year 2000 was slated to be the year of privacy legislation, with more than 50 privacy bills introduced (7). Now, as it appears that such efforts are losing steam, it is unlikely that a comprehensive privacy bill will be passed before next year (8).

As noted by the FTC in its 1998 report to Congress, privacy rights are currently protected on a limited level by "a handful of disparate statutes directed at specific industries that collect personal data and none which specifically covers the collection of all personal information online" (9). Federal and state privacy law is piecemeal and protects certain consumers or covers specific industries. Further, individuals who are unable to find privacy protection in a specific federal or state statute resort to common law protections such as trespass to chattel/personal property and invasion of privacy. In addition to the confusing collage of privacy-related laws in the U.S., businesses face international controls on the gathering of personal information from online users outside the U.S. For example, the European Union ("EU") and Canada have comprehensive laws to protect Internet users. These international laws impose strict controls on businesses gathering information from international online consumers and generally require consumers to opt in to information gathering.

The following are examples of the patchwork of legislation relevant to businesses whose customers submit their personal information over the Internet. The list is not exhaustive, but gives an outline of current and proposed law (10).
Children's Online Privacy Protection Act of 1998 ("COPPA") (15 U.S.C. 6501)

COPPA's application is limited to an operator of a website or online service that either directs its site to children under age 13 or has actual knowledge that it is collecting information from a child. To comply with COPPA, the operator must post a notice on its website about its collection, use and disclosure of information from children. In addition, the operator must obtain parental consent in order to collect, use or disclose the personal information submitted by the child online. Regulations addressing the notice requirement and the parental consent requirement can be found at 16 C.F.R. Part 312.
Gramm-Leach-Bliley Financial Services Modernization Act (Pub. Law 106-202; 113 Stat. 1338)

This Act requires financial institutions to disclose their privacy policies to their consumers. It allows consumers to opt out of the sharing of personal information, in addition to restricting the institutions from sharing account numbers with non-affiliated telemarketers and direct marketers. Regulations for the privacy of consumer information have been issued and can be found at 16 C.F.R. 313.
Health Insurance Portability and Accountability Act ("HIPAA")

HIPAA required that Health and Human Services ("HHS") issue regulations addressing privacy concerns for health privacy if a health privacy law was not enacted by August 21, 1999. No health privacy law was passed by the deadline, and HHS responded with proposed regulations that restrict the disclosure of protected health information. The HIPAA regulations apply only to health information that is transmitted electronically. In addition, the regulations apply solely to "covered entities" such as health plans, health care providers and health care clearinghouses and, under some circumstances, business partners of covered entities. The regulations have been issued and can be found at 64 Fed. Reg. 59918.
Federal Trade Commission Act Section 5 (15 U.S.C. 45(a))

This Act authorizes prosecution of companies that use unfair or deceptive acts or practices. Although not specifically designed to protect Internet consumers, this broad power has been used by the FTC to attack the information use and collection practices of certain Internet companies such as GeoCities, Toys R Us, and Young Investors. This information is available on the FTC's website at www.ftc.gov.
Cable Communications Policy Act (47 U.S.C. 551)

This Act may impact cable companies providing Internet connections through cable modems. Subject to certain exceptions, this Act prohibits service providers from disclosing personally identifiable information without subscriber consent. Specifically, it requires cable operators to provide written notices that "clearly and conspicuously" inform the consumer of the type of information that will be collected and how it will be used.
Electronic Communications Privacy Act ("ECPA") (18 U.S.C. 2510-2522, 2701-2709, 3121-3126)

ECPA added electronic communications to the federal wiretapping act. ECPA may apply to Internet privacy litigation because it makes it illegal to knowingly intercept, use and disclose electronic communications that are in transit or while they are in storage.
Federal Videotape Privacy Protection Act ("FVPPA") (18 U.S.C. 2710)

The FVPPA prohibits a videotape service provider from disclosing to any person "personally identifiable information concerning any consumer." 18 U.S.C. 2710(b). Personally identifiable information means "information which identifies a person as having requested or obtained specific video material or services from a video tape service provider." 18 U.S.C. 2710(a)(4). Any time a consumer requests a video online, the request is subject to protection.
Computer Fraud and Abuse Act ("CFAA") (18 U.S.C. 1030)

The CFAA is the first law to specifically address computer crime. A U.S. Senate report stated that the statute "prohibits forms of computer abuse which arise in connection with and have a significant effect on interstate commerce" (11). The CFAA has been successfully used by America Online against a defendant who inappropriately obtained information about AOL members through the use of an AOL account and sent the members unsolicited email messages (12).
Proposed Consumer Internet Privacy Enhancement Act (S.2928 proposed)

This proposed bill would make it unlawful for a commercial website operator to collect personally identifiable information online from a user unless it provides notice about collection practices and an opportunity to limit disclosure. The proposed bill provides a safe harbor for website operators complying with self-regulatory guidelines of an online seal program or other person approved by the Federal Trade Commission. Under the proposed bill, a state cannot impose liability through laws that are inconsistent with or more restrictive than the Act. Civil penalties could be imposed up to $500,000.
State Initiatives

In addition to the protection afforded by the federal government, some states, including New York, Virginia, Massachusetts, California, Florida, South Carolina, Wisconsin, and Michigan, have shown an interest in protecting the privacy rights of consumers using the Internet. For example, the Attorney General of New York has announced a new effort to increase individual control over the use and disclosure of personal information while balancing this control with the need to encourage technological development. In addition, the Attorney General of Virginia has announced his office is working with the state's Secretary of Technology to develop a Cyber Bill of Rights addressing privacy of personal information on the Internet. The growing concern of state governments is evidenced by a statement of the National Association of Attorneys General that the gathering of personally identifiable information from online consumers poses "one of the biggest threats to the long term vitality of electronic commerce" (13).
International Law

Privacy protection for online consumers is an important issue for the international community. Both the EU and Canada have comprehensive privacy legislation, and other countries have privacy protection on their agendas. In 1995 the EU adopted a directive addressing privacy requirements for member states (the "Directive") (14). The Directive is intended to ensure that member states pass privacy laws maintaining standards outlined by the Directive. Specifically, the Directive allows the collection of personal data only for "specific explicit and legitimate purposes and only if the person to whom the information refers has unambiguously given consent" (15). The EU provides a safe harbor for U.S. businesses that wish to collect information from individuals in EU member states (16). The safe harbor permits U.S. businesses meeting certain minimum standards to ensure businesses continue to receive the personal data from Europe needed for their business operations (17).

Canada's Personal Information Act provides that personal information can be collected, used and disclosed only with the informed consent of the person from whom the information is collected (18). In addition, the Personal Information Act requires businesses to develop and enforce privacy policies and procedures for online data collection. Customer lists, normally considered a significant asset, should be reviewed in light of a vendor's privacy statement to ensure that the list and information can be transferred (19). Therefore, businesses interested in Canadian e-commerce should ensure their privacy statements and policies require informed consent.

Beyond the requirements presently in place in the U.S., EU and Canada, privacy protection is also a priority in other countries (20). Businesses not only need to be aware of current privacy protections required in the various countries in which they conduct business, they also need to remain attuned to new privacy initiatives which could significantly impact future business operations.
By Mary Beth Fortugno
(1) Alan F. Westin, Personalized Marketing and Privacy on the Net: What Consumers Want, Privacy and American Business at 11 (Nov. 1999).

(2) Kaiser Permanente recently said that it releases confidential information accidentally through email to the wrong members. See Sensitive Kaiser E-Mails Go Astray, August 10, 2000 Washington Post.

(3) Scott Berinato and Renee Boucher Ferguston, The Care and Feeding of Internet Security, September 15, 2000.

(4) Survey Shows Few Trust Promises of Online Privacy, April 17, 2000 N.Y. Times (citing recent Odyssey Survey).

(5) For more about these privacy certification programs see BBB Online at www.bbbonline.com, TRUSTe, at www.truste.org.

(6) Privacy Online: Fair Information Practices in the Electronic Marketplace, an FTC report to Congress, May 2000.

(7) See Privacy Protection Efforts Losing Steam, Scripps Howard News Service, The Tennessean, September 16, 2000.

(8) Id.

(9) 1998 FTC Report to Congress at 40 n.160.

(10) See also prohibitions against the government releasing information under the Freedom of Information Act ("FOIA") (5 U.S.C. 552) and The Privacy Act (5 U.S.C. 552a). The FOIA applies to government agencies and requires federal governmental agencies to make most records available. However, "personnel and medical files and similar files the disclosure of which would constitute a clearly unwanted invasion of personal privacy are exempted." (5 U.S.C. 552(b)(6)). The Privacy Act is also limited to governmental agencies and restricts an agency from disclosing "any record regarding an individual to any person or another agency except pursuant to a written request with the prior written consent of the individual to whom the records pertain." (5 U.S.C. 552a(b)(2)).

(11) S. Rep. 101-544.

(12) AOL v. LCGM, Inc. (E.D. Va. 1998).

(13) A copy of this statement can be found at http://www.naag.org.

(14) Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the "protection of individuals with regard to the processing of personal data and on the free movement of such data."

(15) Id.

(16) Safe harbor available at U.S. Department of Commerce Website.

(17) See press statement at "European Commission Issues Safe Harbor Privacy Agreement."

(18) The Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5, s.3, is available on Lexis.

(19) For more information on this discussion see Paul Jones, Privacy Law Will Require New Diligence, The Lawyer's Weekly, September 15, 2000, Vol. 20, No. 18.

(20) See also the countries of Iceland, The Act of 1982 (amended 1989) and further Act of 1990, and Norway, New Data Protection Act adopted March 1, 2000, Heather Rowe, International Privacy Law Developments, First Annual Institute on Privacy Law at 18, 245.