It is important to realize that the internet is still in its infancy, and we are all just beginning to blaze the trail of this new frontier. The internet has exploded with growth, leaving lawmakers and courts scrambling to catch up. States like California have taken it upon themselves to pass state laws concerning privacy, but the internet is larger than any single state, and I expect to see many federal regulations concerning Privacy and Privacy Policies in the months and years ahead.
A Brief History Lesson
Privacy itself is a philosophical concept most associated with Anglo-American culture. Indeed, many cultures around the world do not even have a word for the concept of privacy. In the U.S. there is no explicit guarantee of privacy in our Constitution, yet the Supreme Court has read a right of privacy into the liberties the Constitution does guarantee, and it has expanded that right in many of its decisions (e.g. Roe v. Wade. Not many people know that Roe v. Wade was decided on the basis of a woman's right to privacy. The Court asserted that "the right of privacy, whether it be founded in the Fourteenth Amendment's concept of personal liberty and restrictions upon state action, as we feel it is . . . is broad enough to encompass a woman's decision whether or not to terminate her pregnancy.")
Privacy laws in Western Europe are far more advanced and comprehensive than they are in the United States. However, the concept of privacy protection in Western Europe was not considered important until after the Second World War. Before the war, local governments compiled all sorts of information on their residents and kept it in a central location. During the war the people of Western Europe were terrorized by the Nazis, who used those local government registries to confiscate property and to select people for the concentration camps. As a result of the atrocities committed by governments in the Second World War, the people of Western Europe demanded stricter laws concerning privacy, and their governments responded with Article 8 of the European Convention on Human Rights (1950), which guarantees the citizen's right to respect for private and family life, home and correspondence.
In 1995 both the EU and the FTC began addressing Internet privacy specifically. The EU passed the Data Protection Directive (95/46/EC), and the FTC published its Fair Information Principles, which provided guidelines for companies to institute privacy policies governing how they handle collected data.
In the U.S., our government is still promoting a free market system of industry self-regulation and is trying to rely on fewer laws. However, I see this system being usurped by more and more new U.S. laws being passed every month.
The FTC’s Fair Information Principles identify five critical issues concerning website privacy. We can expect these principles to be codified and regulations promulgated in the near future:
1. Notice and Awareness – Consumers should be given notice of an entity's information practices before any personal information is collected from them.
2. Choice and Consent – Choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information, i.e., uses beyond those necessary to complete the contemplated transaction.
3. Access and Participation – An individual's ability both to access data about them (i.e., to view the data in an entity's files) and to contest that data's accuracy and completeness.
4. Integrity and Security – Data must be accurate and must be protected. Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. (The FTC is currently focusing on data breaches in a big way!)
5. Enforcement and Redress – Core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.
Data protection is by far the most important part of Internet privacy. How data is stored and protected is every web master’s recurring nightmare!
Recently, the FTC has been bringing enforcement actions under Section 5 of the FTC Act against companies that have suffered data breaches, charging them with "deceptive practices" (and, in some cases, "unfair practices"): that is, they did not guard their data as their privacy policy said they would. It is interesting to note that the complaints filed by the FTC in this area all say that the firms whose data was breached should have had better security in place. Because the FTC is looking at the breach in hindsight, it can list all the things the offending firm should have thought of, and argue that because the firm did not, it must not have been vigilant enough. In practice this shifts the burden of proof from the FTC to the web site operator, who must show that reasonable and appropriate data security measures were in place before the breach.
To overcome this argument, I recommend that you have written SOPs (Standard Operating Procedures) that describe the steps you take to secure your data, together with written records (access logs, audit reports, training records, dated sign-offs) proving that you actually followed those SOPs. An SOP with no evidence of compliance is of little help after a breach. Written SOPs backed by such records are a great way to win the argument that you were adequately guarding the site's data.
- The Children's Online Privacy Protection Act (COPPA) affects websites that are directed to children under the age of 13, or that have actual knowledge that they are collecting personal information from a child under 13. The COPPA regulations are incredibly complicated. If your web site is available to children under the age of 13 it is our recommendation that you contact a knowledgeable attorney to review your compliance with COPPA. Further, as of July 1, 2013, the amended COPPA Rule has taken effect, expanding the definition of personal information, and web sites will need to adhere to the new regulations. I will post a blog about this in the near future.
- The Health Insurance Portability and Accountability Act (HIPAA) establishes the rules and regulations for the storage and dissemination of Protected Health Information. Federal health-IT incentives (the 2009 HITECH Act) have pushed providers to computerize and share medical records, and in January 2013 the Department of Health and Human Services (HHS) issued the HIPAA Omnibus Rule, which expands the rules on storing and sharing health information and applies them directly to business associates that handle such information on a covered entity's behalf. HIPAA applies to covered entities (health plans, providers, clearinghouses) and their business associates, so if your company keeps health information on file about your customers (e.g. prescription orders) it is our recommendation that you contact a knowledgeable attorney to review whether and how HIPAA applies to you.
As California is a significant portion of the U.S. market, it was the California Online Privacy Protection Act, which requires any commercial web site that collects personally identifiable information from California residents to post a privacy policy, that provided the driving force prompting firms to provide privacy policies. However, with the FTC now pursuing firms that have suffered data breaches, and with Congress ready to act, privacy policies are prerequisites for every web site.
Currently, I believe Privacy is the most contentious issue on the Internet today. Laws and regulations are constantly changing. I am sure you will be hearing from me about Privacy many times in the months to come.
As I understand it, the hardest thing about starting a blog is getting an audience to read it. If you enjoy my blog please remember to bookmark it for your return, and please tell your friends if you think they will enjoy it too.
Thanks for stopping by, I hope to see you here again soon.