Every web site needs a Privacy Policy describing the types of information it collects, how it is used, how it is shared, how it is stored and how it is protected. While there is currently no Federal law directly regulating the Privacy Policy, the regulations contained in other laws affect your web site and will be discussed below.

It is important to realize that the internet is still in its infancy, and we are all just beginning to blaze the trail of this new frontier. The internet has exploded with growth, leaving lawmakers and courts scrambling to catch up. States like California have taken it upon themselves to pass state laws concerning privacy, but the internet is larger than any single state, and I expect to see many federal regulations concerning Privacy and Privacy Policies in the months and years ahead.

A Brief History Lesson

Privacy itself is a philosophical concept most associated with Anglo-American culture. Indeed, many cultures around the world do not even have a word for the concept of privacy. In the U.S. there is no guarantee of privacy in our constitution, yet the Supreme Court has aligned the concept of privacy with that of free speech and has expanded the guarantee of privacy in many of its decisions (e.g. Roe v. Wade; not many people know that Roe v. Wade was decided on the basis of a woman’s right to privacy. The Court asserted that “the right of privacy, whether it be founded in the Fourteenth Amendment’s concept of personal liberty and restrictions upon state action, as we feel it is . . . is broad enough to encompass a woman’s decision whether or not to terminate her pregnancy.”)

Privacy laws in Western Europe are far more advanced and comprehensive than they are in the United States. However, the concept of privacy protection in Western Europe was not important until after the Second World War. Before the war, local governments compiled all sorts of information on their residents and kept it in a central location. The people of Western Europe were then terrorized by the Nazis, who used the local governments’ lists to confiscate property and, through the concentration camps, to take lives. As a result of the atrocities committed by governments in the Second World War, the people of Western Europe demanded stricter laws concerning privacy, and their governments responded with Article 8 of the European Convention on Human Rights, which guarantees the citizen’s right to respect for private and family life, one’s home and correspondence.

In 1995 both the EU and the FTC began addressing Internet privacy specifically. The EU passed the Data Protection Directive, and the FTC published its Fair Information Principles, which provided guidelines for companies to institute privacy policies on how they handle collected data.

The EU has passed many specific laws concerning the collection and handling of Internet data. Further, the EU recently passed a directive requiring that visitors to a web site approve the use of cookies. This directive affects those U.S. web sites that regularly see visitors from the EU.

In the U.S., our government is currently still promoting a free market system of industry self-regulation and is trying to rely on fewer laws.  However, I see this system being usurped by more and more new U.S. laws being passed every month.

To date, only California has passed an Internet Privacy Policy law, and consequently the Privacy Policies you see on the web are now all fashioned to follow California’s law. It is my personal belief that a comprehensive Internet Privacy Law will be passed by the U.S. Congress within the coming year.

U.S. Privacy Policy Laws

The FTC’s Fair Information Principles identify five critical issues concerning website privacy. We can expect these principles to be codified and regulations promulgated in the near future:

1. Notice and Awareness – Consumers should be given notice of an entity’s information practices before any personal information is collected from them.

2. Choice and Consent – Choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information, i.e., uses beyond those necessary to complete the contemplated transaction.

3. Access and Participation – An individual’s ability both to access data about them (i.e., to view the data in an entity’s files) and to contest that data’s accuracy and completeness.

4. Integrity and Security – Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. (The FTC is currently focusing on data breaches in a big way!)

5. Enforcement and Redress – Core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.

Data protection is by far the most important part of Internet privacy. How data is stored and protected is every web master’s recurring nightmare!

Recently, the FTC has been prosecuting companies that have had data breaches under Section 5 of the FTC Act as “deceptive practices”; that is, they did not guard their data security as they said they would. It is interesting to note that the complaints filed by the FTC in this area all say that the firms whose data was breached should have had better security in place. Because the FTC is looking at the security breach in hindsight, it can list all the things the offending firm should have thought of, and because the firm did not, it must not have been vigilant enough. This philosophy shifts the burden of proof from the FTC to the web site operator, who must prove they had acceptable data security measures in place.

To overcome this argument, I recommend that you have written SOPs (Standard Operating Procedures) which show the steps you have taken to secure your data, and written documents proving compliance with your SOPs. Written SOPs are a great way to win the argument that you were adequately guarding the site’s data.

While there is no comprehensive Federal Privacy Policy law, each of the following acts has Privacy Policy implications:

  1. The Children’s Online Privacy Protection Act (COPPA) affects websites that knowingly collect information about children under the age of 13. The COPPA regulations are incredibly complicated; if your web site is available to children under the age of 13, it is our recommendation that you contact a knowledgeable attorney to review your compliance with COPPA. Further, as of July 1, 2013, the COPPA regulations have been expanded and web sites will need to adhere to the new regulations. I will post a blog about this in the near future.
  2. The Gramm-Leach-Bliley Act contains The Financial Privacy Rule, which requires firms to provide a privacy policy that communicates the data sharing practices of the firm. It also requires an opt-out mechanism for the customer as required by the Fair Credit Reporting Act. If you have a web site that keeps a copy of the customer’s payment information (i.e. credit card number) on file, it is our recommendation that you contact a knowledgeable attorney to review your compliance with The Gramm-Leach-Bliley Act.
  3. The Health Insurance Portability and Accountability Act (HIPAA) establishes the rules and regulations for the storage and dissemination of Protected Health Information. Obama-Care has required medical records to be computerized and shared, and recently the office of Health and Human Services (HHS) has expanded the HIPAA rules and regulations regarding the storage and sharing of medical information. If your company keeps health information on file about your customers (i.e. prescription orders), it is our recommendation that you contact a knowledgeable attorney to review your compliance with HIPAA.

Some states have passed their own privacy laws. The most significant of these is the California Online Privacy Protection Act. This law requires operators of commercial web sites or online services that collect personal information on California residents to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information.

As California is a significant portion of the U.S. market, it was the California Online Privacy Protection Act which provided the driving force prompting firms to provide privacy policies. However, with the FTC now prosecuting firms with data breaches, and with Congress ready to act, Privacy Policies are prerequisites for every web site.

Privacy Policy Problems Web Site Owners Create for Themselves

Many web site owners have simply copied someone else’s privacy policy and are unaware of what it says, or of the responsibilities the site owner has agreed to comply with. This is a very dangerous practice, especially when the person you copied it from likely copied it from someone else’s website.

  1. Site owners are bound by what their privacy policies state, and without using flexible terms they could be in violation of their own privacy policy and not realize it.
  2. Many site owners do not realize that proper formatting of the privacy policy is a matter of law, regardless of what it says.
  3. Laws regarding privacy policies often change, and without continually updating your privacy policy, what was a sound document two years ago is now outdated and potentially dangerous.

Currently, I believe Privacy is the most contentious issue on the Internet today. Laws and regulations are constantly changing. I am sure you will be hearing from me about Privacy many times in the months to come.

As I understand it, the hardest thing about starting a blog is getting an audience to read it. If you enjoy my blog please remember to bookmark it for your return, and please tell your friends if you think they will enjoy it too.

Thanks for stopping by, I hope to see you here again soon.