United States: A Practical Guide To Online Privacy Policies

If you do business on the World Wide Web, change is your only constant. Even the most loyal online customers are a fickle lot, and no one can predict the "Next Big Thing" in e-commerce. While navigating the cyber-minefields has always been a dangerous and shifting challenge, the concept of data privacy has been taking on particular significance recently as a potential pitfall for the unwary. In the United States, the approach Internet businesses have adopted has traditionally been driven by the market, with many individuals and businesses demanding to see "privacy policies" before patronizing online vendors. More recently, new laws and legal decisions have begun to appear, adding to the considerations online businesses must weigh in deciding what level of privacy should be promised to visitors and customers.

Unlike Europe, which has imposed comprehensive legal restrictions on the collection, dissemination and use of personal information of virtually every kind, the United States has adopted a more piecemeal approach. There is no uniform requirement in the United States that individuals even be informed that personal information is being collected about them as they surf from website to website. Moreover, the information that is collected can generally be used, sold or disseminated without permission or restriction. However, a constellation of laws exists which provide protection for particular groups of individuals, and imposes restrictions on specific industries. Failure to comply with applicable Federal rules and associated regulations can result in hefty civil and criminal penalties, as well as the elimination of exit strategies and alternative revenue streams.

One example of such a law is the Children's Online Privacy Protection Act ("COPPA"), which was discussed in detail in a previous Lucash, Gesmer & Updegrove mailing. Under COPPA, the Attorney General can seek an injunction and monetary damages for the mishandling of information collected from children under the age of 13. If a company intends to collect information from children under the age of 13, or has knowledge that it is doing so, restrictions under COPPA apply. The company must provide appropriate notice to users that it is collecting personal information from children, it must generally obtain verifiable parental consent prior to use or disclosure of personal information, it must provide parents reasonable access to the personal information and it must implement measures to protect the confidentiality, security and integrity of the personal information. An impacted company's privacy policy can address all of these requirements. The privacy policy must include careful detail as to the nature of the information being collected, how the information will be used, to whom the company will disclose the information, and how parents can access the information about their child and the procedures for requesting that such information be deleted. Indeed, even companies that do not target children are sufficiently concerned about the law that they often include provisions in their privacy policies specifically indicating that their sites are not intended for children less than 13 years of age.

Unlike COPPA, which is concerned with the kinds of individuals from whom data is collected, the Health Insurance Portability and Accountability Act ("HIPAA") focuses on a particular group of data collectors. Specifically, HIPAA protects all medical records and individually identifiable health information used or disclosed by health plans, health care clearinghouses, and health care providers conducting electronic financial and administrative transactions. Although in most cases compliance with the privacy rules implemented under the act is not required until April 2003, the consequences of non-compliance are steep -- monetary penalties reach $250,000 and beyond and prison terms can be up to 10 years for obtaining or disclosing health information with the intent to sell it for commercial advantage. To ensure the security of such personal health information, entities subject to the act must adopt written privacy procedures outlining who has access to the protected information, how the information will be used, and to whom the information will be disclosed. HIPAA also dictates certain terms of privacy policies. Patient consent must be obtained prior to release of information. Health information may not be used for any purpose not related to health care, and disclosure must be limited to the minimum amount of information necessary for the purpose of the disclosure. While many individuals take the privacy of their health information for granted, the April 2003 deadline will mark a dramatic shift from what is currently expected of health care entities to what will be legally required.

Another privacy statute, the Gramm-Leach-Bliley Act ("GLB Act"), requires action well before 2003. Indeed, the beginning of this month marked the deadline for various privacy disclosures for parties covered under the act, and it is the GLB Act which is largely responsible for the spate of privacy statements consumers have received in the mail in recent months from their banks and credit card companies. At its core, the GLB Act requires financial and insurance institutions to create and adhere to written policies and procedures with respect to the collection and sharing of individual customer information. These policies and procedures enable customers to prevent their non-public information from being shared with non-affiliated third parties without consent. While the GLB Act is not limited to the collection of information on the Internet, online activity is certainly not immune from its reach, and the GLB Act therefore has potentially significant impact for the website privacy policies of covered entities.

Perhaps more important than any of the civil or criminal penalties the government can impose, consumers have come to expect an online privacy policy from companies they patronize on the World Wide Web. While use of such policies has been spotty in the past, they are becoming more prevalent and users will increasingly notice if a site on which they are asked for personal information does not have one.

Typically, an online privacy policy may be regarded as a contract between the company and each individual user patronizing the website to which it applies. In exchange for the valuable information a company receives from its customer, the company agrees to protect the information and treat it in a particular way. Implemented poorly, however, the privacy policy may turn into a one-way instrument, in which some customers can point to the privacy policy to require certain treatment of their personal information, but other customers can claim not to be bound by certain disclaimers or other protective language the policy may contain. For instance, if the policy is not prominently displayed, some users may claim not to have agreed to its terms, while others may claim reliance on it and require strict conformance.

In addition, the Federal Trade Commission ("FTC") appears to be particularly concerned with ensuring that promises made in online privacy policies are promises kept. Under the Federal Trade Commission Act, the FTC can block the sale of personal user data if the sale violates posted privacy policies. If an online privacy policy states that user information will not be sold or shared with third parties, the FTC can stop the company from selling the asset to any third party, including a buyer acquiring the entire company. The FTC can also stop the company from selling or sharing the information with a strategic partner. In one famous case, FTC v. Toysmart.com LLC, et al., the FTC sued to prevent a bankrupt Internet company from selling its list of customers to satisfy its debts, because the company's website privacy policy had promised that the information would not be shared with third parties. A settlement was finally reached whereby the company agreed not to sell the list as a stand-alone asset. Companies which ignore the promises made in their posted privacy statements also risk exposure under a breach of contract theory. Many companies neglect to exercise sufficient caution in the wording of their privacy policies, and over-promise the level of confidentiality they will give the personal information of their customers, thus risking their most precious asset, invoking the ire of their customers, or exposing themselves to substantial liability.

Key provisions of an online privacy policy typically include:

1. Description of the personally identifiable information collected. This is a brief summary of the information the company collects that is unique to each user. A good place to start is a list of the fields in the site registration form.
2. Description of what the company may do with the personally identifiable information. This is a statement as to whether or not and under what circumstances the company will disclose personally identifiable information to third parties. Sale or sharing of user lists and other information with third parties should be addressed. To stay out of trouble with the FTC, it should be made clear that the company may sell, transfer or merge particular businesses and their assets (including user lists) to a third party. Special rules may apply if the personally identifiable information relates to children under the age of 13 or includes health information and/or medical records or financial information. How the company plans to comply with those rules is usually outlined in this section of the online privacy policy. Some companies choose to give users an opportunity to "opt-out" of having their information shared with third parties by sending an email or calling a designated telephone number. It is important for the company to consider the administrative costs of such an opt-out provision. If the company includes an opt-out provision it is legally bound to honor it. That means keeping track of individuals who have opted out and making sure their information is not disclosed to third parties.
3. Description of non-personally identifiable information collected. This is a summary of the information the company collects about its users in general, including aggregate information about site usage, traffic patterns and user statistics.
4. Description of what the company may do with non-personally identifiable information. This is a statement describing the circumstances under which the company will disclose non-personally identifiable information to third parties. Laws and regulations are typically less strict about the protection of this kind of information and most consumers are less concerned about non-personally identifiable information.
5. Cookies. This is notification to the user that during use of the site, certain files will be placed on the user's computer hard drive or in memory. It helps put users at ease if the company points out that the company cannot use these cookies to retrieve personal information from the user's computer.
6. Disclaimer about Links. This is a warning to users that the rules change when they leave the company's site. The company is not responsible for the privacy of the information the user submits to linked sites. The privacy of that information is the responsibility of the site to which they have linked.
7. Security Disclaimer. This provision is generally a disclaimer for the company. It is a reminder to the users that while the company uses reasonable efforts to protect the privacy of their information, no server or software is 100% secure.
8. Use of the Site is Acceptance of the Privacy Policy. In order for the terms of the policy to be binding, there must be evidence that the parties agreed to the terms. In the online world, this sometimes takes the form of a "click-wrap" agreement, whereby the user clicks on an "I Agree" button to signify acceptance of contract terms. In many instances, however, companies shy away from such a formality and opt for a less rigorous approach. At the very least, the online privacy policy should assert that use of the website by the user is evidence of acceptance of the terms, the equivalent of a signature.
9. Modification of Online Privacy Policy. The Internet is a rapidly changing environment. The privacy terms that are acceptable today may not be acceptable to the company as its business plan and the market change. To provide room to change the terms of the online privacy policy, a statement should be included making users aware that the online privacy policy may change. Such a provision does not necessarily give a company free reign to insert any terms into the policy at any time, but notice that the policy is not a static document is an important step in preserving flexibility in the way customers and their data are treated in the future.

A company that carefully defines the agreement it intends to strike with users from whom it collects information has gone a long way in protecting itself legally and advancing its standing in the eyes of the market. By incorporating the appropriate provisions discussed in this article and taking into account laws and regulations that may restrict the way data is collected and used, a company with an online presence can walk the fine line between providing less than the market and the law require and promising more than prudence may allow.