by Eric Goldman, Esq.
Cooley Godward LLP
Privacy policies have recently become the drafting project du jour for cyberspace law practitioners. This new wave of enthusiasm can be attributed to at least three recent phenomena.
First, in June, the FTC released a report entitled "Privacy Online: A Report to Congress" <http://www.ftc.gov/reports/privacy3/toc.html>, proposing congressional regulation of the collection of information from children. The associated din from the press has been deafening.
Second, consumers seem to be increasingly aware and concerned about their lack of control over their online private information. Ironically, "off-line" risks (such as from magazines, charities and companies that request warranty registration cards) may be far higher but get far less press.
Beware One-Way Binding Obligations. For reasons that are not entirely clear, most companies that have announced privacy policies are posting the policy to the website but not trying to use industry-standard practices to form an agreement with users. While there remains some doubt about the enforceability of mandatory clickthrough agreements, it remains the preferred way to try to form a user agreement online.
Beware Absolute Guarantees. For maximum marketing benefit, websites like to make absolute statements regarding privacy. However, there are at least 3 unavoidable situations that preclude such guarantees.
First, since no security system is perfect, users’ privacy can be breached by hackers. For example, in 1995 Kevin Mitnick hacked into Netcom and stole a database containing over 20,000 user credit card numbers. Had Netcom promised that these numbers would never be disclosed to a third party, Netcom would have been in breach of its promise.
Second, rogue or malevolent employees can deliberately disclose personal information.
These risks create serious problems for a claim such as "we never willfully disclose individually identifiable information about our customers to any third party without first receiving permission." While a security hack probably does not breach this promise, disclosures by rogue employees and clueless/gullible employees could be a breach.
Beware the ECPA. Many websites are or may be subject to the Electronic Communications Privacy Act (the "ECPA"), 18 U.S.C. §§ 2510-2521 and 2701-2710. Generally, the ECPA regulates the interception of private communications and the accessing and disclosure of stored communications and associated transactional information. The ECPA is a complicated and poorly drafted statute, making compliance difficult, and violations can lead to both civil and criminal remedies. Therefore, entities that might be subject to the ECPA usually attempt to contractually waive application of the statute.
Beware the Kids. To the extent that any trends regarding the protection of user privacy have emerged, we have clearly seen that collection of data from children will be given special attention. In addition to the FTC’s call on Congress to regulate this (as mentioned above), there have been at least 2 well-publicized incidents in this area.
First, in 1997, the FTC considered bringing an enforcement action against KidsCom, a children-oriented website that collected information from children. Although the FTC decided not to bring an enforcement action <http://www.ftc.gov/os/9707/cenmed.htm>, to avoid the enforcement action, KidsCom made the following changes: (a) it emails parents when children register at the site, providing notice of its collection practices, and it gives parents the option to opt out of aggregated information disclosure to third parties, (b) it does not disclose personally identifiable information to third parties without prior parental approval which has been faxed or sent by regular mail, (c) it discloses to users the purposes for which information is collected, and (d) it distinguishes more explicitly between editorial content and advertising.
More recently, the FTC entered into a consent order with GeoCities regarding GeoCities’ collection and use of personal information <http://www.news.com/News/Item/0,4,23130,00.html>. The FTC accused GeoCities of disclosing members’ personal information to third parties in contravention of its stated practices, of failing to disclose how it would use member information (including information from children), and of implying an affiliation with a children's club operated by a GeoCities "community leader" which led children to believe that they were supplying their personal information to GeoCities and not the leader. To avoid further action, GeoCities agreed to: (a) notify users about GeoCities’ information and disclosure practices, (b) provide users the ability to delete their personal information from GeoCities’ databases, (c) clearly identify its affiliation with third parties that may collect information or sponsor activities on GeoCities, and (d) obtain parental consent before collecting and using personal information obtained by children under 13.
While children deserve special protection, effectuating this is problematic for at least 2 reasons.
First, it is impractical to segregate children because there are few good ways to authenticate for age. Most sites do little or no authentication of their users generally, and even fewer authenticate for age (except for the pornography-oriented sites, many of whom now have affiliated with a pay adult verification system such as AdultCheck). As the U.S. Supreme Court stated in 1997, while websites can verify age using a credit card number or an adult password, due to expense and hassle such verification was effectively unavailable to a substantial number of websites. American Civil Liberties Union v. Reno, 117 S. Ct. 2329 (1997). Therefore, in other contexts websites have not been forced by the government to authenticate for age, and it is no more reasonable to do so in the privacy context.
However, as part of a registration process, many websites ask members their age. While this information is not authenticated, users who self-report their age as being below 18 presumably should be given special treatment. Because categorizing users imposes extra costs on the website, some websites will probably choose not to ask users their age to avoid putatively knowing about minors on the site.
Second, children are not capable of forming a legally binding contract. Therefore, while a user agreement may contain restrictions on use by children, under contract law this contract is not enforceable against the child. Ironically, most government entities have sought greater website disclosure directed to children, although presumably these same children cannot enter into a contract that would restrict their behavior on the website.
Beware the Europeans. Although there are few U.S. privacy laws on the books, the European Union has adopted the Council Directive 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data <http://www.privacy.org/pi/intl_orgs/ec/dp_directive_final.txt> (the "Privacy Directive"). The Privacy Directive, scheduled to take full effect in October 1998, places meaningful restrictions on the collection and use of personal data (not just online, but as collected from all sources) and effectively requires express user consent in most situations before websites can legally collect and use such data. Many U.S. companies have chosen not to try to comply with the Privacy Directive, considering themselves outside the scope of the law. However, any company that has a connection to the European Union (such as a physical presence or substantial business in Europe) must consider the effects of the law and, in most cases, should comply with the law enterprise-wide.
To try to mitigate this problem, some sites announce that changes to the policy are automatically effective against users under specified circumstances. As discussed above, this is probably not legally binding against users in the one-way binding situation, and it may not comply with TRUSTe’s rules either.
About the author: Eric Goldman (formerly Eric Schlachter) is an attorney practicing cyberspace law with Cooley Godward LLP, Palo Alto, CA. He also is an adjunct professor of Cyberspace Law at Santa Clara University School of Law. Cooley Godward’s web page is located at http://www.cooley.com, and Eric’s personal home page is located at http://eric_goldman.tripod.com/. Eric can be reached at firstname.lastname@example.org.