A. INTRODUCTION

Recent surveys have indicated that privacy ranks as the most important concern of Internet shoppers. On-line consumers constantly worry about an unknown entity having access to personal information that is beneficial to advertisers and other third parties. Indeed, without careful analysis of the risks of gathering and disseminating customer information, e-businesses can easily find themselves in hot water – with both regulators and customers. However, by providing a safe and secure site for consumers, e-businesses can build and sustain customer trust and loyalty, providing themselves with a competitive advantage.

This week’s discussion will take a look at the pitfalls of collecting and using personal information, and provide recommendations for managing on-line privacy.
B. COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION

Many countries, including the United States, have regulations that govern the collection, use and disclosure of personal information. Cataloguing all of them is beyond the scope of this discussion, but e-businesses as well as more traditional "bricks and mortar" companies should consider the following:
1. FTC’S FAIR INFORMATION PRACTICES

a. PROPOSED LEGISLATION

The FTC has noted that self-regulatory initiatives have, to date, not been effective in providing standardized privacy protection on-line. It has recommended to Congress that it enact legislation that will ensure adequate protection of consumer privacy online.

The proposed legislation will require consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online to comply with four widely accepted fair information practices:

- Notice: Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide choice, access, and security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the Web site.
- Choice: Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
- Access: Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
- Security: Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.
b. CONSENT AGREEMENTS

E-businesses should be aware that there is a trend of increasing FTC involvement in the computer and internet industries. Recent FTC actions have involved investigations of computer and chip manufacturers, such as Gateway and Dell, and direct marketers such as E4L Inc. (formerly known as National Media Corp.), regarding statements these companies have made on their websites. These investigations have resulted, in some cases, in settlement or consent agreements, which do not constitute an admission that the company has violated the law but which typically require the company to pay a fine and to modify its business practices. In addition, when finalized, the consent order carries the force of law with respect to future violations. Each violation of such an order may result in civil penalties.

For example, the FTC had alleged that Gateway had made false statements in advertising its refund policy and its on-site warranty service. Gateway entered a consent agreement with the FTC, under which it agreed to pay a fine of $290,000. Prior to this action, the FTC entered into a similar arrangement with Dell regarding its sales practices.

In the case of E4L Inc., the FTC had charged that E4L had produced and placed deceptive infomercials for the Motor Up Corp., and in so doing had violated a 1993 commission order arising from allegations of deceptive infomercial advertising for other products. The FTC recommended that the department file a proposed consent decree that would provide for an injunction against future order violations and a civil penalty of $100,000.

Comment: It is prudent for a company not only to establish and maintain an appropriate privacy policy, but also to review its advertising and marketing practices, to ensure that they are in compliance with the FTC’s fair information practice requirements.
2. EUROPEAN UNION (EU) DIRECTIVE

The EU Directive provides the most comprehensive legislation to date on the protection of personal data in the online marketplace. The EU Directive provides that:

- When personal data is collected, the subjects must be provided with notice of the processing of their personal information and an opportunity to make decisions about how their personal information is used.
- Generally, when personal data is to be collected from an individual, he or she must be informed of the identity of the "controller" of the data, the purposes for which processing of the data is intended, and any other information that guarantees "fair processing" of the data.
- Individuals have a right of access to such personal data.

Critical provisions for countries doing business with EU member states (including the US) are found in Article 25, which requires member states to permit the "transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer ... only if ... the third country in question ensures an adequate level of protection." An exception applies where the controller of the data demonstrates "adequate safeguards," such as appropriate contractual provisions for protecting the privacy and fundamental rights of individuals.

- The EU member states approved the "safe harbor" data privacy accord in May 2000. It will now be reviewed for approval by the European Parliament and the EU’s executive body.
- The "safe harbor" provisions are intended for use solely by U.S. organizations receiving personal data from the European Union for the purpose of qualifying for the safe harbor and the presumption of "adequacy" it creates.
- Companies that agree to the safe harbor principles of notice, choice, and access must notify consumers of the purpose of data collection. They must also give users access to their personal information and allow them to choose not to share their data with third parties.

Comment: If a company has offices or strategic partners in the European Union, the information exchanged between the company’s offices, or between the company and its strategic partners, will be subject to the provisions discussed above. If the US company does not comply with the safe harbor provisions, or if the data protection provided by the US company is not adequate, it will be in violation of the provisions of the EU Directive and will be subject to the remedies available under the Directive.
3. UNITED KINGDOM DATA PROTECTION ACT

The Act, which came into force on March 1, 2000, requires any business that processes data about living individuals to be registered with the Data Protection Commissioner. Failure to comply with the Act in some instances brings not only civil liability but also criminal liability. Directors and officers may also be held personally liable. The Act also requires that, in processing the data, the business must put in place suitable policies and procedures to deal with data protection compliance and data security.

Entities processing personal data must comply with the following eight principles:

- Data must be fairly and lawfully processed;
- Data can only be processed for limited purposes;
- Data must be adequate, relevant and not excessive;
- Data maintained must be accurate;
- Data must not be kept longer than necessary;
- Data must be processed in accordance with the subject’s rights;
- Data must be maintained securely;
- Data cannot be transferred to countries without adequate protection.

Personal data includes both facts and opinions about the individual. If the information involved is "sensitive personal information" (the subject’s race or ethnic origin, his or her political opinions, religious beliefs, physical or mental health or condition, sexual orientation, and the commission or alleged commission by him or her of any offense and any related proceedings), additional restrictions apply. To process sensitive data, one of the following conditions must have been met:

- There must be explicit consent by the subject;
- The processing must be necessary for exercising or performing any right or obligation conferred or imposed by law on the data controller in connection with employment;
- The processing is necessary to protect the interests of the subject or another person;
- The processing is necessary for the purpose of, or in connection with, legal proceedings;
- The processing is necessary for the administration of justice;
- The information has been made public due to acts taken by the subject;
- The processing is necessary for medical purposes and is undertaken by a health professional.

Comment: The concerns expressed above regarding European Union offices and strategic partners are equally applicable to the UK because of this Act. In particular, it is important to note that "sensitive personal information" about employees may be covered by the UK Act. Hence, if employee information is collected or processed in the UK, compliance with the more stringent requirements of the Act may be necessary, including obtaining explicit consent from the employee.
4. CANADA'S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

The Act, which will become effective on January 1, 2001, applies both online and offline to personal information that (i) an organization collects, uses or discloses in the course of commercial activities, or (ii) is about an employee of an organization and that it collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

The Act requires that an organization obtain the consent of the individual to collect, use or disclose his/her personal information for commercial activities. The subject should be the source of his/her own personal information, unless he/she agrees otherwise or under certain restricted circumstances.

An organization must provide the personal information subject with a right of access to and correction of his/her personal information, and must protect such information with appropriate safeguards.

Comment: It is important to note that the Canadian Act applies not only to information collected during the course of conducting business, but also to information about an employee.
5. UNITED STATES - CHILDREN'S ONLINE PRIVACY PROTECTION ACT

This is the first federal law in the United States that governs privacy in cyberspace. It became effective on April 21, 2000.

The Act requires that:

- all websites that gather personal information from children under 13 have clearly posted privacy policies stating how that data is used;
- websites obtain "verifiable" parental consent before gathering any information;
- websites use reliable methods of getting consent from parents, such as postal mail, fax, credit-card numbers or tamper-resistant "digital signatures", before children can participate in chat rooms or give personal information that will be made available to third parties;
- for information that is used internally by the web site that collects it, operators may accept a simple e-mail from a parent, as long as the companies take additional steps to confirm the parent’s identity, such as a follow-up e-mail message or telephone call.

Comment: It may be difficult to verify that a parent has given consent, even under the guidelines provided by the Act. The "parent consent" provided via e-mail may have been sent by the minor or a friend. Other methods of getting parental consent, such as postal mail, fax, credit card number verification and tamper-resistant "digital signatures", may likewise be duplicated, albeit with a little more difficulty.

Suggestions for companies that do not market to users under 13:

- request that all visitors to their site who are under 13 not disclose or provide any personal information on the web site;
- if the company discovers that a child under the age of 13 has provided such information, immediately delete the child’s personal information;
- indicate that the company does not provide any personally identifying information from its visitors under 13, regardless of its source, to any third party, for any purpose;
- indicate that the company does not allow visitors under 13 to be listed in any member directory, to receive direct marketing communications from the company, or to be sent third-party offers.
C. ADDITIONAL PITFALLS - LINKS

Links to other sites from a company’s web page can take users to sites that are beyond the company’s control. This includes links from advertisers, sponsors, and strategic partners that may include the company’s logo as part of a co-branding or co-marketing agreement. These sites may collect information or solicit personal information from users directed to their sites.

A company should post a disclaimer or notice regarding such situations, indicating that the company cannot guarantee the security and/or privacy of any information users disclose while visiting other sites.
D. GROUND RULES FOR MANAGING PRIVACY

1. Establish a privacy policy and ensure that it is followed. Make sure that the policy is easy to understand and highlight the policy in all customer interactions.
2. Do not ask for more private information than you need.
3. Tell site visitors what information about them will be stored and state what the information will be used for.
4. Provide visitors with reasonable access to information collected about them, including a reasonable opportunity to review and correct the information.
5. Give individuals the opportunity to exercise choice regarding how information collected may be used when such use is unrelated to the purposes for which the information was collected. Provide the user with the ability to opt out of allowing you to share information with other parties.
6. Associate your site with an organization that certifies Web sites and the business and audit processes behind them.
7. State whether the company intends to pass on the information to third parties.
8. Take reasonable precautions to protect personal information from loss, misuse or alteration.
9. Take appropriate measures to assure that personal information is accurate, complete and timely for the purposes used.
10. Determine if you are doing business or if you have strategic partners in foreign countries. If so, make sure that you comply with their information protection laws.
11. If your site markets to users under 13, make sure that you obtain parental consent before gathering information about them.
12. Post a disclaimer or notice regarding links to other web sites that are beyond your company's control.
E. CONCLUSION

Doing business online involves providing the customer with a positive experience. A company that understands and addresses its customers’ privacy concerns will win the loyalty of online shoppers. The starting point for doing business online is to be clear about the relationship that your company is looking to build with its customers. Once that is established, customers will feel at ease transacting business online.