Internet privacy is one of the top policy issues facing Congress, state legislatures and regulators. At the federal level, several bills are pending. Additionally, a growing number of state legislators have concluded that industry self-regulation fails to protect consumers' online privacy. The National Association of Attorneys General has issued a report on the subject that recommends new national legislation that preempts state law enforcement efforts and imposes an opt-in paradigm. Internet companies, as well as brick and mortar companies operating online, face a bewildering range of scrutiny of their online data collection and disclosure practices. This survey summarizes the major privacy issues as they stand in Q1 2002.
To date, regulators have primarily been concerned about deceptive privacy practices, specifically:
Both the Federal Trade Commission ("FTC") and state Attorneys General ("AGs"), individually and often collectively, have pursued actions against companies that have engaged in such deceptive practices. There have also been many law suits filed by private parties.
To avoid such allegations, privacy polices should disclose:
The Children's Online Privacy Protection Act ("COPPA") and the implementing FTC trade regulation rule require that a Web site that collects information from children under thirteen must generally:
The Gramm-Leach-Bliley Act of 1999 ("GLBA") governs the collection and dissemination by "financial institutions" of consumers' "non-public personal financial information." Under GLBA and the FTC's implementing trade regulation rule, "financial institutions" (generally, companies that issue credit) must:
The following principles, proposed by the Network Advertising Initiative ("NAI") and endorsed by the FTC, apply to the merging of consumers' personal information with cookies or other data that provide information on consumers' online habits:
Employers must be aware of restrictions on monitoring employee e-mail and Internet use, and the provisions of the Electronic Communications Privacy Act ("ECPA"), which prohibit unauthorized use, disclosure or interception of electronic communications. Generally, an employer may intercept electronic communications if:
Employers are advised to reduce their risk of liability for monitoring employee e-mail usage by requiring all employees to acknowledge and sign an e-mail and Internet use policy. Employers can also reduce their risk of liability for defamation, transmission of obscene materials, sexual harassment, and discrimination committed by employees on workplace computers by requiring compliance with such a policy.
In addition, employers should be mindful of a recent California statute, which requires businesses to ensure the privacy of a customer's personal information contained in records by destroying or arranging for the destruction of the records by shredding, erasing or otherwise modifying the customer record to make information contained therein unreadable or undecipherable through any means. See CA CIVIL CODE §§ 198.80-198.82. Failure to comply with this statute could make an employer liable for damages, injunctive relief or other remedies. Id. This statute will likely apply to employers that monitor their employees' e-mail usage because they inevitably become privy to and collectors of their employees' personal information contained in electronic communications.
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and HHS's implementing trade regulation rule ("HIPAA Rule") generally:
HIPAA and the HIPAA Rule may also affect employers - not just health care providers - because employers often offer health benefits to employees, and data related to such benefits is included under the law.
Section 222 of the Telecommunications Act of 1934, codified at 47 U.S.C. § 222, provides protection for certain personal information collected by telecommunications carriers about their customers. Specifically, carriers must obtain their subscribers' "approval" before using or disclosing "customer proprietary network information" ("CPNI") for any reason other than providing or billing for the type of telecommunications service from which the CPNI was derived.
CPNI is defined as "information that relates to the quantity, type, destination and amount of use of a telecommunications service" that carriers receive as a result of their relationship with subscribers. Thus, for example, CPNI includes the telephone numbers called by subscribers and the length of such calls. CPNI excludes subscribers' name, address and telephone number; aggregate, non-personally-identifiable information; and data from other sources such as non-telecommunications services and data purchased from third parties.
In its implementing rules, the FCC took the position that "approval" means affirmative, opt-in consent following consumers' receipt of notice of their rights to CPNI data. In 1999, however, the Tenth Circuit Court of Appeals vacated the FCC's rules, holding that the requirement of an affirmative, opt-in consent violated the First Amendment to the United States Constitution by restricting protected commercial speech.
The FCC has not yet acted on remand, but it has stated publicly that it will continue to enforce the remainder of Section 222, such as the requirement that telecommunications carriers at least provide consumers with notice and a means of opting out of the use or disclosure of their CPNI information.
In the international arena, the European Union ("EU"), the Organization for Economic Cooperation and Development ("OECD"), Canada, Hong Kong and New Zealand, among others, have taken steps to restrict data collection and, particularly, transborder flow of personal data. The EU Directive particularly affects United States ("U.S.") companies because the EU has determined that U.S. privacy protections did not provide an adequate level of protection, and therefore member states must prohibit transfer of data to U.S.-based companies. In order to allow U.S.-based companies to avoid regulation, companies may self-certify under the Safe Harbor agreement negotiated by the U.S. Department of Commerce ("DOC") or make use of EU-approved contract clauses. The other international initiatives also focus on security, and the familiar requirements of notice to consumers, choice provisions, and access. Additionally, Canada's new laws impose limitations on use ("that which is reasonably necessary"), accuracy, and retention of data.
Internet companies generally engage in deception by either: (1) failing to abide by their stated privacy policies; or (2) failing to disclose certain data collection that occurs at their Web sites. At both the federal and state levels, regulators are increasingly bringing actions for deceptive misuse of consumer information.
In its first online privacy case, the FTC charged GeoCities with:
ii. FTC v. Toysmart.com: Sale of Customer Data in Connection with Bankruptcy Proceedings.
The FTC alleged that Toysmart.com violated the FTC Act when it promised in its privacy statement to never share information collected from consumers with a third party, and then, in connection with its bankruptcy proceedings, offered the information for sale to a third party.
The FTC shed light on its view of how customer data collected with a promise never to share it with third parties should be handled in bankruptcy. The sale of customer data, as part of a bankrupt company's assets, may only be sold to a qualified buyer (generally an entity that is in the same business as the seller) that is approved by the bankruptcy court. The qualified buyer must agree to treat the customer information in accordance with the seller's privacy statement. In addition, if the qualified buyer makes any material change to the privacy statement, the change:
iii. FTC Online Pharmacy Cases: Misrepresenting Security of Personal Information.
In May 2000, the FTC obtained settlements with several corporations and individuals engaged in promoting online pharmacies. The FTC alleged that the Web sites misrepresented the security and encryption used to protect consumers' information and that the defendants used information in a manner contrary to their stated purpose.
i. Combined State Action: DoubleClick: Failing to Disclose Use of Cookies.
New York, Connecticut, Vermont and Michigan have investigated DoubleClick's use of the Abacus Direct database to allegedly tie together consumers' online habits with personally-identifiable information, in spite of DoubleClick's promise not to merge these types of data.
ii. Illinois: Clearstation and DoubleClick: Failing to Disclose Duration and Use of Cookies.
The Cook County State's Attorney filed suit against Clearstation and DoubleClick regarding its allegations that the companies misrepresented the duration of cookies, failed to disclose third-party cookies and misrepresented that cookies do not collect personal information. In the case of DoubleClick, the cookies that were sent appeared to contain only generic information about consumers, but according to the allegations in the State's Attorney's Complaint, the cookies actually contained lengthy information in an alphanumeric data stream.
iii. Missouri: More.com: Misrepresenting Promises not to Share Information.
Missouri's Attorney General filed suit against Internet health and beauty retailer More.com, charging that the company violated its stated privacy policy by sharing customer data with a third party. More.com's privacy policy states the company "does not give, sell or rent your personal information to third parties for purposes other than fulfilling your request." The Missouri Attorney General alleged that this statement is false because a third party solicited a state agent who provided More.com with personally-identifying information.
iv. New Jersey: Toys "R" Us, Inc.: Undisclosed Sharing of Information with a Third Party Agent.
The New Jersey Attorney General and Division of Consumer Affairs Department recently reached a settlement with Toys R Us that requires the company to pay a $50,000 fine and change its privacy policy. Toys R Us was investigated after sharing information collected through cookies with third party marketer, Coremetrics. As part of the settlement, all data that was transferred to Coremetrics must either be returned to consumers or destroyed.
The New Jersey Attorney General and the Division of Consumer Affairs filed suit against Internet service provider DirectWeb, Inc., charging, among other things, that the company violated its privacy policy by selling its customer data to a third party without obtaining customer consent. DirectWeb's privacy policy states that it will not share personal information with third parties.
vi. New York: InfoBeat: Misrepresenting Promises not to Share Information with Third Parties.
The New York Attorney General obtained a settlement with e-mail service provider InfoBeat regarding allegations that InfoBeat violated its privacy policy by disclosing confidential information about its customers to advertisers. The privacy policy states that InfoBeat will not share personally identifiable information with third parties.
The Electronic Communications Privacy Act ("ECPA") (18 U.S.C. § 2511 (2000), available at http://www4.law.cornell.edu/uscode/18/ch119.html) prohibits the unauthorized use, disclosure, or interception (whether through an electronic, mechanical or other device) of any wire, oral, or electronic communication. 18 U.S.C. § 2511(1) (2000). In addition, any person or entity that provides an electronic communication service to the public is forbidden from intentionally divulging the contents of any communication to anyone other than the intended recipient or an agent of the intended recipient while that communication is being transmitted. Id. § 2511(3)(a). There are several exceptions to these prohibitions. Id. §§ 2511(2)(a)-(h) and (3)(b)(i)-(iv). In particular, if a party to the communication provides consent, the communication may be intercepted or divulged. Id. §§ 2511(2)(d) and (3)(b)(ii). It is also important to note that the ECPA forbids unauthorized access to stored electronic communications. Id. § 2701. Subject to certain exceptions discussed below under Section III, the ECPA provides protection for employees that do not wish to have their employers access their electronic communications.
The Electronic Funds Transfer Act ("EFTA") (15 U.S.C. § 1693(c) (2000), available at http://www4.law.cornell.edu/uscode/15/ch41.html) requires a financial institution to provide a consumer with the terms and conditions associated with their electronic fund transfers at the time the consumer contracts for an electronic fund transfer service. 15 U.S.C. § 1693(c) (2000). The terms and conditions must include several items, including a statement setting forth under what circumstances the financial institution will disclose information concerning the consumer's account to third parties. Id. § 1693(c)(9). The financial institution must also provide a consumer with written documentation at the time he/she initiates an electronic transfer, which must contain the amount, date, and type of transfer; the identity of the consumer's account with the financial institution from which or to which the funds are transferred; the identity of any third party to whom or from whom the funds are transferred; and the location or identification of the electronic terminal involved. Id. § 1693(d).
The Computer Fraud and Abuse Act ("CFAA") (18 U.S.C. § 1030 (2000), available at http://www4.law.cornell.edu/uscode/18/1030.html) prohibits:
A "protected computer" is defined as a computer that is used by or for a financial institution or the United States Government or that which is used in interstate or foreign commerce or communication. Id. § 1030(e)(2). The terms of the CFAA are extremely important, because as seen in the six class action cases against DoubleClick, plaintiffs have raised challenges that the transmission of "cookies" constitutes intentional and unauthorized access to a protected computer.
On June 6, 2000, several class action lawsuits brought against Amazon.com's subsidiary, Alexa Internet, were consolidated in the United States District Court for the Western District of Washington. The lawsuits alleged that Amazon.com's Alexa Internet Software gathered consumers' personal information in violation of its privacy policy by "shadowing" consumers' Internet activities to collect the consumers' names, home addresses, e-mail addresses, URLs from visited Web sites, personal information entered on those Web sites, and information regarding online purchases (including credit card information). On April 23, 2001, Judge Marsha J. Pechman vacated the trial date for the consolidated cases after the case settled. As part of the settlement, Alexa Internet will pay up to $40 to each class member whose personally identifiable information is found in the company's database. The total payment may not exceed $1.9 million.
v. DoubleClick: Failing to Disclose Use of Cookies.
On May 10, 2000, eleven federal class action lawsuits brought against DoubleClick, Inc. ("DoubleClick"), were consolidated in the United States District Court for the Southern District of New York. Subsequently, two other federal class action lawsuits brought against DoubleClick were also added to the consolidation for pretrial proceedings, bringing the total to thirteen. The members of the classes had sued DoubleClick to challenge its use of "cookies" as well as its use of the Abacus Direct database to match users' personal information with their Internet surfing habits.
On March 28, 2001, Judge Naomi Reice Buchwald dismissed the federal claims brought by the class members, finding that (1) the Electronic Communications Privacy Act ("ECPA") does not apply to conduct authorized by "users," and that because DoubleClick's affiliated Web sites - not the individual consumers - constituted the "users," their authorization met the ECPA's requirements; (2) the Wiretap Act does not apply because only one party's consent is necessary to access a communication, and DoubleClick's affiliated Web sites, which were parties to the communications, gave the necessary consent to DoubleClick; and (3) the Computer Fraud and Abuse Act does not apply because the individual class members could not prove that they had each suffered $5,000 in damages, and the $5,000 threshold may only be aggregated if the conduct at issue consists of a single act. Judge Buchwald also dismissed the state claims brought by the class members for lack of jurisdiction.
On June 11, 2001, Judge Lynn O'Malley Taylor of the Superior Court of California in Marin County, denied DoubleClick's demurrer in the class action lawsuit Judnick v. DoubleClick. This lawsuit also challenged DoubleClick's alleged failure to disclose its use of cookies. In denying DoubleClick's demurrer, Judge Taylor determined, among other things, that the plaintiffs' allegations were sufficient to show a serious invasion of privacy, in violation of the California Constitution.
vi. Real Networks: Transfer of Personal Information to Third Parties Without Consent
Six class action lawsuits have been filed against RealNetworks alleging that the company collected plaintiffs' personal information for its own use and/or transferred that information to third parties without plaintiffs' consent in violation of the ECPA and other federal and state statutes.
Internet companies have been accused of engaging in deceptive practices by failing to disclose that they are sharing consumers' personal information with third parties, or by planting cookies, Web bugs, and spyware to track consumers' Internet activities.
The State of New York obtained a settlement with Chase Manhattan Bank and resolved its concerns regarding the Bank's alleged undisclosed sharing of consumers' personal information with third party marketers.
Thirty-eight states and the District of Columbia announced a settlement with U.S. Bank in connection with their allegations that the bank sold its customers' personal and confidential financial information to telemarketers without disclosing this practice.
iii. New York: Alta Vista: Undisclosed Transfer of Consumers' Personal Information to Third Parties
The New York Attorney General obtained a settlement with Alta Vista that requires the company to pay $70,000 in penalties, and to inform consumers in the future if, and with whom, it intends to share their collected personal information. The New York Attorney General had investigated Alta Vista after it learned that the company had transferred personal information to Internet marketers in violation of its privacy policy. Alta Vista maintained that it was not aware of the transfer, which resulted from a technical flaw in its online Yellow Pages Directory.
i. Chance v. Avenue A, Inc.: Failing to Disclose Use of Cookies.
Plaintiffs brought a class action against Avenue A as a result of Avenue A's alleged undisclosed placement of cookies on users' computers, which allowed Avenue A to track users' Internet activities and compile personal information for commercial purposes.
ii. Rivera v. MatchLogic: Failing to Disclose Use of Cookies.
Plaintiffs filed a class action law suit to challenge the advertising network's alleged use of cookies.
iii. Dearman v. Toys "R" Us, Inc.: Undisclosed Sharing of Information with Third Party Agent.
Plaintiffs brought a class action against Toys "R" Us, Inc., Toys "R" Us.com and Coremetrics, Inc., alleging that Toys "R" Us.com collected confidential information in an unauthorized manner and disclosed the information to Coremetrics.com - an agent working for the defendants - in contravention of Toys "R" Us.com's privacy policy.
iv. Stewart v. Yahoo: Undisclosed Use of Cookies.
A class action is pending that challenges Yahoo's Broadcast.com's alleged undisclosed use of cookies. By using these cookies, the Defendants were able to obtain confidential information from consumers without their awareness or consent.
The controversial use of "spyware" has prompted consumer complaints, lawsuits and proposed legislation to regulate its use. "Spyware" refers to those programs that are incorporated into consumer software to secretly trace consumers' Internet activities. By using spyware, Internet companies are able to collect and transmit consumers' personal information, without consumer awareness, to advertisers in exchange for more advertising.
See http://www.zdnet.com/zdhelp/stories/main/0%2C5594%2C2612053%2C00.html.
Senator John Edwards (D) of North Carolina has proposed legislation, the "Spyware Control Act," that would require software manufacturers to clearly and conspicuously notify consumers at the time of installation that their products include spyware. See http://grc.com/spywarelegislation.htm. Under this proposed legislation:
The bill would exempt any spyware that is used to gather information that would only be used to provide technical support for the software, or to determine if the user is a licensed user of the product.
i. eGames, Inc.: Undisclosed Use of Spyware.
The Michigan Attorney General announced that it settled its dispute with eGames, Inc., a software vendor that failed to provide adequate warning that some of its gaming software contained spyware that allegedly enabled third parties to covertly interact with eGames' customers' computers and monitor the customers' browsing behaviors at the eGames Web site. As part of the settlement, eGames, Inc., agreed not to produce software that contains spyware, to obtain consumers' consent before collecting their personal information and to provide a privacy policy on its Web site that discloses how it uses customer data. In addition, eGames has developed a free software "patch" to remove existing spyware from its consumers' computers.
Plaintiffs filed a class action against Netscape and AOL, which alleged that AOL illegally tracks Internet users by using Netscape's SmartDownload software (distributed to users of Netscape's Communicator software) to secretly monitor downloads of .exe and .zip files from websites.
iii. Radiate: Undisclosed Use of Spyware.
Radiate, a company that develops technology for incorporating ad-banners in third party software, agreed to settle a class action lawsuit that charged the company with creating spyware and not disclosing its privacy practices. As part of the terms of the settlement, Radiate agreed to post a privacy notice on the home page of its Web site that discloses how its ad-serving technology works and pay attorney fees.
In April 2000, the FTC issued its final Children's Online Privacy Protection Rule (the "COPPA Rule") for implementing The Children's Online Privacy Protection Act ("COPPA"). COPPA establishes legal requirements for collecting information from children, including the need for disclosure and consent.
Rule: http://www.ftc.gov/os/1999/9910/64fr59888.pdf
Business Guides: http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm
The Federal Trade Commission's ("FTC") trade regulation rule implementing COPPA (the "COPPA Rule") sets forth in detail (1) how an operator of a web site directed to children must provide online notice of its privacy practices with respect to the treatment of information collected from children under 13 years of age, (2) what information an operator must include in its online notice, (3) how an operator must notify parents of children under 13 of its privacy practices, and (4) what information an operator must include in the parental notice. See 16 C.F.R. § 312.4.
i. The Children's Privacy Notice
Operators of web sites directed to children must provide a link to a COPPA-compliant privacy notice on the home page of web sites targeted to children or from which they knowingly collect personal information from children, and on each web page where personal information is collected from children. These links must be clearly labeled and placed in close proximity to each request for personal information. See 16 C.F.R. § 312.4(b)(1).
The COPPA Rule requires operators of covered web sites to include specific information in their children's privacy notices, including:
See 16 C.F.R. § 312.4(b)(2).
Operators of web sites directed to children must make reasonable efforts to ensure that parents of children under 13 receive notice of the operators' practices with regard to the collection, use, and disclosure of children's information, as well as notice of any material changes to information practices to which parents previously consented. See 16 C.F.R. § 312.4(c).
The COPPA Rule further requires operators to include specific information in their parental notices, including:
See 16 C.F.R. § 312.4(c)(1).
b. Verifiable Parental Consent
The COPPA Rule further provides that operators of covered web sites directed to children must obtain verifiable parental consent ("VPC") before collecting, using, and/or disclosing personal information from children, subject to certain exceptions. See 16 C.F.R. § 312.5. Operators must also obtain VPC to any material change to their collection, use, and/or disclosure practices to which the parent previously consented. See 16 C.F.R. § 312.5(a)(1). Parents must also be given the option to consent to the collection and use of their child's personal information, without consenting to disclosure of their child's personal information. See 16 C.F.R. § 312.5(a)(2).
i. Exceptions to Obtaining VPC
Operators do not need to obtain VPC under the following circumstances:
See 16 C.F.R. § 312.5(c).
ii. Mechanisms for Obtaining VPC
The COPPA Rule provides a "sliding scale" that allows operators to use different mechanisms to obtain VPC based on how they intend to treat information collected from children under 13. If operators intend to collect information from children under 13 and to disclose that information to third parties, they must use a heightened mechanism for obtaining VPC. The FTC assumes that this disclosure presents a heightened risk to children. These methods include:
See 16 C.F.R. § 312.5(a)(2).
If, however, an operator only intends to use collected information for internal purposes, such as to monitor its web site and market back to children based on their preferences, the operator may obtain VPC via e-mail, provided that it takes certain additional steps to ensure that the person providing consent is the parent. See 16 C.F.R. § 312.5(a)(2).[1] The approved additional steps include sending a confirmatory e-mail to the parent following receipt of the consent, or obtaining a postal address or telephone number from the parent and confirming consent by letter or telephone call. See 16 C.F.R. § 312.5(a)(2).
Before the COPPA Rule was implemented, the FTC addressed children's privacy in a lawsuit against Liberty Financial Companies, Inc., the operator of the Young Investor Web site. The FTC alleged that the Web site falsely represented that personal information collected from children in a survey would be maintained anonymously. The FTC alleged that Liberty Financial did not maintain the information it collected via the survey anonymously and that it maintained information about the child and the family's finances in an identifiable manner.
Following enactment of the COPPA Rule, the FTC settled a case against Toysmart.com. Toysmart.com was an online toy retailer that collected family profiles, including the names and birth dates of children, which triggered application of COPPA. Toysmart.com promised in its privacy statement to never share information collected from consumers with a third party. However, the company subsequently filed a motion in bankruptcy court seeking to sell its assets, including its database of personal information.
The FTC charged that selling the database would constitute a violation of COPPA because Toysmart.com collected names, e-mail addresses, and ages of children under thirteen without notifying parents or obtaining parental consent. The FTC demanded that Toysmart.com be prohibited from selling the database as a stand-alone asset, but agreed to allow its sale within one year to a "qualified buyer" that agrees to the terms of the original privacy policy.
In April 2001, the FTC announced settlements with three Web site operators charged with violations of COPPA. The FTC charged Monarch Services, Inc. and Girls' Life, Inc.,[2] operators of www.girlslife.com; Bigmailbox.com,[3] operator of www.bigmailbox.com; and Looksmart Ltd.,[4] operator of www.insidetheweb.com, with collecting personally identifiable data from children under the age of 13 without parental consent. As part of the settlements, the companies were required to pay a total of $100,000 in civil penalties, comply with COPPA in connection with any future online collection of personally identifiable data from children under the age of 13, and delete all personally identifiable data collected online from children since the effective date of the COPPA Rule.
In October 2001, the FTC announced a settlement with Lisa Frank, Inc., maker of popular girls' toys and school supplies that the company advertised and sold at the Web site www.lisafrank.com. In its complaint, the FTC alleged that the company failed: (1) to provide notice to parents that it wished to collect information from their children; (2) to obtain parental consent for the collection of their children's information; and (3) to accurately disclose in its privacy policy the company's information collection, use and disclosure practices. As part of the settlement, Lisa Frank, Inc. is required to pay a civil penalty of $30,000 and is prohibited from violating the provisions of COPPA.
In December 2000, Congress passed the Children's Internet Protection Act. The Children's Internet Protection Act requires public schools to use filtering technology to block a minor's ability to obtain Internet access to images and pictures that are obscene, harmful to minors, or which constitute child pornography. Public schools that do not use filtering services will not qualify for federal money for Internet endeavors.
[1] The FTC's "sliding scale" approach, which enables operators who only use collected information from children for internal purposes, is set to expire on April 21, 2002. The FTC, however, has proposed to extend the time-frame for the "sliding scale." For more information on the FTC's proposal, please visit http://www.privacylawplaybook.com/documents/PRIV_COPPA_Article.htm.
[2] United States v. Monarch Services, Inc. and Girls' Life Inc., Civil Action No. AMD 01 DV 1165 (D. Md. Apr. 2001).
[3] United States v. Bigmailbox.com and Nolan Quan, Civil Action No. 01-605-A (E.D. Va. Apr. 2001).
[4] United States v. looksmart, Ltd., Civil Action No. 01-606-A (E.D. Va. Apr. 2001).
The Fair Credit Reporting Act ("FCRA") governs the use of consumer reports, which are defined as:
any written, oral or other communication of any information by a consumer reporting agency [1] bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which [2] is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for --
(A) credit or insurance to be used primarily for personal, family, or household purposes;
(B) employment purposes; or
(C) any other purpose authorized under Section 1681b of this title (listing "permissible purposes" for use of consumer reports).
These "permissible purposes," as set forth in Section 1681b of the FCRA, allow a consumer reporting agency to furnish a consumer report:
It should also be noted that the D.C. Circuit's decision in Trans Union Corp. v. FTC, 245 F.3d 809 (D.C. Cir. 2001), may result in a more expansive interpretation of the FCRA by the FTC and the courts, as the court reaffirmed its statement in an earlier opinion that the statutory terms "personal characteristics" and "mode of living" could be interpreted to include almost anything about consumers.
The Gramm-Leach-Bliley Act ("GLBA") imposes three general privacy obligations: (1) providing a notice of a financial institution's non-public personal information handling practices; (2) providing individuals with the right to opt out before information can be shared with non-affiliated third parties for a non-exempted purpose; and (3) instituting data security and integrity mechanisms to protect non-public personal information. The GLBA directed the FTC and other federal agencies with jurisdiction over "financial institutions" to develop rules to implement these requirements. The FTC announced its final trade regulation rule implementing the GLBA in May 2000 (the "GLBA Rule"); full compliance with the rule was required by July 1, 2001.
a. Who and what are covered by the GLBA Rule?
The GLBA Rule regulates financial institutions, which generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information. The FTC's GLBA Rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.
The GLBA Rule protects "non-public personal information," which the FTC has broadly defined to include all information a financial institution obtains from consumers in connection with providing a financial product or service that is not publicly available.
b. What is required under the GLBA Rule?
Regardless of whether financial institutions are engaged in information sharing, the GLBA Rule requires financial institutions to provide an understandable notice of their privacy practices, including their basic handling of "non-public personal information," to their customers (defined as those who purchase a financial product or service from or through a financial institution, which is to be used primarily for personal, family, or household purposes[5]) when the customer relationship is established, and at a minimum on an annual basis thereafter. A privacy notice must also be provided to all consumers (defined as all customers and non-customers who have submitted personal information to a financial institution relating to a financial product or service), if the financial institution is going to share that information with a non-affiliated third party for a non-exempted purpose.[6]
Although the GLBA Rule does not require financial institutions to have a particular type of privacy policy, they must provide the following information in their privacy notices in a clear and conspicuous manner:
Financial institutions may freely share consumers' non-public personal information with affiliates or with non-affiliate third parties for an exempted purpose. (It should be noted, however, that to the extent that "financial institutions" under GLBA also meet the definition of "consumer reporting agencies" under the Fair Credit Reporting Act, they would be required to offer consumers an opt-out of the sharing of certain information with affiliates.)
Before disclosing non-public personal information about any consumer to a non-affiliated third party for a non-exempted purpose, the financial institution must notify the consumer and give the consumer the ability to opt-out of this disclosure. It is important to note that the GLBA Rule prohibits non-affiliated third parties from re-disclosing non-public personal information obtained from financial institutions, unless they are otherwise permitted by law to do so, or unless the financial institution would, itself, be permitted to do so.
iii. Exceptions For Joint Marketers And Service Providers
The GLBA Rule provides that financial institutions need not comply with the opt-out requirements when they provide nonpublic personal information to certain third-party service providers and joint marketers, if they provide these third parties with an initial privacy notice and enter into a contractual agreement with them that prohibits them from disclosing or using the information other than for the purposes specified in the contract.[7]
In addition, financial institutions do not need to comply with the notice and opt-out requirements for service providers and joint marketers to whom they disclose non-public personal information (1) in order to service or process transactions or accounts at consumers' requests; and (2) who are necessary to effect, administer or enforce such transactions.[8] There are other cases in which financial institutions will not have to comply with the notice and opt-out requirements for service providers and joint marketers with whom they share non-public personal information, including if: (1) they have the consent of the consumer; (2) they are doing so in order to protect the confidentiality or security of their records; (3) they are doing so to protect against fraud; (4) they are doing so in connection with a sale, merger, or transfer of all or a portion of their business; (5) they are doing so to resolve consumer disputes or inquiries; and (6) they are doing so as required by law.[9]
Any financial institution that collects or maintains non-public personal information must institute measures for protecting the security and integrity of that information. The banking regulatory agencies have issued security guidelines pursuant to GLBA. The FTC is likely to issue similar guidelines for "financial institutions" under its jurisdiction.
The GLBA requires the FTC and other federal agencies [10] to create standards regarding the administrative, technical, and physical security measures for customer information. Specifically, the GLBA instructs the FTC and these other agencies to create security standards [11] that:
On July 30, 2001, the FTC announced its proposed Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information ("Proposed Security Standards"). [12] The FTC's Proposed Security Standards apply not only to all "financial institutions," which the FTC has interpreted extremely broadly, but also to financial institutions' affiliates that handle or maintain the customer information, and would require "financial institutions" to establish a comprehensive, written information security program.[13] Comments on the FTC's proposal were due by October 9, 2001.
Specifically, under the FTC's proposal, financial institutions would be required to:
The detailed FTC proposal lies in stark contrast to a similar rule issued by the SEC under GLBA. The SEC's financial privacy safeguards rule, Regulation S-P, [14] does not mandate exact procedures to ensure security of consumers' personal information, but rather allows companies subject to the SEC's jurisdiction under GLBA to adopt their own procedures, provided that they are reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer, as required under GLBA.
The FTC sought comments on its Proposed Security Standards from businesses, professional associations, consumers, and others. Comments were due by October 9, 2001. The requests for comment likely to generate the most responses are printed below:
In October 2001, the FTC announced that Triad Discount Buying Services Inc., its affiliated companies and their operator, Ira Smolev, had settled charges brought by the FTC and state Attorneys General that they had misled consumers into purchasing trial buying club memberships and obtained consumers' credit card information from telemarketers without consumers' knowledge or consent. As part of the settlement, the defendants are prohibited from obtaining consumers' billing information from third parties or disseminating this information without permission.
b. Sears, Roebuck and Co.: Alleged Unauthorized Sale of Customers' Credit Card Data To Third Party
Two Sears credit card holders have filed suit against Sears in Cook County Circuit Court, alleging that the company sold their credit card data in violation of its privacy policy. Sears maintains that it sold the information to direct marketing firm Memberworks, Inc., and that the sale was not a violation of its privacy policy because Memberworks is a licensee of Sears and therefore a "member of the Sears family of business." The plaintiffs are seeking class action status.
In November 2001, the FTC announced that New Millennium Concepts, Inc., d/b/a rhinoPoint, and its principal Karl V. Kay had settled charges that the company violated Section 5 of the FTC Act by collecting, using, and disclosing personal information, including credit card information, obtained through misrepresentations. In its complaint the FTC alleged that New Millennium promised that consumers who signed up as members of rhinopoint.com, paid an initial set-up fee, and disclosed personal information by completing a member form would receive monthly marketing surveys and be reimbursed for monthly Internet access charges. The FTC maintained that New Millennium did not provide the surveys or reimburse the charges as promised. As part of the settlement, New Millennium agreed not to collect, use, or disclose personal information obtained through misrepresentations and, within 30 days, to delete or destroy the information it had already collected.
The Minnesota Attorney General recently filed suit against Fleet Mortgage Corp., charging that the company violated its privacy policy by disclosing names, contact information, and mortgage information to telemarketing firms, thereby exceeding its promise to provide only the minimum amount of information necessary for a company to offer its product or service to Fleet customers. These telemarketing firms then used the pre-acquired account information to telemarket free trial offers to Fleet customers, and informed these customers that a monthly fee would be added to their mortgage accounts if they did not affirmatively cancel the offer during the trial period. The case is currently in litigation in Minnesota district court.
[5] A notice need not be given to individuals or companies that obtain products or services for business, commercial, or agricultural purposes.
[6] If the financial institution does not intend to share the personal information of these individuals (who are not customers because there is no established customer relationship) with a non-affiliated third party for a non-exempted purpose, then no privacy notice need be provided.
[7] See 65 Fed. Reg. 33686 (May 24, 2000).
[8] See 65 Fed. Reg. 33686-33687 (May 24, 2000).
[9] See 65 Fed. Reg. 33687 (May 24, 2000).
[10] The other federal agencies that must establish these standards include: the Office of the Comptroller of the Currency ("OCC"); the Board of Governors of the Federal Reserve System ("Board"); the Federal Deposit Insurance Corporation ("FDIC"); the Office of Thrift Supervision ("OTS"); the National Credit Union Administration ("NCUA"); the Secretary of the Treasury ("Treasury"); and the Securities and Exchange Commission ("SEC"). The Commodity Futures Trading Commission ("CFTC") was added to this list by amendment on December 21, 2000.
[11] Although the GLBA permits most agencies simply to issue security guidelines, the FTC and the SEC must implement a specific security rule.
[12] See 66 Fed. Reg. 41162 (Aug. 7, 2001).
[13] The program does not need to be set forth in a single document, as long as all parts of the program are coordinated and can be easily accessed and identified.
[14] See Final Rule: Privacy of Consumer Financial Information (Regulation S-P), 17 C.F.R. Part 248.
In October 1998, Congress passed the Identity Theft and Assumption Deterrence Act of 1998 (the "Identity Theft Act") to address the problem of identity theft. Specifically, the Act amended 18 U.S.C. § 1028 to make it a federal crime when anyone:
Federal investigative agencies such as the U.S. Secret Service, the FBI, and the U.S. Postal Inspection Service may investigate violations of the Identity Theft Act. The Department of Justice may also prosecute these violations.
In FTC v. Martinez, the FTC charged the defendant with operating a Web site that afforded visitors the capability to produce high-quality "fake IDs." The FTC alleged that the fake IDs could be used to promote identity theft and underage drinking. In its complaint, the FTC claimed that the injury experienced by the victims of identity theft was unavoidable and therefore the defendant's practice was unfair. The FTC also alleged that by providing the means and instrumentalities to violate the law, the defendant's practice was deceptive.
3. R & R Consultants, Inc.: Allegedly Fraudulent Credit Card Loss Protection Scheme
In October 2001, the FTC announced that it was taking action against R & R Consultants, Inc., a company that promoted an allegedly fraudulent credit card loss protection program. As part of this program, the defendants promised consumers that they could remove all of their personal information from the Internet to protect them from identity theft.
In early 2000, the FTC began examining "online profiling," which is the practice of surreptitiously collecting data about the Internet activities of consumers in order to target them with advertising. The FTC is concerned about profiling because it is often conducted without consumers' awareness that their Internet use is being tracked. In order to avoid potential federal regulation of online profiling, the Network Advertising Initiative ("NAI") provided a proposal to self-regulate advertisers' online profiling practices through a seal program. The FTC approved and endorsed this initiative. Although the NAI proposal was framed in the context of the creation of consumer profiles by third party advertising networks, the current regulatory environment suggests that it is prudent to follow these practices even when a Web site intends only to create profiles on its own customers.
The following principles, proposed by the NAI and endorsed by the FTC, apply to the merging of consumers' personal information with cookies or other data that provide information on their online habits:
In addition to endorsing the NAI proposal, the FTC called for Congress to enact legislation to provide privacy protection for consumers with regard to online profiling practices. The proposed legislation would mimic the NAI Proposal, and center around the basic principles discussed above. The FTC stated that such legislation would complement the NAI self- regulatory structure by guaranteeing compliance by non- member network advertising companies. The proposed legislation would provide the implementing agency with the authority to grant safe harbors to self-regulatory principles. The FTC stated that it believes the NAI proposal would qualify for such a safe harbor, but that other industry groups or individual firms would be free to apply for safe harbor approval as well. Under the proposed legislation, all network advertising companies and all consumer-oriented commercial Web sites that permit the collection of information from or about consumers by network advertising companies would be required to comply with the fair information practices described above.
Online profiling is usually accomplished with "cookies" and "web bugs." A cookie is a small piece of data that a Web server asks the browser to store and to send back with every later request to that server; an advertising network whose content is embedded on many sites can therefore use a single cookie to recognize the same browser across all of those sites and assemble a profile of the user's movements. A web bug is a tiny graphic, typically only 1-by-1 pixel in size and therefore effectively invisible, that a page loads from a third party's server; the request to fetch it tells that server who viewed the page (through the accompanying cookie, IP address and referring URL) and when. Cookies and web bugs cause concern because they trace consumers' online movements without consumers' awareness that their Internet activities are being tracked. The FTC and state Attorneys General have brought actions challenging the undisclosed use of cookies and web bugs by Internet companies.
The Michigan Attorney General recently published Notices of Intended Action against several companies in connection with the allegedly undisclosed use of Web bugs on their sites by third-party advertising networks.
The Michigan Attorney General recently reached a settlement with Esurance regarding allegations that third-party advertisers, without disclosure, used cookies on the company's site to track Internet activities and compile demographic information. As part of the settlement, Esurance agreed to post a privacy policy on its site with links to these companies.
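As an added example (not part of the original survey and not code from any company named on this page), the following Python script shows the mechanics described above from the defender's side: it scans a constructed HTML page for images that are 1-by-1 pixel or hidden and flags whether each loads from a host other than the page's own, lists third-party scripts, and classifies constructed Set-Cookie headers as first- or third-party and session or persistent. The hostnames (shop.example.com, ads.example.net) are placeholders, and the eTLD+1 logic is a deliberate simplification.

```python
"""Detect likely web bugs (tracking pixels) and third-party cookies.

Added example, not from the original survey. The HTML snippet and the
Set-Cookie headers below are constructed for illustration; the hostnames
are placeholders, not real advertising networks.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example.com"   # assumed host of the page being scanned

# Constructed sample page: one ordinary image, one 1x1 third-party pixel,
# one hidden first-party pixel and one third-party script.
SAMPLE_HTML = """
<html><body>
<img src="https://shop.example.com/img/logo.png" width="120" height="40">
<img src="https://ads.example.net/track.gif?uid=abc123" width="1" height="1">
<img src="/pixel.gif" style="display: none" width="1" height="1">
<script src="https://ads.example.net/profile.js"></script>
</body></html>
"""

# Constructed response headers: (host that set the cookie, Set-Cookie value)
SAMPLE_COOKIES = [
    ("shop.example.com", "session=9f1a; Path=/; Secure; HttpOnly"),
    ("ads.example.net", "id=abc123; Expires=Wed, 01 Jan 2003 00:00:00 GMT; Path=/"),
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for example.com-style
    hosts; a real tool would consult the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_third_party(url: str, page_host: str) -> bool:
    """True when the URL's host belongs to a different registrable domain
    than the page. Relative URLs (no host) are first-party by definition."""
    host = urlparse(url).hostname
    if not host:
        return False
    return registrable_domain(host) != registrable_domain(page_host)


class TrackerScanner(HTMLParser):
    """Collects <img> elements that look like web bugs and third-party scripts."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.web_bugs = []
        self.third_party_scripts = []

    @staticmethod
    def _dim(value) -> int:
        """Parse a width/height attribute; missing or non-numeric counts as large."""
        try:
            return int(str(value).rstrip("px"))
        except (TypeError, ValueError):
            return 999

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            tiny = self._dim(a.get("width")) <= 1 and self._dim(a.get("height")) <= 1
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style
            if tiny or hidden:
                self.web_bugs.append({
                    "src": src,
                    "third_party": is_third_party(src, self.page_host),
                    "hidden": hidden,
                })
        elif tag == "script":
            src = a.get("src")
            if src and is_third_party(src, self.page_host):
                self.third_party_scripts.append(src)


def scan_html(html: str, page_host: str = FIRST_PARTY) -> dict:
    """Return the suspected web bugs and third-party scripts found in the page."""
    scanner = TrackerScanner(page_host)
    scanner.feed(html)
    return {"web_bugs": scanner.web_bugs,
            "third_party_scripts": scanner.third_party_scripts}


def classify_cookies(cookies, page_host: str = FIRST_PARTY) -> list:
    """Label each Set-Cookie by who set it and whether it outlives the session."""
    out = []
    for setter, header in cookies:
        parts = [p.strip().lower() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        persistent = any(p.startswith(("expires=", "max-age=")) for p in parts[1:])
        out.append({
            "name": name,
            "set_by": setter,
            "third_party": registrable_domain(setter) != registrable_domain(page_host),
            "persistent": persistent,
        })
    return out


if __name__ == "__main__":
    for bug in scan_html(SAMPLE_HTML)["web_bugs"]:
        print("web bug:", bug)
    for cookie in classify_cookies(SAMPLE_COOKIES):
        print("cookie:", cookie)
```

Run against a real page, the combination that matters for the profiling concern discussed on this page is a tiny or hidden image that is third-party and accompanied by a persistent third-party cookie: that is the pairing that lets an advertising network recognise the same browser on every site where its pixel is embedded.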
The Missouri Attorney General recently announced a law enforcement action against More.com alleging the undisclosed use of Web bugs by third parties to receive or share information about consumers' visits to More.com's Web site.
On May 10, 2000, eleven federal class action lawsuits brought against DoubleClick, Inc. ("DoubleClick") were consolidated in the United States District Court for the Southern District of New York. Subsequently, two other federal class action lawsuits brought against DoubleClick were also added to the consolidation for pretrial proceedings, bringing the total to thirteen. The members of the classes had sued DoubleClick to challenge its use of "cookies" as well as its use of the Abacus Direct database to match users' personal information with their Internet surfing habits.
On March 28, 2001, Judge Naomi Reice Buchwald dismissed the federal claims brought by the class members, finding that (1) the Electronic Communications Privacy Act ("ECPA") does not apply to conduct authorized by "users," and that because DoubleClick's affiliated Web sites - not the individual consumers - constituted the "users," their authorization met the ECPA's requirements; (2) the Wiretap Act does not apply because only one party's consent is necessary to access a communication, and DoubleClick's affiliated Web sites, which were parties to the communications, gave the necessary consent to DoubleClick; and (3) the Computer Fraud and Abuse Act does not apply because the individual class members could not show that they had each suffered $5,000 in damages, and the $5,000 threshold may only be aggregated across victims if the conduct at issue consists of a single act. Judge Buchwald also dismissed the state claims brought by the class members for lack of jurisdiction.
On June 11, 2001, Judge Lynn O'Malley Taylor of the Superior Court of California in Marin County, denied Doubleclick's demurrer in the class action lawsuit Judnick v. DoubleClick. This lawsuit also challenged Doubleclick's alleged failure to disclose its use of cookies. In denying Doubleclick's demurrer, Judge Taylor determined, among other things, that the plaintiffs' allegations were sufficient to show a serious invasion of privacy, in violation of the California Constitution.
A private enforcement class action law suit was brought against Avenue A as a result of Avenue A's alleged undisclosed placement of cookies on users' computers that allowed Avenue A to track users' Internet activities and compile personal information for commercial purposes.
Plaintiffs filed a class action challenging the advertising network's allegedly undisclosed use of cookies.
Plaintiffs brought a class action against Toys "R" Us, Inc., Toys "R" Us.com and Coremetrics, Inc. alleging that Toys "R" Us.com collected confidential information in an unauthorized manner and disclosed the information to Coremetrics.com - an agent working for the defendants - in contravention of Toys "R" Us.com's privacy policy.
This pending class action challenges Yahoo's Broadcast.com's alleged undisclosed use of cookies. By using these cookies, the Defendants were allegedly able to obtain confidential information from consumers without their awareness or consent.
The FTC has charged one Internet company with failing to comply with agreed-to third party privacy policies.
The FTC alleged that ReverseAuction.com violated eBay's User Agreement and Privacy Policy after affirmatively indicating acceptance of the policy's terms. (ReverseAuction.com had agreed to comply with the User Agreement and Privacy Policy when it registered with eBay by clicking the "I Agree" button.) The FTC's intervention suggests that it will use the full power of the U.S. Government to enforce User Agreements and Privacy Policies between private entities, at least on behalf of major Web sites, and when it perceives widespread consumer injury.
As the "dot-com" market declines, many Internet privacy issues arise when online companies file for bankruptcy and attempt to sell their assets -- particularly information databases collected under privacy policies that state that the companies will not sell consumer information.
After the COPPA Rule took effect, the FTC settled a case against Toysmart.com. Toysmart.com was an online toy retailer that collected family profiles, including the names and birth dates of children, which triggered application of COPPA. Toysmart.com promised in its privacy statement to never share information collected from consumers with a third party. However, the company subsequently filed a motion in bankruptcy court seeking to sell its assets, including its database of personal information.
The FTC charged that this constituted a violation of COPPA and Section 5 of the FTC Act because Toysmart.com collected names, e- mail addresses, and ages of children under thirteen without notifying parents or obtaining parental consent. The FTC demanded that Toysmart.com be prohibited from selling the database as a stand-alone asset, but agreed to allow its sale within one year to a "qualified buyer" that agrees to the terms of the original privacy policy.
The Texas Attorney General announced a settlement with Living.com, which, like Toysmart.com, was insolvent and considering the sale of its customer information. Under the terms of the settlement, Living.com was required to destroy its customer financial records, including bank account, credit card and social security numbers. Living.com will be allowed to sell customer names and e-mail addresses, but only after customers are given the opportunity to "opt out" of the proposed sale. Living.com had provided in its privacy policy that it might share personal information with third parties in the future, but that it would not do so if a consumer did not consent.
The Massachusetts Attorney General recently reached an agreement with Essential.com, which, similarly to Toysmart.com, wished to sell its customer database of roughly 70,000 customers as part of a bankruptcy proceeding. The Massachusetts Attorney General sought to block this sale because Essential.com's privacy policy stated that customer data would only be sold to accomplish the company's business objectives. To resolve this matter, Essential.com agreed to provide its customers with notice and an opportunity to decide whether they wish to have the entity that buys Essential.com's business continue their service. If any customer chooses not to have their service continued by the purchaser, Essential.com agreed to destroy that customer's personal data.
The Electronic Communications Privacy Act ("ECPA") (discussed in further detail above in Section I) provides protection for employees who are subject to workplace e-mail monitoring. However, in addition to the exception for party consent, there are several other exceptions that narrow the scope of the ECPA in the workplace and allow employers to monitor their employees' e-mail activities under certain circumstances:
To reduce risk of liability for monitoring employee e-mail usage, each employer should require all employees to acknowledge and sign an e-mail and Internet use policy. An employer also can reduce its risk of liability for defamation, transmission of obscene materials, sexual harassment and discrimination committed by employees on workplace computers by requiring compliance with such a policy.
Connecticut has enacted a statute specifically directed to workplace privacy. The statute provides that employers that engage in electronic monitoring must give prior written notice to their employees, informing them of the types of monitoring that may occur. CONN. GEN. STAT. § 31-48d(b)(1) (2001). Electronic monitoring includes collection of employees' activities or communications by any means other than direct observation, including through a computer, telephone, wire, radio, camera, electromagnetic, photoelectronic or photo-optical systems (electronic monitoring does not include monitoring for security purposes in common areas of the employer's premises). Id. § 31-48d(a)(3). However, employers need not provide prior written notice when they have reasonable grounds to believe that an employee is engaged in conduct that violates the law, violates the legal rights of the employer or other employees, or creates a hostile work environment. Id. § 31-48d(b)(2).
The California legislature tried twice to pass legislation similar to that of Connecticut, but both times California Governor Gray Davis vetoed the bill.[15]
Employers should also be mindful of a recent California statute that requires businesses to take reasonable steps to destroy, or arrange for the destruction of, customer records containing personal information that are no longer to be retained, by shredding, erasing or otherwise modifying the records so that the information contained in them is unreadable or undecipherable through any means. See CAL. CIV. CODE § 1798.80 et seq. Failure to comply with this statute could make a business liable for damages, injunctive relief or other remedies. Id. This statute will likely apply to employers that monitor their employees' e-mail usage because they inevitably become privy to, and collectors of, personal information contained in their employees' electronic communications.
[15] See http://www.wired.com/news/privacy/0,1848,42029,00.html
The practice of monitoring of employees' e- mail communications is a highly charged issue that has resulted in litigation over whether such a practice is an invasion of employees' privacy. Generally, courts have found that employees do not have a reasonable expectation of privacy in their workplace email communications.
Even though the employee filed e-mail messages in a password-protected "personal folders" application on his office computer, the employee did not have a reasonable expectation of privacy that would prevent the company from viewing the files. The court determined that the employee's e-mail messages were not personal property, but were part of the office environment. In addition, the company's need to prevent inappropriate use of its e-mail system outweighed the employee's privacy interest. Accordingly, the company had a legitimate right to access the data stored in the "personal folders."
The court determined that the employee did not have a reasonable expectation of privacy in using the internal email system to communicate with his supervisor, even though the company previously stated that email communications would remain confidential. Accordingly, the court found that it was not unlawful for the company to intercept the employee's email and terminate him for transmitting inappropriate communications over the company's email system.
An employee challenged his termination, alleging that he was fired because his employer learned, from print-outs of e-mail messages that he had left in a printer tray, that he worked as a gay stripper in his off-hours, and that the employer had no right to misuse information contained in an e-mail. The court found that the employee had no reasonable expectation of privacy in the fact that he was a stripper, because a publicity photograph of him was posted outside the theater where he performed. The employer did not violate the employee's right to privacy by using information included in an e-mail as grounds for dismissal.
An employee challenged her termination after her employer dismissed her for insubordination for criticizing the company's practice of monitoring employee e-mail. (Flanagan v. Epson America, Inc., No. BC007036 (Cal. Super. Ct. Los Angeles County, Jan. 4, 1991), a related class action brought by approximately 700 employees whose e-mail was read, was dismissed when the court denied class certification.)
Employees had no reasonable expectation of privacy in their e-mail messages, despite the fact that the messages were password-protected, because they were aware that their employer was monitoring the e-mail messages. The employer began monitoring the employees' e-mail after an e-mail system trainer randomly accessed an employee's e-mail message and noted that it was of a personal and sexual nature. In addition, the court noted that the employees had signed a statement that said "It is company policy that employees and contractors restrict their use of company-owned computer hardware and software to company business."
HIPAA was enacted on August 21, 1996, and directed the Department of Health and Human Services ("HHS") to issue rules (the "HIPAA Rules") to govern the protection of "individually identifiable health information." On December 28, 2000, HHS issued the HIPAA Rules, which protect all medical records and other individually identifiable health information held or disclosed by health insurance agencies and other "covered entities" and their "business associates." Although the Bush Administration initially wavered about whether it would allow the implementation of the HIPAA Rules, they went into effect on April 14, 2001.[16] Compliance with the HIPAA Rules is required by April 14, 2003 (small health plans have until April 14, 2004).
The HIPAA Rules apply to "health plans," "health care clearinghouses," and most "health care providers," which are collectively referred to as "covered entities." The compliance requirements also reach "business associates"[17] that receive or are exposed to individually identifiable health information while providing services for covered entities. Health insurance agents and brokers that sell health insurance policies[18] are considered "business associates" of health insurers; they are not themselves covered entities, but are bound to the HIPAA Rules' requirements through the business associate contracts the insurers must have with them.
The HIPAA Rules protect all forms of individually identifiable health information (whether electronic, on paper, or oral), which are held or disclosed by covered entities. Individually identifiable health information is information that:
[16] HHS has indicated, however, that it may make changes to the rules on a going forward basis. See http://www.cnn.com/2001/HEALTH/04/12/medical.privacy/index.html?s=2.
[17] Business associates are any people or entities that perform certain activities or functions on behalf of a covered entity that involves the use or disclosure of protected health information (i.e., claims processing, benefit management, etc.).
[18] It should be noted that not all insurance benefits are covered by the HIPAA rules, and are therefore exempt from regulation. These benefits include workers' compensation, life, disability, property and casualty, and automobile insurance. Entities that provide health insurance plans and other exempt benefits need only comply with the HIPAA rules with respect to the information gathered in the sale of the health insurance plans.
Covered entities must maintain a privacy policy notice and provide that notice to recipients of health care and health insurance benefits. The notice must inform individuals of the uses and disclosures that may be made of their protected health information, and of the individuals' rights and the covered entity's duties with respect to this protected health information. A covered entity must act consistently with its privacy policy. Notice must also be provided within sixty days of any material revision to a privacy policy, and once every three years the covered entity must remind individuals of the availability of the privacy notice and how to obtain it.
In order to use or disclose protected health information, a covered entity must obtain affirmative consent from the individual ("opt-in") or determine that no opt-in is required. As a general matter, no opt-in is required for "treatment, payment, and health care operations." Treatment refers to the provision of health care by a provider. Payment refers to activities undertaken by a covered entity to determine or fulfill its responsibility for coverage and provision of benefits, or to obtain or provide reimbursement for the provision of health care. Health care operations refers to a variety of insurance-related activities, including the use of protected information for creating, renewing, or replacing a contract of health insurance or health benefits. Opt-in is generally required for uses and disclosures for purposes other than treatment, payment or health care operations.
If an individual does opt in to the use or disclosure of his/her protected health information for a particular purpose, this opt-in must be obtained through a document that is separate from the covered entity's privacy notice. The authorization must at a minimum include:
Depending on what type of authorization is requested, the covered entity may have to include additional elements in the authorization.
A covered entity must allow individuals to access, inspect, copy, and amend their protected health information. If the covered entity does not possess the information, it must inform individuals of where they may access the information. Individuals also have the right to receive a written "accounting of disclosures" of protected health information made by a covered entity for the six years prior to the date of the request. The accounting does not need to include disclosures made to carry out treatment, payment, or health care operations.
Covered entities must designate both a privacy official responsible for compliance and a contact person to receive and respond to complaints and inquiries about the entity's privacy policies and practices. Policies and procedures must also be implemented to enable the covered entity to verify the identity of an individual or entity that requests protected information, and to ensure that the entity discloses only the "minimum necessary" information to fulfill the purpose for which the information was requested.
Export controls on commercial encryption products are administered by the Bureau of Export Administration in the U.S. Department of Commerce (the "BXA"). The rules governing the export of encryption are found in the Export Administration Regulations (the "Export Rules"), 15 C.F.R. Parts 730-774, which were recently changed. (See http://www.bxa.doc.gov/Encryption/Default.htm). The BXA is committed to ensuring that U.S. exporters will not be disadvantaged by steps taken by the EU to create a "free-trade zone" for encryption products. The major change to the Export Rules tracks the recent regulations adopted by the EU that permit most encryption products to be exported to the fifteen EU member states and to Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland under a license exception. Further, the change to the Export Rules:
In addition, the BXA revised the Guidance section of the Export Rules to provide additional information and clarification on how to submit notifications, commodity classification requests, and license applications. Finally, the BXA updated the chart explaining the licensing mechanisms for the export of encryption technology.
Section 222 of the Communications Act of 1934, as added by the Telecommunications Act of 1996 and codified at 47 U.S.C. Section 222, provides protection for certain personal information collected by telecommunications carriers about their customers. Specifically, carriers must obtain their subscribers' "approval" before using or disclosing "customer proprietary network information" ("CPNI") for any reason other than providing or billing for the type of telecommunications service from which the CPNI was derived.
CPNI includes both "information that relates to the quantity, type, destination and amount of use of a telecommunications service" that carriers receive as a result of their relationship with subscribers, and the information contained in subscribers' telephone bills. Thus, for example, CPNI includes the telephone numbers called by subscribers and the length of the calls. CPNI excludes subscriber list information (name, address and telephone number); aggregate, non-personally-identifiable information; and data from other sources, such as non-telecommunications services and data purchased from third parties.
In its implementing rules, 47 C.F.R. § 64.2001 et seq., the FCC interpreted "approval" to mean affirmative, opt-in consent following consumers' receipt of notice of their rights in CPNI. In U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), however, the Tenth Circuit Court of Appeals vacated the FCC's rules, holding that the requirement of affirmative, opt-in consent violated the First Amendment to the United States Constitution by restricting protected commercial speech.
The FCC has not yet adopted replacement rules on remand, but it has stated publicly that it will continue to enforce the remainder of Section 222, such as the requirement that telecommunications carriers at least provide consumers with notice and a means of opting out of the use or disclosure of their CPNI.
The EU Data Protection Directive (the "Directive") took effect on October 25, 1998. The Directive requires EU Member States to adopt regulations that forbid the transfer of personal data to non-member countries that fail to provide an "adequate level of protection" for this data under EU standards. Pursuant to the Directive, for data collectors in non-member countries to be deemed to be providing an "adequate level of protection," the individuals whose data is provided to those data collectors must be able to:
In addition, the data collector must provide its subjects with:
There are exceptions to the prohibition against transferring data to countries that do not provide an "adequate level of protection." Under Article 26 of the Directive, even if there is not adequate data protection, a transfer is permissible if:
EU officials had generally determined that U.S. privacy protections would not provide an "adequate level of protection," so that transfers to the U.S. would be permissible only if one of the above-mentioned exceptions were satisfied. The EU's determination that U.S. privacy protections were "inadequate" was significant because it would have hindered certain transfers of personal data to the U.S. However, in July 2000, the U.S. Department of Commerce negotiated the Safe Harbor[19] to the Directive (the "Safe Harbor") to provide a means for U.S.-based companies to avoid interruption of their business operations with the EU and to avoid regulation and prosecution by EU authorities under the Directive. When a U.S. company self-certifies to the Safe Harbor, EU organizations may be assured that the company provides "adequate" privacy protection, as detailed under the Directive (as provided above).
Compliance with the Safe Harbor provides U.S. companies with the following benefits: (1) the fifteen EU Member States must abide by the European Commission's finding of adequacy; (2) companies that comply with the Safe Harbor will be considered to provide "adequate" privacy protections, and data flows to these companies will continue uninterrupted; (3) the requirement of Member State prior approval of data transfers will either be automatically granted or waived; and (4) claims brought against U.S. companies by EU citizens will be heard in the U.S., subject to certain exceptions.
The list of companies that have chosen to comply with the Safe Harbor may be found at the Department of Commerce's Web site, http://www.export.gov/safeharbor.
[19] Id.
The Organization for Economic Cooperation and Development (the "OECD") developed guidelines (the "OECD Guidelines") governing the protection of privacy and transborder flows of personal data. The OECD Guidelines apply to personal data in both the private and public sectors of Member countries and generally provide that:
The OECD Guidelines also provide that Member countries should make efforts to ensure that the transborder flow of personal data is uninterrupted and secure. Furthermore, Member countries should restrict the flow of data only to countries that do not abide by the above-mentioned principles. Finally, the OECD Guidelines encourage Member countries to adopt appropriate domestic legislation in light of the OECD Guidelines, support self-regulation, provide a reasonable means for individuals to exercise their rights, and provide sanctions and remedies for noncompliance.
If you are considering conducting business in the following countries, please consult with the legal department before doing so, because the rules in these countries differ from those of the United States.
Canada's Personal Information Protection and Electronic Documents Act ("Bill C-6") became effective on January 1, 2001. Bill C-6 initially applies to organizations that are under the federal government's direct regulatory power, but will be extended to all organizations engaged in commercial activity (except those government organizations subject to a separate Privacy Act) on January 1, 2004. However, if provincial governments pass their own substantially similar privacy legislation before January 1, 2004, Bill C-6 will not necessarily apply to all organizations in those provinces (for instance, the province of Quebec already has its own privacy legislation). Under Bill C-6, organizations must abide by the "Ten Privacy Principles" that were originally proposed by the Canadian Standards Association. The "Ten Privacy Principles" are:
The Hong Kong Personal Data (Privacy) Ordinance (the "Ordinance") provides that a data user may not engage in any act or practice that contravenes a data protection principle that is set forth in the Ordinance. Schedule 1 of the Ordinance details the data protection principles that govern the collection of personal data, and includes the following provisions:
New Zealand's Privacy Act 1993 (the "Privacy Act") governs the collection, use and disclosure of personal information and access to such information in both the public and private sectors. The Privacy Act sets forth twelve specific information privacy principles with which data collectors must comply (See http://www.privacy.org.nz/search.html). There is also proposed legislation to amend the Privacy Act that may be enacted by mid-2001. This amendment is intended to qualify New Zealand's Privacy Act as providing an "adequate level of protection" under the EU Directive (See http://www.privacy.org.nz/news3.html). The amendment would remove the requirement that, in order to make an access or correction request, the individual making the request must be a New Zealand citizen, a New Zealand permanent resident, or in New Zealand at the time of the request. In addition, the amendment would prohibit the transfer of personal information from New Zealand to another jurisdiction if that jurisdiction does not provide comparable safeguards, if the proposed transfer may circumvent laws of the jurisdiction from which the information originated, and if the transfer is likely to breach the principles set out in the OECD Guidelines.