As the Internet becomes a larger part of people.s lives, companies are collecting greater volumes of personal information about existing and prospective customers online. Because data privacy law in many jurisdictions is still in its formative stages, there is no single standard to which companies are held in using and protecting the personal information obtained from users of these companies. products and services. This Alert sets forth a general overview of privacy law relating to the collection of personal data over the Internet under United States, European Union (EU), and Japanese law.
Currently, there are no federal statutes or regulations which directly prohibit the collection or remarketing of personal information collected online, either individually or in the aggregate. Trends indicate that there will soon be privacy requirements in the United States which will limit the use companies can make of consumer information received over the Internet. For example, the Communications Privacy and Consumer Empowerment Act [H.R. 1964, 105th Cong, 1st Sess. (June 19, 1997)], would require the Federal Trade Commission (FTC) to announce rules ensuring that consumers (a) have knowledge that consumer information is being collected about them; (b) receive conspicuous notice that such information could be used for purposes unrelated to the transaction in which it is given or sold to third parties; and (c) be allowed to exercise control over the collection of personal information. The proposed Data Privacy Act [H.R. 2368, 105th Cong., 1st Sess. (July 30, 1997)], is specifically targeted at Internet data collection and calls for the interactive computer service industry (a) to develop voluntary guidelines for notifying customers before collecting personal information; (b) to advise customers of any third party recipients of their data; and (c) to allow customers access to their personal data for verification purposes and to allow them the opportunity to prohibit disclosure of such data to any third parties. Internet data privacy may also be impacted by other proposed federal privacy laws related to online use of social security numbers, online "lookup" services, data gathered by online service providers incident to customer enrollment, and health-related online privacy issues, as well as individual state laws regarding data privacy, but such topics are beyond the scope of this Alert.
Even in the absence of specific privacy legislation, the FTC has recently shown a willingness to police the collection and use of consumer information over the Internet through its authority over "unfair" or "deceptive" commercial practices pursuant to Section 5 of the FTC Act. A December 1996 FTC Staff Report entitled "Public Workshop on Consumer Privacy on the Global Information Infrastructure" (the FTC Report) provides a useful overview of the likely development of online privacy requirements in the United States, summarizing the views of participants in the FTC.s June 1996 workshop on consumer privacy (a similar workshop was held in June of 1997, but no report has yet been issued). The FTC Report describes a general consensus among industry representatives, privacy advocates and the FTC itself about the importance, if not the specifics, of the following four principles of privacy:
1. Notice. When consumers are asked to provide personal data online, they should be provided with the following information: the identity of the collector, the intended uses of the information, and the means by which consumers may limit disclosure of the information given.
2. Choice. Consumers should be able to "exercise choice with respect to whether and how their personal information is used."
3. Security. Data collectors should be able to ensure the security of the collected data by taking reasonable steps to guard against loss or misuse of personal information provided by consumers.
4. Access. Consumers should have
access to the information they provide, and the opportunity to update their information where necessary.
Whatever the result of the debate over how to regulate the use of consumer information online, it is likely that compliance with some or all of the above noted principles will be necessary.
One area where we may expect to see particularly close scrutiny of Internet data collection is that associated with children. The FTC has taken an active role in attempting to protect children in the online world. On July 15, 1997 the FTC issued an open letter responding to a 1996 complaint from the Center for Media Education against the KidsCom Web site. While refraining from pursuing any enforcement action against the site, the FTC used the letter as an opportunity to set forth several broad principles which the FTC believes apply generally to online information collecting from children. Specifically, the FTC took the position that "[I]t is a deceptive practice to represent that a Web site is collecting personally identifiable information from a child for a particular purpose. when the information will also be used for another purpose which parents would find material, in the absence of a clear and prominent disclosure to that effect." The FTC found the occasional posting of notices requesting that children seek parental permission before inputting their age, e-mail address, and hobbies to be inadequate notice and stated that an adequate notice to parents should disclose: who is collecting the personally identifiable information, what information is being collected, its intended use, to whom and in what form it will be disclosed to third parties, and the means by which parents may prevent the retention, use or disclosure of the information. The FTC has continued its efforts in this area. It recently performed an impromptu "Mini-Surf," as it termed it, auditing the privacy policies employed by 126 child-oriented Web sites, and on December 15, 1997, announced the results of "Kids Privacy Surf Day," stating that Web sites need to more broadly implement privacy guidelines developed by industry associations.
On February 26,1998, the FTC announced that it would survey 1,200 commercial Web sites to determine the extent to which these sites, including sites directed to children, are disclosing how they collect and use personal information online.
Some self-regulatory standards to the privacy problem are beginning to develop. While these standards are not statutory, it may become important for companies to comply with these standards to maintain customer trust. For example, on May 27, 1997 Netscape, Firefly and VeriSign cosponsored the "Open Profiling Standard" (OPS), a standard format designed to give users more control over the personal information they deliver to Web sites. This standard has been endorsed by a wide spectrum of organizations, including the Electronic Frontier Foundation. Netscape, Firefly and VeriSign have also announced their formation of an alliance to use OPS to help protect the privacy of consumer information on the Internet. With OPS, computer users could specify on their browser software what information they are willing to release to participating Web sites, and what information they prefer to keep private. More recently, commercial entities, including Netscape, AT&T, Entrust Technologies, the Electronic Frontier Foundation, and Pretty Good Privacy, sponsored "TRUSTe," an independent, nonprofit privacy initiative intended to popularize the "trustmark." "Trustmark" is designed to enhance and simplify disclosure of the information-handling policies of participating Web sites and thereby forestall governmental regulation.
The FTC is currently preparing a report to Congress on the effectiveness of self-regulatory approaches to protecting consumer.s privacy online and is formally requesting public comment on the topic.
Data privacy is primarily governed in the EU by the EU Council of Ministers. 1995 Directive on Personal Data (the 1995 Directive), which all member nations are required to implement by October 1998. Reports in the popular press indicate that the EU may either modify the 1995 Directive before the required October 1998 implementation date or adopt a different directive which would supersede the 1995 Directive. While the starting point for European online data privacy law is the 1995 Directive, the specifics of each member state.s implementing legislation is beyond the scope of this Alert, and companies are encouraged to engage local counsel to ascertain the status of any specific member state.s implementation of the 1995 Directive.
The 1995 Directive requires that no personal data be collected from Data Subjects (i.e., the person responding to an online request for data) unless the company soliciting personal information from a Data Subject discloses certain information (roughly equivalent to the requirements of the FTC Report) to that Data Subject and that the Data Subject gives its unambiguous informed consent to such collection. "Personal data" is defined as "information relating to an identified or identifiable natural person." In addition, the 1995 Directive sets out broad protections for the "processing of personal data." "Processing" is defined as any "set of operations performed on personal data, such as collection, recording, or disclosure." Subject to some limited exceptions, personal data can be "processed" only "if the Data Subject has unambiguously given his consent" to the processing.
The Directive contains heightened protections for certain sensitive classes of data, and prohibits the processing of personal data regarding race or ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, sex life or health without "explicit consent" of the Data Subject. There are some very narrowly drawn exceptions where "explicit consent" is not required for this sensitive data, such as in the case of incapacity of the Data Subject, or where the Data Subject has "manifestly" made the data public himself, but "explicit consent" is not defined in the Directive, and member states may enact legislation which prohibit waiver of privacy rights to such data, even if the Data Subject has provided explicit consent.
Controller Disclosure Requirements
The Directive obligates the "Controller" of the data, who is defined as the "person.or body which determines the purposes and means of the processing of personal data," to provide certain information to the Data Subject at the point personal data is collected, including:
(a) the identity of the Controller;
(b) the purposes for which the information is being gathered; and
(c) any further information necessary to ensure that, in each individual transaction, the collection of personal data is processed fairly.
Controllers are required to provide this information to Data Subjects even where the personal data is collected from third parties rather than directly from the Data Subjects. The Directive also provides Data Subjects with a right of access to their personal data, as well as the right to correct inaccuracies and block the transmission of personal data not processed in accordance with the requirements of the Directive.
The 1995 Directive will have significant extraterritorial effect because it requires member states to prevent the transmission of personal data to any country outside the EU which does not "ensure an adequate level of protection" for personal data. The extraterritorial impact of the EU Directive is demonstrated by the fact that the EU and United States are presently in discussions regarding the differences in their approaches to the protection of data transmitted over the Internet. The EU approach favors more government regulation of Internet transmissions whereas the United States. approach relies more heavily on private regulation of the Internet. A joint statement on world electronic trade signed in Washington on December 5 by the EU and the United States did not resolve such differences, but the EU and the United States have pledged to work towards a solution.
There are currently no laws in Japan which impose penalties on parties that release personal information to third parties, such as advertisers or direct marketers, and no laws regulating privacy of consumer information generally. However, recent developments suggest that legislation may be expected. In March 1997, the Ministry of International Trade and Industry ("MITI") announced that it would work with the private sector and other governmental offices to draft legislation on privacy, security and other issues surrounding electronic commerce. Draft legislation is expected in the near future. In addition, the Electronic Commerce Promotion Council of Japan is expected to release a set of guidelines arguing that companies collecting personal data online should not solicit race, ethnic or religious information without the clear consent of the consumer.
In conclusion, while neither the United States, EU, nor Japan has yet enacted laws which deal specifically with the privacy requirements for personal data collected electronically, each jurisdiction has shown both a willingness to step into the arena and an openness to accept input from industry leaders. The keystone of all approaches to privacy protection appears to be adequate disclosure of the purposes of data collection and use and unambiguous consent to such use. While no "magic language" exists to define the sufficiency of such disclosure or consent language, explicit and accurate representation as to the use of information which is reasonably related to the business ends of the collector may pass muster under any of the presently anticipated privacy regimes.
For additional information concerning data privacy law, we recommend the following online resources:
(i) Several foundations and clearinghouses have outposts on the Web with privacy-related information that can help keep current on the state of privacy initiatives:
The Electronic Privacy Information Center.www.epic.org
The Privacy Rights Clearinghouse.www.privacyrights.org
Center for Democracy and Technology.www.cdt.org/privacy
(ii) For a discussion and analysis of many of the legal issues implicated in the online privacy arena, please see Susan E. Gindin.s "Lost and Found in Cyberspace.Informational Privacy in the Age of the Internet," which can be found at www.info-law.com/lost.html.
(iii) The FTC.s Public Workshop on Consumer Privacy on the Global Information Infrastructure is available at the FTC site in HTML or Acrobat PDF formats, at www.ftc.gov/reports/privacy/privacy.html and .pdf, respectively, and the FTC has other privacy-related resources, including the recently released report to Congress regarding online individual reference services (such as Lexis. P-Trak service) at www.ftc.gov/os/9712/irs.pdf.
The FTC.s press release regarding the Kids.com action may be found at www.ftc.gov/opa/9707/kidscom.htm, and includes reference to the full text of the Kids.com letter. The press release regarding the "Kids Privacy Surf Day" may be found at www.ftc.gov/op/9712/kids.htm.
(v) A discussion of MITI.s (Japan) Guidelines for the Protection of Personal Data may be found at www.gip.jipdec.or.jp/~hirai/fujimori/digital05-e.html.