Why Your Company Should Develop a Consumer Privacy Policy for Website Collection or Dissemination of Personally Identifying Consumer Information

The rapid growth of online commerce has spurred federal regulators into action to protect consumer privacy rights. Companies that use their websites for collection or dissemination of consumers' personal information should be aware of standards imposed by newly enacted federal law and the Federal Trade Commission ("FTC") to regulate such practices.

The FTC, which regulates commercial advertising and marketing practices,(1) has taken an active role in protecting online consumer privacy. In a report to Congress, the FTC concluded that the industry had failed to provide sufficient self-regulation of consumers' online privacy.(2) The FTC surveyed 1400 websites and determined that only two percent provided a comprehensive privacy policy. Most troubling to the FTC, eighty-nine percent of the 212 children's sites collected personally identifiable information from children, and fewer than ten percent of such sites provided any form of parental control over the collection of information from children.

In a complaint against GeoCities,(3) the FTC alleged that the Company's website collected personally identifying information from consumers, including minors, and distributed it to others. GeoCities was alleged to have misrepresented the use of personal information by statements in application materials that such information would be used only for specific mail offers and services requested by consumers.

Settlement of the case included a court approved order with the following terms:(4)

  • Prohibitions on future misrepresentations concerning the use of collected consumer information;

  • Notice on the website that information is being collected, the intended collection purpose, and consumer rights concerning access and changes to personal information;

  • Express parental consent before collecting information from children;

  • Notice to prior users of data collection practices and instructions concerning methods to delete collected personal information.

In addition to FTC privacy regulation, Congress enacted the Children's Online Privacy Protection Act of 1998 (the "Act").(5) The Act applies to website operators and online services directed to children, as well as to those with knowledge that they are collecting personal information from children. The Act makes it a violation of federal law to obtain personal information from children under 13 years of age except as provided.

As set forth in Section 6502(b), the Act calls for the FTC to promulgate regulations addressing the following children's privacy issues:

  • Notice of the type of information collected and its intended use;

  • Verifiable parental consent prior to collection and use;

  • Parental access to the information collected and the ability to refuse further use or collection of information;

  • Prohibitions on conditioning a child's participation on a prize offering or upon disclosure of more personal information than is reasonably necessary to participate in the activity;

  • Maintenance of procedures to protect the confidentiality, security, and integrity of collected information.

The Act contains a "safe harbor," which envisions self-regulation by compliance with FTC-approved online industry standards. Violation of the Act is defined as an unfair and deceptive practice under the Federal Trade Commission Act.(6) In addition, the Act empowers state Attorneys General to bring civil actions against online operators to enjoin violations and enforce compliance.(7)

More recently, the Senate has prepared a discussion draft of the Online Privacy Protection Act of 1999. This proposal would essentially apply the same privacy protection that is now provided to children to all consumers. The Consumer Internet Privacy Protection Act of 1999, introduced in the House of Representatives, would prohibit disclosure of "personally identifiable information" provided by a consumer without written consent.

In conclusion, we strongly recommend that clients operating websites that collect personal data, at a minimum, comply with the provisions of the Children's Online Privacy Protection Act and consider a broader online privacy policy that includes the following:

Notice. Privacy policies should be posted on the company's website.

Compliance. The company's actual use of personal information should adhere to stated policies.

Consumer Access. Consumers should be made aware of procedures to access or correct collected information.

Contracts with Third Parties. Website owners should consider contractual provisions with third party advertisers and marketers that may use consumer information to ensure compliance with privacy policies.

1. See www.ftc.gov.

2. Privacy Online: A Report to Congress, FTC (June 1998).

3. In the Matter of GeoCities, File No. 9A23105 (FTC, Aug. 12, 1998).

4. Id.

5. 15 U.S.C. § 6501, et seq.

6. § 6502(b) & 15 U.S.C. § 57(a)(1)(B).

7. § 6504(1).
