Internet Law Update: Developments in Privacy Law: 1999


CONTENT

I. Federal Privacy Legislation

II. Children's Online Privacy Protection Act

III. European Union Privacy Directive

IV. Privacy and Financial Institutions

V. Healthcare Information Privacy

VI. Judicial Decisions

Conclusion

For Additional Information

The last several years have witnessed an increasingly intense debate over the rights of individuals to protect the privacy of their personal data. That debate is fueled in part, but not exclusively, by growing concern over the privacy of visitors to Internet web sites. During 1999 this debate continued, with privacy proposals being made in Congress, by the Clinton administration, by regulatory agencies, and in the European Union. The courts also had occasion to weigh in on privacy issues. This Thelen Reid Internet Law Update will provide a brief report on some of the more significant developments of 1999 in connection with privacy law and regulation. These issues are especially important for any entity using personal data on the Internet.


I. FEDERAL PRIVACY LEGISLATION

No general online privacy legislation was passed in the first session of the 106th Congress, although such legislation was introduced, including the Electronic Rights for the Twenty First Century Act introduced by Senator Leahy of Vermont and the Online Privacy Protection Act introduced by Senators Burns of Montana and Wyden of Oregon. Consideration of those bills will recommence in January 2000. Financial privacy provisions were included in the sweeping legislation to reform regulation of the banking system, which was signed into law by President Clinton on November 12 (see below). In addition, Congress was active in opposing the adoption by banking regulators of "know your customer" rules, which would have required banks to gather information about individual depositors for the purpose of preventing money laundering.

When Congress reconvenes the question will be whether the groundswell of support for sweeping legislation to regulate online privacy at the federal level has abated in favor of self regulatory measures. In its 1999 report to Congress, the Federal Trade Commission expressed satisfaction with the existing trend toward more voluntary disclosure of privacy policies by web site sponsors and concluded that the growth of self-regulatory initiatives reflects a substantial commitment by industry to promote acceptance of fair information practices. As a result, the FTC declared that sweeping Internet privacy legislation at the federal level was not warranted. This marks a change from the end of the 1998 legislative season, when the FTC was actively advocating adoption of federal legislation to protect children's privacy online and was threatening to recommend adoption of general Internet privacy legislation.

On November 8, 1999 the FTC and Department of Commerce held a workshop on online profiling at which privacy advocates urged the adoption of new regulations to limit the gathering and use of personal data online. Neither the Commerce Department nor the FTC supported legislation in this area, however. Secretary of Commerce William M. Daley urged industry to take the lead in self-regulation and stressed the progress already being made in the private sector to voluntarily regulate the gathering of such data.


II. CHILDREN'S ONLINE PRIVACY PROTECTION ACT

In 1998 Congress passed the Children's Online Privacy Protection Act ("COPPA"), the only major piece of Internet privacy legislation passed that year. COPPA established general principles for children's online privacy, including the principle that information should not be gathered from children under 13 without actual parental consent. Congress delegated to the FTC the task of drafting regulations to implement these general principles, and gave the agency a one-year deadline to do so. On October 20, 1999, the FTC promulgated its final COPPA regulations, which are of interest to any business operating a web site that may attract young visitors. The regulations will go into effect on April 21, 2000, and will require many companies to revise their online privacy policies.

Pursuant to COPPA and the new regulations, verifiable parental consent must be obtained before collecting information online from a child known to be under 13, or from a web site "targeted" to children under 13. The question of what constitutes adequate evidence of parental consent dominated the FTC's rulemaking considerations. Industry sought a way to document parental consent through online procedures, while privacy advocates urged the FTC to require some form of offline confirmation to prevent children from circumventing the consent provisions by impersonating an adult.

In the end, the FTC adopted a compromise position. Web site operators using information from children for their own internal purposes, but not selling it to third parties, will be allowed to obtain parental consent via email, and will be allowed to verify that the consent was in fact from a parent with relatively easy and inexpensive procedures such as sending a delayed email back to the site visitor confirming that the consent has been received. Alternatively, consent can be verified with a follow-up phone call or letter. Web site operators who want to transfer children's personal data to third parties, or who sponsor chat rooms, must take additional steps to verify that parental consent has been received, including a non-electronic letter or fax from the parent, disclosure of a credit card number, a call to a toll-free number, digital signature, or an e-mail accompanied by a PIN or a password.

The rules also provide for the online disclosure of website privacy policies and for parents to have the opportunity to view the information collected and prevent further collection of such data. Site operators are warned not to solicit information in connection with games or contests beyond what is necessary to such events. Finally, site operators are required to ensure that information is maintained in a secure and confidential manner.

Support for self-regulation: The rule also contains a "safe harbor" provision pursuant to which web site operators participating in industry-sponsored self-regulatory programs can obtain a certification of compliance with the statute which will eliminate the risk of FTC enforcement action. Entities participating in approved safe harbor programs will be subject to the review and disciplinary actions associated with those programs. This scheme of private industry self-regulation backstopped by the threat of government regulatory action is the model for online privacy regulation favored by the Clinton administration in general.


Conclusion. The FTC stated that these regulations would remain in place for two years on a trial basis while the ability of more advanced technology to provide verifiable parental consent in a cost effective manner is assessed. Web site operators and online service-providers should be familiar with the new rule, which may be viewed at: www.ftc.gov/os/1999/9910/childrensprivacy.pdf. Operators should carefully review their information-gathering, storage, use, and notice procedures to ensure compliance.


III. EUROPEAN UNION PRIVACY DIRECTIVE

In 1995, in the interest of establishing uniformity among EU member nations, the European Commission ("EC") and European Parliament adopted Directive 95/46/EC, "On the protection of individuals with respect to processing of personal data and the free movement of such data." The Directive outlines a scheme of data protection far stricter, more sweeping and more bureaucratic than anything existing or likely to exist in the United States. Each EU member state is required to adopt legislation implementing the Directive. The Directive is of significance to US business because it provides that entities in the EU may not export personal data to nations outside the EU that do not provide a level of protection analogous to that provided by the Directive. The EU initially took the position that the hodgepodge of privacy laws and regulations on the books in the US would not constitute adequate protection, raising the specter that multinational firms might be sanctioned for sharing data between their EU and US operations. Throughout 1998 and 1999 discussions were held between the Clinton administration and the EU in which the administration attempted to convince the EU negotiators that self-regulatory efforts by US industry could, on a case by case basis, be deemed adequate protection sufficient to allow data flows to continue between the EU and the US.

In April 1999, and again on November 15, 1999 the US, through the Department of Commerce, issued proposed "safe harbor" principles pursuant to which individual companies could qualify to receive data exchanges from EU sources if they participated in industry self-regulatory programs. To qualify, industry groups would be required to publish and enforce privacy rules and respect certain basic privacy principles similar to those set out in the Directive. The self-regulatory effort would be backstopped by government enforcement in that any company purporting to abide by self-regulatory rules but failing to do so could be the subject of unfair trade practice enforcement by the FTC or state regulators. The Department of Commerce requested that the EU accept the "safe harbor" principles as a means of satisfying the requirements of the Directive.

The EU has objected to the US "safe harbor" proposal for various reasons, including the lack of clarity regarding how self-regulatory guidelines will be enforced and a general desire that the US proposals be tightened up and made more comprehensive. Hopes ran high for a while in the fall of 1999 that a US/EU agreement on privacy issues would be announced at the US/EU Summit, which took place on December 17, 1999. However, no such agreement was reached, and summit participants fell back on predicting that an agreement would be reached some time in the spring of 2000.

Conclusion: Every company doing business in Europe, and especially those engaged in data transfers with European entities, needs to monitor the way the EU and its member nations implement the Directive to avoid its potential anticompetitive impact. Those companies should review their data collection, usage, and protection practices. They should consider documenting their compliance with privacy principles through participation in a self-regulatory organization or by contractual commitment with their EU counterparts to honor such principles. Regardless of the outcome of negotiations between the US and EU, businesses with a European presence may be subject to enforcement actions brought by a member state or the EU.


IV. PRIVACY AND FINANCIAL INSTITUTIONS

On November 11, 1999 President Clinton signed sweeping legislation to reform the regulation of the banking industry. As a result, new "financial holding companies" will be able to engage in a world of financial activities, including insurance and securities underwriting, merchant banking, and insurance company portfolio investment activities. The Act also includes provisions for the protection of personal financial information.

Major privacy provisions: The Act states that when a financial institution establishes a relationship with an individual, the institution must clearly disclose its privacy policy. In particular, the institution must disclose how it shares non-public, personal information with both third parties and affiliates. The institution must make this disclosure at least annually for the duration of the relationship.

The Act also requires financial institutions to provide consumers an opportunity to opt out of the sharing of their information with nonaffiliated third parties. The opt-out provision does not, however, prevent the financial institution from sharing the consumer's information with the financial institution's affiliated entities. The lack of an affiliate opt-out measure has been severely criticized by privacy advocates.

Moreover, the opt-out provisions do not prohibit a financial institution from sharing consumer information through joint marketing arrangements between financial institutions. This loophole was inserted to address the competitive imbalance that might otherwise exist between large and small institutions. Instead, it has led to criticism that such programs will nullify the effectiveness of the opt-out provisions between non-affiliated entities, thereby leaving consumers susceptible to the use or disclosure of non-public information among the financial institution, affiliated entities, and non-affiliated entities.

Monitoring and Enforcement: The Act requires that a study on financial institutions' information-sharing practices be conducted eighteen months from the date of enactment. The Act provides the Federal Trade Commission, federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the states with jurisdiction over enforcement of the Act. As a concession to consumer privacy advocates, states are allowed to adopt more stringent privacy regulations than are provided for in the Act.

The Act also criminalizes pretext calling, which occurs when a caller obtains private customer financial information through fraudulent or deceptive means. The text of the Act may be viewed at: http://thomas.loc.gov/ (see bill S.900, Title V).

Conclusion: Entities in the financial services sector should be alert to the new restrictions on the use of personal data contained in this legislation. In addition, in signing this legislation President Clinton explicitly stated that it does not go far enough in protecting bank customer privacy. Legislation will be considered in 2000 to extend customers' opt-out rights to transfers of personal data to entities affiliated with the bank holding such information, and to consider adoption of an opt-in, as opposed to opt-out, scheme for certain data transfers.


V. HEALTHCARE INFORMATION PRIVACY

On October 29, 1999, President Clinton, through the Department of Health and Human Services ("HHS"), proposed new regulations to protect the privacy of medical records. Comments on the proposed rules were due by November 26, 1999. The new rules will apply to three different categories of entities: health-care providers who transmit health information electronically, health plans, and health-care clearinghouses. Under the rules, such entities must ensure that any electronic information or printouts that could identify an individual are protected. These proposed rules implement Section 264 of the Health Insurance Portability and Accountability Act ("HIPAA"), which was enacted in August 1996. Section 264 gave Congress a three-year deadline to pass a law establishing privacy provisions for medical information, and provided that if Congress failed to act the Secretary of HHS should promulgate such regulations.

General provisions: The proposed rules are sufficiently general to allow a covered entity to devise its own internal procedures to satisfy them. Entities with specific authorization from the concerned individual may use or disclose protected health information for almost any lawful purpose. The guiding principle behind the rules is that a covered entity should disclose only the minimum amount of medical data necessary, subject to practical and technological considerations. Entities cannot condition treatment or payment on the individual's agreeing to disclose information for other purposes. Individuals have the power to revoke an authorization and obtain a written review of the covered entity's uses and disclosures of their personal information.

Covered entities may still use and disclose information for certain priority activities, including health-care system oversight, public health, research, judicial and administrative proceedings, and law enforcement. An entity sharing medical data can also comply with the rule by stripping off any personal identifying information.

If the entity has affiliates or subsidiaries, the entity must create barriers to prevent inappropriate use or disclosure. Where the covered entity enters into a contract with another entity, the contract must include terms to ensure confidentiality, unless disclosure is necessary for treatment consultation or referral under the contract. Finally, providers and third parties must also follow certain administrative procedures, such as maintaining documentation to demonstrate compliance with the rule and appointing an in-house privacy official. HHS may enforce the rules through action against healthcare providers, suppliers, and practitioners.

Conclusion: When these rules take effect, health-care providers, health plan administrators, and health-care clearinghouses will need to review and maintain an ongoing audit of their information gathering, sharing, and retention practices. They should give special attention to the terms of any contracts with third parties with which they share data and should review their employee education procedures. The proposed rules may be viewed at: http://aspe.hhs.gov/admnsimp.


VI. JUDICIAL DECISIONS

Despite the failure of Congress to adopt any overarching privacy protection scheme this year, the trend toward increasing government regulation of privacy seems inevitable. Such regulatory schemes as are adopted will generally take the form of limitations on the freedom of business enterprises to collect, use and sell personal data. The federal courts will be required to interpret such statutes and pass on their constitutionality.

"Opt-in" Privacy Regulations by the FCC

On August 18, 1999 the Court of Appeals for the Tenth Circuit overturned certain privacy regulations promulgated by the Federal Communications Commission which limited the ability of phone companies to use information about individuals' calling patterns for marketing purposes. U.S. West, Inc. v. Federal Communications Commission, 182 F.3d 1224 (10th Cir. 1999). Those regulations essentially prohibit the use of such information absent "opt-in" consent from customers. In adopting regulations with an "opt-in" requirement the FCC believed that it was implementing the intent of Congress as reflected in the Telecommunications Act of 1996.

The court acknowledged that the government has a substantial interest in protecting personal privacy, but found that the FCC regulations in question were not narrowly tailored enough. One of the main flaws in the FCC rulemaking, according to the court, was that the agency did not consider whether a less burdensome "opt-out" scheme would have been adequate to protect individuals' privacy interests. The court found that the regulations infringed the constitutional right of U.S. West to engage in protected commercial speech, i.e., to solicit further business from its existing customers.

To the extent the federal courts constitutionalize privacy regulation, it will have a substantial impact on future legislative and regulatory schemes and will result in a much larger role for the courts in the ongoing privacy debate. The FCC has sought rehearing en banc from the full court of appeals. Presumably review in the Supreme Court will be sought by whichever party loses in the Tenth Circuit.

The Drivers Privacy Protection Act

On November 10, 1999 the Supreme Court heard argument in the case of Reno v. Condon, concerning whether the Drivers Privacy Protection Act of 1994 is constitutional. The Act mandates that state drivers license bureaus limit the dissemination of personal data obtained from drivers license holders. The Act has been held unconstitutional by several lower courts on states rights grounds not directly related to privacy concerns.

Massachusetts v. Source One Associates

The seriousness with which some courts and regulators are starting to address privacy issues was highlighted in 1999 by a civil penalty action brought by the State of Massachusetts against Source One Associates, an "information broker." The Massachusetts Attorney General accused Source One of obtaining personal information from banks and other sources through pretext calls, in which the caller would misrepresent his identity or purpose to induce a bank employee to disclose otherwise nonpublic information. On October 14, 1999, the court ordered the broker to pay $500,000 in civil penalties. The Clinton administration and others will certainly point to this decision and other pending prosecutions under state or federal law as evidence that existing U.S. privacy law has teeth, despite the lack of an overall regulatory scheme to protect privacy at the federal level.


CONCLUSION

While 1999 did not see the enactment of sweeping Internet privacy legislation at the federal level, significant changes did take place in privacy regulation in several areas. Any business with an online presence should review its existing privacy policies in light of those new developments. Companies doing business online should also consider whether it is in their interest to participate in an industry self-regulatory organization devoted to privacy concerns.


FOR ADDITIONAL INFORMATION


For more information about online privacy law, contact any member of the Internet Law Group or one of the authors of this article directly:

Karl D. Belgum (San Francisco) kbelgum@thelenreid.com

Brian Lowinger (Washington, D.C.) blowinger@thelenreid.com


This legal update from Thelen Reid & Priest LLP is published as an information service to clients and friends. Please recognize that the information is general in nature and does not constitute legal advice. The attorneys listed above would be pleased to discuss in greater detail the information in this report and its application to your specific situation. We welcome your comments and suggestions.
