Have you noticed the newest links that have been popping up on some web pages? Little blue words at the bottom of the page beckoning you to click and read about this web site's privacy policy. The statements describing web sites' privacy policies are indeed one of the newest additions to the world wide web, and their existence can be attributed to the battle among privacy advocates, the Internet community, the Federal Trade Commission ("FTC") and Congress about the protection of personal information on the Internet. If you don't already have a privacy policy statement on your web site, read on to find out why you should add one right away. If you are a web user, read on to find out where this new scenery along the information superhighway came from, and where it is going.
Of late much of the attention that the public and the press have focused on the Internet and the world wide web has been devoted to concerns about the privacy of the users of the web, and the abilities of web users to seek out personal information about third parties, whether those third parties are web users or not. These concerns can be broken down into two broad categories. The first is about information held in electronic databases which may be of a sensitive or personal nature, such as a person's social security number, date of birth, or medical, financial or criminal history. A second concern relates to the exchange of information arising out of interactions between web users and operators of web sites, chat rooms, and other forums.
The users of the web seek a certain degree of anonymity analogous to that attained when walking down a busy street; the likelihood is that the average person can look into store windows and make purchases without having people take note of what he or she is looking at and buying. Yet, based on information provided by your web browser, it is quite easy for web site operators to track your identity, your likes and dislikes, which web pages you are visiting, and which sites you have visited recently. Web browsers provide much of this information to web site operators as a matter of necessity, because such information is used by the web server to send you information you request by clicking on web links. Nevertheless, this information has potential value to marketers of products and services, despite the fact that customers may wish to avoid the circulation of such information.
In Europe, the responses to these concerns have been legislative: The European Data Protection Directive (the "Directive") will be phased in this year. Due to the limits it places on persons who process any personal information, many are concerned that the Directive will seriously limit the use of computers overall. In the United States, there have been calls for Congress to enact laws that would similarly protect individuals' personal information, but doing so might stifle development of the online universe. Additionally, the FTC has weighed in on the issue; its position advocates self-regulation in the Internet community.
The FTC's approach, if it works, would be the least harmful to the Internet community, and may even have positive effects. It charges businesses who have an Internet presence to act reasonably in the way they deal with personal information, and it provides guidelines to help businesses self-regulate successfully. This approach is preferable to the legislative one taken in Europe and advocated by some in the U.S., because, to be effective, legislation has to be backed by enforceable and meaningful remedies. Yet by giving these laws teeth, legislators would effectively place a burden upon companies that operate in cyberspace. Since companies tend to be risk-averse, such teeth would produce a chilling effect on companies' use of information technology. Thus, such companies may prefer to eliminate web or Internet-based services rather than risk penalties arising from the very complex questions of privacy in cyberspace. Alternatively, web-based businesses may be forced to raise their prices for their web-based services to compensate them for the increased risks.
The privacy guidelines that the FTC has suggested focus on four key points:
Notice. The FTC believes that users of web or Internet sites should be provided with information about how their personal information may be obtained, what their personal information may be used for, and what they can do to limit the use of their personal information.
Access. The FTC has argued that individuals should have the ability to find out what information a given company has about them. Similarly, individuals should have the right to request changes to incorrect entries about them.
Choice. The FTC believes that individuals should have the ability to prevent, or opt out of, the use or availability of their personal information.
Security. The FTC has stated that databases which contain certain sensitive personal information should not be subject to search by persons who have neither the consent of that person, nor a valid reason to access such data.
Different approaches have been used in different sectors of cyberspace to address these points. Look-up services such as Lexis-Nexis have been asked to, and have agreed to, limit the availability of particularly sensitive information. Web sites that do utilize the personal information of their users have taken the approach of disclosing to their users the kinds of data that they collect, along with the purposes to which such data will be put. The vehicle for such disclosure by web site operators is the privacy policy statement ("Privacy Statements") that you may have recently noticed on some web sites.
To be effective, Privacy Statements should contain a clear and concise explanation about the personal information that is collected. Included in the disclosure should be a list of the types of information that the web site operator collects, an explanation of the ways the information is collected, and a description of the way the information will be used. Additional information that is strongly favored is an explanation of the use of cookies and of the procedures that users can follow to opt out of the site operator's information use. Cookies are small files that some sites save on their users' computers to allow the site operator to recognize individual users when they visit the site. Cookies are also used to keep track of users' passwords, users' preferences for configuration of information displayed by a particular site, and other similar functions. The opt-out option should allow users to have their names and other personal information removed from a web site operator's database. The opt-out approach is favored because it is a compromise between marketers and privacy advocates. Privacy advocates have argued that site operators should assume that each user has opted out unless a user explicitly opts in. However, if such a rule were put in place, it would preclude almost all use of personal information because of the logistics of an opt-in system.
Web site operators should adopt a Privacy Statement, even if the web site operator collects no personal information about the visitors to the site. Most importantly, a Privacy Statement communicates that the site operator is cognizant of its customers' interests, and it allows a user to change the way his or her personal information is treated by the site operator.
Additionally, the FTC will be conducting random surveys of web sites over the coming months to determine the extent to which self-regulation has become an effective method of addressing Americans' privacy concerns. If those surveys show that a substantial number of sites are not in line with the FTC's guidelines, it is possible that the FTC will propose legislation to address such privacy concerns. Such legislation could substantially increase the cost of operating a web site, depending upon the complexity of the legislation. Additionally, because the FTC has extremely broad power to investigate and bring enforcement actions, it is conceivable that the FTC might also bring actions against web site operators who are unscrupulous with information obtained on the Internet.
Finally, because of Europe's hard line on data privacy issues, companies with an international presence should make a particularly careful review of their Internet privacy policies. Companies should examine both the policy statements posted on their web sites as well as their actions with regard to their web users. Those companies that (i) target their web sites to European audiences, (ii) operate web sites from servers located in Europe, (iii) store, process or otherwise use computerized files containing personal information in Europe, or (iv) transfer personal data from Europe to the United States should be particularly careful since any such storage, processing, or use of personal information may run afoul of Europe's data protection laws.