Overview of U.S. Laws Relating to E-Commerce

5. Privacy

Legislation relating to privacy issues is still fairly limited in the United States as compared, for example, with the European Union. The preferred American approach is one of self-regulation by the industry. So far this seems to be working, with increasing numbers of e-commerce traders adopting privacy policies and making these available to those accessing their web sites. Some law has, however, been enacted.

5.1 Children's Online Privacy Protection Act [31]

In October 1998, based upon the FTC's recommendation, the Children's Online Privacy Protection Act became law. The Act came into force and effect on April 21, 2000 and was enacted to address privacy concerns with respect to information gathered online by commercial website operators from children under the age of thirteen. Even if a company's website is not directed towards children, if it is a general audience website and the operator has actual knowledge that it is collecting personal information from children under thirteen, compliance with the Act is required. The Act requires operators of commercial websites or online services to:

(1) provide notice of the type of information collected from children, the manner in which such information is used and whether such information is shared with third parties;

(2) obtain "verifiable parental consent" before collecting, using or disclosing information from the child that will (a) enable someone to contact the child off-line, or (b) be shared with third parties or be publicly posted;

(3) provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance;

(4) prohibit conditioning a child's participation on the provision of personal information except where the disclosure is reasonably necessary to participate in the activity; and

(5) establish reasonable measures to ensure the security and integrity of the information collected.

The Act applies to information collected in identifiable form from a child under thirteen by an operator of a website or online service, for any purpose, through a home page, a pen pal service, an electronic mail service, a message board or a chat room. Personal information includes a first and last name, a home or other physical address, an e-mail address, a telephone number, a Social Security number, any other identifier that the Commission determines permits the online or physical contacting of a child, and information concerning the child or the child's parents that the website collects from the child and combines with one of the identifiers listed above.

The Federal Trade Commission (FTC), the agency responsible for promulgating and enforcing regulations under COPPA, has been very active in attempting to ensure compliance with it. The FTC has initiated several major actions under COPPA against both online retailers ("e-tailers") and traditional brick-and-mortar companies that maintain websites, and has been relatively successful in obtaining monetary penalties and forcing compliance. [32]

In addition to the legislation described above, governmental agencies and consumer protection groups have issued voluntary guidelines intended to promote fair business transactions online and to extend consumer protection to e-commerce. For example, the FTC has posted on its website (www.ftc.gov) a primer for businesses seeking to comply with COPPA entitled "How to Comply with the Children's Online Privacy Protection Rule." Federal Rules for the implementation of the Children's Online Privacy Protection Act are set out at 16 CFR §§ 312.1-312.11.



5.2 Privacy of Financial Information

The Gramm-Leach-Bliley Act [33] was signed into law by the President on November 12, 1999 and came into full force and effect on July 1, 2001. [34] This law applies only to the financial services industry. It applies to financial institutions such as banks, savings associations, credit unions, insurance companies, insurance agents and brokers, securities firms, investment and financial advisers, mutual funds, licensed lenders, loan brokers, finance companies, check cashers, collection agencies, credit bureaus, data processors, equipment lessors and some real estate lessors, courier services, printers of checks and similar documents, issuers of money orders, travelers checks and similar documents and other companies already engaged in activities that are closely related to banking. The Act deals with personal, non-public information provided to financial institutions by individuals.

The FTC has issued rules relating to privacy with respect to financial services, which came into effect on July 1, 2001. In addition to requiring financial service providers to safeguard customer information and to allow customers to opt out of any sharing of their information, the rules also require the institutions to advise customers of the nature of the information they collect, including information obtained from "cookies," and to advise them with whom such information is shared.

The SEC has issued its own rules implementing the Act's privacy provisions for the securities industry, which likewise came into effect on July 1, 2001. Essentially, these regulations address three aspects of the treatment of nonpublic personal information about consumers by financial institutions. First, they set out the requirements for a financial institution to provide notice to customers of its privacy policies and practices. Second, they specify the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties. Lastly, they provide a mechanism by which consumers can prevent a financial institution from disclosing personal information by "opting out" of that disclosure. Federal Rules for the implementation of the Gramm-Leach-Bliley Act as it pertains to the securities industry are set out at 17 CFR §§ 248.1-248.30.

Additionally, the Fair Credit Reporting Act regulates the collection and dissemination of consumer reports, i.e., statements that include information about a consumer's creditworthiness, credit history, character, reputation, personal characteristics or mode of living. [35]

5.3 Proposed Federal Legislation

A bill entitled the Online Privacy Protection Act of 2001 was introduced in the House of Representatives on January 3, 2001. [36] Essentially, the purpose of this bill is to require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected on the Internet from and about individuals who are not covered by the Children's Online Privacy Protection Act of 1998, and to give individuals greater control over the collection and use of that information. The bill would prohibit the operator of a website or online service from collecting, using or disclosing personal information concerning an individual (age 13 and above) in a manner that violates the regulations to be prescribed by the Federal Trade Commission, and would require such operators to provide a process by which such individuals can consent to or limit the disclosure of such information. The bill has been referred to the Committee on Energy and Commerce.

Several other bills have been introduced in the House of Representatives, including the Consumer Online Privacy and Disclosure Act [37], which is designed to give individuals greater control over the use of information collected about them on the Internet. This bill is somewhat more restrictive than the proposed Online Privacy Protection Act of 2001 in that it would also prohibit "Internet profiling" [38] and would prohibit website operators or Internet service providers that have become insolvent from selling the information they have collected from Internet users. Like the Online Privacy Protection Act of 2001, the Consumer Online Privacy and Disclosure Act provides certain safe harbors and exceptions to the general prohibitions described above, most notably where the user has consented to the disclosure of such personal information.

Other bills introduced in the House of Representatives or the Senate addressing online privacy and the collection of personal information from Internet users include the Consumer Internet Privacy Enhancement Act [39], the Privacy Act of 2001 [40] and the Who is E-Mailing Our Kids Act [41], which would require schools and libraries receiving federal assistance to block access to Internet services that enable users to access the World Wide Web and transfer e-mail anonymously.

5.4 State Legislation on Privacy Issues

At the state level, several states have laws protecting privacy in one way or another.

5.4.1 California

The Internet Privacy Protection Act of 1999 provides that no Internet service provider that provides direct Internet services to residents of California shall disclose any personally identifying information about a subscriber to a third party for marketing or other purposes without the knowledge and affirmative consent of that subscriber. The bill would require this restriction to be incorporated into any service agreement or contract between an Internet service provider and a California subscriber that is executed or renewed on or after the effective date of the bill. It would apply to all businesses and entities, including telephone and telegraph corporations, credit card issuers and bookkeeping and video rental services. This bill is typical of the prohibitions placed on Internet service providers and website operators by the individual states.

5.4.2 New York

The Internet Privacy Policy Act will come into force and effect on June 17, 2002. This Act pertains only to New York State agencies which provide an interactive computer service to individual users. The Act prohibits a state agency from collecting personal information concerning a user, or disclosing it to any person, firm, partnership, corporation or other entity, unless such user expressly states that he or she has (1) received the required notice or (2) consented to such collection or disclosure. [42]

5.5 Trade Secrets and Privacy

As the law stands at present, it seems that once a secret has been posted on the Internet there is little that can be done to prevent its further dissemination. Thus in Ford Motor Co. v. Lane [43] it was held that once trade secrets had been sent to an outside website, no injunction could be issued against their being posted online, since this would constitute a prior restraint on speech.

5.6 European Union Directive on the Protection of Personal Data

The European Union adopted a Directive requiring its member states to harmonize their laws on the protection of individuals with regard to the processing of personal data. The Directive was adopted on October 24, 1995, and member states were required to bring their national laws into conformity with it within three years. [44]

With respect to privacy protection, the Directive prohibits the transfer of personal data to non-European Union countries that do not meet the European "adequacy" standard for privacy protection. This caused concern in the United States, since the Directive prohibits the transfer of personal data outside the European Union to countries that do not provide "an adequate level of protection" for personal data. [45] Whether protection is "adequate" is assessed in light of all the circumstances surrounding a given transfer. Processing of personal data within the European Union may only take place if one of the following criteria is met:

(1) the data subject has unambiguously given his consent; or

(2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(3) processing is necessary for compliance with certain legal obligations; or

(4) processing is necessary in order to protect the vital interests of the data subject; or

(5) processing is necessary for the performance of certain tasks carried out in the public interest or in the exercise of official authority; or

(6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subject.

While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that of the European Union. The United States uses a sectoral approach that relies upon a mix of legislation, regulation and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these differing privacy approaches, the Directive would have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions. [46] Specifically, U.S. companies were concerned that these provisions could be used to prevent the transfer out of member states of the European Union of certain types of data.

In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework. The safe harbor is an important way for U.S. companies to avoid interruptions in their business dealings with the European Union or prosecution by European authorities under European privacy laws. Certifying to the safe harbor through the U.S. Department of Commerce assures European Union organizations that a U.S. company provides "adequate" privacy protection, as defined by the Directive.

To take advantage of the safe harbor provisions, U.S. companies are required to accept the following obligations:


1) to notify individuals about the purposes for which they collect and use information about them;

2) to give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual;

3) when disclosing information to a third party, to apply the notice and opt-out principles set out above;

4) to give individuals access to personal information about them that an organization holds and the ability to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated;

5) to take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction;

6) to confine personal information stored to that which is relevant for the purposes for which it is to be used and to take reasonable steps to ensure that data is reliable for its intended uses, accurate, complete and current; and

7) in order to ensure compliance with the safe harbor principles, to provide (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.

The safe harbor provides a number of important benefits to U.S. and E.U. companies including:


1) All 15 Member States of the European Union will be bound by the European Commission's finding of "adequacy";

2) Companies participating in the safe harbor will be deemed adequate and data flows to those companies will continue;

3) Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and

4) Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions. [47]

The safe harbor framework offers a simpler and cheaper means of complying with the adequacy requirements of the Directive. Furthermore, an E.U. company can ensure that it is sending information to a U.S. company participating in the safe harbor by viewing the list of safe harbor companies posted on the U.S. Department of Commerce's website at www.export.gov/safeharbor.

5.7 Current Trends in Internet Privacy Policy

In a speech delivered at The Privacy 2001 Conference on October 4, 2001, the Chairman of the Federal Trade Commission, Timothy J. Muris, proposed an aggressive, pro-privacy agenda with respect to Internet privacy for 2002 and beyond, including a significant increase in the FTC's resources devoted to online privacy and stepped-up enforcement. It is interesting to note, however, that website operators and online service providers, pressed for profits after the end of the Internet boom, have begun to broaden their privacy policies in an effort to raise revenues. For example, Yahoo recently changed its privacy policy to make clear that it has the right to send mail and make sales calls to tens of millions of its registered users. Additionally, it has unilaterally given itself permission to send users e-mail marketing messages on behalf of its growing family of services, even to those users who had previously requested not to receive any marketing from Yahoo. Following Yahoo's lead, the Internet portal Excite has asked its users to accept a privacy policy that explicitly allows it to rent their names and phone numbers to marketing companies.


[31] 15 U.S.C. §§ 6501 et seq.
[32] United States v. Looksmart, Ltd., No. 0-1606-A (E.D. Va.) (consent decree for $35,000.00 civil penalty entered on April 23, 2001) (settling charges that collection of personally identifiable information from children under 13 years of age without parental consent and sharing that information with others without parental consent violated the Children's Online Privacy Protection Act Rule); United States v. BigMailbox.com, Inc., No. 0-1605-A (E.D. Va.) (consent decree for $35,000.00 civil penalty entered on April 23, 2001); United States v. Monarch Servs., Inc., No. AMD 01 CV 1165 (D. Md.) (consent decree entered on Apr. 20, 2001); United States v. Lisa Frank, Inc., No. 01-1516-A (E.D. Va. filed Oct. 1, 2001) ($30,000.00 civil penalty).
[33] See 15 U.S.C. §§ 6801-6810. As required under the Act, the Federal Trade Commission, along with the Federal banking agencies, the National Credit Union Administration, the Treasury Department, and the Securities and Exchange Commission, have issued regulations (the FTC's at 16 CFR §§ 313.1-313.18) ensuring that financial institutions protect the privacy of consumers' personal financial information. Such institutions must develop and give notice of their privacy policies to their own customers at least annually, and before disclosing any consumer's personal financial information to a non-affiliated third party, must give notice and an opportunity for that consumer to "opt out" from such disclosure. The Act also limits the sharing of account number information for marketing purposes.
[34] See 16 CFR 313.18(a). However, 16 CFR 313.18(a) provides a two-year grandfathering until July 1, 2002 for compliance with the Act for service agreements entered into prior to July 1, 2000.
[35] See 15 U.S.C. §§ 1681 et seq.
[36] See HR 89 IH.
[37] See HR 347 IH.
[38] The term "Internet profiling" has come into the lexicon to describe the practice of attaching a persistent cookie as a means of developing a personal profile on an individual user.
[39] See HR 237 IH.
[40] See S.1055.
[41] See HR 1846.
[42] See NY CLS State Technology Law § 203 (2002).
[43] 67 F.Supp 2d 745 (E.D. Mich. 1999).
[44] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. L 281/31 (Nov. 23, 1995).
[45] "Personal data" is defined broadly as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
[46] See U.S. Department of Commerce, www.export.gov/safeharbor.
[47] See U.S. Department of Commerce, www.export.gov/safeharbor.


(C) Copyright 2002 Ladas & Parry - Posted July 2002