Do You Have a Legally Protected Right to Online Privacy?
YES, BUT IT'S COMPLICATED
While many US states have passed relevant laws, and although there are draft bills pending in Congress that aim to regulate online personal data collection, there is currently no singular, comprehensive national law that defines your rights related to online tracking, data collection, storage, and retention. Federal officials and interested members of the public have met many times to determine how best to protect a person's online privacy while leaving room for freedom of speech and ecommerce for Web site owners and online advertisers. The current system is made up of a series of federal laws committed to regulating the collection of specific types of data, and the Federal Trade Commission's FTC Act that combats "unfair or deceptive" online practices. In fact, rather than adopt an all-inclusive law or set of laws, it seems likely that the federal government will continue to regulate only in certain areas, leaving it primarily to (1) the Internet user herself to actively opt out of and avoid unwanted data collection or use, and (2) the private companies to apply privacy policies that are readable, protective of the consumer, and actually followed.
DIFFICULTY OF REGULATION
Although the US has a long history of protecting its citizens' sense of privacy in the physical realm, privacy laws are difficult to apply to the online digital realm – namely because the Internet crosses national borders and because the government is concerned with stifling ecommerce. There are established laws that the federal government has used in attempts to afford the same protections online as are legally afforded offline, but such laws are considered by many to be outdated and ineffective. Another difficulty for regulators is how to fairly balance individual privacy concerns against the commercial interests of online data collection. The Internet has grown exponentially since its inception, and personal information is increasingly becoming a valuable, tradable commodity that is collected, stored, and transmitted with ease. Sure, online data collection and targeted advertising can make online shopping and quick searching more convenient, but it is difficult to determine where to draw the line to prevent unwanted use and storage of consumer information. Hence, the government has pretty much left it up to the consumer herself to opt out of behavioral targeted advertising, access to social network profiles, and other data collection and sharing activities.
ESTABLISHED LAWS
- The Electronic Communications Privacy Act ("Wiretap" Act and the Stored Communications Act) was enacted over two decades ago, in 1986. The law limits government access to an individual's private electronic communications. The USA Patriot Act amended it.
- The Children's Online Privacy Protection Act regulates collection of children's personal information online, and requires parental consent for such data collection by Web sites frequented by children.
- HIPAA protects personally identifiable medical information.
- The HITECH Act protects electronic health records.
- The Gramm-Leach-Bliley Act protects data collected by financial institutions. It requires financial institutions to provide each consumer with a privacy notice that explains what information is collected, shared, and used about the consumer, and how the bank protects that information. The notice must give the consumer the right to opt out of any information-sharing relationship with third parties.
- The Fair Credit Reporting Act regulates your credit history.
- The FTC's Red Flag Rules are regulations that require financial institutions and creditors to have written identity theft prevention programs.
- The CAN-SPAM Act requires email marketers to honor individuals' requests to opt out of spam mailings.
EMERGING LAW
Pending Legislation
- A Discussion Draft of Privacy Legislation was released in May 2010 by Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL). If enacted, it would require "notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual." The law would require companies that collect personally identifiable information to display a readable, understandable privacy policy explaining data collection, use, and disclosure practices. Private individuals would be given the right to sue companies for violation of these requirements.
- More recently, in July 2010, the Best Practices Act (H.R. 5777, 111th Congress) was introduced to the House Committee on Energy and Commerce. Similar to the Boucher Bill, the Best Practices Act by Representative Bobby Rush (D-Ill.) would require online companies to get user permission before collecting health and financial information and before sharing personal information with third parties. And like Boucher's bill, the Best Practices Act grants citizens the right to sue violators of the act's provisions.
- Opponents of the legislation, like ecommerce trade groups NetChoice and Interactive Advertising Bureau, say such legislation is overly broad, would "cripple the Internet," and would make it easy for consumers to opt out of data collection, even when the data is not personally identifiable. Some opponents are concerned about the inherent inflexibility of legislation, and frequently push for a self-regulatory approach to online privacy governance in order to more swiftly react to consumer privacy concerns.
The Federal Trade Commission (FTC), a US government agency in charge of consumer protection and industry oversight, has been examining Internet privacy issues related to targeted behavioral advertising since the 1990s. The FTC has the authority to sue online entities that have been "unfair or deceptive" or have violated their own privacy policies. The agency has also produced several reports and proposals for online consumer protection regulation (see below), and intends to present an additional Report on Privacy in the near future. The agency has hosted numerous public hearings and reviewed thousands of pages of public commentary on the matter, but official regulations have yet to be drafted that officially define the legality, rights, and limitations related to online tracking techniques. The FTC will soon release its latest Report on Privacy, a result of a series of roundtable discussions it has conducted. The FTC has been criticized for focusing its attention almost exclusively on online behavioral advertising while ignoring other important online consumer privacy concerns. For details on the debate, check out the following papers:
- FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising, February 2009
- Concurring Statement of Commissioner Harbour, February 2009
- Concurring Statement of Commissioner Leibowitz, February 2009
- FTC, Protecting Consumers in the Next Tech-ade, Spring 2008
- FTC Testimony Before Congress on Behavioral Advertising, July 9, 2008
- Final Report of the FTC Advisory Committee on Online Access and Security, May 15, 2000
- FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace, May 2000
- FTC Report to Congress: Privacy Online, June 1998
PREFERENCE FOR INDUSTRY SELF-REGULATION?
While governments in the European Union and Canada have adopted meaty pieces of legislation that more heavily regulate online data collection, the US has thus far chosen to approach the issue using a market-based, self-regulatory approach. This means that, rather than passing complex laws to remedy online privacy concerns, the government will step aside and allow online businesses to regulate themselves, primarily through their own privacy policies. Supporters of the self-regulatory approach believe that if consumers want stronger privacy protections on the sites they frequent, businesses will profit only if their privacy controls win over the consumer's trust; and the market will adapt accordingly. They believe that more stringent regulation might not be as relevant or adaptable to advancements in technology as compared to "guidelines" or "principles." Alternatively, those who are against a self-regulatory approach tend to believe that there are inherent problems associated with many self-regulatory schemes, and that it takes a government's strong legislative hand to communicate what is right and wrong.
- The Network Advertising Initiative. Consistent with the movement toward self-regulation, the Network Advertising Initiative (NAI) produced its Self-Regulatory Code of Conduct, or "NAI Principles," which was presented to and approved by the FTC in 2008. NAI is a collection of online advertising companies trying to create uniform data collection practices and avoid extensive industry oversight by the FTC. Its members, who include Google and Microsoft, are contractually obligated to abide by the Code of Conduct. The Code requires members to "educate consumers about behavioral advertising," "clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices," and obtain "consumer's opt in consent" before using "sensitive consumer information for online behavioral advertising," among other things. Abine's opt-out and tracker blocking tools (TACO) create an easy way for Internet users to ensure they have the choice to opt out of and block profiling; our TACO app allows you to opt out of the tracking activities of thousands of companies – even those that are not obligated to follow the NAI Code.
- Consumer Advocacy Groups. Averse to the movement toward industry self-regulation are various think tanks and consumer protection groups, like the World Privacy Forum and the Center for Digital Democracy, who are in support of a stronger legislative hand to control online behavioral tracking activities. These groups have submitted comments and reports to the FTC on their positions, advocating for stronger consumer protection through tools like mandatory opt-in (not opt-out) mechanisms and broadening the definition of "personally identifiable information." They claim that the NAI Self-Regulatory Code of Conduct fails to adequately protect consumer privacy.
NOTABLE CASES ON ONLINE PRIVACY
- FTC v. US Search, Inc. (September 22, 2010). This case is the latest in a series of FTC enforcement cases regarding a company's alleged failure to honor its privacy policy. US Search, an online data broker that sells information about consumers to the public, has agreed to settle with the FTC, which claimed the company violated its privacy policy. While the privacy policy declared that US Search customers could hide their private information from search results, the company did not actually block consumers' personal information.
- FTC v. Sears Holdings Management Corp. (June 4, 2009). FTC alleged that Sears hadn't alerted its customers about the extent of the company's online tracking activities. The case was settled.
- FTC v. Toysmart (July 10, 2000). This case was filed in the US Court for the District of Mass. It ultimately settled out of court; but FTC alleged that Toysmart's sale of confidential, personal customer information collected on the company Web site violated its own privacy policy.
- FTC v. ReverseAuction.com, Inc. (January 6, 2000). FTC claimed that ReverseAuction.com promised its users that it would comply with eBay's privacy policy and then violated that policy when it used personally identifying information to send its users spam mail to promote its new site. An out-of-court settlement resulted.
- FTC v. Liberty Financial (May 6, 1999). FTC alleged that Liberty Financial was engaged in deceptive practices with regard to its privacy promise, which represented that information would be anonymous. In reality, LF was collecting the info in a non-anonymous manner. This case was settled out of court.
- FTC v. GeoCities (Feb. 5, 1999). The first FTC case regarding online privacy. FTC alleged that GeoCities misrepresented the purposes for which it was collecting personal identifying information from children and adults. Again, out-of-court settlement.
READ THE FINE PRINT
Currently, the FTC can sue companies who fail to follow their own privacy policies, fail to clearly and conspicuously share the contents of their privacy policy, or fail to maintain strong enough security practices related to the data they’ve collected about their users. Links to the policies of a few commonly visited sites are listed below, for the convenience of interested readers:
WANT TO KNOW MORE?
Helpful Articles
- The Wall Street Journal has been following the online tracking debate closely. See http://online.wsj.com/public/page/what-they-know-digital-privacy.html
- The Washington Post produced a lengthy investigative report on “Top Secret America”
- Newser.com collects online privacy articles: http://www.newser.com/tag/2321/1/online-privacy.html
- The Electronic Privacy Information Center (EPIC) lists news articles discussing the online privacy debate: http://epic.org/news/epic_in_news.html
Informational Web Sites
- OnGuard Online (http://www.onguardonline.gov/)
- OnlinePrivacyAlliance.org (http://www.privacyalliance.org/)
- PrivacyActivism (www.privacyactivism.org)
- Of course, Wikipedia’s page on Internet privacy (http://en.wikipedia.org/wiki/Internet_privacy) provides a rough summary of levels, risks, and legal threats to the Web user’s online privacy.
Organizations & Government Agencies Alert to Online Privacy Concerns
American Civil Liberties Union (ACLU) is a nationwide organization of civil rights lawyers whose agenda includes litigation, policy shaping, and campaigning in the area of privacy rights
Computer Professionals for Social Responsibility has a Privacy and Civil Liberties program promoting online privacy
The Digital Due Process Coalition is a collection of privacy advocates, including the ACLU, amazon.com, Google, AT&T, and others, who wish to revitalize the Electronic Communications Privacy Act
Electronic Frontier Foundation is a collaboration of lawyers, policy analysts, activists, and technologists whose litigation work includes cases related to online invasions of privacy
Electronic Privacy Information Center is a public interest research group dedicated to focusing national attention on the protection of privacy
The Federal Trade Commission is the US government agency in charge of consumer protection and the development of online privacy legislation
The Future of Privacy Forum (FPF) is a policy institute interested in the advancement of responsible data collection practices
The House Subcommittee on Communications, Technology, and the Internet is chaired by Rep. Rick Boucher and has submitted draft legislation on online privacy rights
Network Advertising Initiative, a collection of online marketing companies, has been working to establish uniform business practices regarding personal data collection. Abine’s opt-out and tracker blocking tools (TACO) create an easy way for Internet users to ensure they have the choice to opt out of and block profiling; our TACO app allows you to opt out of the tracking activities of thousands of companies – even those that are not obligated to follow the NAI Code (see above).
The Privacy Foundation at the University of Denver conducts research on technologies that affect personal privacy
The Privacy Rights Clearinghouse is a nonprofit organization whose mission is to raise awareness of how technology affects personal privacy
Center for Digital Democracy, US Public Interest Research Group is a national nonprofit group that researches the development of the digital communications landscape
World Privacy Forum is a nonprofit that conducts research in the area of privacy
WHAT DO YOU THINK?
If you have any comments or suggestions regarding this page, contact claire@getabine.com

