Do You Have a Legally Protected Right to Online Privacy?
YES, BUT IT'S COMPLICATED
While many US states have passed relevant laws, and although there are draft bills pending in Congress that aim to regulate online personal data collection, there is currently no singular, comprehensive national law that defines your rights related to online tracking, data collection, storage, and retention. Federal officials and interested members of the public have met many times to determine how best to protect a person's online privacy while leaving room for freedom of speech and ecommerce for Web site owners and online advertisers. The current system is made up of a series of federal laws committed to regulating the collection of specific types of data, and the Federal Trade Commission's FTC Act that combats "unfair or deceptive" online practices. In fact, rather than adopt an all-inclusive law or set of laws, it seems likely that the federal government will continue to regulate only in certain areas, leaving it primarily to (1) the Internet user herself to actively opt out of and avoid unwanted data collection or use, and (2) the private companies to apply privacy policies that are readable, protective of the consumer, and actually followed.
DIFFICULTY OF REGULATION
Although the US has a long history of protecting its citizens' sense of privacy in the physical realm, privacy laws are difficult to apply to the online digital realm – namely because the Internet crosses national borders and because the government is concerned with stifling ecommerce. There are established laws that the federal government has used in attempts to afford the same protections online as are legally afforded offline, but such laws are considered by many to be outdated and ineffective. Another difficulty for regulators is how to fairly balance individual privacy concerns against the commercial interests of online data collection. The Internet has grown exponentially since its inception, and personal information is increasingly becoming a valuable, tradable commodity that is collected, stored, and transmitted with ease. Sure, online data collection and targeted advertising can make online shopping and quick searching more convenient, but it is difficult to determine where to draw the line to prevent unwanted use and storage of consumer information. Hence, the government has pretty much left it up to the consumer herself to opt-out of behavioral targeted advertising, access to social network profiles, and other data collection and sharing activities.
- The Electronic Communications Privacy Act ("Wiretap" Act and the Stored Communications Act) was enacted over two decades ago, in 1986. The law limits government access to an individual's private electronic communications. The USA Patriot Act amended it.
- The Children's Online Privacy Protection Act regulates collection of children's personal information online, and requires parental consent for such data collection by Web sites frequented by children.
- HIPAA protects personally identifiable medical information.
- The HI-TECH Act protects electronic health records.
- The Gramm-Leach-Bliley Act protects data collected by financial institutions. It requires financial institutions to provide each consumer with a privacy notice that explains what information is collected, shared, and used about the consumer, and how the bank protects that information. The notice must give the consumer the right to opt out of any information-sharing relationship with third parties.
- The Fair Credit Reporting Act regulates your credit history.
- The FTC's Red Flag Rules are regulations that require financial institutions and creditors to have written identity theft prevention programs.
- The CAN-SPAM Act requires email marketers to honor individuals' requests to opt out of spam mailings.
EMERGING LAWPending Legislation
- More recently, in July 2010, the Best Practices Act (H.R. 5777, 111th Congress) was introduced to the House Committee on Energy and Commerce. Similar to the Boucher Bill, the Best Practices Act by Representative Bobby Rush (D-Ill.) would require online companies to get user permission before collecting health and financial information and before sharing personal information with third parties. And like Boucher's bill, the Best Practices Act grants citizens the right to sue violators of the act's provisions.
- Opponents of the legislation, like ecommerce trade groups NetChoice and Interactive Advertising Bureau say such legislation is overly broad, would "cripple the Internet," and would make it easy for consumers to opt out of data collection, even when the data is not personally identifiable. Some opponents are concerned about the inherent inflexibility of legislation, and frequently push for a self-regulatory approach to online privacy governance in order to more swiftly react to consumer privacy concerns.
The Federal Trade Commission (FTC), a US government agency in charge of consumer protection and industry oversight, has been examining Internet privacy issues related to targeted behavioral advertising since the 1990's. The FTC has the authority to sue online entities that have been "unfair or deceptive" or have violated their own privacy policies. The agency has also produced several reports and proposals for online consumer protection regulation (see below), and intends to present an additional Report on Privacy in the near future. The agency has hosted numerous public hearings and reviewed thousands of pages of public commentary on the matter, but official regulations have yet to be drafted that officially define the legality, rights, and limitations related to online tracking techniques. The FTC will soon release its latest Report on Privacy, a result of a series of roundtable discussions it has conducted. The FTC has been criticized for focusing their attention almost exclusively on online behavioral advertising while ignoring other important online consumer privacy concerns. For details on the debate, check out the following papers:
- FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising, February 2009
- Concurring Statement of Commissioner Harbour, February 2009
- Concurring Statement of Commissioner Leibowitz, February 2009
- FTC, Protecting Consumers in the Next Tech-ade, Spring 2008
- FTC Testimony Before Congress on Behavioral Advertising, July 9, 2008
- Final Report of the FTC Advisory Committee on Online Access and Security, May 15, 2000
- FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace, May 2000
- FTC Report to Congress: Privacy Online, June 1998
PREFERENCE FOR INDUSTRY SELF-REGULATION?
While governments in the European Union and Canada have adopted meaty pieces of legislation that more heavily regulate online data collection, the US has thus far chosen to approach the issue using a market-based, self-regulatory approach. This means that, rather than passing complex laws to remedy online privacy concerns, the government will step aside and allow online businesses to regulate themselves, primarily through their own privacy policies. Supporters of the self-regulatory approach believe that if consumers want stronger privacy protections on the sites they frequent, businesses will profit only if their privacy controls win over the consumer's trust; and the market will adapt accordingly. They believe that more stringent regulation might not be as relevant or adaptable to advancements in technology as compared to "guidelines" or "principles." Alternatively, those who are against a self-regulatory approach tend to believe that there are inherent problems associated with many self-regulatory schemes, and that it takes a government's strong legislative hand to communicate what is right and wrong.
- The Network Advertising Initiative. Consistent with the movement toward self-regulation, the Network Advertising Initiative (NAI) produced its Self-Regulatory Code of Conduct, or "NAI Principles," which was presented to and approved by the FTC in 2008. NAI is a collection of online advertising companies trying to create uniform data collection practices and avoid extensive industry oversight by the FTC. Its members, who include Google and Microsoft, are contractually obligated to abide by the Code of Conduct. The Code requires members to "educate consumers about behavioral advertising," "clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices," and obtain "consumer's opt in consent" before using "sensitive consumer information for online behavioral advertising," among other things. Abine's opt-out and tracker blocking tools (TACO) create an easy way for Internet users to ensure they have the choice to opt out of and block profiling; our TACO app allows you to opt out of the tracking activities of thousands of companies – even those that are not obligated to follow the NAI Code.
- Consumer Advocacy Groups. Averse to the movement toward industry self-regulation are various think tanks and consumer protection groups, like the World Privacy Forum and the Center for Digital Democracy who are in support of a stronger legislative hand to control online behavioral tracking activities. These groups have submitted comments and reports to the FTC on their positions, advocating for stronger consumer protection through tools like mandatory opt-in (not opt-out) mechanisms and broadening the definition of "personally identifiable information." They claim that the NAI Self-Regulatory Code of Conduct fails to adequately protect consumer privacy.
NOTABLE CASES ON ONLINE PRIVACY
- FTC v. Sears Holdings Management Corp. (June 4, 2009). FTC alleged that Sears hadn't alerted its customers about the extent of the company's online tracking activities. The case was settled.
- FTC v. Liberty Financial (May 6, 1999). FTC alleged that Liberty Financial was engaged in deceptive practices with regard to its privacy promise, which represented that information would be anonymous. In reality, LF was collecting the info in a non-anonymous manner. This case was settled out of court.
- FTC . GeoCities (Feb. 5, 1999). The first FTC case regarding online privacy. FTC alleged that GeoCities misrepresented the purposes for which it was collecting personal identifying information from children and adults. Again, out-of-court settlement.
READ THE FINEPRINT
WANT TO KNOW MORE?Helpful Articles
- The Wall Street Journal has been following the online tracking debate closely. See http://online.wsj.com/public/page/what-they-know-digital-privacy.html
- The Washington Post produced a lengthy investigative report on “Top Secret America”
- Newser.com collects online privacy articles: http://www.newser.com/tag/2321/1/online-privacy.html
- The Electronic Privacy Information Center (EPIC) lists news articles discussing the online privacy debate: http://epic.org/news/epic_in_news.html
Informational Web Sites
- OnGuard Online (http://www.onguardonline.gov/)
- PrivacyActivism (www.privacyactivism.org)
- Of course, Wikipedia’s page on Internet privacy (http://en.wikipedia.org/wiki/Internet_privacy) provides a rough summary of levels, risks, and legal threats to the Web user’s online privacy.
Organizations & Government Agencies Alert to Online Privacy Concerns
American Civil Liberties Union (ACLU) is a nationwide organization of civil rights lawyers whose agenda includes litigation, policy shaping, and campaigning in the area of privacy rights
Computer Professionals for Social Responsibility has a Privacy and Civil Liberties program promoting online privacy
The Digital Due Process Coalition is a collection of privacy advocates, including the ACLU, amazon.com, Google, AT&T, and others, who wish to revitalize the Electronic Communications Privacy Act
Electronic Frontier Foundation is a collaboration of lawyers, policy analysts, activists, and technologists whose litigation work includes cases related to online invasions of privacy
Electronic Privacy Information Center is a public interest research group dedicated to focusing national attention on the protection of privacy
The Federal Trade Commission is the US government agency in charge of consumer protection and the development of online privacy legislation
The Future of Privacy Forum (FPF) is a policy institute interested in the advancement of responsible data collection practices
The House Subcommittee on Communications, Technology, and the Internet is chaired by Rep. Rick Boucher and has submitted draft legislation on online privacy rights
Network Advertising Initiative, a collection of online marketing companies, has been working to establish uniform business practices regarding personal data collection. Abine’s opt-out and tracker blocking tools (TACO) create an easy way for Internet users to ensure they have the choice to opt out of and block profiling; our TACO app allows you to opt out of the tracking activities of thousands of companies – even those that are not obligated to follow the NAI Code (see above).
The Privacy Foundation at the University of Denver conducts research on technologies that effect personal privacy
The Privacy Rights Clearinghouse is a nonprofit organization whose mission is to raise awareness of how technology affects personal privacy
Center for Digital Democracy, US Public Interest Research Group is a national nonprofit group that researches the development of the digital communications landscape
World Privacy Forum is a nonprofit that conducts research in the area of privacy
WHAT DO YOU THINK?
If you have any comments or suggestions regarding this page, contact firstname.lastname@example.org