If you do business on the World Wide Web, change is your only constant. Even the most loyal online customers are a fickle lot, and no one can predict the “Next Big Thing” in e-commerce. While navigating the cyber-minefields has always been a dangerous and shifting challenge, the concept of data privacy has been taking on particular significance recently as a potential pitfall for the unwary. In the United States, the approach Internet businesses have adopted has traditionally been driven by the market, with many individuals and businesses demanding to see “privacy policies” before patronizing online vendors. More recently, new laws and legal decisions have begun to appear, adding to the considerations online businesses must weigh in deciding what level of privacy should be promised to visitors and customers.
Unlike Europe, which has imposed comprehensive legal restrictions on the collection, dissemination and use of personal information of virtually every kind, the United States has adopted a more piecemeal approach. There is no uniform requirement in the United States that individuals even be informed that personal information is being collected about them as they surf from website to website. Moreover, the information that is collected can generally be used, sold or disseminated without permission or restriction. However, a constellation of laws exists which provides protection for particular groups of individuals and imposes restrictions on specific industries. Failure to comply with applicable Federal rules and associated regulations can result in hefty civil and criminal penalties, as well as the elimination of exit strategies and alternative revenue streams.
Unlike COPPA, which is concerned with the kinds of individuals from whom data is collected, the Health Insurance Portability and Accountability Act (“HIPAA”) focuses on a particular group of data collectors. Specifically, HIPAA protects all medical records and individually identifiable health information used or disclosed by health plans, health care clearinghouses, and health care providers conducting electronic financial and administrative transactions. Although in most cases compliance with the privacy rules implemented under the act is not required until April 2003, the consequences of non-compliance are steep — monetary penalties reach $250,000 and beyond and prison terms can be up to 10 years for obtaining or disclosing health information with the intent to sell it for commercial advantage. To ensure the security of such personal health information, entities subject to the act must adopt written privacy procedures outlining who has access to the protected information, how the information will be used, and to whom the information will be disclosed. HIPAA also dictates certain terms of privacy policies. Patient consent must be obtained prior to release of information. Health information may not be used for any purpose not related to health care, and disclosure must be limited to the minimum amount of information necessary for the purpose of the disclosure. While many individuals take the privacy of their health information for granted, the April 2003 deadline will mark a dramatic shift from what is currently expected of health care entities to what will be legally required.
Another privacy statute, the Gramm-Leach-Bliley Act (“GLB Act”), requires action well before 2003. Indeed, the beginning of this month marked the deadline for various privacy disclosures for parties covered under the act, and it is the GLB Act which is largely responsible for the spate of privacy statements consumers have received in the mail in recent months from their banks and credit card companies. At its core, the GLB Act requires financial and insurance institutions to create and adhere to written policies and procedures with respect to the collection and sharing of individual customer information. These policies and procedures enable customers to prevent their non-public information from being shared with non-affiliated third parties without consent. While the GLB Act is not limited to the collection of information on the Internet, online activity is certainly not immune from its reach, and the GLB Act therefore has potentially significant impact for the website privacy policies of covered entities.
- Description of the personally identifiable information collected. This is a brief summary of the information the company collects that is unique to each user. A good place to start is a list of the fields in the site registration form.
- Description of non-personally identifiable information collected. This is a summary of the information the company collects about its users in general, including aggregate information about site usage, traffic patterns and user statistics.
- Description of what the company may do with non-personally identifiable information. This is a statement describing the circumstances under which the company will disclose non-personally identifiable information to third parties. Laws and regulations are typically less strict about the protection of this kind of information and most consumers are less concerned about non-personally identifiable information.
- Cookies. This is notification to the user that during use of the site, certain files will be placed on the user’s computer hard drive or in memory. It helps put users at ease if the company points out that the company cannot use these cookies to retrieve personal information from the user’s computer.
- Disclaimer about Links. This is a warning to users that the rules change when they leave the company’s site. The company is not responsible for the privacy of the information the user submits to linked sites. The privacy of that information is the responsibility of the site to which they have linked.
- Security Disclaimer. This provision is generally a disclaimer for the company. It is a reminder to the users that while the company uses reasonable efforts to protect the privacy of their information, no server or software is 100% secure.
A company that carefully defines the agreement it intends to strike with users from whom it collects information has gone a long way in protecting itself legally and advancing its standing in the eyes of the market. By incorporating the appropriate provisions discussed in this article and taking into account laws and regulations that may restrict the way data is collected and used, a company with an online presence can walk the fine line between providing less than the market and the law require and promising more than prudence may allow.