5-point Plan to Avoid Online Privacy Minefields

Privacy image

Almost all Web sites collect and extrapolate information about their users to enhance the users' experience and provide customized services. As technology that tracks and profiles Internet users continually becomes more advanced, the potential for online privacy violations and resulting liability can be a minefield.

However, by following a handful of basic measures, you can ensure the fair use of information while allowing individuals to participate in decisions on the disclosure and use of their personal information.

The basics of a complete privacy policy

If the Web site uses personal information, a link to the company's privacy policy should be prominently placed on the home page and easily accessible throughout the Web site. The privacy policy should, at minimum, address issues of notice, choice, access, security, and enforcement.

  • Notice: Consumers are entitled to know when information is being collected, how it will be used, and when personal information might be disclosed to others. Notice should include the consequences to the consumer of refusing to give the information. It should also address the issues of choice, access, and security (see below).
  • Choice: Consumers should have choices about how their information is used or disclosed beyond the original purpose for which it was provided (e.g., to complete a transaction). Choice may be opt-in (e.g., click here to receive valuable information from our sponsors) or opt-out (e.g., click here if you do not want to receive new product announcements). Opt-in affords stronger privacy protection because it establishes a default rule against disclosure and use.
  • Access: Consumers should have access to stored information about them and an opportunity to correct inaccuracies or delete data.
  • Security: Web sites should protect the security of the data and ensure its integrity and accuracy.
  • Enforcement: These principles must be enforceable to be effective. You should have procedures in place to address infractions.

Any online company should formulate and comply with its own comprehensive privacy policy, and should become familiar with the Federal Trade Commission's October 1999 publication entitled "Self-Regulation and Privacy Online."


No policy? Significant liability risk!

Online privacy imageApart from damaging consumer confidence, a company's failure to adopt and follow reasonable privacy policies creates a significant risk of liability. The development of company-wide information collection practices, including notice and disclosure of such practices to consumers, is critical to establishing and maintaining consumer confidence and a viable online presence.

The use of personally identifiable information collected from Internet users, whether through voluntary means, such as registration, or involuntarily, through the use of cookies and other technology, can make a company vulnerable to legal actions based upon federal and state fair trade, unfair competition, and other laws. Similarly, the use of information in ways that are inconsistent with a company's published privacy policy may result in enforcement actions by the FTC and attorneys general, and class action lawsuits by private individuals.

Potential privacy violations become more complex when Internet companies merge, acquire one another, or form relationships that involve the sharing or transfer of Internet user information. Before acquiring or entering into an online partnering relationship, it is wise to compare a potential partner's information collecting practices with its published privacy policy.

Similar issues may arise when an online business enters into an advertising or outsourcing relationship. For example, the advertiser may routinely collect, aggregate, and disclose user information in a manner that violates the privacy policy of the online business. The parties should address any conflicts in their information collecting and disclosure practices before finalizing the relationship.


State, federal, and international regulation

Internet privacy law is in its infancy. There remains significant uncertainty in this area, given the absence of clear legal precedent; proliferation of privacy-related litigation nationwide; and the emergent body of state, federal, and international regulation. For example, federal banking regulators are accepting comments on proposed privacy regulations for financial institutions.

Since the passage of the Gramm-Leach-Bliley Act of 1999, state legislatures have been preparing privacy statutes and regulations that will affect companies from many industries.Court image The Yahoo! Inc., DoubleClick Inc., and Amazon.com Inc. litigations, and the class action lawsuits filed against RealNetworks for secretly tracking the music-listening habits of its users through RealJukebox (free software downloaded from the RealNetworks Web site) all reflect the propensity of the dot.com world to become involved in litigation alleging privacy violations.

For example, the FTC sued GeoCities for misrepresenting its reasons for collecting personal information from its visitors. The FTC claimed that GeoCities sold visitors' personal information to third party marketers, despite its privacy policy that stated that it would only use information for advertising offers or visitor-requested services. GeoCities settled the case and agreed to post a revised privacy policy that addresses certain fair information practice principles established by the FTC.


Online privacy resources

There are many online resources that are excellent for small businesses. For example, the Online Privacy Alliance Web site is an excellent educational resource. The Alliance has roughly 100 corporations and associations as members, and is committed to working with government to avoid having the public debate over Internet privacy result in unnecessary anti-industry sentiment. Also, there is an extensive hyperlinked reference to privacy-related news stories and legal resources, the E-Commerce Law Source.

The discussion above is for informational purposes only, and is certainly not a substitute for consulting a qualified lawyer to examine the issues and risks of your particular venture.

Related legal articles

We look forward to the opportunity to discuss any questions you may have regarding the range of business, technology and intellectual property services we offer. Our law office is based in Chicago, Illinois. Please feel free to call us at (866) 734-2568 should you have any questions.