Federal Privacy Laws
The United States takes a sectoral
approach to privacy regulation, adopting regulations only to deal with specific
problems, subjecting some industries to extensive regulation and others to
lighter or minimal regulation. This
testimony will provide particular focus on regulation of children’s privacy on
the Internet and privacy regulation of electronic communications.
Since the 1970s, privacy regulation has
generally been measured by five “fair information practice” elements
articulated by the U.S. Privacy Protection Study Commission in 1977 and recently
re-enunciated by the Federal Trade Commission.
All federal privacy regulation encompasses at least two of the following
features:
- Notice to the consumer regarding collection, use and disclosure to third parties of
individually identifiable information obtained from him/her;
- Consumer choice either to opt out or opt in to use or disclosure to third parties
of such information (in some cases disclosures to affiliates are subject to
the choice requirement, in some cases they are exempt);
- Access to individually identifiable information collected about that particular
consumer and an opportunity to correct inaccurate information;
- Security adequate to protect the information from unauthorized disclosure; and
- Enforcement of applicable privacy obligations.
A variety of other requirements, most often prohibitions against collection of
information, apply in unique circumstances where a statute seeks to advance other
policy goals. For example, the Children’s Online Privacy Protection Act prohibits
conditioning a child’s participation in an activity on the child disclosing more
information than is reasonably necessary to participate in that activity. Similarly,
the Fair Housing Act prohibits collection of information used to engage in
racial discrimination.
Finally, consumer protection law and the
Federal Trade Commission Act offer a backdrop of limited protection even where
no sector-specific privacy law applies. If
a company posts a privacy policy, it can be held to its commitment to follow
that policy under deceptive trade practice laws. Both the Federal Trade Commission and state attorneys general
have begun bringing civil enforcement actions for deceptive trade practices
against companies whose privacy practices have fallen short of their stated
policies in a material way. Section
5 of the Federal Trade Commission Act gives the Commission authority, in the
context of commercial transactions, to protect consumers against unfair and
deceptive acts. This section 5
authority is the backbone of self-regulatory programs.
While these programs, such as the Direct Marketing Association’s
privacy promise and the BBB OnLine program, are voluntary to begin with, they are thereafter
enforceable if a company fails to do what it had said it would do.
The FTC has proceeded against several Web sites that did not follow
through on their commitments.
This FTC authority is also the basis for the safe harbor program agreed
to by the European Union and the Department of Commerce.
A. ELECTRONIC COMMUNICATIONS PRIVACY ACT
Congressional concern about technological advances in the years following
enactment of the 1968 wiretap statute led to the enactment of the Electronic
Communications Privacy Act of 1986 (“ECPA”).
Through ECPA, Congress sought to extend the telephone network privacy
safeguards codified in existing law to the new technology, including electronic
mail and other computer-to-computer data transmissions.
These communications are in many ways the electronic counterparts to
letters, memoranda, or files transported via the postal system.
ECPA addresses the problem of persons gaining unauthorized access—or
exceeding their authorized access—to those electronic communications that,
like personal or business correspondence, are intended to be kept confidential.
Specifically, ECPA’s stored communications provisions
prohibit the unauthorized access to or use of stored electronic communications
such as “voice mail” and electronic mail.
The exceptions to the rule of nondisclosure fall into three categories:
(1) disclosures that are authorized by the sender or the receiver of the
message; (2) disclosures that are necessary for the efficient operation of the
communications system; and (3) disclosures to the government.
With regard to governmental requests for information, the Act in many cases
requires that the customer be notified and given an opportunity to contest in
court a government entity’s request for access to electronic mail or other
stored communications in the control of a provider of electronic communications
services or remote computing services; notice is not required where the
government obtains a search warrant, and it may be delayed in defined circumstances.
The law creates a civil cause of action against any party committing a
“knowing or intentional” violation of these provisions.
The aggrieved party may seek injunctive relief and actual monetary
damages (subject to a statutory minimum award of $1,000) as well as attorneys’
fees and costs.
B. IMPLEMENTATION OF THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998
In October 1999, the Federal Trade
Commission completed its rulemaking implementing the Children’s Online Privacy
Protection Act of 1998 (“COPPA”). The
FTC’s Final Rule largely tracks the plain language of the statute, while
providing additional detail on important issues such as who is covered by the
Act, and acceptable forms of notice and of consent, among others.
The Rule went into effect on April 21, 2000,
and online services and Web site operators who have actual knowledge that they
are collecting personally identifiable information online from children or who
target their Web sites or services or portions thereof to children under 13
years of age without complying with its requirements face the risk of
prosecution by the FTC and State Attorneys General (“State AGs”).
The Final Rule takes a practical and
flexible approach to compliance with COPPA.
Key elements include its application only prospectively
to collection of personal information collected online from children, and adoption of a “sliding scale” approach
to the statute’s verifiable parental consent requirement, which allows the use
of e-mail consent from a parent in certain circumstances for at least a two-year
period. This “sliding scale”
approach enables sites and online services to use an “e-mail-plus” mechanism
for consent to internal uses of the data, while requiring sites and services to
use print-and-send forms and other “more reliable methods of consent” for
activities that allow children to provide information to third parties or that
give children free e-mail accounts or chat room access.
1. Overview of the Rule
The statute and the Final
Rule apply only to individually identifiable
information collected online from a child (“personal information”) by a Web
site or online service that is targeted to children under 13 or that has actual
knowledge that it is collecting personally identifiable information from a child
under 13. Collecting information
includes providing a child with the ability to have an e-mail account or the
ability to post to a chat room, bulletin board or other online forum.
The
Rule’s primary goal is to require parental consent before a child can make
personal information publicly available through chat rooms or e-mail.
In addition, the Rule, subject to several exceptions, limits what
information a commercial site can collect without prior parental consent even
though there is no evidence of harm to children resulting from data collection
from children.
It
requires Web site operators and online service providers who engage in this form
of online data collection to do the following:
a) Notice. Provide notice of their collection, use and disclosure practices;
b) Consent. As a general rule, obtain “verifiable parental consent” for the
collection, use or disclosure of personal information subject to certain
exceptions (some of which substitute a notice and opt-out requirement for
consent);
c) Information Collected. Provide parents with a description of, and in some cases, the actual
information that they have collected online from the child;
d) Opt Out. Allow parents to opt out of further use of the information;
e) Limit Collection. Avoid conditioning participation in an activity on disclosure of more
information than reasonably necessary to participate; and
f) Security. Use reasonable data confidentiality, security and integrity procedures.
The
FTC Rule lists acceptable means by which operators can obtain “verifiable
parental consent.” These
means vary depending upon the intended use of the information. For internal uses
of information, including marketing back to a child, Web sites may use e-mail
consent accompanied by additional steps to provide assurances that the parent is
providing the consent. These steps
include sending a delayed confirmatory e-mail to the parent once the site has
received the e-mail consent, or obtaining a postal address or telephone number
from the parent and confirming consent by letter or telephone call.
By contrast, where a site
offers chat rooms, message boards, or other similar features that enable
children to make personal information collected online publicly available, or
where the site discloses the information to third parties, it must obtain
consent through sending back a printed form via postal mail or facsimile, the
use of credit card numbers or toll-free phone numbers, digital signatures, or
e-mails containing PINs or passwords obtained through any of these means.
Violators
are subject to enforcement actions by the FTC or certain federal regulators with
jurisdiction over particular industries and by State AGs.
Web sites and online services may comply with the Rule either by
following the Rule in its entirety or by following self-regulatory guidelines
approved by the FTC.
2. Who Is Covered by the Final Rule’s Obligations?
a. Commercial Sites and Online Services
The Final Rule exempts all non-commercial
sites and online services. This is
consistent with FTC authority, which extends only to commercial activities.
Nonprofit status alone may not exempt prohibited practices.
The Rule does not define specifically the line between commercial and
non-commercial sites, and whether a nonprofit engaged in commercial activity
would be subject to the Rule.
b. “Directed to Children”
The Final Rule applies to all Web sites and
online services, or portions of sites and online services that are targeted to
children under the age of 13 within the meaning of § 312.2 of the Rule.
This is a flexible inquiry that involves assessment of “the overall
character of the site,” including whether:
- there is child-oriented content on the site, which includes an assessment of the
age of models on the site, presence of animated characters, children’s
music, and/or child-oriented activities and incentives (such as puzzles,
games, or trivia);
- the ads appear to be targeted at children under 13;
- the language is targeted toward an audience under 13;
- there is reliable empirical evidence regarding the age of the site’s visitors;
and
- there is evidence regarding the intended audience.
The Rule does not look only to whether a
site or service is targeted to children in
its entirety. If a portion of a
site or service (such as a child-oriented pen pal service) is targeted to
children, then the requirements of the Final Rule will apply to that portion
only. Merely referring or linking users to a site that is targeted
to children does not subject an operator to the Rule, and linking to a site that
violates the Rule creates no liability. However,
if other elements of a site indicate that the site is a child-oriented
directory, then it would be considered targeted to children under the Rule.
Web sites and services that are targeted to
children and that have not obtained prior parental consent will be required to
monitor their chat rooms, message boards and similar services and delete
individually identifiable information that children post about themselves.
c. Not “Directed to Children”
The great majority of operators of general
audience sites and online services that do not target their offerings to
children are regulated under the Rule only if they have actual knowledge that
they are collecting information online from a child.
Sites and services that ask the age of visitors are therefore subject to
the Rule’s requirements if they allow respondents who indicate that they are
under 13 onto the site or service. In
addition, the Final Rule indicates that receiving information “from a
concerned parent who has learned that his child is participating at the site”
gives the site actual knowledge. It
does not indicate whether notice from third parties provides such knowledge.
The commentary on the Rule indicates that
the FTC will “closely examine” sites that appear to be determining through
“age-identifying questions” whether a visitor is a child “without
specifically asking for the visitor’s age” to determine whether these sites
in fact have actual knowledge. For
example, asking whether a visitor attends elementary school may give a site
actual knowledge that it is collecting information from children.
Similarly, the FTC “will look closely at” sites that ask for age
ranges that include both children and teens (e.g., “15 and under”) to
determine whether they “are trying to avoid compliance with the Rule.”
d. Collecting Information Online from Children
The Rule’s definition of collection includes “enabling children to make personal
information publicly available through a chat room, message board, or other
means, except where the operator deletes all individually identifiable
information from postings by children before they are made public, and also
deletes such information from the operator’s records.”
This means that if an operator obtains
actual knowledge that it has collected personally identifiable information
online from a child, it may either comply with the substantive requirements of
the Rule or delete the information from its own records before it is made
public.
Therefore, online fora (such as chat rooms,
message boards and similar services) targeted to children that do not obtain
prior parental consent will need to put in place a process for: (1) moderating
and monitoring “real time” postings by children; (2) delaying making
postings containing personal information publicly available until such
information has been stripped from them; and (3) deleting that information
promptly from the operator’s records.
Similarly, sites and services that are not
targeted to children under 13 years of age, but that obtain “actual
knowledge” that a posting contains personal information disclosed by a child
may redact it of personal information both at the site and in their own
databases as an alternative to complying with the Rule’s requirements.
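The moderation process described in the two preceding paragraphs, as an added example that is not code from the original testimony or from any operator: a hypothetical `Board` class strips individually identifiable information from a child’s posting before anything is persisted (so the raw text never enters the operator’s records), holds any posting where the stripping fired back from public view until a moderator confirms nothing was missed, and re-runs the same stripping over an existing record when a general-audience site later gains actual knowledge that a posting came from a child. The regular expressions are illustrative heuristics and an assumption of this example, not a standard an operator could rely on; the sample postings are constructed, not real user data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Illustrative patterns (assumption: not an exhaustive PII detector) for the
# individually identifiable information a child is likely to type into a post.
PII_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("address", re.compile(
        r"\b\d{1,5}(?:\s+[A-Z][a-z]+){1,3}\s+"
        r"(?:St|Ave|Rd|Blvd|Ln|Dr|Street|Avenue|Road|Lane|Drive)\b\.?")),
    # The trigger phrase is matched case-insensitively, but the captured name must
    # be capitalised so that ordinary words after "I am" are not stripped.
    ("name", re.compile(r"\b(?i:my name is|i am|i'm)\s+([A-Z][a-z]+(?:\s[A-Z][a-z]+)?)")),
]


def strip_pii(text: str) -> tuple[str, list[str]]:
    """Replace each PII match with a placeholder; return the new text and the kinds found."""
    kinds: list[str] = []
    for kind, pattern in PII_PATTERNS:
        def replace(m: re.Match, kind: str = kind) -> str:
            kinds.append(kind)
            if m.lastindex:  # keep the trigger phrase, drop only the captured name
                return m.group(0)[: m.start(1) - m.start(0)] + f"[{kind} removed]"
            return f"[{kind} removed]"
        text = pattern.sub(replace, text)
    return text, kinds


@dataclass
class StoredPost:
    post_id: str
    text: str                 # for a child's post this is only ever the stripped text
    author_is_child: bool
    needs_review: bool = False  # heuristics fired: keep out of public view until checked


class Board:
    """The operator's record store. Raw submissions from children are never persisted."""

    def __init__(self) -> None:
        self.records: dict[str, StoredPost] = {}

    def submit(self, post_id: str, raw_text: str, author_is_child: bool) -> StoredPost:
        if author_is_child:
            # Step (1)/(2): strip before storing, and delay publication if anything fired.
            text, kinds = strip_pii(raw_text)
            post = StoredPost(post_id, text, True, needs_review=bool(kinds))
        else:
            post = StoredPost(post_id, raw_text, False)
        self.records[post_id] = post   # step (3): nothing stripped is ever written here
        return post

    def public_view(self) -> dict[str, str]:
        """What visitors see: held posts are excluded until a moderator approves them."""
        return {pid: p.text for pid, p in self.records.items() if not p.needs_review}

    def approve(self, post_id: str) -> None:
        self.records[post_id].needs_review = False

    def apply_actual_knowledge(self, post_id: str) -> list[str]:
        """A general-audience site learns a stored post came from a child: redact it in
        place, at the site and in the records, and hold it for review."""
        post = self.records[post_id]
        post.text, kinds = strip_pii(post.text)
        post.author_is_child = True
        post.needs_review = bool(kinds)
        return kinds


if __name__ == "__main__":
    board = Board()
    # Constructed sample postings.
    p1 = board.submit("p1", "hi im 10! my name is Jake Miller, email me at "
                      "jake.m@example.com or call 555-123-4567", author_is_child=True)
    board.submit("p2", "anyone else like the dragon puzzle?", author_is_child=True)
    board.submit("p3", "I live at 42 Maple Street, come over!", author_is_child=False)
    print(p1.text)            # stripped before storage, held for review
    print(board.public_view())  # p2 and p3 only
    board.approve("p1")
    print(board.apply_actual_knowledge("p3"), board.records["p3"].text)
```

The design choice worth noting is that the stripped text is computed before the record is written, so the operator never holds a copy it would later have to purge; the automated pass is deliberately conservative (a hit on any pattern holds the post), because a regular expression will miss a name typed in lower case or a phone number written in words, and the human check is what closes that gap.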
e. Responsibilities of Intermediaries and Third Parties Who Receive Personal Information
Often information collected at an online
site passes through several entities who could be deemed to collect the
information—for example, the Web site host, Web site content provider and its
affiliates, and advertisers on the site. The
Rule adopts a case-by-case, functional approach to determining what entity in
these situations is actually subject to the Rule, examining ownership and
control of the information, payment for and contractual arrangements for
collection and maintenance, and whether the site “is merely a conduit through
which the information flows to another entity.”
Internet access providers who do not target
children or have actual knowledge that they are collecting personal information
from children are exempt from the Rule. In
addition, third parties that receive information from operators are exempt from
the Rule’s requirements, although they may find that operators often restrict
by contract their ability to use the information or disclose it to others.
3. The Rule’s Requirements
Operators that are covered by the Rule must
comply with the Rule’s five principal functional requirements:
(1) providing notice, (2) obtaining prior parental consent in most
circumstances or complying with notice and opt out in most other circumstances,
(3) affording parents access to personal information collected online from their
child and the opportunity to opt out of further maintenance and use of that
information, (4) following the Rule’s security requirements, and (5) avoiding
conditioning participation in an activity on disclosure of more personal
information than reasonably necessary to participate in the activity.
a. Notices
Operators must provide notice, both on
their Web site at each point of collection and directly to parents in
circumstances where parental consent or notice and opt out are required, of
their collection, use and disclosure of personal information.
The FTC’s Final Rule prescribes in considerable detail the content of
the privacy notice that operators must provide on their Web site and directly to
parents. The notice:
1) Must be located on the operator’s home page and accessible at all data
collection points;
2) When provided directly to parents as discussed in section b below, must
be provided via e-mail or as part of a print-and-send form where the site or
service is subject to consent or notice and opt out;
3) Must be labeled specifically as a notice of the site’s information
practices regarding children;
4) Must disclose, directly or through the operator of another site (whose
name, address, phone number and e-mail address must be listed at the original
operator’s site), the name, address, phone number and e-mail address of
third-party collectors of information at the site, the types of personally
identifiable information collected and whether information is collected directly
or passively;
5) Must disclose whether third-party contractors have agreed to maintain
confidentiality, security and integrity of information;
6) Must disclose how the information will be used (including fulfillment of
a transaction, record keeping, marketing or public disclosure) and the types of
businesses to whom the information may be disclosed;
7) Must list parents’ rights under COPPA and procedures for providing
consent and obtaining access to their children’s information;
8) Must disclose that the site or online service may not condition a
child’s participation in an activity on the disclosure of more personal
information than reasonably necessary to participate in the activity.
b. Verifiable Parental Consent and Notice and Opt-out Requirement
1. Parental Consent Requirement and Sunset for E-mail Consent
As a general rule, operators must obtain
verifiable parental consent before the collection, use and disclosure of personal
information collected online from a child.
In the case of personal information that is
part of public postings or disclosed to third parties, consent must be obtained through
print-and-send forms via postal mail or facsimile, the use of credit card
numbers or toll-free phone numbers, digital signatures, or e-mails containing
PINs or passwords obtained through any of these means.
These consent methods must be used for “activities involving chat
rooms, message boards, disclosures to third parties, and other
‘disclosures.’”
In the case of personal information that the
operator uses only internally,
consent may be obtained through any of the above means.
At least until April 2002, consent may also be obtained for these
purposes through e-mail accompanied by “additional steps . . . to provide
assurances that the parent is providing the consent.” These include “sending a delayed confirmatory e-mail to the
parent following receipt of consent, or obtaining a postal address or telephone
number from the parent and confirming consent by letter or telephone call.”
The Commission will “phase out” the sliding scale in April 2002
“unless presented with evidence showing that the expected progress in
available technology has not occurred.” The
Commission intends to begin a notice and comment period with regard to this
sunset in October 2001.
Operators must offer the parent the option
of consenting to collection and internal use of personal information collected
from the child without consenting to disclosure of the information to third
parties. However, release of
personal information to a person who uses the information solely to provide
support for the internal operations of the Web site or service, including
technical support and order fulfillment, is not considered a “disclosure,”
and parents may not prevent these disclosures if they agree to collection and
use of the information.
2. Notice and Opt Out
Operators may provide direct parental notice
and the opportunity to opt out of further retention of the information, instead
of parental consent, in two circumstances:
The first is for collection of a child’s
e-mail address for the sole purpose of responding more than once to a specific
request of a child (such as subscription to an online newsletter, contest entry,
or customer service request) where the e-mail address is not used for any other
purpose. This exception is framed
quite broadly and may be useful to operators in a significant range of
circumstances.
The second is for a limited child safety
exception which permits an operator to collect a child’s name and online
contact information to the extent reasonably necessary to protect the safety of
a child user (e.g., to report evidence of child abuse) where the
information is used only for that purpose, not used to recontact the child for
any other purpose, and not disclosed on the site or service.
3. Exceptions to Consent and Notice and Opt Out
Operators may collect
personal information without either obtaining parental consent or providing
parental notice and an opportunity to opt out in the following circumstances:
- For collection of a child’s e-mail address for the sole purpose of responding
on a one-time basis to a specific request of a child, after which the
address is deleted;
- For collection of the child’s or parent’s name and online contact
information for the sole purpose of obtaining parental consent or providing notice of a parent’s right to
opt out, if the information is deleted within a reasonable time after the
date it is collected;
- In a school-based setting in which the operator provides notice of its
collection, use and disclosure practices to the school and the school provides
consent in loco parentis (the
Commission also intends to issue guidance to the educational community regarding
the Rule’s privacy protections); or
- To the extent reasonably necessary to protect the security or integrity
of the site or online service (e.g., to prevent hacking), to take
precautions against liability, to respond to judicial process, or to the extent
consistent with other provisions of law, to provide information to law
enforcement or for an investigation related to public safety, provided that the
information is not used for other purposes.
c. Access and Opt-out Requirements
Operators are required to
provide parents with access to the types of personal information collected
online from children, and with “a means that is reasonable under the
circumstances” for the parent to obtain the specific personal information the
operators have collected. Before
providing access to the actual information collected, operators must make
efforts to verify that the requester is in fact the child’s parent.
These efforts include not only secure procedures such as password
protected e-mail, but any acceptable method for obtaining parental consent to
third-party disclosures, discussed above. The
Rule indicates that operators who follow one of these procedures acting in good
faith to a request for parental access are protected from liability under
federal and state law.
The access requirement does
not apply to information collected from offline sources or collected before the
effective date of the Rule unless it cannot be distinguished from personal
information covered by the Rule. In
this instance, operators may be required to provide access to compilations of
personal information merged or enhanced with other information.
Operators must also afford
parents the opportunity to have personal information collected from their child
deleted from the operators’ databases and to have the operator cease using or
collecting the information. This
opt out simply revokes consent that the parent has previously provided.
It does not prevent the operator from seeking and obtaining parental
consent in the future.
d. Security Requirement
Web sites and online services that are
covered by the Rule must establish and maintain reasonable procedures to protect
the confidentiality, security and integrity of personal information.
The Commentary to the Rule indicates that such procedures include secure
Web servers and firewalls, deleting information once it is no longer used,
limiting employee access to data, providing data-handling training to employees
who do have such access, and careful screening of third parties to whom the
information is disclosed. Noting
that security measures can be costly, the Commentary gives operators discretion
“to choose from a number of appropriate methods of implementing this
provision.”
e. Limiting Collection
The Rule also places some limits on the
collection of personal information by covered Web sites and online services.
These operators are prohibited from conditioning a child’s
participation in a game, the offering of a prize, or another activity on the
child disclosing more personal information than reasonably necessary to
participate in the activity. This
measure is designed to prohibit tying a child’s ability to participate in a
prize or game to disclosure of personal information that is not necessary for
the activity in question.
4. Methods of Complying
a. Safe Harbor
COPPA
allows operators to comply by following self-regulatory guidelines approved by
the Commission after notice and comment.
The
Rule provides that to qualify for the safe harbor, self-regulatory guidelines
need not be identical to the Rule, but must have “substantially similar
requirements that provide the same or greater protection.”
Guidelines must include an effective, mandatory mechanism for independent
assessments of operators’ compliance with the guidelines through periodic
reviews or any other equally effective mechanism.
They must also include an effective incentive for compliance by operators
who commit to follow the guidelines, including mandatory public reporting of
disciplinary actions taken against operators who violate the guidelines,
referrals to the FTC of operators who engage in a pattern and practice of
violations, consumer redress, voluntary payments to the U.S. Treasury, or any
other equally effective incentive.
Self-regulatory
organizations who obtain safe harbor treatment must retain for at least three
years and make available to the FTC upon request all consumer complaints
alleging violations of the guidelines, records of disciplinary actions taken,
and the results of the independent assessments that are part of the
self-regulatory program.
b. Enforcement
The
FTC will monitor the Internet for compliance with the Rule and bring law
enforcement actions to deter violations where appropriate.
Violations of the Rule are trade regulation violations and subject the
violator to civil penalties of up to $11,000 per day for each violation.
The FTC also has authority under Section 5 of the FTC Act to sue to
obtain a final cease and desist order, temporary restraining orders with or
without notice, restitution, disgorgement of profits, and other equitable
relief.
COPPA also provides states and
other federal agencies with authority to enforce compliance with the Rule.
State AGs can bring suit on behalf of citizens in their state to obtain
appropriate relief including enjoining the practice, enforcing compliance, or
obtaining compensation on behalf of residents of their state. A
series of federal agencies that have jurisdiction over regulated industries
receive enforcement authority over violations of the Rule by those industries.
For example, the Office of the Comptroller of the Currency has authority
over national banks, and the Department of Transportation has authority over air
carriers.