Why are privacy policies important for websites?

What is the purpose of web site privacy policies?
By: Andrew S. Breines
Aresty International Law Offices, P.C.
www.cyberspaceattorney.com
Global Law for the Digital Age℠

Privacy policies were designed to inform a web site user of the site owner’s collection of personally identifiable information and the use, if any, of that information. Standards agencies like the Better Business Bureau and eTrust developed forms of privacy policies and compliance programs. The European Union, Canada, Hong Kong and New Zealand all have enacted rules and regulations for companies that collect personally identifiable information. The United States has not, preferring instead to let individual companies, states and watchdog agencies enforce privacy policies as contracts. However, the United States has enacted several federal laws designed to protect certain classes of Internet users:

• The Gramm-Leach-Bliley Act of 1999 governs the collection and dissemination of consumers’ non-public personal financial information by financial institutions.
• The Electronic Communications Privacy Act prohibits the unauthorized use, disclosure or interception of electronic communications. Typically called the “Wiretap Act”, it has been applied to email and network hacking violations.
• The Health Insurance Portability and Accountability Act of 1996 prohibits covered entities from disclosing protected health information to third parties without the patient’s prior consent; limits the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use; and increases patients’ control over their medical information.
• The Children’s Online Privacy Protection Act controls access to the personal information of children under the age of 13.

The Federal Trade Commission has made recommendations that define four areas that should be covered by any privacy policy:

1. Notice: The site must provide clear and conspicuous notice of the information practices including what is collected, how it’s collected, how it is used, how the site provides choice, access and security to users, whether the site discloses the information to other entities, and whether other entities are collecting information through the site.
2. Choice: The site should provide users with choices as to how their personally identifiable information is used beyond the use for which the information was provided (shipping, for instance). Such choice would include both internal secondary uses and external uses. Typically, the choice for users is the ability to “opt out” of any secondary use.
3. Access: Sites should be required to offer users reasonable access to the information a site has collected about them, including a reasonable opportunity to review information, correct inaccuracies and delete information.
4. Security: Sites should be required to take reasonable steps to protect the security of the information they collect from consumers.

An important component of the above is the site owner’s adherence to the policy. The site owner should incorporate practices that will uphold the policy. If the policy says that the site will not share information, it should not share information. If the policy says the information will never be sold, it should not ever be sold. Regular audits of the policy and the site’s adherence should be conducted.

Violations of privacy policies can result in liability, lawsuits, bad press or even investigations by federal regulators. The violations may lead to civil or criminal liability and fines depending on the level of the violation, the harm caused and the secondary use of the information released due to the failure to adhere to the policy.
