The Changing Face of Online Privacy
Concerns about online privacy are much in the news. Businesses, consumer advocates and governments debate what online privacy means, and what practices should be adopted by web site operators to address privacy concerns. It is an issue for all web site operators, not just the likes of Google and Facebook.
What does the individual web site owner need to know, and do?
Most web sites post some form of privacy policy. Having a reasonably conspicuous privacy policy is a standard practice, and it is required by at least one state statute, California Bus. & Prof. Code 22575 et seq. That statute sets forth some minimal requirements for the content of policies, and some other statutes impose related confidentiality and security obligations when certain information is collected. This and other relevant state statutes are accessible through the National Conference of State Legislatures.
At the federal level, the Children’s Online Privacy Protection Act of 1998 sets forth rules for collecting personal information by web sites directed at children. Financial institutions are subject to separate requirements under the Graham-Leach-Bliley Act, discussed here.
Compliance is complicated not only by the fragmented legal landscape, but also by the fact that new legislation is proposed every year.
Beyond complying with particular statutory requirements, the general approach to a privacy policy should be to disclose what personal information you collect and what you do with it, and, importantly, to update the policy to reflect changing business practices. Privacy policies are mostly disclosure documents, and the overarching goal should be to ensure they do not run afoul of the FTC Act’s prohibition of “unfair or deceptive acts or practices.” To fully and fairly disclose what information is collected and how it is used, a web site operator must take into account not only its own business needs, but also technical processes (e.g., delivery of cookies and the creation of user logs) as well as potentially different practices of any business partners involved in the site who may receive some personal information (e.g., web site hosts, the policies of “cloud” data storage providers, providers of ecommerce fulfillment or processing services).
Online privacy remains very much an evolving concept, and the debate over standards likely will continue for years to come. In March of 2012, the Federal Trade Commission issued a comprehensive report, entitled Protecting Consumer Privacy in an Era of Rapid Change, which offers a good overview of the state of the law, varying business and consumer perspectives on the question, and the different approaches under consideration. The FTC web site, http://www.ftc.gov/, contains additional guidance. Some of the practices referenced in this Report, while not now legally required, may emerge with time as “best practices.”
Christopher J. Mugel practices intellectual property law from Kaufman & Canoles’ Richmond, Virginia office. –Christopher J. Mugel
