Online Privacy in the US
Eric Goldman
Marquette University Law School
October 2002
Overview
- No single federal law regulates Internet privacy
- Many laws might apply depending on the circumstances
- The regulatory environment is changing almost daily
- The bottom line: you can do almost anything you want…if you get the proper consent
Children’s Online Privacy Protection Act (15 USC 6501-6504 and 16 CFR 312)
- Applies to websites that market to kids or knowingly collect info from kids
  - Kids = 12 and under
- Requires verifiable parental consent prior to use or disclosure of kids’ info
- Also, sites must allow parents to see what info was collected about their kids
- Usually, it’s better to avoid being covered by COPPA than to comply
  - Regulatory costs are high
  - Kids are tough to monetize
- Tricks to avoid compliance obligations
  - Don’t collect personal info
  - Don’t ask for age information
  - If you must ask for age info, create age categories that mingle kids with adults (i.e., 18 and under)
  - Bounce kids from the site
Electronic Communications Privacy Act (18 USC 2510-22, 2701-2711)
- Regulates
  - Interception of private communications in transit
  - Disclosure of stored communications
  - Government’s ability to obtain transactional information about communications
- Applies to “electronic communication services” and “remote computing services”
  - Covers Internet access providers, email service providers, instant messaging services
  - May also cover “email this page to a friend” functionality, online greeting cards, and other 1:1 online messaging functions
- Tricks to manage compliance
  - Disclaim privacy expectations
  - Avoid creating unintended privacy expectations
  - Obtain user consent in advance
  - Do not announce policies in conflict with the statute
MN Internet Privacy Law (Chapter 325M)
- Approved 5/02, effective 3/1/03
- Regulates the disclosure of personally identifiable information by ISPs
- “ISP” defined as Internet access providers provisioning service in MN
- User consent can be obtained through a conspicuous privacy policy
- Damages of $500 per consumer, but no class actions
Financial Privacy
- Gramm-Leach-Bliley Act (15 USC 6801-6809, 15 USC 6821-6827, 16 CFR 313-314)
  - Regulates disclosure of nonpublic personal information; requires annual delivery of a privacy statement and a security program
  - Applies to financial institutions and companies significantly engaged in financial activities
  - These can include retailers who offer their own credit cards, companies that provide credit, accountants, career counselors…
- Fair Credit Reporting Act (15 USC 1681, 16 CFR 600-601)
  - Regulates the use and disclosure of credit reports
Health Privacy
- Health Insurance Portability & Accountability Act (45 CFR 160 and 164)
  - Patient consent required for non-routine disclosure of medical info
  - Healthcare entities must provide a written privacy statement
  - Healthcare entities can’t market to their patients without consent
  - Patients can access their medical records
  - Effective 4/14/03 for most entities
Other Privacy Laws
- CA Civil Code 1798.85
  - Can’t publicly post or display SSN
  - Can’t require email transmission of SSN unless encrypted or secure
  - Can’t use SSN as username unless coupled with password or other authentication
  - Exceptions: as required by law or using SSN “for internal verification or admin purposes”
  - Effective 1/1/03 in most cases, but some activity is grandfathered
- CA Civil Code 1798.82 (effective 7/1/03)
  - Must notify customers if security of unencrypted personal info database is compromised
  - Personal info = name + SSN, DL #, credit card #
- Federal Trade Commission Act (15 USC 45)
  - Regulates unfair or deceptive trade practices
- Computer Fraud & Abuse Act (18 USC 1030(a)(2)(C))
  - Can’t take info from protected computers
- ND Referendum (2002 Measure 2)
  - Repealed SB 2191, which let financial institutions require opt out of third party disclosures
- Anti-Spam Laws
  - In at least 26 states (see spamlaws.com)
- State Privacy Rights Laws
- Child Online Protection Act (47 USC 231(d))
  - Currently enjoined
Doing Privacy Policies
- The three-headed hydra of marketing, engineering and legal
- Binding contract v. marketing representation
- Multiple audiences with different needs
- There are no “off-the-shelf” forms
- Policies are difficult to amend
- Companies have been burned by sloppy privacy policies/practices