Online Privacy in the US

Eric Goldman

Marquette University Law School

October 2002



w   No single federal law regulates Internet privacy

w   Many laws might apply depending on the circumstances

w   The regulatory environment is changing almost daily

w   The bottom line: you can do almost anything you want…if you get the proper consent


Children’s Online Privacy Protection Act
(15 USC 6501-6504 and 16 CFR 312)

w   Applies to websites that market to kids or knowingly collect info from kids

n    Kids = 12 and under

w   Requires verifiable parental consent prior to use or disclosure of kids’ info

w   Also, sites must allow parents to see what info was collected about their kids

w   Usually, it’s better to avoid being covered by COPPA than to comply

n    Regulatory costs are high

n    Kids are tough to monetize

w   Tricks to avoid compliance obligations

n    Don’t collect personal info

n    Don’t ask for age information

n    If you must ask for age info, create age categories that mingle kids with adults (i.e., 18 and under)

n    Bounce kids from the site


Electronic Communications Privacy Act
(18 USC 2510-22, 2701-2711)

w   Regulates

n    Interception of private communications in transit

n    Disclosure of stored communications

n    Government’s ability to obtain transactional information about communications

w   Applies to “electronic communication services” and “remote computing services”

n    Covers Internet access providers, email service providers, instant messaging services

n    May also cover “email this page to a friend” functionality, online greeting cards, and other 1:1 online messaging functions

w   Tricks to manage compliance

n    Disclaim privacy expectations

n    Avoid creating unintended privacy expectations

n    Obtain user consent in advance

n    Do not announce policies in conflict with the statute


MN Internet Privacy Law
(Chapter 325M)

w   Approved 5/02, effective 3/1/03

w   Regulates the disclosure of personally identifiable information by ISPs

w   “ISP” defined as Internet access providers provisioning service in MN

w   User consent can be obtained through conspicuous privacy policy

w   Damages of $500 per consumer, but no class actions


Financial Privacy

w   Graham-Leach-Bliley Act

      (15 USC 6801-6809, 15 USC 6821-6827, 16 CFR 313-314)

n    Regulates disclosure of nonpublic personal information; requires annual delivery of privacy statement and a security program

n    Applies to financial institutions and companies significantly engaged in financial activities

n    These can include retailers who offer their own credit cards, companies that provide credit, accountants, career counselors…

w   Fair Credit Reporting Act

      (15 USC 1681, 16 CFR 600-601)

n    regulates the use and disclosure of credit reports


Health Privacy

w   Health Insurance Portability & Accountability Act (45 CFR 160 and 164)

n    Patient consent required for non-routine disclosure of medical info

n    Healthcare entities must provide written privacy statement

n    Healthcare entitles can’t market to their patients without consent

n    Patients can access their medical records

n    Effective 4/14/03 for most entities


Other Privacy Laws

w   CA Civil Code 1798.85

n    Can’t publicly post or display SSN

n    Can’t require email transmission of SSN unless encrypted or secure

n    Can’t use SSN as username unless coupled with password or other authentication

n    Exceptions: as required by law or using SSN “for internal verification or admin purposes”

n    Effective 1/1/03 in most cases, but some activity is grandfathered

w   CA Civil Code 1798.82 (effective 7/1/03)

n    Must notify customers if security of unencrypted personal info database is compromised

n    Personal info = name + SSN, DL #, credit card #

w   Federal Trade Commission Act (15 USC 45)

n    regulates unfair or deceptive trade practices

w   Computer Fraud & Abuse Act (18 USC 1030(a)(2)(C))

n    can’t take info from protected computers

w   ND Referendum (2002 Measure 2)

n    repealed SB 2191, which let financial institutions require opt out of third party disclosures

w   Anti-Spam Laws

n    in at least 26 states (see

w   State Privacy Rights Laws

w   Children’s Online Protection Act (47 USC 231(d))

n    currently enjoined


Doing Privacy Policies

w   The three-headed hydra of marketing, engineering and legal

w   Binding contract v. marketing representation

w   Multiple audiences with different needs

w   There are no “off-the-shelf” forms

w   Policies are difficult to amend

w   Companies have been burned by sloppy privacy policies/practices