Almost all Web sites collect and extrapolate information about their users to enhance the users' experience and provide customized services. As technology that tracks and profiles Internet users becomes more advanced, the potential for online privacy violations and consequent liability can be a minefield.

However, by following a handful of basic measures, you can ensure the fair use of information while allowing individuals to participate in decisions on the disclosure and use of their personal information.

The Basics of a Complete Privacy Policy

If the Web site uses personal information, a link to the company's privacy policy should be prominently placed on the home page and easily accessible throughout the Web site. The privacy policy should, at minimum, address issues of notice, choice, access, security, and enforcement.

Notice. Consumers are entitled to know when information is being collected, how it will be used, and when personal information might be disclosed to others. Notice should include the consequences to the consumer of refusing to give the information. It should also address the issues of choice, access, and security.

Choice. Consumers should have choices about how their information is used or disclosed beyond the original purpose for which it was provided (e.g., to complete a transaction). Choice may be opt-in (e.g., click here to receive valuable information from our sponsors) or opt-out (e.g., click here if you do not want to receive new product announcements). Opt-in affords stronger privacy protection because it establishes a default rule against disclosure and use.

Access. Consumers should have access to stored information about them and an opportunity to correct inaccuracies or delete data.

Security. Web sites should protect the security of the data and ensure its integrity and accuracy.

Enforcement. These principles must be enforced to be effective. You should have procedures in place to address infractions.

Any online company should formulate and comply with its own comprehensive privacy policy, and should become familiar with the Federal Trade Commission's October 1999 publication titled "Self-Regulation and Privacy Online."

No Policy? Significant Liability Risk!

Apart from damaging consumer confidence, a company's failure to adopt and follow reasonable privacy policies creates a significant risk of liability. The development of companywide information collection practices, including notice and disclosure of such practices to consumers, is critical to establishing and maintaining consumer confidence and a viable online presence.

The use of personally identifiable information collected from Internet users -- whether through voluntary means, such as registration, or involuntarily, through the use of cookies and other technology -- can make a company vulnerable to legal actions based on federal and state fair trade, unfair competition, and other laws. Similarly, the use of information in ways that are inconsistent with a company's published privacy policy may result in enforcement actions by the FTC and attorneys general, and class actions by private individuals.

Potential privacy violations become more complex when Internet companies merge, acquire one another, or form relationships that involve the sharing or transfer of Internet user information. Before acquiring or entering into an online partnering relationship, it is wise to compare a potential partner's information collecting practices with its published privacy policy.

Similar issues may arise when an online business enters into an advertising or outsourcing relationship. For example, the advertiser may routinely collect, aggregate, and disclose user information in a manner that violates the privacy policy of the online business. The parties should address any conflicts in their information collecting and disclosure practices before finalizing the relationship.

State, Federal, and International Regulation

Internet privacy law is in its infancy. There remains significant uncertainty in this area, given the absence of clear legal precedent; proliferation of privacy-related litigation nationwide; and the emergent body of state, federal, and international regulation. For example, federal banking regulators are accepting comments on proposed privacy regulations for financial institutions.

Since the passage of the Gramm-Leach-Bliley Act of 1999, state legislatures have been preparing privacy statutes and regulations that will affect companies from many industries. The Yahoo! Inc., DoubleClick Inc., and Amazon.com Inc. litigations, and the class actions filed against RealNetworks for secretly tracking the music listening habits of its users through RealJukebox (free software downloaded from the RealNetworks Web site), all reflect the propensity of the dot-com world to become involved in litigation alleging privacy violations.

For example, the FTC sued GeoCities for misrepresenting its reasons for collecting personal information from its visitors. The FTC claimed that GeoCities sold visitors' personal information to third-party marketers, despite its privacy policy that stated that it would use information only for advertising offers or visitor-requested services. GeoCities settled the case and agreed to post a revised privacy policy that addresses certain fair information practice principles established by the FTC.

Online Privacy Resources

There are many online resources that are excellent for small businesses. For example, the Online Privacy Alliance Web site is an excellent educational resource. The alliance has roughly 100 corporations and associations as members, and is committed to working with government to avoid having the public debate over Internet privacy result in unnecessary anti-industry sentiment. Also, there is an extensive hyperlinked reference to privacy-related news stories and legal resources, the E-CommerceLaw Source.com.

The discussion above is for informational purposes only and is certainly not a substitute for consulting a qualified lawyer to examine the issues and risks of your particular venture.

Copyright © 1995-1999 Pinnacle WebWorkz Inc. All rights reserved. Do notduplicate or redistribute in any form.