If e-commerce firms fail to consider issues regarding privacy, they may create an environment ripe for legislative encroachment, future Federal Trade Commission ("FTC") actions and class action lawsuits. Privacy breaches pertain to a wide range of information collected by Web sites, from addresses, telephone numbers, email addresses and text entries to specific user interests found in registrations and mailing lists. This kind of information is called personally identifiable information ("PII"). In June 1998, the FTC submitted a report to Congress regarding online privacy. This report highlighted five key principles which the FTC recommends e-commerce sites employ in order to promote consumer privacy:

  1. Notice. Web firms should give consumers notice of any PII collection practices prior to actual collection, including, among other things, all parties involved in collecting, archiving or receiving PII.
  2. Choice. Consumers must first consent to uses of their PII. Such consent should be clear, easily available and sufficiently explanatory. "Choice" requires Web firms to provide either an "Opt-in" (consumers must click to provide their consent) or "Opt-out" method (consumers are presumed to consent unless they indicate otherwise).
  3. Access. Consumers must have a right to access their PII and correct errors and omissions.
  4. Security. Web firms should have reasonable protections to prevent corruption of and inappropriate access to PII.
  5. Enforcement. The FTC contended that enforcement mechanisms should be put into place for privacy regulations, but did not offer firm recommendations. The FTC looks favorably upon Web sites that meet trade association requirements for privacy protection.

The principles illustrate the need for all Web sites collecting PII to post and maintain a clearly displayed privacy policy. Those sites that fail to do so risk, in certain circumstances, the prospect of an action by the FTC for unfair and deceptive trade practices.

The FTC may sue an e-commerce firm for engaging in a deceptive trade practice if that firm violates its own privacy policy. For instance, the FTC settled a complaint against Geocities Corporation, an Internet service provider and Web hosting entity, regarding its PII collection practices. The complaint stated that Geocities violated its agreement with its users to not share any consumer information without their consent. The FTC also settled a case in May 1999 against Liberty Financial Companies, Inc., in which the FTC accused the company of falsely representing on its Web site that PII collected from children would be maintained anonymously. Today, Liberty's actions might have also violated the Children's Online Privacy Protection Act ("COPPA") and the FTC's associated regulations, which apply to Web sites geared towards children or sites that have actual knowledge of their collection of children's PII.

Under COPPA, the FTC developed a rule which mandates, among other requirements, detailed notice of PII collection and verifiable parental consent prior to disclosures, parental bans on further collection and dissemination, disclosure limits tied to a child's participation in games and prize offers, and security procedures holding children's information confidential. E-commerce firms offering financial services should also ensure compliance with the Gramm-Leach-Bliley Financial Modernization Act, which also imposes substantial privacy responsibilities.

More recently, in the summer of 2000 the FTC settled separate charges against Toysmart.com and several online pharmacies. Toysmart.com had attempted to sell PII after it filed for bankruptcy despite the fact that Toysmart.com stated in its privacy policy that it would not do so. The charges against the online pharmacies involved, among other allegations, the sharing of PII and associated medical data with third parties. Sharing such data also implicates the Health Insurance Portability and Accountability Act of 1996, which imposes substantial restrictions and penalties regarding the use of medical data.

One avenue to liability that Web sites often ignore involves advertising. Many Web sites do not realize that when they contract with a third-party agency to manage Web site traffic and advertising, that agency's ability to collect PII on the site can lead to violations of that site's privacy policy.

Ultimately, if Web firms do not take substantial steps to prevent consumer abuses stemming from their commercial practices, they face the specter of FTC complaints and class action lawsuits. Importantly, a number of steps can be taken to reduce the risk that these events will occur, including adherence to a well-drafted privacy policy and clear agreements between Web firms and agencies governing the use of collected data.

This article, which may be considered advertising in certain jurisdictions, does not purport to give legal advice pertaining to any particular situation and creates no attorney-client relationship. Readers should seek professional legal advice concerning any particular situation they face.

Jason Mark Anderman practices in Goodwin Procter's Intellectual Property/Technology Practice Area. He can be reached at janderman@goodwinprocter.com.

Copyright © 2001 Goodwin Procter LLP. All Rights Reserved.