If e-commerce firms fail to consider issues regarding privacy, they may create an environment ripe for legislative encroachment, future Federal Trade Commission ("FTC") actions and class action lawsuits. Privacy breaches pertain to a wide range of information collected by Web sites, from addresses, telephone numbers, email addresses and text entries to specific user interests found in registrations and mailing lists. This kind of information is called personally identifiable information ("PII"). In June 1998, the FTC submitted a report to Congress regarding online privacy. This report highlighted five key principles which the FTC recommends e-commerce sites employ in order to promote consumer privacy:
Notice. Web firms should give consumers notice of any PII collection practices prior to actual collection, including, among other things, all parties involved in collecting, archiving or receiving PII.
Choice. Consumers must first consent to uses of their PII. Such consent should be clear, easily available and sufficiently explanatory. "Choice" requires Web firms to provide either an "Opt-in" (consumers must click to provide their consent) or "Opt-out" method (consumers are presumed to consent unless they indicate otherwise).
Access. Consumers must have a right to access their PII and correct errors and omissions.
Security. Web firms should have reasonable protections to prevent corruption of and inappropriate access to PII.
Enforcement. The FTC contended that enforcement mechanisms should be put into place for privacy regulations, but did not offer firm recommendations. The FTC looks favorably upon Web sites that meet trade association requirements for privacy protection.
Under COPPA, the FTC developed a rule which mandates, among other requirements, detailed notice of PII collection and verifiable parental consent prior to disclosures, parental bans on further collection and dissemination, disclosure limits tied to a child's participation in games and prize offers, and security procedures holding children's information confidential. E-commerce firms offering financial services should also ensure compliance with the Gramm-Leach-Bliley Financial Modernization Act, which also imposes substantial privacy responsibilities.
This article, which may be considered advertising in certain jurisdictions, does not purport to give legal advice pertaining to any particular situation and creates no attorney-client relationship. Readers should seek professional legal advice concerning any particular situation they face.
Jason Mark Anderman practices in Goodwin Procter' s Intellectual Property/Technology Practice Area. He can be reached at firstname.lastname@example.org.