E-Commerce: An Introduction, Shopper Privateness

E-Commerce: An Introduction, Shopper Privateness

E-Commerce: An Introduction, Shopper Privateness

Session 4: Shopper Privateness

Instructing Fellows: Rita Lin

Visitor Panelists:

Blake T. Bilstad, Esq.
Company Counsel, Secretary
MP3.com, Inc.

Keith P. Enright, Esq.
Principal, TECHNE Consulting
Govt Director, PrivacyLaw.Internet

Supplemental Materials:

“Memorandum on Privateness Audits and Privateness Insurance policies,” Michael Strapp, Harvard Legislation College.

“Privateness Audit Guidelines,” Keith P. Enright, Esq.


I. Introduction

II. Info Assortment

III. Legal responsibility for On-line Profiling

IV. Growing a Privateness Coverage

V. Statutes and Laws

VI. References

VII. Extra Supplies

I. Introduction

Privateness is one of probably the most complicated authorized points dealing with e-commerce ventures at present. Many websites, such because the one in our case research, have little curiosity in actively profiling their customers or discovering private details about them. Nevertheless, these websites will usually acquire important quantities of personally identifiable knowledge that could set off legal responsibility dangers.

A few of this knowledge is actively provided by customers. For instance, the WGU web site collects names, bodily and electronic mail addresses, and bank card data by way of varieties. Customers might also voluntarily provide private data of their threaded dialogue messages, that are archived on the location. However, a few of this knowledge is passively collected. The host server information routine details about every go to. Some of the location’s banner advertisements permit third-party advertisers to trace customers’ shopping habits.

Our job on this part is to evaluate the legal responsibility threat of a web site’s data assortment practices. We will break this job down into 4 foremost steps. First, we should decide what data is collected by the location. Second, we should consider the potential legal responsibility for these data assortment practices. Third, we should select whether or not to develop a privateness coverage to reveal these practices. And, fourth, we should confirm our compliance with statutes or laws. This lecture will look at every of those 4 steps.

[Back to top]

II. Info Assortment

Many e-commerce websites immediately ask customers for private data by way of varieties. Nevertheless, in addition to such data, many websites additionally file knowledge about their customers’ shopping habits. This knowledge could be matched with private and demographic data to create a profile of person preferences. Websites may use these profiles to focus on promoting or supply personalized providers. Or, websites may have interaction in weblining, the place completely different customers are supplied completely different costs based mostly on their profiles. Customers who’ve more cash or need a product extra are charged extra; alternately, lowered costs are denied to customers who store so properly for bargains that distributors will make no revenue by promoting to them. Enterprise Week has a terrific article on weblining (Web site)(Stepanek).

Attorneys should be cognizant that some e-commerce shoppers could not all the time pay attention to the extent to which their web site collects knowledge about its prospects. At first look, the web site in our case research won’t seem to gather a lot data. However, if we glance deeper, we will see that customers are disclosing data in two necessary methods: first, knowledge mechanically collected by the location’s server software program, and second, knowledge collected by third-party advertisers by way of our web site.

In our case research, the server software program will nearly definitely acquire quite a lot of data mechanically. Most server software program will mechanically file an internet log of shopping habits: what pages customers go to, the time and length of these visits, ads seen and clicked on throughout these visits, purchases made, question phrases entered in serps, and the referring web site that directed the person to the corporate’s web page. Moreover, most software program will mechanically acquire details about every person’s IP tackle, laptop title, browser sort, electronic mail tackle (if offered by the person’s browser or a “net bug”), community proprietor, and area registration.

Along with this data, our web site does permit third-party advertisers to position cookies on customers’ onerous drives. Advertisements on our web site are positioned by way of DoubleDealer, a (fictional) promoting community just like DoubleClick. DoubleDealer makes use of cookies to develop long-term profiles of customers’ shopping habits throughout a number of visits and completely different websites. It has a profile for each person that has ever regarded certainly one of their advertisements. Each time a person sees a DoubleDealer ad–whether on our case research web site or one other web site that carries their ads–her laptop will ship a observe to DoubleDealer indicating what sort of web site she’s taking a look at. And DoubleDealer will retailer that data in her file, so it is aware of to ship her extra advertisements associated to snowboarding or new age music or no matter she appears to love. On this sense, DoubleDealer tracks customers by way of our web site and all the opposite websites on its promoting community. As counsel to the WGU web site, it can be crucial that we acknowledge DoubleDealer’s practices as a result of they might create legal responsibility dangers and should be disclosed in our web site’s privateness coverage.

From the instance of our case research, we will see the significance of understanding the web site’s knowledge assortment practices. Computerized software program logs and third-party cookie placements are two of probably the most simply ignored features of knowledge assortment. Many websites have no real interest in actively profiling their prospects and may even insist to their counsel that they acquire no private data. However most of those websites do acquire data mechanically by way of thier server software program, and plenty of permit third-party cookie placement. In line with a current FTC privateness survey, though 57% of the busiest websites allowed third-party cookie placement, solely 22% disclosed that reality of their privateness insurance policies (Web site) (FTC,Privateness). Earlier than creating privateness insurance policies or weighing the authorized dangers of on-line profiling, on-line distributors and their attorneys ought to make sure that they’re conscious of the true extent of the location’s knowledge assortment practices.



Cookies acquire data as a person surfs the net and feed the data again to an internet server. An internet vendor’s web site will ship cookies (which is most easily an identification quantity) to a person’s laptop, the place it’s saved in a file on the person’s onerous drive and serves as a digital identifier tag that notifies the seller each time that person re-enters the seller’s web site. Though customers can configure their browser to disable cookies, some websites require customers to just accept them earlier than permitting entry.

Cookies have two foremost makes use of. First, by permitting the location to “bear in mind” the person, they can customise an internet site by producing particular content material focused to a selected person. For instance, cookies are generally used to mechanically provide passwords for customers preferring to not re-enter their password every time they entry a web site. Second, cookies are utilized by community promoting businesses, comparable to DoubleClick, to focus on product ads based mostly on long-term profiles of customers’ shopping for and browsing habits. When the advertiser contracts with many various web sites, it may possibly observe the identical cookie as that person surfs the net. Advertisers then collate this details about the person’s habits in a central database.

For extra data on cookies, see Vitality Division’s Pc Incident Advisory Council report (Web site) (Vitality). Additionally, take a look at Cookie Central (Web site) (Cookie). Netscape has a technical specification for cookies as properly (Web site) (Netscape).

Net bugs (or pixel tags)

Net bugs are images–usually invisible as a result of they’re just one pixel broad by one pixel high–that are embedded in net pages and HTML-formatted emails. Promoting networks usually use net bugs on net pages so as to add data to non-public profiles saved in cookies and to acquire statistics about what number of hits the location will get. Advert networks additionally use net bugs in “junk electronic mail” campaigns to find out what number of customers learn the emails and visited the linked web site, to take away customers from the record who didn’t open the advertising emails in any respect, or to synchronize cookies with the person’s electronic mail tackle.

The EFF has a nice FAQ on net bugs (Web site) (EFF, 1999). You may bake your personal cookie at Privateness.web (Web site)(Privateness.web).


Cookies and net bugs are solely the start. New applied sciences are being developed on daily basis to collect extra complete knowledge on shopper conduct. For an outline of some of those new data-collection applied sciences, together with some information on privacy-enhancing applied sciences comparable to P3P, see Growing Applied sciences.

[Back to top]

III. Legal responsibility for On-line Profiling

Though the FTC has beneficial laws to manage on-line profiling (Web site) (FTC, 2000), present American privateness regulation accommodates nearly no common prohibitions towards the gathering of shopper knowledge. In the present day, most privateness initiatives goal particular industries or varieties of knowledge, comparable to shopper credit score reviews, cable TV subscriber data, or private monetary data. See Protected Classes for extra data.

In our case research, the WGU web site will nearly definitely not face legal responsibility based mostly on a sector-specific federal statute as a result of it doesn’t acquire data that falls beneath any of the protected classes. The one relevant federal regulation can be Digital Communications Privateness Act (ECPA), which some privateness advocates have argued prohibits using cookies with out prior consent. In line with this interpretation of the ECPA, our web site may very well be responsible for permitting DoubleDealer to position cookies on customers’ onerous drives. Nevertheless, this interpretation of the ECPA is controversial, and few claims have reached remaining judgment. The location may additionally face widespread regulation or state regulation claims.

Earlier than discussing the authorized grounds for motion, nevertheless, it’s helpful first to get a way of the bigger public coverage considerations behind these arguments. Proponents of on-line profiling contend that gathering knowledge about shoppers permits websites to enhance service. Websites can customise content material, consider shopper response to merchandise, and goal advertisements to a shopper’s pursuits. Proponents argue that revenues from focused advertisements have backed the present wealth of free content material on-line; with out such a subsidy, the net could transfer towards a fee-based entry system that will worth low-income readers out of the market. For extra data on these arguments, go to the Affiliation of Nationwide Advertisers (Web site) (ANA, 2001) and the Direct Advertising Affiliation (Web site) (DMA, 2001). Authorized students have additionally urged that the enlargement of privateness threatens free speech rights protected by the First Modification. Solveig Singleton has a terrific regulation evaluate article on this matter (Singleton, 2000).

However, privateness advocates argue that customers shouldn’t be tracked with out their discover or consent. These advocates argue that buyers will not be adequately knowledgeable about passive data assortment applied sciences. In line with a Enterprise Week survey, solely 40% of customers have even heard of cookies, and of these, solely 25% have been in a position to choose the proper definition on a a number of selection questionnaire (Web site) (Enterprise Week, 2000). Moreover, privateness advocates contend that even when many of the data at present collected isn’t personally identifiable, it poses critical privateness considerations due to the inherently invasive scale of the monitoring. In addition they fear that companies will later resolve to mix the at present non-identifiable databases of shopping habits with private data from different sources. Lastly, advocates have posited that the patron discomfort with on-line monitoring will chill use of assets on delicate subjects comparable to abortion, HIV, or melancholy, and forestall the digital market from reaching its full potential.


Because of the absence of particular laws regulating on-line profiling, shopper class motion fits have proceeded beneath many various authorized theories. Some plaintiffs have argued that cookies and net bugs permit unauthorized entry to the person’s onerous drive (the place the cookies are saved) and due to this fact violate the Digital Communications Privateness Act (ECPA), (Web site) (§§ 2510-22) and (Web site) (§§ 2701-11). Others have urged that passive data assortment is actionable as a common-law privateness tort or trespass. Nonetheless others have additionally pursued their claims beneath state legal guidelines, comparable to Texas’s anti-stalking statute or California’s prohibition towards misleading and unfair commerce practices.

Just one shopper swimsuit filed towards on-line profilers has reached remaining judgment. In late March, a United States District Courtroom dismissed a extremely publicized shopper class motion swimsuit towards DoubleClick (DoubleClick, 2001). The plaintiffs’ pleadings alleged that DoubleClick’s use of cookies violated three federal legal guidelines: the Digital Communications Privateness Act, which prohibits unauthorized interception of digital communications; the Wiretap Act, which prohibits wiretapping in some conditions; and the Pc Fraud and Abuse Act, which prohibits unauthorized entry to a pc. The court docket discovered no violation of the legal guidelines as a result of websites consented to using cookies by third-party advertisers. Moreover, the court docket held that there was no proof that these legal guidelines have been supposed to ban cookie use by on-line advertisers. The choice has been appealed to the Second Circuit. DoubleClick nonetheless faces extra fits in Texas and California based mostly on state privateness and shopper safety legal guidelines.

Regardless of the DoubleClick resolution, the authorized limits on on-line profiling stay unclear. A California district court docket not too long ago denied a movement to dismiss a category motion swimsuit towards Intuit and dominated that Intuit’s use of cookies could violate components of the ECPA (Intuit, 2001). Moreover, in lots of state and federal jurisdictions, using cookies or related applied sciences to trace customers’ shopping habits can be a problem of first impression. Though the DoubleClick resolution could show persuasive to courts, different jurisdictions won’t be certain by it. And fits could proceed to proceed beneath state statutes on privateness and shopper rights.

Digital Communications Privateness Act (ECPA)

The ECPA, (Web site) (§§ 2510-22) and (Web site) (§§ 2701-11), imposes civil and legal penalties for the intentional interception, disclosure, or use of digital communications that have an effect on interstate or international commerce. Digital communications are outlined as any switch of knowledge by way of wire or electromagnetic system. Courts have interpreted the time period to incorporate electronic mail (Bochach, 1996).

The most important impediment to utilizing the ECPA to limit on-line profiling is that it exempts events from legal responsibility in the event that they acquire the prior consent from “customers” (§ 2701) or “events to communication” (§ 2511). Based mostly on the “person” exception in § 2701, a federal district court docket dominated in DoubleClick that the ECPA doesn’t bar using cookies by third-party advertisers. The court docket discovered that Web sites the place advertisements have been positioned represent “customers” beneath the ECPA. So long as the Web site agrees to using cookies, the requirement of “prior consent by customers” is glad and DoubleClick can’t be held accountable (DoubleClick, 2001). Supporters of the choice have drawn an analogy to the regulation governing third-party listening in phone conversations: if two persons are speaking on the cellphone, both one has the unbiased authority to consent to listening by third events.

Nevertheless, critics of the choice have argued that solely the patron may give consent to cookie placement as a result of the patron’s onerous drive is the related web site of saved data. And at the very least one California court docket agrees. In a current resolution relating to a category motion swimsuit filed towards Intuit, which owns quicken.com, a California district court docket refused to dismiss a declare based mostly on the ECPA (Intuit, 2001). The ECPA has two main components related to on-line profiling: Part 2701 prohibits unauthorized entry to saved communiciations, and Part 2511 prohibits the interception of digital communications for tortious or legal functions. The court docket denied Intuit’s movement to dismiss the Part 2701 declare. Though the court docket didn’t tackle DoubleClick‘s consent reasoning immediately, it emphasised that the customers’ onerous drives have been their very own and thus that customers alone may consent to cookie use. The court docket held that if the plaintiffs’ allegations are true, Intuit did violate the saved communications provision of the ECPA by putting cookies on customers’ onerous drives. Nevertheless, the court docket did dismiss the claims beneath Part 2511 as a result of it noticed no proof that Intuit’s function was legal or tortious. The plaintiffs’ argument that cookies violated customers’ privateness and due to this fact constituted a common-law privateness tort have been unsuccessful in swaying the court docket’s discovering with regard to Part 2511.

In sum, the query of whether or not the ECPA prohibits cookie placement stays unresolved–particularly with regard to Part 2701.

Widespread-law Privateness Tort

The widespread regulation doctrine of private privateness consists of 4 grounds for tort legal responsibility (Restatement1). Susan Gindin wrote a terrific regulation evaluate article explaining the applying of these conventional privateness torts to our on-line world (Web site) (Gindin, 1997).

1. Unreasonable intrusion upon the seclusion of one other

“One who deliberately intrudes, bodily or in any other case, upon the solitude or seclusion of one other or his personal affairs or considerations, is topic to legal responsibility to the opposite for invasion of his privateness, if the intrusion can be extremely offensive to an inexpensive individual.” (Restatement2)

Remark c of the Restatement provision signifies that the part has been utilized to wiretaps. Nevertheless, just like the ECPA, the most important issue is that the availability applies solely to data not voluntarily offered, which can bar claims the place on-line profiling practices are disclosed within the phrases of use or privateness coverage.

2. Unreasonable publicity given to a different’s personal life

“One who offers publicity to a matter regarding the personal lifetime of one other is topic to legal responsibility to the opposite for the invasion of his privateness, if the matter publicized is of a sort that (a) can be extremely offensive to an inexpensive individual, and (b) isn’t of reliable concern to the general public.” (Restatement (Second) of Torts, 1965)

There are two main obstacles to making use of this doctrine to on-line profiling. First, the personal data should be communicated so broadly that it’s “considerably sure to change into certainly one of public data” (remark a). Since most advertising knowledge from on-line profiling is saved throughout the promoting corporations, the publication of personal data will usually not be sufficiently broad to maintain a tort motion beneath this provision. Second, the personal data should not be of public file. Just like the ECPA or the earlier privateness tort, this provision bars restoration by customers who present data voluntarily or search to protest the dissemination of publicly obtainable data comparable to delivery dates or marital standing.

3. Publicity that unreasonably locations one other in a false mild earlier than the general public

“One who offers publicity to a matter regarding one other that locations the opposite earlier than the general public in a false mild is topic to legal responsibility to the opposite for invasion of privateness, if (a) the false mild during which the opposite was positioned can be extremely offensive to an inexpensive individual, and (b) the actor had data of or acted in reckless disregard as to the falsity of the publicized matter and the false mild during which the opposite can be positioned.” (Restatement (Second) of Torts, 1965)

The issue with discovering tort legal responsibility for on-line profiling beneath this provision is that it is proscribed to the dissemination of misguided data. Underneath this tort, shoppers can insist on the best to right false data within the databases, however they can not declare the best to ban surveillance altogether.

4. The appropriation of one other’s title or likeness

“One who appropriates to his personal use or profit the title or likeness of one other is topic to legal responsibility to the opposite for invasion of his privateness.” (Restatement (Second) of Torts, 1965)

This tort could create a reason for motion for the sale of private data to on-line publishers or unsolicited business emailers. Nevertheless, plaintiffs have up to now been unsuccessful on this vein of argument (Shibley, 1975).

Different common-law bases of legal responsibility

Different common-law bases of legal responsibility embrace breach of contract, unjust enrichment, and fraud (the place specific guarantees in a privateness coverage have been violated) in addition to trespass to chattels. In two traditional texts, Alan Westin (Westin, 1967) and Arthur Miller (Miller, 1969) have additionally argued that non-public data needs to be thought to be a type of common-law property.

State statutes

In fact, legal guidelines defending privateness will differ by state. Quite a few shopper class motion complaints about on-line profiling have alleged violation of state statutes towards misleading or unfair commerce practices. Others have relied on anti-stalking statutes (Stewart, 2000). The New York Occasions has an article on the case (Web site) (Kaplan, 2000). CNET Information additionally has an article (Web site) (CNET, 2000). Some states additionally supply particular safety for explicit courses of knowledge, comparable to medical data. For extra data, test with counsel who’s conversant in the legal guidelines of the person state.

Pending circumstances

Shopper class motion fits are at present pending towards RealNetworks, Toysrus.com, Avenue A, MatchLogic, Intuit, Amazon, and Pharmatrak. See Pending Shopper Class Actions for extra data.


States have additionally introduced actions towards on-line profilers beneath a wide range of authorized theories, usually involving state shopper safety statutes. The Michigan Lawyer Basic’s Workplace not too long ago settled a case with eGames, an internet video games retailer. The state had accused eGames of violating Michigan’s Shopper Safety act by failing to reveal on-line profiling by third-party advertisers on its web site. The eGames case was the most recent in a sequence of fees associated to on-line profiling introduced by the Michigan Lawyer Basic. See State Attorneys Basic for extra details about state actions.


Underneath Part 5 of the FTC Act, the FTC has the authority to sue corporations that have interaction in unfair or misleading commerce practices. To date, the Fee has restricted its use of this authority to pursuing on-line companies who fail to adjust to statements of their posted privateness insurance policies. It has not pursued companies who observe customers’ actions on-line by way of passive data assortment applied sciences comparable to cookies, so long as such practices don’t violate the ensures supplied within the web site’s privateness coverage.

The FTC has made clear that it doesn’t contemplate on-line profiling to be per se misleading or unfair when such practices are disclosed in privateness insurance policies and customers have the chance to opt-out. In reality, the FTC cleared DoubleClick, a community promoting agency that makes use of cookies and net bugs to focus on ads, of wrongdoing in a current investigation. Nevertheless, if on-line profiling isn’t disclosed to shoppers, the Fee’s stance could also be completely different. In its consent decree settlement with Geocities and its report back to Congress on privateness, the FTC hinted that it would contemplate undisclosed profiling to be per se unfair–even if the location has not posted a privateness coverage in any respect (Web site) (FTC, 2000).


Even when the disclosure of private data could be restricted by present statutes, administrative laws, or widespread regulation, shoppers who search to halt on-line profiling could face a further hurdle: a possible battle with the First Modification (web site)(1st) of the USA Structure. Eugene Volokh, a well known scholar on on-line speech, has argued that privateness guidelines could violate the free speech rights of those that want to disclose data, comparable to information businesses (Volokh, 2000).

Though the Supreme Courtroom has indirectly addressed the problem, the Courtroom has up to now upheld privateness legal guidelines towards constitutional problem and refused to deal with the sale of private data as speech. In Reno v. Condon, the Courtroom held that personally identifiable data constituted a “factor in commerce” slightly than speech and upheld a South Carolina regulation limiting the disclosure of drivers’ private data with out prior consent (Web site) (Condon, 2000). In Los Angeles Police Dept. v. United Reporting, the Courtroom additionally rejected a First Modification problem to a California statute that restricted entry to the names and addresses of arrested people (Web site) (United Reporting, 1999). Just like the regulation of on-line profiling usually, the First Modification concern stays unsettled.

[Back to top]

IV. Growing A Privateness Coverage


Underneath present American regulation, corporations will not be legally obligated to put up privateness insurance policies. Certainly, privateness insurance policies may very well put corporations at authorized threat. The FTC has investigated and sued corporations for failure to adjust to their said insurance policies. Furthermore, as soon as a partial disclosure of knowledge follow has been made, corporations could even face an obligation to completely disclose all privateness practices. Though the FTC has by no means explicitly said that partial disclosure triggers full disclosure, it scrutinized statements that “arguably raised an inference of at the very least one potential use” of private knowledge in its report back to Congress on on-line privateness. In different phrases, “click on right here to be on our mailing record” may be misleading if customers’ electronic mail addresses are later bought to third-party advertisers–even although no assure is ever made that the e-mail tackle can be used solely for the location’s mailing record.

Regardless of the authorized dangers, many websites voluntarily select to undertake privateness insurance policies. Why?

First, privateness insurance policies can enhance shopper confidence in a web site’s on-line choices. Shoppers could really feel extra snug providing private data or making purchases if privateness insurance policies are posted. In line with a report by AT&T in 1999, 27% of Web customers would ordinarily be unwilling to supply their names and postal addresses for a passion web site. Nevertheless, if the location displayed a privateness coverage and a seal of approval from a well known shopper advocacy group like the Higher Enterprise Bureau, 58% of these customers can be extra seemingly to supply the data. The dearth of shopper belief has translated immediately into misplaced revenues. In line with the FTC, attributable to shopper privateness considerations relating to on-line purchases, e-commerce corporations misplaced as a lot $2.8 billion in income in 1999 and are projected to lose $18 billion by 2002 (Web site) (FTC, 2000).

Second, the European Union Information Directive has offered an added incentive for e-commerce corporations in the US to put up privateness insurance policies. Article 25 of the Directive prohibits the switch of private knowledge from the EU to sure international locations missing “ample” privateness safety insurance policies, such because the US. Nevertheless, to forestall the blockage of all private knowledge movement between the US and Europe, the US Commerce Division has negotiated a Protected Harbor settlement with the EU. Underneath the Protected Harbor, American corporations could proceed to obtain private knowledge from the EU, so long as they put up privateness insurance policies and adjust to seven foremost ideas of privateness safety. See the subsection on the EU Information Directive beneath.


Privateness Audit

Step one is to conduct a privateness audit to resolve what data can be collected, how it will likely be used, and whether or not it will likely be shared with outdoors events. For extra data on how you can conduct a privateness audit, seeMichael Strapp’s “Memorandum on Privateness Audits and Privateness Insurance policies.” The Software program and Info Business Affiliation has a wonderful and informative privateness workbook (Web site) (SIIA, 2001), as does the Michigan Lawyer Basic’s Workplace (Web site) (Michigan AG’s Workplace, 2000).

There are additionally quite a few business certification packages, comparable to TRUSTe or BBBOnline that provide seals of approval and common auditing. See Business Certification Packages for a listing.

Basic data about privateness insurance policies

  • Privateness insurance policies needs to be drafted in plain and direct English. If the location targets shoppers in non-English-speaking nations, translations needs to be obtainable.
  • Privateness insurance policies needs to be personalized. Delicate or personally identifiable data could require the next diploma of safety than mixture or non-personally identifiable data.

Parts of a privateness coverage

    1. Discover

  • What knowledge is being collected? How? Are cookies or net bugs used?
  • What’s the major use of the information? What are different secondary makes use of?
  • What third events could have entry to the data?
  • What safety measures are in place to make sure the confidentiality and accuracy of knowledge?
  • Are items and providers supplied on the web site made obtainable to customers provided that they present private data?
  • Will the location proprietor disclose customers’ private data if it believes in good religion that the regulation requires it?

If third-party advertisers acquire knowledge on shoppers by way of advertisements positioned on the location, this follow needs to be disclosed and shoppers needs to be knowledgeable that the location itself doesn’t retain such data. Equally, if knowledge assortment is outsourced to a different firm or a third-party, this follow needs to be disclosed even when the information is meant for inside use solely.

2. Alternative: choose in or choose out?

Most corporations have adopted the opt-out method, which permits shoppers to decide on to not permit their knowledge to be shared with third events or used for advertising functions. Underneath opt-out, the default selection is to permit use of private knowledge. Underneath opt-in, the default is to limit use of private knowledge.

Firms are free to decide on between permitting prospects to choose out or choose in. Regulation requiring choose in slightly than choose out has been struck down by courts as violating the First Modification’s requirement of slender tailoring. In U.S. West v. Federal Communications Fee, the court docket struck down FCC guidelines requiring cellphone corporations to acquire affirmative opt-in permission to share buyer calling patterns with third events (U.S. West, 1999).

3. Entry and accuracy

Firms should resolve whether or not they’ll permit customers to entry their knowledge, right inaccuracies, or take away data they don’t want disclosed. Firms profit from correct buyer data, and person entry can enhance customer support by making certain that items are correctly shipped or prospects obtain data that almost all precisely matches their pursuits. Nevertheless, the patron entry to knowledge could require extra bills, computing assets, and personnel. On-line entry could not all the time be possible, notably for corporations that retailer extra delicate knowledge comparable to medical data. In such circumstances, written mail may be extra acceptable.

Watch out about specific or implicit ensures of safety. Breaches can create authorized claims based mostly on contract or tort.

Inner audits could also be acceptable for corporations that solely acquire mixture or non-personally identifiable data, whereas third-party monitoring could also be acceptable for corporations that acquire extra delicate data.

    6. Revision of coverage

  • Is the privateness coverage topic to alter or in any other case conditional?

    Posting a privateness coverage

To supply discover to shoppers, the privateness coverage needs to be posted prominently. Within the matter of GeoCities, the FTC developed a listing of necessities for ample discover:

  • A transparent and outstanding hyperlink or button labeled “PRIVACY NOTICE” on the house web page, which immediately hyperlinks to the privateness coverage;
  • Clear and outstanding show of the weather of the coverage with a button that should be clicked on on the backside of the display screen to make it disappear; and
  • A transparent and outstanding hyperlink to the privateness coverage at every location the place private figuring out data is collected, together with the next assertion in daring typeface: “NOTICE: We acquire private data on this web site. To be taught extra about how we use your data, click on right here.”


Firms that violate their privateness insurance policies could face authorized motion along with detrimental shopper response. In our case research, the ComeStudyAbroad.com web site can restrict its legal responsibility by ensuring to reveal each the information mechanically collected by its server software program and the cookies positioned by its third-party advertisers.

Federal Commerce Fee

The FTC doesn’t have the authority to require websites to put up privateness insurance policies. Nevertheless, as soon as a coverage is posted, the FTC has claimed the authority to require compliance with said practices. The FTC has investigated and sued a number of on-line corporations for deviating from statements made of their privateness insurance policies. The Fee has argued that such deviations represent unfair and misleading commerce practices, for which it’s licensed to hunt cures beneath the FTC Act (Web site) (FTC Act, 1938).

The regulation isn’t but clear on whether or not the FTC has the authority to implement privateness insurance policies and whether or not the failure to adjust to said insurance policies constitutes misleading commerce practices. No remaining judgments have been made as a result of all related circumstances have both settled by way of consent orders or at present await trial. To date, the FTC has sued or investigated GeoCities, Toysmart, DoubleClick, Amazon, and a sequence of on-line pharmacies. See Federal Commerce Fee for summaries of every of those circumstances.

State enforcement

State lawyer generals have sought to implement privateness insurance policies beneath each civil and legal regulation, usually invoking state shopper safety statutes. For example, Toysrus.com, DoubleClick, Clearstation, Infobeat, Extra.com, and Residing.com all face fits by state lawyer generals for failure to adjust to said privateness practices. See State Enforcement for summaries of every of those circumstances.

Non-public tort actions

Non-public fits have been predominantly introduced beneath the ECPA and common-law privateness invasion. See Pending Shopper Class Actions for extra data.

Shoppers have additionally used contract regulation to implement privateness insurance policies. One shopper efficiently sued Kozmo.com in California small claims court docket for breach of contract after Kozmo.com despatched e-mail to customers who had particularly opted out of receiving such bulletins. The plaintiff was awarded $50 in damages and $27.50 in court docket prices. The plaintiff has put a textual content of her judgment and an account of her story on-line (Web site) (Spertus, 2001).

[Back to top]

V. Statutes and Laws

Though Congress is at present debating a complete privateness laws scheme, the United States has historically taken a sectoral method to privateness. Particular person statutes require completely different requirements of conduct from completely different industries comparable to credit score reporting, monetary establishments, telecommunications providers, or cable tv. Delicate knowledge, comparable to monetary or medical data, additionally face completely different requirements of regulation. Information assortment by the federal authorities is regulated by its personal particular set of statutes. None of those classes will apply to our case research. For extra data on these statutes, see Protected Classes beneath.

At this level, no statute covers the final assortment of private data on-line. In contrast to the European Union, which requires databases to be registered and authorised by authorities knowledge safety businesses, the USA has relied in the marketplace and self-regulation to handle privateness considerations. Nevertheless, in current years, many within the U.S. have argued that the present market-based method is insufficient and new laws needs to be enacted. In line with the FTC, solely 41% of randomly chosen websites and 60% of widespread websites met the essential requirements for discover and selection (Web site) (FTC, 2000). The Fee has concluded that self-regulation is insufficient and has beneficial that Congress undertake laws to set forth fundamental requirements for on-line data gathering.


In our dialogue in regards to the legal responsibility of on-line profiling, we noticed that the ECPA could present a reason for motion towards on-line profilers.

The ECPA may also be used to guard anonymity on-line. In McVeigh v. Cohen, the U.S. Navy obtained private data from America On-line relating to an nameless person who described himself in his AOL person profile as a homosexual navy officer (McVeigh, 1998). The court docket discovered that the ECPA barred the federal government from acquiring a person’s private data from an internet service supplier with out a warrant, subpoena, or court docket order.

Nevertheless, the ECPA’s restrictions on revealing customers’ private data apply solely to authorities subpoenas. In Terry Jessup-Morgan v. America On-line, Inc., the court docket held that the ECPA doesn’t regulate disclosure of subscriber identities to personal people (Web site) (Jessup-Morgan, 1998). As an alternative, these looking for to protect anonymity from personal events should flip to different doctrines, comparable to common-law privateness tort or unfair commerce practices (Aquacool, 2000).

The textual content of the ECPA is offered at (Web site) (18 U.S.C. §§ 2510-22) and (Web site) (§§ 2701-11)


COPPA applies to two main classes of internet sites:

  • Business web sites directed to youngsters beneath 13
  • Basic viewers web sites with precise data of private knowledge collected from youngsters beneath 13

If a web site satisfies both of those descriptions, private data can’t be collected from youngsters with out parental consent. COPPA additionally imposes different restrictions requiring discover, parental entry to data and the choice to alter it, the flexibility to opt-out of future data assortment, and assurances of knowledge safety. COPPA is enforced by the FTC, which has posted a wonderful information on compliance (Web site) (FTC, 1999).

Underneath the COPPA protected harbor, companies may also take part in authorised self-regulatory packages that exempt them from prosecution by the FTC. At present, the Higher Enterprise Bureau’s Kids’s Promoting Overview Unit (CARU) is the one FTC-approved protected harbor program. Nevertheless, TRUSTe, the Leisure Software program Score Board (ESRB), and PrivacyBot.com have all submitted proposals for approval.

The textual content of COPPA is offered at (Web site) (15 U.S.C. §§ 6501-06)


The Information Directive, which went into impact in October of 1998, lays forth necessities for privateness practices in member international locations. (Web site) (95/46). Article 25 additionally prohibits the switch of private data relating to EU residents to international locations missing “ample” privateness legal guidelines. In January 1999, the EU decided that US privateness legal guidelines have been insufficient beneath the Information Directive and due to this fact barred all knowledge transfers to the US after June 2001.

In an effort to protect trans-Atlantic transactions, the U.S. Commerce Division entered into negotiations with the EU and developed a Protected Harbor settlement. Underneath the settlement, US corporations could voluntarily exempt themselves from the Information Directive by selecting to observe seven privateness ideas: discover, selection, onward switch (i.e., binding third-parties to observe the seven privateness ideas), safety, knowledge integrity, and entry to right or take away data. These ideas are enforced by the federal authorities and authorised self-regulatory businesses comparable to TRUSTe or BBBOnline. See the Commerce Division’s Protected Harbor web site (Web site) (Commerce Dept., 1999).

Nevertheless, only a few American corporations have taken benefit of the Protected Harbor. Why? First, the Information Directive permits knowledge switch if websites acquire prior consent from knowledge topics. Many U.S. corporations plan to develop contracts with EU enterprise companions, who can acquire consent from the information topics, or clickwrap agreements with EU knowledge topics themselves. Second, because the enforcement of the Information Directive towards the US is at a standstill till at the very least June 2001, corporations could merely be ready till enforcement is imminent earlier than becoming a member of a Protected Harbor program. Third, even when American corporations exempt themselves from the Information Directive, native privateness legal guidelines in EU international locations should block knowledge transfers.


Numerous federal statutes that defend particular classes of personal data. There are particular guidelines for monetary and medical data, in addition to cellphone and video rental information. The federal government additionally faces completely different restrictions on what type of private knowledge it may possibly acquire and the way it can acquire that knowledge.For an outline of those statutes, see the Extra Supplies part.


Numerous payments are at present pending in Congress regarding privateness on the whole in addition to privateness on-line. Control new updates by way of EPIC’s bill-tracking service (Web site) (EPIC, 2001).

[Back to top]

VI. References

Marcia Stepanek, Weblining, BUSINESS WEEK, Apr. 3, 2000, obtainable at http://www.businessweek.com/2000/00_14/b3675027.htm. [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), obtainable at http://www.ftc.gov/reviews/privacy2000/privacy2000text.pdf. [Back to text]

U.S. DEPARTMENT OF ENERGY, INTERNET COOKIES (1998), obtainable at http://www.ciac.org/ciac/bulletins/i-034.shtml. [Back to text]

Cookie Central at . [Back to text]

Netscape, Shopper Aspect State HTTP Cookies at . [Back to text]

Digital Frontier Basis, The Net Bug FAQ at . [Back to text]

Bake Your Personal Web Cookie, Privateness.web at [Back to text]

FEDERAL TRADE COMMISSION, ONLINE PROFILING: A REPORT TO CONGRESS (2000), obtainable at http://www.ftc.gov/os/2000/06/onlineprofilingreportjune2000.pdf. [Back to text]

Affiliation of Nationwide Advertisers at . [Back to text]

Direct Advertising Affiliation at . [Back to text]

Solveig Singleton, Privateness versus the First Modification: A Skeptical Method, 11 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. 97 (2000). [Back to text]

Enterprise Week/Harris Ballot: A Rising Menace, BUSINESS WEEK, Mar. 20, 2000, obtainable at http://www.businessweek.com/2000/00_12/b3673010.htm. [Back to text]

18 U.S.C. §§ 2510-22, obtainable at http://caselaw.lp.findlaw.com/casecode/uscodes/18/components/i/chapters/119/toc.html. [Back to text]

18 U.S.C. §§ 2701-11, obtainable at http://caselaw.lp.findlaw.com/casecode/uscodes/18/components/i/chapters/121/toc.html. [Back to text]

In re DoubleClick Inc. Privateness Litigation, 2001 WL 303744 (S.D.N.Y. Mar. 29, 2001). [Back to text]

In re Intuit Inc. Privateness Litigation, 2001 WL 370081 (C.D. Cal Apr. 10, 2001). [Back to text]

In re Intuit Inc. Privateness Litigation, 2001 WL 370081 (C.D. Cal Apr. 10, 2001). [Back to text]

18 U.S.C. §§ 2510-22, obtainable at http://caselaw.lp.findlaw.com/casecode/uscodes/18/components/i/chapters/119/toc.html. [Back to text]

18 U.S.C. §§ 2701-11, obtainable at http://caselaw.lp.findlaw.com/casecode/uscodes/18/components/i/chapters/121/toc.html. [Back to text]

Bohach v. Metropolis of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996). [Back to text]

In re DoubleClick Inc. Privateness Litigation, 2001 WL 303744 (S.D.N.Y. March 29, 2001). [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652A-E. [Back to text]

Susan E. Gindin, Misplaced and Present in Our on-line world, 34 SAN DIEGO LAW REVIEW 1153 (1997), obtainable at http://www.info-law.com/misplaced.html#widespread. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652B. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652C. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652D. [Back to text]

RESTATEMENT (SECOND) OF TORTS § 652E. [Back to text]

Shibley v. Time, Inc., 341 N.E.second 337, 339 (1975) (holding that Time’s sale of its subscription record to unsolicited mail advertisers didn’t represent an appropriation of character). [Back to text]

ALAN F. WESTIN, PRIVACY AND FREEDOM (1967). [Back to text]

Arthur R. Miller, Private Privateness within the Pc Age: The Problem of New Know-how in an Info-oriented Society, 67 MICH. L. REV. 1089 (1969). [Back to text]

Stewart v. Yahoo! Inc. (Dallas Cty. Dist. Ct., filed February 2000) (alleging that Yahoo! and Broadcast.com violated Texas’ anti-stalking statute through the use of cookies to observe shoppers on-line). [Back to text]

Carl S. Kaplan, Lawsuit Says Net Cookies Permit Unlawful Stalking, NEW YORK TIMES, Feb. 18, 2000, obtainable at http://www.nytimes.com/library/tech/00/02/cyber/cyberlaw/18law.html. [Back to text]

Texas Firm Accuses Yahoo of Privateness Violations, CNET, Jan. 26, 2000, obtainable at http://information.cnet.com/information/0-1005-200-1533164.html. [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), obtainable at http://www.ftc.gov/reviews/privacy2000/privacy2000.pdf. [Back to text]

U.S. CONST. amend. I, obtainable at http://caselaw.lp.findlaw.com/knowledge/structure/amendment01/.[Back to text]

Eugene Volokh, Freedom of Speech and Info Privateness: The Troubling Implications of a Proper to Cease Folks From Talking About You, 52 STAN. L. REV. 1049 (2000) obtainable at http://www.regulation.ucla.edu/school/volokh/privateness.htm. [Back to text]

Reno v. Condon, 528 U.S. 141 (2000), obtainable at http://caselaw.lp.findlaw.com/scripts/getcase.pl?court docket=us&vol=000&invol=98-1464. [Back to text]

Los Angeles Police Dept. v. United Reporting Publishing Corp., 528 U.S. 32 (1999), obtainable at http://caselaw.lp.findlaw.com/scripts/getcase.pl?court docket=us&vol=000&invol=98-678. [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), obtainable at http://www.ftc.gov/reviews/privacy2000/privacy2000.pdf. [Back to text]

Software program and Info Business Affiliation, On-line Privateness: Defending Your Enterprise and Your Prospects at . [Back to text]

Michigan Lawyer Basic’s Workplace, Information to Privateness Insurance policies at . [Back to text]

U.S. West v. Federal Communications Fee, 182 F.3d 1224 (tenth Cir. 1999). [Back to text]

15 USC § 45(a), obtainable at http://caselaw.lp.findlaw.com/scripts/ts_search.pl?title=15&sec=45. [Back to text]

Ellen Spertus, Spertus v. Kozmo.com at . [Back to text]

FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE (2000), obtainable at http://www.ftc.gov/reviews/privacy2000/privacy2000text.pdf. [Back to text]

18 U.S.C. §§ 2510-22, obtainable at http://caselaw.lp.findlaw.com/casecode/uscodes/18/components/i/chapters/119/toc.html. [Back to text]

18 U.S.C. §§ 2701-11, obtainable at http://caselaw.lp.findlaw.com/casecode/uscodes/18/components/i/chapters/121/toc.html. [Back to text]

McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998). [Back to text]

Terry Jessup-Morgan v. America On-line, Inc., 20 F. Supp. second 1105 (E.D. Mich. 1998), obtainable at http://authorized.net.aol.com/choices/dlpriv/jessup.html. [Back to text]

John Doe aka Aquacool_2000 v. Yahoo! (C.D. Cal, filed Might 11, 2000) (plaintiff who posted pseudonymous feedback criticizing his employer on a Yahoo! message board alleged that Yahoo! violated its privateness coverage by divulging his id after receiving a subpoena from his employer). [Back to text]

15 U.S.C. §§ 6501-06, obtainable at http://caselaw.lp.findlaw.com/casecode/uscodes/15/chapters/91/toc.html. [Back to text]

Federal Commerce Fee, Learn how to Adjust to the Kids’s On-line Privateness Safety Rule at . [Back to text]

Council Directive 95/46, 1995, obtainable at http://www.privateness.org/pi/intl_orgs/ec/final_EU_Data_Protection.html. [Back to text]

Division of Commerce, Protected Harbor at . [Back to text]

Digital Privateness Info Middle, EPIC Invoice Monitor at . [Back to text]

[Back to top]

VI. Extra Supplies (Elective Studying)


Shopper Profile Alternate customary

A bunch of corporations, together with IBM, MicroStrategy, and First Union, have developed an XML-based customary that permits corporations with completely different software program and methods for gathering shopper data to share their knowledge extra simply in a typical format. The Washington Publish has an attention-grabbing article on the creating customary. Robert O’Harrow, Jr., Web Companies Act to Ease Sharing of Private Information, WASHINGTON POST, Dec. 5, 2000, at E1, obtainable at http://www.washingtonpost.com/wp-dyn/articles/A23676-2000Dec4.html.

Pentium III’s Distinctive Numerical Identifier

An figuring out serial code quantity is hardwired into every of Intel’s Pentium III chips. The chip was designed to enhance safety for e-commerce transactions and permit data programs managers to trace particular person computer systems throughout inside networks. Nevertheless, privateness advocates have argued that the numerical identifier could also be used to affiliate on-line profiles with a person’s personally identifiable data. In response to the controversy, most PC producers have disabled the function. CNET Information has an article on these identifiers. Stephanie Miles, Teams Press Company on Pentium III, CNET, Mar. 8, 1999, obtainable at http://information.cnet.com/information/0,10000,0-1003-200-339677,00.html.

Home windows 98 Identifier

Home windows 98 accommodates a novel serial quantity that identifies the person who registered the copy of Home windows working on that PC. The quantity is used to trace customers on the Microsoft web site, however due to a bug, could be accessed by different websites as properly. Try the story on CNET Information. Erich Luening and Mike Ricciuti, New Safety Gap Present in Windows98, CNET, Mar. 10, 1999, obtainable at http://information.cnet.com/information/0,10000,0-1003-200-339806,00.html.

P2P profiling

Peer-to-peer file sharing could permit corporations to develop profiles of customers based mostly on the shared recordsdata saved on their computer systems. Salon has an attention-grabbing article on this risk. Janelle Brown, Napster Parasites, SALON, Feb. 9, 2001, obtainable at http://www.salon.com/tech/function/2001/02/09/napster_parasites/index.html.

Wi-fi GPS

The FCC has not too long ago required new cell phones to include applied sciences designed to pinpoint the placement of 911 callers. Many wi-fi cellphone producers due to this fact integrated International Positioning System (GPS) expertise, which makes use of satellite tv for pc alerts to observe a person’s location, contained in the handsets of their new fashions. Privateness advocates have argued that wi-fi GPS will permit massive telecommunications corporations to trace prospects’ actions. See CNET’s information protection. John Borland, Wi-fi Cellphone Monitoring Plans Increase Privateness Hackles, CNET, Nov. 10, 2000, obtainable at http://information.cnet.com/information/0-1004-200-3624256.html?tag=st.ne.ni.gartnercomm.ni.

Platform for Privateness Preferences (P3P)

P3P is a normal supposed to reinforce shopper privateness safety. It’s being developed by the World Large Net Consortium (W3C). P3P-enabled websites will embrace machine-readable data indicating the information the location collects and the way the information can be used. Customers will enter their privateness safety preferences of their browser, which will show a warning if no privateness coverage is displayed or the location is gathering knowledge the person doesn’t want to disclose. The following launch of Microsoft’s Web Explorer will incorporate P3P expertise. The New York Occasions has an article on how P3P will work in IE . John Schwartz, The Nexus of Privateness and Safety, NEW YORK TIMES, Dec. 8, 2000, obtainable at http://www.nytimes.com/2000/12/08/expertise/08SECU.html. The W3C additionally has a good overview of P3P on the whole . World Large Net Consortium, P3P Public Overview at .

[Back to text]

[Back to top]



RealNetworks has confronted a rash of sophistication motion fits (RealNetworks circumstances, 1999). Lots of the fits are at present in arbitration as a result of courts have enforced the arbitration clause despite the fact that it bars plaintiffs from bringing class motion fits (Lieschke, 2000). The complaints allege that RealNetworks assigned globally distinctive identification numbers to its music listening software program that would have been used to trace its customers with out their data. Reduction is sought beneath the ECPA. Try the information protection on InternetNews (Web site) (McWilliams, 1999) and CNET (Web site) (Macavinta, 1999).


Toys R Us faces lawsuits in U.S. District court docket in New Jersey and California. The fits allege that the corporate’s web site allowed third-party market researchers to entry shoppers’ private knowledge in violation of the location’s privateness coverage. Coremetrics, a San Francisco-based advertising agency, allegedly tracked surfer’s actions on the location. The complaints allege breach of contract, common-law privateness invasion, and violation of the ECPA.

Avenue A and MatchLogic (an Excite @Residence subsidiary)

Two class motion fits have been filed on 11/22/00 in Denver (towards MatchLogic) and Redmond (towards Avenue A). The complaints allege that cookies and net bugs have been utilized by the two internet advertising corporations in violation of the ECPA, Pc Fraud and Abuse Act, and customary regulation trespass. Information protection could be discovered on the Business Normal (Web site) (Davis, 2000) and CNET (Web site) (Hansen, 2000). The textual content of the criticism towards Avenue A can be on-line (Web site) (Likelihood, 2000).


The criticism alleges that Alexa software program and Amazon, its distributor, acted in violation of common-law privateness rights, common-law trespass, and the ECPA (Supnick, 2000). The software program permits customers to surf the net, however allegedly transmits details about the websites visited to the person’s ISP, which then responds with focused promoting based mostly on the person’s actions.


The criticism alleges that the Boston-based firm violated the ECPA and Pc Fraud and Abuse Act for monitoring shopper exercise on pharmaceutical web sites (Darby, 2000). Though the defendant’s privateness coverage signifies that its knowledge assortment expertise may immediately establish customers when mixed with a monitoring database, Pharmatrak’s CEO argued that the expertise wouldn’t be used. There is a temporary blurb within the Boston Globe on the case (Web site) (Boston Globe, 2000).

[Back to text]



eGames sells a number of private laptop video games, which could be downloaded from its web site or bought as CD-ROMs by way of retailers. In September 2000, Michigan Lawyer Basic issued a Discover of Meant Motion alleging that eGames had violated the state’s Shopper Safety Act. The discover alleged that the corporate had not adequately disclosed on-line profiling by third-party advertisers on the firm’s web site. Moreover, the discover alleged that eGames’ software program allowed Conducent, a third-party advertiser, to make use of the corporate’s software program to observe shoppers’ actions on their private computer systems. The case settled on January 10, 2001. eGames agreed to take away all undisclosed third-party promoting software program and to make obtainable a free software program patch to take away Conducent’s software program from its present video games. The corporate additionally agreed to not collect personally identifiable data with out discover and consent, and it agreed to an expanded privateness coverage explaining how private knowledge is collected by way of cookies in addition to how customers can entry and proper their profiles. The Lawyer Basic’s press launch on this case is on-line (Web site) (Michigan AG’s Workplace, 2000).

Different Michigan on-line profiling circumstances

The Michigan Lawyer Basic’s Workplace has introduced a sequence of on-line profiling fits towards Ortho Biotech, AmericasBaby.com, Stockpoint, and iFriends Community. In every case, the criticism alleges that the defendant web site allowed third-party advertisers to passively acquire data utilizing net bugs or cookies and did not disclose this follow in its privateness coverage. The Michigan AG’s workplace contended that failure to reveal third-party monitoring violated the Michigan Shopper Safety Act, the Michigan Fraudulent Entry to Computer systems Act, and shoppers’ common-law rights to privateness and to be free from “trespass to chattels.”
In every of the Notices of Meant Motion, the Michigan AG’s workplace indicated that it was notably involved about third-party cookie placement as a result of of the dearth of discover to customers who could not understand they’re being tracked as they surf: “As a common matter, shoppers count on {that a} Web site they’ve chosen to go to will work together with their computer systems, particularly with their shopping software program. Cookies positioned by visited websites, comparable to these positioned by Stockpoint itself, could fall inside this expectation for some shoppers. (Web sites who place and browse their very own cookies on guests’ computer systems, nevertheless, ought to disclose using their cookies.) However most shoppers don’t perceive or count on that cookies are routinely positioned and browse by DoubleClick, Adforce, and different third events with whom customers haven’t chosen to ascertain an internet relationship.”

[Back to text]


The next record is a sampling of some business certification packages:

[Back to text]


Federal Commerce Fee


GeoCities is a main digital group and hosting service that permits shoppers to develop homepages, put up them on-line, and affiliate them with a GeoCities digital neighborhood. GeoCities required all customers to supply personally figuring out data by way of a New Member Utility kind as a situation for membership. The FTC alleged that the statements on the shape misrepresented the makes use of of this private knowledge collected by GeoCities.

The criticism made three main allegations. First, the FTC argued that GeoCities bought private knowledge to unauthorized third events after assuring customers that the information would be used solely to supply members the precise promoting affords and merchandise or providers they requested. Second, the FTC alleged that GeoCities bought “non-compulsory” data (training degree, revenue, marital standing, occupation, and pursuits) to third-party advertisers after assuring customers that the information can be used for inside statistical functions solely and would by no means be launched to anybody with out the member’s prior permission. Third, the FTC accused GeoCities of permitting third events to gather data from youngsters by way of on-line contests whereas creating the impression that GeoCities itself operated the contests and retained the data.

On August 13, 1998, the FTC introduced swimsuit towards GeoCities. The swimsuit was the primary on-line privateness swimsuit ever introduced by the Fee. The swimsuit was instantly settled by way of a consent order. GeoCities agreed to put up a outstanding privateness discover explaining the sort of data collected, what its function is, to whom it’s being despatched, and the way customers can acquire and take away the data. It agreed to inform all members of their alternative to have their data deleted from the databases of GeoCities and third-parties, and the settlement required GeoCities to contact all third events and request that they instantly delete all improperly disclosed data.

The criticism (Web site) (Geocities criticism, 1998) and consent order (Web site) (Geocities consent order, 1998) can be found on the FTC’s web site.


Toysmart was an on-line toy retailer. It collected detailed private details about its customers, together with billing data, purchasing preferences, and household profiles that contained the names and delivery dates of kids. Toysmart’s privateness coverage said that such data would by no means be bought to 3rd events. Nevertheless, after the firm filed chapter, it sought to promote its database of private data.

On July 10, 2000, the FTC filed for a preliminary injunction in federal district court docket to cease the sale of the database, claiming that the sale would violate the privateness coverage and thus constitutes a misleading commerce follow. The case was settled on July 21, 2000. Toysmart agreed to not promote the database as a stand-alone asset separate from the corporate itself. The corporate additionally agreed to promote the database solely to a purchaser that will adjust to the posted privateness coverage and alter the present makes use of of buyer data provided that prospects opted in to authorize such a change. If no such purchaser may very well be discovered inside a yr, the database can be destroyed.

Privateness advocates who deemed its restrictions insufficient roundly criticized the settlement settlement. Thirty-nine state lawyer generals signed an announcement objecting to the settlement and requesting that Toysmart be required to hunt permission from every particular person buyer earlier than promoting the data. The dispute was resolved when Disney, a majority stakeholder in Toysmart, ultimately agreed to buy and destroy the database.

The criticism (Web site) (Toysmart criticism, 2000) and consent decree (Web site) (Toysmart consent decree, 2000) can be found on the FTC’s web site.


DoubleClick, a massive community promoting firm, makes use of cookies and net bugs to trace customers throughout completely different web sites and file their browsing habits. These person profiles will not be personally identifiable, and DoubleClick’s privateness coverage assured customers that their data would stay nameless. Nevertheless, after the corporate’s buy of direct advertising agency Abacus in 1999, DoubleClick introduced plans to mix these profiles with personally identifiable data in Abacus’s database, which incorporates names, addresses, demographic knowledge, and buy historical past.

EPIC, a privateness advocacy group, introduced a criticism towards DoubleClick earlier than the FTC. The criticism alleged that DoubleClick’s false assurances of person anonymity in its privateness coverage constituted misleading commerce practices. It additionally alleged unfair commerce practices as a result of the customers who acquired the corporate’s cookies have been usually not conscious of monitoring and thus couldn’t benefit from opt-out procedures.

In February 2000, the FTC opened an investigation into DoubleClick’s practices. One month later, the corporate introduced that it had scrapped plans to merge the 2 databases. After reviewing DoubleClick’s practices to make sure its reversal was real, the FTC closed the investigation in January 2001. In a letter to DoubleClick’s lawyer, Christine Varney, the FTC stated, “it seems … that DoubleClick by no means used or disclosed shoppers’ personally identifiable data for functions apart from these disclosed in its privateness coverage.” Nevertheless, the FTC left the door open for additional investigation if the corporate’s insurance policies change, and the corporate agreed to make a number of adjustments in its privateness coverage.

EPIC’s criticism to the FTC (Web site) (DoubleClick criticism, 2000) and the FTC’s letter closing the investigation (Web site) (DoubleClick letter, 2000) could be discovered on-line.


On-line privateness advocates, the Digital Privateness Info Middle (EPIC) and Junkbusters, have despatched letters to the FTC urging investigation of Amazon’s current revision of its privateness coverage. Amazon’s outdated privateness coverage assured that it could “by no means” disclose buyer data to 3rd events. The brand new coverage permits restricted disclosure of private knowledge to 3rd events for fraud safety and credit score threat discount. It additionally eliminated the choice permitting prospects to ship electronic mail requesting that the net retailer not share their private knowledge with different corporations. The privateness teams allege that Amazon’s coverage change constitutes misleading commerce practices. The FTC has not but disclosed whether or not it has determined to begin an investigation.

On-line Pharmacies

In July 2000, the FTC introduced motion in a District Courtroom in Nevada towards a bunch of on-line pharmacies and their operators. Along with alleging that the pharmacies made false claims about their medical and pharmaceutical amenities, the criticism additionally alleged that that they had made false privateness assurances. The FTC alleged that the pharmacies falsely instructed prospects that non-public knowledge was encrypted and securely transmitted over an SSL connection. It additionally charged that the pharmacies falsely instructed prospects that their private data can be used solely for medical consultations and billing functions.

The case settled. The pharmacies agreed to a consent decree that prohibited them from “promoting, renting, leasing, transferring or disclosing the non-public data that was collected from their prospects with out specific authorization from the client.” It additionally required them to develop a privateness coverage that met the FTC’s tips for truthful data practices, together with discover, consent, safety, and entry.

Try the criticism (Web site) (Rennert criticism, 2000) and consent order (Web site) (Rennert consent order, 2000).

[Back to text]

State Enforcement


In December 2000, New Jersey’s Division of Shopper Affairs launched an investigation into allegations that the toy retailer has violated its privateness coverage by permitting third-party advertising researchers from Coremetrics to entry shoppers’ private knowledge.

Clearstation and DoubleClick

Prepare dinner County State’s Lawyer filed swimsuit towards Clearstation on December 5, 2000, in Illinois Circuit Courtroom. The criticism alleges that each websites violated the state’s Shopper Fraud Act by misrepresenting insurance policies on cookie placement. Towards funding evaluation web site Clearstation, the criticism alleged that the corporate did not disclose cookie use by third-party advertisers in its privateness coverage. It additionally alleged that the corporate’s privateness coverage said that long-term cookies weren’t used, though the location used cookies for as much as one yr. Towards community promoting agency DoubleClick, the criticism alleged that DoubleClick’s coverage urged that its cookies have been restricted to generic data solely when the cookies used a prolonged alphanumeric knowledge stream able to monitoring customers for as much as thirty years.


In January 2000, the New York Lawyer Basic’s workplace filed swimsuit towards InfoBeat, an electronic mail e-newsletter distributor. Though InfoBeat’s privateness coverage promised by no means to disclose customers’ private knowledge with out prior consent, the New York AG’s workplace claimed that when subscribers clicked on ads in InfoBeat’s html-formatted e-newsletter, their electronic mail addresses have been disclosed to third-party advertisers. The case settled, and InfoBeat agreed to completely disclose its practices in its privateness coverage, inform potential members of its practices, and supply them the chance to cancel their membership and have all private knowledge deleted. Try the settlement settlement for extra data (Web site) (New York AG’s Workplace, 2000).


On September 13, 2000, the Missouri Lawyer Basic’s workplace filed swimsuit towards the net retailer of well being care and diet merchandise. The criticism alleged that the location violated its personal privateness coverage by disclosing customers’ private knowledge to third-party advertisers by way of net bugs.


On September 25, 2000, the Texas Lawyer Basic’s workplace filed swimsuit towards the bankrupt on-line retailer beneath Texas’s Misleading Commerce Practices Act. The criticism sought to forestall the corporate from violating its privateness coverage by promoting its shopper lists and private monetary data throughout chapter proceedings. The events settled. Residing.com agreed to permit its court-appointed chapter trustee to supervise the destruction of all delicate monetary knowledge, comparable to checking account, bank card, and social safety numbers. The trustee was permitted to promote the client record so long as prospects have been knowledgeable and given an opportunity to opt-out through electronic mail.

[Back to text]


Word that this isn’t a complete record. It’s merely supposed to provide a taste for widespread varieties of sector-specific regulation.

Monetary Info

Truthful Credit score Reporting Act
(Web site) (15 U.S.C. § 1681)

Requires shopper reviews businesses to tell shoppers of the sources and contents of their reviews, present a listing of requesting events, and procure shopper consent earlier than offering data to employers or potential employers.

Gramm Leach-Bliley Act
(Web site) (15 U.S.C. §§ 6801-10) and (Web site) (§§ 6812-27)

Requires monetary establishments to supply discover of the corporate’s privateness coverage and supply shoppers the chance to opt-out of disclosure of private knowledge to 3rd events. Additionally requires establishments to guard towards anticipated safety threats and unauthorized entry that would end in substantial hurt or inconvenience to the client.

Truthful Debt Collections Practices Act
(Web site) (15 U.S.C. § 1692)

Prohibits debt collectors from publishing a listing of shoppers who refuse to pay their money owed besides to a credit score bureau.

Digital Funds Switch Act
(Web site) (15 U.S.C. § 1693)

Requires monetary establishments that present digital banking providers to tell shoppers of insurance policies regarding the disclosure of automated checking account data to third events.

Leisure and Telecommunications

Cable Communications Coverage Act of 1984
(Web site) (47 U.S.C. § 551)

Requires discover to cable subscribers of all assortment and disclosure of personally identifiable data.

Video Privateness Safety Act of 1988
(Web site) (18 U.S.C. § 2710)

Regulates the disclosure of video rental and gross sales information. Prohibits disclosure of personally identifiable video rental or gross sales information with out knowledgeable written consent, until the information are subpoenaed by a regulation enforcement company, disclosed within the atypical course of enterprise, or required for a civil continuing the place a compelling want exists that can’t be in any other case accommodated.

Communications Act of 1934, as amended by the Telecommunications Act of 1996
(Web site) (47 U.S.C. § 222)

Prohibits the disclosure of buyer proprietary community data (e.g., cellphone information) with out the affirmative written consent of the client. Exceptions exist for mixture shopper knowledge, data used to supply associated providers comparable to cellphone books, or emergency conditions.

Medical Info

Well being Insurance coverage Portability and Accountability Act of 1996
(Web site) (42 U.S.C. § 1320a)

Requires the Division of Well being and Human Companies to manage the privateness of individually identifiable well being data after Congress did not cross laws defending medical privateness by August 21, 1999. Draft laws can be found on the EPIC web site (Web site) (EPIC, 1999).

Federal Authorities Entry

Privateness Act of 1974
(Web site) (5 U.S.C. § 552a)

Requires discover when private knowledge collected by the federal authorities can be made obtainable to the general public.

Proper to Monetary Privateness Act of 1978
(Web site) (12 U.S.C. §§ 3401 et seq.)

Regulates disclosure of shopper monetary data to the federal government by monetary establishments.

[Back to text]

Leave a Reply

Your email address will not be published. Required fields are marked *