Privacy
Policies for Commercial Web SitesWhether to prevent the FTC or consumer litigation,
every commercial web site needs a privacy policy. Moreover, because of the current
failure of industry self-regulation, consumer privacy legislation is inevitable.
Therefore, every web site should have a privacy policy that addresses the privacy
concerns of its users. First, a good privacy policy should be easy to find,
read and comprehensively explain a web site's information practices. The policy
should also provide visitors with an opportunity to make informed decisions about
the collection and use of their information. More importantly, a privacy policy
is a promise. As a promise, it is not enough to just post a privacy policy, but
the policy must be fully implemented. Therefore, when creating a privacy policy,
there should be a careful analysis of the type of privacy issues that arise when
operating a particular web site because a privacy policy must accurately reflect
the desired practice and guarantee its faithful adherence to its provisions. A
privacy policy must consider, if not include: (1) broad coverage; (2) notice to
consumers as to the kinds of consumer information collected, how it is collected,
and from whom it is collected; (3) notice and explanation of a company's policy
and practice regarding dissemination of consumer information to others; (4) the
right to access information collected by a company, and notice of that right and
how the consumer can exercise it; (5) the right to correct inaccurate or incomplete
information in the consumer's files, notice of that right, and how the consumer
can exercise it; (6) consumer control and choice, including the ability to opt-in
to permit companies to use, store, and disseminate information, rather than opt-out
which requires consumers to act affirmatively to prevent use, storage, and dissemination;
(7) procedures and structures to prevent unauthorized use of information by employees
and service providers; and (8) procedures to ensure that information is disseminated
only to proper third parties. Web sites utilizing electronic signatures and encryption
should also include provisions to ensure reasonable levels of security regarding
authentication and the transmission of information. Anatomy of a Privacy
Policy I. SCOPE: First, and foremost, the privacy policy should
be made known to web site visitors. Notification of the privacy policy should
be written in clear and easy to understand language, displayed prominently and
made available before users are asked to relinquish information to the web site.
A consumer privacy policy should be broad and incorporate all of the web site's
e-commerce activities. It is generally agreed that certain personal identifying
information, including Social Security numbers, mother's maiden names, prior addresses,
and birth dates should be included in the definition of protected information.
However, there is a lack of consensus over whether other information should also
be included. In any event, a privacy policy should define all relevant terms according
to the web site's business model, including the information covered, companies'
collection, retention, use and dissemination of user's information. B.
CONSUMER INFORMATION. Consumers need a notice that explains what information
is being collected about them, from whom it is collected, and how it is collected.
For example, consumers using the web should have the right to be informed whether
cookies are being used when first visiting a site and before divulging any personal
information. If cookies are used a privacy policy should inform users as to how
they can block their use by activating software that blocks cookie which is available
free of charge. This will allow users the option in determining the levels of
privacy protection that they desire. The consumer should be informed of
whether and, if so, how their personal information may be disseminated to others.
Another provision of the privacy policy should address children's online privacy
rights. In doing so, the policy should state that it does not collect or use information
from children. However, if the web site targets users under the age of 18, the
policy should then state that it only collects information from children as permitted
in the Children's
Online Privacy Protection Act of 1998 or other acts or guidelines that currently
address children's online privacy rights. Information that is collected
by a web site should be accessible to its consumers. If a web site collects, stores
and disseminates information about consumers, then it should provide notice to
its users informing them of their right to know what information has been collected.
Additionally, a web site should allow consumers the right to correct erroneous
and incomplete information. If users have access and the opportunity to improve
the quality of information, e-commerce as well as the users benefits will be enhanced
because the industry thrives only if it has accurate and complete information.
C. OPT-IN / OPT-OUT. A privacy policy should also allow consumers
the ability to opt-in because a choice to opt-in gives consumers greater control
over their personal information. However, if a web site does not offer the opt-in
mechanism, then it should carefully consider the opt-out mechanism whereby information
can be collected and disseminated however it wants unless the consumer takes a
affirmative steps to inform the company not to engage in those practices. The
opt-out approach can be justified if one views consumer privacy as a minor issue
and not a right to be zealously protected. It is important to note that users
may fail to opt-out for a variety of reasons having little to do with whether
they truly consent to the collection and dissemination of their personal information.
The opt-out method is also easy for companies to abuse. The opt-in approach is
far more consistent with standard consumer control because it assumes consumers
do not want their privacy invaded. Therefore, consumers are automatically protected
from invasions. D. RESTRICTED INTERNAL AND EXTERNAL ACCESS. A privacy
policy should include procedures for restricting the internal access of its users'
information to those employees, ISPs and necessary agents on a "need to know"
basis. Therefore, the policy should regulate the access to each type of data to
only appropriate parties. Furthermore, the privacy policy should adopt policies
and procedures designed to ensure that the third parties receiving consumers'
information use the information for permissible purposes only and in all cases
take appropriate measures to safeguard the users' privacy. E. SECURITY.
A privacy policy should also set a minimum level of security in regard to
the authentication and transmission of information. The e-commerce industry and
the government are presently considering various approaches for authenticating
identity in online transactions. Available technology permits the use of electronic
signatures, but there are many possible alternative approaches. In addition, several
states have already adopted digital or electronic signature statutes, and many
more are currently considering such legislation. Security in the transmission
of information can be achieved through encryption. In order to prevent unwanted
accessibility to files or e-mail messages, encryption scrambles a file or e-mail
message so that it is unreadable to anyone that does not know how to unscramble
it. However, the implementation of encryption has been hampered by the government's
insistence on key recovery, in which the government would have the ability to
engage in electronic surveillance. Meanwhile, the e-commerce industry has been
developing encryption standards. CONCLUSION This article
is but a summary on the topic of privacy on the internet. To read more, download
"Immediate
Privacy Concerns that Domestic Commercial Web Sites should Consider When Conducting
Business in Electronic Commerce". A sample privacy policy, a list of
states with e-commerce laws and other information is available to LeapLaw subscribers
by logging in and searching the term privacy
policy. -------------------------------------------- LeapLaw
is an essential toolbox for business lawyers and paralegals that delivers
core legal resources needed to do more work in less time. Start
Here. Finish Faster. For
more information on becoming a LeapLaw subscriber, please contact us at 781-891-8808
or via e-mail at [email protected].
If you would like to be removed from this distribution list,
please e-mail us at and insert "remove" in the title line. |