LEAPLAW'S LEDGER

LeapLaw Logo
Vol. 4, Issue 3
March 2006
LeapLaw's
50 State Blawg

sponsored by:

NRAI Logo

Highlighted at
ABA Law Tech Show

60 sites in 60 Minutes

Could your practice benefit from on-demand experienced paralegal assistance? If so, contact Virtual Paralegal Services. You'll be glad you did.



ABOUT LEAPLAW™

Using LeapLaw, allows legal professionals to spend more time billing for critical legal work and less time billing for internet and other research. As corporate clients become increasingly sensitive regarding legal bills, accessing accurate, on-point information in a time-efficient manner translates into working smarter and increasing your competitive edge.

For more information on becoming a LeapLaw subscriber please contact us at 781-891-8808 or via e-mail at

 LeapLaw Ledger's Archives | About LeapLaw | Contact Us | Blawg

Privacy Policies for Commercial Web Sites

By: Mark Ishman, Esq.

Whether to prevent the FTC or consumer litigation, every commercial web site needs a privacy policy. Moreover, because of the current failure of industry self-regulation, consumer privacy legislation is inevitable. Therefore, every web site should have a privacy policy that addresses the privacy concerns of its users.

First, a good privacy policy should be easy to find, read and comprehensively explain a web site's information practices. The policy should also provide visitors with an opportunity to make informed decisions about the collection and use of their information. More importantly, a privacy policy is a promise. As a promise, it is not enough to just post a privacy policy, but the policy must be fully implemented. Therefore, when creating a privacy policy, there should be a careful analysis of the type of privacy issues that arise when operating a particular web site because a privacy policy must accurately reflect the desired practice and guarantee its faithful adherence to its provisions.

A privacy policy must consider, if not include: (1) broad coverage; (2) notice to consumers as to the kinds of consumer information collected, how it is collected, and from whom it is collected; (3) notice and explanation of a company's policy and practice regarding dissemination of consumer information to others; (4) the right to access information collected by a company, and notice of that right and how the consumer can exercise it; (5) the right to correct inaccurate or incomplete information in the consumer's files, notice of that right, and how the consumer can exercise it; (6) consumer control and choice, including the ability to opt-in to permit companies to use, store, and disseminate information, rather than opt-out which requires consumers to act affirmatively to prevent use, storage, and dissemination; (7) procedures and structures to prevent unauthorized use of information by employees and service providers; and (8) procedures to ensure that information is disseminated only to proper third parties. Web sites utilizing electronic signatures and encryption should also include provisions to ensure reasonable levels of security regarding authentication and the transmission of information.

Anatomy of a Privacy Policy

I. SCOPE: First, and foremost, the privacy policy should be made known to web site visitors. Notification of the privacy policy should be written in clear and easy to understand language, displayed prominently and made available before users are asked to relinquish information to the web site. A consumer privacy policy should be broad and incorporate all of the web site's e-commerce activities. It is generally agreed that certain personal identifying information, including Social Security numbers, mother's maiden names, prior addresses, and birth dates should be included in the definition of protected information. However, there is a lack of consensus over whether other information should also be included. In any event, a privacy policy should define all relevant terms according to the web site's business model, including the information covered, companies' collection, retention, use and dissemination of user's information.

B. CONSUMER INFORMATION. Consumers need a notice that explains what information is being collected about them, from whom it is collected, and how it is collected. For example, consumers using the web should have the right to be informed whether cookies are being used when first visiting a site and before divulging any personal information. If cookies are used a privacy policy should inform users as to how they can block their use by activating software that blocks cookie which is available free of charge. This will allow users the option in determining the levels of privacy protection that they desire.

The consumer should be informed of whether and, if so, how their personal information may be disseminated to others. Another provision of the privacy policy should address children's online privacy rights. In doing so, the policy should state that it does not collect or use information from children. However, if the web site targets users under the age of 18, the policy should then state that it only collects information from children as permitted in the Children's Online Privacy Protection Act of 1998 or other acts or guidelines that currently address children's online privacy rights.

Information that is collected by a web site should be accessible to its consumers. If a web site collects, stores and disseminates information about consumers, then it should provide notice to its users informing them of their right to know what information has been collected. Additionally, a web site should allow consumers the right to correct erroneous and incomplete information. If users have access and the opportunity to improve the quality of information, e-commerce as well as the users benefits will be enhanced because the industry thrives only if it has accurate and complete information.

C. OPT-IN / OPT-OUT. A privacy policy should also allow consumers the ability to opt-in because a choice to opt-in gives consumers greater control over their personal information. However, if a web site does not offer the opt-in mechanism, then it should carefully consider the opt-out mechanism whereby information can be collected and disseminated however it wants unless the consumer takes a affirmative steps to inform the company not to engage in those practices. The opt-out approach can be justified if one views consumer privacy as a minor issue and not a right to be zealously protected. It is important to note that users may fail to opt-out for a variety of reasons having little to do with whether they truly consent to the collection and dissemination of their personal information. The opt-out method is also easy for companies to abuse. The opt-in approach is far more consistent with standard consumer control because it assumes consumers do not want their privacy invaded. Therefore, consumers are automatically protected from invasions.

D. RESTRICTED INTERNAL AND EXTERNAL ACCESS. A privacy policy should include procedures for restricting the internal access of its users' information to those employees, ISPs and necessary agents on a "need to know" basis. Therefore, the policy should regulate the access to each type of data to only appropriate parties. Furthermore, the privacy policy should adopt policies and procedures designed to ensure that the third parties receiving consumers' information use the information for permissible purposes only and in all cases take appropriate measures to safeguard the users' privacy.

E. SECURITY. A privacy policy should also set a minimum level of security in regard to the authentication and transmission of information. The e-commerce industry and the government are presently considering various approaches for authenticating identity in online transactions. Available technology permits the use of electronic signatures, but there are many possible alternative approaches. In addition, several states have already adopted digital or electronic signature statutes, and many more are currently considering such legislation. Security in the transmission of information can be achieved through encryption. In order to prevent unwanted accessibility to files or e-mail messages, encryption scrambles a file or e-mail message so that it is unreadable to anyone that does not know how to unscramble it. However, the implementation of encryption has been hampered by the government's insistence on key recovery, in which the government would have the ability to engage in electronic surveillance. Meanwhile, the e-commerce industry has been developing encryption standards.

CONCLUSION

This article is but a summary on the topic of privacy on the internet. To read more, download "Immediate Privacy Concerns that Domestic Commercial Web Sites should Consider When Conducting Business in Electronic Commerce". A sample privacy policy, a list of states with e-commerce laws and other information is available to LeapLaw subscribers by logging in and searching the term privacy policy.

--------------------------------------------

ABOUT MARK ISHMAN, ESQ.

Mr. Ishman's practice concentrates on advising both high-tech and brick and mortar companies in connection with Internet, e-commerce, cyberlaw, intellectual property, corporate transactions, computer security, privacy and employment matters. He has over 13 years of experience in the legal industry, either as an attorney, paralegal or law clerk. Learn more about Mark at www.ishmanlaw.com.

ABOUT LEAPLAW™

LeapLaw™ is an essential toolbox for business lawyers and paralegals that delivers core legal resources needed to do more work in less time. Start Here. Finish Faster.

SUBSCRIPTION INFORMATION

For more information on becoming a LeapLaw subscriber, please contact us at 781-891-8808 or via e-mail at [email protected].

If you would like to be removed from this distribution list, please e-mail us at and insert "remove" in the title line.



LeapLaw's Home Page
LeapLaw, Inc., 738 Main Street, Unit 201, Waltham, Massachusetts 02451-0616