Chapter 24. Privacy Policies, Legislation, and P3P

Online businesses know a lot about their customers. An online merchant knows every product that you look at, every product that you put in your “shopping cart” but later take out, and anything that you’ve ever purchased from them online. Online merchants also know when you shop, if you shop from home or from work, and—if they care—what your credit rating is. Furthermore, unlike the offline world, an online merchant can correlate your shopping profile with your web browsing habits.

Internet service providers can learn even more about their customers because all information that an Internet user sees must first pass through the provider’s computers. ISPs can also determine the web sites that their users frequent—and even the individual articles that have been viewed. They can analyze email messages for keywords. By tracking this information, an Internet provider can tell if its users are interested in boats or cars, whether they care about fashion, or even if they are interested in particular medical diseases.

Policies That Protect Privacy and Privacy Policies

What standards should online businesses and organizations follow with regard to the personally identifiable information that they gather?

The Code of Fair Information Practices

History provides strong precedents for helping to understand the rights and responsibilities of online services and providers. These issues of personal information, computers, and large networked databases were first raised in the 1960s. Back then, the consumer reporting industry was embarking on the process of computerizing its vast consumer credit, employment, and insurance files. Much of the data in these files had been assembled over decades without the knowledge or consent of consumers. Their computerization assured that the files would soon be used more widely than ever before.

At least six subcommittees of the U.S. Congress considered the issue of privacy during the 1960s and early 1970s. Many people testified, including representatives of the companies building these systems and countless individuals who had been harmed by incorrect or inaccurate information that these systems occasionally contained. The U.S. Congress determined that many of these systems provided important services, but decided that the systems needed to operate within a regulatory framework that assured rights to people whose data was archived and recourse for the growing number of people who were being wronged.

One of the most important pieces of legislation, the Fair Credit Reporting Act, was passed by Congress in 1970 and signed into law by President Nixon. This law gave consumers fundamental rights, including the right to see their credit reports; the right to know the third-parties to whom their reports had been disclosed; the right to force credit reporting agencies to re-investigate “errors” detected by consumers; the right to force the agencies to include a statement from the consumer on reports that were in dispute; and a sunset provision requiring credit reporting agencies to purge information on a consumer’s report that was more than seven years old (ten years for information regarding bankruptcies).

Elliot Richardson, President Nixon’s Secretary of Health, Education, and Welfare, created a commission to study the impact of computers on privacy, and in 1973 that commission issued its report. The most lasting contribution of the report was the creation of the Code of Fair Information Practices (see the sidebar of the same name in this chapter).

Congress continued to pass legislation regulating the use of personal information. But instead of passing comprehensive legislation that would protect all personal information, Congress adopted a piecemeal approach. Federal records were covered under the Privacy Act of 1974[202] and the Freedom of Information Act. Student records were protected under the Federal Family Educational Rights and Privacy Act of 1974 (the Buckley Amendment). Banking records, cable subscriber records, and even videotape rental records were all protected by Congressional action. Each of these pieces of legislation was enforced by a different part of the federal government. Some acts, like the antijunk-fax Telephone Consumer Privacy Act, did not have any enforcement mechanism at all other than private lawsuits.

Things were different in Europe. Building on the experience of World War II, during which personal records were misused by the Nazis, most European governments created an institutional framework for regulating the collection and use of personal information. Ironically, much of this work was based on the Code of Fair Information Practices that the United States had formulated in the early 1970s. The Europeans extended these ideas into an overall system that was termed data protection.

OECD Guidelines

In 1980, the Organization for Economic Development and Cooperation (OECD) adopted an expanded set of privacy guidelines. These guidelines were designed, in part, to harmonize the growing number of privacy regulations throughout the industrialized world. The guidelines were also specifically designed to deal with the growing problem of transborder data flows—the movement of personal information from one country, where that data might be highly protected, to another country that might have lesser protections. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data[203] consist of eight principles:

Collection Limitation Principle

There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.

Purpose Specification Principle

The purposes for which personal data is collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the previous principle except:

  • With the consent of the data subject; or

  • By the authority of law.

Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

Openness Principle

There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

An individual should have the right:

  • To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

  • To have communicated to him, data relating to him:

    • Within a reasonable time;

    • At a charge, if any, that is not excessive;

    • In a reasonable manner; and

    • In a form that is readily intelligible to him;

  • To be given reasons if a request made as specified above is denied, and to be able to challenge such denial; and

  • To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

The OECD Guidelines do not have the force of law, but are instead used as guidelines for each OECD member country when passing its own laws.

Other National and International Regulations

On July 25, 1995, the European Union passed Directive 95/46/EC, the Directive on Protection of Personal Data, aimed at harmonizing the data protection policies of the EU member countries while simultaneously prohibiting the transport of personal information to countries that did not have adequate protections. EU Commissioner Mario Monti said in a press release following the adoption of the legislation:

I am pleased that this important measure, which will ensure a high level of protection for the privacy of individuals in all Member States, has been adopted with a very wide measure of agreement within the Council and European Parliament. The Directive will also help to ensure the free flow of Information Society services in the Single Market by fostering consumer confidence and minimizing differences between Member States’ rules. Moreover, the text agreed on includes special provisions for journalists, which reconcile the right to privacy with freedom of expression. . . The Member States must transpose the Directive within three years, but I sincerely hope that they will take the necessary measures without waiting for the deadline to expire so as to encourage the investment required for the Information Society to become a reality.

In April 2000, the government of Canada adopted Bill C-6, establishing a data protection framework within Canada by which all nationally chartered corporations must abide. The legislation extends to all provincially chartered corporations in 2003.

“Voluntary Regulation” Privacy Policies

State regulation of personal information used by the business sector has been less successful in the United States. Despite taking an early lead in privacy protection legislation, the United States passed few laws protecting privacy in the last quarter of the 20th century.

With regard to the online collection of personal information, American businesses have fought hard against all suggestions and attempts at federal regulation, arguing that the fledgling world of Internet commerce is simply too immature for meaningful regulation, and that regulation might jeopardize the ability of online businesses to make reasonable profits.

Instead, American businesses have argued that they should be allowed to adopt voluntary codes of conduct and tailor their own policies to suit their business needs. Eager to please its corporate sponsors, the Clinton Administration generally went along with these requests from the business community. Instead of fighting for the passage of meaningful legislation that would protect online privacy, the Clinton Administration instead asked businesses to post voluntary privacy policies on their web sites.

Voluntary privacy policies are only that—they are voluntary. No business is forced to post one. However, the Clinton Administration argued, once an organization posted its privacy policy, it would be honor-bound to live up to the rules that it had published on its web site. Companies that violated their own policies would lose customers.

That’s where things stood until 1998, when a highly publicized study by Georgetown business professor Mary Culnan revealed that American businesses, despite having asked for the chance to self-regulate, had not risen to the occasion. According to Culnan’s study, only 14 percent of the Web’s commercial sites were posting any sort of policy regarding the use of personal information. Consumer groups argued that it was time for the federal government to step in and regulate. But business groups asked for more time.

Over the following year, a large number of web sites posted privacy policies. Fearful that regulation might be just around the corner, many businesses focused on the creation of a privacy policy as an end in itself. And in this effort, the businesses were largely successful. A follow-up study in 1999 found that 65.7 percent of web sites were now posting privacy policies. Most importantly, according to Culnan, these web sites made up 98.8 percent of consumer web traffic. Of the top 100 web sites visited by consumers, a whopping 94 percent had posted privacy policies.

Interestingly, studies of many of these online policies revealed problems. One on-going research effort started in 2000 by Annie Antón and Julie Earp, professors at North Carolina State University, found that many online privacy policies are self-contradictory, incomplete, and often vaguely specified. They identified several instances where online sites clearly stated policies that were also clearly violated, on the very same site.[204]

Seal programs

To enforce voluntary privacy policies, the business community proposed the creation of voluntary membership organizations that would police their member companies. Similar to Underwriters’ Laboratories, these organizations would give their members a small logo, or seal, that would be displayed on web sites that complied with the organization’s own policies.

Two of the most successful seal programs are TRUSTe and BBBOnLine:

TRUSTe

TRUSTe is a membership organization, based in San Jose, California, whose mission “is to build users’ trust and confidence on the Internet and, in so doing, accelerate growth of the Internet industry.”[205] Founded by the Electronic Frontier Foundation (EFF) and the CommerceNet Consortium, TRUSTe allows member organizations to display TRUSTe’s seal, which it calls the TRUSTe mark, if the privacy policy contains specific items and if the web site agrees to be audited by TRUSTe or by outside third parties (see Figure 24-1 for an example).

Figure 24-1. The TRUSTe mark and the Click to Verify link.

Because TRUSTe has changed its contract with its member organizations over time, the TRUSTe mark on different web sites actually has different meanings. On the Lycos (http://www.lycos.com) web site, for instance, the TRUSTe mark means that Lycos has agreed to disclose:

  • What personally identifiable information or third-party personally identifiable information is collected through the web site.

  • The organization collecting the information.

  • How the information is used.

  • With whom the information may be shared.

  • What choices are available to you regarding collection, use, and distribution of the information.

  • The kind of security procedures that are in place to protect the loss, misuse, or alteration of information under control of the site.

  • How consumers can correct any inaccuracies in the information.[206]

To join TRUSTe, a business needs to create a privacy statement (TRUSTe provides samples on its web site) and submit an application to TRUSTe. Membership dues are on a sliding scale. In April 2001, membership was $299 for a company with an annual revenue of less than $1 million, and $6,999 for an organization with annual revenues of $75 million or more.

It is important to note that a TRUSTe seal does not mean that information collected at a site is kept private! As Professor Antón has noted in presentations and her papers, a company could post a privacy policy stating that they sell collected user information to everyone who asks, that the user has no choices or options as regards collection or sale, that there is no security on the site to speak of to protect information, and that users have no options to correct errors. Although TRUSTe requires that there be statements about each of these issues, there is no requirement that any of the policy statements actually support user privacy protection!

BBBOnLine

BBBOnLine is a wholly owned subsidiary of the Council of Better Business Bureaus. According to the organization, “BBBOnLine’s mission is to promote trust and confidence on the Internet through the BBBOnLine Reliability and BBBOnLine Privacy programs.”[207]

BBBOnLine has several seal programs, all shown in Figure 24-2:

  • The BBB Reliability Program seal indicates that a member business has been in business for at least one year, has agreed to abide by BBB standards of truth in advertising, and has committed to work with the BBB to help resolve consumer disputes that arise in conjunction with goods or services promoted or advertised on a web site. Additional requirements can be found at http://www.bbbonline.org/reliability/requirement.asp.

  • The BBBOnLine “Kid’s Privacy Seal” can be posted by sites that are in compliance with the Children’s Online Privacy Protection Act and are accepted by the BBBOnLine Kid’s Program. Membership in the Kid’s Program requires certification that the organization’s web site and privacy practices follow a detailed set of requirements that are outlined on the BBBOnLine web site. For details, see http://www.bbbonline.org/privacy/kid_require.asp. (See Section 24.2).

  • The BBB Privacy Program seal can be used by any business that applies to and is accepted into the BBBOnLine Privacy Program. Like the Kid’s Program, membership in the Privacy Program requires that the web site implement the provisions of BBBOnLine’s model privacy policy. For details, see http://www.bbbonline.org/privacy/threshold.asp.

Figure 24-2. BBBOnLine has three seal programs: the BBB Reliability Program, the Kid’s Privacy Seal, and the BBB Privacy Program.

FTC enforcement

For customers of companies that have privacy policies, there might even be legal recourse. Because privacy policies could be considered a form of advertising, companies that violate their own policies might be found guilty of deceptive and misleading advertising. Thus, a company that violated its privacy policy might soon find itself the subject of an action by the Federal Trade Commission or by a state attorney general’s office.

Whether or not such legislation passes in the future, web surfers should be aware that information about their activities may be collected by service providers, vendors, site administrators, and others on the electronic superhighway. As such, users should perhaps be cautious about the web pages they visit if the pattern of accesses might be interpreted to the users’ detriment.

“Notice, Choice, Access, and Security”

The original Code of Fair Information Practices (see the earlier sidebar) identified five principles. The OECD expanded this list to eight principles (see Section 24.1.2 earlier in this chapter). The U.S. government then backtracked. Between 1995 and 1998, staff members at the Federal Trade Commission conducted a series of meetings and workshops to evaluate online privacy issues. At these meetings, they were told that many principles in place in the rest of the world were simply too onerous for American businesses to comply with within the United States proper. After much discussion, the FTC staff put forth a discussion document, “Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy,” that dramatically simplified the concept of Fair Information Practices to four key items:

Notice

Consumers should have a right to know how an organization treats and collects personal information.

Choice

A consumer should have an option to withhold personal information.

Access

A consumer should have a right to view personal information that has been collected.

Security

Online services should employ security measures to prevent the unauthorized release of or access to personal information.

What is missing from these revised items is the principle that people be allowed to challenge incorrect data about themselves. We leave it to you to decide if it is “fair” that incorrect, outdated, or inconsistent personal data about you might be held and repeatedly used without any ability to correct or delete it.

Industry should have been pleased with the FTC’s redefinition of the Code of Fair Information Practices. Instead, in testimony before the FTC and the U.S. Senate in the fall of 2000, representatives from Hewlett Packard and America Online said that they could only support the “Notice” and “Choice” provisions, arguing that “Access” and “Security” were too difficult and too elusive to write into regulations.
