by Rob Hassett
Casey Gilson Leibel P.C.
Six Concourse Parkway, Suite 2200
Atlanta, Georgia 30328
(770) 512-0300, ext. 557
Law Firm Website: http://www.caseygilson.com/
Personal Website: http://www.internetlegal.com/
Posted on August 19, 2006
* Mr. Hassett is a co-author of Volume 5 (entitled Internet and Interactive Media) of the 10-volume treatise Entertainment Industry Contracts, published by LexisNexis. This article is adapted from a chapter of that volume.
II. Children’s Online Privacy Protection Act of 1998
III. California Security Breach Notification Act
IV. California Online Privacy Protection Act
V. California Information – Sharing Disclosure (“Shine the Light”) Act
Prior to the effective date of the Children’s Online Privacy Protection Act of 1998 (April 21, 2000), privacy laws in the United States could be summarized as follows:
(A) Prohibitions on state and federal government relating to:
(1) Unreasonable search and seizure under the Fourth Amendment to the United States Constitution;
(2) Compelling an accused to testify against himself or herself under the Fifth Amendment to the United States Constitution;
(3) Intruding unreasonably on the privacy of citizens, such as enacting a state law prohibiting sales of contraceptives or prohibiting abortions in the first trimester of pregnancy, under either the Bill of Rights generally or the Fourteenth Amendment; and
(4) Disclosing personal data except for publicly announced purposes under specific federal statutes;
(B) Privacy and publicity rights based on state constitutions, common law and state statutes including prohibitions against wrongful intrusion, wrongful disclosure of embarrassing private facts, false light and unauthorized appropriation of identity including image and voice for a commercial purpose. Wrongful disclosure and wrongful appropriations are especially familiar to entertainment attorneys;
(C) State law restrictions such as prohibitions against disclosure of health information by insurance companies and HMO’s;
(D) Prohibitions against wire tapping, unauthorized access into computers, collection of data regarding viewing habits of customers by cable companies, accessing another person’s electronic mail and disclosure by video retailers of data regarding purchases.
Noticeably missing in the United States were restrictions on the use of data collected in commercial settings for marketing purposes and requirements for protection of that data from inadvertent theft or disclosure. The only federal restriction in this area prior to the year 2000 was the Fair Credit Reporting Act, which restricted credit reporting agencies from disclosing information other than for use in approving or disapproving credit, an application for an insurance policy or an application for employment, as well as a few other purposes such as collecting a judgment debt. The Fair Credit Reporting Act had an impact beyond credit reporting agencies as the term is ordinarily understood, in that it defined a “credit reporting agency” to include any business that provided credit reports (i.e. personal information useful for determining eligibility for credit, insurance or employment) for any of the purposes for which credit reporting agencies were permitted to provide credit reports. As a consequence, banks and other businesses that obtained personal information would avoid disclosing information about their customers for any of these purposes so as not to be classified as a “credit reporting agency.” In addition to being restricted in how these reports could be disclosed, credit reporting agencies were also required to remove data from databases under certain circumstances, permit consumers to view their information under certain circumstances and comply with other requirements that would be onerous for businesses that were not set up as credit reporting agencies. However, the Fair Credit Reporting Act was not very helpful in protecting privacy, precisely because it defined credit reporting agencies as entities that provided reports for the permitted purposes referred to above.
Since the Act did not permit credit reporting agencies to provide information for “marketing purposes,” banks and other businesses that did release personal customer information for marketing purposes were not thereby deemed to be credit reporting agencies. As the Fair Credit Reporting Act did nothing to stop the release of private information for marketing purposes, it had no impact on Operators of entertainment websites.
The approach to privacy among the nations of the European Union has been very different. In 1995 the members of the European Union enacted the European Union Privacy Directive, which essentially restricted commercial entities from using or disclosing personal data collected from consumers, other than for the purposes for which the information was first collected, without permission from the consumers. All of the member states of the European Union were free to enact stricter standards, but not free to enact standards that were less strict. The laws of the European Union applied to all data, whether collected over the web, in databases or otherwise. As mentioned above, similar laws have since been enacted in Canada and Australia. Other countries are considering enacting privacy laws, but the writer is not aware of any other countries that have enacted comprehensive privacy laws similar to the European Union Privacy Directive.
As time went on, the American public became more aware of the problems arising from identity theft (supposedly ten million Americans were victims of identity theft in 2003) and, unlike the European Union Privacy Directive, which applies across all industries, Congress chose to enact laws that dealt with specific areas of privacy concern. The two major federal acts were the Gramm-Leach-Bliley Act (“GLB”), the privacy rules of which became effective on July 1, 2001 and imposed restrictions on “financial institutions” that went beyond those imposed by the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act (“HIPAA”), the privacy rules of which became effective on April 14, 2003. These acts also impose certain security requirements (requirements that set minimum standards for protecting data from unintended disclosures, such as to hackers) on the holders of such information. The security rules under GLB became effective at various times but are all in effect at this point. The security rules under HIPAA became effective with respect to most health service providers on April 20, 2005. The term “financial institution” is defined under GLB more broadly than what is normally thought of as a financial institution. The term includes banks and savings and loans, but also accounting firms, credit card companies and a host of other businesses. Any business that collects personal financial information for the purpose of extending credit or holding deposits would be considered a financial institution. For example, an Operator of an entertainment website that offered its own credit card would be governed by GLB. However, the writer is not aware of any entertainment companies that would be governed by GLB.
HIPAA applies to health service providers such as doctors and hospitals, health plans such as insurance companies, and healthcare clearing houses (third-party providers of billing and data services for health service providers), and has no application to Operators of entertainment websites.
General privacy and publicity rights, available in some form in all states, do not restrict the use of private information for marketing purposes. The prohibitions against wrongful intrusion, public disclosure of embarrassing private facts, false light and wrongful appropriation of one’s likeness or voice, which are so familiar to lawyers in the entertainment industry, have not been construed to restrict marketers from using personal information of individuals to market to those individuals, provided the personal information was not obtained via a wrongful intrusion.
Since GLB and HIPAA became law, other acts have been enacted that do apply to Operators of entertainment websites. Those acts are:
(A) The Children’s Online Privacy Protection Act of 1998, which became effective on April 21, 2000;
(B) The California Security Breach Notification Act, which became effective on July 1, 2003;
(C) The California Online Privacy Protection Act, which became effective on July 1, 2004; and
(D) The California Information-Sharing Disclosure Act, which became effective on January 1, 2005.
Each of the above is addressed separately below.
II. Children’s Online Privacy Protection Act of 1998
The Children’s Online Privacy Protection Act (“COPPA”) imposes obligations on the Operators of websites that are operated for commercial purposes and are directed to children under 13, or where the Operator has actual knowledge that it is collecting personal information from children under 13. The obligations that COPPA imposes on such websites (with respect to the collection of information from children who are residents of the United States) are very similar to the requirements that apply to website Operators with any presence in countries of the European Union with respect to both children and adults who are residents of those countries. Important points concerning COPPA include:
(A) The term “child” means an individual under the age of thirteen.
(B) The act purports to apply to any website, wherever located, that collects information from children who reside in the United States.
(C) The personal information that is the subject of the act includes:
(i) A first name and last name;
(ii) A home or other physical address;
(iii) Any email address;
(iv) A telephone number;
(v) A social security number;
(vi) Any other identifier that the Federal Trade Commission determines permits the physical or online contacting of a specific individual; or
(vii) Information concerning a child or parents of that child that is combined with an identifier described above.
(i) What information is collected from children by the Operator;
(ii) Describes how the Operator uses such information;
(iii) Describes to what individuals and/or entities the Operator discloses private information and what such information is disclosed;
(iv) Obtain parental consent that the child may use the website and provide the data required in one of two formats:
(a) If the information will be used by the Operator but not disclosed to others, the Operator may, among other methods, obtain consent by receiving an email from the supposed parent’s email address and confirming receipt by sending a reply email to the same address. Of course there is no guarantee that the original email was sent by, or the responding email was read by, the parent, although the younger the child, and therefore the greater the concern, the less likely it is that the child would pretend to be the parent; and
(b) Where the children’s data may be disclosed to third parties, more credible evidence of authorization is required such as the providing of a credit card number of the supposed parent.
(v) The parent must have the ability to view the information obtained from that parent’s child, and also to correct such information and/or prohibit the Operator from continuing to hold it. The information may be provided by any reasonable means by which the parent’s identity can be verified, including having the parent mail the request for the information along with a form signed by the parent. The Operator may then send the information back to the parent by mail, which is much less onerous for smaller Operators of kid-oriented websites than providing passwords that allow parents to access the information themselves online.
(E) The Operator may not require the providing of any information concerning a child under thirteen that is not reasonably required for the purpose for which the child is providing such information.
III. California Security Breach Notification Act
The California Security Breach Notification Act became effective on July 1, 2003. The act requires that if confidential information of any California resident may have been compromised as a result of a computer security breach, that resident must be notified. (The statute is concerned with unencrypted computerized personal information that was, or is reasonably believed to have been, acquired by an unauthorized person.) An Operator of an entertainment website that collects such information from residents of California would be required to make such disclosure in the event the website Operator becomes aware that such information may have been compromised. Other states and Congress are considering, are in the process of enacting, or have just enacted similar laws. In early 2005, as a result of notices required by the California Security Breach Notification Act, consumers became aware of the unintended release of sensitive information by data warehouses to potential identity thieves.
IV. California Online Privacy Protection Act
An Operator shall be in violation of this provision only if the Operator fails to post its policy within thirty (30) days after being notified of non-compliance.
Another section provides that an Operator will be in violation of the section referred to in the foregoing sentence if it acts:
(a) Knowingly and willfully; or
(b) Negligently and materially.
V. California Information-Sharing Disclosures (“Shine the Light”) Act
California Civil Code Section 1798.83, which became effective on January 1, 2005, requires that Operators of websites that obtain information from customers who are residents of the state of California, which have twenty (20) or more employees and have disclosed personal information to third parties for direct marketing purposes within the immediately preceding calendar year, either
(A) Provide a mechanism for receiving requests and provide, in response to any such request, in writing or by electronic mail, a list of the categories of personal information provided, with the names and addresses of the third parties that receive such information and, where it is not possible to determine from the name of the third party the nature of the third party’s business, an explanation of the business of each such party; or
© 2006 LexisNexis and Rob Hassett, All rights reserved.
The information above is provided for general educational purposes and not as legal advice. Laws in areas in which we practice change continually and also vary from jurisdiction to jurisdiction. Therefore no visitor to our site should rely on any of the articles provided for legal advice, but should always consult their own attorney regarding legal matters.