Privacy Policies

by Rob Hassett

Casey Gilson Leibel P.C.

Six Concourse Parkway, Suite 2200

Atlanta, Georgia 30328

(770) 512-0300, ext. 557

rob@internetlegal.com

Law Firm Website:  http://www.caseygilson.com/

Personal Website:  http://www.internetlegal.com/

Posted on August 19, 2006

* Mr. Hassett is a co-author of Volume 5 (which volume is entitled Internet and Interactive Media) of the 10 volume treatise entitled Entertainment Industry Contracts which is published by LexisNexus.  This article is adapted from a Chapter of that volume.

I.            Background

II.           Children’s Online Privacy Protection Act of 1998

III.          California Security Breach Notification Act

IV.          California Online Privacy Protection Act

V.           California Information – Sharing Disclosure (“Shine the Light”) Act

I.  Background

Until the Children’s Online Privacy Protection Act of 1998 (“COPPA”) became effective on April 21, 2000, entertainment websites based in the United States were not required to post a privacy policy except as required by their advertisers. Although not as widespread a practice before 2000 as today, sometimes operators that were not required to post a privacy policy would post one to reassure customers.  The best legal advice was often not to post a privacy policy.    Any website operator that posted a privacy policy ran the risk that the privacy policy could be inadvertently inaccurate and expose the website operator to a Federal Trade Commission action or a claim for fraud, whereas not posting a privacy policy could not result in any legal exposure.  As explained more fully below, in many cases, for an Operator of a commercial website (an “Operator”) that collects personal information from consumers, not posting a privacy policy is no longer an option.  There are four reasons that it is now often necessary, or at least recommended, that any Operator hire an attorney to draft and then post a privacy policy.  First, if the website is operated for commercial purposes and is directed to children under thirteen, or the Operator has actual knowledge that personal information is being collected from children under thirteen, the Operator is required by COPPA to post a privacy policy on the website.  Second, subject to the exceptions discussed below, the state ofCalifornianow requires that any website that collects personally identifiable information from consumers based inCaliforniapost a privacy policy.  Third, although the undersigned is not aware of any claims against website Operators without a presence in those countries even if information is collected from consumers in those countries, Operators with a presence in any countries of the European Union, Canada or Australia that collect personally identifiable information from consumers in those countries is required to post privacy policies.  Finally, most Operators of websites that do not post a professionally written privacy policy, post a rudimentary privacy policy that is either made up by the Operator or copied from another website and does not accurately describe the actual privacy policies of the Operator (or, where laws relating to privacy policies apply, do not comply with those requirements).   Posting a privacy policy that does not accurately describe the privacy policies of the Operator is both an unfair or deceptive act or practice for which the Operator may be subject to an action by the Federal Trade Commission and may be fraud under the laws of each state for which each visitor affected by the fraud could sue the Operator.  The only Operators of entertainment websites that need not worry about obtaining advice from a professional concerning posting of a privacy policy today are those that do not collect any personal information from visitors.

Prior to the effective date of the Children’s Online Privacy Protection Act of 1998 (April 21, 2000) privacy laws in theUnited Statescould be summarized as follows:

(A)       Prohibitions on state and federal government relating to:

(1)       Unreasonable search and seizure under the fourth amendment to the United States Constitution;

(2)       Compelling an accused to testify against himself or herself under the Fifth Amendment to the United State Constitution;

(3)       Intruding unreasonably on the privacy of citizens, such as enacting a state law prohibiting sales of contraceptives or prohibiting abortions in the first trimester of pregnancy, under either the Bill of Rights generally or the Fourteenth Amendment; and

(4)       Disclosing personal data except for publicly announced purposes under specific federal statutes;

(B)       Privacy and publicity rights based on state constitutions, common law and state statutes including prohibitions against wrongful intrusion, wrongful disclosure of embarrassing private facts, false light and unauthorized appropriation of identity including image and voice for a commercial purpose.  Wrongful disclosure and wrongful appropriations are especially familiar to entertainment attorneys;

(C)       State law restrictions such as prohibitions against disclosure of health information by insurance companies and HMO’s;

(D)       Prohibitions against wire tapping, unauthorized access into computers, collection of data regarding viewing habits of customers by cable companies, accessing another person’s electronic mail and disclosure by video retailers of data regarding purchases.

Noticeably missing in theUnited Stateswere restrictions on the use of data collected in commercial settings for marketing purposes and requirements for protections of that data from inadvertent theft or disclosure.  The only federal restriction there was in this area prior to the year 2000 was the Fair Credit Reporting Act which restricted credit reporting agencies from disclosing information other than to be used for approving or disapproving credit, an application for insurance policy or an application for employment as well as a few other purposes such as collecting a judgment debt.  The Fair Credit Reporting Act had an impact beyond just credit reporting agencies as the term is ordinarily understood, in that it defined a “credit reporting agency” to include any business that provided credit reports (i.e. personal information useful for determining eligibility for credit, insurance or employment) for any of the purposes for which credit reporting agencies were permitted to provide credit reports. As a consequence, banks and other businesses that obtained personal information, would avoid disclosing information about their customers for any of these purposes to avoid being classified as a “credit reporting agency.”  In addition to being restricted in how these reports could be disclosed, credit reporting agencies were also required to remove data from databases under certain circumstances, permit consumers to view their information under certain circumstances and comply with other requirements that would be onerous for businesses that were not set-up as credit reporting agencies.   However, the Fair Credit Reporting Act was not very helpful in protecting privacy because it defined credit reporting agencies as entities that provided reports for the purposes credit reporting agencies were permitted to provide reports as referred to above.  Since the Act did not permit credit reporting agencies to provide information for “marketing purposes,” banks and other businesses that did release personal customer information for marketing purposes were not thereby deemed to be credit reporting agencies.  As the Fair Credit Reporting Act did nothing to stop the release of private information for marketing purposes, it had no impact on Operators of entertainment websites.

The approach regarding privacy among the nations of the European Union has been very different.  In 1995 the members of the European Union enacted the European Union Privacy Directive which essentially restricted commercial entities from using or disclosing personal data collected from consumers other than for the purposes for which the information was first collected without permission from the consumers.  All of the member states of the European Union were free to enact stricter standards, but not free to enact standards that were less strict.  The laws of the European Union applied to all data, no matter whether collected over the web, in databases or otherwise.  As mentioned above, similar laws have since been enacted inCanadaandAustralia.  Other countries are considering enacting privacy laws, but the writer is not aware of any other countries that have enacted comprehensive privacy laws similar to the European Union Privacy Directive.

As time went on, the American public has become more aware of the problems arising from identify theft (supposedly ten million Americans were victims of identify theft in 2003) and, unlike the European Union Privacy Directive which applies across all industries, Congress chose to enact laws that dealt with specific areas of privacy concerns.  The two major federal acts that were enacted were the Gramm-Leach-Bliley Act (GLB), the privacy rules of which became effective on July 1, 2001 and imposed restrictions on “financial institutions” that went beyond what were imposed by the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act, (“HIPAA”), the privacy rules of which became effective on April 14, 2003.  These acts also impose certain security requirements (requirements that set minimum standards for protecting data from unintended disclosures such as to hackers) on the holders of such information.  The security rules under The Gramm-Leach-Bliley Act became effective at various times but are all in effect at this point.  The security rules under the Health Insurance Portability and Accountability Act (“HIPAA”) become effective with respect to most health service providers onApril 20, 2005.  The term “Financial Institution” is defined underGLBmore broadly than what is normally thought of as a “Financial Institution.”  The term is defined to include banks and savings and loans but also includes accounting firms, credit card companies and a host of other businesses.  Any business that collects personal financial information for the purpose of extending credit or holding deposits would be considered a financial institution.  For example an Operator of an entertainment website that offered its own credit card would be governed byGLB.  However, the writer is not aware of any entertainment companies that would be governed byGLB.  HIPAA applies to health service providers such as doctors and hospitals, health plans such as insurance companies and healthcare clearing houses, which are third party providers of billing and data services for health service providers, and has no application to Operators of entertainment websites.

General privacy and publicity rights, available in some form in all states, do not restrict the use of private information for marketing purposes.  The prohibitions against wrongful intrusion, public disclosure of embarrassing private facts, false light and wrongful appropriation of one’s likeness or voice, which are so familiar to lawyers in the entertainment industry, have not, provided the personal information was not obtained via a wrongful intrusion, been construed to restrict marketers from using personal information of individuals to market to those individuals.

SinceGLBand HIPAA became law, other acts have been enacted that do apply to Operators of entertainment websites.  Those acts are:

(A)       The Children’s Online Privacy Protection Act of 1998, which became effective onApril 21, 2000;

(B)       The California Security Breach Notification Act, which became effective onJuly 1, 2003;

(C)       The California Online Privacy Protection Act, which became effective onJuly 1, 2004; and

(D)       The California Information-Sharing Disclosure Act, which became effective onJanuary 1, 2005.

Each of the above are addressed separately below.

II.  Children’s Online Privacy Protection Act of 1998

The Children’s Online Privacy Protection Act (“COPPA”) imposes obligations on the Operators of websites that are operated for commercial purposes and are directed to children or where the Operator has actual knowledge that personal information is being collected from children under 13.  The obligations that COPPA imposes on websites that are directed to or which collect information from children (with respect to the collection of information from such children who are residents of the United States) are very similar to the requirements that apply to website Operators with any presence in countries of the European Union with respect to both children and adults who are residents of any countries of the European Union.  Important points concerning the Children’s Online Privacy Protection Act, include:

(A)       The term “child” means an individual under the age of thirteen.

(B)       The act purports to apply to any website, wherever located, that collects information from children who reside in theUnited States.

(C)       The personal information that is the subject of the act includes:

(i)         A first name and last name;

(ii)        A home or other physical address;

(iii)       Any email address;

(iv)       A telephone number;

(v)        A social security number;

(vi)       Any other identifier that the Federal Trade Commission determines permits the physical or online contacting of a specific individual; or

(vii)      Information concerning a child or parents of that child that is combined with an identifier described above.

(D)       The Operator is required to post a privacy policy on the home page of the website, and a link to the privacy policy everywhere personal information is collected, that provides:

(i)         What information is collected from children by the Operator;

(ii)        Describes how the Operator uses such information;

(iii)       Describes to what individuals and/or entities the Operator discloses private information and what such information is disclosed,

(iv)       Obtain parental consent that the child may use the website and provide the data required in one of two formats:

(a)       If the information will be used by the Operator, but not disclosed to others, among other methods, the Operator may obtain consent by receiving an email from the supposed parent’s email address and confirming receipt by sending a reply email to the same address.  Of course there is no guarantee that the original email was sent by, or the responding email was sent to, the parent.  Although the younger the child, and therefore the more concern there may be, the less likely that the child would pretend to be the parent; and

(b)       Where the children’s data may be disclosed to third parties, more credible evidence of authorization is required such as the providing of a credit card number of the supposed parent.

(v)        For the parent, there should be the ability to view the information obtained from that parent’s child and also correct such information and/or prohibit the Operator from continuing to hold that information.  The information may be provided by any reasonable means by which the parent’s signature can be verified, including having the parent mail the request for the information along with a form signed by the parent.  The Operator may then send the information back to the parent by mail which is much less onerous for smaller Operators of kid-oriented websites than to provide passwords allowing the parents to go in and access the information themselves online.

(E)       The Operator may not require the providing of any information concerning a child under thirteen that is not reasonably required for the purpose for which the child is providing such information.

(F)       The privacy policy posted on the website must be “clearly and understandably written, be complete, and must contain no unrelated, confusing or contradictory terms.”

The Operator of each and every website that is directed to children under thirteen, or knowingly obtains information from any child under thirteen, must comply with this act.  Both the Federal Trade Commission and the individual states may enforce the provisions of this act.  According to the FTC website (see http://www.ftc.gov/), the Federal Trade Commission recently settled violations of COPPA by imposing penalties of $75,000 and $400,000 respectively, where the Act had apparently not been followed, against two well-known companies.  The information that those companies had collected online indicated that the children providing the information were under thirteen years of age and no privacy policy in compliance with the Act had been posted.

III.  California Security Breach Notification Act

The California Security Breach Notification Act became effective on July 1, 2003.  The act requires that if any confidential information of anyCalifornia resident may have been compromised as a result of a computer security breach, that such resident be notified.  An Operator of an entertainment website that collects such information from residents ofCalifornia would be required to make such disclosure in the event such website Operator becomes aware that such information may have been compromised.  Other states and the Congress are considering, in the process of enacting or have just enacted, similar laws.  As a result of the California Security Breach Notification Act in early 2005, consumers became aware of the unintended release of sensitive information by data warehouses to  potential identity thieves.

IV.  California Online Privacy Protection Act

Until the effective date of the California Online Privacy Protection Act which became effective onJuly 1, 2004, neither the federal government nor any of the states required that any Operator of any website that was not subject to the Children’s Online Privacy Protection Act,GLB, HIPAA or the Fair Credit Reporting Act, provide a privacy policy online or otherwise.  As ofJuly 1, 2004 this has changed as the state ofCalifornia requires that any commercial website that collects personally identifiable information onCalifornia consumers post a privacy policy. That statute reads in pertinent part:

An Operator shall be in violation of this provision only if the Operator fails to post its policy within thirty (30) days after being notified of non-compliance.

Another section reads that an Operator will be in violation of the section referred to in the foregoing sentence if:

The Operator fails to comply with the provisions of the above section or with the provisions of its posted privacy policy in either of the following ways:

(a)       Knowingly and willfully.

(b)       Negligently and materially

The writer interprets these two statutes to mean that no Operator is currently required to post a policy under Californialaw until thirty (30) days from the date the state of Californiaprovides a notice requiring such posting.  Nevertheless, at this time the writer believes that the best policy for any Operator collecting personal information from a large number of consumers in Californiawould be to post a privacy policy that meets the requirements of this section.  The writer does not believe it is in the interest of any Operator, with many customers who are Californiaresidents, to attract the attention of officials in Californiaby not complying with the statute.  Also, most Operators will post some sort of privacy policy anyway, which will likely not be in compliance and be in violation of the statute.  The statute requires that the Operator conspicuously post a link that includes the word “privacy” on the homepage or “first significant page after entering the Website” and clearly states in the privacy policy what information the Operator collects, how the Operator uses such information, and how the Operator discloses such information.  If the Operator permits individual consumers to review and request changes to any personably identifiably information, that process must be explained.  If the Operator reserves the right to notify consumers of any changes to its policy, that process must also be explained.  Also, the Operator is required to identify the effective date of such policy.  The writer is not aware of any other states that require that privacy policies be posted, or that specific information be provided in them, but understands that legislatures of various states are considering adding similar statutes.

V.  California Information-Sharing Disclosures (“Shine the Light”) Act

California Civil Code Section 1798.83, which became effective onJanuary 1, 2005, requires that Operators of websites that obtain information from customers that are residents of the state ofCalifornia, which have twenty (20) or more employees and have disclosed personal information to third parties for direct marketing purposes within the immediately proceeding calendar year, either

(A)       Provide a mechanism for receiving requests for and provide, in response to any such request, in writing or by electronic mail, a list of the categories of personal information provided with the names and addresses of the third parties that receive such information and, where its not possible to determine from the name of the third party the nature of the third party business, an explanation of the business of each such party or;

(B)       State in a privacy policy disclosed to the public that personal information of customers will not be disclosed to third parties for direct marketing purposes unless the customer affirmatively agrees to that disclosure (opts in) or provides a clear method of opting out.

© 2006 LexisNexis and Rob Hassett, All rights reserved.

The information above is provided for general educational purposes and not as legal advice. Laws in areas in which we practice change continually and also vary from jurisdiction to jurisdiction. Therefore no visitor to our site should rely on any of the articles provided for legal advice, but should always consult their own attorney regarding legal matters.

This entry was posted in Law by Rob Hassett. Bookmark the permalink.

About Rob Hassett

Rob Hassett is an attorney in technology, entertainment and corporate law with the law firm of Casey Gilson P.C. in Atlanta, GA. He is a co-author of a leading volume on internet and interactive media law and has taught many classes in the professional education program at Georgia Tech.

Leave a Reply