Protecting Online Privacy to Avoid Liability.

Nonprofit membership organizations operating in the online world must confront a number of policy and legal issues that are still in the early stages of formulation. While the Information Age brings a tremendous number of benefits to the organization and its online visitors, it also poses a number of challenges to organizations that collect personally identifiable information about Web site users. Since establishing your Web site visitors' trust and confidence is the cornerstone of an effective Internet strategy, the protection of personal information is critical. In this column, Marc A. Pearl and Sol Irvine address Internet privacy issues for associations and some of the actions they can take to protect such information.

The intensity of recent public debate surrounding online privacy suggests an expanding role for government regulation of online collection and use of private information. Although the volcanic changes in the landscape of online privacy regulation are largely motivated by the eruption of e-commerce activity, noncommercial Web sites that collect information about users will also be affected.
As a result, nonprofit membership organizations that operate Web sites should pay close attention to developments in global online privacy regulation. To maintain the highest level of trust and confidence, an organization with an online presence must be aware of, implement, and enforce an effective privacy policy to protect itself against liability for privacy violations. This process includes the four steps explained below.

Review data-collection practices

Conduct a thorough and honest assessment of your association's Web site data-collection practices. Identify any functionality on the Web site that requires a user to submit information that might be considered private. That would include information that personally identifies an end user, such as name, mailing address, credit card number, or social security number. Web sites gather such private information through online registration forms; order forms; forms for account registration, mailing list or catalogue subscriptions, contest entries, and surveys; and other online offers that require data entry.

If a Web site offers message boards or chat rooms, carefully review policies and practices in user-generated forums. A Web site can inadvertently acquire private information in these forums, and the operator's role in editing or moderating these areas will determine its responsibilities under the law.

Finally, review data-sharing arrangements with business partners and third-party service providers. If the Web site relies on outsourced functions (such as hosting or co-location), it is a good idea to seek assurances that service providers will not misuse data in violation of applicable privacy laws.

Become familiar with current regulations

In the United States, most online activities affecting personal privacy are not yet subject to special regulation. Fearing disruptive regulatory mechanisms that might stifle the breakneck pace of e-commerce growth, the federal government has adopted a hands-off approach that allows business sectors to adopt the standards most appropriate to the demands of their particular constituents and customers. Notable exceptions are Web sites related to health care and financial institutions, and those directed at children--each category having received special legislative and regulatory attention at the federal level.

European governments have taken a more hands-on approach. Since 1998, the European Union has directed its member states to implement national legislation prohibiting the transfer of personal information to non-EU countries that do not meet the relatively stringent European standard for privacy protection. The European approach involves a complex bureaucracy of data-protection authorities, database registration ledgers, and procedures for mandatory pre-approval of certain online activities.

Since most Web sites reach global audiences, the divergent European and U.S. standards have left many Web site operators confused. The European Commission, working with the U.S. Department of Commerce, recently reached a compromise between the U.S. and European approaches, approving a safe-harbor framework that attempts to resolve the confusion. The primary concession to the European approach is a requirement that certain "sensitive information" cannot be collected or shared without the end user's prior consent. Sensitive information is defined as "personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual." All other information can be collected and used, provided that the end user has been given notice and has decided not to opt out.

To take advantage of the safe harbor, a Web site operator must submit a self-certification letter to the Department of Commerce. If a Web site persistently fails to comply with the safe-harbor requirements, the Department of Commerce may take steps to publicize that failure, possibly exposing the site to prosecution by European data-protection authorities--as well as to administrative orders or civil penalties imposed by the U.S. Federal Trade Commission.
Perhaps more significant to a nonprofit membership organization is the damaging effect of a public investigation or proceeding and the accompanying public relations disaster.

Develop a privacy policy

The key to a preemptive approach to online privacy liability is a clear, public disclosure of the Web site's information-gathering and sharing practices. A privacy statement should be made available to end users by means of a link appearing at the foot of each page on the Web site and should be conspicuously referenced wherever personal information is being collected on the site. The privacy statement should address the following questions:

1) What personally identifiable information is being collected?
2) How is the information being used?
3) With whom might the information be shared?
4) Who is collecting the information?

Users should be able to review, delete, or modify the information that is collected about them. You should also provide users with a contact within the organization to handle such requests.

To be effective, a privacy policy must be supported by security measures that protect against unauthorized disclosures of private information. Proper security measures include a technical solution that keeps rogue users out of the portions of databases containing private information. In addition, articulating clear guidelines for employees that are authorized to access private information will help protect an organization from violations of the privacy policy.

Monitor regulatory developments

Enterprises maintaining Web sites would be wise to keep an eye on developments in Asia, Europe, and the rest of the world during the next few years. The Asian and Pacific Rim nations have been conspicuously absent from the public discourse on online privacy issues. Although certain privacy issues are addressed under both Australian and Hong Kong law, no comprehensive privacy regimes specifically aimed at online activities have developed yet in Asia or the Pacific Rim. As Internet use proliferates in these areas, a reconciliation of cultural approaches to personal privacy similar to the safe harbor between the United States and Europe should be expected.

Additionally, in late November, for example, the EU approved rules updating their Brussels Convention, designed to guarantee that consumers have the right to contest, in the courts of the member state in which they reside, a legal dispute arising with a retailer over goods purchased. Though focused on EU countries, the ever-dynamic nature of laws and treaties, such as this one, could have enormous impact on Web sites operated from the United States.

Knowledge is power

A successful online strategy--even for noncommercial Web sites--embraces the concept of establishing trust and confidence among users.
The awareness and implementation of credible, enforceable, and easily understood privacy and information-security policies is key. The ability of the nonprofit membership organization to communicate to its constituents these very same strategies and policies will help provide a strong sense of consumer empowerment and ensure that governments stay out of the micromanagement of the Internet.

Marc A. Pearl is a partner in Shaw Pittman's Washington, D.C., office and heads the firm's technology policy practice. Sol Irvine is an attorney in Shaw Pittman's New York City office and concentrates on technology transactions and issues. Jerald A. Jacobs is a partner in Shaw Pittman's Washington, D.C., office and is general counsel to ASAE.