Protecting Online Privacy to Avoid Liability.
The intensity of recent public debate surrounding online privacy suggests an expanding role for government regulation of online collection and use of private information. Although the volcanic changes in the landscape of online privacy regulation are largely motivated by the eruption of e-commerce activity, noncommercial Web sites that collect information about users will also be affected. As a result, nonprofit membership organizations that operate Web sites should pay close attention to developments in global online privacy regulation.
Review data-collection practices
Conduct a thorough and honest assessment of your association's Web site data-collection practices. Identify any functionality on the Web site that requires a user to submit information that might be considered private. That would include information that personally identifies an end user, such as name, mailing address, credit card number, or social security number. Web sites gather such private information through online registration forms; order forms; forms for account registration, mailing list or catalogue subscriptions, contest entries, and surveys; and other online offers that require data entry.
If a Web site offers message boards or chat rooms, carefully review policies and practices in user-generated forums. A Web site can inadvertently acquire private information in these forums, and the operator's role in editing or moderating these areas will determine its responsibilities under the law.
Finally, review data-sharing arrangements with business partners and third-party service providers. If the Web site relies on outsourced functions (such as hosting or co-location), it is a good idea to seek assurances that service providers will not misuse data in violation of applicable privacy laws.
Become familiar with current regulations
In the United States, most online activities affecting personal privacy are not yet subject to special regulation. Fearing disruptive regulatory mechanisms that might stifle the breakneck pace of e-commerce growth, the federal government has adopted a hands-off approach that allows business sectors to adopt the standards most appropriate to the demands of their particular constituents and customers. Notable exceptions are Web sites related to health care and financial institutions, and those directed at children--each category having received special legislative and regulatory attention at the federal level.
European governments have taken a more hands-on approach. Since 1998, the European Union has directed its member states to implement national legislation prohibiting the transfer of personal information to non-EU countries that do not meet the relatively stringent European standard for privacy protection. The European approach involves a complex bureaucracy of data-protection authorities, database registration ledgers, and procedures for mandatory pre-approval of certain online activities.
Since most Web sites reach global audiences, the divergent European and U.S. standards have left many Web site operators confused. The European Commission, working with the U.S. Department of Commerce, recently reached a compromise between the U.S. and European approaches, approving a safe-harbor framework that attempts to resolve the confusion.
The primary concession to the European approach is a requirement that certain "sensitive information" cannot be collected or shared without the end user's prior consent. Sensitive information is defined as "personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual." All other information can be collected and used, provided that the end user has been given notice and has decided not to opt out.
To take advantage of the safe harbor, a Web site operator must submit a self-certification letter to the Department of Commerce. If a Web site persistently fails to comply with the safe-harbor requirements, the Department of Commerce may take steps to publicize that failure, possibly exposing the site to prosecution by European data-protection authorities--as well as to administrative orders or civil penalties imposed by the U.S. Federal Trade Commission. Perhaps more significant to a nonprofit membership organization is the damaging effect of a public investigation or proceeding and the accompanying public relations disaster.
The key to a preemptive approach to online privacy liability is a clear, public disclosure of the Web site's information-gathering and sharing practices. A privacy statement should be made available to end users by means of a link appearing at the foot of each page on the Web site and should be conspicuously referenced wherever personal information is being collected on the site.
The privacy statement should address the following questions:
1) What personally identifiable information is being collected?
2) How is the information being used?
3) With whom might the information be shared?
4) Who is collecting the information?
Users should be able to review, delete, or modify the information that is collected about them. You should also provide users with a contact within the organization to handle such requests.
Monitor regulatory developments
Enterprises maintaining Web sites would be wise to keep an eye on developments in Asia, Europe, and the rest of the world during the next few years. The Asian and Pacific Rim nations have been conspicuously absent from the public discourse on online privacy issues. Although certain privacy issues are addressed under both Australian and Hong Kong law, no comprehensive privacy regime specifically aimed at online activities has yet developed in Asia or the Pacific Rim. As Internet use proliferates in these areas, a reconciliation of cultural approaches to personal privacy similar to the safe harbor between the United States and Europe should be expected. In addition, in late November the EU approved rules updating its Brussels Convention, designed to guarantee that consumers have the right to contest, in the courts of the member state in which they reside, a legal dispute with a retailer over goods purchased. Though focused on EU countries, the ever-changing nature of laws and treaties such as this one could have an enormous impact on Web sites operated from the United States.
Knowledge is power
A successful online strategy--even for noncommercial Web sites--embraces the concept of establishing trust and confidence among users. The awareness and implementation of credible, enforceable, and easily understood privacy and information-security policies is key. The ability of the nonprofit membership organization to communicate to its constituents these very same strategies and policies will help provide a strong sense of consumer empowerment and ensure that governments stay out of the micromanagement of the Internet.
Marc A. Pearl is a partner in Shaw Pittman's Washington, D.C., office and heads the firm's technology policy practice. Sol Irvine is an attorney in Shaw Pittman's New York City office and concentrates on technology transactions and issues. Jerald A. Jacobs is a partner in Shaw Pittman's Washington, D.C., office and is general counsel to ASAE.
Date: Mar 1, 2001