
Protecting Online Privacy to Avoid Liability.

Nonprofit membership organizations operating in the online world must confront a number of policy and legal issues that are still in the early stages of formulation. While the Information Age brings a tremendous number of benefits to the organization and its online visitors, it also poses a number of challenges to organizations that collect personally identifiable information about Web site users. Since establishing your Web site visitors' trust and confidence is the cornerstone of an effective Internet strategy, the protection of personal information is critical. In this column, Marc A. Pearl and Sol Irvine address Internet privacy issues for associations and some of the actions they can take to protect such information.

The intensity of recent public debate surrounding online privacy suggests an expanding role for government regulation of online collection and use of private information. Although the volcanic changes in the landscape of online privacy regulation are largely motivated by the eruption of e-commerce activity, noncommercial Web sites that collect information about users will also be affected. As a result, nonprofit membership organizations that operate Web sites should pay close attention to developments in global online privacy regulation.

To maintain the highest level of trust and confidence, an organization with an online presence must be aware of, implement, and enforce an effective privacy policy to protect itself against liability for privacy violations. This process includes the four steps explained below.

Review data-collection practices

Conduct a thorough and honest assessment of your association's Web site data-collection practices. Identify any functionality on the Web site that requires a user to submit information that might be considered private. That would include information that personally identifies an end user, such as name, mailing address, credit card number, or social security number. Web sites gather such private information through online registration forms; order forms; forms for account registration, mailing list or catalogue subscriptions, contest entries, and surveys; and other online offers that require data entry.

If a Web site offers message boards or chat rooms, carefully review policies and practices in user-generated forums. A Web site can inadvertently acquire private information in these forums, and the operator's role in editing or moderating these areas will determine its responsibilities under the law.

Finally, review data-sharing arrangements with business partners and third-party service providers. If the Web site relies on outsourced functions (such as hosting or co-location), it is a good idea to seek assurances that service providers will not misuse data in violation of applicable privacy laws.

Become familiar with current regulations

In the United States, most online activities affecting personal privacy are not yet subject to special regulation. Fearing disruptive regulatory mechanisms that might stifle the breakneck pace of e-commerce growth, the federal government has adopted a hands-off approach that allows business sectors to adopt the standards most appropriate to the demands of their particular constituents and customers. Notable exceptions are Web sites related to health care and financial institutions, and those directed at children--each category having received special legislative and regulatory attention at the federal level.

European governments have taken a more hands-on approach. Since 1998, the European Union has directed its member states to implement national legislation prohibiting the transfer of personal information to non-EU countries that do not meet the relatively stringent European standard for privacy protection. The European approach involves a complex bureaucracy of data-protection authorities, database registration ledgers, and procedures for mandatory pre-approval of certain online activities.

Since most Web sites reach global audiences, the divergent European and U.S. standards have left many Web site operators confused. The European Commission, working with the U.S. Department of Commerce, recently reached a compromise between the U.S. and European approaches, approving a safe-harbor framework that attempts to resolve the confusion.

The primary concession to the European approach is a requirement that certain "sensitive information" cannot be collected or shared without the end user's prior consent. Sensitive information is defined as "personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual." All other information can be collected and used, provided that the end user has been given notice and has decided not to opt out.

To take advantage of the safe harbor, a Web site operator must submit a self-certification letter to the Department of Commerce. If a Web site persistently fails to comply with the safe-harbor requirements, the Department of Commerce may take steps to publicize that failure, possibly exposing the site to prosecution by European data-protection authorities--as well as to administrative orders or civil penalties imposed by the U.S. Federal Trade Commission. Perhaps more significant to a nonprofit membership organization is the damaging effect of a public investigation or proceeding and the accompanying public relations disaster.

Develop a privacy policy

The key to a preemptive approach to online privacy liability is a clear, public disclosure of the Web site's information-gathering and sharing practices. A privacy statement should be made available to end users by means of a link appearing at the foot of each page on the Web site and should be conspicuously referenced wherever personal information is being collected on the site.

The privacy statement should address the following questions: 1) What personally identifiable information is being collected? 2) How is the information being used? 3) With whom might the information be shared? 4) Who is collecting the information?

Users should be able to review, delete, or modify the information that is collected about them. You should also provide users with a contact within the organization to handle such requests.

To be effective, a privacy policy must be supported by security measures that protect against unauthorized disclosures of private information. Proper security measures include a technical solution that keeps rogue users out of the portions of databases containing private information. In addition, articulating clear guidelines for employees that are authorized to access private information will help protect an organization from violations of the privacy policy.

Monitor regulatory developments

Enterprises maintaining Web sites would be wise to keep an eye on developments in Asia, Europe, and the rest of the world during the next few years. The Asian and Pacific Rim nations have been conspicuously absent from the public discourse on online privacy issues. Although certain privacy issues are addressed under both Australian and Hong Kong law, no comprehensive privacy regimes specifically aimed at online activities have yet developed in Asia or the Pacific Rim. As Internet use proliferates in these areas, a reconciliation of cultural approaches to personal privacy, similar to the safe harbor between the United States and Europe, should be expected. Additionally, in late November the EU approved rules updating its Brussels Convention, designed to guarantee consumers the right to contest, in the courts of the member state in which they reside, a legal dispute arising with a retailer over goods purchased. Though focused on EU countries, the ever-dynamic nature of laws and treaties such as this one could have an enormous impact on Web sites operated from the United States.

Knowledge is power

A successful online strategy--even for noncommercial Web sites--embraces the concept of establishing trust and confidence among users. The awareness and implementation of credible, enforceable, and easily understood privacy and information-security policies is key. The ability of the nonprofit membership organization to communicate to its constituents these very same strategies and policies will help provide a strong sense of consumer empowerment and ensure that governments stay out of the micromanagement of the Internet.

Marc A. Pearl is a partner in Shaw Pittman's Washington, D.C., office and heads the firm's technology policy practice. Sol Irvine is an attorney in Shaw Pittman's New York City office and concentrates on technology transactions and issues. Jerald A. Jacobs is a partner in Shaw Pittman's Washington, D.C., office and is general counsel to ASAE.
COPYRIGHT 2001 American Society of Association Executives

Publication: Association Management
Date: Mar 1, 2001

