- Internet Rules of the Road II: Web Site Privacy Policies
- September 26, 2008 | Author: Anne Davies Newman
- Law Firm: Pepper Hamilton LLP - Harrisburg Office
PRIVACY POLICIES: THE LEGAL LANDSCAPE
A. California Law
Most Web sites cannot isolate their visitors from California, so they must comply with California law for all their visitors. For this reason, California’s requirements have become the standard in the U.S. for Web site privacy policies. What follows is a thumbnail sketch of those requirements. (See also the article “California Privacy and Security Legislation Affects Entire Nation”).
Cal. Bus. & Prof. Code §22577
In addition, if a Web site owner contracts for services (such as Web hosting, credit card processing, etc.) with an unaffiliated third party who will see a user’s name in combination with his or her (i) Social Security number, (ii) driver’s license or California identification card number or (iii) an account number, credit or debit card number together with a security code, access code or password that would permit access to the user’s financial information, then the Web site operator needs to require by contract that the third party implement and maintain the security procedures and practices described above.
This requirement does not apply to certain health care providers, financial institutions, entities that are “covered entities” under HIPAA, entities that obtain information under California’s Vehicle Code, and entities regulated by laws providing greater protection to personal information than that provided by California’s law.
Cal. Bus. & Prof. Code §1798.81.5
Information Disclosed to Direct Marketers
Likewise, since 2005, California has required that if a business with twenty or more employees discloses personal information regarding customers who are residents of California to a third party for the third party’s direct marketing purposes, the business must either:
(ii) annually, upon request, identify the categories of personal information disclosed during the previous year and the names and addresses of any third parties to whom the information was disclosed, together with information sufficient to identify the nature of the third parties’ businesses.
Unlike the California statutes identified above, this one defines “personal information” quite broadly, to include race, religion, political party affiliation, occupation, education, medical condition, height, weight, number and names of children, certain financial information, etc. “Third Parties” is also broadly defined, to include affiliates of the business that are separate legal entities, for example. There is also a lengthy list of exceptions to the statute.
Cal. Bus. & Prof. Code §1798.83
B. The Federal Trade Commission
C. Children’s Online Privacy Protection Act
Effective in 2000, the Children’s Online Privacy Protection Act (COPPA) and its implementing regulation impose specific requirements on operators of commercial Web sites that target and collect information from children (defined as those under 13 years of age). Operators of such Web sites are required to (i) disclose what information is collected from children, how that information is used and what its disclosure practices are, (ii) obtain verifiable parental consent prior to any collection, use or disclosure of personal information from children, (iii) upon the request of a parent, disclose the type of information collected from his child, provide a means for the parent to review any information collected, and give the parent the option of directing that information collected not be further used or stored, and that further information not be collected, (iv) not require disclosure by a child of more personal information than is necessary for the child to participate in a Web site activity and (v) establish and maintain reasonable procedures to protect the confidentiality, integrity and security of personal information collected.
Alternatively, a Web site operator will be deemed to be in compliance with COPPA if it conforms to the requirements of FTC-approved organizations like TRUSTe, the Children’s Advertising Review Unit (CARU) or the Council of Better Business Bureaus, Inc., to name a few.
Privacy policies for Web sites not targeted at children should make clear that such Web sites are intended for adults and do not knowingly collect personal information from those under 13.
15 U.S.C.A. §§ 6501 – 6506; 16 C.F.R. §§ 312.1 – 312.12
D. Communications: CAN-SPAM
(i) The Act and its implementing regulations distinguish between “commercial” e-mail and “transactional or relationship messages” – that is, messages regarding membership, subscription or the purchase of goods or services. If a message contains both kinds of content and could be understood by the recipient to be “commercial,” it will be treated as commercial.
(ii) If a Web site operator uses the e-mail addresses of its members to send a mass e-mail that is or could be interpreted by recipients as commercial, it must (a) identify the message as commercial, (b) provide a “clear and conspicuous” notice to recipients of their right to “opt out” of future e-mailings and (c) provide a physical address at which the sender can be contacted.
15 U.S.C.A. §§ 7701 – 7713; 16 C.F.R. §§ 316.1 – 316.5
For more information on the CAN-SPAM Act, please see Pepper’s Privacy and Security Law Update entitled “What’s a ‘Commercial’ E-Mail Under CAN-SPAM?” and our Privacy and Security Client Alert entitled “FTC Issues New CAN-SPAM Act Rules.”
E. Information Gathered from Outside the United States
This article does not discuss in detail the EU Data Directive and the laws of other countries, but Web site operators who gather personally identifiable information from jurisdictions outside the U.S. should be aware that requirements of other jurisdictions need to be considered.
F. Are Users Bound by Privacy Policies?