Place a conspicuous link to the policy on your home page
(not buried in a tiny font amid other links at the
bottom of the page) and on each page where information
is first collected. Yet, do not post a policy merely to
ensure that the site has one. Having a policy that does
not reflect your site's actual practices can be worse
than having no policy at all (see No. 10 below).
2. Have you appropriately limited the scope of your
policy? In racing to post a privacy policy, some
companies fail to clearly limit its scope, thereby
unleashing a Pandora's box of problems. For example, if
the policy is not limited to Web site information
practices, many (including the FTC, as a December 2001
announcement made clear) will assume that the policy
governs all corporate information practices, whether
online or offline, customer or employee, imposing
compliance obligations that the company is ill-equipped
to handle.
Likewise, not limiting the scope of the Web site and
corresponding privacy policy to U.S. residents might lead
to unwanted assertion of jurisdiction by a foreign
data-protection official whose local laws are more
restrictive. Some sites also err when defining the age of
the target audience, thereby creating potential minefields
related to the Children's Online Privacy Protection Act
(COPPA) (see No. 7 below).
Beyond this, however, it is important to distinguish
when the policy applies (to www.company.com) and when it
does not (to other sites to which you link, even if the
sites belong to affiliates) because you do not want to
be held accountable for another site's practices. To
limit confusion, include a linking disclaimer in the
privacy policy and, as appropriate, at the point of
linking. Avoid "framing" (putting your border
around a third-party site) when linking; the visitor may
not realize he is leaving your site, and framing could
raise other problems.
3. Are you using third parties to run banner ads or
collect information, or are you sharing information with
third parties? You may be judged by the company you
keep. Consider what third parties your site might be
doing business with (including outsourcing, partnering
and co-branding relationships), what concerns such
relationships may raise and what you have done to
minimize the potential risks, address ownership and
control issues, disclose such information-sharing and
meet your obligations. In doing so, don't forget that
third parties can include affiliates, which are separate
legal entities.
Although it may feel like one big, happy family when you
share information among affiliates, you could create the
wrong impression when you say in your policy or at an
information collection point that no third parties
receive personal data. Failing to disclose that the
company shares data with third parties could be risky
business, leading to class-action lawsuits and multi-
million dollar settlements (like the $60 million-plus
settlement announced in May, 2004, involving a major
retailer and alleged violations of California
law).
4. Does your site use cookies, Internet tags/Web
beacons, or other tracking capabilities, and do you
disclose this? Undisclosed passive tracking is the
stuff that media headlines are made of. Cookies and
other passive tracking practices are receiving
increasing scrutiny domestically and globally
(particularly in the EU) from both the press and
lawmakers. Some non-U.S. jurisdictions even have
criminal statutes that prohibit "unauthorized
access" to computers that could be triggered by the
improper use or disclosure of cookies.
Where cookies collect personally identifiable
information from California residents, notice
obligations could apply (see No. 1 above). Even where
passively tracked information is not linked to
personally identifiable information, it can raise
privacy and notice concerns, given that no Web site user
likes surprises. Companies should beware of the brewing
controversy over "spyware," the subject of an
FTC workshop and federal and state legislation,
including Utah's HB 323, Spyware Control Act, enacted in
March 2004.
Third parties (government, media, consumer organizations
and site visitors) can use various means to reveal
whether a site's representations about passive tracking
match up with actual practice. Revise your policy to
thoroughly address cookies, Internet tags and other
passive tracking and don't overlook the Web bugs you
might be placing in e-mail messages that send
information back to your site. Talk with your IT staff
to get an accurate picture of what the site is doing, a
step that many companies overlook at their peril.
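The "accurate picture of what the site is doing" is something you can check mechanically rather than by asking. The following is an added example (not code from the original article or from the author's firm) of a small audit script: it parses a page for third-party scripts, iframes and 1x1 beacon images, reads the Domain attribute of Set-Cookie headers, and reports every third-party host that the privacy policy's disclosed-host list does not cover. The sample HTML, the Set-Cookie headers, the site name www.company.com and the disclosed-host list are all constructed for illustration.

```python
"""Audit a page for passive-tracking elements and compare the hosts involved
against those the privacy policy discloses.  Added example: the sample page,
Set-Cookie headers and disclosed-host list below are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "www.company.com"          # hypothetical site under review

# Hosts the (hypothetical) privacy policy says may set cookies or receive data.
DISCLOSED_HOSTS = {"ads.example-adnetwork.net"}

# Constructed sample page: one disclosed ad script, one undisclosed 1x1 beacon,
# one undisclosed iframe from an affiliate (a separate legal entity), and an
# ordinary first-party logo that must not be flagged.
SAMPLE_HTML = """
<html><body>
<script src="https://ads.example-adnetwork.net/tag.js"></script>
<img src="https://metrics.example-analytics.com/pixel.gif?u=123" width="1" height="1">
<iframe src="https://promo.affiliate-example.com/offer"></iframe>
<img src="/images/logo.png" width="200" height="50">
</body></html>
"""

# Constructed Set-Cookie headers as they would appear in the HTTP response.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "trk=xyz; Domain=.example-analytics.com; Path=/",
]


class TrackerParser(HTMLParser):
    """Collect script, iframe and beacon-like image sources from a page."""

    def __init__(self):
        super().__init__()
        self.findings = []            # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        if tag == "script":
            self.findings.append(("script", src))
        elif tag == "iframe":
            self.findings.append(("iframe", src))
        elif tag == "img":
            # A 1x1 (or 0x0) image is the classic Web bug / beacon.
            w, h = a.get("width", ""), a.get("height", "")
            if w in ("0", "1") and h in ("0", "1"):
                self.findings.append(("beacon", src))


def host_of(url):
    """Host of an absolute URL; a relative URL is served first-party."""
    return urlparse(url).hostname or FIRST_PARTY


def _covered(host, disclosed):
    """True if host is, or is a subdomain of, a disclosed host."""
    return any(host == d or host.endswith("." + d) for d in disclosed)


def audit(html, set_cookie_headers, disclosed=DISCLOSED_HOSTS):
    """Return sorted (kind, host) pairs that are third party and not disclosed."""
    parser = TrackerParser()
    parser.feed(html)
    undisclosed = set()
    for kind, url in parser.findings:
        host = host_of(url)
        if host != FIRST_PARTY and not _covered(host, disclosed):
            undisclosed.add((kind, host))
    # A cookie scoped to a foreign domain is third-party tracking as well.
    for header in set_cookie_headers:
        for attr in header.split(";")[1:]:
            name, _, value = attr.strip().partition("=")
            if name.lower() == "domain":
                domain = value.lstrip(".")
                if domain != FIRST_PARTY and not _covered(domain, disclosed):
                    undisclosed.add(("cookie", domain))
    return sorted(undisclosed)


if __name__ == "__main__":
    for kind, host in audit(SAMPLE_HTML, SAMPLE_SET_COOKIE):
        print(f"undisclosed {kind}: {host}")
```

Run against the constructed page, the script flags the analytics beacon, the analytics-domain cookie and the affiliate iframe, and stays quiet about the disclosed ad network and the first-party logo. Pointing it at a real site means fetching the HTML and response headers yourself and maintaining the disclosed-host list from the actual policy; the script does no fetching.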
5. What security promises do you make and
keep? Government enforcers are on the lookout for
prominent companies that fail to protect personal data
gathered online or do not otherwise live up to security
promises in posted privacy policies. The FTC
announcement in August 2002 that it would not wait to
act, even absent security breaches, sent a clear message
to all companies that they must take steps to keep data
security promises and address their weakest links
internally. Actions by state attorneys general, private
litigants and watchdog groups are also sending a clear
message that programming errors, hacking and other
threats to data protection are foreseeable risks.
In April, 2004, the FTC announced another security-
related settlement in which it claimed that the company
had failed to adopt and implement policies and
procedures to test site security and provide appropriate
employee training and oversight. While the site had
promised "state-of-the-art technology," the
FTC alleged that an easy-to-prevent security flaw
exposed names, billing and shipping addresses, e-mail
addresses, phone numbers and past purchases. See the
"Enforcing Privacy Promises: Enforcement"
section at
http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.
Various U.S. privacy laws and regulations include
security standards or other provisions for protecting
sensitive information, including health care, financial
as well as children's information (see No. 7 below).
State laws increasingly address such issues as well,
especially when it comes to imposing obligations
regarding health care and financial information that
exceed federal requirements.
Senate Bill 1386, effective on July 1, 2003, amended the
California Civil Code to require notice of security
breaches involving unencrypted personal information, a
seismic shift in privacy compliance obligations. Another
California law (California Civil
Code 1798.85, effective July 1, 2002) restricts the use
and Internet transmission of Social Security Numbers,
which can affect career portions of Web sites. Arizona
soon enacted a similar law (HB 2429, adding article 16
to Title 44, chapter 9, Arizona Revised
Statutes).
Security laws and corresponding penalties for
noncompliance can be more demanding outside the United
States. The EU Data Protection Directive, which has
influenced new privacy laws in jurisdictions throughout
the world (such as Argentina, Australia, Canada, Chile
and Japan), requires technical and organizational
measures to protect personal information. Italy and
Spain are uncharacteristically specific in their
requirements.
Violations in many EU member states can result in heavy
fines and even prison terms. To date, Spain has imposed
the highest data protection fines: A TV production
company was fined 1,082,000 Euros for an Internet leak
of personal data and psychological profiles of 1,700
contestant applicants, while a telecommunications
company was fined 120,000 Euros for an Internet leak of
3,000 customer names and passwords because of an
incorrectly configured server.
6. Do you take an opt-in, opt-out or give-up approach
to additional communications? Zealous e-promotion of
products and services can put some companies on the
bleeding edge. Unsolicited communications for marketing
and other purposes are increasingly subject to legal
requirements in the United States and globally and are
the topic of many a media exposé.
Included in this concern is unsolicited commercial e-
mail or "spam."
The United States' new CAN-SPAM Act (see
http://www.bmck.com/ecommerce/can-spam-act.pdf)
specifies civil penalties of $250 per e-mail for
violations, up to $2 million, and treble damages for
willful or knowing violations. Criminal penalties are
possible in limited circumstances. Effective Jan. 1,
2004, the act made the American "opt-out"
approach to e-mail marketing official by pre-empting
state law that specifically regulates the use of e-mail
to send commercial messages.
Not surprisingly, the act differs markedly from the
opt-in regime of the EU, whose Directive 2002/58/EC
defines a minimum standard for its member states, each
of which implements its own (and sometimes more
restrictive) national law regarding e-mail marketing.
Yet the act in many respects establishes a national
standard and provides more detailed requirements than
the intentionally broad directive.
Federal and state laws governing unsolicited faxed ads
can be even stricter than those governing spam and can
trigger greater penalties. Unsolicited-fax lawsuits are
becoming increasingly common, and companies are paying
multi-million dollar settlements or judgments. Federal
law provides for a penalty of $500 per unsolicited fax;
willful or knowing violations could result in treble
damages. In egregious cases, corporate officers could be
held personally liable.
Under the Telephone Consumer Protection Act and its
related Federal Communications Commission regulations,
providing opt-out is not enough and having a fax number
on a registration form does not constitute explicit
consent. The practice of relying on an existing business
relationship to send unsolicited faxed ads is now in
flux while the FCC, numerous business and trade
organizations and Congress re-examine the issue.
In October, 2003, following a number of challenges, the
FTC launched its National Do-Not-Call Registry (see
http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html), but more than half
of the states have their own "do not call"
laws, which may continue to be enforced. Telemarketers
who persist in calling those on the Registry (more than
60 million and growing) risk being fined up to $11,000
per violation. A number of cases have already
emerged.
Do not assume that your possession of, or ability to
obtain, e-mail addresses, fax numbers or phone numbers
is the same as having consent to use them. To avoid
legal and media nightmares, sites must carefully
approach this complex and rapidly changing issue and
consider when it is appropriate to take an opt-in v. opt-
out approach to additional communications.
Evaluate whether language is drafted appropriately to
cover the additional communications that the site will
send now and in the future, including who will send the
communications (company only, affiliates, other third
parties), how they will be sent (do not assume that
"send me e-mail updates" means "call me
at home during dinner" or "fax me whenever you
want") and types of communications (about just one
product, anything related to the company, anything
related to a particular topic of interest, etc.).
Consider whether the company has already adopted or
should establish spam, fax, telemarketing and broader
communications policies.
Outside the United States, obtaining express opt-in
consent to not only marketing communications, but also
to cross-border transfers and collection of sensitive
information, can be critical.
7. Have you childproofed your Web site? Children's
privacy concerns are lurking on many sites, whether or
not they are directed to children. Commercial sites that
collect personal information from U.S. residents may
need to comply with COPPA, which imposes difficult
obligations and significant consequences for
noncompliance for commercial sites directed to, or that
knowingly collect personal information from, children
under the age of 13. For example, in April, 2004, the
FTC announced the largest civil penalty to date:
$400,000 for knowingly collecting personal information
from children without first obtaining parental
consent.
Common "child-proofing" missteps
include:
Sites inappropriately ask for age-indicative
information. Sites sometimes ask for age, grade, school
or other information that unwittingly suggests that
information could be collected from children. Likewise,
some sites that want to screen out younger visitors
ask for age at information collection points in a way
that encourages falsification. This issue has received
considerable attention from third parties such as the
Children's Advertising Review Unit, which encourages
prominent companies to go beyond what COPPA requires
(see CARU news releases at
http://www.caru.org/carusubpgs/carunewspg.asp). Sites
that ask for age-identifying information also err by not
blocking information collection from visitors
identifying themselves as under 13.
Sites unwittingly have content that could be deemed to
be directed to children. Consider the subject matter of
the site; visual and audio content; age of models on the
site; language; whether advertising on the site is
directed to children; information about the age of the
actual or intended audience; and whether the site uses
animated characters or other child-oriented features.
What message is the site sending?
Sites make thoughtless references to children, such as
statements indicating that the site is aimed at or would
appeal to children or that assure parents that
children's information will be treated in accordance
with the site's general privacy policy.
Sites falsely assume that inserting a
"magic" disclaimer clause in the privacy
policy will fix any COPPA problems on the site.
Sites that must comply with COPPA often make basic
mistakes, such as not posting a COPPA-compliant privacy
policy (or any privacy policy at all), making the policy
hard to find, assuming that it is OK to collect
information from children so long as the site does not
do anything with it, or failing to properly secure
parental consent before personal information is
collected.
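Two of the missteps above (asking for age in a way that invites falsification, and not blocking collection from a visitor who has already said he is under 13) are implementation questions as much as drafting ones. The following is an added example, not code from the article, of an age gate that asks for a full birth date with no hint about the threshold, computes age correctly across Feb. 29 birthdays, refuses every later form submission in a session once the visitor has identified as under 13 (so changing the answer on a second try does not work), and collects nothing else until the gate has been passed. The session identifiers, the registration form and the fixed "today" date are constructed for the example; a real site would key the block to a session cookie.

```python
"""Age gate for a registration flow.  Added example with constructed input:
session ids, the form and the fixed 'today' date are illustrative only."""
from datetime import date

MIN_AGE = 13   # the COPPA threshold discussed in the text


def age_on(birth, today):
    """Whole years from birth to today; a Feb. 29 birthday counts as
    reached on Mar. 1 in non-leap years (the month/day comparison handles it)."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


class AgeGate:
    """Tracks, per session, whether the visitor may be asked for anything
    beyond a birth date.  The prompt shown to the visitor should be a neutral
    "Date of birth" field; it must not say "you must be 13 or older"."""

    PROMPT = "Date of birth (YYYY-MM-DD):"     # neutral wording, no threshold

    def __init__(self, today=None):
        self.today = today or date.today()
        self.passed = set()      # sessions that may proceed to collection
        self.blocked = set()     # sessions that identified as under MIN_AGE

    def submit_birth_date(self, session_id, birth):
        """Gate decision for one session.  A blocked session stays blocked
        even if it later submits an older birth date."""
        if session_id in self.blocked:
            return False
        if age_on(birth, self.today) < MIN_AGE:
            self.blocked.add(session_id)
            self.passed.discard(session_id)
            return False
        self.passed.add(session_id)
        return True

    def collect(self, session_id, form):
        """Accept a registration form only from a session that passed the gate.
        Returns (accepted, stored_record_or_reason)."""
        if session_id in self.blocked:
            return False, "blocked: visitor identified as under minimum age"
        if session_id not in self.passed:
            return False, "refused: birth date not yet provided"
        # Store only the fields the policy covers; the birth date itself is
        # not retained beyond the gate decision in this example.
        record = {k: form[k] for k in ("name", "email") if k in form}
        return True, record


if __name__ == "__main__":
    gate = AgeGate(today=date(2004, 6, 1))   # fixed date so the example is stable
    print(gate.PROMPT)
    print(gate.submit_birth_date("s1", date(1992, 2, 29)))    # 12 -> False
    print(gate.submit_birth_date("s1", date(1980, 1, 1)))     # retry -> still False
    print(gate.collect("s2", {"name": "A", "email": "a@example.com"}))
```

The important property is the order of checks in `collect`: a blocked session is rejected before anything is read from the form, and a session that skipped the birth-date step is rejected as well, so the registration handler cannot be reached by bookmarking the second page of the flow.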
8. Is your site consistent in its privacy
promises? Privacy promises can be made anywhere on a
site, not just in the privacy policy. Compare
your policy to what you say in your legal notice or
terms of use, in FAQs, at information collection points
and in other areas where you might discuss information
collection, use, maintenance, security or disclosure.
Continually review promises you make elsewhere on the
site and also resolve any conflicts (such as a sweeping
idea/invention submission clause in terms of use that
could contradict privacy policy promises).
Also consider how changes to the site and its privacy
promises will be addressed. Will there be a copy-review
procedure to promote consistency and continuity? How
will consent to new privacy practices be secured, or
will data previously collected following different
privacy promises be properly segregated from newly
collected data? In July, 2004, the FTC settled its first
case under the FTC Act challenging unfair practices
where a corporation made a material change to its online
privacy policy to permit personal data sharing with
third parties, contrary to the original policy under
which much of the data was gathered.
Also consider such third-party concerns when you are
acquiring Web sites or related databases from other
companies. Privacy promises can function like liens,
potentially transforming a database from a multi-million
dollar asset into a multi-million dollar
liability.
9. Do you make overly friendly, misleading statements
on your Web site? Guaranteeing absolute security, or
saying that you will never share information with any
third party (not even with transfer of the company, or
with an affiliate, or if the government asks for it to
further anti-terrorism or law-enforcement efforts), are
user-friendly promises that can backfire if the
promises cannot be, or are not, kept. Likewise,
promising that you respect, protect or are committed to
the visitor's privacy, while retaining broad rights to
use and disclose collected information, can be a recipe
for a false or deceptive trade practice claim.
Although policies should not be so flexible that they
are vague and fail to inform the visitor about site
information practices, they also should not be so rigid
that they require perfect performance or unduly restrict
future initiatives.
10. Most important of all: Does your privacy policy
reflect actual practice? Too often, privacy policies
are hastily posted (or sometimes copied from other
sites, which raises other issues) without giving much
thought as to whether the policy reflects actual
practice. Read your privacy policy: can you stand behind
every word? If policy and practice
conflict, you run the risk of adverse publicity, a
government or third-party investigation, lawsuits and
significant legal liability.
Bro is a partner at Baker & McKenzie, in Chicago.
Her e-mail is bro@bakernet.com.