Privacy: Government Regulation
- 1 Consumer Protection Issues
- 2 Regulation of Information from Kids – Children’s Online Privacy Protection Act
- 3 Regulation of Financial Information — Gramm-Leach-Bliley Act
- 4 Regulation of Patient Medical Records — Health Insurance Portability and Accountability Act
- 5 Regulation of Customer Proprietary Network Information
Consumer Protection Issues
In recent years, the Federal Trade Commission has actively asserted its authority to challenge Internet privacy policies and practices that may be “unfair and deceptive” and thus violate Section 5(a) of the FTC Act.
Fair Information Practices Act
In 1998, the FTC announced four elements necessary to protecting consumer privacy:
- Notice to consumers about what personal information is collected and how it is used;
- Choice for consumers about whether and how their personal information is used;
- Security of personal information; and
- Access for consumers to their own personal information to ensure accuracy.
In addition, the FTC declared that consumers should have an effective mechanism to enforce these fair information principles. In a number of cases, the FTC has brought enforcement actions against Web site operators based on suspect data collection practices.
FTC Privacy Agenda
Under the Bush Administration, FTC Chairman Timothy Muris has de-emphasized new privacy legislation but has promised that the FTC will step up its enforcement of existing rules and regulations as part of the agency’s “Privacy Agenda.” The Commission’s Privacy Task Force is directed to scrutinize products and services that tout privacy features, promises made in privacy policies or under the European Union Safe Harbor program, and the use of sensitive financial and medical data or personally identifiable information regarding children. Muris has also held out the possibility that federal regulators will seed lists with names to monitor promises made to consumers.
FTC and Wireless Privacy
The FTC is also actively monitoring emerging issues in wireless privacy. It released a summary and update of the proceedings of its December 2000 workshop titled “The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues.” The report noted that while self-regulatory groups have already established guidelines that address some of the wireless privacy issues, FTC staff concluded that more guidance might be helpful to companies seeking to implement them. The report stated that the FTC will continue to monitor the development of new wireless services, along with the privacy, security, advertising, and other consumer protection issues they raise. See http://www.ftc.gov/bcp/reports/wirelesssummary.pdf.
Selected FTC Actions Under Section 5 of the Federal Trade Commission Act
- In the Matter of Microsoft Corp., File No. 012 3240 (Fed. Trade Comm’n Aug. 8, 2002). Microsoft represented to consumers that it would maintain and protect the privacy and confidentiality of personal information transmitted to Microsoft when signing up for its .NET Passport and Passport Wallet Services. Moreover, Microsoft represented that it would not maintain personal information of Passport users beyond what was disclosed on its Web site and would provide parents with control over the information collected in connection with its Passport Kids service. The FTC determined that Microsoft was not maintaining the level of security, privacy and control represented on its Web site. The FTC subsequently approved a proposed consent decree requiring Microsoft to, among other things, increase privacy, security and control and certify as to such every two years for the next 20 years via independent auditors.
- FTC v. Robert Stout, Civ. Action No. 99-5705 (D.N.J. 2001), File No. X000 122 (Fed. Trade Comm’n Aug. 24, 2001). The FTC settled a suit brought against a group of spammers who gathered consumers’ personal information, including credit card numbers, by sending emails falsely stating that the Children’s Online Privacy Protection Act required consumers to register their information or lose access to Internet newsgroups. Under the terms of the settlement, defendants must not misrepresent any material facts, including that consumers are required to register or provide personally identifiable information in order to access newsgroups or the Internet, or that defendants represent state or federal government officials. The terms also include a host of compliance and monitoring requirements.
- In the Matter of GeoCities, File No. 9823015 (Fed. Trade Comm’n Aug. 13, 1998). In one of its first privacy actions, the FTC charged Web site host GeoCities with misrepresenting its online personal information collection practices. GeoCities consented to an order under which it would post on its site a Privacy Notice, telling consumers what information was being collected and for what purpose, to whom it would be disclosed, and how consumers could access and remove the information. GeoCities also agreed to obtain parental consent before collecting information from children 12 and under and to provide a link from its site to consumer privacy information on the FTC’s site. The consent order was approved on Feb. 5, 1999. See http://www.ftc.gov/os/1998/9808/geo-ord.htm.
- In the Matter of Guess?, Inc., File No. 022 3260 (Fed. Trade Comm’n July 30, 2003). Through its Privacy and Security policies, Guess represented that it would use personal information provided by users to “create a more personalized and entertaining experience.” Guess also represented that security measures were in place to protect all personal information from unauthorized access. The FTC determined that the Guess Web site, including users’ confidential information, was vulnerable to foreseeable attacks from third parties attempting to obtain access to customer information. The FTC further found that Guess was responsible for this vulnerability because it failed to “implement reasonable and appropriate measures to secure and protect the databases that support or connect to the website.” The FTC ordered Guess to implement a comprehensive information security program, including designating employees responsible for information security, identifying internal and external security risks, and monitoring and adjusting this program to maintain its effectiveness. Guess was also ordered to certify its compliance with this order via independent auditors every two years for the next 20 years.
Regulation of Information from Kids – Children’s Online Privacy Protection Act
Congress enacted the Children’s Online Privacy Protection Act of 1998 (“COPPA”) to govern online collection and use of information from children under the age of 13. 15 U.S.C. §§ 6501 et. seq. (2002). On October 20, 1999, the FTC issued rules for the implementation of COPPA. In general, these rules require commercial Web sites that are “directed” to children, or that have actual knowledge that children under the age of 13 are using those sites, to obtain “verifiable parental consent” before collecting personal information from children online. These rules took effect on April 21, 2000.
The rules define the “operator” of a Web site broadly as any commercial Web site or online service that collects or maintains personal information from or about its visitors, including persons or entities “offering products or services for sale through that website or online service.” Note that “collecting” information includes any activity that enables children to make personal information publicly available, including message boards or chat rooms.
Directed to Children
In determining whether a Web site is “directed to children,” the FTC will consider the following factors:
- Subject matter;
- Visual or audio content;
- Age of models;
- Language used on the site;
- Advertising and promotions featured on the site;
- Use of animated characters or child-oriented activities and incentives; and
- Evidence of the site’s intended audience and actual audience composition.
Notice and Consent
“Verifiable parental consent” means any reasonable effort, taking into account the available technology, to ensure that – prior to the Web site collecting any information from a child – a parent has notice of the site’s data collection practices and consents to any collection, use or disclosure of his or her child’s personal information. The FTC has specifically approved obtaining consent by phone or facsimile. Email alone is generally not considered sufficiently “verifiable.”
Recognizing that electronic consent and authentication technology has not yet been widely adopted, the FTC provisionally approved a sliding scale approach for obtaining parental consent. See 16 C.F.R. 312. Originally set to expire on April 21, 2002, the FTC extended this mechanism until April 21, 2005. During this period, Web site operators may use an email from a parent, coupled with various additional steps, to obtain parental consent to collect children’s information for internal use only. Web site operators must go beyond using email to obtain parental consent if they plan to share children’s information with third parties.
Effect of Failure to Comply
The rules authorize the FTC to bring enforcement actions and impose civil penalties (including monetary penalties) for violation of COPPA and the implementing rules.
FTC COPPA Compliance Monitoring
In addition to the enforcement actions below, the FTC’s monitoring of COPPA compliance continues. In April 2002, the FTC published a survey of Web site COPPA compliance based on a survey conducted in April of the previous year of 144 Web sites targeting children. The results were mixed. While 90 percent of Web sites posted privacy policies, most of the Web sites surveyed were not in full COPPA compliance. For example, only 52 percent of Web site operators disclosed that they were prohibited from conditioning a child’s participation in an activity on unnecessary disclosure of information. Less than 42 percent disclosed parents’ right to refuse further collection of information by the operator. The survey did not investigate the actual data practices of the canvassed sites. See .
COPPA Safe Harbor Program
COPPA includes a provision enabling organizations to submit self-regulatory guidelines to the FTC. If the FTC approves the guidelines, compliance will provide a safe harbor from COPPA enforcement. The FTC has approved applications from the Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc., ESRB Privacy Online, and TRUSTe. See http://www.ftc.gov/privacy/safeharbor/shp.htm.
Selected COPPA Enforcement Actions
(1) U.S. v. Mrs. Fields Famous Brands, Inc., Civ. Action No. 2:03cv205 (D. Ut. 2003). The FTC brought suit against defendant Mrs. Fields for the collection of personal information from over 84,000 children under the age of twelve as part of defendant’s online “birthday clubs.” In collecting this personal information, including first and last names, street addresses, email addresses and dates of birth, Mrs. Fields did not notify or obtain verifiable consent from any parent or guardian prior to collection. Mrs. Fields also failed to provide a means for parents to review or delete the information collected from their children. The FTC and Mrs. Fields entered into a settlement consent decree whereby Mrs. Fields must, among other things, pay $100,000 in civil penalties and comply with rules enacted by the FTC under COPPA.
(2) U.S. v. Hershey Foods Corp., Civ. Action No. 4:03cv350 (M.D. Penn. 2003). In the first instance of the FTC challenging a company’s method of obtaining parental consent, the FTC alleged that while Hershey did attempt to obtain parental consent, Hershey failed to implement a procedure reasonably calculated to ensure that a parent or guardian, as opposed to other persons, filled out consent forms prior to collecting personal information from children. Moreover, the FTC alleged that Hershey proceeded to collect such personal information even where parental consent forms were not submitted. The FTC and defendant Hershey entered into a settlement consent decree whereby Hershey must, among other things, pay $85,000 in civil penalties and comply with rules enacted by the FTC under COPPA.
(3) U.S. v. American Pop Corn Co., Civ. Action No. C024008DEO (N.D. Iowa 2002). The FTC brought suit against American Pop Corn Co. for obtaining information from children on its Web site (i) without providing sufficient notice on what information it collects, (ii) without informing parents as to what information it collects from their children, (iii) without obtaining verifiable consent from parents before collecting children’s information, (iv) without providing reasonable means for parents to review the personal information collected, and (v) with a condition that required children participating in activities offered on their Web site to disclose information more personal than was necessary to participate. American Pop Corn settled for, among other things, a $10,000 fine, deletion of all children’s personal information collected from April 21, 2002, to the date of the decree, and a requirement that the company post a link to the FTC’s COPPA Web site.
(4) United States v. The Ohio Art Co., Civ. Action No. 027203 (N.D. Ohio 2002); File No. 022-3028 (Fed. Trade Comm’n 2001). In its sixth COPPA law enforcement action, the FTC brought suit against The Ohio Art Company, makers of Etch-A-Sketch, for obtaining children’s information without parental consent. The FTC alleged that the company failed to provide notice or obtain consent from parents. The FTC also charged the company with collecting more information than was necessary for children’s participation when it collected the dates of birth of more than 2,500 children so it could randomly select ten Etch-A-Sketch toy birthday present winners. The Ohio Art Company agreed to pay $35,000 as part of the settlement with the FTC.
(7) FTC v. Toysmart.com, Civ. Action No. 00-11341-RGS (D. Mass 2000). In its first COPPA complaint, the FTC alleged that Toysmart’s collection of personal information from children violated the Act. The case settled in July 2000 when Toysmart consented to an order requiring Toysmart to destroy or delete all information collected in violation of COPPA. See subsection (1)(d)(6), above.
Regulation of Financial Information — Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq. (“GLB”), governs financial information. See also 16 C.F.R. §§ 313.1 et seq. Among its requirements are the following:
(1) Financial institutions – broadly defined to include some non-banking institutions – must insure the confidentiality and security of customer records and information.
(2) Such institutions must disclose to customers their policies and practices for disclosing nonpublic personal information to affiliates and non-affiliates. The disclosure must occur at the time the relationship is established and thereafter on a yearly basis.
(3) Such institutions must notify their customers before disclosing nonpublic personal information to a non-affiliated third party and give the customers an opportunity to opt out.
(4) Financial institutions must also provide appropriate safeguards to protect customers’ personal information. See 16 C.F.R. §§ 314.1 et seq. (“FTC Safeguard Rule”).
- Trans Union LLC v. Federal Trade Comm’n, Civ. Action No. 00-2834 (D.D.C. 2001), aff’d, Trans Union LLC v. Federal Trade Comm’n, No. 01-5202 (D.C. Cir. 2002). Several credit reporting agencies filed suit against the FTC claiming that the GLB privacy regulations violated the credit reporting agencies’ First Amendment rights. The Court held that the FTC’s rules, which prevent the credit reporting agencies from selling personal information (including names, addresses and Social Security numbers) to third parties without a consumer’s permission, are a “permissible construction” of the GLB. The appellate court further affirmed the trial court’s ruling that a credit reporting agency constitutes a “financial institution” for the purposes of the GLB privacy regulations.
- FTC v. Information Search, Inc., Civ. Action No. AMD 01-1121 (D. Md. 2001); FTC v. Guzzetta, Civ. Action No. 01-2335 (E.D.N.Y. 2002); and FTC v. Garrett, Civ. Action No. H-01-1255 (S.D. Tex. 2001). The FTC brought suit against and successfully secured settlements from three information brokers who allegedly used deceptive practices – called “pretexting” – to obtain consumers’ confidential financial information. Filed in three different U.S. district courts, the suits alleged that the brokers used false pretenses, fraudulent statements, and impersonation to illegally gain access to information such as bank balances. The information was allegedly offered for sale for fees up to $600. The complaints charged the defendants with violations of the GLB and violations constituting unfair and deceptive trade practices and unjust enrichment. Under the settlement agreements, two defendants agreed to pay $2,000 each while the third agreed to a suspended fine of $15,000.
Regulation of Patient Medical Records — Health Insurance Portability and Accountability Act
On December 20, 2000, then-President Clinton and HHS Secretary Shalala released the first-ever set of national standards to protect the privacy of personal health records. The privacy regulation was modified by the Bush Administration and HHS in August 2002. The final rule is found at 45 C.F.R. Parts 160, 162, and 164. Full compliance by April 14, 2003, was required of all covered entities except small health plans, which have until 2004 to comply. The standards, which implement requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), apply to all individually identifiable health information that is created by health care providers, health plans and health care clearinghouses, whether on paper, in electronic form or orally communicated. Use of health data which does not identify an individual remains unrestricted. The HIPAA privacy rule includes six principles:
(1) Consumer Control. Consumers have the right to see a copy of their medical records, the right to request a correction to those records and the right to notice of a covered entity’s privacy policies.
(2) Accountability. The rule establishes civil monetary penalties of $100 per violation, up to $25,000 per year, for violations of a patient’s right to privacy. It also creates criminal penalties of up to $250,000 in fines and imprisonment for up to ten years for improper disclosure of protected health information, obtaining protected health information under false pretenses and obtaining protected health information with the intent to sell, transfer or use it for commercial or personal gain or malicious harm. The regulations do not provide for a private right of action.
(3) Boundaries. With few exceptions, the consumer’s health care information should be used for health purposes only, including treatment and payment. Covered entities may, but are not required to, obtain written consent from consumers before disclosing health care information for medical purposes. Health plans and health care providers are required to provide patients with written notice of their privacy policies at the time of enrollment and must make a good faith effort to obtain written acknowledgment of receipt of the notice. Written authorization must be obtained for a covered entity to use or disclose personal health information for non-health-care related purposes such as marketing.
(4) Exceptions. Several exceptions to the rule permit disclosure of health care information for particular national priority activities, including law enforcement, public health, and avoiding serious threats to an individual’s health or safety. In addition, incidental disclosures are not considered violations of the regulation, as long as the entity is otherwise in compliance with the regulation’s standards.
(5) Business Associates. Covered entities entering into contracts with “business associates” must ensure that those associates also protect personal health information. All covered entities other than small health plans have until April 14, 2004, to bring existing contracts into compliance.
(6) Preemption. The rule only preempts state laws that are in conflict with the federal standards or provide less strict privacy protections. It does not preempt state laws that are more protective of patient privacy.
(1) In re Drkoop.com Inc., No. LA01-47426-TD (Bankr. S.D. Cal. 2002). Drkoop.com collected private medical information on 1,000,000 of its online customers. Pursuant to its then current bankruptcy proceedings, Drkoop.com agreed to keep such records confidential even from potential buyers of the company unless its customers consented to release. Eventually, Drkoop.com agreed to destroy all personal, medical and financial information except for the email addresses of its customers. Prior to transferring such emails to its eventual buyer, Vitacost.com, Drkoop.com agreed to allow customers to opt out, notice of which was provided via email.
(2) Association of American Physicians and Surgeons, Inc. v. U.S. Department of Health and Human Services, No. H-01-2963 (S.D. Tex. 2002). Based on lack of ripeness, the court declined to rule on a challenge to a rule implemented under HIPAA by the Department of Health and Human Services (“HHS”). Plaintiff AAPS contended that the HHS medical privacy regulations provided unlimited access to patient medical records and thereby violated their privacy rights, exceeded HHS’ authority under HIPAA, and violated the First, Fourth, and Tenth Amendments of the U.S. Constitution. The court stated that AAPS failed to show that the HHS rule was inconsistent with the clear statutory language of HIPAA.
(3) S.C. Med. Ass’n v. Thompson, 327 F.3d 346 (4th Cir. 2003). The South Carolina Medical Association, an organization representing health care providers, filed suit seeking to have several provisions of HIPAA declared unconstitutional. The court rejected those claims, holding that HIPAA appropriately guided agency action rather than impermissibly delegating state legislative power. In addition, the court found that regulations promulgated pursuant to HIPAA were not beyond the scope of authority granted by the Act, and were not impermissibly vague.
Regulation of Customer Proprietary Network Information
Under federal law, telecommunications carriers have a duty to protect the confidentiality of Customer Proprietary Network Information, or CPNI. See 47 U.S.C. § 222, and the FCC implementing rules at 47 C.F.R. §§ 64.2001-2009. The implementing rules contain a variety of provisions mandating record-keeping for marketing campaigns, employee CPNI training, and high level oversight and certification to the FCC of CPNI compliance.
The term “customer proprietary network information” means—
(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier;
except that such term does not include subscriber list information.
The main thrust of the CPNI rules is a requirement that carriers provide notice to consumers regarding the use of their CPNI and that they obtain prior approval for use and disclosure of CPNI by an opt-out or opt-in method, depending upon the circumstances. The CPNI rules also allow for disclosure "as required by law." For example, the Stored Communications Act can require disclosure to the government of CPNI information.
Chapter 7 - Privacy And Data Collection
Data Terminology · Statutory Protections · The Wiretap Act (Title III) · The Stored Communications Act · Government Agency Regulation · Searching and Seizing Computers · Key Privacy Cases · Industry Self-Regulation · International Issues