Privacy Policies: Summary of Best Practices
I. Summary of Relevant Best Practices

Most statistical research regarding consumer attitudes toward online privacy was completed before the beginning of the new millennium. The results are what you might expect: the Federal Trade Commission reported in 1999 that 92 percent of consumers are concerned about the misuse of their personal information online, and 76 percent fear privacy intrusions on the Internet. 1 Data further suggested that there would be $18 billion in lost e-commerce revenue by 2002 because of privacy concerns. 2 However, this research was conducted during a different era of online privacy. The main concern then was tracking cookies embedded deep into the code of a webpage; they acted like a sponge on the sea floor, passively but completely absorbing intimate details from oblivious users. The user information was then compiled and usually sold to the highest bidder. 3 Today, however, the issue is control over information that is voluntarily and actively shared by users. See, for instance, the recent uptick in news and commentary about the evolution of Facebook privacy controls. 4 Consumers increasingly expect fine-tuned and nuanced control over the information they
Federal Trade Commission, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO CONGRESS, July 1999 [hereinafter “1999 FTC Report”]. Available online at http://www.ftc.gov/os/1999/07/privacy99.pdf.
1999 FTC Report, supra.
Grant Gross, Privacy Groups File FTC Complaint on Behavioral Advertising, PCWorld, April 8, 2010 (“Online advertising platform providers are able to sell user data in real time, then the bidder can add its own data about the user . . .”). Available online at http://www.pcworld.com/article/193789/privacy_groups_file_ftc_complaint_on_behavioral_advertising.html.
See Jenna Wortham, Facebook Glitch Brings New Privacy Worries, THE NEW YORK TIMES, May 5, 2010. Available online at http://www.nytimes.com/2010/05/06/technology/internet/06facebook.html.
Barbara Ortutay, Study finds young do care about online privacy, THE ASSOCIATED PRESS, April 15, 2010. Available online at http://www.msnbc.msn.com/id/36561309.
See generally Federal Trade Commission, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO CONGRESS, June 1998 [hereinafter “1998 FTC report”]. Available online at http://www.ftc.gov/reports/privacy3/priv-23a.pdf.
Department of Health, Education, and Welfare, RECORDS, COMPUTERS AND THE RIGHTS OF CITIZENS, July 1973. Available online at http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
1998 FTC report, supra, at n. 1.
Federal Trade Commission, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC
comply with their privacy policies such that they refrain from using personal information in any way that is not explicitly mentioned. 11 Notice is the most essential principle expounded by the Commission: without it, the other principles are rendered ineffective because consumers lose the ability to make an informed decision about precisely how their information is used. 12 Notice requires a laundry list of disclosures to users about the data and the entities that collect it. Here are the relevant inquiries as laid out by the Commission in its 1998 report:

• Who is collecting the data?
• What data is collected?
• How is the data being collected?
• What is the collected data being used for?
• Is any third-party receiving the collected data?
• What happens if the user chooses not to provide the requested data?

In order for notices to be effective, the policy document or other relevant information must be placed in a clear and conspicuous manner in a prominent location on both the home page of the website as well as any other page where information is collected. 13 The document should be clear in identifying the purposes for which data are to be used. While the organization is free to make later changes, such freedom also implies that the changes are not arbitrary or incompatible with the original purpose. 14 If changes create inconsistent policies that are applied to the original document, it may undermine consumer confidence in the rest of the policy. 15
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980),
12 1998 FTC report, pg. 7.
13 OECD Guidelines, para. 9.
14 OECD Guidelines, Explanatory Memorandum, para. 54.
15 FTC 2000 Report, pg. 26.
16 In re Gateway Learning Corp., 138 F.T.C. 443, File No. 042-3047 (2004); FTC 2000 Report, pg. 26.
17 1998 FTC Report, pg. 8-9.
18 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [hereinafter “EU Policy”], art. 14. Available online at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML.
The Trade Commission outlines three different models for consent over data usage: opt-in, opt-out, and “nuanced control” 19. With opt-in, the user affirmatively grants permission to an organization to use their information for a secondary purpose. Opt-out is the reverse: the user must affirmatively tell the organization that they do not want their information to be shared. As of the key 1998 FTC report, the Commission did not explain which consent regime is preferred. Instead, it references a U.S. Department of Commerce report in a footnote that suggests that the selection of regime should be based on the “sensitivity” of the information, such that opt-in is required before collecting organizations can use sensitive information for a secondary purpose. 20 The Commission never defines “sensitive information” in the triad of reports on fair information use. However, it does describe it in the context of online behavioral advertising, which shares the same issue of secondary sharing. In a 2009 staff report, the Commission defines sensitive information as information about children and adolescents, medical information, financial information and account numbers, Social Security numbers, sexual orientation information, government-issued identifiers, and precise geographic location. 21 Another important concern raised in the 2000 report is the prevalence of organizations that ambiguously call their policy opt-in when it is really opt-out. For instance, it is not an opt-in regime when users are considered to have opted in as soon as they provide information requested by the collecting organization. Furthermore, pre-filled checkboxes buried at the bottom of the page that allow third-party marketing communications also do not count as opt-in. Consumers may mistakenly assume that their information will not be shared
of the 1999 FTC Report, the Commission had not yet provided a name for non-binary consent options. They only mention that there are “possibilities to move beyond the opt-in/opt-out paradigm.” This is an extrapolation of that idea.
U.S. Department of Commerce, SAFEGUARDING TELECOMMUNICATIONS-RELATED PERSONAL INFORMATION, October 1995. Available online: http://www.ntia.doc.gov/ntiahome/privwhitepaper.html#CONSENT.
Federal Trade Commission Staff Report, Self-Regulatory Principles For Online Behavioral Advertising, February 2009, pg. 42. Available online at www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
because they were told that they did not need to do anything to prevent the further use of information, when in reality, the pre-filled checkbox missed by the user signs away all privacy rights in the data. The 1998 Commission report also suggests the use of consent controls that extend beyond limited opt-in or opt-out regimes. The shortcoming with these methods is that they merely let the user assert whether they want to allow secondary uses or not; they generally do not have the ability to allow secondary uses in some cases and contexts but not in others. In many ways, the nuanced approach is something between the opt-in/opt-out methods and a case-by-case analysis. This method is used currently by a variety of social networking sites that utilize a social graph to control access throughout a database of content. 22 Currently, the Trade Commission has not yet passed judgment on these models. Europe, though, seems to be getting more conservative on privacy, and is currently advocating a full opt-in model for all user content and interactions on social media. 23

c. Access

Access refers to an individual's ability both to access data about him or herself -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. 24 User access to information should be incorporated as a routine and regular part of organizational data management. 25 That is, it should not require a complicated procedure or legal process for users to be able to see, correct, and challenge information that is stored about them. In order to minimize the burden of data access requirements to corporations, the Trade Commission recently empanelled the Advisory Committee on Online Access and Security. The Committee’s main task was to
Facebook, for instance, has a very nuanced consent system. Unfortunately, it comes close to being a case-by-case analysis, and makes for a very overwhelming sea of selections for an end-user. See, for example, http://graphics8.nytimes.com/packages/images/newsgraphics/2010/0512-facebook/gif1.jpg
23 http://www.crn.com/security/224701767;jsessionid=IFTGK15GBXBODQE1GHRSKH4ATMY32JVN
24 1998 FTC Report, pg. 9.
25 OECD, Explanatory Memo, para. 59.
agree on a definition for “reasonable access.” There was significant disagreement, and instead of reconciling differences, the Commission merely blessed all of the approaches that emerged. The two most viable options are the “access for correction” approach and the “default to consumer access” approach. The absolute minimum definition of reasonable access is the “access for correction” approach outlined in the 2001 report. Users would be granted access to information only when it is used to grant or deny significant benefits to the user. Examples are “credit reports, financial qualifications, and medical records.” A potentially better option is the “default to consumer access” approach, whereby users could access information that is also normally retrieved by the organization. This follows the “unreasonably burdensome” approach; therefore, the organization would not have to create new database tables, nor would it have to disclose information that it does not possess and retrieve itself. Data access protocols are not only required of the primary data collection organization, but also apply to any third-party agent or partner that information is shared with. 26 Therefore, users have both the right to access data stored by the original organization as well as any organization that has received the information or used it for a secondary purpose.
2000 FTC Report, pg. 31.