Development of Privacy PoliciesIn 1995 the European Union introduced the Data Protection Directive[1] for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year the Federal Trade Commission published the Fair Information Principles[2], which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance of the developing concerns of how to draft privacy policies.
[edit] Fair Information PracticeMain article: FTC Fair Information PracticeThe four critical issues identified in Fair Information Principles are:
Notice – data collectors must disclose their information practices before collecting personal information from consumers Choice – consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided Access – consumers should be able to view and contest the accuracy and completeness of data collected about them Security – data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.
In addition the Principles discuss the need for enforcement mechanisms to impose sanctions for noncompliance with fair information practices.
[edit] Current Enforcement of Privacy Policy in the United States.The United States does not have a specific federal regulation establishing universal implementation of privacy policies. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act[3] and the Online Privacy Protection Act of 2001[4], but none have been enacted. In 2001, the FTC stated an express preference for “more law enforcement, not more laws[5]”and promoted continued focus on industry self regulation.
In most cases, the FTC enforces the terms of privacy policies as promises made to consumers using the authority granted by Section 5 of the FTC Act which prohibits unfair or deceptive marketing practices[6]. The FTC’s powers are statutorily restricted in some cases; for example, airlines are subject to the FAA’s authority[7], and cell phone carriers are subject to the FCC’s authority.[8].
[edit] Applicable US LawWhile no generally applicable law exists, some federal laws govern privacy policies in specific circumstances, such as:
The Children's Online Privacy Protection Act (COPPA)[9] affects websites that knowingly collect information about or target at children under the age of 13[10]. Any such websites must post a privacy policy and adhere to enumerated information-sharing restrictions[11]. COPPA includes a Safe Harbor provision to promote Industry self regulation[12].
The Gramm-Leach-Bliley Act[13] requires institutions “significantly engaged [14]” in financial activities give “clear, conspicuous, and accurate statements” of their information-sharing practices. The Act also restricts use and sharing of financial information[15].
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules[16] requires notice in writing of the privacy practices of health care services, and this requirement also applies if the health service is electronic[17].
Some states have implemented more stringent regulations for privacy policies. The California Online Privacy Protection Act of 2003 - Business and Professions Code sections 22575-22579 requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site[18]” Both Nebraska and Pennsylvania have laws treating misleading statements in privacy policies published on Web sites as deceptive or fraudulent business practices[19].
[edit] Privacy Policies and the European UnionThere are significant differences between the EU data protection and US data privacy laws. These standards must be met not only by businesses operating in the EU, but also by any organization that transfers personal information collected concerning citizen of the EU. In 2001 The United States Department of Commerce worked to ensure legal compliance for US organizations under an opt-in Safe Harbor Program[20]. The FTC has approved eTrust to certify streamlined compliance with the US-EU Safe Harbor.
[edit] Online Privacy Certification ProgramsOnline Certification or “Seal” programs are an example of industry self regulation of privacy policies. Seal programs usually require implementation fair information practices as determined by the Certification program and may require continued compliance monitoring. TRUSTe[21], the first online privacy seal program, included more than 1,800 members by 2007[22]. Other Online Seal programs include the Better Business Bureau Assurance on the Internet[23], eTrust[24] and Webtrust[25].