Over the past quarter century,
government agencies in the United States, Canada, and Europe have
studied the manner in which entities collect and use personal
information -- their "information practices" -- and the
safeguards required to assure those practices are fair and
provide adequate privacy protection.(27) The result has been a series of reports,
guidelines, and model codes that represent widely-accepted
principles concerning fair information practices.(28) Common to all of these documents [hereinafter
referred to as "fair information practice codes"] are
five core principles of privacy protection: (1) Notice/Awareness;
(2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security;
and (5) Enforcement/Redress.
The most fundamental principle is
notice. Consumers should be given notice of an entity's
information practices before any personal information is
collected from them. Without notice, a consumer cannot make an
informed decision as to whether and to what extent to disclose
personal information.(29) Moreover, three of the other principles discussed
below -- choice/consent, access/participation, and enforcement/redress
-- are only meaningful when a consumer has notice of an entity's
policies, and his or her rights with respect thereto.(30)
While the scope and content of
notice will depend on the entity's substantive information
practices, notice of some or all of the following have been
recognized as essential to ensuring that consumers are properly
informed before divulging personal information:
- identification of the entity
collecting the data;(31)
- identification of the uses to
which the data will be put;(32)
- identification of any
potential recipients of the data;(33)
- the nature of the data
collected and the means by which it is collected if not
obvious (passively, by means of electronic monitoring, or
actively, by asking the consumer to provide the
information);(34)
- whether the provision of the
requested data is voluntary or required, and the
consequences of a refusal to provide the requested
information;(35) and
- the steps taken by the data
collector to ensure the confidentiality, integrity and
quality of the data.(36)
Some information practice codes
state that the notice should also identify any available consumer
rights, including: any choice respecting the use of the data;(37) whether the consumer has been given a right of
access to the data;(38) the ability of the consumer to contest
inaccuracies;(39) the availability of redress for violations of the
practice code;(40) and how such rights can be exercised.(41)
In the Internet context, notice
can be accomplished easily by the posting of an information
practice disclosure describing an entity's information practices
on a company's site on the Web. To be effective, such a
disclosure should be clear and conspicuous, posted in a prominent
location, and readily accessible from both the site's home page
and any Web page where information is collected from the consumer.
It should also be unavoidable and understandable so that it gives
consumers meaningful and effective notice of what will happen to
the personal information they are asked to divulge.
The second widely-accepted core
principle of fair information practice is consumer choice or
consent.(42) At its simplest, choice means giving consumers
options as to how any personal information collected from them
may be used. Specifically, choice relates to secondary uses of
information -- i.e., uses beyond those necessary to
complete the contemplated transaction. Such secondary uses can be
internal, such as placing the consumer on the collecting
company's mailing list in order to market additional products or
promotions, or external, such as the transfer of information to
third parties.
Traditionally, two types of choice/consent
regimes have been considered: opt-in or opt-out. Opt-in regimes
require affirmative steps by the consumer to allow the collection
and/or use of information; opt-out regimes require affirmative
steps to prevent the collection and/or use of such information.
The distinction lies in the default rule when no affirmative
steps are taken by the consumer.(43) Choice can also involve more than a binary yes/no
option. Entities can, and do, allow consumers to tailor the
nature of the information they reveal and the uses to which it
will be put.(44) Thus, for example, consumers can be provided
separate choices as to whether they wish to be on a company's
general internal mailing list or a marketing list sold to third
parties. In order to be effective, any choice regime should
provide a simple and easily-accessible way for consumers to
exercise their choice.
In the online environment, choice
easily can be exercised by simply clicking a box on the computer
screen that indicates a user's decision with respect to the use
and/or dissemination of the information being collected. The
online environment also presents new possibilities to move beyond
the opt-in/opt-out paradigm. For example, consumers could be
required to specify their preferences regarding information use
before entering a Web site, thus effectively eliminating any need
for default rules.(45)
Access is the third core principle.
It refers to an individual's ability both to access data about
him or herself -- i.e., to view the data in an entity's
files -- and to contest that data's accuracy and completeness.(46) Both are essential to ensuring that data are
accurate and complete. To be meaningful, access must encompass
timely and inexpensive access to data, a simple means for
contesting inaccurate or incomplete data, a mechanism by which
the data collector can verify the information, and the means by
which corrections and/or consumer objections can be added to the
data file and sent to all data recipients.(47)
The fourth widely accepted
principle is that data be accurate and secure. To assure data
integrity, collectors must take reasonable steps, such as using
only reputable sources of data and cross-referencing data against
multiple sources, providing consumer access to data, and
destroying untimely data or converting it to anonymous form.(48)
Security involves both managerial
and technical measures to protect against loss and the
unauthorized access, destruction, use, or disclosure of the data.(49) Managerial measures include internal organizational
measures that limit access to data and ensure that those
individuals with access do not utilize the data for unauthorized
purposes. Technical security measures to prevent unauthorized
access include encryption in the transmission and storage of
data; limits on access through use of passwords; and the storage
of data on secure servers or computers that are inaccessible by
modem.(50)
It is generally agreed that the
core principles of privacy protection can only be effective if
there is a mechanism in place to enforce them.(51) Absent an enforcement and redress mechanism, a fair
information practice code is merely suggestive rather than
prescriptive, and does not ensure compliance with core fair
information practice principles. Among the alternative
enforcement approaches are industry self-regulation; legislation
that would create private remedies for consumers; and/or
regulatory schemes enforceable through civil and criminal
sanctions.(52)
To be effective, self-regulatory
regimes should include both mechanisms to ensure compliance (enforcement)
and appropriate means of recourse by injured parties (redress).(54) Mechanisms to ensure compliance include making
acceptance of and compliance with a code of fair information
practices a condition of membership in an industry association;(55) external audits to verify compliance; and
certification of entities that have adopted and comply with the
code at issue.(56) A self-regulatory regime with many of these
principles has recently been adopted by the individual reference
services industry.(57)
Appropriate means of individual
redress include, at a minimum, institutional mechanisms to ensure
that consumers have a simple and effective way to have their
concerns addressed.(58) Thus, a self-regulatory system should provide a
means to investigate complaints from individual consumers and
ensure that consumers are aware of how to access such a system.(59)
If the self-regulatory code has
been breached, consumers should have a remedy for the violation.
Such a remedy can include both the righting of the wrong (e.g.,
correction of any misinformation, cessation of unfair practices)
and compensation for any harm suffered by the consumer.(60) Monetary sanctions would serve both to compensate
the victim of unfair practices and as an incentive for industry
compliance. Industry codes can provide for alternative dispute
resolution mechanisms to provide appropriate compensation.
A statutory scheme could create
private rights of action for consumers harmed by an entity's
unfair information practices. Several of the major information
practice codes, including the seminal 1973 HEW Report, call for
implementing legislation.(61) The creation of private remedies would help create
strong incentives for entities to adopt and implement fair
information practices and ensure compensation for individuals
harmed by misuse of their personal information. Important
questions would need to be addressed in such legislation, e.g.,
the definition of unfair information practices; the availability
of compensatory, liquidated and/or punitive damages;(62) and the elements of any such cause of action.
Finally, government enforcement of
fair information practices, by means of civil or criminal
penalties, is a third means of enforcement. Fair information
practice codes have called for some government enforcement,
leaving open the question of the scope and extent of such powers.(63) Whether enforcement is civil or criminal likely
will depend on the nature of the data at issue and the violation
committed.(64)
The fair information practice
codes discussed above do not address personal information
collected from children. They are, however, applicable to
parents, in light of the special status that children generally
have been accorded under the law. This status as a special,
vulnerable group is premised on the belief that children lack the
analytical abilities and judgment of adults.(65) It is evidenced by an array of federal and state
laws that protect children, including those that ban sales of
tobacco and alcohol to minors, prohibit child pornography,
require parental consent for medical procedures, and make
contracts with children voidable. In the specific arenas of
marketing and privacy rights, moreover, several federal statutes
and regulations recognize both the need for heightened
protections for children and the special role that parents play
in implementing these protections.(66)
It is parents who should
receive the notice and have the means to control the collection
and use of personal information from their children. The
Commission staff set forth this principle in a July 15, 1997
letter to the Center for Media Education.(67) In addition, the letter identifies certain
practices that appear to violate the Federal Trade Commission Act:
(a) It is a deceptive practice
to represent that a site is collecting personal identifying
information from a child for a particular purpose (e.g.,
to earn points to redeem a premium), when the information
will also be used for another purpose that parents would find
material, in the absence of a clear and prominent disclosure
to that effect; and
(b) It is likely to be an
unfair practice to collect personal identifying information,
such as a name, e-mail address, home address, or phone
number, from children and to sell or otherwise disclose such
identifying information to third parties, or to post it
publicly online, without providing parents with adequate
notice and an opportunity to control the collection and use
of the information through prior parental consent.
This letter applies the
Commission's Section 5 authority for the first time to the
principles of notice and choice in the online collection of
information from children. The principles set out in the staff
opinion letter form an appropriate basis for public policy in
this area.
To assure that notice and choice
are effective, a Web site should provide adequate notice
to a parent that the site wishes to collect personal identifying
information from the child,(68) and give the parent an opportunity to control the
collection and use of that information. Further, according to the
staff opinion letter, in cases where the information may be
released to third parties or the general public, the site should
obtain the parent's actual or verifiable consent(69) to its collection.(70)
The content of the notice should
include, at a minimum, the elements described above,(71) but, in addition, should take into account the fact
that online activities may be unique and unfamiliar to parents.
Thus, a notice should be sufficiently detailed to tell parents
clearly the type(s) of information the Web site collects from
children and the steps parents can take to control the collection
and use of their child's personal information. Where a Web site
offers children interactive activities such as chat, message
boards, free e-mail services, posting of home pages and key pal
programs, it should explain to parents the nature of these
activities and that children's participation enables others to
communicate directly with them. Such notice empowers parents to
monitor their children's interactions and to help protect their
children from the risks of inappropriate online interactions.
Since parents may not be fully
aware of what personal information a site has collected from
their child, the access/participation principle is a particularly
important one with respect to information collected from children.
To provide informed consent to the retention and/or use of
information collected from their children, parents need to be
given access to the information collected from their children,
particularly if any of the information is collected prior to
providing notice to the parent. The principle of integrity, which
addresses the accuracy of the data, is also important for
children's information. Parents have an interest in assuring that
whatever information Web sites collect from children or have
otherwise obtained about their children is accurate. This is
particularly important in contexts that involve decisions that
impact on the child or family, such as educational or health
decisions. In addition, since children's information is
considered to be a more sensitive type of information, sites
should take the same steps identified above to assure that
children's data is secure from unauthorized uses or disclosures.